Composite Profiles

312 is a somewhat famous number in SAP Security. It is the maximum number of Profiles that can be assigned to a User.

A bit of detail around this fascinating number:

The relationship between a user ID and authorization profiles is of type one to many (1:n, meaning one user can have many profiles assigned). From a technical point of view, you expect (behind the scene) that there’s a table in which there are many records that show the number of profiles assigned to the user. Unfortunately there is only one record in Table USR04, and the profiles are all concatenated in the PROFS field. If you divide the length of field PROFS by the length of a single profile, you'll come up with the number 312.

It ever so happens that sometimes you end with users having so many Roles (especially in Development system) that the number of Profiles exceeds 312 and the user doesn't get the required Authorization due to some of the Profiles not being available in USR04.

Unfortunately, there is no system parameter you can use to avoid this limit.

But there is a workaround, albeit it's somewhat sketchy and has disadvantages.

Enter - Composite Profiles

Just like Composite Roles, you also have Composite Profiles. 

With Composite Profiles, you can combine multiple Profiles into one and assign it to the User, thereby reducing the number of Profiles.

The reason why this is not used and also the reason why you haven't heard of this before is that SAP best practice is to use only the “roles concept” thorough Transaction PFCG (Role Maintenance), and direct Profile assignment is not encouraged.

Reason 2 for this being discouraged - if PFUD (Compare User Assignments) is run with the 'Cleanups' option selected, then the direct profile assignments will be removed. 

But, let me take you through the process of creating profiles so that you can use it if ever needed.

• Execute Transaction SU02, enter your profile name, and press Enter

• Select 'Create' from the Menu

• Select 'Composite Profile'

• Enter the list of existing Profiles that you want to to add and Save.

         You can find the Profiles for a particular Role from table - AGR_PROF

There you go. Your Composite Profile is now ready and you can assign it to the User. But don't forget the reasons listed above.

On a different note - Did you know Mars is called the Red Planet because during the Cold War it sided with the Communists...... No that's not true. I was just pulling your leg. Keep scrolling.