Julius,
I understood what probably happened: as you said, we changed the roles (but I can't find them in the Change Documents because they were probably archived/deleted): some time before 2013, we changed the role by replacing the standard "generated profile" (T_BA...) with a new one (T-H6...), and changed the role. Note: you say the profile is not delivered by SAP, are you sure? I see many other roles with standard profile names (T_...).
As far as I understand now, an upgrade on a role (i.e. any transport request) changes both the "role authorization definitions" (those we can see in PFCG, tables AGR_125*) and the authorizations in the standard associated profile, which is T_BA... So, the profiles are not to be regenerated as they are supplied, as long as we did not replace the standard associated profile! Notes: the generated profiles contain the actual authorizations checked (tables UST* + USRBF2 for the buffer); the concept of PFCG "generation" is to transfer the "role authorization definitions" to the profile.
So, in my case, as we changed the standard T_BA... profile to a custom T-H6... profile, the latter has not changed during the upgrade, and is now different from the role, so the T-H6... profile has got status "Current version not generated".
So, it's a mess now as PFCG doesn't show the actual authorizations; we absolutely need to merge the standard versus custom authorizations and get the status "Generated" so that PFCG = actual authorizations. Of course, as you say, we should have never changed these standard roles! I know what to do. I'll try to set the situation back to normal.
Regards
Sandra
PS: while using SUIM, I was mistaken by searching for authorization values *, because it doesn't look for * but for any authorization value (it returns values 03 for instance). To search for the authorization value * we must search for '*' (* enclosed by two single quotes).