Hello, Adrian

Yes, I create a transport with the changed role. but I am not sure what it means "and include profile too". where does it explicitely asks me to include or not ot include a profile?

Thanks

Galina

In transaction PFCG type in the name of role that you want to transport than click on the little truck (CtrlShiftF9) and than in the next window check the box "Also transport Generated Profiles for Single Roles" like this you will transport the generated profile too and it should be fine in production system when you are importing the transport request.

Thanks.

Hi, Adrian

I see what you are saying. We have this box checked by default. So, this would not be a reason, I think.

Thanks

Galina

Adrian,

This is large role, and it has multiple profiles generated behind it, like:

T-D8730080 Profile for role Z_BBN_FUNCTIONAL_ROLE

T-D87300801 Profile for role Z_BBN_FUNCTIONAL_ROLE

T-D87300802 Profile for role Z_BBN_FUNCTIONAL_ROLE

T-D87300803 Profile for role Z_BBN_FUNCTIONAL_ROLE

In PFCG it shows only the first profile....

Profile Name T-D8730080

Profile Text Profile for role Z_BBN_FUNCTIONAL_RO

Status Authorization profile is generated

I thought that issue could be that as a result of the changes and moving role over there was some discrepancy in the size/number of these multiple profiles. I could not find any relevant info to figure out how to avoid this problem.

Thanks

Galina

I understand, than check in the transport request where you included the role and profiles to see if you have all the profiles inside.

You can see them in SE01 (Display Tab), fill in the transport request number, click on DISPLAY button, than expand to Customizing: Table contents -> SUSPR -> USR10 -> you should see here something like this:

XXXT-D8730080 A

XXXT-D87300801 A

XXXT-D87300802 A

XXXT-D87300803 A

Where XXX stands for client number (Example 300)

If you see all of those profiles inside of you transport request than you are sure you'll transport your entire profile for your role.

Thanks.

Adrian

Hello, Adrian

Yes, I see profiles. I think profiles get transported fine. Because after I remove role and profiles from the user and then assign the role back again, everything is working. The problem is auditors object to an unexplained change to the user setup. And it is hard to explain by saying that it stopped working after the role transport and required such manipulations.

thanks

Galina

Akhilesh,

thanks a lot for your reply. Yes, the problem could be in the user master data. However, at this point I see that user comparison is in red, but nevertheless, role is working fine after I removed it fro mthe user and then reinstated it back into the user's account. I wonder what makes these discrepancies to appear. I have never did this user comparison before so it is opening a whole new lack of knowledge area for me. Does it make sense to do it as a periodic background job/

Thanks

Galina

Yes you should schedule it at least once a day, in my systems it's running around midnight.

Use transaction PFUD or schedule a background job with one of this reports:

PFCG_TIME_DEPENDENCY (this is the old report)

RHAUTUPD_NEW (this is the new version of report) <- I'm using this in R/3 4.7 and Netweaver 7.0

Short text

User Master Data Reconciliation

Description

This report runs the user master comparison for roles you have selected. For single roles you can also start the user master comparison in transaction PFCG.

You can either execute it with the single processing types in dialog mode or schedule it as a complete reconciliation in the background.

To run only specific processing types in the background, schedule a variant of program RHAUTUPD_NEW.

You can choose the following processing types:

Profile Comparison

/>: Start the profile comparison directly after the profiles have been generated or imported. Provided you are using time-dependent role assignments, we recommend you schedule daily background jobs. The authorization profiles will then be reconciled with the user master data. Profiles no longer current will be deleted from the user master records and the current profiles will be entered.

Composite Role Comparison : Start the composite role comparison, if you want to make changes to a composite role definition (that is, add to or delete single roles from a composite role) or if you want to import a change. Single role assignments will then be reconciled with the composite role assignments for the user. If you want to include single roles in the composite role, the single roles are assigned to those users who are assigned to the composite role. Conversely, the single roles assigned to users are deleted, if the single role is removed from the composite role.

HR Comparison : Start the HR comparison, if you want to make changes to the HR Org Model, which affect the indirect role assignment. You can only select this processing type, if HR Org is active. The switch HR_ORG_ACTIVE in table PRGN_CUST must be set to YES.

Cleanups: Carry out a cleanup, if you want to generate or import profiles. Generated profiles that do not have any roles are deleted.

Further options:

Issuing error messages: In dialog mode all error mesasges are displayed on the screen.

Replicating local HR assignments centrally (You can only select this option, if this client is an active child system of a CUA group and HR org. Role assignments in the child system that have arisen from links in the local HR Org model are replicated for information in the central system

Thanks,

Adrian

Adrian,

I appreciate your help.

Galina