04-03-2009 5:58 AM
Hi Friends
We have 2000 users, and most of them have duplicate roles (one role assigned 3-4 times).
Is it affecting anything, like space, access or performance? Is it necessary to remove the duplicates?
Please suggest.
Vijay
04-03-2009 6:17 AM
Hi Vijay,
It makes no real sense to have the same role more than once in a user master record as nothing extra is achieved by having a role assigned multiple times as far as authorizations & SAP security is concerned.
However, it does lead to performance issues. Whenever a user logs into the SAP system, the user master data of the user, comprising all authorizations, is copied into the user buffer. There is also some fixed value allocated to the size of the user master buffer; therefore having either excess authorizations or an authorization multiple times is not recommended, as this would definitely affect the performance of the system.
Thanks,
Saby..
04-03-2009 9:44 AM
Hi
Rudra is absolutely correct.
It will be a performance issue; SAP auditors will definitely pick this issue up during an audit.
So there should be an internal audit every three months to find and correct the various errors in the SAP system.
04-03-2009 8:47 PM
>
> Hi
>
> Rudra is absolutely correct.
> It will be a performance issue; SAP auditors will definitely pick this issue up during an audit.
>
> So there should be an internal audit every three months to find and correct the various errors in the SAP system.
Very few auditors would pick this up. Duplicate role assignment is not in most work programs as it is debatable what risk it causes.
As Fredrik pointed out, if you have a user compare scheduled (and it should be an audit point if you don't) you will not get duplicate profiles and no additional authorisations will be loaded into the buffer.
If your system has degraded performance due to duplicate profile assignments then you will have no end of trouble come period end closing etc.
04-04-2009 5:04 PM
I have not seen problems that could be related to assigning multiple versions of the same role to a user.
Remember this is the ideal way of merging authorisations when a user logs on. As in that case the object and values are exactly the same!
If you have performance problems related to roles I would look at the use of user menus and how they are controlled (table SSM_CUST), as that is known to give performance problems.
I however do agree that there should not be such a thing, so download table AGR_USERS and do a lookup for multiple assignments and simply delete them.
TRICK: as one cannot automate deleting a user from the role in PFCG or deleting one role from a user in SU01 using Secatt or LSMW.
Make a list of the unique role assignments and simply delete all roles from the user and in a second run assign the unique roles to that user again.
This task should preferably be done when no user is logged on to the system!
04-04-2009 5:19 PM
>
> I however do agree that there should not be such a thing so download table AGR_USERS and do a lookup for multiple assignments and simply delete them.
>
> TRICK: as one cannot automate deleting a user from the role in PFCG or deleting one role from a user in SU01 using Secatt or LSMW.
Hi Auke, with the info from AGR_USERS (user, role + validity dates) you can pass them into SU10 to do the deletion. On the balance of it I think your approach would be a fair bit faster though.
04-05-2009 7:44 AM
Alex
In my experience, when using SU10 you mostly delete both versions of the role, so you will need to reassign it again?
04-05-2009 9:08 AM
Hi Auke, If you use the From & To dates in your selection then you'll only delete the role corresponding to those dates, of course it's not much use if you have assigned 2 roles on the same day.....
Overall I think your approach is better.
04-05-2009 9:36 AM
Alex
Yes, I know, but in most cases when I have seen this, the double assignment was never done on the same date, so you would have to run SU10 as many times as there were users with double assignments, so it would have been as much work as using SU01!
04-05-2009 11:04 AM
Hi Auke, you are right, that's why I have plugged into an ECATT to do this; it just loops through line-by-line until completed. It's not a great solution though, and only useful if you have lots of roles in a UMR.
04-05-2009 11:40 AM
Alex
Agreed, that is also a solution.
Anyway, we have given everyone a number of possible solutions now!
04-03-2009 7:05 AM
I think what Vijay said is correct, and I have a suggestion: if the duplicate role has the same validity period then there is no problem other than what Vijay said. If the duplicate role has a different validity period then there is a problem.
04-03-2009 9:59 AM
If you use the PFCG_TIME_DEPENDENCY it will compress the number of profiles to one for every duplicate role assigned to the user.
These reports are also important for the time limitation of roles to work. They remove the profile when the valid-to date has expired.
Excerpt from saphelp:
You should schedule the report PFCG_TIME_DEPENDENCY periodically (preferably daily) as a background job. This ensures that user authorizations are regularly updated. The program performs a complete user master comparison for all roles. The authorizations are updated in the user master records. The authorization profiles of user assignments which have become invalid are removed from the user master record. The authorization profiles of valid user assignments to the role are entered.
http://help.sap.com/saphelp_nw04/helpdata/en/5c/deaa7ad3d411d3970a0000e82de14a/frameset.htm
Good luck!
/fredrik
04-06-2009 7:31 AM
There's also a program PRGN_COMPRESS_TIMES that will (1) remove roles that are not within period of validity (e.g. expired role) - this is very useful as PFCG_TIME_DEPENDENCY won't do this and (2) compress several entries with overlapping validity periods into single entry.
I find it beneficial to schedule both of these programs into the same job, sequentially - first PRGN_COMPRESS_TIMES, then PFCG_TIME_DEPENDENCY.
04-06-2009 8:11 AM
Does the program really remove the double role entries from the user account or ONLY the double profiles??
04-06-2009 8:38 AM
PRGN_COMPRESS_TIMES does actually remove double entries, or rather, it will compress them into a single entry.
There's a simulation option available, so try it yourself.
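Added example, not code from any poster in this thread or from SAP: an offline check over a downloaded AGR_USERS table, as suggested earlier in the thread, that counts multiple assignments per user and role and builds the list of unique assignments with identical or overlapping validity periods merged into one entry. The CSV layout with YYYYMMDD dates, the sample rows and the function names are assumptions; UNAME, AGR_NAME, FROM_DAT and TO_DAT are the AGR_USERS field names.

```python
import csv
import io
from collections import defaultdict
from datetime import date, datetime

# Constructed sample of an AGR_USERS download (assumed layout: CSV, YYYYMMDD dates).
SAMPLE_EXPORT = """UNAME,AGR_NAME,FROM_DAT,TO_DAT
JSMITH,Z_FI_CLERK,20080101,99991231
JSMITH,Z_FI_CLERK,20080615,99991231
JSMITH,Z_FI_CLERK,20090101,20091231
JSMITH,Z_MM_BUYER,20080101,20080630
JSMITH,Z_MM_BUYER,20090101,99991231
ADOE,Z_FI_CLERK,20080101,20081231
ADOE,Z_FI_CLERK,20080101,20081231
"""

def _day(value):
    return datetime.strptime(value.strip(), "%Y%m%d").date()

def load_assignments(text):
    # Group every validity period under its (user, role) pair.
    grouped = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["UNAME"].strip(), row["AGR_NAME"].strip())
        grouped[key].append((_day(row["FROM_DAT"]), _day(row["TO_DAT"])))
    return grouped

def merge_periods(periods):
    # Collapse identical or overlapping validity periods into single entries.
    merged = []
    for start, end in sorted(periods):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def analyse(text, today):
    # Returns (duplicate counts, unique valid assignments, expired assignments).
    duplicates, unique, expired = {}, [], []
    for (user, role), periods in sorted(load_assignments(text).items()):
        if len(periods) > 1:
            duplicates[(user, role)] = len(periods)
        for start, end in merge_periods(periods):
            target = expired if end < today else unique
            target.append((user, role, start, end))
    return duplicates, unique, expired

if __name__ == "__main__":
    for part in analyse(SAMPLE_EXPORT, date(2009, 4, 6)):
        print(part)
```

The `unique` list is the input for the delete-and-reassign run described earlier; the `expired` list shows which entries are outside their validity period on the chosen date.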
04-07-2009 11:24 PM
I guess if you first "compress" the profiles and then remove the delimited roles, then the performance is better for PFUD.
But for me, when I am in my puritan mood, performance problems are still a symptom of role design errors - for which composite roles followed shortly afterwards by manual authorizations are the primary culprits...
Cheers,
Julius
04-08-2009 6:40 AM
Julius
I do not agree with you on composite roles being a performance problem. The biggest problem is personal menus, and that is mostly related to giving many roles (regardless of whether they are composite or single roles) to a single user, especially when the same TRX is in more than one role and SAP tries to merge these roles. The worst you can do for performance is having table SSM_CUST do the work.
We have clocked the same user and found a difference in SAP startup of over 10 minutes dependent on how we use SSM_CUST and the roles setup. The quickest was when using the SAP menu, and the second quickest was setting all roles in one composite and managing the whole menu in there!