04-30-2009 7:55 AM
Hi Gurus,
We have some users who have been all of a sudden complaining of missing access. the change logs shows that a profile has been deleted. however, there is no corresponding role name shown in " Text for old value".
i checked in the table agr_prof to see the role name corresponding to the deleted profile but its shows nothing.
Can anybody provide some inputs on this?
Just to add....we are in the middle of an upgrade and the roles were updated by us based on the results from su25
Thanks,
Vinaya
04-30-2009 8:32 AM
Hi,
In SUIM check the change document option.Give the user name and check the logs of each user
04-30-2009 6:52 PM
Hi,
Check in SU01 ....information--> change by role
Here you will get the exact information.
Please let me know is there any problem to check the above.
BR,
Bikshamaiah.G
04-30-2009 8:41 AM
> the change logs shows that a profile has been deleted. however, there is no corresponding role name shown in " Text for old value".
Sounds like someone ran PFCG_TIME_DEPENDENCY or hit some buttons in transaction PFUD. That would cause all profiles without roles (direct assignments) and profiles for roles with out-of-date assignments to be removed from the user masters.
I'd suggest you to build roles based on these profiles so you can re-assign them via the roles and prevent this from happening in the future.
04-30-2009 9:13 AM
Hi,
There could be another possibility that some one could have changed roles assigned to the user. A big role can have more than one profile, deleting some entries from it could have deleted this profile. Check all the roles assigned to user and last changed by date under authorizations tab. You can also find change documents to roles in SUIM--> Change documents --> roles --> authorization data
Regards,
Gowrinadh
04-30-2009 1:54 PM
Hi
Security audit log(sm20) is also used to record security related changes to the SAP system environment. You may use it to see changes to user master record.
Ravi
05-01-2009 11:38 PM
Hi,
Your are able to find the profile which was deleted... right.
Now you want to find the corresponding role for that profile. if my understanding is right..
go to SUIM >>>> roles >>> by profile asignment >>> give the profile valsue you will get the conserned role name.
Pleas let me know if you need any furtherinformation.
Thanks,
Phani.
05-02-2009 3:27 PM
We came accross the same scenario during upgrade.There is a possibility of the profiles being over written or should I say just renamed. This happens especially when you download/upload the roles and regenerate the profiles and if you are using the default profile names. The profile generated will pick the next available profile name and ofcourse the role name stays the same. When you move this to production, since the role now has a different profile name, all the users with the assignment of role with old profile name will loose the access when the daily batch job for usercomparision/PFUD runs.
05-02-2009 3:31 PM
One more point.
If you are maintaining dual environment for upgrade , you can look for the role associated with the profile name that is missing from the user in the secondary environment. Once you find the role name, you can assign the role to the user in the primary environment.
Good Luck!