Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Are there any dangers in running PFCG_TIME_DEPENDENCY too frequently ?

Former Member
0 Kudos

Hello All,

We are in the midst of an go-live where role assignment are automated via a home grown application.

New roles are being assigned often throughout the day. Users are complaining that they are not immediately getting the new additional roles.

Is there any danger in scheduling PFCG_TIME_DEPENDENCY during peak usage times ? Should it be run hourly for example?

Our concern is that existing authoirzations could be jeapordized while PFCG_TIME_DEPENDENCY runs but are unable to find documentation to support this.

Thanks in advance for all your input.

Jamie

Edited by: James DeLorenzo Jr. on May 15, 2009 4:10 PM

1 ACCEPTED SOLUTION

Former Member
0 Kudos

One more thought. When you say should not be "too big a risk" , Im trying to understand what the risk is.

Thanks again.

Jamie

11 REPLIES 11

jurjen_heeck
Active Contributor
0 Kudos

If you make sure you run it nightly as well so no-one looses authorizations during the day because of expired role assignments there shouldn't be too big a risk.

Taking away authorizations from users that are working in the system at that moment can bring some risks so if you're sure that will not be the case I personally see no objection.

On the other hand I would let my users get used to a more normal SLA than "immediately"....

Former Member
0 Kudos

Thank you Juren for a very prompt response.

Do you know if there would be any other situation where access would be lost as a result of running PFCG_TIME_ DEPENDENCY, aside from an expired role validity date ?

Could access be lost on roles with valid date ranges when time dependency runs ?

It would be fine if a user role is out of date and that access is lost. We just do not want valid roles to be compramised.

Many Thanks,

Jamie

Former Member
0 Kudos

One more thought. When you say should not be "too big a risk" , Im trying to understand what the risk is.

Thanks again.

Jamie

0 Kudos

> One more thought. When you say should not be "too big a risk" , Im trying to understand what the risk is.

Performance maybe. But you just have to make very sure you don't take away authorizations from people who are actually working in the system. If you run the job after midnight but before users logging in and make sure it has run you should be fine.

0 Kudos

Does everyone agree that any user with all valid role dates will not be effected by PFCG_TIME_DEPENDENCY ?

Thanks

Jamie

0 Kudos

Hi James,

The authorization profiles in the user master will be updated with every run of the report.So, if a role is valid for any user then the user will not be affected for that particular role (i.e no changes to the auth. profiles) when the report is run.

Thanks,

Saby..

0 Kudos

> Does everyone agree that any user with all valid role dates will not be effected by PFCG_TIME_DEPENDENCY ?

YES .. will not be affected.

0 Kudos

>

> Does everyone agree that any user with all valid role dates will not be effected by PFCG_TIME_DEPENDENCY ?

>

> Thanks

> Jamie

It it unlikely, though not impossible, that users with valid roles will temporarily lose access when a user compare is run.

sdipanjan
Active Contributor
0 Kudos

Hi,

The only work done by this is to remove "Profile" of the "Expired" (validity over) roles from user master record. No other changes performed. So Roles in validity will not be tampered.

But you should also take the system usage and it's utilization into account while thinking to run this hourly.

Best practices is to run it in Operation Mode / during idle time of the system and Once in a day.

Why don't you perform role assignment manually through SU01? Role changes are not so huge activities in a Live project. If you need to change roles for a huge number of users very frequently then I must say that the role design is not good. Please don't depend on some interface to maintain master records (my opinion).

Regards,

Dipanjan

Former Member
0 Kudos

Why should usage be considered, for system performance reasons ?

I understand it is "best practice" to run off ours nightly but what continues to evade me and is absent from all the documentation is why this is best practice ?

We are in the "go-live" phase so users generally have the roles they need, but still many role assignments are being refined, and many new users are coming on board.

Many Thanks,

Jamie

Former Member
0 Kudos

HII,

The report pfcg_time _dependency that is run in background and should be run nightly if u do this the user which is assinged with profile but no role attached to it gets automtaically deleted frm user master record so this could crictically for the user who works on temp basis to whom we do not attached any role but only profile so before doing this we need to check the valdity of temp user if u do iit the temp user cannot perform work as the profile get lost for that user ,so be careful before doing this

byeeeeeeeeeeeeee