PFUD - profiles are removed, but role is in

Former Member
0 Kudos

Hello,

I am testing a background job based on report RHAUTUPD_NEW. I assign a role to a user via SU01 and time-limit it. When the limit expires, I check the user's record via SU01. I see that the profile is being removed from the user's record, but the role's assignment still shows in the user's record. Is this correct behavior? Is there a way to remove the role from the user's master record as well?

Thanks

Galina

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Report PRGN_COMPRESS_TIMES could help you. And you could have searched it easily.

6 REPLIES

0 Kudos

Nishant,

Thank you for your reply. I started with scheduling a job containing the step RHAUTUPD_NEW and found out that the role is still in. I read that this report also cleans and synchronizes user master data. Do I schedule PRGN_COMPRESS_TIMES as a second step in the same job? I am not sure if having just PRGN_COMPRESS_TIMES is sufficient for both removal of expired roles and synchronization.

Thanks

Galina

Former Member
0 Kudos

In addition to having searched it, I don't understand why it bothers you?

Do the same roles have other access dependent implications? Personalizations? Java mappings?

Cheers,

Julius

0 Kudos

Julius,

Thanks for your reply. I have my reasons. One of them is that auditors like to see the set of roles assigned to users. If we assign a role temporarily to a user, we want to show that this role has been removed exactly when it was supposed to be removed.

I am testing with a newly created single role. No associations with any other users or roles.

Thanks

Galina

0 Kudos

That is indeed an interesting question.

It might make sense to agree on an approach with them.

If your provisioning of access support model and infrastructure supports it, then removing the role is a better option in my opinion. SAP seems to be going that way as well, since IdM also without deleting the user ID which is useful.

It helps a lot if you do not have too many (sets of) roles and the tools interrogate their validity.

It is without a doubt a very useful control to set the date of expiry when assigning the access. At that point in time you know most about the user and their request for access!

Cheers,

Julius

Edited by: Julius Bussche on Mar 30, 2010 12:14 AM

0 Kudos

Julius,

Thank you.

Galina