04-28-2010 5:31 PM
Hi Guys,
I have a role assigned to a user with a validity date (say 01/20/10 to 04/20/10). However after the expiry date the user is able to perform actions related to that role. I do have PFUD scheduled which runs every day. I understand that prgn_compress_time removes the expired roles but ideally the validity date should serve in restricting the access after the expired date.
Please advise if something needs to be corrected in our system
System SAP BW 3.5
04-28-2010 6:04 PM
Once the role validity is expired, user can't run those tcodes.
Please check any manual profiles assinged to user and check any other valid role assigned to user.
you can create a test id with those expired roles and you can test id with expired role.
04-28-2010 10:27 PM
Hi,
you can see user's authorization buffer in transaction SU56. Here you have list of mall authorizations with authorization profiles as well. The links between roles and profiles are stored in the table AGR_1016. This should help you to identify which roles are still assigned to user.
Cheers
04-28-2010 11:28 PM
04-29-2010 2:41 PM
Hi Sindu,
The automatic adjustments of roles validity can be done through running the report PFCG_TIME_DEPENDENCY.
This report can be run on a daily basis in background.
This compares the user master records for all roles and updates the authorizations for the user master records.
You can run this report via SA38 if you want to use it on a daily basis or through SE38 if you wanna execute it once .
For more details on this ,
Goto Tcode PFCG
click on Tab "user"
Next to user comparison button you will have the "i" information button. Click on it ...
Hope it will he helpful,
Cheers!
Veena BJ
05-14-2010 4:14 PM
Hi,
This may sound silly but please check if the dates are given in the correct format ( dd-mm-yyyy etc. ) as if the role is expired the user shouldn't be able to access the TCODES in that role .
Check for any profiles directly assigned to that user and moreover, it may be possible that the user is getting that access through some other role. You can check SUIM for that.
Regards,
Manisha
05-18-2010 9:28 PM
One thing to note is the date format ...but if you enter an incorrect date format the system immediately tell incorrect date format ..but its a good pointer you putforth..most often the errors are user propelled !
If the user has an passed out date meaning the date is not of today or of the future -- th euser is "Expired " and hence will not be able to log in. this is certian.
05-18-2010 8:09 AM
Hi Sindhu,
If you are sure about below then contact SAP as SAP is not performing something what it should in your system
I have a role assigned to a user with a validity date (say 01/20/10 to 04/20/10). However after the expiry date the user is able to perform actions related to that role. I do have PFUD scheduled which runs every day
Apart from that I will suggest you to see whether the batch job ran that day or not.
Cheers,
Arpan
05-18-2010 9:49 PM
05-19-2010 8:16 AM
>
> Run report RSUSR405, wait about 1 hour and then voila...
>
> Cheers,
> Julius
Perhaps you might want to try this trick with one single user first: SE37, SUSR_USER_BUFFER_AFTER_CHANGE ... just in case you have several 1000 users ... better safe than sorry.