10-12-2012 2:14 AM
Hi Gurus,
We sent a mass transport to production system and the users reported that they lost access to transactions. When we checked, it was user comparision issues in production as the user master data showed red roles for users. We ran PFUD for all the roles in production which corrected the issue. There is an background job scheduled daily at 1 am.
But, we have to find an RCA for this. Why this happened as we never faced this issue as we did mass transport previously in production.
Any idea, why we need to run PFUD after transport ?
Please advise.
Thanks,
Salman
10-12-2012 8:18 AM
Is it possible that when the transport was created, the "User Assignment" checkbox was selected by accident?
I've never done it, but this would transport the roles with their corresponding user assignments in dev, which would then mismatch with the role assignments in the Prd system.
Since I've never done it I can't be sure that the symptoms you describe are what you would see, but it's the first thing I would check.
10-12-2012 8:18 AM
Is it possible that when the transport was created, the "User Assignment" checkbox was selected by accident?
I've never done it, but this would transport the roles with their corresponding user assignments in dev, which would then mismatch with the role assignments in the Prd system.
Since I've never done it I can't be sure that the symptoms you describe are what you would see, but it's the first thing I would check.
10-12-2012 12:41 PM
No, transport was created with uncheck on user assignment.
This mass transport contains some roles which we deleted as part of garbage roles along with new roles. Is that the reason it occurs and users looses access till we run PFUD ?
Not sure, why it happened, I never faced this issue whenever did mass transport for roles.
10-16-2012 2:06 PM
Hello Salman,
first of all: whenever you import roles (with profiles), you need to run the user comparison (PFUD) so that changes take effect (new authorizations need to be added, outdate need to be removed from user buffer).
If you had no problems in the past w/o running pfud, that is more a coincidence.
second:
but what I have seen already is, that such problems can occur, if SAP note #1614407 has not been implemented into all systems of your transport landscape. As this note improves the transport function, its recommendable toapply it soon.
b.rgds, Bernhard
10-13-2012 3:01 AM
FYI, We use customized profiles instead of default profiles inside the roles.
When we transported the roles some roles had default profile names instead of custmized profile names in production and devlopment had the customized profile name. Also, users reported loss of access instead of running PFUD manually. The issue was derived roles got messed up so we pushed all the derivations through the master roles to resolve this issue in production
We use catt script to update the profile names to our naming convention.
Why this issue didn't appeared in QAS testing. Please advise if anyone has faced this issue.
Regards
Salman
10-13-2012 10:34 AM
Renaming profiles is very silly...
You should reset the number range in table AGR_NUM_2. Then clean out the old names which are colliding and generate new ones. That will solve the problem.
Cheers,
Julius
10-14-2012 10:55 PM
Thanks Julius! I agree renaming profiles is silly. I have to find RCA for what caused us to run pfud manually and adjust the derive roles. Is the RCA = due to collision between old profiles and new custom profiles in production??
10-16-2012 2:09 PM
pls see my memo above.
there is a remark in the said note 1614407:
Important:
For technical reasons, you can no longer transport roles with generic
profiles in the same request as manually created profiles and
authorizations after you implement the correction. Their data is deleted
when the request is released.
Maybe there is a relation to that, if you have applied that note already in the DEV system of your roles...
b.rgds, Bernhard
10-17-2012 7:37 AM
Dear Salman,
I have faced this sitution sometimes back, this generally happens when the role in transport is too heavy (i.e. multiple profiles exists for a role) or the transport has too many roles (profiles) inside and yes regenerating the parent role and passing on the updated authorization to all derived role and then PFUD is the correct solution to regain lost access.
Possible reasons for this Glitch (Please check and put relevant one in your RCA)
Hope this helps,
Regards,
Amit