
SU01: Role assignment to user doesn't compare automatically

Former Member
0 Kudos

Hello all SAP Colleagues and thanks in advance for your replies.

I have the following problem/question scenario: Whenever I assign a role to a user on transaction SU01, after I save it, I manually go to PFCG transaction to check this role I just added to the 'X' user, and when I look into the USER TAB, I notice that it is marked on Yellow light, which means that the user master did not update automatically by itself. Is there any "normal" or particular reason for this?

I know that when we want to limit the activities to a role by time, we schedule a background job with program PFCG_TIME_DEPENDENCY which has to be run every day-night in order to re-adjust the user master, but this is not the case.

Are there any notes out there, or reason that can explain this kind of behaviour? In case there are, is this a normal behaviour?

Thanks again for all of your replies!

Best regards.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

A possible explanation is that the roles themselves could not generate profiles and authorizations (into the USR* and UST* tables) with sufficient values for those maintained in the PFCG UIs. A likely candidate is very complex org. levels which you have maintained.

In that case the profiles are generated but in PFCG you will have received a warning that not all values could be included.

Of course when assigning such a role, the system needs to decide and inform that the new authorizations will be incomplete compared to what you are expecting.

Did you see such a warning?

Depending on the cause, there are more and less easy ways to work around it. You first need to analyze which object is causing the problem / decide whether the role is perhaps suboptimally designed / whether the requirement is really needed because it is "grouped" in other constructs and roles anyway.

--> Please open such a role, check it and try to generate the profile again and see what message you are given. That is most likely the problem - then we can see which options are available to fix it in the concept you have.

Cheers,

Julius

16 REPLIES

gururaj_srinivasa
Participant
0 Kudos

Hi Ramirez,

This is normal, you will have to do user comparison manually after assignment of roles to user master records. With a complete comparison, all invalid authorization profiles are removed from the user master record and all new authorization profiles are inserted in the user master record.

Like you have mentioned, you can schedule a background job PFCG_TIME_DEPENDENCY to run every night, so that the authorization profiles in the user master will be current each morning.

Or you use Transaction PFUD, Compare User Master, after role assignment.

I don't see any alternate ways to do this step.

Guru
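As an added example (not posted by anyone in this thread), the sketch below shows what a user master comparison has to reconcile: the profiles a user should hold from currently valid role assignments versus the generated profiles actually present in the user master. It assumes rows exported from tables AGR_USERS, AGR_1016 and UST04; the sample rows and the function name `comparison_gaps` are constructed for illustration.

```python
from datetime import date

# Constructed sample rows, shaped like exports of AGR_USERS, AGR_1016 and UST04.
AGR_USERS = [  # (role, user, valid_from, valid_to)
    ("Z_TEST_ROLE", "TESTUSER", date(2011, 1, 1), date(9999, 12, 31)),
    ("Z_OLD_ROLE", "TESTUSER", date(2010, 1, 1), date(2010, 12, 31)),
    ("Z_DISPLAY", "OTHERUSER", date(2011, 1, 1), date(9999, 12, 31)),
]
AGR_1016 = [  # (role, generated profile)
    ("Z_TEST_ROLE", "T-D0010001"),
    ("Z_OLD_ROLE", "T-D0010002"),
    ("Z_DISPLAY", "T-D0010003"),
]
UST04 = [  # (user, profile currently in the user master)
    ("TESTUSER", "T-D0010002"),     # left over from the expired assignment
    ("TESTUSER", "Z_MANUAL_PROF"),  # manually assigned, not generated by a role
    ("OTHERUSER", "T-D0010003"),
]

def comparison_gaps(agr_users, agr_1016, ust04, today):
    """Return {user: {"missing": [...], "stale": [...]}} for users needing a compare."""
    profiles_of = {}
    for role, profile in agr_1016:
        profiles_of.setdefault(role, set()).add(profile)
    generated = set().union(*profiles_of.values())

    # Profiles each user should have: only assignments valid on the given day.
    expected = {}
    for role, user, valid_from, valid_to in agr_users:
        expected.setdefault(user, set())
        if valid_from <= today <= valid_to:
            expected[user] |= profiles_of.get(role, set())

    # Role-generated profiles each user actually has; manual profiles are ignored.
    actual = {}
    for user, profile in ust04:
        if profile in generated:
            actual.setdefault(user, set()).add(profile)

    gaps = {}
    for user in sorted(set(expected) | set(actual)):
        missing = expected.get(user, set()) - actual.get(user, set())
        stale = actual.get(user, set()) - expected.get(user, set())
        if missing or stale:
            gaps[user] = {"missing": sorted(missing), "stale": sorted(stale)}
    return gaps

if __name__ == "__main__":
    print(comparison_gaps(AGR_USERS, AGR_1016, UST04, date(2011, 6, 1)))
```

A "stale" entry is the security-relevant case: the assignment has expired but its profile still grants authorizations until a comparison runs.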

Former Member
0 Kudos

ramirez,

PFCG_TIME_DEPENDENCY needs to be scheduled for the problem. Also, in PFCG->..->settings, check mark "Compare user while saving" can do some good.

0 Kudos

Hello Plaban.

Thanks for your reply.

The thing is that, I oddly can't seem to find job PFCG_TIME_DEPENDENCY running or I can't figure out how to find it, in order to determine that the system can automatically update the user master record by itself.

May I look it up in transaction SM37 with a filter for the ABAP program? I already did, and I didn't find it either by job name "PFCG_ something" or by program name.

Another possibility I haven't tried is looking it up by the "After event" filter. Any ideas to determine/check if the job is running?

Thanks again for the support!

0 Kudos

Hi Ramirej,

To find the job: the program related to this PFCG_TIME_DEPENDENCY job is PRGN_COMPRESS_TIMES. Please go to SM37 and put this program name in the field ABAP program name. Select User = '*', job name = '*' and execute it. This will find all jobs running in the system related to this clean up.

Thanks,

Varun Jain

0 Kudos

Hi Ramirej,

Also please run SE16 and enter the table name PRGN_CUST. Press F4 in the ID field and see the value of AUTO_USERCOMPARE. If it is YES then it will automatically compare the user master every time there is a change in the user profile, and if it is NO you need to put the notes in the system to make it so.

I hope it will give you complete answer of your question.

Thanks,

Varun Jain

0 Kudos

Thanks a lot Varun.

I did search by ABAP program name "PRGN_COMPRESS_TIMES" in SM37 transaction with no luck.

I also have gone to SE16 transaction and looked into PRGN_CUST table, and when I press F4 key in the "Name Field", in that list I can't tell if the parameter AUTO_USERCOMPARE is set to 'Yes' or not; the only text I can see being displayed is exactly this (see image below)

If it wouldn't be set to 'Yes' if you can tell that by the image I'm providing, how can I set it to this value?

By the way, is there any more documentation regarding PFCG_TIME_DEPENDENCY program/job?

I am noticing that I looked for it into some other systems that don't have this issue, and there doesn't seem to be trace of this job anywhere.

Any further ideas?

Thanks a lot for your reply!

0 Kudos

Hi Ramirej,

If you tried for the program PRGN_COMPRESS_TIMES with the selection of User and job value = '*' and it is not giving any results, then it may be possible that in your system no PFCG time dependency job is running for profile comparison.

If you want, you can schedule the job PFCG_TIME_DEPENDENCY in your system daily at midnight with the program name PRGN_COMPRESS_TIMES and variant SECURITY_CLEAN, with some batch user or your user ID. It will help you with automatic profile comparison daily.

If the problem is when allocating via PFCG make sure you have the Automatic user adjustment switched on. (Go into PFCG> Select a role>go to the user tab>Utilities> Settings> tick Automatic User Master Adjustment when Saving Role)

Pls go through the below 2 links, you will find appropriate info.

http://help.sap.com/saphelp_45b/helpdata/en/52/6711ec439b11d1896f0000e8322d00/content.htm

http://sap.ittoolbox.com/groups/technical-functional/sap-security/run-rhautupd_new-via-pfcg_time_dep...

Also I am finding the help for you to make the parameter value YES and how to change it, and will reply back to you shortly.

Thanks,

varun Jain

0 Kudos

Hello Varun.

I have figured how to set these parameters according to your suggestion.

I go to SM30 transaction and there I select PRGN_CUST table for editing. Then I create the following parameters with the following values:

ASSIGN_ROLE_AUTH = ASSIGN

AUTO_USERCOMPARE = YES

After I click on Save, it prompts me for a Transport Request, and I click on Save. We check on SE16 to see if there are entries, and they are successfully created.

Problem is that the issue did not resolve with this solution 😕 

I am considering to Patch system or perform system upgrade, due that this could be a program error, isn't it? In case so, which level of BASIS SP is recommended or what notes should I consider to apply in the system?

Thanks a lot for your response!

Best regards.

0 Kudos

Hi Ramirej,

  I did some more research and found this is specific functionality for system version which updates the user master profile automatically in ECC6.0. My system is ECC6, Basis SP is 701 and level 6 and it is working fine.

Thanks,

Varun Jain

0 Kudos

Oh really? Can you please show us the sources of your research that this is ECC 6 related?

Cheers,

Julius

0 Kudos

No. Incorrect.

Job PFCG_TIME_DEPENDENCY runs report PFCG_TIME_DEPENDENCY which calls report RHAUTUPD_NEW.

PRGN_COMPRESS_TIMES is something different.

b.rgds, Bernhard

0 Kudos

Please check also the value for USRCOMPARE_PFUD. If set to YES, profile comparison is only allowed in PFUD/pfcg_time_dependency. The default value is NO.

b.rgds, Bernhard

0 Kudos

Thanks Julius.

I decided to go and try creating a role from scratch. I named it Z_TEST_ROLE and just added two authorization objects as a test.

Objects were:

S_USER_AUT

S_USER_GRP

And I clicked on the Generate button but no warnings appeared. I decided to test it, trying to assign this newly created role via SU01 to a TEST user, but same result: I still noticed the "Yellow" light on the USER tab when I checked it in PFCG afterwards.

I am guessing it could be because of my BASIS level, as Varun suggested.

I am running on a BASIS 700 Release SP 15, so I think after Upgrading BASIS Level to 701, problem should be solved.

Again thanks to everyone for your very helpful replies!

Best regards.

0 Kudos

Upgrading the release seems strange to me... though a release upgrade is a great way to solve some UI status problems... at the same time you will apply many other security relevant patches...  🙂

The only thing I am aware of is that Su25 turned too many authorization tabs to "red" status up until a few months ago.

Is it possible that someone ran some uncoordinated steps in SU25 without your knowledge? Check the date stamps of the 2* steps.

Varun's explanations are not known to me and appear somewhat speculative.

Cheers,

Julius

0 Kudos

Thanks for your tracking and replies Julius!

Well I might look out for any new/missing Hotnews and Patches running ST13 transaction and give a shot to RSECNOTE report, and see if applying these corrections would fix this issue.

Following your suggestion of running SU25 transaction, I checked the Timestamp for the 2* Phases, and it marks last run was on 2005, does it affect in any way now, even it was long time ago? What other steps, or places should I check for any inconsistency or problems?

PS: I did this test on a Development system, should I give it a try into Productive system as well?

Thanks a lot again for your support!

Best regards