Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Duplications in Role assignments - Still a problem

Go to solution
former_member608463
Discoverer

‎07-19-2013 4:47 PM

0 Kudos

Hello Everyone,

Am a newbie to SAP Security. Could you please help me with the below question.

Why SAP does not recognize the duplicate assignment of a role during the role assignment for a user ?

For eg : the user ABC has the below roles in SAP

X:P7_9053_VA01  valid until 31.12.9999

X:P7_8200_VA02  valid until 31.12.9999

Whenever I try to assign any of the above two roles once again to user ABC, why don't we get a message that the roles are already assigned and valid ?

It would be very helpful if we get a message during the assignment as it will help to avoid the Profile Overflow problem.

Thanks in advance for your answers.

1 ACCEPTED SOLUTION

Go to solution
jurjen_heeck
Active Contributor

‎07-22-2013 8:59 AM

0 Kudos

hi,

This basically has to do with the fact that role assigments can come from different sources: direct, via a composite role or via organizational assignment. Blocking duplicate assgnments would have serious implications.

To get rid of duplicate direct assignments have a look at report prgn_compress_times.

Jurjen

4 REPLIES 4

Go to solution
jurjen_heeck
Active Contributor

‎07-22-2013 8:59 AM

0 Kudos

hi,

This basically has to do with the fact that role assigments can come from different sources: direct, via a composite role or via organizational assignment. Blocking duplicate assgnments would have serious implications.

To get rid of duplicate direct assignments have a look at report prgn_compress_times.

Jurjen

Go to solution
Former Member

‎07-22-2013 9:28 AM

0 Kudos

Hi,

This is a bit untidy but will not give you "profile overflow".  If you have a look at the profile assignment, you will see that it only assigned once despite there being multiple allocations of the role.

Judging by your example roles, if all of your roles are based around one or two transactions then you will always have problems with the max number of assignable profiles. 

Go to solution
Former Member

‎07-22-2013 10:34 AM

0 Kudos

SAP doesn't restrict the multiple assignment of a role to a user.

This is also useful if you want to assign roles for different durations

EG:

X:P7_9053_VA01  01.04.2013 to 31.12.2013

X:P7_9053_VA01  01.02.2014 to 31.12.9999

prgn_compress_times will remove the duplicate entries.

Eg:

X:P7_9053_VA01  01.04.2013 to 31.12.2013

X:P7_9053_VA01  01.05.2013 to 31.12.2013

X:P7_9053_VA01  01.01.2014 to 31.12.9999

prgn_compress_times will make it as a single entry:

X:P7_9053_VA01  01.04.2013 to 31.12.9999

Regarding the profile overflow issue, there will be only 1 profile assigned to a user for a role.

Regards,

Dinesh

Go to solution
Former Member

‎07-26-2013 1:49 PM

0 Kudos

Hi Sunder

Run program PRGN_COMPRESS_TIMES using SE38 or SA38.

It removes duplicate roles as well as expired roles.

users vs roles can be taken from  table AGR_USERS.

You Can give specific users and execute the program as well

The reason behind sap not restricting duplicate roles is , roles can be assigned directly or indirectly(position based using org structure). So it will be a total mess.