07-19-2013 4:47 PM
Hello Everyone,
I am a newbie to SAP Security. Could you please help me with the question below?
Why does SAP not recognize the duplicate assignment of a role during the role assignment for a user?
For example, the user ABC has the below roles in SAP:
X:P7_9053_VA01 valid until 31.12.9999
X:P7_8200_VA02 valid until 31.12.9999
Whenever I try to assign any of the above two roles once again to user ABC, why don't we get a message that the roles are already assigned and valid?
It would be very helpful if we get a message during the assignment as it will help to avoid the Profile Overflow problem.
Thanks in advance for your answers.
07-22-2013 8:59 AM
hi,
This basically has to do with the fact that role assignments can come from different sources: direct, via a composite role or via organizational assignment. Blocking duplicate assignments would have serious implications.
To get rid of duplicate direct assignments have a look at report prgn_compress_times.
Jurjen
07-22-2013 9:28 AM
Hi,
This is a bit untidy but will not give you "profile overflow". If you have a look at the profile assignment, you will see that it is only assigned once despite there being multiple allocations of the role.
Judging by your example roles, if all of your roles are based around one or two transactions then you will always have problems with the max number of assignable profiles.
07-22-2013 10:34 AM
SAP doesn't restrict the multiple assignment of a role to a user.
This is also useful if you want to assign roles for different durations.
E.g.:
X:P7_9053_VA01 01.04.2013 to 31.12.2013
X:P7_9053_VA01 01.02.2014 to 31.12.9999
prgn_compress_times will remove the duplicate entries.
E.g.:
X:P7_9053_VA01 01.04.2013 to 31.12.2013
X:P7_9053_VA01 01.05.2013 to 31.12.2013
X:P7_9053_VA01 01.01.2014 to 31.12.9999
prgn_compress_times will make it as a single entry:
X:P7_9053_VA01 01.04.2013 to 31.12.9999
Regarding the profile overflow issue, there will be only 1 profile assigned to a user for a role.
Regards,
Dinesh
07-26-2013 1:49 PM
Hi Sunder
Run program PRGN_COMPRESS_TIMES using SE38 or SA38.
It removes duplicate roles as well as expired roles.
Users vs. roles can be taken from table AGR_USERS.
You can give specific users and execute the program as well.
The reason behind SAP not restricting duplicate roles is that roles can be assigned directly or indirectly (position-based, using the org structure). So it will be a total mess.
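For reviewing an AGR_USERS extract before running the report, the following added example (not code from any poster and not SAP's implementation) models the merge behaviour described in the replies above: overlapping or adjacent validity periods of the same role collapse into one, while periods separated by a gap stay separate. The row layout and the sample rows are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows in the shape (user, role, valid_from, valid_to);
# the column layout of a real AGR_USERS export is an assumption here.
ROWS = [
    ("ABC", "X:P7_9053_VA01", "01.04.2013", "31.12.2013"),
    ("ABC", "X:P7_9053_VA01", "01.05.2013", "31.12.2013"),
    ("ABC", "X:P7_9053_VA01", "01.01.2014", "31.12.9999"),
    ("ABC", "X:P7_8200_VA02", "01.04.2013", "31.12.2013"),
    ("ABC", "X:P7_8200_VA02", "01.02.2014", "31.12.9999"),
]

def parse(d):
    return datetime.strptime(d, "%d.%m.%Y").date()

def fmt(d):
    return d.strftime("%d.%m.%Y")

def compress(rows):
    """Merge overlapping or adjacent validity periods per (user, role)."""
    grouped = defaultdict(list)
    for user, role, start, end in rows:
        grouped[(user, role)].append((parse(start), parse(end)))
    merged = {}
    for key, periods in grouped.items():
        periods.sort()
        out = [list(periods[0])]
        for start, end in periods[1:]:
            # Subtracting dates avoids overflow when the end is 31.12.9999.
            # A difference of at most one day means the periods touch or overlap.
            if (start - out[-1][1]).days <= 1:
                out[-1][1] = max(out[-1][1], end)
            else:
                out.append([start, end])
        merged[key] = [(fmt(s), fmt(e)) for s, e in out]
    return merged

def redundant(rows):
    """Return (user, role) pairs whose row count would shrink after merging."""
    counts = defaultdict(int)
    for user, role, _, _ in rows:
        counts[(user, role)] += 1
    merged = compress(rows)
    return sorted(k for k in counts if counts[k] > len(merged[k]))

if __name__ == "__main__":
    for (user, role), periods in compress(ROWS).items():
        print(user, role, periods)
    print("redundant:", redundant(ROWS))
```

The pairs returned by `redundant` are the assignments worth checking by hand, since indirect assignments (composite role or org structure) are not distinguished in this sketch.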