
Users have more than one profile for the same role

Former Member
0 Kudos

Hello,

As I said in my earlier post I'm rather new to SAP.

I'm now doing the security audit of my SAP system. In particular, I'm checking whether business users have access to DEBUG functionality.

I have run the report 'Users by complex selection criteria' and found a certain number of such users. Then I looked further and discovered that all these users have role X assigned to them. The profile P2 of role X displayed in PFCG has DEBUG functionality deactivated. After a second look I discovered that all these users also have an earlier profile P1 for the same role X assigned to them. This profile P1 contains the functionality in question.

I solved the issue by revoking role X from the users and assigning it again. Both P1 and P2 profiles were removed from the users and only P2 was reassigned.

I used to think that a role may have only the profile that is displayed in PFCG? Also, I used to think that if the role profile is regenerated, the newly generated profile automatically replaces the old one assigned to users. Am I wrong?

1 ACCEPTED SOLUTION

Bernhard_SAP
Advisor
0 Kudos

Hi,

you need to divide between what you see in PFCG (AGR_* tables) and generated profiles (US* tables like usr10, usr12, etc.).

Of course if you change a profile in PFCG and generate it (means put the AGR-table content into usr-tables) this change will get effective only upon performing the user comparison.

So pls countercheck, if pfcg_time_dependency or the appropriate variant of rhautupd_new is scheduled in your system. In many cases such inconsistencies have been caused by role imports, when admins failed to run the comparison after import.

In addition to Yves' answer: nowadays we have only 1 profile torso assigned to a role. Depending on the number of contained authorizations, sub-profiles may get created automatically. The torso has always the end number xxxxxxxx00, the sub-profiles start with xxxxxxxx01.

b.rgds, Bernhard
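
The inconsistency from the question can be checked offline from table exports. The following is an added example, not part of the thread and not SAP code: it assumes exports of AGR_USERS, AGR_1016 and UST04 with the field names shown, and all sample rows, role names and profile names are constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed sample rows standing in for table exports (not real system data).
# Field names AGR_NAME/UNAME/FROM_DAT/TO_DAT/PROFILE/BNAME are assumed export headers.
AGR_USERS = [  # role-to-user assignments with validity dates (YYYYMMDD)
    {"AGR_NAME": "Z_ROLE_X", "UNAME": "ALICE", "FROM_DAT": "20200101", "TO_DAT": "99991231"},
    {"AGR_NAME": "Z_ROLE_X", "UNAME": "BOB", "FROM_DAT": "20200101", "TO_DAT": "99991231"},
    {"AGR_NAME": "Z_ROLE_Y", "UNAME": "CAROL", "FROM_DAT": "20200101", "TO_DAT": "20201231"},
]
AGR_1016 = [  # profiles currently generated per role (torso 00 plus sub-profile 01)
    {"AGR_NAME": "Z_ROLE_X", "PROFILE": "T-P2000000"},
    {"AGR_NAME": "Z_ROLE_X", "PROFILE": "T-P2000001"},
    {"AGR_NAME": "Z_ROLE_Y", "PROFILE": "T-P3000000"},
]
UST04 = [  # profiles actually present in each user master record
    {"BNAME": "ALICE", "PROFILE": "T-P1000000"},  # earlier profile left behind
    {"BNAME": "ALICE", "PROFILE": "T-P2000000"},
    {"BNAME": "ALICE", "PROFILE": "T-P2000001"},
    {"BNAME": "BOB", "PROFILE": "T-P2000000"},    # sub-profile never compared in
    {"BNAME": "CAROL", "PROFILE": "T-P3000000"},  # role validity has ended
]

def compare_user_masters(agr_users, agr_1016, ust04, today):
    """Return {user: {"unbacked": [...], "missing": [...]}} for inconsistent users."""
    day = today.strftime("%Y%m%d")  # YYYYMMDD strings compare correctly as text
    role_profiles = defaultdict(set)
    for row in agr_1016:
        role_profiles[row["AGR_NAME"]].add(row["PROFILE"])
    expected = defaultdict(set)  # what the role side says each user should hold
    for row in agr_users:
        if row["FROM_DAT"] <= day <= row["TO_DAT"]:
            expected[row["UNAME"]] |= role_profiles[row["AGR_NAME"]]
    actual = defaultdict(set)    # what the user master really holds
    for row in ust04:
        actual[row["BNAME"]].add(row["PROFILE"])
    findings = {}
    for user in sorted(set(expected) | set(actual)):
        unbacked = sorted(actual[user] - expected[user])  # no valid role explains it
        missing = sorted(expected[user] - actual[user])   # role profile not yet in master
        if unbacked or missing:
            findings[user] = {"unbacked": unbacked, "missing": missing}
    return findings

if __name__ == "__main__":
    for user, f in compare_user_masters(AGR_USERS, AGR_1016, UST04, date.today()).items():
        print(user, f)
```

Manually assigned profiles also show up as "unbacked" here, since no role explains them, so those entries need a separate review rather than a user comparison.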

3 REPLIES 3

ACE-SAP
Active Contributor
0 Kudos

Hi

There is a limitation on the number of authorization objects that a profile can contain (150).

Based on this a role will generate as many profiles with 150 auth. obj as needed.

Regards

410993 - Maximum number for profiles and authorizations

Due to the length of the AUTHS field (3,750 characters), you can enter the following maximum values in the manual profile maintenance (transaction SU02):

150 authorizations per single profile

Former Member
0 Kudos

Hi Pavel

In simple and short:

Role contains authorization objects.

Maximum limit of authorization objects for a role is 150.

So a role can accommodate 150 authorization objects.

New profile ABC is created whenever you create a new role. 1-1 relation.

But if a role has more than 150 authorization objects, then automatically a new profile ABC01 will be created and it will also be aligned to that role.

If role has 400 auth objects, then profiles will be ABC, ABC01, and ABC02.

i hope this helps you

Cheers

Pavan M