04-05-2014 2:43 PM
Hi everybody
An interviewer asked: you have to assign 10 roles to a user, but with 9 roles themselves the max number of profiles (312) is reached. Then how do you assign the 10th role?
What procedure do you follow? Of course I have had this doubt since my SAP career started, but I was not much interested in finding the answer.
I read note 410993 and searched all the stuff on the net but didn't get a solution.
Thanks in advance.
Regards
siddu
04-05-2014 11:31 PM
That you have not reached this limit indicates that you are doing a good job!
Tell the interviewer that if the limit is reached, then there is a design error.
If the interviewer presses harder, then there are two technical solutions. The first is in the authorizations tab of PFCG to use the "read old and merge new" option via the "Expert options". This you are probably doing hence you don't have the problem, but it can also be triggered manually within the menus in the authorization data.
There is one more joker you can play, but you must first tell the interviewer that they are using "Edit old data" to support a design error in the way they build and maintain roles.
Cheers,
Julius
04-06-2014 12:00 AM
Very impressive if 9 roles can hit maximum profile. Most places I've seen this is due to 300+ roles assigned to the user.
Redesign and build again to fix root cause. Short term is to compare the roles to see if all of them are necessary.
I suspect this question was meant to be more about using your security knowledge and showing you can critically analyse and problem solve.
Finally, end your question with fire your architect and let me design and build security so you never have to ask this question again. Smile of course to show confidence.
regards
Colleen
04-06-2014 2:21 AM
Colleen Lee wrote:
I suspect this question was meant to be more about using your security knowledge and showing you can critically analyse and problem solve
I doubt this. I would say that interviewer was looking for reference user.
Mohd: check this blog for info related to reference user. Discussion is full of useful tips.
Cheers
04-06-2014 6:30 AM
Can I change suspicion to hope instead? I would hope part of the question would involve knowing what/why the limitation is and how to fix it?
04-06-2014 7:32 AM
My opinion was influenced by rainy weather. So if you have a nice sunny Sunday then I am not surprised that you have a more optimistic view 😉
Cheers
04-06-2014 7:35 AM
There was sun...followed by a thunderstorm and p|ssing down rain. I'm now starting to agree with your assessment
04-06-2014 8:15 AM
Hi Julius, Lee and Martin,
Really thankful to you, but unfortunately I haven't shown my confidence with the interviewer on this question.
Thanks to SCN and all of you.
04-06-2014 12:43 PM
Hi Mohd
Do you now understand what the limitation is and why, and what your options are to resolve this?
Confidence aside (that comes with experience), if you were asked this question in future (or more importantly faced this scenario in your system) would you know what to do?
Regards
Colleen
04-07-2014 4:08 PM
Yes, probably that is the answer being looked for. But it's like saying "we have a bad security design here, how can we mask the problem and pile even more profiles on our users". Reference users aren't supposed to be used to bypass profile limitations; they serve a different purpose. I would be careful seeking employment there, it could be a frustrating system to support.
04-07-2014 7:53 PM
Hi siddhu,
Create one Reference user ID, assign the additional roles to it, and map it to the dialog user.