
PFCG_TIME_DEPENDENCY

Former Member
0 Kudos

Hi Experts.

Just a quick one: I am currently performing an audit (SAP Basis review), and in one of the tests I check whether the PFCG_TIME_DEPENDENCY job is run on a daily basis for user master data comparison.

However, on this particular client, this job is not scheduled to run and is not running at all, and the excuse is that they are using GRC for access provisioning.

But my take is even if they use GRC this job should still be scheduled to run on production.

Is that correct?

1 ACCEPTED SOLUTION

m_coenjaerts
Explorer
0 Kudos

Yes, it is required. The only thing GRC does is set VALID-FROM/VALID-TO in the role assignment in the user master. PFCG_TIME_DEPENDENCY does more: it ensures that the underlying profiles are added to / removed from the user masters. If this job does not run, then the role assignment may become invalid (because the valid-to date has passed), but the user still has the associated profile, and still has the access.

It is also convenient to run PRGN_COMPRESS_TIMES, to ensure double role assignments are correctly 'compressed' (it removes double role assignments, and removes role assignments from the user master where the valid-to date has passed).
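An audit check for the drift described in the answer above, added here as an example and not part of the original thread: it compares role validity dates with the profiles actually held in the user master and reports both directions. The table and field names (AGR_USERS, AGR_1016, UST04) are an assumption about the export layout and do not appear in the thread; all rows are constructed sample data.

```python
from collections import defaultdict

# Constructed sample rows (not from the thread), shaped like table exports.
# Assumed layout: AGR_USERS = role assignments, AGR_1016 = role -> generated
# profile, UST04 = profiles actually held in the user master.
AGR_USERS = [
    {"UNAME": "ALICE", "AGR_NAME": "Z_FI_CLERK", "FROM_DAT": "20230101", "TO_DAT": "20231231"},
    {"UNAME": "BOB", "AGR_NAME": "Z_FI_CLERK", "FROM_DAT": "20230101", "TO_DAT": "20230630"},
    {"UNAME": "BOB", "AGR_NAME": "Z_FI_CLERK", "FROM_DAT": "20240101", "TO_DAT": "99991231"},
    {"UNAME": "CAROL", "AGR_NAME": "Z_MM_BUYER", "FROM_DAT": "20240201", "TO_DAT": "99991231"},
]
AGR_1016 = [
    {"AGR_NAME": "Z_FI_CLERK", "PROFILE": "T-FI000001"},
    {"AGR_NAME": "Z_MM_BUYER", "PROFILE": "T-MM000001"},
]
UST04 = [
    {"BNAME": "ALICE", "PROFILE": "T-FI000001"},
    {"BNAME": "BOB", "PROFILE": "T-FI000001"},
    {"BNAME": "CAROL", "PROFILE": "SAP_ALL"},
]

def user_master_drift(agr_users, agr_1016, ust04, today):
    """Return (stale, missing) sets of (user, profile) pairs as of `today`."""
    role_profiles = defaultdict(set)
    for row in agr_1016:
        role_profiles[row["AGR_NAME"]].add(row["PROFILE"])
    generated = set().union(*role_profiles.values()) if role_profiles else set()

    # Profiles each user is entitled to through a currently valid assignment.
    # YYYYMMDD strings compare correctly as text.
    entitled = set()
    for row in agr_users:
        if row["FROM_DAT"] <= today <= row["TO_DAT"]:
            for profile in role_profiles[row["AGR_NAME"]]:
                entitled.add((row["UNAME"], profile))

    # Only role-generated profiles are in scope; manually assigned profiles
    # such as SAP_ALL are not tied to a role validity and are ignored here.
    held = {(r["BNAME"], r["PROFILE"]) for r in ust04 if r["PROFILE"] in generated}
    return held - entitled, entitled - held

if __name__ == "__main__":
    stale, missing = user_master_drift(AGR_USERS, AGR_1016, UST04, "20240315")
    print("access still held after expiry:", sorted(stale))
    print("valid assignment without profile:", sorted(missing))
```

A non-empty first set is the audit finding: access that outlived its role assignment. BOB is not flagged because a second, still valid assignment of the same role justifies the profile.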

11 REPLIES 11

Former Member
0 Kudos

Check the report: GRAC_REPOSITORY_OBJECT_SYNC with SE38 and execute.

0 Kudos

Hi,

PRGN_COMPRESS_TIMES should not be run when business profiles are provisioned via GRC, as it can cause issues if the same single role is provisioned from multiple business roles with different validity dates.

Have you checked if RHAUTUPD_NEW has been scheduled instead?

0 Kudos

We use GRC CUP and it provisions about 15 SAP systems. In all of these we also schedule a daily PFCG_TIME_DEPENDENCY (which is the same as RHAUTUPD_NEW), but PRGN_COMPRESS_TIMES is also scheduled daily.

We never encountered issues. I believe PRGN_COMPRESS_TIMES is "smart" enough not to touch roles which were assigned via a composite role (of course it will compress composite roles).

We schedule both programs in one job, with two steps: first PRGN_COMPRESS_TIMES, and in the second step PFCG_TIME_DEPENDENCY/RHAUTUPD_NEW. So the user master includes all the actions of PRGN_COMPRESS_TIMES. (So maybe this "covers" the issues you stated: if you run RHAUTUPD_NEW after PRGN_COMPRESS_TIMES.)

And we use a mixture of composite and single role concepts.

But indeed it is wise not "just" to start using PRGN_COMPRESS_TIMES. We made sure that we implemented all the relevant SAP Notes, and tested it in our QA environment.

0 Kudos

Do you use business roles in GRC? These are not SAP technical roles?

I only made this comment as it's in a KB article and the question was in relation to GRC being used.

0 Kudos

Thanks M. Coenjaerts,

My take was also that it still needs to run even if GRC is used. Thanks, you answered my question.

Have a blessed one, that was helpful.


Regards,

PT

0 Kudos

Hello Colleen,

Yes, we use business roles (I'm not sure what you mean by SAP technical roles). We have created our own roles via PFCG. Most systems in our company use a template-derived role concept, and quite a few systems use, besides these single roles, also composite roles.

We use GRC 5.3, modules SPM, RAR and CUP (not the ERM part).

If you could provide the link to the KB article, that would be great, as I can also investigate what the exact nature of the issue is.

0 Kudos

Please find below an SCN document on the business role suggestions, with the KB referenced at the bottom.

If you have your system operating with the job running and no issue with the GRC repository, could you add your comment, as this was written by an SAP employee.

By technical, I mean PFCG role (single, derived or composite).

Also, I'm referring to GRC 10.x, if there is a difference in this scenario to 5.3.

regards

Colleen

0 Kudos

Thanks for the information Colleen,

I suspect this answer is applicable to a GRC 10.X system. We currently use GRC 5.3, which is fundamentally different from GRC 10.X (GRC 5.3 is Java-based, and GRC 10.X is a complete rewrite, returning to the ABAP stack).

So it is quite possible that this does not occur in GRC 5.3. (If I recall correctly, we even had to activate it when using GRC 5.3, to ensure smooth operation of the user provisioning process, with RAR simulation, in order to avoid timeouts.)

But we are planning to upgrade to 10.1 in the near future, so we should definitely look into this issue. So your link definitely helps.

0 Kudos

Thx,

And please also take into account the advice of Colleen: PRGN_COMPRESS_TIMES should not be used when using GRC 10.X.

0 Kudos

Thanks considered, thanks Colleen.