cancel
Showing results for 
Search instead for 
Did you mean: 

SP3: Synchronization of PFCG Role Users and Screen Personas Group Users

Former Member
0 Kudos


The features blog says ...

"The synchronization program can be .... scheduled as a background job to run on regular intervals.... "

.... but it doesn't say how to do this.

Can anyone help?

Regards.

Patrick.

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

Anyone?

Nicolas
Active Contributor
0 Kudos

Hello,

Please check Personas 2.0 SP03 Features - SAP Imagineering - SCN Wiki, section "Synchronization of PFCG Role Users and Screen Personas Group Users". In the screenshot, you can see on top a button named "Apply in Background...".

Regards,

Nicolas

Former Member
0 Kudos


Thanks Nicholas - I missed that in the release notes.

Nicolas
Active Contributor
0 Kudos

Hello,

I am glad to know that your problem is solved . Please close the thread.

Regards,

Nicolas

Former Member
0 Kudos


No obvious way to close this thread Nicolas.

Answers (1)

Answers (1)

Former Member
0 Kudos

After following the screenshots from the guide referenced above, I was not able to successfully synch PFCG roles with Personas. I received an authorization error. Can someone help direct me in what I should request from our SAP security and/or configuration team to get this access set up please?

Note: I am testing SP3 in our QE3 environment.

tamas_hoznek
Product and Topic Expert
Product and Topic Expert
0 Kudos

If you send that SU53 output to the security team, they should be able to add the necessary authorization

Former Member
0 Kudos

I did share this with our security team and they were slightly confused. It seems that configuration changes of some sort need to happen. Was this detailed in the install guide for SP3? Do you have any guidance on what updates security needs to make?

tamas_hoznek
Product and Topic Expert
Product and Topic Expert
0 Kudos

Looks like adding this transaction to the admin role was forgotten when this feature was introduced with SP3.

My suggestion would be to change the transaction authorizations for the role /PERSOS/ADMIN_ROLE and allow all transactions that start with /PERSOS/ - so instead of just allowing /PERSOS/ADMIN_UI, change that to /PERSOS/* and activate the profile.

chinthan_yajamaan
Active Contributor
0 Kudos

You can

* go to PFCG

* search for /PERSOS/ADMIN role (and make a copy if required)

* edit the role

* go to authorization tab

* click "change authorization data" button

* add /PERSOS/PFCG_SYNCH transaction in 2 places highlighted below

* click on save

* click on generate toolbar button

Assign the role to your user (if you created a copy) and you should be able to run sync program now.

Former Member
0 Kudos

Thank you both for assisting in getting access, that has been resolved.

I worked with the SAP Security analyst in my company to configure and test this feature and it doesn't seem to work how we interpreted. The only guidance I can find is the short paragraph in the Personas 2.0 SP03 Features article. Could someone provide an overview with more details of how this should work?

We were expecting the synchronization to match PFCG users with Personas group each time it run, which would include adding and removing users. For instance, we tested adding a user to a PFCG role and we saw it added to the Personas group. When we removed a users from a PFCG role it was not removed from the Personas. Should we expect this to occur?

chinthan_yajamaan
Active Contributor
0 Kudos

Yes you should . There was an issue with initial version and was fixed in note#2162894. So please upgrade all the notes from parent note#1964257.

BTW above mentioned security changes are also listed as new note#2194034 in parent note#1964257 now.