Solved: How can I find the username of the person who assi...

Former Member · ‎11-12-2015

During my nightly user reconciliation job, 3 roles were assigned to numerous users within the same jobid.

I need to determine, who assigned the roles to the job.

Can someone please shed some light on where I can find this information?

Thanks for your help.

Pam Jimenez

Former Member · ‎11-19-2015

The auditors have found 3 roles assigned to a specific user by our SECBATCH user. This batch user runs the PFUD job nightly.

They are asking for documentation for the role assignment. I found in SUIM that the 3 roles were assigned to 30 users at the same time frame by SECBATCH user.

All 30 users were in the same job. Therefore it was roles assigned to a job by a specific user. I need to know what specific user assigned the roles to the job. So I can go back to that specific user and see if they have any documentation to back up the role assignment to the job level.

Hope that sheds more light on my issue.

Thanks for your help.

Pam

Former Member · ‎11-19-2015

Can you please provide some more information on this ?

mohan26050908 · ‎11-19-2015

Hi Pam/Naresh,

Try this T Code:AL08 and SM04 for active users

Try this tables USR02 for User ID lock / validity status

Try this tables : SE16 and enter : "AGR_USERS" to get the list of roles assigned and valid date

Also try this Using : SUIM transaction, select USER --> Users by Complex Selection Criteria --> By Authorization Values --> Execute for criteria and then select Roles.

Thanks

RMP

Former Member · ‎11-20-2015

Dear Poluboyena,

Thanks for reply, but question is some thing different.

please go through once.

Former Member · ‎11-19-2015

The auditors have found 3 roles assigned to a specific user by our SECBATCH user. This batch user runs the PFUD job nightly.

They are asking for documentation for the role assignment. I found in SUIM that the 3 roles were assigned to 30 users at the same time frame by SECBATCH user.

All 30 users were in the same job. Therefore it was roles assigned to a job by a specific user. I need to know what specific user assigned the roles to the job. So I can go back to that specific user and see if they have any documentation to back up the role assignment to the job level.

Hope that sheds more light on my issue.

Thanks for your help.

Pam

Former Member · ‎11-20-2015

This sounds like you are using indirect role assignment via HR-OM (or something very similar). Unfortunately, SUIM (RSSCD100_PFCG) would probably only record the assignment done by your SECBATCH, I assume?

In HR-OM I would get the required Information by analyzing the relationships on the HR-object in PP01. I will attach a hardcopy of a HR-Position to which I have attached a role yesterday. The change documents in the HR-object show that I was the one to add this relationship. Of course, this applies to indirect role-assignment using HR-OM only.

Former Member · ‎11-20-2015

Thanks to Mylene. This answered my question.

It didn't shed any new light on who made the change on the specific date but it does show the log entry of the last modification. Unfortunately, all dates are prior to 2015. So I'm still unsure why the PFUD proposed the role assignments.

Thanks so much for all of your input.

Pam

Former Member · ‎11-23-2015

Thanks for your response. Glad, I could help!

One more chance for PFUD's reaction (though I suspect, not even SAP knows exactly how that should work anymore).

Go to PPOME, click on the position (or Job), right-click and in the menu GoTo RoleHandling Overview. Click on the role. Are there periods? I will attach a hardcopy to show you where to look. The tricky part is - in case there are periods - to find out when there would be an overlap. The periods shown in PPOME are not necessarily the same shown in PFCG (when you go to users/Organisation Management) and in PFCG (unfortunately) PFUD never deletes old periods and handles the period assignement differently from HR-OM which leads to some really funny s***.

PPOME:

The same view from PFCG (Users -> Organizational Management):

In this case there are no periods in PPOME and the time slices in PFCG are consistent with that, so all is well. This is not necessarily the case, especially if you have roles that are a lot older and have seen much use - e.g. many different relations over time.

Message was edited by: Mylene Euridice Dorias EDIT: Just to rectify my opinion that even SAP has difficulties with PFUD in the indirect-role assignment configuration - I just checked the notes on this. Still recent - many of them (and why can't I insert a link here??) 2031631 1979299 1416149 1871405 1816508 and many, many more. An interesting read: 1793251 which describes how the implementation of some previous notes leads to inconsistencies in some tables.

santiobejero · ‎11-20-2015

Hi Pam,

If the role was assigned by a BATCH user, we can safely say that an external action was used to assign this (indirect assignment). Maybe you have GRC, IdM or CUA in your landscape which manages the assignments of roles.

If the BATCH user is running only the PFUD, can you go up in your SUIM result, the logs might give you more clarity. Did you just check that the last change was the Batch user, maybe what happened is someone assign the roles and then the batch job for PFUD run that's why the last change was the batch user.

Regards,

Santi

How can I find the username of the person who assigned a role at the job level?