Solved: role to access PFCG in "read-only mode"

Former Member · ‎01-25-2008

Hi,

I've created a role to access transaction PFCG in "read-only mode", because some functional consultants asked for it.

However, it still gives them access to perform the "User Comparison" and I would like to remove that as well.

The role has the following authorization objects and values:

S_TCODE-TCD = PFCG

S_USER_AGR-ACTVT = 03

S_USER_AGR-ACT_GROUP = Y-, Z- (these are the allowed role names)

I really don't know what to do... any ideas?

thanks

Former Member · ‎02-13-2008

Hi António,

But is this not just a illusion that they actually coud do anything with the "User Compare" button.

Is not the main reason for doing a user compare to assign the profile to the users?

To assign profiles you need S_USER_PRO with activity 22.

Although you can press the button user compare but there is nothing happening. When the button is yellow you will get an error that you do not have enough authorization but if it is green you will not get any error because the "user compare" does not do anything.

Best Regards

Mattias Lind

Former Member · ‎01-25-2008

Hi Antonio,

There is a customizing switch in table PRGN_CUST (ID = USRCOMPARE_PFUD). If not present (which is the default), the default (PATH = 'NO') is that a user compare can be done from PFCG.

Try to add this ID to the table and enter PATH = 'YES' , in which case a user compare can only be done from transaction PFUD.

If you place your cursor in the ID field and hit F4, you will see your available options.

Cheers,

Julius

Edited by: Julius Bussche on Jan 25, 2008 5:30 PM

Got "yes" and "no" the wrong way round.

Former Member · ‎01-25-2008

Hi,

thanks for your answer...

I've inserted that record on table PRGN_CUST but users still have access to the "User Comparison" feature...

Should I do anything more?

Thanks

Antonio

Former Member · ‎01-25-2008

Antonio,

The first which comes to mind, is that they are authorized for transaction PFUD.

Sorry, my comment above should have been "only do the user compare if they are authorized for transaction PFUD".

If you have the user compare running as a daily job, then you should also check whether the user of this job is authorized for transaction PFUD...

Cheers,

Julius

Former Member · ‎01-25-2008

If a user has S_AGR_USER with only 03 and * for Roles

and S_USER_GRP and only 03 for Groups

S_TCODE has PFCG

They should get an error message if they attempt to run the user comparison button. "you do not have authorization to assign roles"

Check to see if they any any other S_USER objects in any other role.

Former Member · ‎01-25-2008

Hello Gary,

Yes, I also noticed that. The restriction of a user compare in PFCG in the F4 help in PRGN_CUST, is the same SAP note as that for activity 22 (assigning the user to the role)...

You could have posted this on Sunday evening, that way Monday morning is closer to test it

Cheers,

Julius

PS: We now have at least two "Gary Morris" at SDN and have for some time been trying to contact the "real one(s)" to determine who-is-who. Another "name sake" is: https://forums.sdn.sap.com/profile.jspa?userID=3618541&start=0 for example.

If you have any concerns, feel free to email me (see my business card) or SDN (at) SAP (dot) COM.

Former Member · ‎01-29-2008

Hi,

thanks for all your answers...

I've uploaded a print screen to a web server, where you can see the authorizations on the role:

[url]http://www.mj23.org/sap/role_Z_PFCG_READ.jpg[url]

I've created a user to test the role and he only has this one assigned. However, he can still use the "User Comparison" button.

Former Member · ‎01-29-2008

I tested this once last week and go an authorization error, now I am not getting an error, and my test id can successfuly use the comparison button also. I will let you know what I find out.

Former Member · ‎02-13-2008

Hi,

any developments on this issue?

I couldn't find an answer to it yet...

thanks

Antonio

Former Member · ‎02-13-2008

Hi António,

But is this not just a illusion that they actually coud do anything with the "User Compare" button.

Is not the main reason for doing a user compare to assign the profile to the users?

To assign profiles you need S_USER_PRO with activity 22.

Although you can press the button user compare but there is nothing happening. When the button is yellow you will get an error that you do not have enough authorization but if it is green you will not get any error because the "user compare" does not do anything.

Best Regards

Mattias Lind

Former Member · ‎02-13-2008

Thanks Mattias, this is good to know. I thought I saw an authorization error.

Former Member · ‎02-13-2008

Hi Gary,

Perhaps the authorization error happened when you saved a role assignment, or without the ASSIGN setting in PRGN_CUST, the system threw a message because of '02' when you did the user compare?

The "user compare" would require that a new role assignment or validity date change has been saved (if authorized - which I was not) after which, I would think that it does not matter who runs PFUD (often it runs at night automatically anyway).

Or am I missing something? I only had access to an old system, so everything was yellow anyway

Cheers,

Julius

Former Member · ‎02-19-2008

thank you all...

Mattias is absolutely right!