01-25-2008 4:59 PM
Hi,
I've created a role to access transaction PFCG in "read-only mode", because some functional consultants asked for it.
However, it still gives them access to perform the "User Comparison" and I would like to remove that as well.
The role has the following authorization objects and values:
S_TCODE-TCD = PFCG
S_USER_AGR-ACTVT = 03
S_USER_AGR-ACT_GROUP = Y-, Z- (these are the allowed role names)
I really don't know what to do... any ideas?
thanks
01-25-2008 5:25 PM
Hi Antonio,
There is a customizing switch in table PRGN_CUST (ID = USRCOMPARE_PFUD). If not present (which is the default), the default (PATH = 'NO') is that a user compare can be done from PFCG.
Try to add this ID to the table and enter PATH = 'YES', in which case a user compare can only be done from transaction PFUD.
If you place your cursor in the ID field and hit F4, you will see your available options.
Cheers,
Julius
Edited by: Julius Bussche on Jan 25, 2008 5:30 PM
Got "yes" and "no" the wrong way round.
01-25-2008 6:04 PM
Hi,
thanks for your answer...
I've inserted that record on table PRGN_CUST but users still have access to the "User Comparison" feature...
Should I do anything more?
Thanks
Antonio
01-25-2008 6:29 PM
Antonio,
The first thing which comes to mind is that they are authorized for transaction PFUD.
Sorry, my comment above should have been "only do the user compare if they are authorized for transaction PFUD".
If you have the user compare running as a daily job, then you should also check whether the user of this job is authorized for transaction PFUD...
Cheers,
Julius
01-25-2008 10:34 PM
If a user has S_AGR_USER with only 03 and * for Roles
and S_USER_GRP and only 03 for Groups
S_TCODE has PFCG
They should get an error message if they attempt to run the user comparison button. "you do not have authorization to assign roles"
Check to see if they have any other S_USER objects in any other role.
01-25-2008 11:11 PM
Hello Gary,
Yes, I also noticed that. The restriction of a user compare in PFCG in the F4 help in PRGN_CUST, is the same SAP note as that for activity 22 (assigning the user to the role)...
You could have posted this on Sunday evening, that way Monday morning is closer to test it
Cheers,
Julius
PS: We now have at least two "Gary Morris" at SDN and have for some time been trying to contact the "real one(s)" to determine who-is-who. Another "name sake" is: https://forums.sdn.sap.com/profile.jspa?userID=3618541&start=0 for example.
If you have any concerns, feel free to email me (see my business card) or SDN (at) SAP (dot) COM.
01-29-2008 2:31 PM
Hi,
thanks for all your answers...
I've uploaded a print screen to a web server, where you can see the authorizations on the role:
http://www.mj23.org/sap/role_Z_PFCG_READ.jpg
I've created a user to test the role and he only has this one assigned. However, he can still use the "User Comparison" button.
01-29-2008 3:49 PM
I tested this once last week and got an authorization error, now I am not getting an error, and my test id can successfully use the comparison button also. I will let you know what I find out.
02-13-2008 8:25 AM
Hi,
any developments on this issue?
I couldn't find an answer to it yet...
thanks
Antonio
02-13-2008 3:48 PM
Hi António,
But is this not just an illusion that they actually could do anything with the "User Compare" button?
Is not the main reason for doing a user compare to assign the profile to the users?
To assign profiles you need S_USER_PRO with activity 22.
Although you can press the user compare button, there is nothing happening. When the button is yellow you will get an error that you do not have enough authorization, but if it is green you will not get any error because the "user compare" does not do anything.
Best Regards
Mattias Lind
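Added example, not part of any post in this thread: a small Python check that applies the points raised in the replies above (other roles carrying S_USER objects, S_USER_PRO with activity 22, authorization for transaction PFUD) to a test user's authorization values. The semicolon export format, the role name Z_OTHER_ROLE and the sample rows are constructed assumptions; value ranges are not handled.

```python
from fnmatch import fnmatchcase

# Constructed sample: one authorization value per line for a single test user,
# written as role;object;field;value. This export format is an assumption.
SAMPLE = """\
Z_PFCG_READ;S_TCODE;TCD;PFCG
Z_PFCG_READ;S_USER_AGR;ACTVT;03
Z_PFCG_READ;S_USER_AGR;ACT_GROUP;Y*
Z_PFCG_READ;S_USER_AGR;ACT_GROUP;Z*
Z_OTHER_ROLE;S_USER_PRO;ACTVT;*
Z_OTHER_ROLE;S_USER_PRO;PROFILE;*
Z_OTHER_ROLE;S_TCODE;TCD;PF*
"""

def parse(text):
    """Turn the export into (role, object, field, value) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        role, obj, field, value = (p.strip() for p in line.split(";"))
        rows.append((role, obj, field, value))
    return rows

def grants(pattern, wanted):
    """True if an authorization value (literal, * or prefix*) covers `wanted`."""
    return fnmatchcase(wanted, pattern)

def audit(rows):
    """Flag values that go beyond display access for role/user administration."""
    findings = []
    for role, obj, field, value in rows:
        if obj == "S_TCODE" and field == "TCD" and grants(value, "PFUD"):
            findings.append((role, "can start transaction PFUD"))
        elif obj == "S_USER_PRO" and field == "ACTVT" and grants(value, "22"):
            findings.append((role, "S_USER_PRO activity 22 (assign profiles)"))
        elif obj.startswith("S_USER_") and field == "ACTVT" and value != "03":
            findings.append((role, f"{obj} activity {value} is not display-only"))
    return findings

if __name__ == "__main__":
    for role, reason in audit(parse(SAMPLE)):
        print(f"{role}: {reason}")
```
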
02-13-2008 4:07 PM
Thanks Mattias, this is good to know. I thought I saw an authorization error.
02-13-2008 5:12 PM
Hi Gary,
Perhaps the authorization error happened when you saved a role assignment, or without the ASSIGN setting in PRGN_CUST, the system threw a message because of '02' when you did the user compare?
The "user compare" would require that a new role assignment or validity date change has been saved (if authorized - which I was not) after which, I would think that it does not matter who runs PFUD (often it runs at night automatically anyway).
Or am I missing something? I only had access to an old system, so everything was yellow anyway
Cheers,
Julius