
Change documents for Role assignments - MULTIPLE ROLES

Former Member
0 Kudos

I hope there's someone out there that can point me to a secret SAP report providing the needed functionality ...

For Audit purposes we perform regular reviews on our role assignments. We are using reports

(1) RSUSR100 (Change documents for users - S_BCE_68001439) and

(2) RSSCD100_PFCG (Change documents for role assignments - RSSCD100_PFCG_USER)

Each of these reports is not ideal as (1) is only providing the profile names (but is pretty quick) and we do use composite roles a lot and (2) cannot be run for a couple of days or multiple roles (other than a specific pattern).

What would already be sufficient is RSSCD100_PFCG with the option of entering multiple roles (as possible in other SUIM reports) - ideally with better performance than right now. The Function Module (CHANGEDOCUMENT_READ) is unfortunately not much quicker either and does also not provide the multiple selection option. I suspect the reason for not having a multiple selection on this is the performance.

Any idea how to get the information quicker?

Or do we need to rename all our roles so we can use the patterns ...?

Thanks!

8 REPLIES

jurjen_heeck
Active Contributor
0 Kudos

> Or do we need to rename all our roles so we can use the patterns ...?

At least you've found the argument for a proper naming convention so that's certainly something to plan for the future. If I have something on your original question I'll post it.

0 Kudos

Just to clarify - we do have a naming convention for our roles and so far it suited us fine. When we started with SAP there was no Profile Generator in sight hence the conventions are still from that time (although we are not sticking to 12 characters anymore).

The problem is that the naming conventions focus on country. E.g. roles that cover all countries (or are not country specific) start with Z:AC. A US role would start with Z:US. But the reviews we are doing are not focused on country but whether it's Business roles or Technical Team roles. We don't distinguish these roles in the name - just by a prefix in the short text.

Any further ideas would be much appreciated.

0 Kudos

Hello Petra,

I had a look at the RSSCD100_PFCG report and noticed that when you select the technical view you can hit F4 in the table field. From there it was obvious that the user assignment is taken directly from table AGR_USERS.

Misread and edited. This table only contains current assignments. I'll dig further to find the change history.

Edited by: Jurjen Heeck on Feb 28, 2008 11:09 AM

0 Kudos

Thanks Jurjen but I'm not looking at actual assignments but need the change documents. How should AGR_USERS be of help with that?

The review is done once a month to verify that no inappropriate assignment has been done the previous month. AGR_USERS is not keeping that information.

I have identified the tables that do contain the change documents (CDHDR and CDPOS) but they also can't be queried easily. And the function module doing that (CHANGEDOCUMENT_READ) is not providing the multiple selection option. So I'm really stuck.

0 Kudos

> And the function module doing that (CHANGEDOCUMENT_READ) is not providing the multiple selection option. So I'm really stuck.

I think you should contact an ABAPer to see if a copy of this FM can be modified to accept multiple selections or if a report can be written that accepts the selections and fires the FM for each one of them sequentially.

I had a look in the CD* tables as well and got really stuck. Which leaves me as open to suggestions as you are. Can't wait till I've had my ABAP course.

Jurjen
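The multi-role selection discussed in the posts above, as an added example that is not part of the original thread and not SAP code: it joins change document headers (CDHDR) to their items (CDPOS) and keeps only user assignments for a list of roles within a review period. The rows are constructed samples shaped like table exports; the role names, users and change numbers are made up, and the example assumes that OBJECTID holds the role name for object PFCG and that the AGR_USERS key is client(3) + role(30) + user(12).

```python
from datetime import date, datetime

# Change indicators as stored in CDPOS-CHNGIND (I = insert, D = delete, U = update).
ACTION = {"I": "assigned", "D": "removed", "U": "changed"}

def tabkey(role, user, client="100"):
    # Assumed AGR_USERS key layout: client(3) + role(30) + user(12).
    return f"{client}{role:<30}{user:<12}"

# Constructed sample rows (not real data).
# CDHDR fields: OBJECTCLAS, OBJECTID, CHANGENR, USERNAME, UDATE
CDHDR = [
    ("PFCG", "Z:US_AP_CLERK", "0000000101", "ADMIN1", "20080204"),
    ("PFCG", "Z:AC_BASIS_ADM", "0000000102", "ADMIN2", "20080211"),
    ("PFCG", "Z:DE_AR_CLERK", "0000000103", "ADMIN1", "20080212"),
    ("PFCG", "Z:AC_BASIS_ADM", "0000000104", "ADMIN2", "20080303"),
]
# CDPOS fields: OBJECTCLAS, OBJECTID, CHANGENR, TABNAME, TABKEY, CHNGIND
CDPOS = [
    ("PFCG", "Z:US_AP_CLERK", "0000000101", "AGR_USERS", tabkey("Z:US_AP_CLERK", "JDOE"), "I"),
    ("PFCG", "Z:AC_BASIS_ADM", "0000000102", "AGR_USERS", tabkey("Z:AC_BASIS_ADM", "BSMITH"), "I"),
    ("PFCG", "Z:AC_BASIS_ADM", "0000000102", "AGR_1251", "100Z:AC_BASIS_ADM", "U"),
    ("PFCG", "Z:DE_AR_CLERK", "0000000103", "AGR_USERS", tabkey("Z:DE_AR_CLERK", "KMEIER"), "I"),
    ("PFCG", "Z:AC_BASIS_ADM", "0000000104", "AGR_USERS", tabkey("Z:AC_BASIS_ADM", "BSMITH"), "D"),
]

def assignment_changes(cdhdr, cdpos, roles, start, end):
    """Return (date, role, user, action, changed_by) for the given roles and period."""
    roles = set(roles)
    headers = {}
    for objclas, objid, changenr, changed_by, udate in cdhdr:
        day = datetime.strptime(udate, "%Y%m%d").date()
        if objclas == "PFCG" and objid in roles and start <= day <= end:
            headers[(objclas, objid, changenr)] = (day, changed_by)
    found = []
    for objclas, objid, changenr, tabname, key, ind in cdpos:
        hdr = headers.get((objclas, objid, changenr))
        if hdr is None or tabname != "AGR_USERS":
            continue  # other period, other role, or not a user assignment
        user = key[33:45].strip()  # user sits after client(3) + role(30)
        found.append((hdr[0].isoformat(), objid, user, ACTION.get(ind, ind), hdr[1]))
    return sorted(found)

if __name__ == "__main__":
    review = assignment_changes(CDHDR, CDPOS, ["Z:US_AP_CLERK", "Z:AC_BASIS_ADM"],
                                date(2008, 2, 1), date(2008, 2, 29))
    for row in review:
        print(*row, sep="  ")
```

Filtering the headers first by object class, role list and date keeps the item lookup limited to the change numbers that matter for the review.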

0 Kudos

since you got a naming convention for your roles you might want to consider using report RCS00120 on object PFCG.

caution: running this report without specifying at least a bit of the key will cause enormous memory consumption and might end in a TSV_TNEW_PAGE_ALLOC_FAILED. of course the performance of this report is slightly sub-optimal. you might want to consider running it in background.

as for performance of all reports concerned. you might want to consider archiving your user data using transaction SARA objects:

US_AUTH

US_PASS

US_PROF

US_USER

refer to SAP-documentation for details.

0 Kudos

Hello Mylene, All,

Is there a way the archive data can be accessed via SAP standard tcodes for objects like US_AUTH, US_PASS, US_PROF and US_USER? Is any Archive info structure (AIS) available for these objects?

Regards,

Ankit Goel

Former Member
0 Kudos

All,

just wanted to let you know that SAP meanwhile developed a new report RSUSR100N. I think it's only available with a certain SP level (at least in ECC 5.0).

The performance is much better and there's now also an option to enter multiple roles (ranges as well as multiple single values - i.e. the normal multiple selection option).

I therefore close this thread.

Regards

Petra