User Can Still Access Tcodes From Role That Has Already Expired

Former Member
0 Kudos

I've assigned some roles to users that allowed them access for only a certain period of time. This access expired a week ago, and I found out that they can still access the tcodes under the expired role. Why is this happening? I thought that when the role expired, users would no longer have access to it. Is there a way to automatically delete the roles when they reach their expiry date?

Thanks in advance!

10 REPLIES

Former Member
0 Kudos

Search the forum for the term "PFCG_TIME_DEPENDENCY", or the access is in a different role.

Cheers,

Julius

0 Kudos

I've already scheduled RHAUTUPD_NEW to run daily which is why I'm confused as to why users can still access the tcodes from the expired role. I don't see a difference between RHAUTUPD_NEW or PFCG_TIME_DEPENDENCY.

0 Kudos

Which release are you on, and how do you know they are accessing the tcodes?

I am not doubting that they are, just want to know where you get the information from. If it is from the Security Audit Log or the STAT collectors, then there are 2 logical explanations.

Check whether they have authority to use these transactions in other role(s), regardless of the S_TCODE(context) to start the use of it.

Cheers,

Julius

0 Kudos

I'm on ECC6 and it was the team lead that informed me about this. A member of his staff was able to access the tcode and create/post. They even got him to try again and he still could. Eventually I removed the role and it was only then that he no longer has access to the tcodes. FYI, the tcode is only in this expired role.

0 Kudos

Hi,

Make sure that PFCG_TIME_DEPENDENCY is functioning properly.

Once the report is scheduled and running in the background, it performs the User Master Comparison and deletes the profiles which are expired.

http://help.sap.com/saphelp_erp2005/helpdata/en/52/6711ec439b11d1896f0000e8322d00/frameset.htm

Rakesh

0 Kudos

> I'm on ECC6 and it was the team lead that informed me about this. A member of his staff was able to access the tcode and create/post.

I can imagine that it is difficult to solve a problem when there is no end user to contact.

> Eventually I removed the role and it was only then that he no longer has access to the tcodes.

So the problem is solved?

aamir_aamir
Explorer
0 Kudos

This message was moderated.

Former Member
0 Kudos

Hello,

Did you check whether the same transaction code is available in any other roles which are assigned to him/her?

1. There might be a possibility that the user is getting access to the same transaction code from a different valid role.

2. Check any standard profile assigned to that user.

Regards

Kiran.S

Former Member
0 Kudos

There is a possibility of another role having the same tcodes that you restricted.

So go to SUIM --> Roles by Complex Selection Criteria --> enter the username in the "Selection According to User Assignments" tab --> enter the tcode you blocked in "Selection by Assigned Application in Menu" --> Execute.

This will show the roles which have access to the tcodes you blocked.

From the corresponding role you can remove the tcode.

Former Member
0 Kudos

There are two options.

1. The user is authorized for the requested transactions through another role.

2. The required transaction is accessed through a called transaction.
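The two explanations raised in this thread (the expired role's profile was never removed by the user master comparison, or the same tcode reaches the user through another still-valid role) can be told apart from table exports. The following is an added example, not code from any poster; it assumes rows exported from AGR_USERS, AGR_1016, UST04 and AGR_TCODES in the tuple layouts shown, uses constructed sample data, and does not cover composite roles, manually assigned profiles or called transactions.

```python
# Constructed sample rows; the tuple layouts are an assumption about the export format.
AGR_USERS = [  # (AGR_NAME, UNAME, FROM_DAT, TO_DAT), dates as YYYYMMDD strings
    ("Z_TEMP_POSTING", "JDOE", "20240101", "20240131"),
    ("Z_TEMP_POSTING", "ASMITH", "20240101", "20240131"),
    ("Z_AP_CLERK", "ASMITH", "20230101", "99991231"),
]
AGR_1016 = [  # (AGR_NAME, PROFILE): generated profile of each role
    ("Z_TEMP_POSTING", "T-X1000001"),
    ("Z_AP_CLERK", "T-X1000002"),
]
UST04 = [  # (BNAME, PROFILE): profiles currently in the user master
    ("JDOE", "T-X1000001"),    # profile of the expired role is still present
    ("ASMITH", "T-X1000002"),  # expired role's profile is gone
]
AGR_TCODES = [  # (AGR_NAME, TCODE): tcodes in each role's menu
    ("Z_TEMP_POSTING", "FB01"),
    ("Z_AP_CLERK", "FB01"),
]


def explain_access(user, tcode, today, agr_users=AGR_USERS, agr_1016=AGR_1016,
                   ust04=UST04, agr_tcodes=AGR_TCODES):
    """Return the roles that explain why `user` can still start `tcode`."""
    roles_with_tcode = {role for role, t in agr_tcodes if t == tcode}
    profiles_of = {}
    for role, profile in agr_1016:
        profiles_of.setdefault(role, set()).add(profile)
    user_profiles = {p for bname, p in ust04 if bname == user}

    valid, expired = set(), set()
    for role, uname, from_dat, to_dat in agr_users:
        if uname != user or role not in roles_with_tcode:
            continue
        # YYYYMMDD strings sort chronologically, so string comparison is safe.
        (valid if from_dat <= today <= to_dat else expired).add(role)

    # A role counts as stale only if no assignment row for it is currently
    # valid and its generated profile is still in the user master.
    stale = {r for r in expired - valid if profiles_of.get(r, set()) & user_profiles}
    return {"stale_profiles": sorted(stale), "other_valid_roles": sorted(valid)}


if __name__ == "__main__":
    for name in ("JDOE", "ASMITH"):
        print(name, explain_access(name, "FB01", "20240207"))
```

A non-empty `stale_profiles` points at the user master comparison job; a non-empty `other_valid_roles` points at a second role granting the same tcode.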