06-26-2008 12:43 PM
Hello Gurus,
Is it normal to be able to assign the same role several times to the same users when defining different dates in field valid from with T-Code PFCG?
Furthermore, if I try to delete that double entry via T_code SU10, it does not work! I receive a green traffic light but nothing is updated at user assignment (table AGR-USERS). In the other, the function "add" roles works perfectly.
Kind regards
Chris
06-26-2008 12:58 PM
Hi,
It's normal to be able to add multiple roles with different date ranges.
The deletion is harder - if you put a wide date range then you will delete both entries for the role which isn't good.
A simple way would be to create a catt/ecatt which, based on AGR_USERS loops through each user at a time and removes the duplicates based on role name, valid from & valid to dates
06-26-2008 12:58 PM
Hi,
It's normal to be able to add multiple roles with different date ranges.
The deletion is harder - if you put a wide date range then you will delete both entries for the role which isn't good.
A simple way would be to create a catt/ecatt which, based on AGR_USERS loops through each user at a time and removes the duplicates based on role name, valid from & valid to dates
06-26-2008 1:01 PM
you can also use the actual version of report PRGN_COMPRESS_TIMES.
Unfortunately the developement of a CUA-enabled version is not finished yet. But in a standalone system it works fine.
b.rgds, Bernhard
06-26-2008 1:05 PM
Hello Alex
- It's normal to be able to add multiple roles with different date ranges. => What is the goal behind that?
- The deletion is harder - if you put a wide date range then you will delete both entries for the role which isn't good. => In my case I have specified a date because the date maintained in field valid from is different. Then only one line should be deleted. If it does not work, why this button is available ?
Kind regards
Chris
Edited by: Tison Christofer on Jun 26, 2008 2:05 PM
Edited by: Tison Christofer on Jun 26, 2008 2:06 PM
06-26-2008 1:25 PM
I don't know what the goal is, I don't really use the dates other than expiration.
Have you also selected to delete profiles too?
06-26-2008 2:19 PM
Hi Tison,
Q1: 2 reasons:
a) organisatoric question: a user may have his roles form different tasks he fulfills in his organisation.
For instance (ok I know it is a cheap example...) a FI-superuser has authorization through role FI-SUPERUSER all the time. Additionally he gets this role assigned a second time as supervisor as he is member of the year end project from december 1st to december 31st.
For the user admin it might be easier to assign this second assignement to all members of the supervisor group,(and removing it again by 1.1.) than check first each user, if he has already this role and except them form that assignement.
b) second reason - the historic one.
Maybe you are too young, but there have been times, when no change logs existed for role assignements. Only profile assignements have been logged.
It was not possible to check, in which intervals in the past a user had a role assigned. Only a look into SU01 (resp agr_users) gave that information (if the admin had not deleted the expired assignements).
Q2: removal.
please have a look at the solution of [SAP Note 312943|https://service.sap.com/sap/support/notes/312943] -->point 2.
I think that is a good source to explain, what happens in SU10 with multiple assignements.
Once again: there is the report PRGN_COMPRESS_TIMES to merge such multiple assignements.
b.rgds, Bernhard
06-26-2008 2:35 PM
>
> you can also use the actual version of report PRGN_COMPRESS_TIMES.
rightly.... I would just go with this
> Unfortunately the developement of a CUA-enabled version is not finished yet. But in a standalone system it works fine.
>
I have heard via ASUG that CUA might be scrapped totally. Not sure if SAP would enhance any functionality further
06-26-2008 3:25 PM
>
> I have heard via ASUG that CUA might be scrapped totally. Not sure if SAP would enhance any functionality further
Those rumours have been flying about since 2003 & it's still alive & kicking
06-26-2008 4:59 PM
06-27-2008 11:12 AM
Hi,
no news from SAP.
Also in the next release, which is developed right now, CUA is supported....
b.rgds, Bernhard
07-23-2009 9:45 AM
Also in the next release, which is developed right now, CUA is supported....
b.rgds, Bernhard
When?
07-23-2009 12:08 PM
Easy way to delete the double entry roles through SU10 is give the Validity range of role form 01.01.0001 to 31.12.9999 and delete it. Whcih will delete the all the entries, If you really require role(Single entry) again assign it through SU10.