User Comparison

Is there a way to run user comparison for a particular user, not for all users, through PFUD or PFCG_TIME_DEPENDENCY?

The problem is we have two types of user administrator:

A. Who only creates blank accounts for users

B. Who assigns roles to user accounts as per requirement.

But those who assign roles to user accounts through PFCG do not have access to run user comparison. Every time, they contact the other administrator to run user comparison. These administrators do not have change access for SU01.

The issue in this case is that although roles are assigned by B, the change log of the user shows roles assigned by A, as he is the one who runs the comparison.

4 Answers

  • Former Member
    Oct 17, 2008 at 12:47 PM

    Hi Manish,

    It looks to me that your company is following good Segregation of Duties practice for Basis SoD Conflicts.

    I agree that User Creation and Role Assignment must be handled by two people in an ideal case although most companies will have both authorizations given to a single Basis person.

    I don't understand why User Comparison is a big problem, because in most cases there will be a background job running daily to reconcile User Master data.

    I strongly suggest that only 2 people be involved for (User Creation) and (Role Assignment+User Comparison).

    It is the background job that will do the User Comparison and Profile Adjustment of all roles on a daily basis.

    Regards,

    Kiran Kandepalli.

    • Former Member Manish Shrivastava

      I agree with Saby here.

      The only other way I can think of is to use one of the exits for user management to run the compare each time a user:role assignment changes in PFCG on the event "user_save"... but I don't think you will have a security gain from this and the exit (I am told by a very reliable source) is obsolete in a coming release anyway.

      Rather enjoy the weekend 😊

      Cheers,

      Julius

  • Former Member
    Oct 17, 2008 at 11:42 AM

    Your basic problem is that (as far as I know) a user compare implies a change to the user master record.

    That cannot be done without sufficient rights.

    • The role for user 'B' appears to need additional authorizations. They probably have PFCG but this should have included S_USER_GRP auth object. There is a separate activity value for this object that permits the assignment of roles to users. You should verify that this role has this object and the correct activity code included.

  • Former Member
    Oct 17, 2008 at 12:43 PM

    If I remember correctly, the user comparison is checking the role (S_USER_AGR) and the profile (S_USER_PRO) authority for the activity of assigning users to them (actvt 22).

    That should be sufficient to separate the two, but there is also a customizing switch in table PRGN_CUST via which you can force an S_TCODE check on 'PFUD' regardless of whether the user is running it from PFCG or PFUD or SM37... => place your cursor in the field "PATH" and hit F4 on the keyboard. The documentation implies that you can only do a user comparison from tcode PFUD, which is not exactly true... but rather that you only can if you are authorized for PFUD tcode.

    Cheers,

    Julius

  • Former Member
    Oct 18, 2008 at 07:09 PM

    Report PFCG_TIME_DEPENDENCY must also be run after each import of roles from other systems.

    Using Transaction PFUD, Compare User Master

    As an administrator, it is recommended that you use this transaction regularly to check that no errors have occurred in the background job. Any such errors can then be corrected manually.

    To ensure that the authorization profiles in the user master records are always current, you should always execute a complete comparison of all roles (by choosing Complete comparison).

    Following the comparison the system displays a log which includes any errors that occurred (background processing log for background report).

    You have the following options in Transaction PFUD:

    Schedule or check job for the full comparison

    Here you can start report PFCG_TIME_DEPENDENCY by specifying the time when the job is to start. The overview displays the status of jobs that have already been scheduled.

    In your case, you have to go for Manual profile selection.

    Manual profile selection

    Before scheduling the PFCG_TIME_DEPENDENCY job for comparing the user master record, you can select the profiles that are to be compared. The system displays an overview of the user master records to which profiles have been added, or from which profiles have been removed, during the comparison. If you deselect the relevant checkbox, you can exclude the profiles that should not be included in the user master record comparison. You start the comparison by choosing User master cmp.

    Regards

    Anandm
