
User Comparison

former_member585246
Discoverer
0 Kudos

Is there a way to run user comparison for a particular user, not for all users, through PFUD or PFCG_TIME_DEPENDENCY?

Problem is we have two types of user administrator

A. Who only creates blank account for user

B. Who assigns roles into user accounts as per requirement.

But those who assign roles into user accounts through PFCG do not have access to run user comparison. Every time, they contact the other administrator to run user comparison. These administrators do not have change access for SU01.

The issue in this case is that although roles are assigned by B, the change log of the user shows roles assigned by A, as he is the one who ran the comparison.

8 REPLIES 8

jurjen_heeck
Active Contributor
0 Kudos

Your basic problem is that (as far as I know) a user compare implies a change to the user master record.

That cannot be done without sufficient rights.

ps0907
Active Participant
0 Kudos

The role for user 'B' appears to need additional authorizations. They probably have PFCG but this should have included S_USER_GRP auth object. There is a separate activity value for this object that permits the assignment of roles to users. You should verify that this role has this object and the correct activity code included.

Former Member
0 Kudos

If I remember correctly, the user comparison is checking the role (S_USER_AGR) and the profile (S_USER_PRO) authority for the activity of assigning users to them (actvt 22).

That should be sufficient to separate the two, but there is also a customizing switch in table PRGN_CUST via which you can force an S_TCODE check on 'PFUD' regardless of whether the user is running it from PFCG or PFUD or SM37... => place your cursor in the field "PATH" and hit F4 on the keyboard. The documentation implies that you can only do a user comparison from tcode PFUD, which is not exactly true... but rather that you only can if you are authorized for PFUD tcode.

Cheers,

Julius

Former Member
0 Kudos

Hi Manish,

It looks to me that your company is following good Segregation of Duties practice for Basis SoD Conflicts.

I agree that User Creation and Role Assignment must be handled by two people in an ideal case although most companies will have both authorizations given to a single Basis person.

I don't understand why User Comparison is a big problem, because in most cases there will be a Background job running daily to reconcile User Master data.

I strongly suggest that only 2 people be involved for (User Creation) and (Role Assignment+User Comparison)

It is the background job that will do the User Comparison and Profile Adjustment of all roles on a daily basis.

Regards,

Kiran Kandepalli.

0 Kudos

Hi Kiran,

You are right that the background job will reconcile the data.

In our case also, user comparison is done by the background job at the end of the day.

The problem is that when the Role administrator assigns a number of roles into a user account and the user wants to use his account immediately, we have to do user comparison by selecting each and every role. It is a bit of a time-consuming task.

The other thing is, as we are using a SOX tool, when I run the user comparison for a role, it adds my name in all user master records for which user comparison was not done, showing that I have added that role into their account.

My only query is:

__Is there a way to run user comparison for a single user?__

0 Kudos

Hi Manish,

I don't think it's possible to run user comparison for a single user, however I'm not very sure.

My understanding is that whenever we run a user comparison, you would notice that the comparison is basically initiated through the roles, be it in PFUD or through the role assignment tab of a particular role in PFCG.

Probably, the algorithm opted for by SAP is such that the user master record is only updated through the comparison of roles and not through a user assigned to the roles.

Thanks,

Saby..

0 Kudos

I agree with Saby here.

The only other way I can think of is to use one of the exits for user management to run the compare each time a user:role assignment changes in PFCG on the event "user_save"... but I don't think you will have a security gain from this and the exit (I am told by a very reliable source) is obsolete in a coming release anyway.

Rather enjoy the weekend

Cheers,

Julius

Former Member
0 Kudos

Report PFCG_TIME_DEPENDENCY must also have run after each import of role from other systems.

Using Transaction PFUD, Compare User Master

As an administrator, it is recommended that you use this transaction regularly to check that no errors have occurred in the background job. Any such errors can then be corrected manually.

To ensure that the authorization profiles in the user master records are always current, you should always execute a complete comparison of all roles (by choosing Complete comparison).

Following the comparison the system displays a log which includes any errors that occurred (background processing log for background report).

You have the following options in Transaction PFUD:

Schedule or check job for the full comparison

Here you can start report PFCG_TIME_DEPENDENCY by specifying the time when the job is to start. The overview displays the status of jobs that have already been scheduled.

In your case, you have to go for Manual profile selection.

Manual profile selection

Before scheduling the PFCG_TIME_DEPENDENCY job for comparing the user master record, you can select the profiles that are to be compared. The system displays an overview of the user master records to which profiles have been added, or from which profiles have been removed, during the comparison. If you deselect the relevant checkbox, you can exclude the profiles that should not be included in the user master record comparison. You start the comparison by choosing User master cmp.

Regards

Anandm