
PFCG_TIME_DEPENDENCY not removing expired roles!

Former Member
0 Kudos

In our company we have a process where certain security roles are assigned to non-employees for a period of 6 months. Recently we noticed via SU01 that many of the users still have those roles assigned even if the role had expired in the UMR. We have PFCG_TIME_DEPENDENCY set up to run daily as a BG job.

Is PFCG_TIME_DEPENDENCY designed to remove the expired roles from UMRs? If yes, what may be the reason it is not working for us? If no, what other ways can we automatically remove the expired roles from the users?

14 REPLIES 14

Former Member
0 Kudos

Think about it...

You are not removing the role, only time delimiting it.

You are TIME DEPENDENTLY for your job removing the authorizations for the user to actually be able to do something. That counts on the ABAP side for PFCG and transports. SU01 is different.

Java systems with ABAP UME roles are a slightly different variant as well.

Cheers,

Julius

0 Kudos

I agree that the user's authorization is no longer valid once the roles expire, but it still shows via SU01 as still assigned. For some users the list of expired roles assigned to them is long and someone has to manually remove them. PFCG_TIME_DEPENDENCY doesn't do it?

0 Kudos

So you are looking for a reporting requirement?

Try SUIM to consider the real authorizations and their validity. The "meta data" is irrelevant if you do a compare, save in SU01 or wait until midnight.

If you want a "morning after pill" then see report RSUSR405.

I suspect that you have some reporting based on selects of single fields of SAP tables which you have interpreted to be the correct ones, and expect that SAP works the same way that you think.

Well... you are not on your own in that assumption - but you are still wrong, together with many "guilty" developers.

Cheers,

Julius

0 Kudos

Which authorization analysis tool are you using?

0 Kudos

Maybe I wasn't clear in my question.

A user is assigned a role via SU01 and in the Valid to date it is set up to expire in 6 months. After six months the role expires and the light turns red. It remains like this until someone manually removes it via SU01. We have this situation with 1000s of users, so manually removing the expired role from each user is not an option.

My question is, how can we remove expired roles from users without manually removing them via SU01? I did some checking in the past threads and found that PFCG_TIME_DEPENDENCY is not designed to do this. If this is the case, what options do we have to REMOVE the expired roles from UMRs in batch mode?

0 Kudos

Perhaps you want to read some of the help.sap.com documentation on roles and profiles?

Using a search here on SDN for the difference will help you further, more likely. Some of the interview question threads are old, so extend the date range.

Again, which reporting tool are you using?

It appears to be badly programmed or misinterpreting the relational nature of SAP tables in a relational database. That happens when you use SE16 too much...

Cheers,

Julius

0 Kudos

ps: Are you ONLY using the delimitation of roles? So never removing them? Depending on your naming convention and number of roles, your overview will eventually be screwed.

In that you are correct...

But if you build bigger and better roles then you should be okay. It is an art form actually and you cannot respond to each request with a new role... but it does work if you have a plan which is sustainable.

Cheers,

Julius

0 Kudos

PRGN_COMPRESS_TIMES

0 Kudos

> PRGN_COMPRESS_TIMES

As they say on the Internet: "This!".

If I recall correctly, PFCG_TIME_DEPENDENCY removes the profile(s) associated with the role from the user master record; effectively removing the authorizations. PRGN_COMPRESS_TIMES removes the actual role entry from the UMR.

0 Kudos

Hello Julius.

I have found your reply very helpful!! But I have had another problem/question which has given me some headaches.

I am facing the problem that whenever I assign a role to any user via SU01, I notice that when I go to check it in the PFCG transaction, the user master is outdated because it is marked with the yellow light.

This seems odd to me and there is no sign that this job PFCG_TIME_DEPENDENCY is running or I can't figure out how to find it, in order to determine that the system can automatically update the user master record by itself. What is the reason for this?

Anyway, I have worked in other systems and this behaviour doesn't happen. I normally do a role assignment via SU01 and I don't find that the user master is outdated when I check the role in PFCG (because it shows a green light). As far as I know, the system should update this record by itself whenever you assign a role via SU01 after you click on save.

Any help on this would be kindly appreciated!

Best regards.

Private_Member_119218
Active Participant
0 Kudos

Julius,

The thing is - auditors are visual creatures, as are most managers. As far as they are concerned, SAP authorizations for user are based on the roles assigned to the user in question. So if the user has the role, he obviously must have the authorizations! Right!?

The answer is not that simple; and we know it. But no one likes a UMR polluted with expired roles - least of all the two aforementioned creatures. PRGN_COMPRESS_TIMES is the solution for keeping it tidy and, most importantly, relevant.

0 Kudos

This problem is magnified when combined with tools which download tables (sometimes the wrong ones, or wrong single fields) and draw conclusions from them.

Just because the peanut gallery is in the majority, does not make the situation any better.

But I agree: PRGN_COMPRESS_TIMES is very useful anyway to clean up the duplicates so that a good auditor does not ask why there are duplicates....

Cheers,

Julius

0 Kudos

Hi all,

Can this program run in CUA?

If not, what is the solution for this in an active CUA landscape?

0 Kudos

Hi Sandeep,

You need to disconnect the child client by running RSDELCUA.

Then run PRGN_COMPRESS_TIMES in the child system with "remove validity periods that have already expired" checked.

Now re-connect the systems.
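
Added example, not part of any post in this thread and not SAP's code: a small Python model of the clean-up the replies attribute to PRGN_COMPRESS_TIMES, namely collapsing duplicate or overlapping validity periods for the same user and role and, with the "remove expired" option, dropping periods that have already ended. The user names, role names and dates are constructed, and treating directly adjacent periods as mergeable is an assumption of this model. It works on role assignment entries only and says nothing about a user's effective authorizations.

```python
from datetime import date, timedelta

# Constructed sample rows: (user, role, valid_from, valid_to). All names are made up.
SAMPLE = [
    ("CONTRACTOR1", "Z_VENDOR_DISPLAY", date(2023, 1, 1), date(2023, 6, 30)),
    ("CONTRACTOR1", "Z_VENDOR_DISPLAY", date(2023, 6, 15), date(2023, 12, 31)),
    ("CONTRACTOR1", "Z_VENDOR_DISPLAY", date(2024, 1, 1), date(2024, 3, 31)),
    ("CONTRACTOR1", "Z_PO_CREATE", date(2023, 1, 1), date(2023, 6, 30)),
    ("CONTRACTOR2", "Z_VENDOR_DISPLAY", date(2024, 1, 1), date(9999, 12, 31)),
    ("CONTRACTOR2", "Z_VENDOR_DISPLAY", date(2024, 1, 1), date(9999, 12, 31)),
]


def compress(rows, today, drop_expired=True):
    """Merge overlapping or adjacent validity periods per (user, role).

    Returns (kept, removed). With drop_expired=True, merged periods that
    ended before `today` go to `removed` instead of `kept`.
    """
    grouped = {}
    for user, role, start, end in rows:
        grouped.setdefault((user, role), []).append((start, end))

    kept, removed = [], []
    for (user, role), periods in sorted(grouped.items()):
        merged = []
        for start, end in sorted(periods):
            if merged:
                last_start, last_end = merged[-1]
                # Open-ended periods (9999-12-31) absorb everything after them;
                # checking this first also avoids overflowing date.max + 1 day.
                if last_end == date.max or start <= last_end + timedelta(days=1):
                    merged[-1] = (last_start, max(last_end, end))
                    continue
            merged.append((start, end))
        for start, end in merged:
            expired = end < today
            target = removed if (drop_expired and expired) else kept
            target.append((user, role, start, end))
    return kept, removed


if __name__ == "__main__":
    kept, removed = compress(SAMPLE, today=date(2024, 2, 1))
    for row in kept:
        print("keep  ", *row)
    for row in removed:
        print("remove", *row)
```
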