Skip to Content
avatar image
Former Member

PFCG_TIME_DEPENDENCY not removing expired roles!

In our company we have a process where certain security roles are assigned to non employees for a period of 6 months. Recently we noticed via. SU01 that many of the users still have those roles assigned if the rol had expired in the UMR. We have PFCG_TIME_DEPENDENCY setup to run daily as BG job.

Is PFCG_TIME_DEPENDENCY is desgned to remove the expired roles from UMRs?If yes, what may be the reason, it is not workng for us. If no, what other ways we can automatically remove the expired roles from the users?

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • avatar image
    Former Member
    Jan 20, 2010 at 09:01 PM

    Think about it...

    You are not removing the role, only time delimiting it.

    You are TIME DEPENDENTLY for your job removing the authorizations for the user to actually be able to do something. That counts on the ABAP side for PFCF and transports. SU01 is different.

    Java systems with ABAP UME roles are a slightly different variant as well.

    Cheers,

    Julius

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      Hello Julius.

      I have found your reply very helpful!!  But I have had another problem/question which has given me some headaches 🤪


      I am facing, that whenever I assign to any user a role via SU01, I notice that when I go to check it on PFCG transaction, the user master is out-dated because it is marked with the yellow light.

      This seems odd to me and there is no sign that this job PFCG_TIME_DEPENDENCY is running or I can't figure out how to find it, in order to determine that the system can automatically update the user master record by itself. What is the reason for this?

      Anyway, I have worked into other systems and this behaviour doesn't happen. I normally do a role assignation via SU01 and I don't find that the user master is out-dated when I check the role on PFCG (because it marks green light). As far as I know, the system should update this record by itself whenever you assign a role via SU01 after you click on save.

      Any help on this would be kindly appreciated!

      Best regards.

  • Jan 21, 2010 at 08:39 AM

    Julius,

    The thing is - auditors are visual creatures, as are most managers. As far as they are concerned, SAP authorizations for user are based on the roles assigned to the user in question. So if the user has the role, he obviously must have the authorizations! Right!?

    The answer is not that simple; and we know it. But no one likes a UMR polluted with expired roles - least of all the two aforementioned creatures. PRGN_COMPRESS_TIMES is the solution for keeping it tidy and, most importantly, relevant. 😊

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      Hi Sandeep,

      You need to disconnect the child client by running RSDELCUA.

      Then run PRGN_COMPRESS_TIMES in the child system with "remove validity periods that have already expired" checked.

      Now re-connect the systems. 😊