Hi there,
Today I faced the issue below.
When comparing a single role from the Dev system with the QAS system via SUIM, it showed that the role in QAS does not contain some auth objects, whereas they existed in PFCG/AGR_1251 (after the transport was imported into QA). As far as I know, SUIM uses UST* tables for reporting. I checked the UST12 table (the only UST* table the transport consisted of) and found that indeed some objects were missing for certain profiles.
The transport logs for the import phase into QA showed entries like this:
3 entries for UST12 imported (100V_VBAK_AATT-ED78820508A*).#
0 d / 0 i / 0 u / 4 = 100% ucf UST12 #
4 entries for UST12 imported (100V_VBAK_VKOT-ED78820508A*).#
3 entries from UST12 (100V_VBRK_FKAT-ED78820500A%) deleted.#
0 entries from UST12 (100V_VBRK_FKAT-ED78820500A%) deleted.#
0 d / 0 i / 0 u / 3 = 100% ucf UST12 #
3 entries for UST12 imported (100V_VBRK_FKAT-ED78820512A*).#
3 entries from UST12 (100V_VBRK_VKOT-ED78820500A%) deleted.#
0 entries from UST12 (100V_VBRK_VKOT-ED78820500A%) deleted.#
0 d / 0 i / 0 u / 3 = 100% ucf UST12 #
3 entries for UST12 imported (100V_VBUK_FRET-ED78820510A*).#
8 entries from UST12 (100ZERU_BUKRST-ED78820500A%) deleted.#
0 entries from UST12 (100ZERU_BUKRST-ED78820500A%) deleted.#
A newer transport that changed other objects of this role did not contain "deleted" entries in the transport log for the UST12 table, only "imported" ones. After moving this to QA, UST12 was "synced" with AGR* and the SUIM comparison report works as expected.
What is the reason for TMS to not import all entries for UST12 but to delete some?
I tend to think this could happen again and confuse those people using SUIM for security change controls in our organization.
I checked recent notes regarding SUIM reports but it looks like they have been implemented already.
Thanks in advance,
Igor
Hi,
Possibly changes were made to the role in DEV after it had been inserted into the transport. In contrast to normal transports, role transports behave a bit differently at the moment. You should insert the role into a transport only after you have finished your changes and generated the profile.
As per your description, it would have been sufficient to generate the profile in QAS to have the current profile again. At generation the AGR_data is put into the USR/UST* tables.
To avoid further inconsistencies after a role transport, you should strictly follow the standard procedure for transporting roles (create the transport only after finishing any updates to that role).
b.rgds, Bernhard
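An added example, not part of either post: a small Python check that reads import-log lines in the format quoted in the question and lists authorization objects whose UST12 rows were deleted with no import for the same object in that log, as candidates for comparing AGR_1251 and regenerating the profile. It assumes the logged UST12 key is MANDT(3) + OBJCT(10) + AUTH(12) + AKTPS(1); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Assumption: logged UST12 key = MANDT(3) + OBJCT(10) + AUTH(12) + AKTPS(1).
KEY = re.compile(r"^(?P<client>\d{3})(?P<obj>.{10})(?P<auth>.{12})(?P<aktps>.)$")
IMPORTED = re.compile(r"(\d+) entries for UST12 imported \((.+?)\*\)")
DELETED = re.compile(r"(\d+) entries from UST12 \((.+?)%\) deleted")

# Lines copied from the log excerpt in the question above.
SAMPLE_LOG = """\
3 entries for UST12 imported (100V_VBAK_AATT-ED78820508A*).#
3 entries from UST12 (100V_VBRK_FKAT-ED78820500A%) deleted.#
0 entries from UST12 (100V_VBRK_FKAT-ED78820500A%) deleted.#
0 d / 0 i / 0 u / 3 = 100% ucf UST12 #
3 entries for UST12 imported (100V_VBRK_FKAT-ED78820512A*).#
8 entries from UST12 (100ZERU_BUKRST-ED78820500A%) deleted.#
0 entries from UST12 (100ZERU_BUKRST-ED78820500A%) deleted.#
"""

def summarize(log_text):
    """Return {(client, object): {"deleted": n, "imported": n}} for UST12 rows."""
    totals = defaultdict(lambda: {"deleted": 0, "imported": 0})
    for line in log_text.splitlines():
        for action, pattern in (("imported", IMPORTED), ("deleted", DELETED)):
            m = pattern.search(line)
            key = KEY.match(m.group(2)) if m else None
            if key:
                obj = (key["client"], key["obj"].rstrip())
                totals[obj][action] += int(m.group(1))
    return dict(totals)

def deleted_without_import(log_text):
    """Objects whose UST12 rows were deleted with nothing imported in this log."""
    return sorted(obj for obj, c in summarize(log_text).items()
                  if c["deleted"] > 0 and c["imported"] == 0)

if __name__ == "__main__":
    for client, obj in deleted_without_import(SAMPLE_LOG):
        print(f"client {client}: {obj} deleted from UST12, no import in this log; "
              "compare AGR_1251 and regenerate the profile if needed")
```

A hit is only a pointer for review: it reflects the log text supplied, so a truncated excerpt can produce it as well.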