06-12-2008 7:48 PM
I've assigned some roles to users that allowed them access for only a certain period of time. This access expired a week ago and I found out that they can still access the tcodes under the expired role. Why is this happening? I thought that when the role expired, users would no longer have access to it. Is there a way to automatically delete the roles when they reach their expiry date?
Thanks in advance!
06-12-2008 8:03 PM
Search the forum for the term "PFCG_TIME_DEPENDENCY", or the access is in a different role.
Cheers,
Julius
06-12-2008 9:21 PM
I've already scheduled RHAUTUPD_NEW to run daily, which is why I'm confused as to why users can still access the tcodes from the expired role. I don't see a difference between RHAUTUPD_NEW and PFCG_TIME_DEPENDENCY.
06-12-2008 9:41 PM
Which release are you on, and how do you know they are accessing the tcodes?
I am not doubting that they are, just want to know where you get the information from. If it is from the Security Audit Log or the STAT collectors, then there are 2 logical explanations.
Check whether they have authority to use these transactions in other role(s), regardless of the S_TCODE(context) to start the use of it.
Cheers,
Julius
06-12-2008 10:01 PM
I'm on ECC6 and it was the team lead that informed me about this. A member of his staff was able to access the tcode and create/post. They even got him to try again and he still could. Eventually I removed the role and it was only then that he no longer had access to the tcodes. FYI, the tcode is only in this expired role.
06-13-2008 12:55 AM
Hi,
Make sure that PFCG_TIME_DEPENDENCY is functioning properly.
Once the report is scheduled and running in the background, it performs the User Master Comparison and deletes the profiles which are expired.
http://help.sap.com/saphelp_erp2005/helpdata/en/52/6711ec439b11d1896f0000e8322d00/frameset.htm
Rakesh
06-13-2008 6:56 AM
> I'm on ECC6 and it was the team lead that informed me about this. A member of his staff was able to access the tcode and create/post.
I can imagine that it is difficult to solve a problem when there is no end user to contact.
> Eventually I removed the role and it was only then that he no longer has access to the tcodes.
So the problem is solved?
02-26-2014 12:54 PM
02-27-2014 9:12 AM
Hello,
Did you check whether the same transaction code is available in any other roles which are assigned to him/her?
1. There might be a possibility that the user is getting access to the same transaction code from a different valid role.
2. Check any standard profile assigned to that user.
Regards
Kiran.S
02-27-2014 9:27 AM
There is a possibility of another role having the same tcodes that you restricted.
So go to SUIM --> Roles by Complex Selection Criteria --> enter USERNAME in the "Selection According to User Assignments" tab --> enter the tcode you blocked in "Selection by Assigned Application in Menu" --> Execute.
This will show the roles which have access to the tcodes you blocked.
From the corresponding role you can remove the tcode.
02-27-2014 4:57 PM
There are two options.
1. The user is authorized for the requested transactions through another role.
2. The required transactions are accessed through any called transaction.
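Added example, not part of the thread and not SAP code: a small offline check that separates the two causes discussed above, an expired assignment whose generated profile is still in the user master (comparison not run) versus the same tcode coming from another valid role. It assumes exports shaped like the standard tables AGR_USERS, AGR_1016, UST04 and AGR_1251; all rows, role names and profile names are constructed, and S_TCODE ranges and wildcards are ignored.

```python
from datetime import date

# Constructed sample rows; role and profile names are hypothetical.
AGR_USERS = [  # (UNAME, AGR_NAME, FROM_DAT, TO_DAT)
    ("JDOE", "Z_TEMP_POSTING", date(2008, 5, 1), date(2008, 6, 5)),
    ("JDOE", "Z_DISPLAY", date(2008, 1, 1), date(9999, 12, 31)),
    ("ASMITH", "Z_TEMP_POSTING", date(2008, 5, 1), date(2008, 6, 5)),
    ("ASMITH", "Z_AP_CLERK", date(2008, 1, 1), date(9999, 12, 31)),
]
AGR_1016 = {  # AGR_NAME -> generated PROFILE
    "Z_TEMP_POSTING": "T-TEMP0001",
    "Z_DISPLAY": "T-DISP0001",
    "Z_AP_CLERK": "T-APCL0001",
}
UST04 = [  # (BNAME, PROFILE) actually present in the user master
    ("JDOE", "T-TEMP0001"), ("JDOE", "T-DISP0001"), ("ASMITH", "T-APCL0001"),
]
AGR_1251 = [  # (AGR_NAME, OBJECT, FIELD, LOW)
    ("Z_TEMP_POSTING", "S_TCODE", "TCD", "FB01"),
    ("Z_DISPLAY", "S_TCODE", "TCD", "FB03"),
    ("Z_AP_CLERK", "S_TCODE", "TCD", "FB01"),
]

def role_tcodes(role):
    """Single-value S_TCODE entries of a role (ranges/wildcards not handled)."""
    return {low for r, obj, fld, low in AGR_1251
            if r == role and obj == "S_TCODE" and fld == "TCD"}

def explain_access(user, tcode, today):
    """List (reason, role) pairs explaining why `user` can start `tcode`."""
    held = {p for u, p in UST04 if u == user}
    reasons = []
    for u, role, start, end in AGR_USERS:
        if u != user or tcode not in role_tcodes(role):
            continue
        in_master = AGR_1016.get(role) in held
        if not in_master:
            continue  # profile already removed: this role grants nothing
        valid = start <= today <= end
        reasons.append(("valid_role" if valid else "stale_profile", role))
    return reasons

if __name__ == "__main__":
    for user in ("JDOE", "ASMITH"):
        print(user, explain_access(user, "FB01", date(2008, 6, 12)))
```

A `stale_profile` result points at the user master comparison job; a `valid_role` result points at a second role that still grants the transaction.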