User role comparison

Compare user assignments

When you have updated a role this update needs to be reconciled with the existing users assigned to the role. This blog will explain how to do this.

Questions that will be answered are:

  • How to execute user role comparison?
  • How to perform mass execution?
  • What should I do in a productive system?

User compare in role building

User compare in role building is pretty easy. In PFCG when you get the yellow traffic light in the user tab the screen looks as follows:

Role user comparison

Simply hit the User Comparison button and you are done:

After PFUD run

Mass run of user comparison

With transaction PFUD you can do a mass user assignment comparison:

PFUD start screen

More information on PFUD can be found in OSS note 511200 – PFCG/PFUD/SU01/SU10: Role assignment and profile comparison.

Bug fix notes:

Running after transports and running in productive system

When you transport a role some changes might end up into the roles being updated, but the user comparison is not done. The end result is that the assigned authorization does not work, and you might get lots of complaints.

In oss note 571276 – PFCG: Transport of roles, SAP explains regarding the cleanup option: “If you schedule the user comparison in a way that means that there might be time overlaps with role imports, you should always deactivate the “Cleanups” option. Otherwise, imported profile data might be deleted.” and “The cleanup is not a security issue, so it does not have to be active for every comparison. Experience shows that it is sufficient to execute it once a week. However, it must be scheduled so that no role import is in progress at the same time.”.

That’s why it is wise to run the program behind PFUD, RHAUTUPD_NEW, in each system on daily or bi-daily basis without the cleanup option. And run it once per week in the weekend with the cleanup option enabled.

PFUD_AIMP transaction

OSS note 2734455 – Optimized user comparison after role imports contains optimized way for the comparison in some cases when you transport roles. It also explains the new PFUD_AIMP transaction.

One thought on “User role comparison”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.