When you run a system for a longer time, you might see that users have obsolete roles assigned (end validity date in the past), or have the same role assigned multiple times.
With the role user assignment compression program you can clean this up.
Questions that will be answered in this blog are:
How can I remove roles from expired users?
How can I remove duplicate roles from users?
How can I remove overlapping date ranges for roles assigned to users?
Role user assignment compression program
Select the Delete Expired Assignments option to also delete role assignments with a validity date in the past.
If you want, you can first run the program with the simulation option to see what it will do, and then run it without the simulation option to perform the actual clean up.
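To preview the effect on an exported assignment list, the sketch below models the three clean-ups named above: expired, duplicate and overlapping assignments. It is an added example, not SAP's program code. The user and role names are constructed, and the merge rule (identical or overlapping ranges for the same user and role collapse into one, ranges that do not overlap stay separate) is an assumption about what compression means.

```python
from collections import defaultdict
from datetime import date

def compress_assignments(rows, today, delete_expired=True):
    """Model of assignment compression (illustrative, not SAP code).

    rows: iterable of (user, role, valid_from, valid_to).
    Returns (kept, removed); removed rows carry a reason string.
    """
    grouped = defaultdict(list)
    removed = []
    for user, role, start, end in rows:
        if delete_expired and end < today:
            removed.append((user, role, start, end, "expired"))
        else:
            grouped[(user, role)].append((start, end))
    kept = []
    for (user, role), ranges in sorted(grouped.items()):
        ranges.sort()
        cur_start, cur_end = ranges[0]
        for start, end in ranges[1:]:
            if start <= cur_end:
                # Duplicate or overlapping range: fold it into the current one.
                removed.append((user, role, start, end, "merged"))
                cur_end = max(cur_end, end)
            else:
                kept.append((user, role, cur_start, cur_end))
                cur_start, cur_end = start, end
        kept.append((user, role, cur_start, cur_end))
    return kept, removed

# Constructed sample data: one expired, one duplicate, one overlapping range.
OPEN_END = date(9999, 12, 31)
SAMPLE = [
    ("ALICE", "Z_FI_CLERK", date(2020, 1, 1), date(2021, 12, 31)),
    ("ALICE", "Z_FI_CLERK", date(2023, 1, 1), OPEN_END),
    ("ALICE", "Z_FI_CLERK", date(2023, 1, 1), OPEN_END),
    ("BOB", "Z_MM_BUYER", date(2023, 1, 1), date(2024, 6, 30)),
    ("BOB", "Z_MM_BUYER", date(2024, 3, 1), date(2025, 12, 31)),
    ("BOB", "Z_MM_BUYER", date(2027, 1, 1), date(2027, 12, 31)),
]

if __name__ == "__main__":
    kept, removed = compress_assignments(SAMPLE, today=date(2024, 1, 15))
    for row in removed:
        print("would remove:", row)
    for row in kept:
        print("would keep:  ", row)
```

Calling it with delete_expired=False corresponds to leaving the Delete Expired Assignments option unselected, so only duplicates and overlaps are folded.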
Running after transports and running in productive system
When you transport a role, the role itself might be updated in the target system while the user comparison is not done. The end result is that the assigned authorizations do not work, and you might get lots of complaints.
In OSS note 571276 – PFCG: Transport of roles, SAP explains regarding the cleanup option: “If you schedule the user comparison in a way that means that there might be time overlaps with role imports, you should always deactivate the “Cleanups” option. Otherwise, imported profile data might be deleted.” and “The cleanup is not a security issue, so it does not have to be active for every comparison. Experience shows that it is sufficient to execute it once a week. However, it must be scheduled so that no role import is in progress at the same time.”
That’s why it is wise to run the program behind PFUD, RHAUTUPD_NEW, in each system on a daily or bi-daily basis without the cleanup option, and to run it once per week, at the weekend, with the cleanup option enabled.