Role user assignment compression

When a system has been running for a long time, you may find users with obsolete role assignments (end validity date in the past) or with the same role assigned multiple times.

The role user assignment compression program cleans up these assignments.

Role user assignment compression program

Start program PRGN_COMPRESS_TIMES:

Select the Delete Expired Assignments option to also delete role assignments whose validity date is in the past.

If you want, you can first run the program with the simulation option to see what it will do, and then run it without the simulation option to perform the actual clean-up.
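To preview which assignments a clean-up would touch, the following added example (not part of the original blog and not SAP code) models the compression on an exported assignment list. It assumes a CSV export using the AGR_USERS field names UNAME, AGR_NAME, FROM_DAT and TO_DAT; the merge rule (overlapping or directly adjacent validity periods collapse into one) is a simplified assumption, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import date, datetime

# Constructed sample export; column names assume the AGR_USERS field names.
SAMPLE_CSV = """UNAME,AGR_NAME,FROM_DAT,TO_DAT
ALICE,Z_FI_CLERK,20200101,20201231
ALICE,Z_FI_CLERK,20210101,99991231
ALICE,Z_FI_CLERK,20220601,99991231
BOB,Z_MM_BUYER,20190101,20191231
BOB,Z_SD_SALES,20230101,20230630
BOB,Z_SD_SALES,20230801,99991231
"""

def parse_date(text):
    """Parse a YYYYMMDD date string as used in the export."""
    return datetime.strptime(text, "%Y%m%d").date()

def simulate(csv_text, today, delete_expired=True):
    """Model a compression run; returns (kept, expired) lists of
    (user, role, valid_from, valid_to) tuples. Nothing is modified."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        span = (parse_date(row["FROM_DAT"]), parse_date(row["TO_DAT"]))
        groups[(row["UNAME"], row["AGR_NAME"])].append(span)
    kept, expired = [], []
    for (user, role), spans in sorted(groups.items()):
        merged = []
        for start, end in sorted(spans):
            # Ordinals avoid overflow when the end date is 9999-12-31.
            if merged and start.toordinal() - 1 <= merged[-1][1].toordinal():
                merged[-1] = (merged[-1][0], max(merged[-1][1], end))
            else:
                merged.append((start, end))
        for start, end in merged:
            # An interval is expired when its end date lies before today.
            target = expired if delete_expired and end < today else kept
            target.append((user, role, start, end))
    return kept, expired

if __name__ == "__main__":
    kept, expired = simulate(SAMPLE_CSV, date(2024, 1, 15))
    for label, rows in (("KEEP", kept), ("DELETE (expired)", expired)):
        for user, role, start, end in rows:
            print(f"{label:17} {user:6} {role:12} {start} .. {end}")
```

Comparing this report with the output of the program's simulation run is a quick way to spot assignments you did not expect to lose.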

Clean up on a CUA managed landscape

If you run a CUA system, the compression program needs to run on the CUA system and not on the local system.

User role comparison

When you have updated a role, the update needs to be reconciled with the existing users assigned to that role. This blog explains how to do this.

Questions that will be answered are:

  • How to execute user role comparison?
  • How to perform mass execution?
  • What should I do in a productive system?

User compare in role building

User compare in role building is pretty easy. In PFCG, when you get the yellow traffic light on the user tab, the screen looks as follows:

Role user comparison

Simply hit the User Comparison button and you are done:

After PFUD run

Mass run of user comparison

With transaction PFUD you can do a mass user assignment comparison:

PFUD start screen

More information on PFUD can be found in OSS note 511200 – PFCG/PFUD/SU01/SU10: Role assignment and profile comparison.

Running after transports and running in productive system

When you transport a role, the import can update the role in the target system without the user comparison being done. The end result is that the assigned authorization does not work, and you might get lots of complaints.

In OSS note 571276 – PFCG: Transport of roles, SAP explains regarding the cleanup option: “If you schedule the user comparison in a way that means that there might be time overlaps with role imports, you should always deactivate the “Cleanups” option. Otherwise, imported profile data might be deleted.” and “The cleanup is not a security issue, so it does not have to be active for every comparison. Experience shows that it is sufficient to execute it once a week. However, it must be scheduled so that no role import is in progress at the same time.”

That’s why it is wise to run the program behind PFUD, RHAUTUPD_NEW, in each system on a daily or bi-daily basis without the cleanup option, and to run it once per week at the weekend with the cleanup option enabled.

PFUD_AIMP transaction

OSS note 2734455 – Optimized user comparison after role imports describes an optimized way to do the comparison in some cases when you transport roles. It also explains the new PFUD_AIMP transaction.