When you have updated a role, the update needs to be reconciled with the existing users assigned to the role. This blog explains how to do this.
Questions that will be answered are:
- How to execute user role comparison?
- How to perform mass execution?
- What should I do in a productive system?
User compare in role building
User compare in role building is pretty easy. In PFCG, when you get the yellow traffic light on the User tab, the screen looks as follows:
Simply hit the User Comparison button and you are done:
Mass run of user comparison
With transaction PFUD you can do a mass user assignment comparison:
More information on PFUD can be found in OSS note 511200 – PFCG/PFUD/SU01/SU10: Role assignment and profile comparison.
Bug fix notes:
- 3152506 – PFUD/PFCG: Incorrect comparison status after profile comparison
- 3221436 – PFCG: User Master Data comparison is not working properly
Running after transports and running in productive system
When you transport a role, the import can update the role without the user comparison being done. The end result is that the assigned authorizations do not work, and you might get lots of complaints.
In OSS note 571276 – PFCG: Transport of roles, SAP explains the cleanup option: “If you schedule the user comparison in a way that means that there might be time overlaps with role imports, you should always deactivate the “Cleanups” option. Otherwise, imported profile data might be deleted.” and “The cleanup is not a security issue, so it does not have to be active for every comparison. Experience shows that it is sufficient to execute it once a week. However, it must be scheduled so that no role import is in progress at the same time.”
That’s why it is wise to run the program behind PFUD, RHAUTUPD_NEW, in each system on a daily or bi-daily basis without the cleanup option, and to run it once per week at the weekend with the cleanup option enabled.
OSS note 2734455 – Optimized user comparison after role imports describes an optimized way to run the comparison in some cases when you transport roles. It also explains the new PFUD_AIMP transaction.
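The scheduling rule from note 571276 can be checked against job and import times. The following is an added example, not code from this blog or from SAP: it flags comparison runs with cleanup that overlap a role import, and role imports that no later comparison run has picked up. The job names, import names and timestamps are constructed sample data; in practice they would be taken from the system's job and import logs.

```python
from datetime import datetime
from typing import NamedTuple, Optional

class Window(NamedTuple):
    name: str
    start: datetime
    end: datetime
    cleanup: bool = False  # only meaningful for comparison runs

def overlaps(a: Window, b: Window) -> bool:
    """True when the two time windows share any moment."""
    return a.start < b.end and b.start < a.end

def audit(runs: list[Window], imports: list[Window]) -> list[tuple[str, str, Optional[str]]]:
    findings = []
    # Rule 1: a run with cleanup must never overlap a role import,
    # otherwise imported profile data might be deleted.
    for run in runs:
        if run.cleanup:
            for imp in imports:
                if overlaps(run, imp):
                    findings.append(("CLEANUP_DURING_IMPORT", run.name, imp.name))
    # Rule 2: every import needs a comparison run that starts after it ends,
    # otherwise the updated role is not reconciled with its users.
    for imp in imports:
        if not any(run.start >= imp.end for run in runs):
            findings.append(("NO_COMPARE_AFTER_IMPORT", imp.name, None))
    return findings

def _t(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# Constructed sample data (hypothetical job and import names).
RUNS = [
    Window("DAILY_COMPARE", _t("2024-03-04 22:00"), _t("2024-03-04 22:40")),
    Window("WEEKLY_CLEANUP", _t("2024-03-09 02:00"), _t("2024-03-09 03:30"), cleanup=True),
]
IMPORTS = [
    # Overlaps only the daily run without cleanup, which the note allows.
    Window("IMPORT_A", _t("2024-03-04 21:50"), _t("2024-03-04 22:10")),
    # Runs while the weekly cleanup is active and has no later comparison.
    Window("IMPORT_B", _t("2024-03-09 03:00"), _t("2024-03-09 03:20")),
]

if __name__ == "__main__":
    for finding in audit(RUNS, IMPORTS):
        print(finding)
```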