
Re: [sap-security] PFCG_UPDATE_ALL_ROLES in Production

Posted by Admin at

Reply from SAPAUSSEC on Jun 27 at 6:57 PM
This is incorrect as 2 issues have not been clearly separated.

First when you build a role and after defining the authorisations the
profile should be generated. This makes role available with its

Roles should be built and generated in a development system before being
assigned to a transport. A mass generate of roles and authorisations
can be accomplished with transaction SUPC or its associated ABAP. If
profiles are not generated this suggests to me either a problem with
transporting from DEV, or changing roles directly in PRD. Less likely
is a problem with the transport.

Once a role has been generated it can be assigned to a user. This will
need to be done in each system. Roles assigned to users are often date
delimited - i.e. have a validity period. To ensure roles are correctly
assigned to users the user must be entered in the user tab of the role.
Running PFCG_TIME_DEPENDENCY will ensure roles and users only have roles
for the specified validity period. This should be run daily in each
system after transportation to ensure users only have access for the
intended time period.

If roles have been transported without generated authorisations I would
transport the roles again from the DEV system as there is guarantee that
a user has the authorisations currently defined in the role. I would
only run SUPC in PRD if I was certain the roles in PRD exactly matched
the roles in DEV. The downside of SUPC in PRD is users' access may
change as they may not have the correct authorisations.

As mentioned above PFCG_TIME_DEPENDENCY should be run daily in PRD and
other systems. This is really security basics and it may be worthwhile
for both to get further security training.

---------------Original Message---------------
From: sheffeld
Sent: Tuesday, June 27, 2017 9:55 AM
Subject: PFCG_UPDATE_ALL_ROLES in Production

The primary con is that you can remove an end user's access for the role
being generated, while they are using it.

The primary pro is that end users may not have access to the
authorizations in a role requiring generation until the role has been

My preference (and what has been considered a best practice) is to run
program PFCG_TIME_DEPENDENCY on a periodic basis in Production. The
timing would depend upon the frequency of transports with
role/authorization object/field/transaction modifications being promoted
to Production. Look for the period of least end user logins and then
coordinate with your Basis team to choose a time or times with the least
amount of traffic.
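
An added example, not part of the original thread: a read-only check over CSV exports of the standard tables AGR_USERS, AGR_1016 and UST04 for the two conditions discussed above, roles with no generated profile and user profiles that no longer match a currently valid role assignment. The sample rows, role names and profile names are constructed, and the CSV export layout is an assumption.

```python
import csv, io
from datetime import date, datetime

# Constructed sample exports (assumed CSV layout, e.g. saved from SE16).
AGR_USERS = """AGR_NAME,UNAME,FROM_DAT,TO_DAT
Z_AP_CLERK,JSMITH,20170101,20170531
Z_AP_CLERK,MLEE,20170101,99991231
Z_GL_DISPLAY,JSMITH,20170101,99991231
Z_GL_DISPLAY,MLEE,20170601,99991231
Z_NEW_ROLE,MLEE,20170601,99991231
"""
AGR_1016 = """AGR_NAME,PROFILE
Z_AP_CLERK,T-AP000001
Z_GL_DISPLAY,T-GL000001
"""
UST04 = """BNAME,PROFILE
JSMITH,T-AP000001
JSMITH,T-GL000001
MLEE,T-AP000001
ADMIN,SAP_ALL
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def ymd(s):
    return datetime.strptime(s, "%Y%m%d").date()

def audit(today):
    """Compare role assignments valid on `today` with profiles in the user master."""
    profiles_of = {}                       # role -> generated profiles
    for r in load(AGR_1016):
        profiles_of.setdefault(r["AGR_NAME"], set()).add(r["PROFILE"])
    role_profiles = set().union(*profiles_of.values())
    assigned, entitled = set(), set()
    for r in load(AGR_USERS):
        assigned.add(r["AGR_NAME"])
        if ymd(r["FROM_DAT"]) <= today <= ymd(r["TO_DAT"]):
            entitled |= {(r["UNAME"], p) for p in profiles_of.get(r["AGR_NAME"], ())}
    # Ignore manually assigned profiles (e.g. SAP_ALL); only role profiles count.
    held = {(r["BNAME"], r["PROFILE"]) for r in load(UST04) if r["PROFILE"] in role_profiles}
    return {"ungenerated": sorted(assigned - set(profiles_of)),  # role has no profile
            "stale": sorted(held - entitled),      # access outside the validity period
            "missing": sorted(entitled - held)}    # valid assignment, profile not in user master

if __name__ == "__main__":
    print(audit(date(2017, 6, 27)))
```

Non-empty `stale` or `missing` lists indicate the user comparison has not run since the assignments changed; a non-empty `ungenerated` list points to roles that arrived without a generated profile.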


© 2017 Ziff Davis, LLC. and message author.