TIP OF THE DAY: SAP AUTHORIZATION PFUD USER COMPARISON

Posted by Klea Duro on Feb 3, 2023 8:15:00 AM

Did you know that there is a feature called "User Comparison" in SAP? Even in S/4HANA?

 

PFUD

 

But what is it for and why in some cases might there be errors?

 

 

PFUD what is it? Why is it used?

This is a transaction that can be run in online or background mode that allows you to check the correct assignments of authorization profiles according to the relevant roles.

 

That is, in the case where there is an assigned role with a certain validity e.g., from today until Dec. 31, 2023, it guarantees on Jan. 1, 2024, this role (and thus profiles) is no longer assigned to the user.

 

Without this feature activated, abilitations would remain active in these situations even though they have expired!

 

It is therefore strongly recommended to plan this program periodically, as for instance, every night.

 

In addition, it is necessary to launch this function whenever a new role is assigned to a user. For example, after a transport from the development environment to the production environment. In these cases, you can either wait for the night job to start (if scheduled) or manually run the program on the affected role.

 

Where can I find this feature?

It is present in several places, in the PFCG transaction, in the PFUD transaction, clearly and finally in the SU01 transaction (read here what transactions are important in SAP authorization management)

 

In the SU01 transaction, in the "Roles" tab you can see the "Status" column in newer SAP releases (e.g. S/4HANA) or the "User master record" button also with the status. In case it is Red you need to take action by doing user comparison.

 

SU01

 

In the PFCG (Profile Generator) transaction in the "Users" tab, again, through the "User Comparison" button or as a switch from PFCG to PFUD in the "Utilities" menu.

 

PFCG

 

Or, of course, in the specific PFUD transaction. Where you can indicate the role or set of roles on which you want to have the comparison initiated.

 

PFUD

 

The program that can be used to schedule the job for this feature is called RHAUTUPD_NEW and you can schedule it through the SM36 transaction or the feature in the PFUD transaction called "Schedule or Check the Background job for the Full Comparison", in this case a standard job name called "PFCG_TIME_DEPENDENCY" will be proposed.

 

Through the "Info" icon at the top of the transaction, it is possible to understand what the various flags in the transaction are for. 

 

Beware, if you have never performed it, this transaction can create disruptions by removing abilitations.

 

Tips -> Through the following OSS note: "2734455 - Optimized user comparison after role imports" the SAP has introduced the possibility after a role-related transport that PFUD is performed automatically, without any manual intervention.

 

What may be some common mistakes?

 

One of the most classic errors you can find in the logs of this transaction is the one called: "Type of role is undetermined". In this case there is a known specification to resolve it, the following: 2555130 - PFUD | Type of role is undetermined

 

The error comes in this form:

 

PFUD _ Type of role is undetermined

 

This error is due to the fact that, for some reason, some roles, do not have correct attributes and therefore the system cannot figure out what type of role it is (whether single or composite). As a result, the program generates the error above.

 

Through a correction program attached to the note (Z_ADD_COLL_FLAG) it is possible to identify and correct these anomalies by fixing the problem.

 

An additional case history could be that related to the "Status" column in red in transaction SU01 (see image above). In this case, it might be sufficient to run the PFUD transaction again or to identify these case histories through the following function module: PRGN_CHECK_USERPROF_STATUS or by querying and correlating the tables AGR_DEFINE, AGR_1016, AGR_USERS, UST04.

 

Iscriviti al blog se ancora non lo hai fatto!

 

 

 

Topics: PFCG SAP transaction, pfud

Yes Subscribe!

Blog Aglea, what you could find out?

Every Friday a new post, interview or content related to SAP Security.

  • Tips on how to design SAP Security
  • How to
  • Checklist
  • Common error and pitfall on security SAP
  • Interview with experts
  • Who we are and Aglea vision on SAP Security

Recent Posts

Post By Topic

See all