User comparison?

Hi all!!!
I am relatively new to the SAP authorisation concept, and I think I don't completely understand the idea of user comparison.
Am I correct:
- if I use SU01 to assign a role to a user, there's no need to perform a user comparison
- if I assign a user to a role, I have to run user comparison. Before comparison, if you look into the user master record the role is already there, but it is uncompared, and the user doesn't have authorisations yet, though he can log on and see the role menu.
What is the point of user comparison? What does it do apart from assigning profiles? If nothing, why is it that the user doesn't have the role's authorisations immediately after assigning him to a role in PFCG? What is the point? First I thought that it removes all profiles which are not connected to the assigned role, but I tried to attach some profiles manually and did a user comparison, which didn't remove the manually entered profiles... so...
Can anybody describe it using simple language?
Thanks!

Hi Stanislaw,

Stanislaw Adamski wrote:
> - if I use SU01 to assign a role to a user, there's no need to perform a user comparison

Yes, that is correct. When saved through SU01 or SU10, a UMR reconciliation is done for the user(s).

Stanislaw Adamski wrote:
> - if I assign a user to a role, I have to run user comparison. Before comparison, if you look into the user master record the role is already there, but it is uncompared, and the user doesn't have authorisations yet, though he can log on and see the role menu.

That's a very good observation. Even I didn't know that the role menu would be displayed. However, (technically) since it's actually the profiles and not the assignment of roles that give authorization, a user or role compare is required. The assignment of profiles to users can be viewed in table UST04. SU01/SU10 updates the UMR to reflect the appropriate profile(s) of the role in UST04. PFCG does not do this, unless manually done. If not compared via PFCG, this compare is rectified on the next run of PFCG_TIME_DEPENDENCY.

Stanislaw Adamski wrote:
> What is the point of user comparison? What does it do apart from assigning profiles? If nothing, why is it that the user doesn't have the role's authorisations immediately after assigning him to a role in PFCG? What is the point?

User Comparison updates the profiles in the UMR, table UST04... and maybe many others! I hope you are clear on assigning through PFCG now.

Stanislaw Adamski wrote:
> First I thought that it removes all profiles which are not connected to the assigned role, but I tried to attach some profiles manually and did a user comparison, which didn't remove the manually entered profiles... so...

Generated profiles should not be assigned via the profiles tab. It does not allow you to do this; maybe earlier versions still do allow it. However, if you still do assign this, PFCG_TIME_DEPENDENCY will remove this assignment!
A standard SAP profile, or a manually created profile (through SU02), will not get affected.
Hope this clarifies
Abhishek
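
The split described in the answer above (role assignments on one side, the profiles recorded in UST04 on the other, reconciled by the comparison) can be checked offline from table extracts. This is an added example, not part of the original thread: it assumes AGR_USERS holds the assignments and AGR_1016 the generated profile names, every row is constructed sample data, and composite roles and CUA are ignored.

```python
from collections import defaultdict
from datetime import date

FOREVER = date(9999, 12, 31)

# Constructed sample extracts (not from a real system).
# AGR_USERS: role-to-user assignments with validity dates.
AGR_USERS = [
    {"AGR_NAME": "Z_MM_BUYER", "UNAME": "ALICE",
     "FROM_DAT": date(2024, 1, 1), "TO_DAT": FOREVER},
    {"AGR_NAME": "Z_FI_CLERK", "UNAME": "CAROL",
     "FROM_DAT": date(2024, 1, 1), "TO_DAT": date(2024, 3, 31)},
    {"AGR_NAME": "Z_SD_SALES", "UNAME": "DAVE",
     "FROM_DAT": date(2024, 1, 1), "TO_DAT": FOREVER},
]

# AGR_1016: generated profile name(s) per role.
AGR_1016 = [
    {"AGR_NAME": "Z_MM_BUYER", "PROFILE": "T-D1230001"},
    {"AGR_NAME": "Z_BASIS_ADMIN", "PROFILE": "T-D1230002"},
    {"AGR_NAME": "Z_FI_CLERK", "PROFILE": "T-D1230003"},
    {"AGR_NAME": "Z_SD_SALES", "PROFILE": "T-D1230004"},
]

# UST04: profiles actually present in each user master record.
UST04 = [
    {"BNAME": "BOB", "PROFILE": "T-D1230002"},     # role removed, not compared
    {"BNAME": "BOB", "PROFILE": "Z_MANUAL_DISP"},  # manual profile (SU02)
    {"BNAME": "CAROL", "PROFILE": "T-D1230003"},   # assignment has expired
    {"BNAME": "DAVE", "PROFILE": "T-D1230004"},    # already compared
]


def comparison_delta(agr_users, agr_1016, ust04, today):
    """Return, per user, what a user comparison would still have to change.

    missing: generated profiles of currently valid role assignments that are
             not yet in the user master (the role shows red/uncompared).
    stale:   generated profiles still in the user master although no valid
             assignment backs them (access survives the role removal).
    Profiles that no role generates (manual or standard SAP profiles) are
    never reported, matching the behaviour described in the answer.
    """
    role_profiles = defaultdict(set)
    for row in agr_1016:
        role_profiles[row["AGR_NAME"]].add(row["PROFILE"])
    generated = set().union(*role_profiles.values())

    expected = defaultdict(set)
    for row in agr_users:
        # Only assignments valid today count (time dependency).
        if row["FROM_DAT"] <= today <= row["TO_DAT"]:
            expected[row["UNAME"]] |= role_profiles.get(row["AGR_NAME"], set())

    actual = defaultdict(set)
    for row in ust04:
        actual[row["BNAME"]].add(row["PROFILE"])

    delta = {}
    for user in sorted(set(expected) | set(actual)):
        missing = expected[user] - actual[user]
        stale = (actual[user] & generated) - expected[user]
        if missing or stale:
            delta[user] = {"missing": sorted(missing), "stale": sorted(stale)}
    return delta


if __name__ == "__main__":
    for user, diff in comparison_delta(
            AGR_USERS, AGR_1016, UST04, date(2024, 6, 1)).items():
        print(user, diff)
```

The "stale" entries are the ones to review first on an access audit, since they represent authorizations that outlive the role assignment until the next comparison run.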

Similar Messages

  • User Comparison - Job showing output deleted users in Sol.man

    Hi All,
    I scheduled the User Comparison job for every 4 hrs with the program RHAUTUPD_NEW. In the output it is showing me the list of deleted users as well, like "User EAMANITR does not exist" in Sol.man.
    I am sure it is not a problem, but I want to know why the job output shows this list as well.
    Let me know if anyone has come across this issue.
    SV

    Hi,
    Have you checked OSS note 1280891?
    Cheers

  • CUP Auto Provisioning Error 260: User Comparison

    I am in the process of configuring the CUP 5.3 module within our ECC and SRM environments.  I believe the path and associated stages are established properly.  I have tested the auto provisioning functionality within both SRM and ECC.  As it relates to SRM, the auto provisioning functionality works without a hitch.  However, when I attempt to auto provision a user into our ECC environment, I receive the following error:
    Auto provisioned for request on 04/07/2010 13:41 
       New User: T00522 created on 04/07/2010 13:42 in System(s): DR4-300.
       User attributes changed for User : T00522 in System(s) :DR4-300.
       Role Provisioning failed for System(s) : DR4-300. Error Message : 260:User master comparison incomplete; see long text
    Speaking with our security team, the only time they have seen this issue was when they attempted to map a user, using PFCG, to a role.  However, I informed them that CUP uses SU01.  They have not experienced such an issue using SU01 and clicking on the user comparison button.
    Interesting point:  The user record is created and roles assigned to the user, but they have a red light indicator by the role within SU01.  However, when the next day rolls around the role has been changed to a green light, the profile is assigned and everything is looking good.  Unfortunately, CUP can't seem to register this, and when the Role Owner attempts to approve the role / user request again, the same error occurs. Until I can get around this error, the workflow is not closed out nor is the requester notified.
    Questions:
    (1)  How can I fix this issue, I assume it will require a security change to be made within the ECC environment?
    (2)  If this issue can't be fixed, can I get around this issue with a detour or other CUP error processing step?

    Denoted below is the log that corresponds to the 260 comparison error.  Does anyone know what access I am missing within the UME.  I have tested this provisioning process, manually, and do not run into a Comparison error within the SU01 screens:

  • User Comparison made easy?

    Hello all --
    Sorry if this is an old and already answered question, I did some searching but nothing came up.
    Is it possible to do a "User Comparison" in bulk, or to schedule that as a background job? I find myself going through many roles and checking the user comparison manually, but it seems like there should be a way to automate that. I am not that clear on what it actually does, although I believe it applies changes made somewhere.
    Thanks in advance...
    MMPP

    Thanks Raghu for your reply, and sorry for posting in the wrong forum.
    May I ask you for further details regarding your comment?
    Raghu wrote:
    This can play havoc with authorizations if you do not use it properly.
    How is this different from running the user master comparison from within the role? How would you avoid using it "improperly"?

  • PFCG, user comparison

    Hi,
    In the PFCG transaction there is a tab named "User" and a button "User comparison".
    I cannot understand what the function of that button is.
    After clicking it I can see that the warning icon on the above tab becomes green.
    Thanks
    Best regards

    Hi,
    This tab does a similar job to PFUD for reconciliation of profiles to users.
    A yellow User Comparison tab indicates that, though the role is assigned to the user, it is not up to date and needs to be reconciled.
    A green tab indicates that the profiles assigned to the user are up to date and have all required authorizations granted.
    Read the Help guidelines:
    Comparing user master records
    o   The user master record comparison that is run automatically by
         report PFCG_TIME_DEPENDENCY can also be executed manually for a
         single role. To do this, choose Compare users on the Users tab. The
         status display on this pushbutton indicates whether or not you need
         to execute the comparison again.
         -   If you make changes to the users assigned to the role or
             generate a corresponding authorization profile, then you need to
             compare the user master records again.
         -   This compares the authorization profiles with the user master
             records, that is, profiles that are no longer current are
             removed from the user master records, and the current profiles
             are entered.
    Regards,
    Edited by: Rupali B on Mar 6, 2012 2:36 PM

  • ABAP Program: User comparison

    Hi all,
    I would like to know the name of ABAP report that can enable me to perform user comparison after I have created a new role and added to user.
    thanks

    Hi,
    You can use the program RHAUTUPD_NEW or goto the transaction PFCG->Utilities-> Mass Comparison.
    Hope it helps.
    Regards,
    Gaurav

  • User Comparison - Roles constantly going to 'red' inactive

    Hi,
    Can someone shed some light on this issue i'm having here.
    I noticed today while working with a user in SU01 that the role assigned to the user switched from green 'active' to 'red' inactive. There were updates made to the master role and then passed to the child (derived) roles. I manually ran user comparison and then verified in SU01 that the roles were still green. A couple of hours later I noticed the child role went to 'red' inactive. Why is this happening? This happened and I took it as a one-time incident, but this is happening more frequently.
    -Wes

    Could be...
    According to Wes's Business Card he (?) is from the US and for some reason (probably the training documentation in ADM940...!) I have more often than not noticed that US based systems tried to align the profile names to the "activity group" names when building little single roles - sometimes one role per transaction - as "building blocks" for activities clubbed together into composites.
    @ David: I also hate composites...
    Unless Wes clarifies, I would however still place my bets on a profile name collision as a result of the DEV, QAS and PROD having the same first and third characters in the SID name, or a client disorder in DEV from which the roles are being transported (e.g. "golden security client" implemented later than the productive client transport routes, or a customizing client was used to make the changes).
    AGR_NUM_2 has MANDT as a key field and with derived roles and small singles the limit can be reached with ease, particularly if these were download / uploaded in the past to avoid transport request sequence confusion - which is reasonable in my opinion.
    Cheers,
    Julius

  • User Comparison Error

    Hi TEAM,
    When I assign the role to a particular user, after assigning the authorization to that role, I try to compare the user from the list and select the complete user comparison - it does not get assigned... It gives info like - Information for user master comparison - "User master record not yet been compared completely" and
    also gives an info box stating that the user is locked by the administrator. But I checked: the user ID is not locked at all, nor is any object open, by the administrator.
    Can anyone please clarify this error --
    SYSTEM INFO : R3 ENT 4.7.0 IDES
    DB : SAPDB
    Regards,
    KAM

  • Error : User master comparison incomplete

    Dear All,
    I am working on a CUA system. I have modified an existing role (it was a requirement to change Material Mvt typ) and transported it to the QA system, then ran PFCG_TIME_DEPENDENCY.
    But when I check user -> roles using SU01, I see the role I transported is in RED. Then when I try to do a user comparison I get a new error, "Maximum profile exceeded for user ABCXX"; because of this error I cannot complete the user comparison.
    I also tried PFUD -> Cleanups first, then Profile matching; unfortunately it still gives "User master comparison incomplete".
    Is there an alternative way to compare users except "ABCXX", which has "Maximum profile exceeded for user", or how do I skip this message and complete the user comparison?

    Souyee,
    If the user needs access, then remove unimportant tcodes from the user menu.
    or
    If you have a similar user ID without profile issues, then you can copy that ID (i.e. if it is happening for only one user ID).
    NOTE:
    Even if you are able to do the user comparison, some of our users are not able to execute some transaction codes, even though the required roles are granted. These types of problems will occur.
    Other option is:
    You need to identify the profiles assigned and ensure that they are below 312, as you can't assign more than 312 profiles to a SAP user ID.
    If the issue happens even with very few profiles, verify the "Number of authorizations in user buffer" value in the instance profile. The value of the auth/auth_number_in_userbuffer parameter can be increased. The size of the buffer must always exceed the maximum number of authorizations, as authorization checks are made only against those in the buffer. The default value is 800, but this can be set to a value between 1–2000.
    What happens when an instance profile parameter is set outside its range?
    Note: Take the help of the Basis guys if you need to change the instance value.
    Thanks,
    Sri

  • User master comparison

    Hi All,
    In one system I created a role and assigned a user to it without doing the user master comparison. Using this user, I tried accessing the transactions, but it failed just because the user master comparison was not done - correctly, according to the fundamentals.
    In another system, I did the same thing, but the system allowed me to launch the transaction without the user master record being updated.
    Could anyone tell me the catastrophe behind this?
    Thanks a lot for your time.
    Thanks and Regards, Pradeep

    Hi Pradeep,
    Please try that once again with a completely empty user. Maybe the user had that authorization already through another role/profile.....
    Please also keep in mind that if you save a user in SU01 the user comparison is also performed automatically.
    b.rgds, bernahrd

  • Creation of a user with a particular authorization object (Very Urgent)

    Hi,
    There is a requirement in my project to create a user who can only reset his password. So for this I think an authorization object should be created and assigned to a profile which displays only the tab for resetting the password (Logon data in SU01). I want to know two things in this regard.
    1. The whole process of creating customised authorization object and assigning it to a profile and
    2. Any other way to achieve the needed scenario.
    Thanks & Regards,
    Sujith
    Edited by: Sujith K on Feb 4, 2008 1:26 PM

    In transaction pfcg ,
    give single/composite role name
    give profile name and description in authorization tab, save it
    enter into change authorization data
    select manually tab
    give authorization objects name (creating auth. objects)
    fields will automatically come inside it
    enter the field values
    save and generate profiles (Profiles created)
    go to su01,
    create users (fill address, logon data, roles )
    In pfcg,
    select the role you created and click on the user comparison for giving the authorization to access.
    award points if useful

  • One user cannot see Inactive Addresses in Account Overview

    One user cannot see Inactive Addresses in Account Overview in the CRM 7.0 IC.
    This user has the same roles and authorizations as all the other users.
    We have also performed a user comparison in CRM and ERP and have also reset the user buffers in both systems.
    If I copy the user to another user in CRM and ERP the copied user can see the Inactive addresses. A user comparison shows that the user and copied user are identical.
    Any ideas?
    Aubrey Smith

    Just a gamble, but check his user parameters in SU01.

  • Deassignment of users from roles

    Hi,
    We have a couple of users in our system who are assigned to some standard SAP roles.
    These roles are themselves not composite roles , but form a part of some composite roles.
    Now when I try to deassign the "blue" users from these roles, it's not possible.
    How do I go about it?
    Please help.
    Thanks,
    Saba.

    Hi,
    Both ways it's not possible.
    When I remove the user from the role, it comes back after user comparison :((
    and the role refuses to get deleted from the user.
    Also, both appear in blue.
    Please help.
    Thanks,
    Saba.

  • Posting period authorization for previous period for specific users

    Hi Experts,
    In our company we want to restrict normal users to present period only. (in FI).
    we are having now two user groups core and normal. for core group both periods should be open. for normal users only have access for current period.
    Please suggest how to achieve this requirement in FI.
    Regards,
    Vara
    Moderator: Use authorizations groups in OB52. Please, search before posting

    Hello,
    You need to create a single role with whatever transactions you would like the users to proceed.
    When you assign the users in the role, you assign for the period you would like. Once that period is over, no user is able to transact with those transaction codes.
    Whenever you make changes to the users in a role, you need to do the user comparison; only then does the profile get generated in the user masters.
    Please discuss this with your security team with your requirement.
    Regards,
    Ravi

  • Users still appear to have transactions assigned even though roles have been removed.

    Hi,
    I'm currently looking at a number of users with access to sensitive transactions (e.g. SCC4).
    When looking at a combination of the AGR_ROLES and AGR_TCODES tables I can see there is currently only one active role and one active user assigned this access which would fall in line with what was to be expected based on the population I am looking at (we're not concentrating on auth object level for now).
    However when I go through SUIM and filter on users by complex criteria and enter transaction code SCC4, about 20-30 users pop up (this is how many people used to be assigned access to SCC4).
    When access was removed for these 20-30 users, it was done at 'role level', so my question is: even if roles have been removed, when looking through SUIM would a user still appear to have transactions associated with that role assigned - if so, why does this happen? I assumed once a role is removed it would remove the underlying transactions etc. with it?
    My assumption at the moment is that even though SUIM is showing users still have access to SCC4 they can't actually use it as the role it was associated with has been removed.
    Any help/clarity on this would be greatly appreciated.

    Hi Johnny,
    Please do perform the user comparison.
    Go to PFCG -> Role Name -> User comparison,
    then check in SUIM whether the user still has that tcode or not.
    For detail:
    Go to SUIM
    Roles by complex selection criteria -> put the tcode there
    It will give you the names of the roles having that tcode, and then you go to that role and you will get the list of users in PFCG (User assignment tab).
    The same goes for the user:
    SUIM -> Users by complex selection criteria -> put the tcode -> profiles associated with it -> roles associated with it.
    But I suggest that after you make any changes to a role / profile you please do the user comparison.
    Regards
    Dishant Pathak
