Comparing Profiles in the User Master Record with Activity Groups

Activity groups or their assignment to user master records can be delimited. As a result some data will become invalid on a particular day, whilst other data becomes valid.

You cannot set time limits for authorization profiles and their entry in user master records.

To ensure that only authorization profiles which are valid are contained in the user master record each day, you must execute a daily profile comparison.

For the changes in the user master record to be effective, the comparison must take place before the user logs on.

There are two ways to execute the comparison.

  1. As a background job before the start of each day.
  2. If report RHAUTUP1 is run every night, the authorization profiles in the user master will be current each morning (assuming that the job has run correctly). The best procedure is to schedule this as a periodic background job.

    Further details on report RHAUTUP1 are contained in the report documentation.

  3. Using Transaction PFUD, Compare User Master

As an administrator, it is recommended that you use this transaction regularly to check that no errors have occurred in the background job. Any such errors can then be corrected manually.

In Transaction PFUD you are informed if a complete comparison is necessary (if, for example, the last complete comparison - perhaps using RHAUTUP1 - was unsuccessful).

To ensure that the authorization profiles in the user master records are always current, you should always execute a complete comparison (choose Complete comparison).

Following the comparison the system displays a log which includes any errors that occurred (background processing log for background report).

You have the following options in both report RHAUTUP1 and Transaction PFUD:

Authorization profiles are included for a user which are "inherited" due to the user’s place in the organizational structure.

Authorization profiles are generated for planned, but not yet generated, activity groups.

If the selection dialog is displayed, you select all of the authorization profile assignments you want to delete. If the dialog is not displayed, all expired authorization profile assignments are automatically removed from the user master record.

Assigning Authorization Profiles

In Transaction PFUD you additionally have the following options:

The system displays a selection dialog in which the user can choose for which users changes and generation of profiles should take place.

The system displays a list which shows the individual actions necessary to compare the authorization profiles with the user master record.

For each user, the profiles which need to be added to the user master record are displayed first (Insert), followed by the profiles to be deleted (Delete).

In the final part of the table, if necessary, the system displays the authorization profiles which need to be regenerated because of changes to the activity groups (Generate).

The system displays a checkbox for each action. When you choose Compare User Master, only the actions you have marked are executed.

If you choose Insert Lines, you can select profiles to add to the user master. Similarly, choosing Delete Lines allows you to select profiles to be deleted from the user master. There are two additional pushbuttons which you can use to select or deselect all activities for a user. The Generate all profiles pushbutton is self-explanatory.

There are two more pushbuttons which you can use to select or deselect all activities for a user. To do this, the cursor must be positioned on the line containing the appropriate user name.

The checkboxes are filled in according to your choices for the Generate flagged activity groups, Delete expired authorization profiles and Add new profiles checkboxes on the selection screen.