Authorization check with role assignment PFCG

Updated May 18, 2018

Import the Support Package or correction instructions.

The Support Packages specified in 576937 are prerequisites for importing the correction instructions.

Manual change
If you use the correction instructions, you must create the following system messages manually using transaction SE91:

  • Release 4.5B:

    Number 293 in the S# message class:

    "The automatic user master comparison is deactivated globally."

    Leave the "self-explanatory" checkbox blank. The long text for the message is only available by Support Package.

  • Release 4.6B:

    No manual changes required.

  • As of Release 4.6C:

    Number 127 in the S# message class:

    "Function not possible due to missing change authorization for role &"

    Define this message as "self-explanatory".

After you import the correction, the ASSIGN_ROLE_AUTH switch described in note 312682 (PRGN_CUST table) is also effective in PFCG. If you have set ASSIGN_ROLE_AUTH=ASSIGN, then in addition to S_USER_GRP, ACTVT=22, you need only S_USER_AGR, ACTVT=22 for the user assignment; you no longer need S_USER_AGR, ACTVT=02. However, you can no longer assign users if you only have change authorization for the role (S_USER_AGR, ACTVT=02).

Depending on the authorization you have, the system behaves as follows:
1. You only have authorization for the user assignment (S_USER_AGR, ACTVT=22):
Since you are not allowed to change the role itself, you can switch to change mode only after you have navigated to the "User" tab in display mode. If you are still in change mode when you leave this tab, the system automatically switches back to display mode. If you have not yet saved changed user assignments, a dialog box appears asking you whether you want to do this. Note that the text in this dialog box appears in English if you have imported the solution using correction instructions.

2. You only have authorization to change the role (S_USER_AGR, ACTVT=02):
You can switch to change mode everywhere. However, you cannot change the user assignment, because the corresponding fields on the "User" tab are not ready for input and the pushbuttons for processing existing entries (Select, Delete, and so on) are missing.

3. You have both authorizations (S_USER_AGR, ACTVT=02 and 22):
All change options provided are available on each tab.

If ASSIGN_ROLE_AUTH is not set to ASSIGN (which is the default), you need S_USER_AGR, ACTVT=02 to change both the role and the user assignment.
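The rules above can be modelled to preview who gains or loses the ability to assign users before the switch is changed. This is an added example, not SAP code or part of the note: the `Admin` records are constructed sample data, authorizations are reduced to sets of ACTVT values (role names and user groups are ignored), and it assumes that S_USER_GRP, ACTVT=22 is required in both modes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Admin:
    name: str
    s_user_agr: frozenset  # ACTVT values held for S_USER_AGR
    s_user_grp: frozenset  # ACTVT values held for S_USER_GRP

def can_change_role(admin):
    """Changing the role itself always needs S_USER_AGR, ACTVT=02."""
    return "02" in admin.s_user_agr

def can_assign_users(admin, assign_role_auth):
    """User assignment in PFCG for a given ASSIGN_ROLE_AUTH value."""
    # Assumption: S_USER_GRP, ACTVT=22 is needed in both modes
    # (the note states it explicitly only for ASSIGN).
    if "22" not in admin.s_user_grp:
        return False
    needed = "22" if assign_role_auth == "ASSIGN" else "02"
    return needed in admin.s_user_agr

def switch_impact(admins):
    """Return (gained, lost) names when the switch is set to ASSIGN."""
    before = {a.name for a in admins if can_assign_users(a, "")}
    after = {a.name for a in admins if can_assign_users(a, "ASSIGN")}
    return sorted(after - before), sorted(before - after)

def combined_access(admins, assign_role_auth):
    """Admins who can both change a role and assign users to it."""
    return sorted(a.name for a in admins
                  if can_change_role(a) and can_assign_users(a, assign_role_auth))

# Constructed sample data, not taken from any real system.
ADMINS = [
    Admin("ROLE_ADMIN", frozenset({"02", "03"}), frozenset({"03", "22"})),
    Admin("USER_ADMIN", frozenset({"03", "22"}), frozenset({"03", "22"})),
    Admin("SUPER", frozenset({"02", "03", "22"}), frozenset({"03", "22"})),
    Admin("AUDITOR", frozenset({"03"}), frozenset({"03"})),
]

if __name__ == "__main__":
    gained, lost = switch_impact(ADMINS)
    print("gain user assignment with ASSIGN:", gained)
    print("lose user assignment with ASSIGN:", lost)
    for mode in ("", "ASSIGN"):
        print(repr(mode), "role change + assignment:", combined_access(ADMINS, mode))
```

With the default setting, everyone who can assign users can also change the role; with ASSIGN, the two tasks can be held by different administrators.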

More comments:

  • The two functions "User master comparison" and "HR Organizational Management" on the "User" tab are also active in display mode. This does not pose a security risk, because the role itself cannot be changed by these functions and the required authorizations, in particular S_USER_AGR, ACTVT=22, are always checked. However, if you want to deactivate the two functions in display mode, set the USRPROF_IN_DISP_MODE switch in the PRGN_CUST table to NO. Both pushbuttons can then no longer be selected, but the status indicators (green or red traffic lights) continue to be displayed.
  • On the "Display/change roles (activity groups)" screen of PFCG, you can call the "Settings: Role maintenance (activity group maintenance)" dialog box via the menu path "Utilities" -> "Settings". The first item there is the checkbox "Automatic comparison of user master when saving the role (activity group)". When you select this field, a user master comparison is performed each time a role is saved. The setting is only valid for the user who has set it (in this case, you) and only in the current client. For more information, also refer to note 511200.
    If the automatic user master comparison is deactivated globally (AUTO_USERCOMPARE=NO in table PRGN_CUST), you cannot make any individual changes. In this case, the checkbox is inactive as of Release 4.6C, and in Release 4.6B it is hidden altogether. In Release 4.5B, error message 293(S#) (see above) appears instead of the "Settings: Activity group maintenance" dialog box.