Monday 30 March 2015

Authorization: User granted additional roles unintentionally

Scenario:
During an "SM20" audit log review, a user was found to have been granted additional access. Example: a user who should only have display access for certain tcodes ended up with write access.

Initial Findings:
1) Review the problematic user's role and profile assignment (Found: composite roles were assigned).
     Note the "Validity From" date (23.03.2015).

2) Double-click any of the roles (in blue) that were assigned from the composite role to view the role details in "PFCG".

3) Check the last modified date/time.

4) Use "SUIM" to further track down the role changes (Change Documents -> For Users).

5) Enter the affected user ID, Changed by and date according to the details from step 1 (PFCG), and select the roles tab.

6) The result clearly shows that 76 roles were added to the affected user.

7) Further review the daily scheduled job PFCG_TIME_DEPENDENCY (based on experience, this is the background job that performs daily maintenance on the role/profile assignments of all users).
     - Enter the relevant job name, user and date.

8) Select "Job log".

9) Activity is logged on all the composite roles and single roles that were found assigned to the problematic user.

10) Another alternative is to use "SM20" to trace/view all the changes performed by PFCG_TIME_DEPENDENCY (enter the relevant user and date/time).

11) Sample of users processed by the "PFCG_TIME_DEPENDENCY" batch job.
      Observe the creation date/time of program RHAUTUPD_NEW and the users that were changed.

12) Continue the investigation by executing "SE16N" to view the actual role name assigned to the user (Z_Audit_Finance); child roles were found attached to it.

13) Review the role that was supposed to be assigned (Z_Audit_Finance) in "PFCG", which shows it is a single role rather than a composite role.
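
The reconciliation that steps 4 to 11 perform by hand in SUIM and SM20 can be scripted once the change documents are exported. The following is an added example, not code from the original post and not an SAP tool: it replays a constructed set of user-role change records (field names are my own, chosen to resemble what "Change Documents -> For Users" displays), compares each user's effective roles against the intended assignment, and attributes every unexpected grant to the changer and program that created it, so a batch origin such as RHAUTUPD_NEW stands out.

```python
"""Reconcile user-role change records against the intended assignment.

Added example, not from the original post. CHANGE_RECORDS and INTENDED are
constructed sample data; the tuple layout is my own, not SAP's.
"""
from collections import defaultdict

# Constructed sample records: (user, role, action, changed_by, program, timestamp)
# The batch job PFCG_TIME_DEPENDENCY runs report RHAUTUPD_NEW under a batch user.
CHANGE_RECORDS = [
    ("AUDIT01", "Z_AUDIT_FINANCE", "ADD", "ADMIN1", "PFCG", "2015-03-23 09:12"),
    ("AUDIT01", "Z_FI_DISPLAY", "ADD", "BATCHUSER", "RHAUTUPD_NEW", "2015-03-24 02:00"),
    ("AUDIT01", "Z_FI_POST", "ADD", "BATCHUSER", "RHAUTUPD_NEW", "2015-03-24 02:00"),
    ("AUDIT01", "Z_MM_MAINTAIN", "ADD", "BATCHUSER", "RHAUTUPD_NEW", "2015-03-24 02:00"),
    ("CLERK02", "Z_SD_DISPLAY", "ADD", "ADMIN1", "PFCG", "2015-03-23 10:00"),
    ("CLERK02", "Z_SD_DISPLAY", "REMOVE", "ADMIN1", "PFCG", "2015-03-25 10:00"),
]

# Intended assignment per user, e.g. taken from the approved access request.
INTENDED = {
    "AUDIT01": {"Z_AUDIT_FINANCE"},
    "CLERK02": {"Z_SD_DISPLAY"},
}


def effective_roles(records):
    """Replay ADD/REMOVE records in timestamp order.

    Returns {user: {role: (changed_by, program)}} for roles still assigned.
    """
    state = defaultdict(dict)
    for user, role, action, changed_by, program, _ts in sorted(records, key=lambda r: r[5]):
        if action == "ADD":
            state[user][role] = (changed_by, program)
        elif action == "REMOVE":
            state[user].pop(role, None)
    return state


def unexpected_grants(records, intended):
    """Roles a user holds that are not in the intended set, with their origin."""
    findings = {}
    for user, roles in effective_roles(records).items():
        allowed = intended.get(user, set())
        extra = {role: origin for role, origin in roles.items() if role not in allowed}
        if extra:
            findings[user] = extra
    return findings


def grants_by_origin(findings):
    """Count unexpected grants per (changed_by, program) to spot a batch origin."""
    counts = defaultdict(int)
    for roles in findings.values():
        for origin in roles.values():
            counts[origin] += 1
    return dict(counts)


if __name__ == "__main__":
    found = unexpected_grants(CHANGE_RECORDS, INTENDED)
    for user, roles in found.items():
        for role, (who, prog) in sorted(roles.items()):
            print(f"{user}: unexpected role {role} added by {who} via {prog}")
    print(grants_by_origin(found))
```

On the constructed data the script reports three unexpected roles on AUDIT01, all attributed to BATCHUSER via RHAUTUPD_NEW, and nothing on CLERK02 because the manual grant was later removed. Replacing CHANGE_RECORDS with a real SUIM export and INTENDED with the approved request list gives the same picture the post built up manually.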
How to simulate the issue:
1) Assign the same role to a new test user.

2) Wait for the scheduled job execution (PFCG_TIME_DEPENDENCY) to complete, or execute tcode PFUD to perform the same maintenance task.

3) Unwanted roles are assigned.
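
Why the maintenance run hands out extra roles, and why the second solution below stops it, can be shown with a small model. This is an added example, not code from the original post and not how SAP implements the user master comparison: it assumes a role catalogue with a composite flag (what "PFCG" displays) kept separately from the composite-to-child relations (what "SE16N" revealed), and a comparison step that expands any role carrying child entries. The dictionary names and role names other than Z_AUDIT_FINANCE are my own.

```python
"""Model of a user master comparison expanding composite roles.

Added example, not from the original post and not SAP's logic. ROLE_DEFS and
COMPOSITE_CHILDREN are constructed; the split between a composite flag and a
separate child-relation table is an assumption made for this illustration.
"""

# Constructed role catalogue: role -> composite flag as shown in PFCG
ROLE_DEFS = {
    "Z_AUDIT_FINANCE": False,      # PFCG shows a single role
    "Z_AUDIT_FINANCE_V2": False,   # fresh clone created as a single role
    "Z_FI_DISPLAY": False,
    "Z_FI_POST": False,
    "Z_COMP_FINANCE": True,        # a genuine composite role
}

# Constructed composite -> child relations (what the SE16N check revealed:
# child entries attached to a role that PFCG displays as single).
COMPOSITE_CHILDREN = {
    "Z_AUDIT_FINANCE": ["Z_FI_DISPLAY", "Z_FI_POST"],   # inconsistent with ROLE_DEFS
    "Z_COMP_FINANCE": ["Z_FI_DISPLAY"],
}


def resolve_assignments(direct_roles, role_defs, children):
    """Roles left on the user after a maintenance run.

    Mirrors the observed behaviour: every role that has child entries is
    expanded, regardless of the composite flag in the role definition.
    """
    result = set()
    for role in direct_roles:
        result.add(role)
        result.update(children.get(role, []))
    return result


def unwanted_roles(direct_roles, role_defs, children):
    """Roles the run adds beyond what was directly assigned."""
    return resolve_assignments(direct_roles, role_defs, children) - set(direct_roles)


def inconsistent_roles(role_defs, children):
    """Roles flagged single in the definition but carrying child entries.

    This is the check to run before the scheduled job does, so the mismatch
    is found on the role rather than on the users it spills onto.
    """
    return sorted(role for role in children if not role_defs.get(role, False))


if __name__ == "__main__":
    print("before:", sorted(unwanted_roles({"Z_AUDIT_FINANCE"}, ROLE_DEFS, COMPOSITE_CHILDREN)))
    print("after clone:", sorted(unwanted_roles({"Z_AUDIT_FINANCE_V2"}, ROLE_DEFS, COMPOSITE_CHILDREN)))
    print("inconsistent roles:", inconsistent_roles(ROLE_DEFS, COMPOSITE_CHILDREN))
```

Assigning Z_AUDIT_FINANCE yields two unwanted roles after the run; assigning the clone Z_AUDIT_FINANCE_V2, which has no child entries, yields none, which is the outcome solution 2 describes. The `inconsistent_roles` check flags Z_AUDIT_FINANCE itself, which is the condition worth monitoring in the role catalogue after the fix is applied.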

Conclusion: Composite roles were assigned to the user unintentionally after the batch job execution.

Solution:
1) Apply SAP Note 1987850.

or

2) Delete all the roles from the affected user, clone the affected role into a new single role with a new name, and reassign it to the user. Observe that after the scheduled job (PFCG_TIME_DEPENDENCY) completes, the user is no longer assigned the unwanted roles.