Using the user buffer and user synchronization correctly

The user has the right roles, the authorization objects are correctly defined, the profiles have been generated and yet they still can’t do what they are supposed to do? Then it’s worth taking a closer look at the user buffer.

It happens from time to time: After a role has been transported into the production system or, for example, after a user has been assigned to the role via the PFCG, they are unable to work. The authorizations are correct, the role is there and assigned and the traffic light fields in both the Authorizations tab and the Users tab are green. And yet: The user’s SU53 displays authorization errors.

With a bit of luck, user synchronization in SU01 or in the PFCG will suffice. If this does not work, use transaction SU56. It first opens the user buffer of your own user. However, you can also view the user buffer of other users via the “Authorization values” field in the menu bar, provided you have the necessary authorizations.

The user buffer is unique and is created for each user when they log on to an SAP system. Here you can see all authorization objects with the associated field values that are assigned to the user – sorted into authorization classes.

Important: The user buffer maps the authorizations that a user receives from their roles. However, it draws these values from the profiles, not from the roles themselves. And this is where the error often lies: if the profiles are not generated correctly or have not been pulled in correctly, the authorization check fails, even though the roles and characteristics are correct.

So look in the user buffer for the object for which the authorization check (according to SU53 or trace) is negative. If this object cannot be found, although you can see it in the role and the role is also assigned to the user, the error is most likely in the user buffer or incorrectly assigned profiles.

Solution: User buffer and user synchronization

In the SU56 ribbon under “Authorization values” you will also find the button to reset the user buffer. You can do this manually and the problem should be solved for your specific case.

Important: You must then regenerate the profile of the affected role or transport the role with the current profile into the target system so that the change is successful.

However, this does not always work. In the HR system, for example, structural authorizations do not access the profiles from the roles and the analysis authorizations also work differently in the BW system. Here you can’t get any further via the user buffer.

However, what almost always works (and not just in the exceptional cases mentioned) is user synchronization via transaction PFUD.

Here you can specify what is to be synchronized. To do this, you select one or more roles to which you want to apply the user comparison and can then choose between:

  • Profile matching
  • Comparison of indirect assignment from composite roles
  • Comparison of HR organizational management

You can also use “Clean up” to remove data remnants that may have arisen after deleting roles and are now causing problems. This function does not apply to individual roles.

User synchronization as a background job

To save yourself work (especially with many users and/or many roles), you should (additionally) ensure that user synchronization is regularly scheduled as a background job. If this does not happen, you will have to carry out the steps mentioned above for each user or role individually, or the users will have to log on to the system each time to reset the user buffer.

You can use transaction SE38 to schedule the PFCG_TIME_DEPENDENCY report as a job. It can run every night, for example. In addition, you could use it to run the “Clean up” option automatically at regular intervals and thus avoid problems caused by data artifacts.

Good to know: The error message “Authorization XY in the master data, but not present in the user buffer” can be misleading. The problem here is usually not in the user buffer, but in the role in which the profile is not (correctly) generated.
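The troubleshooting order described in this article, written out as an added Python example (not SAP code and not part of the original article). It goes one step beyond the text by mapping each layer (role, generated profile, profile assignment, user buffer) to the fix the article names for it. The snapshot layout, role names, profile names and users are constructed assumptions, and the HR structural and BW analysis authorizations mentioned above are not modelled.

```python
# Added example. SNAPSHOT is constructed sample data, not a real system export.
# Assumed layout: one set/dict per layer between a role and the user buffer.
SNAPSHOT = {
    "role_objs": {"Z_SALES": {"S_TCODE", "V_VBAK_VKO"},
                  "Z_FI": {"S_TCODE", "F_BKPF_BUK"}},
    "role_profile": {"Z_SALES": "PROF_SALES", "Z_FI": "PROF_FI"},
    # PROF_FI is stale: it was generated before F_BKPF_BUK was added to Z_FI.
    "profile_objs": {"PROF_SALES": {"S_TCODE", "V_VBAK_VKO"},
                     "PROF_FI": {"S_TCODE"}},
    "user_roles": {"ALICE": {"Z_SALES"}, "BOB": {"Z_SALES"},
                   "CAROL": {"Z_FI"}, "DAVE": {"Z_SALES"}},
    "user_profiles": {"ALICE": {"PROF_SALES"}, "BOB": set(),
                      "CAROL": {"PROF_FI"}, "DAVE": {"PROF_SALES"}},
    "buffer": {"ALICE": {"S_TCODE"}, "BOB": set(),
               "CAROL": {"S_TCODE"}, "DAVE": {"S_TCODE", "V_VBAK_VKO"}},
}

def triage(user, obj, s=SNAPSHOT):
    """Return (layer, action) for a failed check of object obj for user."""
    # Roles assigned to the user that contain the object at all.
    roles = sorted(r for r in s["user_roles"].get(user, ())
                   if obj in s["role_objs"].get(r, ()))
    if not roles:
        return ("role", "object is in none of the user's roles")
    if obj in s["buffer"].get(user, ()):
        return ("values", "object is buffered: compare field values with SU53")
    # Roles whose generated profile really carries the object.
    generated = [r for r in roles
                 if obj in s["profile_objs"].get(s["role_profile"].get(r), ())]
    if not generated:
        return ("profile", "regenerate the profile of: " + ", ".join(roles))
    assigned = s["user_profiles"].get(user, ())
    if not any(s["role_profile"][r] in assigned for r in generated):
        return ("comparison", "run PFUD for: " + ", ".join(generated))
    # Master data is complete, only the buffer is behind.
    return ("buffer", "reset the buffer in SU56 or have the user log on again")

if __name__ == "__main__":
    for user, obj in [("ALICE", "V_VBAK_VKO"), ("BOB", "V_VBAK_VKO"),
                      ("CAROL", "F_BKPF_BUK"), ("DAVE", "V_VBAK_VKO")]:
        print(user, obj, *triage(user, obj))
```
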
