Symptom
- Unable to search for user after they have been hired/created, even as a Super Admin user.
- After creating a New Hire in the system, based on the RBP Permission Group definition in Admin Center, the new user should be added to a Permission Group but it did not.
When opening the Permission Group pop-up window and clicking the "Update" button and the new user will be added to the group
**** Remember - as a customer, you do not have access to Provisioning. To complete tasks in Provisioning, contact SAP Cloud Support.
Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.
Environment
Employee Central – Role Based Permissions
Reproducing the Issue
- Add New Hire
- New Hire logs in but they have no permissions
Cause
When a new users is hired into the system, they are added to Dynamic Groups so that they are granted permissions to access the system. The Dynamic Groups are updated by the background job "Realtime Refresh DG Membership" (Job Type ID: dgRefreshRealTime). This job can be found in Provisioning > Monitor Jobs
The possible reasons for the user not being added to the groups are -:
- The background job dgRefreshRealTime failed. So the new user did not get refreshed in to the permission group (dynamic group).
- Although the background job dgRefreshRealTime succeeded, the user is still not in the Permission Group (Dynamic Group) due to the Permission Group definition.
Resolution
Steps to Check dgRefreshRealTime Job
Check the Job in Provisioning
In the Provisioning
- Go to Job Monitor
- Choose Job Type: Realtime Refresh DG Membership
- Click the Refresh button
We can find the Status and Details (can be shown in a background job) of the background job.
Check the Background Job Detailed Server Log
In the Job Detail pop-up, we can get the background job execution ID. The following screen shot we can see the execution id is 23449097.
Then we can sue the keyword "<company-id> 23449097" to get the detailed server log for this background job.
Steps to Check the Permission Group Users
Here are the steps in to get the permission group users list, to validate if the user is in the permission group or not. We will use the Data Inspector tool to check the back end data. The following link is the user guide:
If you don’t have permission to the Data Inspector tool, please grant yourself permission. The Data Inspector permission is found in the Manage Permission Roles > Manage System Properties category
Step 1. Check the current Permission Group
In the Admin Center / Manage Permission Groups page, to check the Permission Group we want to check.
In the following screen shot, we take the group "Pre Hire" as the example. we can find there are 9 active members in this group.
Step 2. Check table USERS_GROUP to get the User Group ID
In the Data Inspector tool, we check the entity TABLE_USERS_GROUP, with the filter criteria:
- User Group Type = dynamic
- User Group Subtype = permission
We can find the User Group ID for "Pre Hires" is 2536.
Step 3. Check if the User exists in the table USRGRP_MAP
In the Data Inspector tool, we check the entity TABLE_USRGRP_MAP, with the filter criteria:
- User Group ID = 2536
We can find the "Users Sys(tem) ID" list in the group.
We can validate if the new user's ID exits in this permission group or not in this screen.
If the cause is due to one of the following issues described here, please open up an case with SAP Cloud Support. Please also ensure that you have performed the necessary steps mentioned in this article, and include the info gathered from these processes in the case
Remember: As a customer, you do not have access to Provisioning. To complete tasks in Provisioning, contact your Partner (if applicable) or SAP Cloud Support
Keywords
New Hire, New Hire Permissions, Role Based Permissions, RBP, Permission Groups, Permission Roles, Data Inspector, unable to find user, default permission, Realtime Refresh DG Membership,New Refresh Framework, RBP Changes, Permissions, Real-time refresh, Refresh Framework , KBA , LOD-SF-EC-RBP , Roles & Permissions (EC Core only) , LOD-SF-EC-HIR , Hire & Rehire Wizards , Problem