Symptom
The report to audit on changes to RBP roles assignments can be found under Role Based Permission > RBP user role change audit. After running the report you experience the following:
- The "Changed By User (Username)" field shows changes done by a user who does not have access to Role Based Permissions
- The "Changed By User (Username)" field will be “SCHEDULED_JOB” or "QUARTZ"
- The "Changed By User (Username)" field will be empty
Environment
SAP SuccessFactors HCM Suite
Cause
This is expected behavior of Change Audit > Role Based Permission > Change Audit permissions.
Resolution
- If the "Changed By User (Username)" field is showing changes done by a user who does not have access to Role Based Permissions:
This is expected any filled changes related with the RBP user role change, it will record anyone who changes the filed values (which are set as dynamic group filters) of users, that will affect the Change Audit Report records, also when some of the user information change(e.g. status, type, etc.), the relevant group/role/rule change will be recorded in the RBP_USER_ROLE_CHANGE_REPORT, it does not mean that the user changed them within RBP directly or should require RBP admin permissions. It means any attribute changes may trigger RBP jobs to refresh groups definition, rules mapping relationships or permission roles definition, who changes the attribute reacting on changes of RBP definitions or relationships will be recorded as 'changed by' users in the report.”
- If the "Changed By User (Username)" field is shown be “SCHEDULED_JOB” or "QUARTZ" in the Change Audit Report "RBP User Role Change report":
This is expected since there was an enhancement to this Report that shows the “SCHEDULED_JOB” value or "QUARTZ" when the change was made by scheduled jobs. This changes include:
- Direct changes: when RBP configurations are changed (mostly happens in the RBP Management UI).
- Indirect changes: someone's attribute is changed, which makes related permission group membership changed. Since permission group is dynamic, this also will impact user role relationship.
You cannot set-up a job to test behavior manually because the Change Audit Data Extractor Job will record the Job Creator/Executor as the "Changed By User (Username)".
For example, you schedule or run a job to update some role or rule for some users, you can see the job executor/creator on Provisioning and will be
recorded as "Changed By User (Username)" into the audit report. Therefore, it can only record as "SCHEDULED_JOB" or "QUARTZ" through the job been triggered.
Note¹: Due to the code logic, any action done by an entity with invalid user name will be recorded as “SHCEDULED_JOB” or "QUARTZ" (thus, other than scheduled job, behavior may also include database admin manually change in database level, non internal user who doesn’t not have valid user ID to conduct the change.
Note²: The 'User Role Change Report' is not recommended to track direct RBP changes. To audit any direct changes to RBP configurations, we recommend the following audit report: RBP Role Change Report & RBP Group Change Report.
- The "Changed By User (Username)" field will be empty in the Change Audit Reports "RBP Group Change Report" and "RBP Static Group Membership Change Report":
On b2105 release, "Changed By User (Username)" information enhancement will be published of those reports that will be filled with “SCHEDULED_JOB” or "QUARTZ"for role changes caused by scheduled jobs, including first name, last name, username for those changes. The details of the job causing the change will not be recorded in the report.
See Also
- KBA 2618848 - Enabling Change Audit Feature
- For more details on Change Audit for Role Based Permissions please see SAP Help Help Admin Guide RBP User Role Change Audit
Keywords
Change Audit , Role Based Permission , RBP User role change , RBP , PLA-17829 , INC0268000, PLA-12876 , change audit , rbp , wrong data , scheduled_job, QUARTZ, INC9924191 , KBA , LOD-SF-PLT-CHA , Change Audit , LOD-SF-PLT-RBP , Role Based Permissions , How To