Symptom
- Sometimes the RBP User Role Change Audit report records users who are not Role Based Permission (RBP) admins in the "Changed By" field.
- In some specific situations, an unrelated user who did not change any related data is recorded as the Changed By user.
Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.
Environment
SAP SuccessFactors HCM Suite
Reproducing the Issue
- Go to Change Audit Report and run the RBP User Role Change Audit report.
- Sometimes the report lists non-RBP admin users as Changed By users. In some specific situations, an unrelated user who did not even change the related data is recorded as the Changed By user.
Cause
Non-RBP admin users can be recorded in the "Changed By" field in the following scenarios:
- The user modified a field that is associated with the dynamic group filters defined in RBP Dynamic Groups. This modification affects the relationship between the user and RBP Roles.
- The user made a change to another user, or to themselves, that triggered a refresh job very close in time to when the relevant user/group was modified. This triggered an additional request for an RBP refresh job.
Resolution
1. Any change to a field used in the dynamic group filters defined in RBP Dynamic Groups affects the relationship between the user and RBP Roles.
e.g.: An HR manager may change the City, job-code, etc. of a user. If the updated field is one of the dynamic group filters in a role-granted group, this HR manager may be recorded as the "Changed By User" in the report even if they are not an RBP admin.
Please see the image below which illustrates this scenario:
2. When changes are made to users, an RBP refresh job is triggered to ensure that RBP is updated accordingly. If multiple refresh jobs are triggered by different users very close together in time, the "Changed By User" may record the user whose action triggered the previous job.
e.g.: In the "Changed By User" column for the RBP change of user "A", the entry shows the "sfadmin" user. However, the change was actually made by user "tzhang".
The context is that tzhang changed user A's city, which triggered a Refresh Access Membership job at 11:56:07.132. Just a few seconds earlier, at 11:56:03.068, the sfadmin user made a change to another user that requested another RBP refresh job.
In this scenario, sfadmin was recorded as the "Changed By User" in the report, despite not actually making any changes to user "A".
Please note that for the RBP User Role Change Audit report this is working as designed, because refresh jobs are requested asynchronously by change events. Always consider that if changes are made by different users very close together in time, the Changed By user may be recorded as another user.
Note: if the jobs in provisioning were not triggered close together in time and the instance has the refresh framework enabled in provisioning, it might be that the second job was queued and executed by a refresh framework job later. Even in such scenarios, the report will consider that the job was requested, and the user who made the first change might be recorded in the report.
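When reviewing the report, the timing condition in scenario 2 can be checked by comparing each "Changed By" entry against the refresh requests made around the same time. The following is an added example, not SAP code and not an SAP export format: the record layout, field names, user "B", user "C", "hrmgr1" and the 10-second window are assumptions, and the sample rows are constructed from the example above.

```python
from datetime import datetime, timedelta

# Assumption: the KBA gives no threshold for "very close"; its example is ~4 s apart.
WINDOW = timedelta(seconds=10)

# Constructed sample data (hypothetical layout; all timestamps on the same day).
REFRESH_REQUESTS = [
    {"requested_at": "11:56:03.068", "requested_by": "sfadmin", "changed_user": "B"},
    {"requested_at": "11:56:07.132", "requested_by": "tzhang", "changed_user": "A"},
    {"requested_at": "14:20:00.000", "requested_by": "hrmgr1", "changed_user": "C"},
]
AUDIT_ROWS = [
    {"user": "A", "changed_by": "sfadmin"},
    {"user": "C", "changed_by": "hrmgr1"},
]


def _ts(value):
    return datetime.strptime(value, "%H:%M:%S.%f")


def review(audit_rows, requests, window=WINDOW):
    """Classify each audit row by how its "Changed By" value can be explained."""
    findings = []
    for row in audit_rows:
        # Requests caused by a change to the user named in the audit row.
        direct = [r for r in requests if r["changed_user"] == row["user"]]
        actors = sorted({r["requested_by"] for r in direct})
        if row["changed_by"] in actors:
            verdict = "consistent"
        elif any(
            o["requested_by"] == row["changed_by"]
            and timedelta(0) <= _ts(d["requested_at"]) - _ts(o["requested_at"]) <= window
            for d in direct
            for o in requests
        ):
            # The recorded user requested the previous refresh job shortly before.
            verdict = "possible-misattribution"
        else:
            verdict = "unexplained"
        findings.append({**row, "verdict": verdict, "candidates": actors})
    return findings


if __name__ == "__main__":
    for finding in review(AUDIT_ROWS, REFRESH_REQUESTS):
        print(finding)
```

An "unexplained" verdict still needs manual review, because a job queued by the refresh framework can run well outside any fixed time window.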
See Also
2754942 - Change Audit: RBP User Role Change Report - SAP for Me
RBP User Role Change Report | SAP Help Portal
2766870 - Role Based Permissions (RBP) Refresh Framework FAQ - SuccessFactors - SAP for Me
Keywords
Change Audit, Role Based Permission, RBP User role change, RBP, INC2275060, change audit, rbp, wrong data, dg-filter, changed by user, SF, SuccessFactors, KBA, LOD-SF-PLT-CHA, Change Audit, LOD-SF-PLT-RBP, Role Based Permissions, How To