Creation of user roles

Hi all,
Can someone please explain to me how to create user roles?
Is this an IMG part of Logistics? Please explain in detail.
kumar

PFCG is the T.Code for creating roles, and you need to check in T.Code SUIM which roles are currently being used in your organization by entering details. For example, you can enter T.Code VA01 and execute; it will give you details of all the roles having T.Code VA01. Also, if you want to check which roles are assigned to a particular user, enter T.Code YU03. Roles can be attached to a user through T.Code SU01. This part is normally done by the Basis guys.
Reward points if it helps
Regards,
N

Similar Messages

  • User role component

    In one of my projects I need a component that features creation of users, roles and role assignments. Of course, finally, to use those user roles to enable/disable a feature.
    Since this is a very generic requirement, I believe there must be some open source component/code to do this.
    any of you have any idea about it?
    thanks a lot in advance
    Dayanand.

    As for my concern I would go for page definition files.

  • SECATT - Mass creation of users with different assigned roles

    Hello! I've been tasked with creating an eCATT to do a mass creation of users and each user will have a different role assigned (besides the general roles). We're doing this to test out the different roles we have created. I've done some searching through the forums and found some different ideas but I'm not sure they are exactly what I need. One suggestion was to use SU10 to make the role assignment but I'm guessing I would still need to set up a parameter for each role so I would initially need to know how many roles would be entered. I would like for the eCATT to be able to handle assigning multiple roles to a user with each user possibly getting a different number of roles. Would anyone be able to suggest a way to assign different roles to different users through an eCATT?
    Thank you!

    Hi Wendy,
    To create users, maybe SU01 or SU10 can be used.  To assign users to a role, maybe you can try with PFCG.
    SU01 and SU10 have the view from the user - for each user, different roles can be selected and assigned to that user. 
    PFCG has the view of roles - for each role, different users can be selected and assigned to that role. 
    Hence if you know which roles should be assigned to which users, PFCG might be easier.
    Hope such information is helpful for you.
    Kind Regards, Qian

  • Security Issues with the BP Internet user role creation--SU01

    Hi All,
    We are implementing the B2B Internet sales scenario using CRM 4.0. We have contact persons who log in, choose the distributor and then start placing orders or look at the product catalog. Now the contact person is created as a BP in CRM and a relationship is maintained to the sold-to (BP). During this process the contact person should be created under the Internet user role, which uses SU01, so we will be able to change the password or change the roles of the users while creating the BP under the Internet user role, the same as what we do in SU01.
    This is now a security issue because whoever can access the BP (create/change) will be able to do the things we can do under transaction SU01. But we still need to access the Internet user role in order to assign the user ID to the contact person. Is there any other way of doing this?
    Please advise ASAP.
    Thanks
    Vasu

    Hi Ashwini,
    you need to modify the logon routine and then the user management (isauseradmin application) to do this. Then there are likely changes to the catalog identification, and very likely to most processes in the shop. I really wouldn't advise doing so. As accounts usually have contact persons: Why does your client insist on providing a login for the organization and not for a person?
    To achieve something that looks almost like the desired solution you, e.g., could model a dummy contact person for each account that shall get a logon, that then does the job. The contact person could be named like the company and then you are back to plain standard.
    Rgds
    Thomas

  • Creation Of User in EBS

    Hello All,
    There is one request to "Create a user" in Oracle Apps 11i.
    Normally we create the user based on "Mirror access" i.e. other similar user with same set of responsibilities.
    But now there is a requirement, that the user is new and he needs to do the below activity.
    Creation of New Role(i.e. Oracle access should be view only and they will only need to see down to level 2 on BOM's)
    If someone could help like how to make users as read only and what responsibilities needs to be added, that would be really great.
    Thanks

    Hi Linus,
    The following 2 MOS docs are available. Please refer to them.
    R12: How To create read only responsibility [ID 1290228.1]
    How To Make All The Responsibilities Read Only For A User? [363298.1]
    HTH
    Sanjay

  • Access Policy is not getting triggered after creation of user through GTC

    Hi,
    I have an access policy for the ALL USER role that provisions users to an RO after they are created in OIM. I have a trusted source flat file reconciliation GTC for user creation. I am facing an issue: when a user is created through the GTC, the access policy is not triggered. But when creating a user through the web console, the same access policy works fine and the user is provisioned with the RO.
    If anybody has any idea how to resolve this, please help me in this regard.
    Regards,
    Avijit

    Hi ,
    It's good to know that it's working. In my experience it works once (through reconciliation) but then stops working. Now, to confirm, try to revoke the user by changing the group membership through reconciliation and see if the resource is revoked or not (repeat it 2-3 times). Note: don't do it from within the IDM web admin console, do it through reconciliation.
    Do post your results.
    Regards.

  • Windows Small Business Server User Roles - Missing or deleted

    I have a small business server sbs 2008 r2.
    The user roles, Standard, Administrator, Standard w/ admin are no longer available. I don't know why, or how. All I can guess is the previous IT admin, removed the roles, without permission.
    I am wondering is there a way to simply get them back?

    As Robert says, You can create them manually.
    http://technet.microsoft.com/en-us/library/cc794287(v=ws.10).aspx
    KnowHow :
    Behind the scenes, each User Role is created as a disabled user account in Active Directory, and these accounts are used as “Templates” for user creation. To view these, open Active Directory Users and Computers (from the Administrative Tools start menu folder, or through Start → type “dsa.msc” and press Enter). Drill down to the SBSUsers folder under “<yourdomain>\MyBusiness\Users\” and you’ll see several disabled user accounts listed.
    Binu Kumar - MCP, MCITP, MCTS , MBA - IT , Director Aarbin Technology Pvt Ltd - Please remember to mark the replies as answers if they help and unmark them if they provide no help.

  • Modify Script to Create User Role on Single Database.

    Hi All,
    Below is the script to create a user role on a database. The problem is that when I execute this script, it creates the user role for all databases within an instance, and I want it to create the user role only on 2 databases, say TEST1 and TEST2.
    Can anyone help me to modify the script?
    --===================================================================================
    -- Description
    -- Database Type: MSSQL
    -- This script creates a role called 'gdmmonitor' for ALL databases.
    -- It grants some system catalogs to this role to allow Classification and Assessment on the database.
    -- It then adds a user called "sqlguard" to all databases and grants this user gdmmonitor role.
    -- before running this script
    --  you MUST CREATE A SQL LOGIN CALLED 'sqlguard'
    --  This sqlguard login doesn't need to be added to any database or given
    --  any privilege.  The script will take care of that.
    --  Note:
    --   If you wish to use a different login name (instead of 'sqlguard') you need to change
    --   the value of the variable '@Guardium_user' in the script below; 
    --   (Look for the string: "set @Guardium_user = 'sqlguard'" and replace the 'sqlguard')
    -- after running this script
    -- Nothing to do, the script already creates the db user
    -- User/Password to use
    -- User: sqlguard (or any other name, if changed)
    -- Pass: user defined
    -- Role: gdmmonitor
    --===================================================================================
    PRINT '>>>==================================================================>>>'
    PRINT '>>> Creating role: "gdmmonitor" at the server level.'
    PRINT '>>>==================================================================>>>'
    -- Change to the master database
    USE master
    -- *** If a different login name is desired, define it here. ***
    DECLARE @Guardium_user AS varchar(50)
    set @Guardium_user = 'sqlguard'
    DECLARE @dbName AS varchar(256)
    DECLARE @memberName AS varchar(256)
    DECLARE @dbVer AS nvarchar(128)
    SET     @dbVer = CAST(serverproperty('ProductVersion') AS nvarchar)
    SET     @dbVer = SUBSTRING(@dbVer, 1, CHARINDEX('.', @dbVer) - 1)
    IF (@dbVer = '8') SET @dbVer = '2000'
    ELSE IF (@dbVer = '9')  SET @dbVer = '2005'
    ELSE IF (@dbVer = '10')  SET @dbVer = '2008'
    ELSE IF (@dbVer = '11')  SET @dbVer = '2012'
    ELSE SET @dbVer = '''Unsupported Version'''
    IF (@dbVer != '2000')
    BEGIN
      -- This privilege is required to perform a specific MSSQL test.
      -- Test name: SQL OLEDB disabled (DisallowAdhocAccess registry key) 
      -- Procedure execute: EXEC master.dbo.sp_MSset_oledb_prop 
      -- Purpose: To display provider property, not changing anything.
      PRINT '==> Granting MSSSQL 2005 and above setupadmin server role'
      EXEC master..sp_addsrvrolemember @loginame = @Guardium_user, @rolename = N'setupadmin'
    END
    SELECT  @dbName = DB_NAME()
    PRINT '==> Starting MSSql ' + @dbVer + ' role creation on database: ' + @dbName
    -- find any members of the role if they exist
    CREATE TABLE #rolemember (membername VARCHAR(256) NOT NULL)
    INSERT INTO #rolemember
    SELECT DISTINCT usr.name FROM dbo.sysusers usr, .dbo.sysmembers mbr
    WHERE usr.uid = mbr.memberuid
    AND mbr.groupuid = (SELECT uid FROM .dbo.sysusers WHERE name = 'gdmmonitor')
    --  Drop the Role Members If they exist
    IF EXISTS (SELECT count(*) FROM #rolemember)
    BEGIN
      PRINT '==> Dropping the gdmmonitor role members on: ' + @dbName
      DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
      OPEN DropCursor
      FETCH DropCursor INTO @memberName
      WHILE @@Fetch_Status = 0
       BEGIN
        PRINT '==> Dropping member: ''' + @memberName + ''''
        exec('EXEC sp_droprolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
        FETCH DropCursor INTO @memberName
       END
      CLOSE DropCursor
      DEALLOCATE DropCursor
    END
    -- drop the role if it exists
    IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = 'gdmmonitor')
    BEGIN
      PRINT '==> Dropping the role gdmmonitor on: ' + @dbName
      exec sp_droprole 'gdmmonitor'
    END
    -- Create the role
    PRINT '==> Creating the role gdmmonitor on: ' + @dbName
    exec sp_addrole 'gdmmonitor'
    -- Grant select privileges to the role for MSSql Common
    PRINT '==> Granting common SELECT privileges on: ' + @dbName
    GRANT SELECT ON dbo.spt_values     TO gdmmonitor
    GRANT SELECT ON dbo.sysmembers     TO gdmmonitor
    GRANT SELECT ON dbo.sysobjects     TO gdmmonitor
    GRANT SELECT ON dbo.sysprotects    TO gdmmonitor
    GRANT SELECT ON dbo.sysusers       TO gdmmonitor
    GRANT SELECT ON dbo.sysconfigures  TO gdmmonitor
    GRANT SELECT ON dbo.sysdatabases   TO gdmmonitor
    GRANT SELECT ON dbo.sysfiles       TO gdmmonitor
    GRANT SELECT ON dbo.syslogins      TO gdmmonitor
    GRANT SELECT ON dbo.syspermissions TO gdmmonitor
    -- Grant execute privileges to the role for MSSql Common
    PRINT '==> Granting common EXECUTE privileges on: ' + @dbName
    GRANT EXECUTE ON sp_helpdbfixedrole    TO gdmmonitor
    GRANT EXECUTE ON sp_helprotect         TO gdmmonitor
    GRANT EXECUTE ON sp_helprolemember     TO gdmmonitor
    GRANT EXECUTE ON sp_helpsrvrolemember  TO gdmmonitor
    GRANT EXECUTE ON sp_tables             TO gdmmonitor
    GRANT EXECUTE ON sp_validatelogins     TO gdmmonitor
    GRANT EXECUTE ON sp_server_info       TO gdmmonitor
    -- Check if the version is 2005 or greater
    IF (@dbVer != '2000')
    BEGIN
      -- Grant select privileges to the role for MSSql 2005 and above
      PRINT '==> Granting MSSql 2005 and above SELECT privileges on: ' + @dbName
      GRANT SELECT ON sys.all_objects           TO gdmmonitor
      GRANT SELECT ON sys.database_permissions  TO gdmmonitor
      GRANT SELECT ON sys.database_principals   TO gdmmonitor
      GRANT SELECT ON sys.sql_logins            TO gdmmonitor
      GRANT SELECT ON sys.sysfiles              TO gdmmonitor
      GRANT SELECT ON sys.database_role_members TO gdmmonitor 
      GRANT SELECT ON sys.server_role_members   TO gdmmonitor 
      GRANT SELECT ON sys.configurations        TO gdmmonitor
      GRANT SELECT ON sys.master_key_passwords  TO gdmmonitor
      GRANT SELECT ON sys.server_principals     TO gdmmonitor
      GRANT SELECT ON sys.server_permissions    TO gdmmonitor
      GRANT SELECT ON sys.credentials           TO gdmmonitor
      --This is called by master.dbo.sp_MSset_oledb_prop.  
      --By default it should have already been granted to public. 
      GRANT EXECUTE ON sys.xp_instance_regread TO GDMMONITOR
      GRANT EXECUTE ON sys.sp_MSset_oledb_prop TO GDMMONITOR 
    END
    -- Re-add the dropped members
    IF EXISTS (SELECT 1 FROM #rolemember)
    BEGIN
      PRINT '==> Re-adding the role members on: ' + @dbName
      DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
      OPEN DropCursor
      FETCH DropCursor INTO @memberName
      WHILE @@Fetch_Status = 0
        BEGIN
         PRINT '==> Re-adding member: ''' + @memberName + ''''
         exec('EXEC sp_addrolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
         FETCH DropCursor INTO @memberName
        END
      CLOSE DropCursor
      DEALLOCATE DropCursor
    END
    -- END of role creation on database
    PRINT '==> END of role creation on: ' + @dbName
    PRINT ''
    -- Change to the msdb database
    USE msdb
    set @memberName = ''
    SELECT  @dbName = DB_NAME()
    PRINT '==> Starting MSSql ' + @dbVer + ' role creation on database: ' + @dbName
    -- find any members of the role if it exists
    TRUNCATE TABLE #rolemember
    INSERT INTO #rolemember
    SELECT DISTINCT usr.name FROM .dbo.sysusers usr, .dbo.sysmembers mbr
    WHERE usr.uid = mbr.memberuid
    AND groupuid = (SELECT uid FROM .dbo.sysusers WHERE name = 'gdmmonitor')
    --  Drop the Role Members If they exist
    IF EXISTS (SELECT count(*) FROM #rolemember)
    BEGIN
      PRINT '==> Dropping the gdmmonitor role members on: ' + @dbName
      DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
      OPEN DropCursor
      FETCH DropCursor INTO @memberName
      WHILE @@Fetch_Status = 0
       BEGIN
        PRINT '==> Dropping member: ''' + @memberName + ''''
        exec('EXEC sp_droprolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
        FETCH DropCursor INTO @memberName
       END
      CLOSE DropCursor
      DEALLOCATE DropCursor
    END
    -- drop the role if it exists
    IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = 'gdmmonitor')
    BEGIN
      PRINT '==> Dropping the gdmmonitor role on: ' + @dbName
      exec sp_droprole 'gdmmonitor'
    END
    -- Create the role
    PRINT '==> Creating the gdmmonitor role on: ' + @dbName
    exec sp_addrole 'gdmmonitor'
    -- Grant select privileges to the role for MSSql Common
    PRINT '==> Granting common SELECT privileges on: ' + @dbName
    GRANT SELECT ON dbo.sysobjects     TO gdmmonitor
    GRANT SELECT ON dbo.sysusers       TO gdmmonitor
    GRANT SELECT ON dbo.sysprotects    TO gdmmonitor
    GRANT SELECT ON dbo.sysmembers     TO gdmmonitor
    GRANT SELECT ON dbo.sysfiles       TO gdmmonitor
    GRANT SELECT ON dbo.syspermissions TO gdmmonitor
    GRANT SELECT ON dbo.backupset   TO gdmmonitor
    -- Check if the version is 2005 or greater
    IF (@dbVer != '2000')
    BEGIN
      -- Grant select privileges to the role for MSSql 2005 and above
      PRINT '==> Granting MSSql 2005 and above SELECT privileges on: ' + @dbName
      GRANT SELECT ON sys.all_objects TO gdmmonitor
      GRANT SELECT ON sys.database_permissions TO gdmmonitor
      GRANT SELECT ON sys.database_principals TO gdmmonitor
      GRANT SELECT ON sys.sysfiles TO gdmmonitor
      -- Grant execute privileges to the role for MSSql 2005 or above
      PRINT '==> Granting MSSql 2005 and above EXECUTE privileges on: ' + @dbName
      GRANT EXECUTE ON msdb.dbo.sp_enum_login_for_proxy TO gdmmonitor
      GRANT SELECT ON sys.database_role_members  TO gdmmonitor
    END
    IF (@dbVer > '2000' and @dbVer < '2012') 
    --This sp is not available in SQL 2012
    BEGIN
      GRANT EXECUTE ON sp_get_dtspackage TO gdmmonitor
    END
    -- Re-add the dropped members
    IF EXISTS (SELECT count(*) FROM #rolemember)
    BEGIN
      PRINT '==> Re-adding the gdmmonitor role members on: ' + @dbName
      DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
      OPEN DropCursor
      FETCH DropCursor INTO @memberName
      WHILE @@Fetch_Status = 0
        BEGIN
         PRINT '==> Re-adding member: ''' + @memberName + ''''
         exec('EXEC sp_addrolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
         FETCH DropCursor INTO @memberName
        END
      CLOSE DropCursor
      DEALLOCATE DropCursor
    END
    -- drop the temporary table
    DROP TABLE #rolemember
    -- END of role creation on database
    PRINT '==> END of gdmmonitor role creation on: ' + @dbName
    -- Role creation complete
    PRINT '<<<==================================================================<<<'
    PRINT '<<< END of creating role: "gdmmonitor" at the server level.'
    PRINT '<<<==================================================================<<<'
    PRINT ''
    PRINT '>>>==================================================================>>>'
    PRINT '>>> Starting application database role creation'
    PRINT '>>>==================================================================>>>'
    use master
    DECLARE @databaseName AS varchar(80)
    DECLARE @executeString AS varchar(7950)
    DECLARE @dbcounter as int   
    set @dbcounter = 0
    DECLARE DatabaseCursor CURSOR FOR SELECT name from sysdatabases where name not in ('master', 'msdb')
    and not (status & 1024 > 1)
    --read only
    and not (status & 4096 > 1)
    --single user
    and not (status & 512 > 1)
    --offline
    and not (status & 32 > 1)
    --loading
    and not (status & 64 > 1)
    --pre recovery
    and not (status & 128 > 1)
    --recovering
    and not (status & 256 > 1)
    --not recovered
    and not (status & 32768 > 1)
    --emergency mode
    OPEN DatabaseCursor
    FETCH DatabaseCursor INTO @databaseName
    WHILE @@Fetch_Status = 0
    BEGIN
    set @dbcounter = @dbcounter + 1     
    set @databaseName = '"' + @databaseName + '"'  
    set @executeString = ''
    set @executeString = 'use ' + @databaseName + ' ' +
             'PRINT ''>>>==================================================================>>>'' ' +
             'PRINT ''>>> Starting MSSql ' + @dbVer + ' role creation on database: ' + @databaseName + ''' ' +
             'PRINT ''>>>==================================================================>>>'' ' +
           '/* Variable @memberNameDBname must be declare within the string or else it will fail */ ' +
           'DECLARE @memberName' + cast(@dbcounter as varchar(5)) + ' as varchar(50) ' +
           '/*find any members of the role if it exists*/ ' +
             'CREATE TABLE #rolemember (membername VARCHAR(256) NOT NULL) ' +
             'INSERT INTO #rolemember ' +
             'SELECT DISTINCT usr.name FROM dbo.sysusers usr, dbo.sysmembers mbr ' +
             'WHERE usr.uid = mbr.memberuid ' +
             'AND groupuid = (SELECT uid FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
             '/*Drop the Role Members If they exist*/ ' +
             'IF EXISTS (SELECT * FROM #rolemember) ' +
             'BEGIN ' +
               'PRINT ''==> Dropping the role members on: ' + @databaseName + ''' ' +
               'DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember ' +
               'OPEN DropCursor ' +
               'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
               'WHILE @@Fetch_Status = 0 ' +
                 'BEGIN ' +
                 'PRINT ''==> Dropping member: '' + @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
                 'exec(''EXEC sp_droprolemember ''''gdmmonitor'''', '''''' + @memberName' + cast(@dbcounter as varchar(5))  + ' + '''''';'') ' +
                 'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
                 'END ' +
               'CLOSE DropCursor ' +
               'DEALLOCATE DropCursor ' +
             'END ' +
             '/*drop the role if it exists*/ ' +
             'IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = ''gdmmonitor'') ' +
             'BEGIN ' +
               'PRINT ''==> Dropping the gdmmonitor role on: ' + @databaseName + ''' ' +
               'exec sp_droprole ''gdmmonitor'' ' +
             'END ' +
             '/* Create the role */ ' +
             'PRINT ''==> Creating the gdmmonitor role on: ' + @databaseName + ''' ' +
             'exec sp_addrole ''gdmmonitor'' ' +
             '/* Grant select privileges to the role for MSSql Common */ ' +
             'PRINT ''==> Granting common SELECT privileges on: ' + @databaseName + ''' ' +
             'GRANT SELECT ON dbo.sysmembers     TO gdmmonitor ' +
             'GRANT SELECT ON dbo.sysobjects     TO gdmmonitor ' +
             'GRANT SELECT ON dbo.sysprotects    TO gdmmonitor ' +
             'GRANT SELECT ON dbo.sysusers       TO gdmmonitor ' +
             'GRANT SELECT ON dbo.sysfiles       TO gdmmonitor ' +
                   'GRANT SELECT ON dbo.syspermissions TO gdmmonitor ' +
             '/* Check if the version is 2005 or greater */ ' +
             'IF (' + @dbVer + ' != ''2000'') ' +
             'BEGIN ' +
               '/* Grant select privileges to the role for MSSql 2005 and above */ ' +
               'PRINT ''==> Granting MSSql 2005 and above SELECT privileges on: ' + @databaseName + ''' ' +
               'GRANT SELECT ON sys.database_permissions TO gdmmonitor ' +
               'GRANT SELECT ON sys.all_objects          TO gdmmonitor ' +
               'GRANT SELECT ON sys.database_principals  TO gdmmonitor ' +
               'GRANT SELECT ON sys.sysfiles      TO gdmmonitor ' +          
               'GRANT SELECT ON sys.database_role_members  TO gdmmonitor ' +           
             'END ' +
             '/* Re-add the dropped members */ ' +
             'IF EXISTS (SELECT 1 FROM #rolemember) ' +
             'BEGIN ' +
               'PRINT ''==> Re-adding the gdmmonitor role members on: ' + @databaseName + ''' ' +
               'DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember ' +
               'OPEN DropCursor ' +
               'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
               'WHILE @@Fetch_Status = 0 ' +
                 'BEGIN ' +
                   'PRINT ''==> Re-adding member: '' + @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
                   'exec(''EXEC sp_addrolemember ''''gdmmonitor'''', '''''' + @memberName' + cast(@dbcounter as varchar(5))  + ' + '''''';'') ' +
                   'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
                 'END ' +
               'CLOSE DropCursor ' +
               'DEALLOCATE DropCursor ' +
             'END ' +
             '/* drop the temporary table */ ' +
             'DROP TABLE #rolemember ' +
             'PRINT ''<<<==================================================================<<<'' ' +
             'PRINT ''<<< END of role creation on: ' + @databaseName + ''' ' +
             'PRINT ''<<<==================================================================<<<'' ' +
             'PRINT '' ''' +
             'PRINT '' '''
    execute (@executeString)
    FETCH DatabaseCursor INTO @databaseName
    END
    CLOSE DatabaseCursor
    DEALLOCATE DatabaseCursor
    --  Adding user to all the databases
    --  and grant gdmmonitor role, only if login exists.
    PRINT '>>>==================================================================>>>'
    PRINT '>>> Add and Grant gdmmonitor role to: ''' + @Guardium_user + ''''
    PRINT '>>> on all databases.'
    PRINT '>>>==================================================================>>>'
    USE master
    /* Check if @Guardium_user is a login exist, if not do nothing.*/
    IF NOT EXISTS (select * from syslogins where name = @Guardium_user)
    BEGIN
      PRINT ''
      PRINT '************************************************************************'
      PRINT '*** ERROR: Could not find the login: ''' + @Guardium_user + ''''
      PRINT '***        Please add the login and re-run this script.'
      PRINT '************************************************************************'
      PRINT ''
    END
    ELSE
    BEGIN
      DECLARE @counter AS smallint
      set @counter = 0
      --  This loop runs 4 time just to make sure that the @Guardium_user gets added to all db.
      --  99% of the time, this is totally unnecessary.  But in some rare case on SQL 2005
      --  the loop skips some databases when it tried to add the @Guardium_user.
      --  After two to three executions, the user is added in all the dbs.
      --  Might be a SQL Server bug.
      WHILE @counter <= 3
      BEGIN
      set @counter = @counter + 1
        set @databaseName = ''
        set @executeString = ''
        DECLARE DatabaseCursor CURSOR FOR SELECT name from sysdatabases
        where not (status & 1024 > 1)
    --read only
        and not (status & 4096 > 1)
    --single user
        and not (status & 512 > 1)
    --offline
        and not (status & 32 > 1)
    --loading
        and not (status & 64 > 1)
    --pre recovery
        and not (status & 128 > 1)
    --recovering
        and not (status & 256 > 1)
    --not recovered
    and not (status & 32768 > 1)
    --emergency mode    
        OPEN DatabaseCursor
        FETCH DatabaseCursor INTO @databaseName
        WHILE @@Fetch_Status = 0
        BEGIN
        set @databaseName = '"' + @databaseName + '"' 
        set @executeString = ''
        set @executeString = 'use ' + @databaseName + ' ' +
                 '/*Check if the login already has access to this database */ ' +
                 'IF EXISTS (select * from sysusers where name = ''' + @Guardium_user + ''' and islogin = 1) ' +
                 'BEGIN ' +
                  '/*Check if login already have gdmmonitor role*/ ' +
                  'IF NOT EXISTS (SELECT usr.name FROM dbo.sysusers usr, dbo.sysmembers mbr WHERE usr.uid = mbr.memberuid ' +
                'AND mbr.groupuid = (SELECT uid FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
                'AND usr.name = ''' + @Guardium_user + ''') ' +
                  'BEGIN ' +
                  'PRINT ''==> Granting gdmmonitor role to ' + @Guardium_user + ' on database ' + @databaseName + ''' ' +
                  'execute sp_addrolemember ''gdmmonitor''' + ', [' + @Guardium_user + '] ' +
                  'PRINT '' ''' +
                  'END ' +
                 'END ' +
                 'IF NOT EXISTS (select * from sysusers where name = ''' + @Guardium_user + ''' and islogin = 1) ' +
                 'BEGIN ' +
                 'PRINT ''==> Adding user [' + @Guardium_user + '] to database: ' + @databaseName + ''' ' +
                 'execute sp_adduser [' + @Guardium_user + '] ' +
                 'PRINT ''==> Granting gdmmonitor role to ' + @Guardium_user + ' on database '  + @databaseName + ''' ' +
                 'execute sp_addrolemember ''gdmmonitor''' + ', [' + @Guardium_user + '] ' +
                 'PRINT '' ''' +
                 'END '
        execute (@executeString)
        FETCH DatabaseCursor INTO @databaseName
        END
        CLOSE DatabaseCursor
        DEALLOCATE DatabaseCursor
      END   -- end while
      -- Required for Version 2005 or greater.
      IF (@dbVer != '2000')
      BEGIN
        -- Grant system privileges to the @guardium_user.  This is a requirement for >= SQL 2005
        -- or else some system catalogs will filter our result from assessment test.
        -- This will show up in sys.server_permissions view.
        PRINT '==> Granting catalog privileges to: ''' + @Guardium_user + ''''
        execute ('grant VIEW ANY DATABASE to [' + @Guardium_user + ']' )
        execute ('grant VIEW ANY DEFINITION to [' + @Guardium_user + ']' )
      END
      PRINT '<<<==================================================================<<<'
      PRINT '<<< Finished Adding and Granting gdmmonitor role to: ''' + @Guardium_user + ''''
      PRINT '<<< on all databases.'
      PRINT '<<<==================================================================<<<'
      PRINT ''
    END
    GO

    Thanks a lot Sir... it worked.
    Can you also help me in troubleshooting below issue?
    This script is working fine on all databases except one MS SQL 2005 database. The build of this database is 9.00.3042.00.
    The SA account with highest privileges has been used for script execution. The errors received are as follows:
    >>>==================================================================>>>
    >>> Creating role: "gdmmonitor" at the server level.
    >>>==================================================================>>>
    ==> Granting MSSSQL 2005 and above setupadmin server role
    ==> Starting MSSql 2005 role creation on database: master
    (0 row(s) affected)
    ==> Dropping the gdmmonitor role members on: master
    ==> Creating the role gdmmonitor on: master
    Msg 15002, Level 16, State 1, Procedure sp_addrole, Line 16
    The procedure 'sys.sp_addrole' cannot be executed within a transaction.
    ==> Granting common SELECT privileges on: master
    Msg 15151, Level 16, State 1, Line 117
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 118
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 119
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 120
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 121
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 122
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 123
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 124
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 125
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 126
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    ==> Granting common EXECUTE privileges on: master
    Msg 15151, Level 16, State 1, Line 130
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 131
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 132
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 133
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 134
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 135
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 136
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
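
    The cascade in the output above, as an added example that is not part of the original post or of the script it describes: sp_addrole stops with Msg 15002 because the session already has an open transaction, so the role is never created and every later GRANT fails with Msg 15151. The sketch below, written for SQL Server 2005 and later, checks the session state first and uses CREATE ROLE; the single GRANT is a stand-in for the script's own grants, which the post does not show.

```sql
USE master;
GO

-- 1. Inspect the session: an open transaction (left by an earlier batch or by
--    implicit-transaction mode) is what makes sp_addrole raise Msg 15002.
SELECT @@TRANCOUNT AS open_transactions,
       CASE WHEN (@@OPTIONS & 2) = 2 THEN 'ON' ELSE 'OFF' END AS implicit_transactions;
GO

-- 2. Make the session state explicit, then create the role only when it is
--    safe to do so and the role does not already exist.
SET IMPLICIT_TRANSACTIONS OFF;

DECLARE @open int;
SET @open = @@TRANCOUNT;

IF @open > 0
    -- Do not commit or roll back blindly: the open work may belong to an earlier step.
    RAISERROR('Open transaction detected (@@TRANCOUNT = %d). Commit or roll back before creating roles.',
              16, 1, @open);
ELSE IF NOT EXISTS (SELECT 1
                    FROM sys.database_principals
                    WHERE name = N'gdmmonitor' AND type = 'R')
    CREATE ROLE gdmmonitor AUTHORIZATION dbo;
GO

-- 3. Guard the grants so that a failed role creation produces one clear error
--    instead of a Msg 15151 for every GRANT statement.
IF DATABASE_PRINCIPAL_ID(N'gdmmonitor') IS NULL
    RAISERROR('Role gdmmonitor does not exist in this database; grants skipped.', 16, 1);
ELSE
    GRANT SELECT ON sys.database_principals TO gdmmonitor;  -- stand-in grant (assumption)
GO

-- 4. Verify the result: list what the role actually holds in this database.
SELECT pr.name AS role_name, pe.permission_name, pe.state_desc,
       OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_principals AS pr
JOIN sys.database_permissions AS pe
  ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = N'gdmmonitor';
GO
```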

  • User roles and role mapping

    I've just started as an intern in the Change Management team that is helping to implement SD. My two tasks are to "develop SAP user roles specific to the new business processes" and "manage the role to position mapping for provision of security roles." None of the real employees in my team has ever done this, and my manager is now on three weeks' leave. I'm new to SAP and I don't really know where to start. Can anyone offer any advice, or point me to some references? Thanks.

    Intern,
    It's a pretty cold manager who will dump a task on an inexperienced subordinate without any guidance or mentoring, and then take three weeks off.
    Anyhow, you first need to get some insights as to what the expectations of the client are: What type of users will there be? What tasks will each user be responsible for carrying out?
    You also will want to collect a list of names of the actual users. Your Basis people will tell you which bits of data will have to be collected in order to create users on the system.
    Next, you need to talk to the SD expert on your team about the solutions that will be implemented.  Quotes? Consignment? Scheduling agreements? Pricing? Customer Service? Marketing?  Customer Master? Material Master? The SD expert should be able to tell you at a very minimum which transactions should be made available.
    There are standard roles available delivered in the system.  These are pretty much un-usable as delivered, but they make a good starting point.  Review http://help.sap.com/erp2005_ehp_04/helpdata/EN/b4/3f9c41919eae5fe10000000a1550b0/frameset.htm
    and
    http://help.sap.com/erp2005_ehp_04/helpdata/EN/06/57683801b5c412e10000009b38f842/frameset.htm
    Once you have all the info needed from the client and your SD experts, you then design the supporting roles at a high level. I usually use an Excel Spreadsheet with two tabs:  One tab listing roles to be developed, with all the transactions and authorization object limitations for each one;  and another tab listing Users and the supporting data needed to create a user.  If you are a Basis expert, you already know the next steps.  If not, then you typically hand your designs to the Basis team for creation of the actual Roles.
    Good luck.  Remember not to treat your interns the same way you have been treated.
    DB49

  • Use of "User Role" tab in T.Code - VL10G

    Hi,
    Can anyone help me in providing more information or document on "User Role" tab in T.Code-VL10G.
    Rahul

    This controls what type of documents are processed (orders vs  purchase orders) and in what manner (i.e. actually execute delivery or just list delivery relevant items).  Some key fields to note: Role, F. code profile, Dlv creation profile.

  • MM End user roles Segregating - Suggestions

    Dear SAP Experts,
    In our company, Purchase Dept 10 persons are using SAP MM Screen. We would like to minimize the work as well as for logging in SAP Screen usage.
    Kindly tell your all suggest that, Work profile allocating on daily basis, so that we can control manpower, work allocating and SAP Screen logging.
    Kindly send all your suggestions for end user roles - how to do it, who should do it and when it can be done.
    Awaiting your valuable suggestions.
    Thanks & regards,
    Ramana

    Vendor Master - Display
    Material Master - Display
    Condition Master - Display
    Inforecord - Display
    Maintain Source List
    Display Source List
    Purchase Req - Create
    Purchase Req - Change
    Purchase Req - Display
    Purchase Req - Release
    Purchase Order - Create
    Purchase Order - Change
    Purchase Order - Display
    Purchase Order - Release
    Stores Dept Transactions
    Goods Receipt for PO/Return Delivery to Vendor
    Transfer Posting
    Goods Issue
    Inventory Stock Reports
    Display material document
    Capture of Excise Invoice
    Create/Change/Display Depot Excise Invoice
    Create Sub-contracting challan
    Change Sub-contracting challan
    Display Sub-contracting challan
    Reconcile Sub-contracting challan
    Complete/Reversals/Recredit of S/C Challan
    Depot Stock With Balances
    Annexure IV Report
    Excise Dept Transactions
    Excise Master Maintenance
    Update RG1 Register
    Extract & Print Excise Registers
    Create Tax Code
    Sales Tax register
    Reversal of Excise duty for rejected items
    Change/Posting of Excise Invoice
    Monthly Utilization
    Excise JV'S
    List of Excise Invoices
    Invoice Verification
    Enter Invoice
    Park Invoice
    Invoice Verification in Back Ground
    Display invoice Document
    Cancel Invoice Document
    Release Block invoices
    Display list of invoices
    Invoice Overview
    Output Messages
    Evaluated Receipt Settlement
    Automatic Delivery cost settlement
    Invoicing plan Settlement
    GR/IR account Maintenance
    Display/Cancel Account Maintenance Transaction
    Change Material document
    Enter Goods Issue
    Enter Transfer posting
    Enter other goods receipt
    Create Reservation
    Change Reservation
    Display Reservation
    List Display Reservations
    Reservation list inventory management
    Goods receipt for order
    Plant Stock Availability
    Stock on posting date
    Shelf life list
    Output from goods movement
    Stocks at sub contractor
    Enter return delivery
    Cancel material document
    Material analysis-stock selection
    Material analysis-receipts/issues-selection
    key figure:Slow moving terms
    Key figure:stock value
    Key figure-Dead stock
    Stock requirements list
    Changes to source list
    Reorganize source list
    Source list for material
    Changes to purchasing info record
    Quotation price history
    Info records per vendor
    Info records per material
    Purchase order price history
    Release(Approve) purchasing documents
    Purchasing documents for material group
    Purchasing documents per project
    Purchasing documents per account assignment
    Purchasing documents per vendor
    Purchasing documents for material
    Purchasing documents per document no.
    SC stock monitoring for vendor
    Purchasing documents per supplying plant
    Create Contract
    Change Contract
    Display Contract
    Purchasing documents for material group
    Purchasing documents per vendor
    Purchasing documents for material
    Create RFQ
    Change RFQ
    Display RFQ
    Maintain Quotation
    Display Quotation
    Price comparison list
    Purchasing documents per requirement tracking no.
    Purchasing documents for material group
    Purchasing documents per vendor
    Purchasing documents for material
    Purchasing documents per document no.
    RFQs per collective no.
    Release:Purchase requisition
    Collective release of purchase requisitions
    Assign source of supply to requisitions
    Assign and process purchase requisitions
    Ordering:Assigned purchase requisitions
    Automatic creation of purchase orders from requisitions
    List display of purchase requisitions
    List display of purchase requisitions
    Maintain vendor evaluation
    Calculate scores for semi automatic & automatic sub criteria
    Evaluation Comparison
    Ranking list of vendors
    General evaluations
    Analysis of purchase order values
    Message output
    Message output
    Create physical inventory document
    Change physical inventory document
    Display physical inventory document
    Enter inventory count
    Change inventory count
    Display inventory count
    Post inventory difference
    Post count and difference
    Enter recount
    List of inventory differences
    Print physical inventory document
    Physical inventory list
    Selected data for physical inventory documents w/o special stock
    Display vendor
    Service entry sheet
    Display changes
    Extend material view(s)
    Materials list
    Close period for material master records
    Price change
    Debit/credit material
    Revaluation with logistics invoice verification
    Display inspection lot
    Display usage decision
    Inspection lot selection
    Create quality cert receipt
    Change quality certificate
    Display quality certificate
    Record results
    Change results
    Display results
    Result printout
    Display QM Info Record
    QM Info Record Collective Processing
    Create notification
    Change notification
    Display notification
    Display inspection plan
    Task list changes
    Display master inspection characteristic version
    Display material specification
    Maintain Service Master
    Display Line Items (Vendor)
    Display Balances (Vendor)
    Due Date Analysis for Open Items
    List of Vendor Line Items
    Print Subcontracting Challan
    Country India Localization Menu
    Down Payment Request - Header Data.
    List of Vendors Purchasing.
    Information System
    Create Vendor (Centrally)
    Change Vendor (Centrally).
    Display Vendor (Centrally)
    Vendor Account Changes.
    Block / Unblock Vendor.
    Flag for Deletion Vendor.
    Change Account Group.
    Create Vendor.
    Change Vendor
    Vendor Account Changes.
    Block / Unblock Vendor.
    Flag for Deletion Vendor.
    Planned Vendor.
    Planned Vendor A/C. Changes.
    Display in future Vendor.
    Create Info Record
    Change Info Record.
    Changes to Purchasing Info Record.
    Flag Info Record for Deletion.
    Change Document.
    Invco. Stck/reqt. Analysis - Selection.
    Purchase Register.
    Converting SAP Script (OTF) or ABAP List Spool job to PDF.
    Display Document.
    Pick list
    Message Output.
    Release Purchase Requisition
    Stck/Reqt Analysis Selection
    Release Purchase Order
    Release purchase order

  • How to assign a Bex report to the user role

    Hi Expert
    In Excel, when you open a query, the system will display history, favorites, infoarea and role buttons on the left side of the popup screen. If you click the role button, you can see the user's authorized Bex reports. Now I have created a Bex report and I want to assign it to the user role.
    How do I do that?
    Does anybody know which transaction or setting can solve this problem?
    thank you in advance!

    Hi,
    You need to add the object S_RS_COMP:
    S_RS_COMP: Authorizations for using different components for the query definition. This authorization object is very important for reporting
    The authorization object S_RS_COMP restricts query component activities. For example, it restricts if someone can create queries, change queries, or execute queries. You can restrict query creation, change, and execution by the InfoArea and InfoCube. If your company has one InfoCube for sales information and another for financial data, you can restrict a user to only those queries written for the sales InfoCube or the financial InfoCube.
    You could also use S_RS_COMP if you want to protect by query name. For example, you have an InfoCube for sales data. Every sales manager needs access to this InfoCube. However, sales managers in different lines of business are not allowed to execute the same query.
    Please visit:
    http://www.*********************/bw_security/bw_security_auth_obj_2.htm
    to know more about BW Objects.
    Hope it helps.
    Please award points if it is useful.
    Thanks & Regards,
    Santosh

  • Restrict GL / Cost Centre combinations for users/roles?

    Hi,
    Please could someone advise if it is possible to restrict Cost Centre and GL Account combinations during PO creation for specific users/roles?
    For example:
    Valid Combinations:
    CC A1  GL 99
    CC B2  GL 88
    Scenarios:
    Create PO with A1, 99   -> Allowed
    Create PO with B2, 77  -> Not Allowed
    I've found a related post, but not exactly my requirement - any other thoughts?  Or has anyone done this themselves?
    Authorisations - User Profile for purchasing - restrict by cost centre

    Use the user exit MM06E005 to control the CC and G/L for user dependent.
    To do that, ask an ABAPer to create a custom table for the user, CC and GL combination, and let the user exit read the combination from the table and give an error or warning based on your requirements.

  • Creation of user mysites under different managed paths

    Hi,
    Regarding creation of user Mysites, can two users have different mysites under two different managed paths?
    The scenario for my case is like this:
    I've a SharePoint 2013 farm attached to a domain contosso.com. Under that AD, I've created two different OUs (Organizational Units), say org1.local and org2.local. Two users are created under the OUs, the usernames being [email protected] and [email protected]
    In my SharePoint 2013 farm I've created a Web Application, say SharePoint - 80, to host the MySite Host Site Collections. I've also created two managed paths under SharePoint - 80, say, /personal and /sites.
    Now I want to create two user mysites, for the users created above. My question is that can we form the urls for the user mysites as below:
    http://HostSiteCollection1/personal/user1_org1_local (for user1 of OU org1.local) and
    http://HostSiteCollection2/sites/user1_org2_local (for user1 of OU org2.local)
    Please suggest as we are totally stuck.
    Thanks in advance,
    Arnab

    Hi,
    According to your post, my understanding is that you want to create different MySites under different managed paths.
    We can create different managed paths for different MySites for UPA in partitioned mode.
    Harbar has written a good blog about creating the MySite host using that same multi-tenant setup.
    http://www.harbar.net/archive/2010/09/14/sp2010mt6.aspx
    Specifically, you use Set-SPSiteSubscriptionConfig to point to a particular OU for user accounts.
    Next, you create a site using New-SPSite bound to that subscription for your MySite Host (e.g. New-SPSite https://customerA.sharepoint.com/mysites -Template "SPSMSITEHOST#0")
    And finally you connect to the UPA Proxy that you previously created in partitioned mode to synchronize users with that particular subscription using Add-SPSiteSubscriptionProfileConfig -ID <Subscription ID> -SynchronizationOU CustomerA -MySiteHostLocation "https://customerA.sharepoint.com/mysites".
    For more reference:
    https://social.technet.microsoft.com/Forums/office/en-US/820b1937-4b83-4fd3-8997-118ea13e23ef/sharepoint-2013-my-sites-for-host-based-site-collections?forum=sharepointgeneral
    Thanks & Regards,
    Jason
    Jason Guo
    TechNet Community Support

  • Need procedure for creation of BW Roles, Assigning Queries,Publishing Roles

    Hi Experts,
    Could you please let me know the procedure for creation of BW Roles, Assigning Queries, Publishing Roles in Business Explorer (BEx - BW 3.5)
    Thanks in advance,
    Andy

    Hi,
    Creating BW Roles
    http://help.sap.com/saphelp_nw04/helpdata/en/52/6714b6439b11d1896f0000e8322d00/frameset.htm
    Assigning Queries
    After creating the query, save the query to a role from the query designer.
    Publishing Roles in Business Explorer
    https://websmp101.sap-ag.de/~sapdownload/011000358700002894802003E/HowToBIPortal1.pdf
    Hope this helps you..!
    -Pradnya
