Mass consolidation of Roles

Similar Messages

• Mass  Generation Of  Roles

  Hi
  Which option does user have to choose from the list to output the mass generation of roles at PFCG?
  Nag.

  Hi ,
  unfortunately there is no way in standard to bypass the manual work.
  IF SU24-values have been changed for a t-code, all roles that contain that t-code, have to be adapted manually and afterwards regenerated.
  The profile gets the status ' To adjust' until you have maintained the authorizations once and saved. Until then no mass generation (SUPC) will be able to regenerate thos profiles.
  Please consider enough time to adapt your roles during your test upgrade. A good idea is to adapt all roles to the new authorizations in a test environement and save them afterwards in a transport. AFter you have performed the upgrade in your productive environement, you can import then this transport and you don't have to perform this time consuming  'adaption-work' again in your p-environement....
  b.rgds, Bernhard

• VIRSA mass creation of roles

  Hi All:
          Can anyone tell me how to perform mass creation of roles using VIRSA role expert,also if you could point me to some documentation it will be very helpful.
          Thanks,
            J D

  Hi Olivier,
  I am afraid, my help is limited to this forum.
  However, I can help you with some ABAP logic :
  Table AGR_1252 is used to store the ORG values of derived roles.
  You can start working with an ABAP'er to get his coding magic started. Though I am not familiar with ABAP, I believe our ABAP'er debugged PFCG and  knew what needed to be done. I have no clue what he did
  the logic:
  Start of Selection
  Load information into internal tables for use in creating report
  Upload the Organsational Changes Spreadsheet
  Ensure Roles exist and there are no duplicates
  Ensure Organistional levels exist and there are no duplicates
  *Checks if the file exists
  Role must exist
  Ignore duplicate roles
  Authority Check Role for user
  IMP Logic checks-
  For Add High range of Role must be greater than low range
  *...if adding specific ranges - remove existing * or space entry if it
    exists
  *...if adding * access remove other accesses if they exist
  *Process All Org Levels for each role
  ...submit report to generate profiles
  You can start working with your ABAP'er with this logic.
  *Disclaimer* - this may need enhancements to meet your requirements. Also, I have just put the logic what I could remember at the top of my head. I may have missed something.
  Hope it helps
  Abhishek

• Reg: Mass generation of roles with open authorization

  Hi,
           Is there an option to mass generate roles with open authorizations ?
           It would be helpful if it there exists some transactions or reports that would help in doing so unlike CATT scripts or batch sessions.
  Regards,

  Hi Arravind,
  Why cant you correct the roles by filling up those open fields?? I guess you can create a CATT script to acheive your objective but I suggest better to check why there are open fields in the role then generating them blindly.
  Do let us know if you need any more information from our side. If you want to know how to create a CATt script then search for it in SDN/Google you will surely get your answer.

• Su25 - mass generation of roles

  Hello,
  I have one problem in my upgrade project that...my client has done the upgradation but he has not done that su25 2a - 2d steps....noe i want to do that 2c steps to complete
  when i clicked it 2c steps in su25 it shows me long list of roles to be maintained ...os is there any way to do maintainance of all the roles at the same time....and generating all profiles in the roles at the same time....
  awaitng for ur reply....will give full reward for usefull answer

  Hi ,
  unfortunately there is no way in standard to bypass the manual work.
  IF SU24-values have been changed for a t-code, all roles that contain that t-code, have to be adapted manually and afterwards regenerated.
  The profile gets the status ' To adjust' until you have maintained the authorizations once and saved. Until then no mass generation (SUPC) will be able to regenerate thos profiles.
  Please consider enough time to adapt your roles during your test upgrade. A good idea is to adapt all roles to the new authorizations in a test environement and save them afterwards in a transport. AFter you have performed the upgrade in your productive environement, you can import then this transport and you don't have to perform this time consuming  'adaption-work' again in your p-environement....
  b.rgds, Bernhard

• Mass selection of roles in SU10

  Hi
  I have to remove lot of roles from 2000 users which have more than 20 roles in SU10.
  I am doing part by part by pasting 20 roles in SU10.
  Is there a way to select mass roles in su10 like the user selection.
  Thanks
  Baskar R

  > I have to enter every 20 roles in su10 roles tab. Instead of that,
  >
  > i want to paste entire 500 roles in one short in su10 roles tab.
  You want to assign 500 roles to each user!!!!!!! Did you think about the maximum number of profile assignment limit for each user id? If not, then i would like to request you to check the following SAP Notes:
  [Note 841612 - Maximum number of profiles per user|https://service.sap.com/sap/support/notes/841612]
  [Note 410993 - Maximum number for profiles and authorizations|https://service.sap.com/sap/support/notes/410993]
  [Note 511200 - PFCG/PFUD/SU01/SU10: Role assignment and profile comparison|https://service.sap.com/sap/support/notes/511200]
  Also, if you need to assign so many roles to each user id then it is missing the important topic SOD. Also the design is itself Incorrect.
  Regards,
  Dipanjan
  Edited by: Dipanjan Sanpui on Oct 22, 2009 3:21 PM

• Mass add BP role to BP

  Hi experts,
  Is there a way to add BP Role to business partners with no BP role assigned (just has BP General) .
  "Mass" transaction only allows change of BP role on BP which has atleast one BP role assigned.
  I want to add BP role Competitor for 100000 BPs.
  Please advice.
  Thanks

  If you know the LSMW you can create your own if not need to take their help,this is the easy method and which exactly match your requirement.
  Ram

• Mass Reprovisioning Business Roles

  Hello,
  I have a situation where we are updating 100+ existing business roles that are currently assigned to user for our next release of SAP. I am wondering, is there a way to update the business role via import template (add / remove roles) and then push the changes out to users on a mass level?
  We use the role methodology “provisioning” stage to push these changes under normal circumstance but with 100+ roles that would be quite cumbersome.
  I also know there is an option under Role Update > Authorization Data Sync, but that doesn’t appear to update the user assignment. Only authorization under the role. 
  Any suggestion would be appreciated!

  Business Roles concept and usability in GRC AC10 - Governance, Risk and Compliance - SCN Wiki
  the link above says that "update assignment" button will do the update and will be enabled when the business role has been provisioned at least once.
  I guess this is what you have already tried, but i can see your dilemma when you may have many business roles. I wish there was an option under the mass update functionality (unless I have not found it).
  maybe it's time to go to #ideaplace.

• Mass deletion of roles from users

  I want to delete all roles from locked users. Is there a specific transaction for this instead of SU10? In SU10 one has to enter the roles to remove.

  We developed our own application which locks users after a while, then removes their role assignments after a while, and then lists roles which no longer have any assignments or no one is using anything which the role authorizes.
  This way you can optimize / automate periodic controls.
  There is no standard monitoring cockpit for this, but you can use declaritive system params to destroy password based authentication.
  The real trick with periodic controls is to target the sample before you unassign and destroy roles, but the ability to do that depends on how you buikd the roles.
  Disclaimer: If you use composite roles then you have no chance. You are doomed.. ;-)
  Cheers,
  Julius

• ECATT to mass delete singles roles from a composite

  Hi,
  I am creating an eCATT to delete singles roles from multiples Composites roles. The eCATT takes the same position of the single role for each composite.  And of course the single role may differ per role.
  Could someone help?
  Thank you in advance,
  Yolanda

  HI Garcia,
  I didnot quite get your example as I am not familiar with the roles tables or transactions.
  But, if I understood ur requirement, you want to delete all those single roles (some specific role) from a list of roles.
  I am not sure how the transaction looks here, but a standard way of doing it is to record one execution of deleting the role using TCD or SAPGUI using the position button when available, entering the role name, selecting the delete button on the screen and then save.
  Now, when you check the database table for the number of occurances that this type of role is present, collect the count of the table into a local parameter and execute the earlier script of deleting multiple times using DO command.
  Select count from <tabname> where <role field> is <value> into <Local parameter>.
  and use the earlier script with in
  DO (<local parameter>).
          SCRIPT
  ENDDO.
  This ideally works. You can come back if u need any additional inputs.
  Best regards,
  Harsha

• Mass load of Roles to User ids - ESS/MSS

  HI all,
  We are implementing ESS/MSS in NW04, EP6 SP13 and want to find out if there is a way to load the appropriate roles to user assignments automatically? We will have 5,000+ users.
  Regards, Neeta

  Neeta,
  http://help.sap.com/saphelp_nw04/helpdata/en/7d/49ae0771924cf4a1fc7e2af7b2e18c/frameset.htm
  You need to do this from UserAdministration->Export.You can choose the details of the users you need to export.
  The text file you are using incase of importing users should look like this (below).
  uid=username
  group=groupname(if needed)
  email_address=
  first_name=
  last_name=
  department=(if needed)
  provide values for all these fields. all of them need to be seperated by semi colon.Repeat this for the no. of users you require.Once this text file is ready you can import it from UserAdmin-Import users.
  here give the path to this text file using the browse tab and then import.
  Please don't forget to reward points.
  Regards,
  James

• Mass Removal of Roles through SU10

  I have thousands of expired accounts that still have valid roles. I want to remove all roles from these expired accounts. In Su10 to remove roles do you have to list the roles you want to remove? Is there a function in SU10 to simply remove any roles these users have? In Su10 I tried checking the remove box and the change box but then when I execute it is not removing any of the roles when I look in SU01. So to actaully remove the roles does it require you to list them?
  Edited by: Alex Williams on Apr 23, 2008 3:13 PM

  Sorry I misread your post. I suppose there is a reason why you want to keep the expired accounts ? Otherwise the quickest way is simply to delete the expired accounts.
  You can use SU10, but you would need to list every role. You also have to make sure that the role dates encompass the dates of the roles that are assigned to the ids. Usually it is the start date - so you may want to put in a start date prior to even implementation to catch everything.
  Edited by: JC on Apr 23, 2008 9:47 AM

• GRC 10 Role Management - Mass Role Derivation

  Hi All - 
  Does anyone know if it is possible to propagate the authorization data from multiple parent roles to their relevant child derived roles in mass in GRC 10? 
  Using the standard 'Role Management -> Role Maintenance' feature you can propagate one parent role's auth data to all it's children derived roles; or alternatively if accessing one child role you can copy the auth data from the parent role.  Either of these options would require you to open each parent role or each child role to push/pull auth data from a parent role to a child role. 
  If this is not possible, it seems to leave a gap in the process of creating derived roles in mass?
  Via the 'Role Mass Maintenance -> Role Derivation' feature you can create derived roles in mass across multiple parent roles with multiple levels of derivation from each using Org Maps.  This will crate my derived roles and populate the organizational values only in PFCG. You can also update the derived role's org values in mass if they change by updating your Org Maps and using the 'Role Mass Maintenance -> Derived Role Org values Update' feature. 
  However these features do not propagate the non-org authorizations from the parent roles.  Without a way to push/pull the non-org authorizations from the parent to the child, creating all the derived roles in mass doesn't quite actually create usable roles. 
  I've noticed when propagating authorization on a one-by-one basis, GRC creates a background job "Auth Data Propagate".  I'm really just hoping there is a way to do this in mass and I am just missing the obvious.  I also know it would be possible via an eCATT script directly in SAP, but I'm looking specifically for options via the GRC tool.
  Thanks for the help!

  Nick -
  I actually just received a "final" response from SAP OSS support on this one.  Had a note open for the past 9 months or so where apparently the product management & development teams were discussing this issue.  The last update I received was about 10 days ago and essentially said this is not currently part of the tool:
  "This is an enhancement and is not currently supported. We will take it up in a future release. Please log this in the ideaplace under Access Controls"
  While I respect the decision, I can't necessarily say I agree that a "Mass Derivation" tool is working as intended if it cannot push / copy authorizations from a parent to a child role. If it can't create roles that are actually usable it would seem to be an issue with the current solution rather than a future enhancement imo. 
  The best workaround to this, is to utilize an eCATT script to go through all your derived roles you create in mass via GRC and have it go into PFCG and 'copy from' the parent authorizations and then regenerate the profiles.  That will give you actually complete & usable roles in a semi-automated fashion.

• How to generate mass roles in SUPC

  Hi All,
  I have to generate mass roles at one time. There are 3000 roles to be generated. I am using tcode SUPC to do this but when give the list of roles and click on generate button it is taking only one role.
  I am generating derived roles.
  Please advise..
  Thanks,
  Masood

  > I am generating derived roles.
  Perhaps Salman123 wrote a CATT to hit the "Adjust derived roles" function once, or dug deeper?
  If you have less than 50 roles and all standard and maintained authorizations you are better off using the delete menu and import from role option in my opinion. (make sure the root node is small and use redundancy compression).
  If you have more than 50 roles, then (shame on me...) try to keep them very small with only selected objects and use the option to delete their profiles completely and upload them on mass. Such roles are anyway usually best suited for BW systems and an entirely different concept (Analysis Authorizations).
  You can avoid derived roles completely this way.
  Cheers,
  Julius

• Mass Role Import of derived roles.

  Hi All,
  I am trying to mass import derived roles. I have created the files Bulk Download File, Role Expert Information File and Primary Org Level File.
  All these files are tab delemited text files.
  But when i am uploading, it gives me error on Primary Org Level file format is incorrect.
  Please suggest me on file format of Primary Org Level. We are on Role Expert 5.2.
  Format I am using is
  ROLE NAME<TAB>DERIVED ORG LEVEL<TAB>FROM VALUE<TAB>TO VALUE
  My To Value is blank.
  Thanks in Advance.
  Regards,
  Pravin

  Hi Alpesh,
  I was able to upload all the derived roles. What i found was that, there is a limitation on number of rows for primary org value file. It could be limitation of RE 5.2 SP9.
  Whenever, primary org value file use to exceed 500 rows, it gives format error.
  So, then i restricted the primary org value file within 500 rows & upload went smoothly.
  Now, there is one query.
  Is it possible, that all the roles which are uploaded can be set to phase generated.
  Please suggest.
  Thanks in Advance.
  Regards,
  Pravin