Transporting role with user assignments

Hi Gurus,
When we transport a role with user assignments, then in the target system the role will wipe out all the existing assignments and show the users in the original released request.
e.g. D->Q
In dev:
role-A has userA, userB
In QAS:
Role-A has UserA and userC
......after import of request:
the roleA will have userA and userB
What I have noticed is even if userB does not exist in QAS, the assignment will be reflected in AGR_USERS. A PFUD or user compare in a role does not remove the ghost entries. Is there any way to remove these inconsistencies?
I saw note 534010, which is applicable for UST04.
Thank you
Abhishek

Hi Matt,
Yes, I do agree this is not a best practice. However, for a particular requirement, we thought this was the best way to solve the problem. In fact, this was the first time I ever did this.
We have a role that needs to ONLY be assigned to every person in a particular team. With more than 30 systems present (out of the production landscape, just the testing systems), we thought this would be the only fast way out rather than going into each system and assigning this role. This would also ensure unassignment of this role from any other person too.
Any other alternative?
Thank you
Abhishek
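
The effect described in this thread (target-only assignments lost on import, and AGR_USERS rows for users with no user master record) can be listed from table exports taken before and after the import. This is an added example, not code from the thread; it assumes semicolon-separated exports of AGR_USERS (fields MANDT, AGR_NAME, UNAME) and USR02 (fields MANDT, BNAME), and the sample rows are constructed from the role-A scenario above.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data modelled on the post's role-A scenario in QAS.
# Assumed export layout: semicolon-separated, header row with SAP field names.
AGR_USERS_BEFORE = """MANDT;AGR_NAME;UNAME
100;ROLE-A;USERA
100;ROLE-A;USERC
"""
AGR_USERS_AFTER = """MANDT;AGR_NAME;UNAME
100;ROLE-A;USERA
100;ROLE-A;USERB
"""
USR02 = """MANDT;BNAME
100;USERA
100;USERC
"""


def load_assignments(text):
    """Return {(client, role): {user, ...}} from an AGR_USERS export.

    A user can appear several times for one role (different validity
    periods), so assignments are collected into a set.
    """
    result = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        key = (row["MANDT"].strip(), row["AGR_NAME"].strip())
        result[key].add(row["UNAME"].strip().upper())
    return result


def load_users(text):
    """Return {(client, user)} from a USR02 export (existing user masters)."""
    return {
        (row["MANDT"].strip(), row["BNAME"].strip().upper())
        for row in csv.DictReader(io.StringIO(text), delimiter=";")
    }


def import_report(before_text, after_text, usr02_text):
    """Compare role assignments before and after an import.

    For every (client, role) it lists:
      removed - users who lost the role through the import
      added   - users who gained the role through the import
      ghost   - users assigned after the import with no row in USR02
    """
    before = load_assignments(before_text)
    after = load_assignments(after_text)
    users = load_users(usr02_text)
    report = {}
    for key in sorted(set(before) | set(after)):
        client, _role = key
        old, new = before.get(key, set()), after.get(key, set())
        report[key] = {
            "removed": sorted(old - new),
            "added": sorted(new - old),
            "ghost": sorted(u for u in new if (client, u) not in users),
        }
    return report


if __name__ == "__main__":
    for (client, role), diff in import_report(
            AGR_USERS_BEFORE, AGR_USERS_AFTER, USR02).items():
        print(client, role, diff)
```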

Similar Messages

  • Moving roles with user assignment

    Hi There,
    Need your help...
    We have roles and users created in QA for training, now we want to move roles from QA to Production with user assignment.
    Users that are created in QA for training have also been created in Production, is it possible to move the roles from QA to Production with the user assignment.
    Thanks and Regards,
    Azher.

    Table PRGN_CUST doesn't contain any entries, it's an empty table in QA.
    USER_REL_TRANSPORT entry with value NO locks system from TR imports with User assignment. So you have to ensure your target system-Production does not have that entry in PRGN_CUST.
    TR is getting created in Local change request which cannot be moved to Production.
    These TR requests are created in Local Change request only when you do not specify a target system/group. All you need to do is specify the "Target" while creating the TR in PFCG (subsequent screen after you hit Create request) and release your TR via SE10. Once released, the TR would be added to the import queue of Production. You/your Basis team can import it manually via STMS_IMPORT (Extras>Other requests>Add TR and CTRL+F11 to import). If there are any errors please have Basis team review the transport logs.
    P.S:  You can only transport direct user assignments of roles via PFCG transport option described in my post. In case of indirect user assignments that were created using Organizational Management (HR-Org), you will have to use transport functionality in Organizational management.
    Thanks
    Sandipan

  • Restrict Moving roles with user assignment

    Hi There,
    Need your help...
    How to restrict moving roles from dev->QA with user assignment. (want to disable the user assignment restriction)
    Thanks and Regards,
    Gnanaprakasam

    Unfortunately this is not the default installation setting, so you need to go into the security settings customizing and change the USER_REL_IMPORT switch to 'NO'.
    This does however NOT make the checkbox disappear in the transport source system. It prevents the import in the target... so you must set it and transport it there first, then it works.
    Cheers,
    Julius

  • Transport roles (with assigned group) containing folders and iviews

    Hi,
    This message was in the BI forum before and I think that it suits here better.
    I created a portal role which is contained in a folder X under Portal Content. This portal role is associated with a particular ABAP menu-role by means of Assigned Groups. When I transported the folder X with all dependent objects from Dev to QA, the portal role appeared but the Assigned Groups is empty. In other words, the association between portal role and the ABAP menu-role could not be transported. How can Associated Groups in a Portal Role be transported?
    Then I also tried to do the following steps:
    1. Export and import portal contents which include the whole structure with folders, roles and iviews under each role.
    2. Export and import the same roles as user management data
    The result from 1 was that the whole structure including the roles is imported; however none of the portal role contains the associated assigned group.
    The result from 2 was that the UME roles with assigned group are imported as separate objects.
    Now, the same role appears both as portal role without assigned group and the UME object with assigned group. But, there is no connection between 1 and 2. That means that I cannot use 2 anyway.
    Therefore, I still have to manually modify 1 with assigned role once again after importing step 1. Is there a way to import 1 with the associated assigned group without any manual modification?
    Thank you in advance for any helpful advice.
    Best regards,
    Zabrina

    hi,
    check the following threads
    http://help.sap.com/saphelp_nw04/helpdata/en/6d/7c8cfd410ea040aadf92e1f78107a4/frameset.htm
    Re: Transport management in BW 2004s
    let me know if you need any further info
    bvr

  • Fail to create roles with users in LDAP

    I installed and configured two Directory Services one for AM and one for identity. I created an LDAP Data Store for the root realm and can see the LDAP users in the Subjects->User tab in AM. I can create Subjects->Groups and add LDAP users successfully, but I cannot create Subjects->Roles with LDAP users. I get the following error:
    Plug-in com.sun.identity.idm.plugins.files.FilesRepo: Unable to find entry: C:\SFU\app\ironscale\amserver\idRepo\user\awhite
    Any ideas? I also found it odd that my new Group was created in the FileRepo under idRepo/group. I thought it would have been written to the AM DS.
    I deleted the flat file Data Store and the Group/Roles tabs disappeared. Must I import additional LDIFs to my LDAP Identity DS to store roles and groups in that DS?

    Update.
    I deleted LDAPv3 Plug-in Supported Types and Operations values group, user, and role, based on Sun's Access Manager training class examples. I re-added them and deleted the File Data Store and groups now get created in the LDAP Identity repo. However when I create a role and add users the operation successfully completes. But I cannot find the roles using an LDAP browser. I can grep the role name from the LDAP database and the roles remain after restarting the db and AM. It appears AM is adding roles in a way other tools cannot see them.

  • Room role to user assignments

    Hi,
    Can anyone tell me where the user to collaboration room role assignments are stored? UME? KM? Portal DB?
    It would really help me understand the room architecture. Also if a user gets deleted out of our LDAP (not via the portal) I would like to be able to make sure they do not have any "old" room roles assigned to them.
    Thanks in advance,
    Simon

    Hi
    We are having EP6.0 with MS-AD UME.
    Now after changing from one LDAP to another, some users are displayed as LDAP IDs in the rooms while some are not. They are displayed properly with name itself.
    Why is this so? Is this because they have been deleted in the LDAP but not in the room, something like that.
    Any help on this would be appreciated
    Regards
    Vineeth

  • Single role that belongs to composite role with user

    HI,
    Is there an option when users belong to a single role and also belong to composite roles (that include the single role)?
    BR
    Nina

    Is there an option when users belong to a single role and also belong to composite roles (that include the single role)?
    Single role is created by PFCG where you assign the role name and save it as a single role, and then after the t-codes have been provided the user is assigned accordingly
    Composite role is the same, just it contains many roles in one, and similarly the user is assigned
    Thx
    Mysterious

  • Transport roles and analysis authorization with user assigned

    Hi expert,
    I am facing this problem transporting roles and analysis authorizations with users assigned. I have created a transport request to move the roles and analysis authorizations from the development system to the test system. I couldn't maintain the user assignments; after transport I have to assign all of the users manually or create a program to fill the AGR_USER table, or is there another way?
    Thanks for your time,
    Luis

    Hi,
    In role administration, you have the following options for transporting roles:
    You can download the roles from one system and upload them into another  
    You can import the role from a remote system using RFC  
    You can transport the roles with the transport function.
    Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
    Transporting Roles with the Role Transport Function
    1. Start the role administration function by choosing Tools → Administration → User Maintenance → Role Administration → Roles (transaction PFCG).
    2. Enter the role to be transported and choose Transport Role.
    The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
    You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
    For more information go through the below link
    http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
    Regards,
    Marasa.

  • Mass load of Roles to User ids - ESS/MSS

    HI all,
    We are implementing ESS/MSS in NW04, EP6 SP13 and want to find out if there is a way to load the appropriate roles to user assignments automatically? We will have 5,000+ users.
    Regards, Neeta

    Neeta,
    http://help.sap.com/saphelp_nw04/helpdata/en/7d/49ae0771924cf4a1fc7e2af7b2e18c/frameset.htm
    You need to do this from UserAdministration->Export. You can choose the details of the users you need to export.
    The text file you are using in case of importing users should look like this (below).
    uid=username
    group=groupname(if needed)
    email_address=
    first_name=
    last_name=
    department=(if needed)
    Provide values for all these fields. All of them need to be separated by semicolon. Repeat this for the no. of users you require. Once this text file is ready you can import it from UserAdmin-Import users.
    here give the path to this text file using the browse tab and then import.
    Please don't forget to reward points.
    Regards,
    James

  • Report to see list of roles with no user assignment

    Hi Gurus,
    I need to know the transaction/report where I can see the list of roles which don't have any user assignment.
    Pls help me

    Hi,
    To search for roles with no user assignment you can run the report RSUSR070. After executing tcode SA38, enter the name of the report in the program field and click the execute button. You get Roles by Complex Selection Criteria; then scroll down and, in the selection according to user assignments, select "without user assignment", then click the execute button. You will get the roles with no user assignments.
    Thanks and regards

  • Transported Roles not Visible for the User Log-in

    I have three roles in the development system.  These roles show up in the top level navigation for the users in the dev system.  All these roles and the underlying BSPs are transported to QA successfully.  I could assign them to users without any problems, but when the users log-in they can not see any of these roles at the top level navigation (In fact, they just get a blank screen).  "Entry Point" setting and "Sort Priority" is maintained for all the three roles.
    As a test, I created a new role with the same BSP links in QA itself and assigned it to the users.  This shows up in the top level navigation for the users.  I am wondering what's wrong with the transported roles!  If someone could help me here that would be great and I will assign points to helpful replies.  I have a very basic knowledge in portal.

    After applying SP12 in the portal landscape (EP 6.0), the role transports only work in our test environment, but not in production.  Even the manual corrections suggested in OSS note 1002832 didn't help.  I can preview all the iviews in the roles with my user id (admin id), but as soon as I log-in with the end user id nothing shows up [Not even the top level navigation tabs show up].  The following is the portal authorization methodology I chose.
    1. I assign users to the user groups
    2. I assign user groups to the roles
    I want to emphasize that all is well in our test environment, it is the production environment that shows inconsistency.  Let me know if anyone has any pointers.

  • Assign single role to composite role with alternate logsys assignments

    Dear gurus,
    In a moment of weakness I created a composite role (shame on me) and then noticed something about them which I had not noticed before... -> I was in a CUA master system and in the composite role I noticed that on the (single) roles tab of it, there was a field called "logical system". But it is greyed out.
    Now composite roles from the child logical systems are known to the CUA master system and have a logical system assigned by the text comparison. Assigning the composite in the master system will assign the composite in the child system and that assigns the local single roles in the child system as well -> so far so good and by the book.
    But is there some way to assign a composite role to a user in the master system which is assigned also to the master system, but the single roles of that composite have logical systems which differ from the logical system of the master system? So basically the field is not greyed out in the central composite roles and this composite role then represents an assignment beyond logical system boundaries - much like a "business role" in IDM.
    Has anyone ever done that before and survived? Any pros and cons? Is it at all possible what I am seeing here before my eyes (bar that the field is greyed out)?
    Cheers,
    Julius

    Hi Martin and others,
    I experimented a bit further with this, albeit rather unsuccessfully from the view of useful results.
    While the "target system" field is intended for navigation to the corresponding trusted RFC connection, it is also possible to turn the user menus off. So such a remote role is not going to go anywhere in navigation. If additionally the CUA is active and you create all the target system single roles in the CUA master system as well and assign them to the "target" they are intended for... then the single role menu is transferred to the child system which the role has as a target. But only the menu, and leaves the role in the target as status red. That also means it is only useful for component neutral roles.
    Now comes the hack: If you create a composite role in the master system with local single roles as well but the single roles are assigned to "targets destinations", then when assigning the user to the composite role in the master system, then it also assigns the single roles in the target systems to the user as well as the local system (the master as a child of itself). So it is in fact a halfway business role in the IDM sense, with some naming convention strings attached.
    You also don't see this in the code of SU01, as the USERCLONE Idoc processing seems to be the guilty one to also send additional Idocs for these single roles with targets assigned to the roles and not the user.
    There is only one major show-stopper in the design of the thing: You can only assign 1 target RFC connection to a single role in the central CUA master system but have to maintain the roles in the target logical system still. That means that roles must be maintained logical system specifically. That also means that you have to maintain the roles directly in production and have a completely different set for development and never transport any roles. They are as unique as their CUA master system "target destination" value and that is the logical system name as well.
    That is a bit of a bummer because it means that you also cannot ever test anything...
    Did anyone ever try to actually use this?
    Cheers,
    Julius

  • Assignments to collection with user groups seems to be failing

    We have a collection with users and a collection with groups. We assign a simple application to a collection with users, that seems to be fine, we can see the app in the application catalog. We then assign the same app to a collection with just a security group in the collection, the members of that security group cannot see the app in the application catalog.
    I am trying to trace what the server does when the request user policy comes in, to see if there is a disconnect between the assignments and the members of the group.
    Any ideas how to debug/troubleshoot this issue?

    Hi,
    Some troubleshooting tips for client communication to the Application Catalog:
    Ensure that the Configuration Manager client is successfully assigned to a site and operational by checking LocationServices.log and ClientIDManagerStartup.log.
    Verify that the client can communicate with the management point. For example, check out any HTTP errors in the CcmMessaging.log file.
    Check the LocationServices.log file for any errors during the time you browsed to the Application Catalog. One typical reason for Application Catalog failures in this log is client communication failures to the management point, indicated by the following error: “Failed to send web service info Location Request Message.” In this case, verify that the management point is operational and reachable from the client computer.
    If you have recently installed the Application Catalog roles, the configuration on the site system server might take some time to complete. If you have a central administration site, make sure that sites are replicating successfully. In this scenario, information about the Application Catalog roles must replicate to the central administration site and then back to the primary site before the Application Catalog is fully operational. For example, until the replication is complete, users will not be able to request or install applications from the Application Catalog.
    Ensure that the domain and user name that is displayed in the top right corner of the Application Catalog matches the user that is logged in to Windows, especially if Internet Explorer prompts the user for credentials.
    Ensure that any required Internet Explorer plugins are enabled and not explicitly blocked in Internet Explorer. For more information, see Prerequisites for Client Deployment in Configuration Manager on TechNet.
    If you have configured client settings to add the URL to the trusted sites and the URL is not added to the trusted sites zone, check whether the client successfully downloads client policy and also check group policy settings in your environment to ensure that the Configuration Manager client can add the URL to the trusted sites zone.
    If the Application Catalog shows an error page, the error will also be displayed in the ConfigMgrSoftwareCatalog.log. You can find the log file by searching the user profile folder. For example, in Windows 7, you can find the log file inside the following folder:
    %systemdrive%\Users\<username>\AppData\LocalLow\Microsoft\Silverlight
    For more information, please review the link below:
    Tips and Tricks for Deploying the Application Catalog in System Center 2012 Configuration Manager
    http://blogs.technet.com/b/configmgrteam/archive/2012/07/05/tips-and-tricks-for-deploying-the-application-catalog-in-system-center-2012-configuration-manager.aspx

  • How can I remove users assignments on role import?

    Hello,
    I am importing a role that already exists in the portal in order to change some of its assignments. Overwrite is also checked.
    The problem is that if I want to add something to the existing role it is updating but if I want to remove something it is not. For example, I am overwriting a role which has users assigned to it and I would like to remove these assignments at the new import.
    I tried importing it without user= like this:
    [role]
    rid= myRID
    rdesc= myDesc
    group= myGroups
    And also with user= only, like this:
    [role]
    rid= myRID
    user=
    rdesc= myDesc
    group= myGroups
    Yet the users are still assigned to the role.
    Of course I can manually remove the users from the role using the Identity management options but the thing is that I have more than 100 roles that I need to remove the assignments from them and I don't want to do it manually.

    Hi Roy,
    you are partly right. In case of content mirroring the new role would be a delta link to the old role. I assume that when you delete the old role the connection to the original objects will be broken. There is a nice comparison of copy/paste and content mirroring in the SAP Library (http://help.sap.com/saphelp_nw2004s/helpdata/en/ed/fd25c7c14c4094a9fbb19851d79dd1/frameset.htm).
    However, keep in mind that you could always re-create the role manually.
    Alternatively you could have a look into the How To Guide regarding the XML Content and Actions (http://help.sap.com/saphelp_nw2004s/helpdata/en/93/28f999daa6434a845da6bf9ab5072c/frameset.htm) upload. It sounds promising.
    You will find the How To Guide located at service.sap.com/nw-howtoguides  => Portal, KM and Collaboration => Portal.
    Best regards,
    Martin

  • Unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest

    unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest

    Hi,
    For SU01 role removal, you do not need S_USER_AGR with 02, and as you mentioned both authorizations available in production, if so trace should not show you the S_USER_AGR with 02 with RC=04.
    I would recommend doing a role comparison for the user performing the activity, and then checking whether you have the S_USER_AGR with 02 in the user buffer (SU56).
    But ideally it should not ask you for S_USER_AGR with 02 through SU01, so please take the help of an ABAPer to debug it.
    Also put trace in non-prd to see if S_USER_AGR is getting checked with 02 for removal through SU01.
    BR,
    Mangesh
