11.1.1.3  Dropping users from groups during EPMA migration

Similar Messages

• How to drag and drop user from one node to other node.

  Dear All,
  How to drag and drop user from one node to other node.I tried but no success.
  What are precautions to be taken.
  Cay anybody kindly explain it.
  Thank you.

  Hello, if you had this message you had created BP....
  Now you don't have to user USERS_GEN this transaction is used only in first action, when you create the user in R/3 and then you pass this user to EBP in the organizational structure.
  Now you have to:
  1) Go to PPOMA_BBP
  2) Double click on organizational unit that you want to put this user (purchasing organization or purchasing group box for example)
  3) Select assign button in the top of the functions in the transaction
  4) Click on incorporates -- position
  5) Put userID that you want to add in this organizational unit
  6) Click Save
  Thanks
  Rosa

• CSSImport Utility - Remove Users from Groups

  We have a security group that has a few hundred users assigned to the group. When there is a need to remove a user from the group it is difficult to find the user as I have comb through the list to find the user i am trying to remove. Two questions: is there a way to sort the users in the group in Share Services? The second question is can users be removed using the CSSImport utility by specifying the "delete" option in the importexport.properties? Does the "delete" option remove the user from the secuity group and or does it delete it completely from ShareServices? (we are using Hyperion v9.3.0.1.0 Build 5)

  Hi,
  I am not so sure about the sorting but removing users from groups can be done with the CSSImportExport utility, I see you are on 9.3.0, try and get hold of the 9.3.1 version as it is backward compatible to the 9.3.0 version and more stable.
  When removing users from groups, just set your import operation to update
  import.operation=update
  and in your import csv just put the group children elements and the users you want in the group.
  #group_children
  id,group_id,group_provider,user_id,user_provider
  TestGroup,,,UserToKeepInGroup,Native Directory
  This way it will keep the users in the import file and remove the users from the group that are not in the file, also it does not remove the user from shared services only from the group.
  Ok?
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Can i recovered dropped users from Flash Back Database

  I am having confusion on step by step process for Recovering dropped user from Flash Back Database or from RMAN.
  And Which case we will use Flash Back Database or RMAN?

  1) Restore database (PITR- Point In Time Recovery) until the schema was dropped.
  RECOVER DATABASE UNTIL SCN XXXXX;
  2) If you only want a table:
  flashback table XXXX to before drop;
  3) Flashback database (if you have flashback on):
  FLASHBACK DATABASE TO SCN XXXXX;
  or
  FLASHBACK DATABASE TO TIME "TO_DATE('XX/XX/XX','MM/DD/YY')";
  You have some examples at documentation:
  http://docs.oracle.com/cd/B28359_01/backup.111/b28270/rcmflash.htm

• Remove user from group with MaxL

  hello,is it possible to remove a user from all groups he belongs to without knowing these groups?I want to execute a command such as "alter user my_user remove from ALL_GROUPS;"thanks for your help/

  Not sure if it's feesible, but you could use the 'drop user' command to remove the user from the system, which would of course remove them from all groups, then use the 'create user' command to recreate the user and reassign them to the proper groups.Good luck

• How to assign users to group during upload ?

  Hi all,
  we have to upload a lot of users into our EP6.
  according to the documentation it is possible to assign those users to roles during the upload, but we want to use Group-Assignments instead of directly assigning roles to users.
  Is there any possibility to assign groups instead of roles during a user-upload ?
  The doc shows in the Standard-File-Format" the parameters <namespace>:<name> , may those be used for this purpose, when yes, then how ?
  Thanx for any hints...
  Stefan

  Hi,
  do you mean uploading role-group assignments or user-group assignments?
  User-group assignments can be uploaded using the following format (extraxt from UME documentation - section: Standard Format):
  [Group]
  gid=HappyBuyers
  gdesc=This is a group of all satisfied buyers
  user=MarcPeters;JackSmith;Alan_Fox
  Make sure that you upload the groups in a second step after you have already uploaded the users. The userIds you name in the property "user" must exist.
  For uploading role-group assignments I don't know a way but usually you so not have that many ...
  Best regards,
  Oliver

• Block users from retrieving during manual calculation

  Hi Everyone,
  I am wondering if anyone knows how to block users from retrieving or pulling in Essbase while a calculation is running manually in EAS. We have a currency conversion calculation that manipulates the data for several minutes. Users who pull the data see erroneous data for some time and it becomes an issue.
  Thanks,
  Mark

  You would have to log them out, then disable connects while you run your script. You could execute maxl commands from EAS.

• Removed user from group, user no longer has access to documents even though user is owner of documents

  I'm running a server 2012 std domain and I'm in the process of rebuilding our fileserver after we had some pretty serious permission issues. Bad permissions (Everyone had full access to user documents share) were migrated when we move to the new server and
  then by some strange Monday morning freak out all users lost access to their documents. I restored from backups, redirected everyone's folders back to local computer and started to reconfigure the share permissions. I moved our administration group back to
  the server after securing proper permissions for folder redirection (permissions copied from https://technet.microsoft.com/en-us/library/jj649078.aspx?f=255&MSPPError=-2147217396 table 1, only difference is instead of creating a new security group
  for redirection users, I used the everyone group) to test and everything went perfectly. The GPO created the users folders under the root and redirection was good to go. Along with that, other users cannot access other users documents anymore which was the
  intended outcome. 
  Last night I was looking at security groups and see that our administration group (back office group: accounting, HR, etc..) was a member of the domain admins. I removed them from the domain admins group and added them to the administrators group (they do
  need regular admin access) then went on like normal. This morning, all users in that group can no longer access their documents on the server. I immediately think that permissions were broken again and started to get angry, but then realize that all the files
  are still accessible on the server (no lost permissions like before) and the user is still shown as the owner with full permissions, but the files are inaccessible to those users. I re-added them to the domain admins group, logged out, logged back in and documents
  are back and accessible by the user. Remove them from the domain admins group, log out, log back in and the documents are inaccessible again. Re-add to the domain admins group and back to normal. 
  Which leads me to now. If the users are part of the domain admins group, they have access to their files. If they are removed from the domain admins group, they lose access. When they lose access, they are still the owners of the files/folders with full
  permissions, yet they can't access their documents. Also, just to add, the domain admins group has no specified permissions on the files or folders. See screenshots below..
  Here is the root share. 
  And the user's desktop folder. The folder is owned by the user with full permissions. This is the folder the redirection GPO created.
  Any ideas why removing the group from domain admins would drop access to their files? They are still the owners of the files and should have full access but they don't. Is there something I'm not seeing here?

  Effective Access shows the user has full control of the Desktop folder
  This is a problem with the Effective Access tab when using CREATOR OWNER.  As you have noticed, the user doesn't really have the access that the tab says it does.  This is because of how CREATOR OWNER works.
  CREATOR OWNER is only evaluated when a file/folder is created. 
  IF a user can create a file/folder, then the permissions assigned to CREATOR OWNER are copied to a new permissions entry for that user.
  To see this:
  Logon as an administrator and create a file in the Desktop folder in your screenshot.
  Examine the permissions of the new file.
  You'll see that there is a new entry for the account you logged on with.
  CREATOR OWNER is gone.  CREATOR OWNER would still be there if you created a folder (because of "subfolders and files").
  In the Desktop folder (in your screenshot), only SYSTEM and Administrator can create/access files.
  To fix this, you need to grant the users the ability to list the directory contents and create new files/folders.  This corresponds with the suggestion of Table 1 in the document you found.
  I see what you're saying about Administrators domain group. I'll just add them as local admins via GPO and that should solve that issue. 
  No, scary!  This will grant those users administrative permission on your server.  They will be able to see any file anywhere on that server.
  If your goal is to provide a place that is private for each user, then the simplest approach is to grant each user permission to their own folder.  Like this for Test User:
  Notes for above:
  I set the user's permission to Modify because there is no good reason why the user should change these permissions
  The owner of this folder is unimportant.  I leave it set to Administrators
  You can, and I do, remove CREATOR OWNER.  It adds no value in this situation and just causes confusion.
  As for the second screen shot, the *-Admins folder is the root to which Everyone has special permissions on and can create folders. The folder for M* was created by the GPO, which makes M* the owner to which they have Full control of subfolders and files.
  The GPO also created the Desktop folder, giving owner full permissions of subfolders and files. Inside the Desktop folder, permissions remain Full control for owner for subfolders and files. Even if it was the case that they only had permissions on subfolders
  and files, wouldn't each subfolder under that one be considered a subfolder and file of the top folder?
  If this works as you say, then Yes, it should work.  But, I don't see the entries for use M*.  Remember, there should be entries for the M* user that is a duplicate of CREATOR OWNER.
  I suspect that Group Policy is creating the directories (elevated) and then changing the owner to M* afterward.  This does not duplicate the CREATOR OWNER entries as needed.  If this is the case, I consider it a flaw because your permissions do
  not allow user M* to create files/folders, and group policy shouldn't bypass security.
  I'm not saying your wrong, I'm just curious why the technet article would advise Creator/Owner giving full control of subfolders and files only if that were not correct. I can add the permissions for the users easily, I just don't see why I need to give
  explicit permissions to access something when the GPO created those folders for me, which Microsoft recommends you allow. If the GPO can create folders and the folders are owned by the user, then the user can obviously add/create/modify/view those files and
  folders. 
  When I restored the data, no permission were reset. Permissions were restored to the wonky version where the Everyone group has full access to everything. Ownership of the files/folders remained the same.
  A couple things:
  The article instructed the use of Folder Redirection Users group that had permissions to create files.  Your examples didn't have that.  Because of this, your user could create new files.
  The article assumes that the directories you are creating will be empty.  Existing files will be unreadable to everyone except Admins.
  If you follow the directions in the article, then anyone in the Folder Redirection Users group can write files to anyone else's directory.
  One benefit of the document's approach is that all the users could be redirected to the same folder using the article, and it would work.  A benefit, I guess.
  But, I like my user's separate and unable to see each other's files -- at all.  This is why I recommend replacing CREATOR OWNER with the specific user.
  I believe this document is a "how to get it done" document, not necessarily a best practices document.  I see it as a starting point, and that's why I didn't follow it exactly.
  Lastly, CREATOR OWNER permissions are useful but confusing.  I avoid them unless I have the rare circumstance where they are perfect.
  When I restored the data, no permission were reset. Permissions were restored to the wonky version where the Everyone group has full access to everything. Ownership of the files/folders remained the same.
  To summarize:
  In the user's directory, you need to provide permission to list and create new files/folders, and you need grant the user permission to the existing files.
  -Tony

• To remove user from Group

  I created a new user account from SSH connection to our cluster. The user belongs to two groups by default: nobody and wheel. I tried to delete him from the two group by using dscl command, I got the following error:
  /NetInfo/root/Groups > delete wheel GroupMembership ryan
  <main> attribute status: eDSAttributeNotFound
  /NetInfo/root/Groups > read wheel
  AppleMetaNodeLocation: /NetInfo/root
  GeneratedUID: ABCDEFAB-CDEF-......
  GroupMembership: root
  Password: *
  PrimaryGroupID: 0
  RealName: System Group
  RecordName: wheel
  RecordType: dsRecTypeStandard:Groups
  SMBSID: ......
  I would like to know how to remove him from the two groups. Thank you very much.
  Apple Cluster   Mac OS X (10.4.3)  

  I had to update the code to the following because Get-SPUser was not working properly:
  $url = "https://sharepointdev.spfarm.spcorp.com/sites/desitecoll"
  $userName = "spfarm\spprofileimport";
  $site = New-Object Microsoft.SharePoint.SPSite($url)
  $web = $site.OpenWeb()
  $siteGroups = $web.Groups;
  Clear-Host
  $mySiteGroups = @();
  foreach($group in $siteGroups)
  Write-Host $group
  $mySiteGroups += $group;
  }#foreach
  $members = $web.Groups[$mySiteGroups[0]];
  $owners = $web.Groups[$mySiteGroups[1]];
  $visitors = $web.Groups[$mySiteGroups[2]];
  #Convert the user name to an SPUser account
  $spUser = $web.Site.RootWeb.EnsureUser($userName);
  Write-Host $spUser.ID
  Remove-SPUser -Identity $spUser -Web $url -Group $owners
  $web.Update();
  $web.Dispose();
  Write-Host "User " $userName "removed from " $owners
  Was I not using Get-SPUser correctly?

• Getting error while removinf user from AD group

  Hi,
  In AD User process definition, there is a default taks called :Remove user from Group. This task runs after another task called Organization Name Update . Whenever, an user is moved from one org to another org, his organization gets updated in AD user form and this task"Remove user from Group" runs. The work of this task is to remove the user from old groups. BUt the task is getting rejected and i see the below error in log files.
  11/07/04 00:24:17 Data AccessException:
  11/07/04 00:24:17 com.thortech.xl.orb.dataaccess.tcDataAccessException: DB_READ_FAILEDDetail: SQL: select UD_ADUSRC_GROUPNAME from UD_ADUSRC where UD_ADUSRC_KEY = Description: ORA-00936: missing expression
  SQL State: 42000Vendor Code: 936Additional Debug Info:com.thortech.xl.orb.dataaccess.tcDataAccessException
  at com.thortech.xl.dataaccess.tcDataAccessExceptionUtil.createException(Unknown Source)
  at com.thortech.xl.dataaccess.tcDataBase.createException(Unknown Source)
  at com.thortech.xl.dataaccess.tcDataBase.readPartialStatement(Unknown Source)
  at com.thortech.xl.dataobj.tcDataBase.readPartialStatement(Unknown Source)
  at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
  at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
  at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
  at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
  at com.thortech.xl.adapterfactory.events.tcAdpEvent.getChildTableFieldValue(Unknown Source)
  at com.thortech.xl.adapterfactory.events.tcAdpEvent.getRunTimeValue(Unknown Source)
  at com.thortech.xl.adapterfactory.events.tcAdpEvent.getRunTimeValue(Unknown Source)
  at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADREMOVEUSERFROMGROUP.implementation(adpADREMOVEUSERFROMGROUP.java:48)
  If anybody knows the solution for this then plz let me know.
  Thanks,
  Kalpana.

  I think the mappings and all would be correct. Here is what Kevin meant:
  - Let's assume the AD user account is a part of GroupA, GroupB and GroupC
  - Now on Change Organization completion if you invoke Remove user from Group then the adapter/process task has no way to know that which 3 of those groups has to be removed (or all 3 for your case)
  - Alternatively if you use API's to remove the group then this task would be invoked by the original OIM process/triggers and so the actual value would be known to adapter/process task.

• How to Remove User from Built in Administrators group With Group Policy Enabled

  Hi,
  I want to remove user from Administrator group which is in restricted group. So I cannot remove him through Active Directory what is the way to remove user from Administrator restricted group.
  Thanks
  Jibran Ishtiaq

  > Disable Group policy
  "Edit", not "Disable"
  > Under Domain click Delegation and went to the restricted group account.
  > Remove User from group.
  Why "Delegation"? Simply edit the GP object where the "Restricted
  Groups" setting is in place...
  > Also we have two DNS but one from where I remove account is the primary.
  How is DNS related to group policy?
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Maxl statement (display user in group all;) is not working.

  Hello,
  Hyperion version 9.3.1 upgraded to 9.3.3. Not sure the below issue is because of this
  I have an interesting issue with a maxl statement : "display user in group all;". When I execute this statement through command prompt doing essmsh, it does give out any records and also doesn't end. I will have to end it with ctrl+c.
  When I execute it through EAS console, then EAS console just hangs.
  But, if I try to retrieve the users from groups individually ( I mean "display user in group 'examplegrp';"), then its working fine and throwing out the records.
  It is giving me a hard time and my dumb mind not able to figure it out.
  Any ideas please?
  Thanks

  Hi CL, Yes I ran it on the Essbase Server. We actually set it up through a scheduled batch script which was perfectly fine till last month (I guess). We noticed this just a week ago. The only change we had in our environment is that we upgraded 9.3.1 to 9.3.3 recently. Not sure whether it is making any difference.
  Thanks,
  KK

• Remove users from Shared Services/ EPM

  Gurus
  I have some users who have gone to different department and some who are no more with the companies. I was just wondering if there is a script I can run in the EPM Environment/ Shared Services to remove users and the provisioning in bulk.
  Thank you for your response.

  Hi John,
  I got it.
  What I did was that I exported the GROUPS under APPLICATION GROUP -> FOUNDATION > SHARED SERVICES -> NATIVE DIRECTORY -> GROUP. Created a CSV file and deleted the user and then imported back again.
  This is how it works right?
  ALSO, can I totally erase the user. The above process deleted user from group. But if I need to delete the user overall from everywhere in the EPM app, is there a way to do so?
  OR do I need to ask the server team to remove the user from MSAD.
  Thanks

• Command Line - Remove user and group updates

  I am remote at the moment and not able to access the GUI on a number of OS X server boxes. How do I remove a user and the user from group via the command line.
  Thanks

  I am remote at the moment and not able to access the GUI on a number of OS X server boxes. How do I remove a user and the user from group via the command line.
  Thanks

• Can you authenticate users from 2 different AAA-servers for one specific tunnel-group?

  I need to authenticate users from two separate AD LDAP databases on the same tunnel-group. I would like them to use the same tunnel-group and thereby using the  same group-alias. I tried creating a new aaa-server group and putting both LDAP servers into group but apparently the ASA does not roll through the separate servers in the aaa-server group and will stop if the first server states that the authentication failed.
  I also tried assigning multiple aaa-server groups into the tunnel-group authentication-server-group but that also did not work. I finally tried to create a separate tunnel-group and assigning it the same group-alias but the ASA will not allow me to assign the same group-alias to different tunnel-group. What is the best way to accomplish this without having to create a new group-alias that will show up and possible confuse the dumb users requiring this access? Please help.

  If you don't want ANY drop down I believe you can do it in a kludgy sort of way.
  Eliminate all the group aliases (which are used to populate the dropdown) and make a local database of the users for the sole purpose of assigning / restricting them to a non-default tunnel-group which authenticates to the secondary LDAP server. 
  You can also send out a non-published URL that points to a second tunnel-group not in the dropdown.
  Of course, we can accomplish this if the AAA server is ISE. ISE 1.3 can authenticate users to multiple AD domains (with or without trust relationships) or a single domain with multiple join points in the Forest.
  The ISE answer makes me wonder - could you establish trust between the domains and authenticate users that way?