Accessing Users In NW Roles from MII

Similar Messages

• SAP user assigned with roles from HR-ORG incorrectly

  Hi All
  I have an issue where a SAP user appears to be receiving role assignments from some HR-ORG object erroneously.
  I have checked the user's HR positions and organisational assignments and they do not have any roles assigned.
  I also checked the job and no roles are assigned there as well.
  Where could these roles be coming from if they are not coming from the position or org unit?
  User currently has direct role assignments in SU01 except for 3 roles which appear as indirect assignments (HR assignments) in SU01.
  Is this is a bug and is there a note to fix it?
  Please could someone let me know why this is happening.
  Thanks
  Ran

  Hi Colleen.... Thanks for your email.
  Please see below screenshot, it is an Org assignment but single roles also belong to composite roles.
  PBS is not meant to be active and PFUD is scheduled as a daily job. CUA is not active here.
  User is assigned to a position and org unit but roles are not provisioned via the Org/position. So there is a 0105 mapping, I have checked those positions and org units but no roles are assigned there.
  Basis release 731 and level 0005, SP - SAPKB73105.

• Restiction on SAP Lumira user with BI_DATA_ANALYST role

  Hi,
  Is there an option to disable the SAP Lumira user with BI_DATA_ANALYST role from loading the Excel data into SAP Hana?   We would like the user to be able to create story boards and publish it on SAP LUMIRA server using HANA views but not allow him to load any flat file data.
  Thanks,
  Lakshmi

  Manish - if you are on BI4 there is no need for the SAP Integration Kit with Web Intelligence
  You can connect using the BEx Query
  For Lumira right now you can connect using the BEx query but only in the Visualize room - more enhancements are planned in 1.27 - see SAP Lumira Webcast including H1 Plans with BW Updates
  I don't think Gateway is needed in these scenarios
  Tammy

• Hiding specific Roles from specific users

  Dear All,
  Is there any way in the database that can hide a role from a user. For instance, if I create a role, then this role can be viewed by all the users defined in the database and then these users can grant priviliges of their own objects to such role. I want to create a Role where certain users can not see and should not be allowed to grant any priviliges for this Role...
  is this possible....
  Thanks
  Bil

  For instance, if I create a role, then this role can be viewed by all the users defined in the database no, I do not think so. Roles are only "visible" to powerful users that have access to the dictionary
  SQL> create role SECRETROLE123;
  Role created.
  SQL> grant create session to SECRETROLE123;
  Grant succeeded.
  SQL> grant select on scott.emp to SECRETROLE123;
  Grant succeeded.
  SQL> grant recovery_catalog_owner to SECRETROLE123;
  Grant succeeded.
  SQL> grant update (sal) on scott.emp to SECRETROLE123;
  Grant succeeded.
  SQL> conn blake/paper                                              
  Connected.
  SQL> select * from dba_roles;
  select * from dba_roles
  ERROR at line 1:
  ORA-00942: table or view does not exist
  SQL> select * from role_tab_privs;
  no rows selected
  SQL> select * from role_sys_privs;
  no rows selected
  SQL> select * from role_role_privs;
  no rows selectedHowever, you cannot that easily prevent an user from granting a table privilege on its own table to a role
  SQL> grant all on t to secretrole123;                            
  Grant succeeded.
  SQL> select distinct grantee from user_tab_privs;
  GRANTEE
  SECRETROLE123Perhaps you can setup a database trigger
  Message was edited by:
  Laurent Schneider

• Access User Roles

  Hi,
  Can I access user roles by using the following code and if so, then how do I retrieve the role information from the iterator.
  //This is code for getting Username and role.
  IWDClientUser user1 = WDClientUser.forceLoggedInClientUser();
  IUser user2 = user1.getSAPUser();
       try{
            if (user2 != null) { IUserAccount[] acct = user2.getUserAccounts();
            if(acct[0] != null)
                String strUserid = acct[0].getLogonUid();
                 wdComponentAPI.getMessageManager().reportSuccess("name"+strUserid);
                 Iterator it = acct[0].getRoles(true);
       catch (UMException e) {
            wdComponentAPI.getMessageManager().reportSuccess(e.toString());
  Thanks,
  Jay

  Hi
    This should help you.
  //Get Role Information
    if (it.hasNext()) {
      IRoleFactory rfact = UMFactory.getRoleFactory();
      while (it.hasNext()) {
          String roleName = (String) it.next();
          IRole role = null;
          try {
              role = rfact.getRole(roleName);
              wdComponentAPI.getMessageManager().reportSuccess("Role:" + roleName 
              + "Display Name:"    + role.getDisplayName()
              + "ID: " + role.getUniqueID()
              + "Uniquename: " + role.getUniqueName()
              + "Description: " + role.getDescription());
          } catch (UMException e) {
          wdComponentAPI.getMessageManager.reportException("error: " + e.getLocalizedMessage(),true);
  regards
  ravi

• Unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest

  unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest

  Hi,
  For SU01 role removal, you do not need S_USER_AGR with 02, and as you mentioned both authorizations available in production, if so trace should not show you the S_USER_AGR with 02 with RC=04.
  I would recommend to do role comparison for the user performing the activity. and then check if you have the S_USER_AGR with 02 in user buffer SU56.
  But ideally it should not ask you S_USER_AGR for 02 through SU01, so please take help of abaper to debug it.
  Also put trace in non-prd to see if S_USER_AGR is getting checked with 02 for removal through SU01.
  BR,
  Mangesh

• Users are not removed from role using UME API

  Hello,
  I am using this code to remove users from a batch of roles that I have.
  Everything is running OK, no exception is thrown and at the System.out I see all the actions that needs to be taken correctly. The problem is that if I'll go later to one of the roles the users are still assigned to it. Any idea what I'm doing wrong here?
  try
  IRoleFactory roles = UMFactory.getRoleFactory();
  IUserFactory users = UMFactory.getUserFactory();
  IRoleSearchFilter filter = roles.getRoleSearchFilter();
  filter.setUniqueName("<My_filter>", ISearchAttribute.LIKE_OPERATOR, false);
  ISearchResult sresult = roles.searchRoles(filter);
  if ( sresult.getState() == ISearchResult.SEARCH_RESULT_OK )
       while(sresult.hasNext())
       String id = (String)sresult.next();
       IRole role = UMFactory.getRoleFactory().getMutableRole(id);
       Iterator i = role.getUserMembers(false);
       while (i.hasNext())
                       String uid = (String)i.next();
            IUser user = users.getUser(uid);
            role.removeUserMember(user.getUniqueName());
            System.out.println("Removed user: " + user.getUniqueName() + " from role: " + role.getDisplayName());
       role.save();
       role.commit();
  catch (Exception e)
       manager.reportException(new WDNonFatalException(e), false);

  Solved it!
  It needs the FQDN User ID...

• Pull User Role from identity manager in BPM process

  Hi,
  How can I pull user name, user role from different identity manager in order to configure hierarchy workflow in BPM process? can any one guide me on that??
  Regards,
  Amik

  I'm having the same problem on WebLogic 10.3

• Mass deletion of roles from users

  I want to delete all roles from locked users. Is there a specific transaction for this instead of SU10? In SU10 one has to enter the roles to remove.

  We developed our own application which locks users after a while, then removes their role assignments after a while, and then lists roles which no longer have any assignments or no one is using anything which the role authorizes.
  This way you can optimize / automate periodic controls.
  There is no standard monitoring cockpit for this, but you can use declaritive system params to destroy password based authentication.
  The real trick with periodic controls is to target the sample before you unassign and destroy roles, but the ability to do that depends on how you buikd the roles.
  Disclaimer: If you use composite roles then you have no chance. You are doomed.. ;-)
  Cheers,
  Julius

• Receiving an error when trying to remove P00 Security role from the user

  Hi All,
  I am receiving an error when trying to remove P00 Security role from the user.
  After logging on to GRC CUP, clicking on u201CCreate requestu201D, and filling out required information,
  I click on Select Roles/Groups
  On the next screen,
  I click on Existing Roles/Groups
  ERROR MESSAGE appears X Action failed and no roles appear in the box to select for removal.
  Regards,
  Vineet

  Hi Vineet,
  My be your selection is incorrect
  Try this
  in Applicaiton Area -- Select ALL
  Functional Area  -
  Select ALL
  Company           -
  Select ALL
  Role/Profile/Group Names --- Give p00* and execute the report
  if you give only p00 it wont give any result
  Hope this helps
  Thank you,
  Kishore

• GRC AC 10:How to generate Access Rule? No output from User or Risk Analysis

  Hello Gurus,
  We have done configuration of GRC AC 10, and uploaded files via
  SoD rules -->Upload Rules
  After that we generated SoD rules for Risk Id : B001 and B002
  Now when we go to NWBC --> Reports & Analytics >Access Dashboards>Access Rule Library
  The report shows (for Group Rule level : Action)
  Number of Active rules : 0
  Number of Disabled Rules : 0
  Number of Functions :  151
  Where as for Group Rule level : Action Risk
  The report shows
  Number of Active Risk : 42
  Disabled risk : 161
  Nmr. of functions : 151 .
  When we perform Risk Analysis at User Level or Role Level, the output is empty !!!
  Note: All the background jobs have run successfully.
  Also the SoD files also have been uploaded successfully.
  Will you please guide how can i activate the "rules" for the uploaded risk ??
  regards,
  Victor

  Hello Victor/ Inder,
  For Risk ID B001functions are BS02 and BS11 if you open any one of them you can see system maintained as SAP BASIS which is SAP_BAS_LG (logical connector group).
  Post installation you can check in SPRO>Governance, Risk and Compliance-> common Component---> integration framework-> maintain connector and connector types->select SAP and click Define connector Group.
  BUSINESS     Business Roles     SAP
  SAP_BAS_LG     SAP Basis     SAP
  SAP_CRM_LG     SAP CRM     SAP
  SAP_ECC_LG     SAP ECCS     SAP
  SAP_HR_LG     SAP HR     SAP
  SAP_NHR_LG     SAP R3 - NON HR Basis Logical Group     SAP
  SAP_R3_LG     SAP R3     SAP
  SAP_SRM_LG     SAP SRM     SAP
  (If not present then manually you can create the same)
  Select SAP_BAS_LG and put connector type as SAP,  select SAP_BAS_LG and click Assign Connector group to group types as AM & LG, then click on Assign Connector to connector group and maintain you connector.
  Post this activity re generate SOD for B001 and then check for user level and role level analysis.
  Hope it will resolve your issue.
  Regards,
  Sudesh

• Remove role from user

  HI how do i remove a role from a user when he id terminated or disabled.
  I am assigning a role in the following way during creation with the help of a rule
  <setvar name='newuser.waveset.roles'>
  <filterdup>
  <appendAll>
  <ref>accounts[Lighthouse].roles</ref>
  <s>General-Provision-Role</s>
  <rule name='Get Location Role'>
  <argument name='LocationCode' value='$(newuser.global.LocationCode)'/>
  </rule>
  </appendAll>
  </filterdup>
  </setvar>
  How do I remove this role when termination of user.

  We looking for a way to automate the removing of a user (US) or role (AG) from a position (S).
  There is a report called RHGRENZ2 which can be used to delimit specific OM infotypes (like IT1001- Relationships) specifying the end-date and Position ID (Object Type S and Object ID= Position) manually. In your case, I believe IT1001's Relationship A008 and B007 have to be delimited in order to remove a user (US) or role (AG) from a position (S) but this report cannot be run for specific relationship types of IT1001 (atleast I did never find an option to filter based on relationship types).
  You can try using report RHRHDL00 to delete IT1001 relationships from PP Database but you should consider the consequences of such deletions and restrict the selection based in infotypes and relationship types carefully.
  Alternatively, you can also build a LSMW script to automate the process of mass delimit/deletion of IT1001's relationship types using transaction PP02 (PP01 is not compatible to BDC/background processing)
  Thanks
  Sandipan

• Remove roles from users

  Hi All,
  I would like to ask what can I do if I would like to remove multiple roles from ALL users in the system?
  Normally, for a list of users , I use SU10 to do it.
  However, since there are 1 thousand something users in the system, is there a more efficient way to do it?
  Thanks for your help.
  Regards,
  Chris

  Thanks.
  I would say, in my case, it's the best to use PFCG sinceI only need to remove 3X something roles from them. (I don't know which users have those particular roles, the only thing I need to do is to make sure that the 3X roles have no corresponding users).
  Thanks again !
  Regards,
  Chris

• Deleting roles from multiple users simultaneously

  I need to delete all of the roles from multiple users and I was wondering if anyone knows of a way to do it simultaneously other than  a Mercury script(it wont take the roles away that are lower than the initial 20)?

  Hi there,
  there could be easier ways to do it, but this is how I'd go about it if I didn't want to go to each user ID.
  Get a list of all roles assigned to your users you want to restrict from SUIM (display the list of users via tcode S_BCE_68001400).  Click on the 'roles' button and it will pull up a list of all the roles assigned to those users.  Extract and save that).
  Filter the list so you have only one entry of each role name.
  Then go to SU10, enter in all your user IDs to change and go to the role tab, enter the unique list and put wide dates on it say from 01.01.1995 - 31.12.9999 (you want them earlier than the earliest role 'valid from' date and later than the latest role 'valid to' assignment).
  Click the 'Remove' box and save and you should have all roles removed.
  Good luck with it.
  Cheers,
  Dianne

• Revoke roles from users

  I want to revoke a number of roles from users. What I found is if one or more roles were not granted to the user before, then the whole 'revoke' statement will fail, i.e. the granted roles will not be revoked from the user. Is there a way to let the statement revoke the granted roles even though there may be some roles were not granted. For example;
  REVOKE role1,role2,role3 from user;
  I want to revoke role1 and role2 even though role3 were not granted to the user.

  Why don't you test this yourself?
  satyaki>
  satyaki>select * from v$Version;
  BANNER
  Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Prod
  PL/SQL Release 10.2.0.3.0 - Production
  CORE    10.2.0.3.0      Production
  TNS for 32-bit Windows: Version 10.2.0.3.0 - Production
  NLSRTL Version 10.2.0.3.0 - Production
  Elapsed: 00:00:00.98
  satyaki>
  satyaki>
  satyaki>
  satyaki>
  satyaki>create role r1;
  Role created.
  Elapsed: 00:00:01.80
  satyaki>
  satyaki>
  satyaki>GRANT select  ON emp   TO r1;
  Grant succeeded.
  Elapsed: 00:00:00.51
  satyaki>
  satyaki>
  satyaki>create role r2;
  Role created.
  Elapsed: 00:00:00.02
  satyaki>
  satyaki>grant update on emp to r2;
  Grant succeeded.
  Elapsed: 00:00:00.05
  satyaki>
  satyaki>
  satyaki>grant r1 to hr;
  Grant succeeded.
  Elapsed: 00:00:00.17
  satyaki>
  satyaki>grant r2 to titan;
  Grant succeeded.
  Elapsed: 00:00:00.07
  satyaki>
  satyaki>
  satyaki>revoke r2 from hr;
  revoke r2 from hr
  ERROR at line 1:
  ORA-01951: ROLE 'R2' not granted to 'HR'
  Elapsed: 00:00:00.12
  satyaki>
  satyaki>Regards.
  Satyaki De.