Accessing Users In NW Roles from MII
We are using 12.1. Is there an easy way from MII to get a list of all the users that are in an SAP NW role? For example, if a certain event occurs I want to e-mail everyone in a particular role from an MII transaction. How do I get the list of users that are in the role?
Thanks,
Mike
Jeremy,
Thanks for the help. This almost gets me there. If I do this
http://servernamehere/XMII/Illuminator?Service=SystemInfo&Mode=RoleList&Content-Type=text/xml
from a browser it works fine (I see XML that has what I need). If I do the same thing from an XML Loader action in an MII transaction I get the following error:
"The markup in the document following the root element must be well formed." "XML Document cannot be loaded."
I need to be able to get to this info from within a transaction.
Thanks,
Mike
Similar Messages
-
SAP user assigned with roles from HR-ORG incorrectly
Hi All
I have an issue where a SAP user appears to be receiving role assignments from some HR-ORG object erroneously.
I have checked the user's HR positions and organisational assignments and they do not have any roles assigned.
I also checked the job and no roles are assigned there as well.
Where could these roles be coming from if they are not coming from the position or org unit?
User currently has direct role assignments in SU01 except for 3 roles which appear as indirect assignments (HR assignments) in SU01.
Is this is a bug and is there a note to fix it?
Please could someone let me know why this is happening.
Thanks
RanHi Colleen.... Thanks for your email.
Please see below screenshot, it is an Org assignment but single roles also belong to composite roles.
PBS is not meant to be active and PFUD is scheduled as a daily job. CUA is not active here.
User is assigned to a position and org unit but roles are not provisioned via the Org/position. So there is a 0105 mapping, I have checked those positions and org units but no roles are assigned there.
Basis release 731 and level 0005, SP - SAPKB73105. -
Restiction on SAP Lumira user with BI_DATA_ANALYST role
Hi,
Is there an option to disable the SAP Lumira user with BI_DATA_ANALYST role from loading the Excel data into SAP Hana? We would like the user to be able to create story boards and publish it on SAP LUMIRA server using HANA views but not allow him to load any flat file data.
Thanks,
LakshmiManish - if you are on BI4 there is no need for the SAP Integration Kit with Web Intelligence
You can connect using the BEx Query
For Lumira right now you can connect using the BEx query but only in the Visualize room - more enhancements are planned in 1.27 - see SAP Lumira Webcast including H1 Plans with BW Updates
I don't think Gateway is needed in these scenarios
Tammy -
Hiding specific Roles from specific users
Dear All,
Is there any way in the database that can hide a role from a user. For instance, if I create a role, then this role can be viewed by all the users defined in the database and then these users can grant priviliges of their own objects to such role. I want to create a Role where certain users can not see and should not be allowed to grant any priviliges for this Role...
is this possible....
Thanks
BilFor instance, if I create a role, then this role can be viewed by all the users defined in the database no, I do not think so. Roles are only "visible" to powerful users that have access to the dictionary
SQL> create role SECRETROLE123;
Role created.
SQL> grant create session to SECRETROLE123;
Grant succeeded.
SQL> grant select on scott.emp to SECRETROLE123;
Grant succeeded.
SQL> grant recovery_catalog_owner to SECRETROLE123;
Grant succeeded.
SQL> grant update (sal) on scott.emp to SECRETROLE123;
Grant succeeded.
SQL> conn blake/paper
Connected.
SQL> select * from dba_roles;
select * from dba_roles
ERROR at line 1:
ORA-00942: table or view does not exist
SQL> select * from role_tab_privs;
no rows selected
SQL> select * from role_sys_privs;
no rows selected
SQL> select * from role_role_privs;
no rows selectedHowever, you cannot that easily prevent an user from granting a table privilege on its own table to a role
SQL> grant all on t to secretrole123;
Grant succeeded.
SQL> select distinct grantee from user_tab_privs;
GRANTEE
SECRETROLE123Perhaps you can setup a database trigger
Message was edited by:
Laurent Schneider -
Hi,
Can I access user roles by using the following code and if so, then how do I retrieve the role information from the iterator.
//This is code for getting Username and role.
IWDClientUser user1 = WDClientUser.forceLoggedInClientUser();
IUser user2 = user1.getSAPUser();
try{
if (user2 != null) { IUserAccount[] acct = user2.getUserAccounts();
if(acct[0] != null)
String strUserid = acct[0].getLogonUid();
wdComponentAPI.getMessageManager().reportSuccess("name"+strUserid);
Iterator it = acct[0].getRoles(true);
catch (UMException e) {
wdComponentAPI.getMessageManager().reportSuccess(e.toString());
Thanks,
JayHi
This should help you.
//Get Role Information
if (it.hasNext()) {
IRoleFactory rfact = UMFactory.getRoleFactory();
while (it.hasNext()) {
String roleName = (String) it.next();
IRole role = null;
try {
role = rfact.getRole(roleName);
wdComponentAPI.getMessageManager().reportSuccess("Role:" + roleName
+ "Display Name:" + role.getDisplayName()
+ "ID: " + role.getUniqueID()
+ "Uniquename: " + role.getUniqueName()
+ "Description: " + role.getDescription());
} catch (UMException e) {
wdComponentAPI.getMessageManager.reportException("error: " + e.getLocalizedMessage(),true);
regards
ravi -
unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest
Hi,
For SU01 role removal, you do not need S_USER_AGR with 02, and as you mentioned both authorizations available in production, if so trace should not show you the S_USER_AGR with 02 with RC=04.
I would recommend to do role comparison for the user performing the activity. and then check if you have the S_USER_AGR with 02 in user buffer SU56.
But ideally it should not ask you S_USER_AGR for 02 through SU01, so please take help of abaper to debug it.
Also put trace in non-prd to see if S_USER_AGR is getting checked with 02 for removal through SU01.
BR,
Mangesh -
Users are not removed from role using UME API
Hello,
I am using this code to remove users from a batch of roles that I have.
Everything is running OK, no exception is thrown and at the System.out I see all the actions that needs to be taken correctly. The problem is that if I'll go later to one of the roles the users are still assigned to it. Any idea what I'm doing wrong here?
try
IRoleFactory roles = UMFactory.getRoleFactory();
IUserFactory users = UMFactory.getUserFactory();
IRoleSearchFilter filter = roles.getRoleSearchFilter();
filter.setUniqueName("<My_filter>", ISearchAttribute.LIKE_OPERATOR, false);
ISearchResult sresult = roles.searchRoles(filter);
if ( sresult.getState() == ISearchResult.SEARCH_RESULT_OK )
while(sresult.hasNext())
String id = (String)sresult.next();
IRole role = UMFactory.getRoleFactory().getMutableRole(id);
Iterator i = role.getUserMembers(false);
while (i.hasNext())
String uid = (String)i.next();
IUser user = users.getUser(uid);
role.removeUserMember(user.getUniqueName());
System.out.println("Removed user: " + user.getUniqueName() + " from role: " + role.getDisplayName());
role.save();
role.commit();
catch (Exception e)
manager.reportException(new WDNonFatalException(e), false);Solved it!
It needs the FQDN User ID... -
Pull User Role from identity manager in BPM process
Hi,
How can I pull user name, user role from different identity manager in order to configure hierarchy workflow in BPM process? can any one guide me on that??
Regards,
AmikI'm having the same problem on WebLogic 10.3
-
Mass deletion of roles from users
I want to delete all roles from locked users. Is there a specific transaction for this instead of SU10? In SU10 one has to enter the roles to remove.
We developed our own application which locks users after a while, then removes their role assignments after a while, and then lists roles which no longer have any assignments or no one is using anything which the role authorizes.
This way you can optimize / automate periodic controls.
There is no standard monitoring cockpit for this, but you can use declaritive system params to destroy password based authentication.
The real trick with periodic controls is to target the sample before you unassign and destroy roles, but the ability to do that depends on how you buikd the roles.
Disclaimer: If you use composite roles then you have no chance. You are doomed.. ;-)
Cheers,
Julius -
Receiving an error when trying to remove P00 Security role from the user
Hi All,
I am receiving an error when trying to remove P00 Security role from the user.
After logging on to GRC CUP, clicking on u201CCreate requestu201D, and filling out required information,
I click on Select Roles/Groups
On the next screen,
I click on Existing Roles/Groups
ERROR MESSAGE appears X Action failed and no roles appear in the box to select for removal.
Regards,
VineetHi Vineet,
My be your selection is incorrect
Try this
in Applicaiton Area -- Select ALL
Functional Area -
Select ALL
Company -
Select ALL
Role/Profile/Group Names --- Give p00* and execute the report
if you give only p00 it wont give any result
Hope this helps
Thank you,
Kishore -
GRC AC 10:How to generate Access Rule? No output from User or Risk Analysis
Hello Gurus,
We have done configuration of GRC AC 10, and uploaded files via
SoD rules -->Upload Rules
After that we generated SoD rules for Risk Id : B001 and B002
Now when we go to NWBC --> Reports & Analytics >Access Dashboards>Access Rule Library
The report shows (for Group Rule level : Action)
Number of Active rules : 0
Number of Disabled Rules : 0
Number of Functions : 151
Where as for Group Rule level : Action Risk
The report shows
Number of Active Risk : 42
Disabled risk : 161
Nmr. of functions : 151 .
When we perform Risk Analysis at User Level or Role Level, the output is empty !!!
Note: All the background jobs have run successfully.
Also the SoD files also have been uploaded successfully.
Will you please guide how can i activate the "rules" for the uploaded risk ??
regards,
VictorHello Victor/ Inder,
For Risk ID B001functions are BS02 and BS11 if you open any one of them you can see system maintained as SAP BASIS which is SAP_BAS_LG (logical connector group).
Post installation you can check in SPRO>Governance, Risk and Compliance-> common Component---> integration framework-> maintain connector and connector types->select SAP and click Define connector Group.
BUSINESS Business Roles SAP
SAP_BAS_LG SAP Basis SAP
SAP_CRM_LG SAP CRM SAP
SAP_ECC_LG SAP ECCS SAP
SAP_HR_LG SAP HR SAP
SAP_NHR_LG SAP R3 - NON HR Basis Logical Group SAP
SAP_R3_LG SAP R3 SAP
SAP_SRM_LG SAP SRM SAP
(If not present then manually you can create the same)
Select SAP_BAS_LG and put connector type as SAP, select SAP_BAS_LG and click Assign Connector group to group types as AM & LG, then click on Assign Connector to connector group and maintain you connector.
Post this activity re generate SOD for B001 and then check for user level and role level analysis.
Hope it will resolve your issue.
Regards,
Sudesh -
HI how do i remove a role from a user when he id terminated or disabled.
I am assigning a role in the following way during creation with the help of a rule
<setvar name='newuser.waveset.roles'>
<filterdup>
<appendAll>
<ref>accounts[Lighthouse].roles</ref>
<s>General-Provision-Role</s>
<rule name='Get Location Role'>
<argument name='LocationCode' value='$(newuser.global.LocationCode)'/>
</rule>
</appendAll>
</filterdup>
</setvar>
How do I remove this role when termination of user.We looking for a way to automate the removing of a user (US) or role (AG) from a position (S).
There is a report called RHGRENZ2 which can be used to delimit specific OM infotypes (like IT1001- Relationships) specifying the end-date and Position ID (Object Type S and Object ID= Position) manually. In your case, I believe IT1001's Relationship A008 and B007 have to be delimited in order to remove a user (US) or role (AG) from a position (S) but this report cannot be run for specific relationship types of IT1001 (atleast I did never find an option to filter based on relationship types).
You can try using report RHRHDL00 to delete IT1001 relationships from PP Database but you should consider the consequences of such deletions and restrict the selection based in infotypes and relationship types carefully.
Alternatively, you can also build a LSMW script to automate the process of mass delimit/deletion of IT1001's relationship types using transaction PP02 (PP01 is not compatible to BDC/background processing)
Thanks
Sandipan -
Hi All,
I would like to ask what can I do if I would like to remove multiple roles from ALL users in the system?
Normally, for a list of users , I use SU10 to do it.
However, since there are 1 thousand something users in the system, is there a more efficient way to do it?
Thanks for your help.
Regards,
ChrisThanks.
I would say, in my case, it's the best to use PFCG sinceI only need to remove 3X something roles from them. (I don't know which users have those particular roles, the only thing I need to do is to make sure that the 3X roles have no corresponding users).
Thanks again !
Regards,
Chris -
Deleting roles from multiple users simultaneously
I need to delete all of the roles from multiple users and I was wondering if anyone knows of a way to do it simultaneously other than a Mercury script(it wont take the roles away that are lower than the initial 20)?
Hi there,
there could be easier ways to do it, but this is how I'd go about it if I didn't want to go to each user ID.
Get a list of all roles assigned to your users you want to restrict from SUIM (display the list of users via tcode S_BCE_68001400). Click on the 'roles' button and it will pull up a list of all the roles assigned to those users. Extract and save that).
Filter the list so you have only one entry of each role name.
Then go to SU10, enter in all your user IDs to change and go to the role tab, enter the unique list and put wide dates on it say from 01.01.1995 - 31.12.9999 (you want them earlier than the earliest role 'valid from' date and later than the latest role 'valid to' assignment).
Click the 'Remove' box and save and you should have all roles removed.
Good luck with it.
Cheers,
Dianne -
I want to revoke a number of roles from users. What I found is if one or more roles were not granted to the user before, then the whole 'revoke' statement will fail, i.e. the granted roles will not be revoked from the user. Is there a way to let the statement revoke the granted roles even though there may be some roles were not granted. For example;
REVOKE role1,role2,role3 from user;
I want to revoke role1 and role2 even though role3 were not granted to the user.Why don't you test this yourself?
satyaki>
satyaki>select * from v$Version;
BANNER
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Prod
PL/SQL Release 10.2.0.3.0 - Production
CORE 10.2.0.3.0 Production
TNS for 32-bit Windows: Version 10.2.0.3.0 - Production
NLSRTL Version 10.2.0.3.0 - Production
Elapsed: 00:00:00.98
satyaki>
satyaki>
satyaki>
satyaki>
satyaki>create role r1;
Role created.
Elapsed: 00:00:01.80
satyaki>
satyaki>
satyaki>GRANT select ON emp TO r1;
Grant succeeded.
Elapsed: 00:00:00.51
satyaki>
satyaki>
satyaki>create role r2;
Role created.
Elapsed: 00:00:00.02
satyaki>
satyaki>grant update on emp to r2;
Grant succeeded.
Elapsed: 00:00:00.05
satyaki>
satyaki>
satyaki>grant r1 to hr;
Grant succeeded.
Elapsed: 00:00:00.17
satyaki>
satyaki>grant r2 to titan;
Grant succeeded.
Elapsed: 00:00:00.07
satyaki>
satyaki>
satyaki>revoke r2 from hr;
revoke r2 from hr
ERROR at line 1:
ORA-01951: ROLE 'R2' not granted to 'HR'
Elapsed: 00:00:00.12
satyaki>
satyaki>Regards.
Satyaki De.
Maybe you are looking for
-
I can not send email from my iPad . Says SMTP is incorrect
Why can't I send email from my iPad ? It says my SMTP is incorrect but it will not let me correct it
-
hi friends i am looking for a report where i want to have these details in that PO number,PO QTY,Po Value,GR number,gr qty,GR value,IR number,IR value,Parked invoice number,parked invoice value, payment made to vendor,clearing document number,mode of
-
Hello Guru: I have created the query and the result like this. Customer Product Sales Volume 1 A 100 B 200 Result 300 I preferred to show like this Customer Product Sal
-
Not enough RAM error while running batch command
Bug in photoshop creative cloud. When using the "batch" editing feature after 5 images being edited the same way (batch processing) an error code pops up. "Error:not enough ram" and then i have to restart which does the same thing over and over again
-
There is no webdynpro perspective
hello, i get the Sap Netweaver 7.2 from a friend but i cannot see the Webdynpro perspective in "Window-openPrespective" altough he uses that one and i have the plugins. why thats missing? thnx in advance.