Assign user external dir to group using MaxL

Similar Messages

• Assigning the role to the group using MAXL

  Hi,
  We are using Essbase 11.1.1.3 and Hyperion Financial Reports 11.1.13.
  I have created a role called "Standard_user_HFR" in shared Services and assgined Explorer and viewer to the role and i need to assign the role to the groups and i have around 1600 groups to which i have assign the role. Is there any Maxl Script to assign the role to the groups. As of now i am manually adding the role to the group.
  Regards,
  VJ

  Also look into Aggregated Roles to possibly reduce the number of Groups.
  Oracle states:
  Aggregated roles, also known as custom roles, aggregate multiple predefined application roles. An aggregated role can contain other aggregated roles. For example, a Shared Services Administrator or Provisioning Manager can create an aggregated role that combines the Planner and View User roles of a Oracle Hyperion Planning, Fusion Edition, application. Aggregating roles can simplify the administration of applications that have several granular roles. Global Shared Services roles can be included in aggregated roles. You cannot create an aggregated role that spans applications or products.
  Thank you,
  Todd Rebner

• Assign User ids to Recipient Group

  Hi All
  Could any one please tell us how to assign users into a recipient group.
  Recipient group can be found from SPRO IMG
  Training and event management --> Day to day Activities --> Correspondance --> Notification Abbreviations
  Regards
  Pritam

  Dear Pritam,
  With the Definition of the recepient groups you can specify for which recipient group which function module should be linked / should be used.
  In the function module it is decided whom the correppondece will be sent.
  F.e.:
  Recipient group Prebooked  -> RH_GET_ADDR_PREB (function module)
  If you prebook a course with one of your Objects (Person, User, Candidate, Org. Unit, etc..) than the object automatically belongs to the Prebooked group.
  For the "prebooked" group you can specify different notification types they call the function module.
  I hope i could clearify the question.
  Kind regards,
  Zsolt

• Shared Services 11.1.2 Unable to remove assigned user from a security group

  In Shared Services 11.1.2 - trying to remove a user from the assigned users list of a security group. Initially, I am able to remove the user and the assigned users total decreases by one - but when I relaunch the group properties - this user is still in there? The change does not hold. Any suggestions would be appreciated - thanks,
  Paul

  Hello Paul,
  Not sure if this is related to yours, but it might be worth having a look at the following articles on Oracle support --
  External users in EPM Shared Services (e.g. MSAD users) cannot be removed from Native groups if they have multiple IDs in the external user directory. [ID 1526569.1]
  Users from External User Directories Cannot be Removed from Native Groups [ID 1272309.1]
  Thanks,
  hyperionEPM
  Please mark answers as correct or helpful for others to find them easily.

• Assign user role to network group people

  Hi everyone,
  What user role should I assign to network people if they wan to be able to discovery(add) and manage their network devices by themselves. I have tried Advanced Operator and Operator two roles, but non of them came up with Discovery Wizard option. I really don't
  want to assign them to Operations Manager Administrators group because I'm pretty sure they will mess up SCOM within couple mins!!!!!

  Hi,
  We can create runas account for discovery with the network discovery wizard, the runas account type is community string only.
  Network devices that use SNMP v1 or v2 require a Run As account that specifies a community string, which acts like a password to provide read-only access to the device.
  Regards, Yan Li
  Hi Yan Li,
  After reading your post couple times, I'm confused now. I did have two run as account created for community string and snmpv3 authentication. When I ran Discovery Wizard for network devices, I can select either one of them to run without problem,
  and discover network devices. My account is under Operation Manager Administrators role, so I have full permissions to do anything I want.
  My question is that how to configure or create User Roles for network group people, so they can also run Discovery Wizard and manage their network devices without putting them into Operation Manager Administrators group. Ex: there is not Administration
  tab for them, they only see Network Monitoring folder under Monitoring. Because I don't want them to mess up those options under Administration.
  Is it just like the previous post said that only two options?  Thank you.
  1) grant them as a SCOM administrators right
  2) scom administrator help them to do network discovery

• Adding a domain user to Local Admin Groups using MDT 2012

  I don't know if this will help anyone, but it did me after weeks of searching.  If you are trying to add a domain user or domain groups to the local administrators group using MDT, simply go to the cs.ini and add "SkipAdminAccounts=No". 
  But the administrators accounts page will only appear if you choose to join a domain. 

  Correct, if you were to go into the %DeployRoot%\Scripts\DeployWiz_Definition_ENU.xml file you would see the entry for the DeployWiz_AdminAccounts.xml page as follows:
  <Pane id="AdministratorAccounts" reference="DeployWiz_AdminAccounts.xml">
  <Condition><![CDATA[ UCase(Property("SkipAdminAccounts")) = "NO" and UCase(Property("DeploymentType"))<>"REPLACE" and Property("DeploymentType")<>"CUSTOM" and Property("JoinDomain") <> "" ]]></Condition>
  </Pane>
  Most Wizard Pages are displayed by default, and you can turn them off by using the SkipXxxXxxxxx Page variable to hide them during wizard execution. This page is different, since it was added for MDT 2012, the MDT team decided to leave it *OFF* by default,
  instead you must explicitly turn off the SkipAdminAccounts variable by setting it to "NO".
  Additionally, you would not need to display this page if you were running a Refresh or a Custom Task Sequence.
  Finally, this page does not actually *create* accounts, instead it just adds pre-existing user accounts and adds them to the local Administrators group. This scenario is only valid when you are joining the machine to a domain, so you must Join to the Domain.
  If you are interested in adding other local users to the Administrators Group, you should write a script to create the account(s) and add them to the local group. Windows 8.1 has some *gotchas* that have to do with Microsoft Accounts, but that's a different
  Story :^).
  Keith Garner - keithga.wordpress.com

• Assigning permission to SharePoint 2013 group using REST API

  Hi All,
  I was trying to assign permission to a group using REST but it failing with error message "Bad Request". Below is my REST code to assign Contribute permission to group with ID 95, It would great help if someone can help me to fix this.
  // Set permission on a specific group
  $.ajax({
  url: "<Site URL>/_api/web/roleassignments/addroleassignment(principalid=95, roledefid=1073741827)",
  type: "POST",
  contentType: "application/json;odata=verbose",
  headers: { "Accept": "application/json; odata=verbose","X-RequestDigest": $("#__REQUESTDIGEST").val(),"X-HTTP-Method": "POST" },
  success: function (data) {
  // Returning the results
  alert('Contribute permission set on group');
  alert("Error: " + JSON.stringify(data));
  error: function (data) {
  alert("Error: " + JSON.stringify(data));
  ~Harish

  Hi Harish,
  I have same problem and I just find solution for this error.
  You must set body/data to null value --> It's work for me  !!! :)
  See my code with RequestExecutor (I develop an SharePoint App)
  // Set the new role assignment for the group on the list.
          this.setNewRoleForGroup = function (listTitle, newRoleDefId, groupId) {
              var deferred = $.Deferred();
              //First we must call the EnsureSetup method
              JSRequest.EnsureSetup();
              var hostweburl = decodeURIComponent(JSRequest.QueryString["SPHostUrl"]);
              var appweburl = decodeURIComponent(JSRequest.QueryString["SPAppWebUrl"]);
              //Tip to have a title formated to REST call
              var arrayTitle = decodeURIComponent(listTitle).split("'");
              var restQueryUrl = appweburl + "/_api/SP.AppContextSite(@target)/web/lists/GetByTitle('" + arrayTitle.join("''") + "')/roleassignments/addroleassignment(principalid=" + groupId + ",roledefid=" + newRoleDefId + ")?@target='" + hostweburl + "'";
              var executor = new SP.RequestExecutor(appweburl);
              executor.executeAsync({
                  url: restQueryUrl,
                  body: null,
                  method: "POST",
                  headers: {
                      "Content-Type": "application/json;odata=verbose",
                      "Accept": "application/json; odata=verbose",
                      "X-HTTP-Method": "POST"
                  success: function (data, textStatus, xhr) {
                      deferred.resolve({ updated: true });
                  error: function (xhr, textStatus, errorThrown) {
                      deferred.reject(JSON.parse(xhr.body).error.message.value);
              return deferred;

• Adding users in Local Administrators Group using GP Restricted Group

  Hi Experts.
  I have approx 200 servers. There are user1, user2 and user3 which I have added in
  Local Administrators Group using GP Restricted Group in all 200 servers. This works fine. In Add Group option I added "Administrator" and Added user1, user2 and user3 in "Members of this Group". Now all 3 users are reflected as a Local
  Administrators member.
  Now there is a need that user 4 should be in Local Administrators Group using GP Restricted Group for certain servers only. Lets say 50.
  In Add Group option I added "Administrator" and Added user4 in "Members of this Group". BUT it doesn't work.
  Any idea?
  Regards Suman B. Singh

  Hi,
  How is it going? I agree with Martin. To do this, we can configure the setting in two different GPOs. For instance, in GPO1, we add user1, user2, and user3 to the local admin group; in GPO2, we add user1, user2, user3, and user4 to the local admin group;
  and then we can use Security Filtering to apply the specific GPOs to specific computers.
  Regarding security filtering, the following article can be referred to for more information.
  Security filtering using GPMC
  https://technet.microsoft.com/en-us/library/cc781988(v=ws.10).aspx
  Filter Using Security Groups
  https://technet.microsoft.com/en-us/library/cc752992.aspx
  Besides, in addition to Restricted Groups, we can also use Group Policy Preferences Local Users and Groups to do this, in which way we can configure two Local Group items in one GPO and utilize Item-Level Targeting to apply the specific items to specific
  computers.
  Regarding GPP Local Users and Groups, the following article can be referred to for more information.
  Configure a Local Group Item
  https://technet.microsoft.com/en-us/library/cc732525.aspx
  How to use Group Policy Preferences to Secure Local Administrator Groups
  http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
  Regarding Item-Level Targeting, the following article can be referred to for more information.
  Preference Item-Level Targeting
  https://msdn.microsoft.com/en-us/library/cc733022.aspx
  Best regards,
  Frank Shen

• Accessing users home dir from W7 using net use

  Hi!
  Probably I'm doing something wrong. OES11SP1 on SLES11SP2. User home dir accessible using net use from Windows XP, but not from Windows 7. Already tried to change LmCompatibilityLevel in registry (to 1), but didn't help. I recall, some year ago I had same problem from W7 (64bit) and then I installed Novell Client, now I'm trying to wo the client, should be possible?
  More thanks, Alar.

  On 10.10.2013 13:56, NovAlf wrote:
  >
  > Hi!
  > Probably I'm doing something wrong. OES11SP1 on SLES11SP2. User home dir
  > accessible using net use from Windows XP, but not from Windows 7.
  > Already tried to change LmCompatibilityLevel in registry (to 1), but
  > didn't help. I recall, some year ago I had same problem from W7 (64bit)
  > and then I installed Novell Client, now I'm trying to wo the client,
  > should be possible?
  > More thanks, Alar.
  If you can or can't access a share on OES11 without the Novell CLient
  depends on if you have configured and enabled CIFS on the server.
  Note that "Net Use" is an universal command, and uses the Novell CLient
  too *if* it is installed. Many People believe "Net Use" would somehow be
  Microsoft Network specific, but it isn't. It uses whatever network
  client is isnstalled and able to access the resource.
  CU,
  Massimo Rosen
  Novell Knowledge Partner
  No emails please!
  http://www.cfc-it.de

• Unassign user from a OIM Group using API/Java Code

  Hello OIMers,
  Can you please tell me how should I Un-assign a group membership through code?
  This is the case:
  When the user is deleted from Active Directory, I want to Unassign the User from a group, assume the name of the group is "FullTime Employees".
  Currently How I do this is Click on the User Profile in Admin Console then select Group Membership from drop down and then select unassign for that group.
  Please tell me how should I do the above task programmatically, This would solve my problem.
  Thanks everyone in advance.
  Regards,
  VSN

  Hi all,
  I am using the following api:
  uintgroupf = (tcGroupOperationsIntf)tcUtilityFactory.getUtility(db, "Thor.API.Operations.tcGroupOperationsIntf");
  uintgroupf.removeMemberUser(arg0, arg1);
  arg0 - is group key............Can you tell me how should I fetch this Group Key??
  Thanks.
  Regards,
  VSN

• ASA WebVPN. How do you restrict access to users in an AD group using LDAP?

  Hi All,
  I am trying to configure separate WebVPN connection profiles to give different portal bookmark contents to users based on their AD group membership.  This has been very difficult, even though I beleive it should be easy.
  The login page of teh ASA by default has a dropdown to allow default users to access the default portal and the SSL VPN client connection.
  There are two other portals that I would like to restrict access to based on AD group membership.  I have set these up to be selected by URL.
  The biggest problem is, I have no way of knowing how to go about this.  The AAA LDAP options show a group membership search, which I have configured, but I cannot say "Profile X is restricted to AD group CarpetBaggers", so that if soneone that is NOT a carpetbagger tries to log in, it fails.
  I can only do an all or nothing scenario.
  It would be nice to use Dynamic Access Policies to do this, and I have created a few, but they do NOT seem to work when the drop down aliases or URLs are in use.  So how do I go about using them in this scenario?  Turning off the aliases or URLs is not really an option right now.
  Scenario 1 would work the best for me.  Restrict access to profiles/groups based on AD group membership using LDAP.
  Scenario 2 would be an ideal longer term solution.
  Any thoughts, ideas or assitance would be greatly appreciated.
  Cheers

  This is exactly what i was looking for, and Nelson is correct.  When you enter the DAP configuration for a profile click on "Advanced" and there is the option to create a logical expression.  The guide (ther is a button to access this) is really helpful, with a couple of examples.  This is what i used:
  assert(function()
     if ( (type(aaa.ldap.distinguishedName) == "string") and
          (string.find(aaa.ldap.distinguishedName, "OU=Users") ~= nil) )
  then
         return true
     end
     return false
  end)()
  from the debug dap you can see what Users relates to;
  DAP_TRACE: Username: MyUsername, aaa.ldap.distinguishedName = CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com
  My admin account fails to get me in to the same profile:
  DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"
  Thanks
  Andrew

• How to check logged in user belongs to particular group using workflow

  HI All,
  I have a list  and I want o implement row level security based on the list filed called Relevant group.
  I have a list filed called RelevantGroup , this filed is a choice filed and it has  couple of SharePoint site's groups that I have created. Now what I want to do is give current logged in user to edit the record based on his/her security group. For example
  if I logged in and if I m a member of  the current record RelevantGroup I can edit the record, if I m not a member of the RelevantGroup then the system shouldn't allow to edit the record. 
  I want to do this SharePoint designer workflow. Can someone please help me. Using SPD2013. 
  Thanks. 
  d.n weerasinghe

  Is the form being served up from livecycle? If not how is the form being served up to the user?

• Trying to assign User to ADS-Group

  Hi,
  i'm trying to assign a User to an ADS group using the script "sap_getGroupDN".
  Unfortunately the mskey given to that method is the mskey from the user and not from the group.
  Any suggestions or ideas?
  How managed you that case?
  Kind regards,
  Achim Heinekamp
  CONET Solutions GmbH

  Hi folks,
  it seems I'm having a very similar problem to Achim, although the sympton is a little different. When I run the task to assign a role (1 AS ABAP, 1 AS Java and 1 AD OU) on the task AssignUserToADSGroupI get an error message that reads:
  PrivDN: !ERROR:No such attribute
  I've assigned the privelege to the role, and it seems to recognize that and create the user, however...the groups don't get assigned.
  The full output s below:
  <?xml version="1.0" encoding="UTF-8"?>
  <mx:EMSLOG xmlns:mx="http://www.maxware.com/EMS">
  <mx:GENERAL>
  <mx:DATE>21.07.2009 20:57:41</mx:DATE>
  <mx:VERSION>DSE.JAR version: 7.10.02.0 Built: 01.07.2009 15:49:23 (c) Copyright 2008 SAP AG. All rights reserved.</mx:VERSION>
  <mx:MACHINE>clklabvm3-disp01</mx:MACHINE>
  <mx:JOBID>045EB0C2-E35B-4AD7-8D0A-84B51594EAAF</mx:JOBID>
  <mx:WORKAREA>C:/Program Files (x86)/SAP/IdM/Identity Center/Jobs/045EB0C2-E35B-4AD7-8D0A-84B51594EAAF</mx:WORKAREA>
  <mx:JOB>jdbc:sqlserver://clklabvm3\idm:1988;responseBuffering=full;encrypt=false;databaseName=mxmc_db;selectMethod=direct;trustServerCertificate=false;lastUpdateCount=true; - MACHINE:clklabvm3-disp01</mx:JOB>
  <mx:PRODUCT>Provisioning</mx:PRODUCT>
  <mx:CUSTOMER>SAP customer : f9c1c5cd66189d133765ac44ea6c127a</mx:CUSTOMER>
  <mx:TIMEUSED>5</mx:TIMEUSED>
  <mx:NERRORS>0</mx:NERRORS>
  <mx:NWARNINGS>3</mx:NWARNINGS>
  <mx:NENTRIES adds="3" mods="0" dels="0" noops="0" markdels="0">3</mx:NENTRIES>
  </mx:GENERAL>
  <mx:PASSES>
  <mx:PASS name="Job Initialization" title="Messages that occurred before the job was loaded" type="init" seq="0">
  <mx:MESSAGES>
  <WARNING seq="1">
  <mx:TEXT>Failed loading JDBC Driver class com.microsoft.jdbc.sqlserver.SQLServerDriver</mx:TEXT>
  <mx:TEXT>java.lang.ClassNotFoundException: com.microsoft.jdbc.sqlserver.SQLServerDriver</mx:TEXT>
  </WARNING>
  <WARNING seq="2">
  <mx:TEXT>Failed loading JDBC Driver class com.sap.dbtech.jdbc.DriverSapDB</mx:TEXT>
  <mx:TEXT>java.lang.ClassNotFoundException: com.sap.dbtech.jdbc.DriverSapDB</mx:TEXT>
  </WARNING>
  <WARNING seq="3">
  <mx:TEXT>Failed loading JDBC Driver class org.gjt.mm.mysql.Driver</mx:TEXT>
  <mx:TEXT>java.lang.ClassNotFoundException: org.gjt.mm.mysql.Driver</mx:TEXT>
  </WARNING>
  <WARNING seq="4">
  <mx:TEXT>Failed loading JDBC Driver class oracle.jdbc.driver.OracleDriver</mx:TEXT>
  <mx:TEXT>java.lang.ClassNotFoundException: oracle.jdbc.driver.OracleDriver</mx:TEXT>
  </WARNING>
  <WARNING seq="5">
  <mx:TEXT>Failed loading JDBC Driver class COM.ibm.db2.jdbc.app.DB2Driver</mx:TEXT>
  <mx:TEXT>java.lang.ClassNotFoundException: COM.ibm.db2.jdbc.app.DB2Driver</mx:TEXT>
  </WARNING>
  <WARNING seq="6">
  <mx:TEXT>Failed loading JDBC Driver class COM.ibm.db2.jcc.DB2Driver</mx:TEXT>
  <mx:TEXT>java.lang.ClassNotFoundException: COM.ibm.db2.jcc.DB2Driver</mx:TEXT>
  </WARNING>
  <WARNING seq="7">
  <mx:TEXT>Failed loading JDBC Driver class COM.ibm.db2.jdbc.net.DB2Driver</mx:TEXT>
  <mx:TEXT>java.lang.ClassNotFoundException: COM.ibm.db2.jdbc.net.DB2Driver</mx:TEXT>
  </WARNING>
  </mx:MESSAGES>
  </mx:PASS>
  <mx:PASS name="6D5485D1-2CF6-4E5B-9972-7141CB9051EA" title="AssignUserToADSGroup" type="ToLDIF" seq="1">
  <mx:MESSAGES>
  <mx:WARNING seq="1">
  <mx:TEXT>PrivDN: !ERROR:No such attribute</mx:TEXT>
  <mx:ENTRY/>
  </mx:WARNING>
  <mx:WARNING seq="2">
  <mx:TEXT>PrivDN: !ERROR:No such attribute</mx:TEXT>
  <mx:ENTRY/>
  </mx:WARNING>
  <mx:WARNING seq="3">
  <mx:TEXT>PrivDN: !ERROR:No such attribute</mx:TEXT>
  <mx:ENTRY/>
  </mx:WARNING>
  </mx:MESSAGES>
  <mx:DELTA>0</mx:DELTA>
  <mx:TIMEUSED>2</mx:TIMEUSED>
  <mx:NENTRIES adds="3" mods="0" dels="0" noops="0" markdels="0">3</mx:NENTRIES>
  <mx:NERRORS>0</mx:NERRORS>
  <mx:NWARNINGS>3</mx:NWARNINGS>
  </mx:PASS>
  </mx:PASSES>
  </mx:EMSLOG>

• Unable to remove user from SharePoint Group using PowerShell

  I am trying to remove a user from a SharePoint Group using PowerShell.
  I can see the user in the Site Collection as part of the SharePoint Group, however, when I attempt to run the script, I get an error message stating "Can not find the user with ID: 10"
  Below is the PowerShell script that I am using:
  $url = "https://sharepointdev.spfarm.spcorp.com/sites/desitecoll"
  $userName = "spfarm\sp2013_svc"
  #$userName = "spfarm\spprofileimport";
  $site = New-Object Microsoft.SharePoint.SPSite($url)
  $web = $site.OpenWeb()
  $siteGroups = $web.SiteGroups;
  Clear-Host
  $mySiteGroups = @();
  foreach($group in $siteGroups)
  Write-Host $group
  $mySiteGroups += $group;
  }#foreach
  $members = $web.SiteGroups[$mySiteGroups[0]];
  $owners = $web.SiteGroups[$mySiteGroups[1]];
  $visitors = $web.SiteGroups[$mySiteGroups[2]];
  #Remove the user from the specified SharePoint Group
  $spUser = Get-SPUser -Identity $userName -Web $url
  Write-Host $spUser.ID
  Remove-SPUser -Identity $spUser -Web $url -Group $owners
  $web.Update();
  $web.Dispose();
  Write-Host "User " $userName "removed from " $owners
  Please advise.

  I had to update the code to the following because Get-SPUser was not working properly:
  $url = "https://sharepointdev.spfarm.spcorp.com/sites/desitecoll"
  $userName = "spfarm\spprofileimport";
  $site = New-Object Microsoft.SharePoint.SPSite($url)
  $web = $site.OpenWeb()
  $siteGroups = $web.Groups;
  Clear-Host
  $mySiteGroups = @();
  foreach($group in $siteGroups)
  Write-Host $group
  $mySiteGroups += $group;
  }#foreach
  $members = $web.Groups[$mySiteGroups[0]];
  $owners = $web.Groups[$mySiteGroups[1]];
  $visitors = $web.Groups[$mySiteGroups[2]];
  #Convert the user name to an SPUser account
  $spUser = $web.Site.RootWeb.EnsureUser($userName);
  Write-Host $spUser.ID
  Remove-SPUser -Identity $spUser -Web $url -Group $owners
  $web.Update();
  $web.Dispose();
  Write-Host "User " $userName "removed from " $owners
  Was I not using Get-SPUser correctly?

• What is t-code SHD0's 'Variant Groups' used for?

  hi all:
  What is t-code SHD0's 'Variant Groups' used for?
  It seems can't work,who can help me?
  thanksss.

  Variant groups
  An extension of the standard variants is involved in the variant groups; the standard groups are often insufficient:
  Different users (groups) should work with different variants;
  Some users should be able to execute a transaction with different variants.
  This is possible - in addition to the advantages that the standard variants offer - with variant groups:
  Variants from variant groups are automatically applied, but only for users that are assigned to them.
  A user can be assigned to several groups and can change the assignment.
  The values of the groups are not applied in the batch input mode.
  If a transaction is started with another transaction variant, the values are not additionally applied to a variant group.
  How are the variant groups maintained?
  You can enter the group names on the "Variant Group" tab and maintain variant groups with the "Create" or "Change" functions.
  The group name must be in the "correct" namespace.
  In addition, there are two Where-Used Lists:
  Which users are assigned to the group,
  For which transactions the group applies.
  Which transaction variants belong to the groups?
  The name of a transaction variant that is to belong to a group meets the following naming conventions:
  <Name of variant group><name of transaction code>. Example: A transaction variant is to be created for the XYZ transaction that belongs to GROUP1. The name of the transaction variant is then GROUP1XYZ.
  Due to this naming convention, the group name must be in the "correct" namespace.
  Transaction variants that (randomly) meet this naming convention do not necessarily belong to a group. The group assignment is activated by
  1. Creating a group
  2. Assigning users to this group
  A transaction variant that belongs to a group can also be used this way, like a transaction variant without a group.
  How are the transaction variants that belong to a group maintained?
  Transaction variants that belong to a group are maintained in the same way as all other transaction variants, they are distinguished using a naming convention (<name of variant group> <name of transaction codes>).
  They can be maintained in the "transaction variants" tab or in the "variant groups" tab. If you maintain them in the "variant groups" tab, you must always enter the transaction code so that the name of the transaction variant can be determined.
  Under what conditions is a variant from a group applied?
  A variant from a group is applied if users are assigned.
  (Only for the assigned users, all other users get the original transaction with a variant from a different group.)
  It is NOT sufficient to
  Create a group
  Create a variant that satisfies the naming convention.
  How do you assign users to groups?
  You can assign users in the "variant groups" tab in the "user assignment".
  Enter the user name.
  The user is assigned to the group with the "assign" function, but they see original transaction(s) or the transactions with variants from another group as the proposal.
  The assignment of users to the group is deleted using the "delete assignment" function.
  The user is assigned to the group using the "Set Proposal" function and the relevant transactions are started for this user with the corresponding variants.
  The proposal is canceled with the "Cancel Proposal" function, the assignment itself remains.
  If you enter the user names generically (*), you receive a selection screen in which you can
  Choose whether assignments or proposals are to be changed
  Further restrict user names (the group in the "all users from group" option has nothing to do with the variant group, it concerns the "user group for authorization check" from the user master record (logon data)).
  By choosing "Execute", you receive a list in which you can further restrict the user selection. The "Save" function saves the assignments for all selected users.
  If you want to start the report in the background, you can choose if just the list should be outputted, or if the database changes should also be performed.
  If a user is additionally also to be able to execute the original transaction, he must be assigned to the "empty group", the allocation takes place in the same way, in this case, nothing is simply entered in the group name field.
  Regards,
  Joy.