Bapi to assign or delete ROLES

hello all,
Does anybody knows a bapi or FM to assign new roles or to delete them to a user?
Thanks,
Ricardo

Ricardo,
check this BAPI_USER_ACTGROUPS_ASSIGN and check FG SU_USER
Thanks
Bala Duvvuri

Similar Messages

  • CUP - Unable to assign and delete role at the same time

    Hello everybody,
    I have an issue with CUP.
    Regarding a change account request, if I assign roles, it works. In the other hand, if I delete roles (also with a change account request) it works too. But if I mix both of them in the same request (assigning and deleting roles) it doesn't works. Only the deletion works. Some times we have no error message and some times we have:
    Error provisioning your request. Request no: 94. Error occurred in the system(s) : n/a, error details :
    DR1CLNT200-ZTEST01-USER CREATE-Function template /VIRSA/BAPI_USER_CHANGE could not be retrieved from DR1CLNT200
    Do you have please an idea to solve this issue?
    For information the CUP used is a 5.3 SP 5.0 version.
    Thanks in advance for any help.
    BMW

    Hi Ben,
    There may be a possibility of such a behaviour in SP05 as many of the changes in code has been done
    till now which may result into such issue and we can't confirm your findings by re-creating it. However, you can check few things functionally which may resolve this issue:-
    1) This error usually comes when the role selected is already assigned to the user or user doesn't exist in the system for which change request is created.
    2) when this error encounters the system, please take the system logs for that time from 'Monitoring' tab under configuration in 'English' and there the error cause can be found out or please paste the logs so that we can analyse.
    3) Also, you can refer to SAP Note:- 1168508 where many of the role related issues have been resolved after SP05, therefore, for smooth functioning of GRC-CUP 5.3, it's better to upgrade to the latest SP i.e. SP18.11(available at SMP).
    Best Regards,
    Akhil Chopra

  • ERROR MESSAGE AMT : CANNOT DELETE TOKEN AFTER IT WAS ASSIGNED TO A ROLE

    We are working on the setup in our sandbox environment and we have noticed that we are unable to delete tokens and remove the protection on BO's.
    the following message appears : "CANNOT DELETE TOKEN AFTER IT WAS ASSIGNED TO A ROLE"
    There is no Token assigned to any role anymore and we have also removed all rules and so on, Still it remains impossioble to remove the token on a protected BO or to remove the protection of a BO.
    Thanks for your help

    Hi Wim,
    Ive replied to your support message, requesting a remote connection so I can
    investigate further.
    Regards,
    Gervase

  • Provisioning of roles to ABAP system deletes role assignments in backend

    Hi all,
    following scenario:
    user has role A in an ABAP system which is connected to IDM. Assignment of role A to the user is not in the identity store.
    Now you assign role B via workflow to the user and IDM provisions this new assignment to the ABAP system.
    What will happen is that the user will get role B but assignment of role A will be deleted.
    This happens because in the job "SetABAPRole&ProfileForUser" the connector attribute "roles" will only consist the role assignments which are in the identity store. All assignments in the ABAP system which are not yet in the IDS will be overwritten.
    This behaviour can be very critical. If you still allow role assignments directly in the backend system and you read these assignments e.g. once a day to the IDS - but in the meantime assignments have been done via workflow - you will lose data.
    My customer wants to assign roles both directly in the system and also by workflow. Every night an ABAP update job runs which writes new assignments to the IDS.
    Do you have any idea how I could solve this? Is there a way NOT to overwrite assignments with the ABAP connector field "roles"? I tried to use multivalue operator but this didn't do the trick.
    I hope I was able to describe my problem properly and you have answers...
    Best regards
    Jörn Kaplan

    No, there is not a way to avoid that IdM replaces the role assignment in ABAP with the current assignments as know by IdM. IdM is the master!
    This is not directly an issue of IdM: The standard BAPIs in ABAP (up to release 7.0) offer "replace all role assignments" but not "add role assignment" or "remove role role assignment".
    However, there exist an exception: Role assignments in ABAP which are created indirectly by an HR-ORG assignment are not touched by IdM. (There role assignment are viewed in blue in transaction SU01.)
    See  http://help.sap.com/saphelp_nw70/helpdata/EN/50/e9683c5de8676fe10000000a114084/frameset.htm for details.
    Kind regards
    Frank Buchholz

  • Delete Role Assignments directly from an ABAP System

    Hi folks!
    I'm working on a synchronization job and I have a particular challenge, delete Roles assigned to a user in the ABAP System.
    Our use case is this: IDM is regarded as the authoritative source and as such if the user has a privilege in IDM, it should be in the backend.  Easy enough!
    However if the privilege is not in IDM but is in the back-end, it needs to be removed.  Is there a way to do this in IDM? From what I saw in the Framework, we are assuming that the role already exists in IDM.
    I suppose the work around would be to assign and then remove the matching privilege in IDM, but I really don't like that at all, for a number of reasons.
    I looked in the business suite and plain ABAP portions of the framework.  I'll take a more detailed look and also check the RDS, but I get the feeling this will be a toughie.
    Thanks for your help!
    Matt

    Hello Matt,
    so you want to remove local administrated role?
    If the object really is to undo the local administration, I would do this:
    Create a batch job, the passes would be a FromSAP, a ToGeneric and one/two ToSAP
    At first a cleaning pass (the ToGeneric one) which fixes all incorrect assigned privs (re-add directly or remove, depends on what you want/need). The source tab query and destination tab script have to be written though (I guess that is the most time consuming part of the job during implementation)
    The pending privs have to be considered in the provisioning script (I would prefer our own written script over the SAP delivered anytime)
    Copy the Read ABAP pass for users. Remove everything but the logonuid and the role assignments (profile assignments only if needed, too). Maybe use a different table name like sap<repName>userAssignRecon. If the system is very large, this pass has to be optimized filters
    Copy the role provisioning pass from the in-use plugin (SAP or adjusted one) and adjust it like this:
    Source tab query: A query which selects all mskeys of users that have more assigned in the sap table as in the link view. Using the Identity Store so everything of the identity is selected
    Destination tab: Remove the profiles as you haven't mentioned them. If needed I would do the same for profiles as for the roles in a second pass with the profileAssign table.
    Best regards
    Dominik

  • Deleting role from BP

    Hi Experts,
    I am using CRM 4.0.
    I have mistakenly assigned a role to a BP and i have saved it.
    How can I remove/delete this role from the BP.?
    Please help.
    Many thanks,
    Neeraj

    Hi,
    Actually you should not be deleting a role assigned to the BP. Here is the explanation.
    Explanations and reasons are following:
    1. Role is not a characteristic of BP, and not also not a field value which can be stored and changed.
    2. Technically, Role is a dynamical link to the group of BP subscreens in
        the table BUT100, this is an only place where this Role is presented
        physically.
    3. This value is not shown anywhere, and used only by a
        transaction BP for internal purposes.
    4. But even after usage of some solution for doing it, nothing can prevent
       automatical detection. That means, if you maintain some BP data, which
       is enough for some particular role, this role will be marked as
       maintained anyway.
    5. This is not an only side effect, which can not be resolved. Kindly
        remember, that actual BP Data is not changed by changing a Role. That
        means, that after deleting of a Role, which provides an access to some
        Role-specific data, this data won't be deleted, just hided from user in
        transaction BP.
    In this case, when some program will request for this data, it will
    receive it without a problem, and potentially this program can determine
    this BP incorrectly.
    Also, when somebody switch a Role for this BP to the "deleted", already maintained data will "suddenly" appear. The same can happen, if this data is shared between several BP Roles (like Sales Area data for Ship-to party and Sold-to Party) - after switching to another Role, data
    for "deleted" Role will appear again.
    If you need further information kindly refer to note 596334.
    Hope this helps.
    Venkat

  • Transport Deleted Roles

    Hi
    I would like to get some information regarding transport of deleted roles from one system to another.
    For some reason we have a set of derived roles in PRD (Around 12) and dont have it in QA.
    I would like to have the same created in the QA. After that I would like to delete all these derived roles in QA. I would like to have the changes cascaded to production  as well.
    My question here is that Since i am going to delete these derived roles I do not want to go through the trouble of assigning the exact authorizations for these derived roles (as what is present in PRD) coz doing so would consume a lot of time. I would just like to create the child roles (with the same name as its in PRD) and then I would like to cascade the deletion.  Is that possible ? How ?
    Is it sufficient to just have a role by the same name (without all the authorization data) and do a cascade delete ?
    Should you have some reference document which can be shared please do so.
    Please advise
    best regards
    Ravi
    Note: I am not using Central User Administration.

    Hi ,
    The roles ( the main role and the derieved roles will also be downloaded ) can be downloaded  from the PRD by using the T code PFCG -
    > utilities -
    > mass download or role----> download from the menu bar onto the desktop and log on to QA and and again use PFCG  Transacion then uploaded from role   -
    >  upload  after which the roles uploaded need to be generated .
    This will have all the roles in the QA system with the derieved roles as well and  if the roles are deleted in the QA and then if the main role is again uploaded to PRD the it will overide the existing roles with the new ones from QA with all the new changes done in QA .
    Hope i am not missing anything ,
    Regards,
    Sagar

  • Error while Assigning database level role (db_datareader) to SQL login (Domain Account)

    Team,
    I got an error while creating a User for Domain Account. Below is the screen shot of the error (error : 15401)
    Database instance is on SQL 2000 SP3. ( I know it is out of support, But the customer is relutanct to upgrade)
    On Google search, i found below article which is best matching for this error
    http://support.microsoft.com/kb/324321
    I have follows each step of troubleshooting. But still the issue persists.
    Step 1. The login does not exist == The login is very much exist in the domain as i am able to add the same domain id to other database instances
    Step 2. Duplicate security identifiers == i have used this query to find duplicate SID
    /*  SELECT name FROM syslogins WHERE sid = SUSER_SID ('YourDomain\YourLogin') */
    But there was only one row returned with create date of today's.
    Error while Assigning database level role (db_datareader) to SQL login (Domain Account) 
    Step 3. Authentication failure == Domain is available. User is able to login on other servers via RDP connection.
    Step 4. Case sensitivity == Database collation is set to Case insensitivity. (CI)
    Other two 5. Local Accounts & 6. Name resolution == is not applicable to me.
    I tried other ways also.
    A. Creating login and providing permission in one go only = User account is not created
    B. Instead of GUI, use query to create login and provide required permission = Same error.
    Does anybody has faced any such situation
    Chetan

    See the below output
    srvid
    sid
    xstatus
    xdate1
    xdate2
    name
    password
    dbid
    language
    isrpcinmap
    ishqoutmap
    selfoutmap
    NULL
    0x010500000000000515000000A1F66E1BFC1DC75D26E72530A2B80400
    14
    20:25.9
    57:33.4
    UKBAA\LHRAPPMuttavarapuS
    NULL
    1
    us_english
    0
    0
    0
    Chetan

  • Need procedure for creation of BW Roles, Assigning Queries,Publishing Roles

    Hi Experts,
      Could you please let me know the procedure for creation of BW Roles, Assigning Queries,Publishing Roles in Business Explorer (BEx - BW 3.5)
    Thanks in advance,
    Andy

    Hi,
    Creating BW Roles
    http://help.sap.com/saphelp_nw04/helpdata/en/52/6714b6439b11d1896f0000e8322d00/frameset.htm
    Assigning Queries
    After creating the query, save the query to a role from the query designer.
    Publishing Roles in Business Explorer
    https://websmp101.sap-ag.de/~sapdownload/011000358700002894802003E/HowToBIPortal1.pdf
    Hope this helps you..!
    -Pradnya

  • Unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest

    unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest

    Hi,
    For SU01 role removal, you do not need S_USER_AGR with 02, and as you mentioned both authorizations available in production, if so trace should not show you the S_USER_AGR with 02 with RC=04.
    I would recommend to do role comparison for the user performing the activity. and then check if you have the S_USER_AGR with 02 in user buffer SU56.
    But ideally it should not ask you S_USER_AGR for 02 through SU01, so please take help of abaper to debug it.
    Also put trace in non-prd to see if S_USER_AGR is getting checked with 02 for removal through SU01.
    BR,
    Mangesh

  • Error while assigning the fallowing role to the user

    Hi,
    ERROR 2007-01-18 14:13:25
    CJS-30196  Role SAP_BC_JSF_COMMUNICATION_RO is not assigned to user SAPJSF
    i am getting the fallowing error while trying to assigning the fallowing role to the user any body through some light in to it.
    Thanks
    kiran.B

    Hi,
    Standard roles are not assigned to users directly.Make sure that copy the role from standard roles then change naming convention like your company specification.
    Ex: standard role : SAP_BC_JSF_COMMUNICATION_RO
    Step:1: go to t-code: PFCG and give the role name in role tab SAP_BC_JSF_COMMUNICATION_RO
    Step:2: press copy button and change the naming convention.
    Step:3: Assign to the user.
    I hope it will help you.
    kiran kumar.v

  • Getting dump while assigning resource to role

    Hi,
    We are using BAPI_BUS2177_STAFFING_ADD  to assign resource to role.
    It is assigning first resource to first role in first project. And giving dump for next resource to role assignment for the same project.
    Short dump description is like as follows:
    The exception 'CX_DPR_FATAL_ERROR' was raised, but it was not caught anywhere
      along
    the call hierarchy.
    Since exceptions represent error situations and this error was not
    adequately responded to, the running ABAP program
      'CL_DPR_AUTHORIZATION_SERVICES=CP' has to be
    terminated.
    The problem is of "COMMIT". I ma not understanding where to write exact commit. Even if we are commiting at project level it is giving dump.
    Could you please give any suggestion on it.
    Thanks & Regards,
    Anil Salekar

    Hello Kaixiang,
    When you add staffing to project then commit after each resource assignment. That will avoid the dump.
    Use:
    CALL FUNCTION 'BAPI_CPROJECTS_COMMIT_WORK'
             TABLES
               return = it_return.
    Note: Re award if useful
    Thanks,
    Appasaheb..

  • One or more of the specified resources could not be re-assigned. This can happen if the proposed resource to be assigned has already an assignment on the given task or the specified assignment is deleted or rejected.

    I create a brand new plan based on a template.
    A task in that plan has a team resource assigned. the task is fixed work. The PM may change the work and duration but not the team resource.
    The plan is published.
    I delegate my self as a team resource: and try add myself to team task in the timesheet area (using insert row). I can choose some tasks and the add. Most tasks throw this error. This happens if nothing on the plan is changed - it is brand new - minutes
    old
    One or more of the specified resources could not be re-assigned. This can happen if the proposed resource to be assigned has already an assignment on the given task or the specified assignment is deleted or rejected.
    How can I stop the alert:
    One or more of the specified resources could not be re-assigned. This can happen if the proposed resource to be assigned has already an assignment on the given task or the specified assignment is deleted or rejected.
    Trying to stop the swap to Salesforce - but the errors keep a coming

    oooch - I can fix it - I need delete the task and recreate it. Which is amazingly tedious as I cannot see if a task needs recreating or not. There's 10 template plans and an average of 200 tasks - then I have to rename the template - the assign the
    new template to the EPT - this will be a long night; with only complaints at the end.
    Trying to stop the swap to Salesforce - but the errors keep a coming

  • Unable to assign all security roles to a user with a new custom security role

    Dear All,
    Happy New Year.!
    I have a query regarding the assignment of Security Roles to new users in CRM. Normally we assign the security roles to new users via an Admin user who has 'System Administrator' security role assigned to him/her. This works perfectly fine, and we can assign
    any desired security role to the new user.
    However, in our case, we need to delegate the user creation rights to some of the client partners. We do not want to give them access to all the Administration functions; hence we created a new Security Role, lets say 'Support User Role'. We have provided
    'Create', 'Append', 'Append To', and 'Assign' rights on 'User' entity for this new security role. With this security role, we are able to create new users now, but we are only able to assign 'Agent' security role, not any other security roles.
    For example, if user 'x' has Security Role defined as 'Support User Role'. If 'x' tries to add a new user 'y', then 'x' is only able to assign 'Agent' security role to 'y', but not any other security role. As per business requirement, 'x' should be able
    to assign some other security roles, including 'Support User Role', to new user 'y'.
    I believe that there is something missing in Security Role configuration, which is causing the above problem. We compared both 'Support User Role' and 'System Administrator' security roles, but not able to figure out which minimum rights we can provide to
    'Support User Role' so that users with this security role can only add new users (with any security role), and that they are not having access on any other Administration features as well.
    Appreciate any help that you can provide on the above issue.
    Thanks in anticipation.

    Hi,
    Can you check if you have organization level Read access for Securitity Role and Organization level Assign access for Security role.
    Refer:-
    http://www.magnetismsolutions.com/blog/paulnieuwelaar/2013/04/22/permissions-required-to-manage-roles-in-dynamics-crm-2011
    Hope this helps!!!
    Thanks,
    Prasad
    Make sure to "Vote as Helpful" and "Mark As Answer",if you get answer of your question

  • Portal:  Tab displayed but not assigned to any roles of user

    HI Experts,
    I have a problem need your great help.
    When I logon portal as a specific user, there are 5 tab in home page. When I check the role list, 3 tabs doesn't assigned to any roles this user owned.
    Then I try to copy current user into a new user, and logon in . There are only 2 tabs left, which belonged to assigned role.
    How those 3 tab assigned into this user? Can we assign iView/Page/Workset directly to user without  role?
    Any suggestion appreciate. Thanks so  much!
    Edited by: Jalyn Liang on Nov 13, 2009 9:29 AM
    Edited by: Jalyn Liang on Nov 13, 2009 9:30 AM

    Jalyn Liang ,
    You can find if the user id belong to a particular group with the following ways,
    Log in as an admin and go to User Admin -> Users- > Seach -> Enter the user Id and serach for the user -> Select the 5th icon with the  tool tip ->Assigned Groups"
    or
    User Admin -> Group -> Search for the group.
    or
    You can use UME API to find out whether the is belowng to a group though coding.
    Ram

Maybe you are looking for

  • How can we stop jre 7 from blowing us all out of the water?

    I would like to put forth a issue that greatly concerns me which is java 7. In recent times, some browsers have summarily decided that they only allow calls to "current" versions of java. So in Mozilla's mindset, the only current version of java now

  • Element name and attribute completion in XML editor?

    With either WebLogic Workshop 9.2.2 or 10.x, is it possible to get completion assistance on elements and attributes? It works in the JSP editor, but I need to know whether this will work for XML documents. For some of these namespaces, they are defin

  • In BO 6.5.1 BO(DeskI) report Large Amounts are truncated/devided by 100

    hie all, we are using BO6.5.1 SP2 on windows DB:Oracle10g. In BusinessObjects(Desktop Intelligence) report  i am facing this problem. "small amounts is showing correct values and for large amounts are incorrect. In the sense if the amounts are large

  • Importing itunes xml file..

    Since the other day, about every 1 in 4 times I open itunes, it will stall, then say "importing itunes xml file" before giving me a message that it's a damaged file and then allowing the program to pop up with all the default first-time playlists etc

  • Struts 1.3.10 problem

    Hello I have a page that has two active portions, "feed" by session objects and iterated. It works fine monolithically. I now want to break it up into a frameset using the struts frame tag for the individual segmented portions. Before I launch to my