Bapi to assign or delete ROLES
hello all,
Does anybody knows a bapi or FM to assign new roles or to delete them to a user?
Thanks,
Ricardo
Ricardo,
check this BAPI_USER_ACTGROUPS_ASSIGN and check FG SU_USER
Thanks
Bala Duvvuri
Similar Messages
-
CUP - Unable to assign and delete role at the same time
Hello everybody,
I have an issue with CUP.
Regarding a change account request, if I assign roles, it works. In the other hand, if I delete roles (also with a change account request) it works too. But if I mix both of them in the same request (assigning and deleting roles) it doesn't works. Only the deletion works. Some times we have no error message and some times we have:
Error provisioning your request. Request no: 94. Error occurred in the system(s) : n/a, error details :
DR1CLNT200-ZTEST01-USER CREATE-Function template /VIRSA/BAPI_USER_CHANGE could not be retrieved from DR1CLNT200
Do you have please an idea to solve this issue?
For information the CUP used is a 5.3 SP 5.0 version.
Thanks in advance for any help.
BMWHi Ben,
There may be a possibility of such a behaviour in SP05 as many of the changes in code has been done
till now which may result into such issue and we can't confirm your findings by re-creating it. However, you can check few things functionally which may resolve this issue:-
1) This error usually comes when the role selected is already assigned to the user or user doesn't exist in the system for which change request is created.
2) when this error encounters the system, please take the system logs for that time from 'Monitoring' tab under configuration in 'English' and there the error cause can be found out or please paste the logs so that we can analyse.
3) Also, you can refer to SAP Note:- 1168508 where many of the role related issues have been resolved after SP05, therefore, for smooth functioning of GRC-CUP 5.3, it's better to upgrade to the latest SP i.e. SP18.11(available at SMP).
Best Regards,
Akhil Chopra -
ERROR MESSAGE AMT : CANNOT DELETE TOKEN AFTER IT WAS ASSIGNED TO A ROLE
We are working on the setup in our sandbox environment and we have noticed that we are unable to delete tokens and remove the protection on BO's.
the following message appears : "CANNOT DELETE TOKEN AFTER IT WAS ASSIGNED TO A ROLE"
There is no Token assigned to any role anymore and we have also removed all rules and so on, Still it remains impossioble to remove the token on a protected BO or to remove the protection of a BO.
Thanks for your helpHi Wim,
Ive replied to your support message, requesting a remote connection so I can
investigate further.
Regards,
Gervase -
Provisioning of roles to ABAP system deletes role assignments in backend
Hi all,
following scenario:
user has role A in an ABAP system which is connected to IDM. Assignment of role A to the user is not in the identity store.
Now you assign role B via workflow to the user and IDM provisions this new assignment to the ABAP system.
What will happen is that the user will get role B but assignment of role A will be deleted.
This happens because in the job "SetABAPRole&ProfileForUser" the connector attribute "roles" will only consist the role assignments which are in the identity store. All assignments in the ABAP system which are not yet in the IDS will be overwritten.
This behaviour can be very critical. If you still allow role assignments directly in the backend system and you read these assignments e.g. once a day to the IDS - but in the meantime assignments have been done via workflow - you will lose data.
My customer wants to assign roles both directly in the system and also by workflow. Every night an ABAP update job runs which writes new assignments to the IDS.
Do you have any idea how I could solve this? Is there a way NOT to overwrite assignments with the ABAP connector field "roles"? I tried to use multivalue operator but this didn't do the trick.
I hope I was able to describe my problem properly and you have answers...
Best regards
Jörn KaplanNo, there is not a way to avoid that IdM replaces the role assignment in ABAP with the current assignments as know by IdM. IdM is the master!
This is not directly an issue of IdM: The standard BAPIs in ABAP (up to release 7.0) offer "replace all role assignments" but not "add role assignment" or "remove role role assignment".
However, there exist an exception: Role assignments in ABAP which are created indirectly by an HR-ORG assignment are not touched by IdM. (There role assignment are viewed in blue in transaction SU01.)
See http://help.sap.com/saphelp_nw70/helpdata/EN/50/e9683c5de8676fe10000000a114084/frameset.htm for details.
Kind regards
Frank Buchholz -
Delete Role Assignments directly from an ABAP System
Hi folks!
I'm working on a synchronization job and I have a particular challenge, delete Roles assigned to a user in the ABAP System.
Our use case is this: IDM is regarded as the authoritative source and as such if the user has a privilege in IDM, it should be in the backend. Easy enough!
However if the privilege is not in IDM but is in the back-end, it needs to be removed. Is there a way to do this in IDM? From what I saw in the Framework, we are assuming that the role already exists in IDM.
I suppose the work around would be to assign and then remove the matching privilege in IDM, but I really don't like that at all, for a number of reasons.
I looked in the business suite and plain ABAP portions of the framework. I'll take a more detailed look and also check the RDS, but I get the feeling this will be a toughie.
Thanks for your help!
MattHello Matt,
so you want to remove local administrated role?
If the object really is to undo the local administration, I would do this:
Create a batch job, the passes would be a FromSAP, a ToGeneric and one/two ToSAP
At first a cleaning pass (the ToGeneric one) which fixes all incorrect assigned privs (re-add directly or remove, depends on what you want/need). The source tab query and destination tab script have to be written though (I guess that is the most time consuming part of the job during implementation)
The pending privs have to be considered in the provisioning script (I would prefer our own written script over the SAP delivered anytime)
Copy the Read ABAP pass for users. Remove everything but the logonuid and the role assignments (profile assignments only if needed, too). Maybe use a different table name like sap<repName>userAssignRecon. If the system is very large, this pass has to be optimized filters
Copy the role provisioning pass from the in-use plugin (SAP or adjusted one) and adjust it like this:
Source tab query: A query which selects all mskeys of users that have more assigned in the sap table as in the link view. Using the Identity Store so everything of the identity is selected
Destination tab: Remove the profiles as you haven't mentioned them. If needed I would do the same for profiles as for the roles in a second pass with the profileAssign table.
Best regards
Dominik -
Hi Experts,
I am using CRM 4.0.
I have mistakenly assigned a role to a BP and i have saved it.
How can I remove/delete this role from the BP.?
Please help.
Many thanks,
NeerajHi,
Actually you should not be deleting a role assigned to the BP. Here is the explanation.
Explanations and reasons are following:
1. Role is not a characteristic of BP, and not also not a field value which can be stored and changed.
2. Technically, Role is a dynamical link to the group of BP subscreens in
the table BUT100, this is an only place where this Role is presented
physically.
3. This value is not shown anywhere, and used only by a
transaction BP for internal purposes.
4. But even after usage of some solution for doing it, nothing can prevent
automatical detection. That means, if you maintain some BP data, which
is enough for some particular role, this role will be marked as
maintained anyway.
5. This is not an only side effect, which can not be resolved. Kindly
remember, that actual BP Data is not changed by changing a Role. That
means, that after deleting of a Role, which provides an access to some
Role-specific data, this data won't be deleted, just hided from user in
transaction BP.
In this case, when some program will request for this data, it will
receive it without a problem, and potentially this program can determine
this BP incorrectly.
Also, when somebody switch a Role for this BP to the "deleted", already maintained data will "suddenly" appear. The same can happen, if this data is shared between several BP Roles (like Sales Area data for Ship-to party and Sold-to Party) - after switching to another Role, data
for "deleted" Role will appear again.
If you need further information kindly refer to note 596334.
Hope this helps.
Venkat -
Hi
I would like to get some information regarding transport of deleted roles from one system to another.
For some reason we have a set of derived roles in PRD (Around 12) and dont have it in QA.
I would like to have the same created in the QA. After that I would like to delete all these derived roles in QA. I would like to have the changes cascaded to production as well.
My question here is that Since i am going to delete these derived roles I do not want to go through the trouble of assigning the exact authorizations for these derived roles (as what is present in PRD) coz doing so would consume a lot of time. I would just like to create the child roles (with the same name as its in PRD) and then I would like to cascade the deletion. Is that possible ? How ?
Is it sufficient to just have a role by the same name (without all the authorization data) and do a cascade delete ?
Should you have some reference document which can be shared please do so.
Please advise
best regards
Ravi
Note: I am not using Central User Administration.Hi ,
The roles ( the main role and the derieved roles will also be downloaded ) can be downloaded from the PRD by using the T code PFCG -
> utilities -
> mass download or role----> download from the menu bar onto the desktop and log on to QA and and again use PFCG Transacion then uploaded from role -
> upload after which the roles uploaded need to be generated .
This will have all the roles in the QA system with the derieved roles as well and if the roles are deleted in the QA and then if the main role is again uploaded to PRD the it will overide the existing roles with the new ones from QA with all the new changes done in QA .
Hope i am not missing anything ,
Regards,
Sagar -
Team,
I got an error while creating a User for Domain Account. Below is the screen shot of the error (error : 15401)
Database instance is on SQL 2000 SP3. ( I know it is out of support, But the customer is relutanct to upgrade)
On Google search, i found below article which is best matching for this error
http://support.microsoft.com/kb/324321
I have follows each step of troubleshooting. But still the issue persists.
Step 1. The login does not exist == The login is very much exist in the domain as i am able to add the same domain id to other database instances
Step 2. Duplicate security identifiers == i have used this query to find duplicate SID
/* SELECT name FROM syslogins WHERE sid = SUSER_SID ('YourDomain\YourLogin') */
But there was only one row returned with create date of today's.
Error while Assigning database level role (db_datareader) to SQL login (Domain Account)
Step 3. Authentication failure == Domain is available. User is able to login on other servers via RDP connection.
Step 4. Case sensitivity == Database collation is set to Case insensitivity. (CI)
Other two 5. Local Accounts & 6. Name resolution == is not applicable to me.
I tried other ways also.
A. Creating login and providing permission in one go only = User account is not created
B. Instead of GUI, use query to create login and provide required permission = Same error.
Does anybody has faced any such situation
ChetanSee the below output
srvid
sid
xstatus
xdate1
xdate2
name
password
dbid
language
isrpcinmap
ishqoutmap
selfoutmap
NULL
0x010500000000000515000000A1F66E1BFC1DC75D26E72530A2B80400
14
20:25.9
57:33.4
UKBAA\LHRAPPMuttavarapuS
NULL
1
us_english
0
0
0
Chetan -
Need procedure for creation of BW Roles, Assigning Queries,Publishing Roles
Hi Experts,
Could you please let me know the procedure for creation of BW Roles, Assigning Queries,Publishing Roles in Business Explorer (BEx - BW 3.5)
Thanks in advance,
AndyHi,
Creating BW Roles
http://help.sap.com/saphelp_nw04/helpdata/en/52/6714b6439b11d1896f0000e8322d00/frameset.htm
Assigning Queries
After creating the query, save the query to a role from the query designer.
Publishing Roles in Business Explorer
https://websmp101.sap-ag.de/~sapdownload/011000358700002894802003E/HowToBIPortal1.pdf
Hope this helps you..!
-Pradnya -
unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest
Hi,
For SU01 role removal, you do not need S_USER_AGR with 02, and as you mentioned both authorizations available in production, if so trace should not show you the S_USER_AGR with 02 with RC=04.
I would recommend to do role comparison for the user performing the activity. and then check if you have the S_USER_AGR with 02 in user buffer SU56.
But ideally it should not ask you S_USER_AGR for 02 through SU01, so please take help of abaper to debug it.
Also put trace in non-prd to see if S_USER_AGR is getting checked with 02 for removal through SU01.
BR,
Mangesh -
Error while assigning the fallowing role to the user
Hi,
ERROR 2007-01-18 14:13:25
CJS-30196 Role SAP_BC_JSF_COMMUNICATION_RO is not assigned to user SAPJSF
i am getting the fallowing error while trying to assigning the fallowing role to the user any body through some light in to it.
Thanks
kiran.BHi,
Standard roles are not assigned to users directly.Make sure that copy the role from standard roles then change naming convention like your company specification.
Ex: standard role : SAP_BC_JSF_COMMUNICATION_RO
Step:1: go to t-code: PFCG and give the role name in role tab SAP_BC_JSF_COMMUNICATION_RO
Step:2: press copy button and change the naming convention.
Step:3: Assign to the user.
I hope it will help you.
kiran kumar.v -
Getting dump while assigning resource to role
Hi,
We are using BAPI_BUS2177_STAFFING_ADD to assign resource to role.
It is assigning first resource to first role in first project. And giving dump for next resource to role assignment for the same project.
Short dump description is like as follows:
The exception 'CX_DPR_FATAL_ERROR' was raised, but it was not caught anywhere
along
the call hierarchy.
Since exceptions represent error situations and this error was not
adequately responded to, the running ABAP program
'CL_DPR_AUTHORIZATION_SERVICES=CP' has to be
terminated.
The problem is of "COMMIT". I ma not understanding where to write exact commit. Even if we are commiting at project level it is giving dump.
Could you please give any suggestion on it.
Thanks & Regards,
Anil SalekarHello Kaixiang,
When you add staffing to project then commit after each resource assignment. That will avoid the dump.
Use:
CALL FUNCTION 'BAPI_CPROJECTS_COMMIT_WORK'
TABLES
return = it_return.
Note: Re award if useful
Thanks,
Appasaheb.. -
I create a brand new plan based on a template.
A task in that plan has a team resource assigned. the task is fixed work. The PM may change the work and duration but not the team resource.
The plan is published.
I delegate my self as a team resource: and try add myself to team task in the timesheet area (using insert row). I can choose some tasks and the add. Most tasks throw this error. This happens if nothing on the plan is changed - it is brand new - minutes
old
One or more of the specified resources could not be re-assigned. This can happen if the proposed resource to be assigned has already an assignment on the given task or the specified assignment is deleted or rejected.
How can I stop the alert:
One or more of the specified resources could not be re-assigned. This can happen if the proposed resource to be assigned has already an assignment on the given task or the specified assignment is deleted or rejected.
Trying to stop the swap to Salesforce - but the errors keep a comingoooch - I can fix it - I need delete the task and recreate it. Which is amazingly tedious as I cannot see if a task needs recreating or not. There's 10 template plans and an average of 200 tasks - then I have to rename the template - the assign the
new template to the EPT - this will be a long night; with only complaints at the end.
Trying to stop the swap to Salesforce - but the errors keep a coming -
Unable to assign all security roles to a user with a new custom security role
Dear All,
Happy New Year.!
I have a query regarding the assignment of Security Roles to new users in CRM. Normally we assign the security roles to new users via an Admin user who has 'System Administrator' security role assigned to him/her. This works perfectly fine, and we can assign
any desired security role to the new user.
However, in our case, we need to delegate the user creation rights to some of the client partners. We do not want to give them access to all the Administration functions; hence we created a new Security Role, lets say 'Support User Role'. We have provided
'Create', 'Append', 'Append To', and 'Assign' rights on 'User' entity for this new security role. With this security role, we are able to create new users now, but we are only able to assign 'Agent' security role, not any other security roles.
For example, if user 'x' has Security Role defined as 'Support User Role'. If 'x' tries to add a new user 'y', then 'x' is only able to assign 'Agent' security role to 'y', but not any other security role. As per business requirement, 'x' should be able
to assign some other security roles, including 'Support User Role', to new user 'y'.
I believe that there is something missing in Security Role configuration, which is causing the above problem. We compared both 'Support User Role' and 'System Administrator' security roles, but not able to figure out which minimum rights we can provide to
'Support User Role' so that users with this security role can only add new users (with any security role), and that they are not having access on any other Administration features as well.
Appreciate any help that you can provide on the above issue.
Thanks in anticipation.Hi,
Can you check if you have organization level Read access for Securitity Role and Organization level Assign access for Security role.
Refer:-
http://www.magnetismsolutions.com/blog/paulnieuwelaar/2013/04/22/permissions-required-to-manage-roles-in-dynamics-crm-2011
Hope this helps!!!
Thanks,
Prasad
Make sure to "Vote as Helpful" and "Mark As Answer",if you get answer of your question -
Portal: Tab displayed but not assigned to any roles of user
HI Experts,
I have a problem need your great help.
When I logon portal as a specific user, there are 5 tab in home page. When I check the role list, 3 tabs doesn't assigned to any roles this user owned.
Then I try to copy current user into a new user, and logon in . There are only 2 tabs left, which belonged to assigned role.
How those 3 tab assigned into this user? Can we assign iView/Page/Workset directly to user without role?
Any suggestion appreciate. Thanks so much!
Edited by: Jalyn Liang on Nov 13, 2009 9:29 AM
Edited by: Jalyn Liang on Nov 13, 2009 9:30 AMJalyn Liang ,
You can find if the user id belong to a particular group with the following ways,
Log in as an admin and go to User Admin -> Users- > Seach -> Enter the user Id and serach for the user -> Select the 5th icon with the tool tip ->Assigned Groups"
or
User Admin -> Group -> Search for the group.
or
You can use UME API to find out whether the is belowng to a group though coding.
Ram
Maybe you are looking for
-
How can we stop jre 7 from blowing us all out of the water?
I would like to put forth a issue that greatly concerns me which is java 7. In recent times, some browsers have summarily decided that they only allow calls to "current" versions of java. So in Mozilla's mindset, the only current version of java now
-
Element name and attribute completion in XML editor?
With either WebLogic Workshop 9.2.2 or 10.x, is it possible to get completion assistance on elements and attributes? It works in the JSP editor, but I need to know whether this will work for XML documents. For some of these namespaces, they are defin
-
In BO 6.5.1 BO(DeskI) report Large Amounts are truncated/devided by 100
hie all, we are using BO6.5.1 SP2 on windows DB:Oracle10g. In BusinessObjects(Desktop Intelligence) report i am facing this problem. "small amounts is showing correct values and for large amounts are incorrect. In the sense if the amounts are large
-
Importing itunes xml file..
Since the other day, about every 1 in 4 times I open itunes, it will stall, then say "importing itunes xml file" before giving me a message that it's a damaged file and then allowing the program to pop up with all the default first-time playlists etc
-
Struts 1.3.10 problem
Hello I have a page that has two active portions, "feed" by session objects and iterated. It works fine monolithically. I now want to break it up into a frameset using the struts frame tag for the individual segmented portions. Before I launch to my