BAPI_USER_ACTGROUPS_ASSIGN deleting roles

Similar Messages

• Unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest

  unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest

  Hi,
  For SU01 role removal, you do not need S_USER_AGR with 02, and as you mentioned both authorizations available in production, if so trace should not show you the S_USER_AGR with 02 with RC=04.
  I would recommend to do role comparison for the user performing the activity. and then check if you have the S_USER_AGR with 02 in user buffer SU56.
  But ideally it should not ask you S_USER_AGR for 02 through SU01, so please take help of abaper to debug it.
  Also put trace in non-prd to see if S_USER_AGR is getting checked with 02 for removal through SU01.
  BR,
  Mangesh

• Delete Role Assignments directly from an ABAP System

  Hi folks!
  I'm working on a synchronization job and I have a particular challenge, delete Roles assigned to a user in the ABAP System.
  Our use case is this: IDM is regarded as the authoritative source and as such if the user has a privilege in IDM, it should be in the backend.  Easy enough!
  However if the privilege is not in IDM but is in the back-end, it needs to be removed.  Is there a way to do this in IDM? From what I saw in the Framework, we are assuming that the role already exists in IDM.
  I suppose the work around would be to assign and then remove the matching privilege in IDM, but I really don't like that at all, for a number of reasons.
  I looked in the business suite and plain ABAP portions of the framework.  I'll take a more detailed look and also check the RDS, but I get the feeling this will be a toughie.
  Thanks for your help!
  Matt

  Hello Matt,
  so you want to remove local administrated role?
  If the object really is to undo the local administration, I would do this:
  Create a batch job, the passes would be a FromSAP, a ToGeneric and one/two ToSAP
  At first a cleaning pass (the ToGeneric one) which fixes all incorrect assigned privs (re-add directly or remove, depends on what you want/need). The source tab query and destination tab script have to be written though (I guess that is the most time consuming part of the job during implementation)
  The pending privs have to be considered in the provisioning script (I would prefer our own written script over the SAP delivered anytime)
  Copy the Read ABAP pass for users. Remove everything but the logonuid and the role assignments (profile assignments only if needed, too). Maybe use a different table name like sap<repName>userAssignRecon. If the system is very large, this pass has to be optimized filters
  Copy the role provisioning pass from the in-use plugin (SAP or adjusted one) and adjust it like this:
  Source tab query: A query which selects all mskeys of users that have more assigned in the sap table as in the link view. Using the Identity Store so everything of the identity is selected
  Destination tab: Remove the profiles as you haven't mentioned them. If needed I would do the same for profiles as for the roles in a second pass with the profileAssign table.
  Best regards
  Dominik

• How to delete role through Transport Request

  Hi,
  when I am deleting Role it is Not asking me for transport request ..this is what i needed.can anybody solve my problem
  regards
  Gaurav

  Hi,
  Please check if your role is already locked under some Transport request. If so it wont pop up any TR.
  If it is locked under some TR, make sure you detach it from the TR and try again it will pop up a TR screen
  Please revert in case of issues
  Regards,
  Pramod

• Deleting roles from CUP

  Gurus,
  We accidently synced CUP with our EP which points to an ABAP stack (therefore tens of thousands of roles!). There are over 6,000 pages of roles in CUP that need to be deleted. Do we have to do this page by page or is there another way?
  Thanks,
  Grace Rae

  Hi Grace,
  Role deletion in CUP can be either rolewise or pagewise. However there is an easier method where you can disable the Roles in one go. The Disabled Roles do not get displayed to Users at the time of Request creation.
  The Role Upload Template which is used for importing these Roles in CUP would be needed here. There is a 5th field for Systems in the template, which had to be modified.
  If the System for these Roles is EP then just replace it with EP(D) in the Role Upload Template. After this modification import the Template again and check the Overwrite Existing Roles option.
  Hope this will minimize your efforts in deleting Roles.
  Regards,
  Nikita.

• Deleting role from BP

  Hi Experts,
  I am using CRM 4.0.
  I have mistakenly assigned a role to a BP and i have saved it.
  How can I remove/delete this role from the BP.?
  Please help.
  Many thanks,
  Neeraj

  Hi,
  Actually you should not be deleting a role assigned to the BP. Here is the explanation.
  Explanations and reasons are following:
  1. Role is not a characteristic of BP, and not also not a field value which can be stored and changed.
  2. Technically, Role is a dynamical link to the group of BP subscreens in
      the table BUT100, this is an only place where this Role is presented
      physically.
  3. This value is not shown anywhere, and used only by a
      transaction BP for internal purposes.
  4. But even after usage of some solution for doing it, nothing can prevent
     automatical detection. That means, if you maintain some BP data, which
     is enough for some particular role, this role will be marked as
     maintained anyway.
  5. This is not an only side effect, which can not be resolved. Kindly
      remember, that actual BP Data is not changed by changing a Role. That
      means, that after deleting of a Role, which provides an access to some
      Role-specific data, this data won't be deleted, just hided from user in
      transaction BP.
  In this case, when some program will request for this data, it will
  receive it without a problem, and potentially this program can determine
  this BP incorrectly.
  Also, when somebody switch a Role for this BP to the "deleted", already maintained data will "suddenly" appear. The same can happen, if this data is shared between several BP Roles (like Sales Area data for Ship-to party and Sold-to Party) - after switching to another Role, data
  for "deleted" Role will appear again.
  If you need further information kindly refer to note 596334.
  Hope this helps.
  Venkat

• CUP - Unable to assign and delete role at the same time

  Hello everybody,
  I have an issue with CUP.
  Regarding a change account request, if I assign roles, it works. In the other hand, if I delete roles (also with a change account request) it works too. But if I mix both of them in the same request (assigning and deleting roles) it doesn't works. Only the deletion works. Some times we have no error message and some times we have:
  Error provisioning your request. Request no: 94. Error occurred in the system(s) : n/a, error details :
  DR1CLNT200-ZTEST01-USER CREATE-Function template /VIRSA/BAPI_USER_CHANGE could not be retrieved from DR1CLNT200
  Do you have please an idea to solve this issue?
  For information the CUP used is a 5.3 SP 5.0 version.
  Thanks in advance for any help.
  BMW

  Hi Ben,
  There may be a possibility of such a behaviour in SP05 as many of the changes in code has been done
  till now which may result into such issue and we can't confirm your findings by re-creating it. However, you can check few things functionally which may resolve this issue:-
  1) This error usually comes when the role selected is already assigned to the user or user doesn't exist in the system for which change request is created.
  2) when this error encounters the system, please take the system logs for that time from 'Monitoring' tab under configuration in 'English' and there the error cause can be found out or please paste the logs so that we can analyse.
  3) Also, you can refer to SAP Note:- 1168508 where many of the role related issues have been resolved after SP05, therefore, for smooth functioning of GRC-CUP 5.3, it's better to upgrade to the latest SP i.e. SP18.11(available at SMP).
  Best Regards,
  Akhil Chopra

• Transport Deleted Roles

  Hi
  I would like to get some information regarding transport of deleted roles from one system to another.
  For some reason we have a set of derived roles in PRD (Around 12) and dont have it in QA.
  I would like to have the same created in the QA. After that I would like to delete all these derived roles in QA. I would like to have the changes cascaded to production  as well.
  My question here is that Since i am going to delete these derived roles I do not want to go through the trouble of assigning the exact authorizations for these derived roles (as what is present in PRD) coz doing so would consume a lot of time. I would just like to create the child roles (with the same name as its in PRD) and then I would like to cascade the deletion.  Is that possible ? How ?
  Is it sufficient to just have a role by the same name (without all the authorization data) and do a cascade delete ?
  Should you have some reference document which can be shared please do so.
  Please advise
  best regards
  Ravi
  Note: I am not using Central User Administration.

  Hi ,
  The roles ( the main role and the derieved roles will also be downloaded ) can be downloaded  from the PRD by using the T code PFCG -
  > utilities -
  > mass download or role----> download from the menu bar onto the desktop and log on to QA and and again use PFCG  Transacion then uploaded from role   -
  >  upload  after which the roles uploaded need to be generated .
  This will have all the roles in the QA system with the derieved roles as well and  if the roles are deleted in the QA and then if the main role is again uploaded to PRD the it will overide the existing roles with the new ones from QA with all the new changes done in QA .
  Hope i am not missing anything ,
  Regards,
  Sagar

• Delete Role Request Template

  Hi,
  I want to be able to use the Delete role request template in code to create a request that deletes a role.
  So I supposed that you will have to give the role name or role key with the request.
  But when I check the DeleteRoleDataSet, it doesn't contain any attributes.
  Just :
  <?xml version = '1.0' encoding = 'UTF-8'?>
  <xl-ddm-data version="2.0.1.0" user="XELSYSADM" database="jdbc:oracle:thin:@oristb1l.solaris.nbb:1551/ISTB1L.NBB" exported-date="1315573110831" description="bla"><RequestDataset repo-type="MDS" name="DeleteRoleDataSet" mds-path="/metadata/iam-features-requestactions/model-data" mds-file="DeleteRoleDataSet.xml"><completeXml><request-data-set xmlns="http://www.oracle.com/schema/oim/request" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oracle.com/schema/oim/request" name="DeleteRoleDataSet" entity="Role" operation="DELETE">
  <DataSetValidator name="DeleteRoleDataValidator" classname="oracle.iam.requestactions.plugins.datavalidator.DeleteRoleDataValidator"/>
  <Attribute name="RequestorID" available-in-bulk="false" type="Clob" length="1024" widget="text" required="false"/>
  <Attribute name="FAOpData" available-in-bulk="false" type="Clob" length="4096" widget="text" required="false"/>
  </request-data-set></completeXml></RequestDataset></xl-ddm-data>
  How can I use this then ?
  How does it now which Role to delete ?
  Thx for your help

  WHat do you mean by "Delete Role Request Template" ?
  I can't see any Request Type with name "Delete Role" under Request Template.

• Bapi to assign or delete ROLES

  hello all,
  Does anybody knows a bapi or FM to assign new roles or to delete them to a user?
  Thanks,
  Ricardo

  Ricardo,
  check this BAPI_USER_ACTGROUPS_ASSIGN and check FG SU_USER
  Thanks
  Bala Duvvuri

• Unable to delete role from a project

  hi
  i added a role to a project.   i staffed it with a resource.  Now when i try to remove this staffing.. i get the message
  "Cannot delete project role staffing"
  the help is as follows
  Cannot delete project role staffing
  Message no. DPR_BUPA_LINK020
  Diagnosis
  You are trying to delete a staffing. However, the resource of this staffing is entered as a responsible resource for at least one project element or is assigned to at least one task. The status of the assigned project element does not permit changes. This means that the links cannot be deleted and therefore, the actual staffing cannot be deleted either.
  System Response
  The system does not delete the project role staffing and issues appropriate messages.
  Procedure
  Reset the status of the assigned project element so that the changes can be made.
  Make sure that the links are removed by authorized users or obtain the relevant authorization from your system administrator.
  But i have added the role and staffed it afresh.  i am also not able to delete any newly added roles.
  Pls suggest!
  Regards,
  Sujata.

  Hi,
  Have u tried by following dignosis solution given in message help. Please try by removing the responsible resource from basic data tab of phase or task for which the person is assigned. also check the status of task or phase for which he is assigned as responsible person. if the perticualar task is complete then I beleive tht u will not be able to remove responsible person.
  Pramod

• Provisioning of roles to ABAP system deletes role assignments in backend

  Hi all,
  following scenario:
  user has role A in an ABAP system which is connected to IDM. Assignment of role A to the user is not in the identity store.
  Now you assign role B via workflow to the user and IDM provisions this new assignment to the ABAP system.
  What will happen is that the user will get role B but assignment of role A will be deleted.
  This happens because in the job "SetABAPRole&ProfileForUser" the connector attribute "roles" will only consist the role assignments which are in the identity store. All assignments in the ABAP system which are not yet in the IDS will be overwritten.
  This behaviour can be very critical. If you still allow role assignments directly in the backend system and you read these assignments e.g. once a day to the IDS - but in the meantime assignments have been done via workflow - you will lose data.
  My customer wants to assign roles both directly in the system and also by workflow. Every night an ABAP update job runs which writes new assignments to the IDS.
  Do you have any idea how I could solve this? Is there a way NOT to overwrite assignments with the ABAP connector field "roles"? I tried to use multivalue operator but this didn't do the trick.
  I hope I was able to describe my problem properly and you have answers...
  Best regards
  Jörn Kaplan

  No, there is not a way to avoid that IdM replaces the role assignment in ABAP with the current assignments as know by IdM. IdM is the master!
  This is not directly an issue of IdM: The standard BAPIs in ABAP (up to release 7.0) offer "replace all role assignments" but not "add role assignment" or "remove role role assignment".
  However, there exist an exception: Role assignments in ABAP which are created indirectly by an HR-ORG assignment are not touched by IdM. (There role assignment are viewed in blue in transaction SU01.)
  See  http://help.sap.com/saphelp_nw70/helpdata/EN/50/e9683c5de8676fe10000000a114084/frameset.htm for details.
  Kind regards
  Frank Buchholz

• Deleting roles from GRC AC CUP

  Hi
  We had GRC 5.3 installed with SP05. We have archived all our existing requests and are trying to delete some of the roles from CUP. However when trying to delete the role it is giving a message "Cannot delete because this is referenced by request". Is there something else which i need to take care of? Will application of latest support packs help in this situation?
  Appreciate your help regarding the same.
  Thank you.
  Anjan Pandey

  Hi Anajan,
  I feel some requests are still exist in GRC CUP for that particler role. Please follow the below steps and try to delete the Role  again.
  Go to  CUP configuration tab  > click on Request option under the workflow> choose deleting requests > next> then its asks to delete all requests and then choose Submit option.
  once you click on submit button, you will get the message all existing requests are deleted with Job id.
  finally go to the Roles and delete the required roles form the GRC CUP.
  Regards,
  Arjuna.

• Do you really have to delete roles if you deactivate a user?

  I was searching through threads trying to find a recommendation regarding the best way to deactivate users in SAP.  I understand locking and changing the validity date, but I am also seeing recommendations to delete the roles...  In addition to roles do you also recommend deleting profiles (ones not associated with a specific role)?  I'm just asking because I was under the impression it was good for security purposes to know what roles/profiles (authorizations) the user had in the past if something happened that required research and the ability to identify "who had the ability to do what".  If we delete all of that information from their account, is their still a way to determine what they did have when they were an active user?  If it is OK to leave roles in and maybe just set their expiration date, how should profiles not associated to roles be handled?
  I guess most importantly, is there a known recommendation straight from SAP that I can reference?  My searches have come up empty.

  In my opinion, best is to:
  - Retire the user ID by locking the account (not just the password).
  - Set the validity on the user account to expire (preferably when this is known already, and not when a piece of paper becomes current...).
  - Setting the validity of roles is subject to the user compare to a large extent. It is very usefull.
  - Manual profiles are a bugger - dirty trick is to import them as a template into a role.
  > I guess most importantly, is there a known recommendation straight from SAP that I can reference? My searches have come up empty.
  I know that the technical explanations of how it works is to a large extent available, release dependently.
  If you search for the reports associated to the "user compare" (tcode PFUD) then you will find a lot of infos.
  Recommendations are more tricky, as it depends on what you want. SAP enables a lot of stuff and is responsible for the correct checks in the programs. But how you build your roles and profiles is up to you, and you have a lot of freedom in that area. You can also shoot yourself in the foot
  I am assuming that you are not on SAP release R/2. Perhaps a bit more details would help...
  Cheers,
  Julius

• Deleting roles from multiple users simultaneously

  I need to delete all of the roles from multiple users and I was wondering if anyone knows of a way to do it simultaneously other than  a Mercury script(it wont take the roles away that are lower than the initial 20)?

  Hi there,
  there could be easier ways to do it, but this is how I'd go about it if I didn't want to go to each user ID.
  Get a list of all roles assigned to your users you want to restrict from SUIM (display the list of users via tcode S_BCE_68001400).  Click on the 'roles' button and it will pull up a list of all the roles assigned to those users.  Extract and save that).
  Filter the list so you have only one entry of each role name.
  Then go to SU10, enter in all your user IDs to change and go to the role tab, enter the unique list and put wide dates on it say from 01.01.1995 - 31.12.9999 (you want them earlier than the earliest role 'valid from' date and later than the latest role 'valid to' assignment).
  Click the 'Remove' box and save and you should have all roles removed.
  Good luck with it.
  Cheers,
  Dianne