Business Role Assignment to User by Organizational Model
We have created the organizational model in our system where we have the levels that are tied to a specific business role. We have been manually assigning all of our users to these organizational model levels in order to have the business role assignment. I am curious if there is a program or easier way to do this than to have to create the assignment to the employee record manually in the org model.
Any help would be greatly appreciated.
Thanks,
Darcie
Hi Robert,
maintaining the user profile directly may be easier with only a few employees but for large companies this method will end up being more maintenance intensive.
for Org you only have to maintain it on the Org unit or position and all employees underneath will inherit the role; whether it's 2 individuals or 2000. and if the person is moved into a different position laterally or through promotion there would be no maintenance required as the information would replicate from HR (if you use/have the system) and the person would inherit the new position and role automatically.
for User parameter if you only have 2 individuals it is easier but 2000 is too much to maintain. there is some automation but would require you to create them and run them yourself.
pfcg at most companies do not fall under general master data maintenance and would require involvement from the security group and they often do not want to generate empty or unnecessary security/authorization profiles - the maintenance workload is shifted to them also in this case.
regards.
Similar Messages
-
Business Role assignment to user
Hi all,
I am learning about the concept of business roles in CRM. In the forum discussions I see that the business role has to be assinged to the user even though we assign the PFCG role (linked to the business role) to the user. Like SU01 where we assign pfcg role to the user, what is the transaction code to assign the business role to the user.
Thanks.
Neha.I'm going to chime in and say this question has been discussed to the detail in this forum. If you would have done a search you would have a pretty good discussion on this topic.
Re: Reg: Business Role
That thread covers all your options in detail.
Thank you,
Stephen -
Organizational Model - WebUI business role assignment
We have created the organizational model in our system where we have the levels that are tied to a specific business role. We have been manually assigning all of our users to these organizational model levels in order to have the business role assignment. I am curious if there is a program or easier way to do this than to have to create the assignment to the employee record manually in the org model.
Any help would be greatly appreciated.
Thanks,
DarcieHi Robert,
maintaining the user profile directly may be easier with only a few employees but for large companies this method will end up being more maintenance intensive.
for Org you only have to maintain it on the Org unit or position and all employees underneath will inherit the role; whether it's 2 individuals or 2000. and if the person is moved into a different position laterally or through promotion there would be no maintenance required as the information would replicate from HR (if you use/have the system) and the person would inherit the new position and role automatically.
for User parameter if you only have 2 individuals it is easier but 2000 is too much to maintain. there is some automation but would require you to create them and run them yourself.
pfcg at most companies do not fall under general master data maintenance and would require involvement from the security group and they often do not want to generate empty or unnecessary security/authorization profiles - the maintenance workload is shifted to them also in this case.
regards. -
SAP CRM 2007 Business role assignment
Hi all,
We are using CRM 2007. and we are trying to assign Business roles to users using the PFCG ROLE ID attribute.
1- We create a PFCG role : "pfcgrole1"
2- We create a Business Role "Businessrole1" and put PFCG Role id = "pfcgrole1"
3- assign the user to the PFCG role "pfcgrole1"
We have two cases :
CASE 1:The user is assigned to a position in Org management but the position does not have any Business roles assigned.
RESULT : The user logs in to CRM, the user gets error message "Logon is not possible because you have not been assigned a business role"
CASE 2:The user is not assigned to any position in Org management.
RESULT : The user logs in to CRM, everything works fine
my interpretation : org management has precedence over business role assignment using PFCG roles and blocks Business role assignment even if the position has no Business roles assigned
Anyone has any idea how to assign business roles using PFCG ROle ID even if the user is assigned to a position without any business roles
Thanks in advance.Please review these old threads first:
Re: Reg: Business Role
Assignment pfcg-role to user and assignment pfcg-role to business role
There is a lot of technical background on how business role to PFCG role assignment works.
Thank you,
Stephen
CRM Forum Moderator -
Business role assignment get lost
Hello *,
from time to time single users report logon problems due to missing business role assignment.
In these cases business role was assigned via user in tx su01 directly. Whenever it happened the affected user itself is shown for last modifier of user record. But the users of course are not authorized to edit this data.
We assume that maybe the personalization in web ui could be the reason but up to know the behaviour was not reproduceable.
Does anyone know this issue?
Kind regards
ThomasHi Thomas,
Sorry but maybe I've explained myself poorly. You said that business roles that were missing are normally assigned directly in SU01. Then, in order to try to understand how they are remove, in SU01 transaction there is a functionality that allows you to see the change history for every add/removal of a role. This will tell you the user that performed the action and which tcode he used.
Check this functionality that it's available as a menu option in SU01. Maybe it can give you some good clues about what's happening.
Kind regards,
Garcia -
Change business role for a user badi
is there any badi to change a business role assigned to a user dynamically i want to change...
inputs will be highly appreciated. i want to change the business role based on some condition...
some thing like component_loading, where we can change the enhancement set.. i am looking for similar kind of thing for changing business role...
thanks in advance.Hi Niraja,
Did check these BADIs
BUPA_ROLE_CHECK
BUPA_ROLE_EXPORT
BUPA_ROLE_IMPORT
BUPA_ROLES_UPDATE
Regards,
Raghu -
Refreshing business role assignment to org. structure
Hi Experts,
I am trying to change the assignment of business role in org. structure but the changes are not coming into effect.
i.e. initially i have assigned servicepro to my org. strcuture & i am getting the relevant screen on login into WEB UI.
Now i have changed it to marketingpro still i am getting the same screen.
Can any one of you suggest that how i can refresh such changes.
& can anyone also suggest how i can assign business role directly to users.
Thanks & regards
Nanda KumarHi Nanda,
I assume the reason for Business Role change not refelecting can be
1. A Profile assigned in SU3 or
2. You are trying to open the Web UI from same browser session using a new tab in IE7 (internet explorer), you need to create a new browser session.IE7 tabbed browser does not recognize the changes in SAP GUI, you need to open in a new browser.
Regards,
Masood Imrani S. -
Function module to get the roles assigned to user
Hi to all experts,
I need a fm to retrieve the roles assigned to user .
if a pass sy-uname as importing parameter i should to get all the roles assigned to that particular userhai,
please try this.
/VIRSA/RE_BAPI_CREATE_ROLE- Create Roles
/VIRSA/ROLE_ASSIGN_CUA_NH
/VIRSA/RE_BAPI_ROLE_TO_USERS
ASSIGN_USERS_HIERARCHY - User Assignment to Role - this is a Normal FM
try this bapis this may work
BAPI_USER_LOCK
- BAPI_USER_PROFILES_ASSIGN
- BAPI_USER_LOCPROFILES_ASSIGN
- BAPI_USER_LOCACTGROUPS_ASSIGN
- BAPI_USER_CHANGE
- BAPI_USER_UNLOCK -
CUP 5.3 sp7.1 - 049:Role assignment to user not executed completely
Hello Experts,
Message received in audit information:
049:Role assignment to user not executed completely
Can anyone help me with why I am receiving this message?
=[],id=6129,reqNo=201000139,actionDate=Tue Oct 19 10:40:27 EDT 2010,action=ROLE_PROVISIONING_FAILED,userId=U03776,path=,stage=,actionValue=PR4-300,description=049:Role assignment to user U10025 not executedHi,
Check that the connector that you have created is working fine and also the user ID that you are using in the backend system is within the valditiy date and all the required authorizations.
Use remote login and ensure that the user can login with out any issues and has all the required authorizations.
Rgds,
Raghu -
Table name to find out roles assigned to USER !!
Hi BW Gurus,
i want to find out all the roles assigned to users , i check in tables USR01, USR02 , USR21, and ADRP ...... i got first name , last name , account number . BUT I NEED ROLES . can anyone kindly help me ,since otherwise i have to copy paste all manaully which takes more time...
100% points are assingned
SHERWINHello,
Check in this tables:
AGR_USERS - Assignment of roles to users
AGR_USERT - Assignment of roles to users
AGR_PROF - Profile name for role
AGR_AGRS - Roles in composite roles
Assign points if this helps
Regards,
Jorge Diogo -
Report alle Business Roles assigned to Position
Hello,
I'm looking for a report wich brings a coomplete Objectdescription of an incorporate position in a organizational Model. Very important is the information which business role (we use CRM 2007) is assigned to the position.
I checked already report rhstru00 but I don't know which structure parameters I have to take to get out the required information.
There must be a way to get this information.
Thanks a lot in advance!
Best Regards
Stephan JungStep1
U should know the Personnel number of the person u want to assign role.
Step2
PA20 to do Org assignment
Info type = get the position number
Step3
Go to PO13 for Position number
You assign the position number to Role (basically you create a relationship b/w Position number and Role here)
Define relationship B 007 Relationship type (Always select this Relationship type)
Step4
Go to SU01; create a user ID for THAT Personnel number ( If the user don't have one)
Step5
Go to PA30 you define relationship between Personnel # and User ID
Create Info Type 105, Subtype 0001
In ID/Number = User ID and save
For personnel number
Step6
Run PFUD
To update user master record i.e. to enter the role that is assigned to that position in org level. Put the Role name and select Reconcile User Master Data and execute.
Or
In SE38 Run report RHPROF0 -
OBPM 10gR3 Dynamic Role Assignment at user login
Hi,
For all the great integration with LDAP in 10gR3, unfortunately, the system is unable to deal with dynamically-defined LDAP groups.
Our goal is to apply a BPM Role to ALL humans defined in our LDAP.
All humans happen to already be defined by a dynamically-defined LDAP group called 'AllPeople'.
It would have been perfect if we could simply assign our BPM Role, 'Employee', to the LDAP group, 'AllPeople'. Sadly you can't (one for the next release pls).
So as a workaround, what we want to do instead is assign the BPM Role 'Employee' to each individual user dynamically when they first login.
Since the FDI library is useless outside of a BPM context (you'll find that some of the familiar methods of RoleAssignment are missing), We opted to create an actual BPM process to conduct role assignments, and we would then trigger it via PAPI.
The question then was, where/when do we invoke the process such that it does the role assignment quickly and soon enough for the appropriate views and applications to appear in their workspace straight after login?
We opted for a customised implementation of the SSOWorkspaceLoginInterface class.
However, we tried making the invocation in the setupAuthenticatedSession() and the processRequest() methods but, although the role assignment was successfully done in either case, sadly the user's session was loaded without the new changes - perhaps loaded quicker than the role assignment could be fed back through the directory.
Therefore, we dumped the invocation in the actual constuctor - and this seems to work for the most part. Yet on the odd ocassion, the role assignment is not quick enough to be realised in the user's workspace session - the user has to logout and back in before the changes are realised.
We've even tried to get the execution to sleep for a second or two, while the PAPI thread goes about doing the role assignment - again not much success.
So I really have 2 questions:
1. Where during login can we make a PAPI call to do a role assignment so that it should be picked up by the time the session is created? perhaps we already are doing it in the right place.
2. How could we refresh/request a new session cookie without explicitly logging out and back in again? Note, page refresh is not enough.
Thanks for reading.Sorry for the belated response - I don't get notified of replies.
The code for my custom SSOLoginModule class is:-
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.Properties;
import fuego.workspace.security.SSOWorkspaceLoginInterface;
import fuego.papi.Arguments;
import fuego.papi.CommunicationException;
import fuego.papi.InstanceInfo;
import fuego.papi.OperationException;
import fuego.papi.ProcessService;
import fuego.papi.ProcessServiceSession;
import fuego.sso.SSOLoginException;
import fuego.sso.SSOUserLogin;
import fuego.jsfcomponents.Util;
import fuego.workspace.model.common.WorkspaceApplicationBean;
public class CustomSSOWorkspaceLogin extends SSOUserLogin implements SSOWorkspaceLoginInterface {
private ProcessService pService;
private ProcessServiceSession pServiceSession;
private Properties properties;
public SSOWorkspaceDBLogin() {
//Do the role assignment here because it works, and does not work in the ideal location of setupAuthenticatedSession method
pService = createProcessService();
pServiceSession = createProcessServiceSession();
assignDefaultRole(Util.getHttpServletRequest().getRemoteUser());
private ProcessService createProcessService() {
return WorkspaceApplicationBean.getCurrent().getProcessService();
private ProcessServiceSession createProcessServiceSession() {
return pService.createSession("yourdirectoryusername","yourdirectorypassword",null);
//This method is used to remotely invoke a BPM process to do the role assignment - no external API to do this directly!
private void assignDefaultRole(String email) {
try {
String processId = "myRoleAssignmentProcessId";
String argumentName = "argumentName"; //the name of the input argument to feed in the participant
String argumentValue = email;
Arguments arguments = Arguments.create();
arguments.putArgument(argumentName, argumentValue);
InstanceInfo instance = pServiceSession.processCreateInstance(processId, arguments);
Long waitTime = new Long(1000);
Long timeLimit = new Long(5000);
boolean roleAssigned = false;
boolean timeLimitExceeded = false;
Long startTime = System.currentTimeMillis();
//Allow role assignment thread to complete
while (!roleAssigned && !timeLimitExceeded) {
try {
Thread.sleep(waitTime);
if (pServiceSession.processGetInstance(instance.getId()).isCompleted()) {
roleAssigned = true;
if (System.currentTimeMillis() - startTime > timeLimit) {
timeLimitExceeded = true;
} catch (InterruptedException e) {
e.printStackTrace();
//close process service session
pServiceSession.close();
//Do not close the service itself as it is shared with the Workspace itself!
//pService.close();
} catch (Exception e) {
e.printStackTrace();
public void setupAuthenticatedSession(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse) throws SSOLoginException {
//Unfortunately, the below does not work here because the role assignment is not fast enough
//The result is that the user logs in but cannot see any applications because the role assignment has not been made in time.
//Therefore, we run the below statements from the constructor - ugly but functions.
//pService = createProcessService();
//pServiceSession = createProcessServiceSession();
//assignDefaultRole(httpservletrequest.getRemoteUser());
public void processRequest(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse) throws SSOLoginException {
} -
HR Indirect Role Assignment through HR ORG Distribution Model with ALE
1) When i assigned indirect (position level security) roles in CUA(SolMan) using pfcg click on organization managment to position after that i did user comparsion but i can not see user id in user tab.
2) If personel no is not the same as infotype 0105 assigned user, How do you check your Indirect role assignment If you are using soultion manger. We dont have PA20, PA30, PA48 t-codes in soulution mangers.our CUA a in Soultion manger .
Help is greately appericiated. ThanksI created HR_ORG structure(HRMD_ABA) in dev (HR system-Sending system) and add filters according to help.sap document, generate partner profile using we20. After that I transfered org structure in CAU (SolMan-Non HR systems- Receving system) using ALE run (Run SA38 -RHALEINI) i think its working.
Composite roles are reside in Dev (HR-system), For indirect roles assignment (position level security) i created composit role just only roles name and description with out tcodes and auth object in CUA (SolMan -Non HR system).
For test position assigment, I run pfcg in CUA(SolMan) click on organization management select position and click indirect roles assignment after that i did user comparsion but i cant not see users id in user assignment. Please let me know any helpful Suggession. Thanks for ur quick response.. -
Business Role assignment now working as Expected
Hi All,
We have a User A, B and C , all these users have Business Role X, when these users were logging in they were gettings screens as per the configuration.
However now all of sudden Only User A ,though still has same Business Role X , is getting different Work centers,Logical links Mostly standard(Claim management, worklist, calendar,Email Inbox) .
User B and C who have the same business role are getting correct UI screens.
We are unable to find what went wrong all of sudden.
Thanks in advance for your suggestions
Regards,
Chandu.Chandu,
If the CRM_UI_PROFILE is set to some UI Profile, this takes more priority(than the UI Profile assigned to the Business Role)
and shows the Navigation Bar and Work Centre configured for this UI Profile.
The normal Business Role configs wont work at that time.
Remove this entry and see, it will solve the issue.
Regards,
Masood Imrani S. -
Issue regarding Business Role assignment
Hi All,
1.
I have a user Agent1 which is assigned to position POS_IC_AGENT in my org structure.
In the infotype Business Role I have assigned IC_AGENT (standard) business role.
IC_AGENT has PFCG role SAP_CRM_UIU_IC_AGENT assigned to it.
But, when I run the application (for my user Agent1), only telephony buttons are visible on top, navigation bar and work area is empty (nothing is visible there)
2.
Now, when I open my user Agent1 in SU01 and assign PFCG role SAP_CRM_UIU_IC_AGENT.
Now when I run the application everything is visible (telephony, navigation bar and workarea).
Why is it not visible in first case?
I think it should work without assigning Role in SU01.. I mean it should have taken settings from Org. structure
Regards,
AshishHi Ashish,
As far as work center page context is concerned , its decided by the navigation bar profile and business role customizations ( we add work center home and several related stuff etc in navigation bar profile and make them activate/deactivate, visible/invisible through business role customizing ) .
PFCG role has nothing to do with what you see on the Work Center...it decides whether you can see or not..meaning whether you have authorization for disply of a business object and its related subobjects.
PFCG role basically determines the authorization objects that will be grated to the particular business role ( to which this PFCG role is linked ) PFCG is about CREATE/CHANGE/DELETE authorizations.
In first case, its business role linked authorizations. You dont see the work centers may be because USER has not granted the DISPLAY authorization for the business Object related to BP( i.e Account ) , or BO related to account search (BUPASEARCH ) as the IC agent home basically has Account identification home , or account search home...which overrides the PFCG authorizations attached to the business role.
Remember, individual object authorizations set for a user using transaction PFCG will have more priority over the Business role linked authorizations as 1 business role can be assigned to many users however if one user is not grated to see BP related data, this will still remain enforced even though the business Role PFCG is granting him to see...There is a difference between user specific authorizations and Business Role specific authorization...
In second case,its user linked Authorizations. When you add the PFCG role in SU01, this is being the User Specific Authorizations which will always have the priority and thus granting the display.
This is my basic understanding. I am 100% sure that PFCG role only controls the DISPLAY/CREATE/CHANGE related authorizations and lots more in context of authorizations. However what to include & show is decided by Navigation Profile and Business Role customizations.
If everything is intact in navigation bar profile and business role customizations, and still you dont see anything on the work center, then i am 100% sure that its related to User Authorizations
Refer pg 56 in CR580, it will clear your doubt.
Thanks & regards,
Suchita
Maybe you are looking for
-
Hi All, I have to transfer the last 4-5 yrs of trail balance from old instances of oracle apps to new instance of oracle apps 11.5.10. But i do not know what data i have to extract and what data i have to upload. Wheather i have to extract on GL_Bala
-
dear all, any function module in bw which returns me the calendar year quarter for 0CALQUART1 and 0CALQUARTER. while we on the data subject, what does 0FISCVARNT do? thanks.
-
Acrobat X: Is there an ABBYY FineReader plugin for better OCR accuracy?
Acrobat X's OCR capability is not very good. Based on my testing and comparisons, ABBYY FineReader's OCR capability is much better! Is there a FineReader plugin that can be added to Acrobat X for better OCR accuracy? If not, can this be a possibil
-
TS3634 I have a new iMac with iMovie '11
and a Sony handy cam HDR-SR11 that records in both SD and HD. Unfortunately, it does not seem to 'see' the SD videos nor does the Show drop down menu give me an option other than AVCHD. What to do?I would really appreciate some help with this issue.
-
Calling a report from appserver
Hi all, I read in doc that we can display a query by http://yourAppServer:yourPort/SAP/BW/BEx?CMD=LDOC&TEMPLATE_ID=yourTemplate&STATELESS=X how can I find what my appserver address and port are? please let me know thanks Sabrina.