Deassignment of users from roles

Similar Messages

• How to get list of user from Role in workflow

  Hi,
  I want to send notification to all user belongs to a certain role in OIM.
  How can i do this?
  My req:- User put's request for provisioning. now we have to send notification to all the approver about the request.
  I know i have to use BPEL for sending notification.
  But can some one let me know how can i get email id of approver in BPEL.

  Make a groups in OIM and assign all the approves for that role in that group.
  Select this group as an approve in SOA composite.
  Now when ever any approval request is send for provisioning it will go to all the members of that group.

• Users are not removed from role using UME API

  Hello,
  I am using this code to remove users from a batch of roles that I have.
  Everything is running OK, no exception is thrown and at the System.out I see all the actions that needs to be taken correctly. The problem is that if I'll go later to one of the roles the users are still assigned to it. Any idea what I'm doing wrong here?
  try
  IRoleFactory roles = UMFactory.getRoleFactory();
  IUserFactory users = UMFactory.getUserFactory();
  IRoleSearchFilter filter = roles.getRoleSearchFilter();
  filter.setUniqueName("<My_filter>", ISearchAttribute.LIKE_OPERATOR, false);
  ISearchResult sresult = roles.searchRoles(filter);
  if ( sresult.getState() == ISearchResult.SEARCH_RESULT_OK )
       while(sresult.hasNext())
       String id = (String)sresult.next();
       IRole role = UMFactory.getRoleFactory().getMutableRole(id);
       Iterator i = role.getUserMembers(false);
       while (i.hasNext())
                       String uid = (String)i.next();
            IUser user = users.getUser(uid);
            role.removeUserMember(user.getUniqueName());
            System.out.println("Removed user: " + user.getUniqueName() + " from role: " + role.getDisplayName());
       role.save();
       role.commit();
  catch (Exception e)
       manager.reportException(new WDNonFatalException(e), false);

  Solved it!
  It needs the FQDN User ID...

• BAPI or Function Module to change PFCG role of an User from Background

  Hello Experts,
  I have a requirement to change PFCG role assigned in User from background and I need a BAPI , FM or any other method to do the same, I have gone through BAPI_BUPA_ROLE_REMOVE and BAPI_BUPA_ROLE_ADD_2 but as per my understanding , these are related to business role not PFCG.
  Please help!!!
  regards,
  Arnab.

  Resolved by myself.
  regards.
  arnab

• Restrict users from changing roles

  Is there a way to restrict users from changing roles
  themselves? If a user goes to My Connections and then clicks Edit,
  they could, in theory, change to any group they want--except to the
  administrator group because you have to enter a password. If the
  admin isn't watching the site 24/7, the user can change their roll,
  let's say from a writer to a publisher, and publish something
  before the admin can notice.
  Is there anything that can be done to restrict that?

  You can use connection keys...this will only allow a user to
  change their name and email address (I think...I can check on this
  tomorrow). We use these at my work and it allows for a lot more
  control over who is assigned to the proper groups.

• How to tranport the users from SAP R/3 to portal ?

  Hi All,
  I had connected to SAP R/3  system from portal. I am trying to tranport the users from SAP development server . So that everyuser can enter through the portal only and work on SAP.
  Please guide me the procudure how can  i tranport the users from SAP system to portal.
  Please urgent replies are appreciated .

  Hi Abhishek,
  Thanks for your information.
  please let me tell you the detailed information. My basis guy had configured the system for me as i didnt have any idea on installation procedure. So i am facing th e fallowing problems.
  <b> First Problem</b>
  I am not able to create  the user from portal directly. Its showing the fallowing error.
  <b>An error occurred in the persistence; contact your system administrator</b>.
  so i had created the users in WAS by SU01.
  <b>Second</b>
  We have some users at production server ( Assume 5 users ). and those users need to be mapped at portal. So that those users can directly enter into portal and operate on SAP system .
  <i>If u dont mine Please provide with  me the steps to fallow</i>
  <b>Third</b>
  i had created some transactional Iviews that are working fine when i am log in with Administrator( super administrator role). The problem is that the reports are  not showing  when i am log in with general user ( with out super administrator role ) .
  Its showing the error
                         <b>Could not able to look up the system.</b>
  And the problem with user mapping also .
  For aministrator its working fine .and for a general end user ( created on WAS )
  i am not able to provide user mapping. Its showing
  There are no systems available for user mapping for the selected principal
  wat could be the problem ?
  Your solutions will be appreciated .please urgent

• Can i recover my all active directory domain computers and users from IFM and in-cooperate them in new forest ??

  My only Active Directory Server on win server 2008 R2 with one domain controller crashed today. The only backup that i had was IFM media.
  So what i have done till now to recover it is a follow
  I reintalled window server but this time it is winserver 2012. I added AD DS role to it. Promoted it to Domain Controller. (functionality level is 2008 R2)
  On second server i installed win 2008 R2 and trying to add additional domain controller from IFM to recover all of my domain users,computers and GPO's. but i am getting this error
  Could not replicate the directory partition CN=schema, CN= configuration, DC=XXX, DC=com from the remote domain
  the naming context specified for this replication operation is invalid
  i dont know weather my approach is correct or not
  but my simple questions is
  Can i recover my all domain computers and users from IFM and in-cooperate them in new forest ?? if yes how can i do that?? urgent help required.

  yup exactly i created a new domain(in new forest) with same previous name in window server 2012 on SERVER-1. As ifm file that i had was generated from 2008 r2 so on second server i installed window 2008 r2 and tried to add role of additional domain controller
  from ifm file on SERVER-2 using dcpromo /adv . every step went ok but in last step when it starts replicating domain controllers it poup following error
  Could not replicate the directory partition CN=schema, CN= configuration, DC=XYZ, DC=com. .  .
  and roll backs every thing.

• How to restrict the user from making any changes in Sales order- item level

  Hi to all
  How to restrict the users from making any changes in sales order at item level if the same sales order is released by senior user through status profile.
  Regards
  Anish Parikh
  Edited by: anish parikh on Jan 24, 2008 5:16 AM

  Hi Anish,
  This can be achieved through the roles and authorization.
  This can be done through the basis team. they can create user profiles and roles.
  For the roles they assign some transaction codes so that they can view the only assigned tr. codes.
  Like that ur requirement can be done.
  Also u can prevent the user to change any fields in the sales order screen (VA02). for that please modify the authorisations.
  Hope i answers.
  Reward points if useful.
  Edited by: kaleeswaran bhoopathy on Jan 24, 2008 9:57 AM

• Blocking User from accessing wrong customer code in VA01

  Hi SAP SD GURU,
  my finance user uses rebate recipent in sales order creation for rebate settlement.
  my operation user uses one-time customer code in sales order for sales.
  Both type of customer codes can be used in sales order creation under different order type.
  The problem arises when operation staff uses rebate recipent code to create sales order and then billing.
  My finance User want this to stop.
  How can I block the operation User from continuing the sales entry when they select the rebate recipent in a sales order entry?
  Is there any available setting in the customer master that allow me to do so?
  Is there any setting in the SPRO that can control this?

  Hi Colin,
  Well you need to control these through the user profile & roles
  you can do this in SU01 which a Basis person can help you out with .....
  now as said User X wants authorisation to va01  ( Rebate)
                    User Y wants Authorisation to va01 ( One time)
  since here we are not restricting any user for VA01 auth , the Basis person can define the role only till the transaction level not beyond that in standard SAP transaction and here you want to restrict user to not use different customer code
  as per my knowledge i dont think that is possible but still have a check with the Basis team
  Hope this helps
  Cheers

• Restrict users from saving own search in existing Named Searches

  Hello,
  I have created some Named Searches that will be used by the MDM users. These users are only allowed to use these named searches (in their search selections) but they are not allowed to 'overwrite' any of the named searches by their own search criteria.
  How can I prevent the user from 'overwriting' the Named Searches? 
  Because even when I set the user role to "None" for all functions and "Read-Only" for all tables and fields, the user can still make their own search and Save that as Named Search (and thus 'overwriting' the existing Named Search which impacts also the other users that make use of these Named Searches).
  We are using MDM 5.5 SP5 (5.5.42.106).
  Or is this an autorisation bug in MDM?
  Thanks for your answers!
  Regards,
  Marcel

  All,
  Just for your information:
  We have upgraded to MDM 5.5 SP06 Patch 3 (build 5.5.63.57) and they have introduced new role feature to protect named searched to be overwritten (see also release notes of patch 3 - OSS Note 1234675).
  So you can now change the Role (in MDM Console) and under section MDM Data Manager, you can set None or Execute for the function of Saving a Named Search.
  If you set it to None, then the menu option in the MDM Data Manager of saving an search as a Named Search (and hence overwriting the named search) is greyed out. Only when you set it to Execute (which is automatically set during upgrade to thi snew version when the role has set it's Default function to Execute), then the user can overwrite the named search with his own search.
  So, issue solved!
  Regards,
  Marcel

• How to use the user and role API's and where to use it

  Hi All,
  I have configured SSO for my UCM11g. Now my application authenticates through the Oracle SSO login page. Currently it is working with SQL authenticator.
  Now, i have to use LDAP authenticator. when i will configure the LDAP authenticator, i have to use the user and role API's to fetch the user profile information from LDAP. i have got the API's which will be used to fetch the respected information, but i am not getting as where i will write those java programs and how this API will be used in my application. what settings i need to do on it so that application uses the API's. ?
  Please can anyone help me on this.
  thanks,
  Saurabh

  Hi, Mithu,
  Thanks a lot for your help in advance.
  I have carefully read the document: https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/6b66d7ea-0c01-0010-14af-b3ee523210b5.
  Now, I think I have to set the processor of every actions in every process if I use the GP for processing the workflow.
  I am better to hope that I can set the processor to the role for every actions in every process in the runtime through get the organizational structure in the WDA(webdynpro for java or webdynpro for java). Thus, the customer don't set the processor to the role for every action in every process when runing in the GP.   I don't know how to do this. 
  Whether the function is not supported in the GP? If so, I have to config two organizational structure: in the R/3 and in the Portal. I don't think our customer don't receipt this solution.
  Do you give me some hints? Thanks a lot.  My email: [email protected]
  Thanks again.
  Thanks & Regards,
  Tao

• Different Risk Analysis Results with the same user from 2 different RAR

  Hi..
  I've loaded the same Risks, Rules, etc, into 2 GRC RAR environments (Sandbox and Quality systems); both of them are connected with the same SAP ECC system. But when I do a User Risk analysis (authorization level), the result from Sandbox is different from Quality system. I donu2019t have users or roles mitigated yet, users are synchronized, rules are exactly the same and I donu2019t know what happen??... Please, help me.
  Thanks...

  Hi...
  If I do a Full Sync of users to the same ECC system from both RAR boxes, I got different number of users loaded (i.e. 18757 vs. 18141), similar case with the full sync of roles. (13100 vs.  13150).
  If I load exactly the same set of functions to both RAR systems and I generate the rules, I got the same problem, different number of rules is generated.
  I've verified both RAR configuration and they are the same (excluded users, roles mitigated, etc.)
  Is it a normal behavior? What could be wrong?
  Thanks in advance!!

• How can I stop authenticated users from getting other user's information?

  We recently discovered that it is possible for authenticated users, via KMu2019s details view, to view details about the other users that have access to the same resource as you.  Our portal (7.0 sp15) is used for an external facing web site.  We have secured it against anonymous users but the problem still remains for authenticated users.  Here is an example:
  The KM folder documents\Public Documents has been assigned read permissions for the group Everyone.  An authenticated user can open the URL https://<host>/irj/go/km/navigation/documents/Public%20Documents and a list of folders are shown.  The user can then select the Details from the menu for one of the folders and the Details iview is displayed.  They then select the menu item Settings > Permissions and the users/groups/roles assigned to this folder are shown.  The user can then select a user and view that users name and email address or the user could select a group and view for each member of the group the user id, name, and email address which could then be used to help attack the site.
  So I thought it would be easy enough to disable the details view for all users but content managers or administrators but I seem to running into difficulty. 
  I tried disabling the Details KM command with limited success.  Even with it disabled, if you know the URL for the details component you can still access it.  So it seems the better option is to take away access to the details component.  It seems that the users are getting access to the Details iView from the standard eu_role.  If I remove the iView from this role then all user have no access to the Details in KM.  I tried to add the iView to another role that content managers would have but when logged in with a user that had that other role I still was not able to access the Details iView. 
  This SAP Help document [http://help.sap.com/saphelp_nw70/helpdata/en/47/f0f7415e639c39e10000000a155106/frameset.htm |http://help.sap.com/saphelp_nw70/helpdata/en/47/f0f7415e639c39e10000000a155106/frameset.htm ]discusses the eu_role(Standard User role) and it states that
  By default, the Everyone group is assigned to the Standard User role. If you choose to use the other every user roles instead, you need to remove these assignments from the Standard User role and apply them to the Every User Core and Control Center User roles.
    But, when I look at what groups the role is assigned to or what roles are assigned to the Everyone group they donu2019t appear to be linked contrary to what the documentation says.  So, what Iu2019m thinking here is that I can create a copy of this role and remove the Details iView from the original and then assign the copy to the content managers and administrators.  Doing this causes all users to lose access, even the content managers.
  I thought Iu2019d give the Security Zones a try to see if this could help me but when I take away rights from here it still allows access.
  Iu2019m stumped.  Iu2019m sure there is some key piece that eludes me.  What can I do to allow users read only access to some KM folders and files while preventing them from viewing the permission/user details?

  The only 3d party apps are Hazel...
  And that's your problem!
  From the Hazel site's description:
  Hazel watches whatever folders you tell it to, automatically organizing your files according to the rules you create.
  Hazel, is a prefPane so you must have some rule (or it supplied the rule as a default) to put pictures (jpg's) from your Desktop (folder) into your Pictures folder.
  Open your System Preferences and Hazel in there and either turn off Hazel or change or delete the appropriate rule covering this situation.

• Erorr in while mapping users to role

  in Jdeveloper . When we assign names to role in Organization, it is unable to retrieve roles form the connection. We have installed the jar file availbe in demo community . The connection to Application Server is successful. Is any body can help to overcome this issue.
  Edited by: Venkat Ram on May 14, 2010 6:14 AM

  Hi,
  I am also facing the same issue while trying to map the users to the Role. What I am doing is:
  1) Open the Organization from BPM Navigator.
  2) Select Roles tab and try to add the Members to the Role.
  3) Choose option User from the Type drop down.
  4) Click on Add icon (+).
  5) Create server connection. (Tests successful)
  Once done, the realms do not get retrieved in the Realm drop down. When I click the search icon I get an error in pop up saying "Server Exception: Connection Refused from server". I can not see a stack trace in the JDeveloper's Messages/Log section
  I am using the BPM11g VM and the Lab guide says, roles seeding and user seeding is already done for the VM image so I did not attempt that.
  Venkat are you facing the same problem?
  Edited by: user12272414 on May 14, 2010 10:54 AM

• Exporting and Importing Portal users from Source system to Target system

  Hi All,
  I have exported all portal users from source portal in to file Users.txt do i need to convert this file in to some other format so that i can import these users in Target portal.
  any links documents
  Regards,
  Murali

  Hi,
  If you look in to User.txt
  I have role also i have deleted role in User.txt uploded file with rest of the otherdata including group it it able to create users.
  so in Nut shell let's say
  1. UID-Murali
     Role- Manager
    Group- HRGroup
  user existing  in DEV and i want to trnasfer data to PRD
  Role:Manger should exist in PRD, and group is not mandatory optional
  but the link http://help.sap.com/saphelp_nw70/helpdata/EN/ae/7cdf3dffadd95ee10000000a114084/frameset.htm
  says while uploading users role is optional it throws waring but i got error.
  i am bit confused.
  Now let's sau there are 10 users, 10 roles and 2 groups in source system if i want to export all users,roles,groups to target system what sequnce i have to follow without getting any error , warining is there any restriction on number of users, roles, groups i know file size should be less than 1MB.
  Points are on the way.
  Regards,
  Murali