Deleting invalid role assignments

Hello,
is there a way to delete role assignments automatically if the validity period is out of date? I know that you can do it manually via transaction SU01/SU10 but maybe there is a report that recognizes if there are invalid assignments.
Kind regards

Hello Dennis,
As pointed out by Juan, standard SAP does not provide that functionality. However, I guess you can do that by writing a simple update report.
Look out for the AGR_USERS table as the data source.
Regards
Ruchit.
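As an added illustration of Ruchit's suggestion (this is not code from the thread), the script below reads an export of AGR_USERS and lists the direct role assignments whose validity period has already ended. It assumes the export carries the columns AGR_NAME, UNAME, FROM_DAT, TO_DAT and ORG_FLAG, and that ORG_FLAG = 'X' marks an indirect assignment derived from the HR org model; the rows in it are constructed sample data, and the fixed "today" keeps the output reproducible.

```python
"""Find expired direct role assignments in an AGR_USERS extract.

Added example for this thread, not code from the original posts. It assumes
an export of table AGR_USERS (for instance an SE16 download) with the
columns AGR_NAME, UNAME, FROM_DAT, TO_DAT and ORG_FLAG; the rows below are
constructed sample data.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample rows: (AGR_NAME, UNAME, FROM_DAT, TO_DAT, ORG_FLAG).
# SAP stores dates as YYYYMMDD strings; 99991231 means "no end date".
# ORG_FLAG = 'X' is assumed to mark an indirect assignment that comes from
# the HR org model (position/job); those are reconciled by PFUD, not by hand.
SAMPLE_AGR_USERS = [
    ("Z_FI_AP_CLERK",    "MUELLER", "20100101", "20111231", ""),
    ("Z_FI_AP_CLERK",    "SCHMIDT", "20100101", "99991231", ""),
    ("Z_HR_ESS",         "MUELLER", "20090101", "20110630", "X"),
    ("Z_SD_ORDER_ENTRY", "WEBER",   "20120301", "99991231", ""),
    ("Z_MM_BUYER",       "WEBER",   "20100615", "20111130", ""),
    ("Z_BASIS_ADMIN",    "SCHMIDT", "20000101", "20100101", ""),
]


@dataclass(frozen=True)
class Assignment:
    role: str
    user: str
    valid_from: date
    valid_to: date
    indirect: bool  # True when the row carries ORG_FLAG = 'X'


def parse_sap_date(value: str) -> date:
    """Convert an 8-character SAP date (YYYYMMDD) into a date object."""
    if len(value) != 8 or not value.isdigit():
        raise ValueError(f"not a SAP date: {value!r}")
    return date(int(value[:4]), int(value[4:6]), int(value[6:]))


def load_assignments(rows) -> list[Assignment]:
    """Turn raw extract rows into Assignment objects."""
    return [
        Assignment(role, user, parse_sap_date(f), parse_sap_date(t), org == "X")
        for role, user, f, t, org in rows
    ]


def classify(a: Assignment, today: date) -> str:
    """Return 'expired', 'not_yet_valid' or 'active' relative to today."""
    if a.valid_to < today:
        return "expired"
    if a.valid_from > today:
        return "not_yet_valid"
    return "active"


def removal_candidates(assignments, today: date) -> list[tuple[str, str, str, str]]:
    """Direct assignments whose validity ended before today.

    Indirect (HR-ORG) assignments are skipped on purpose. The result keeps
    the stored From/To dates as YYYYMMDD strings, because SU10 only removes
    an assignment when the dates entered match what is stored.
    """
    out = []
    for a in assignments:
        if a.indirect or classify(a, today) != "expired":
            continue
        out.append((a.user, a.role,
                    a.valid_from.strftime("%Y%m%d"),
                    a.valid_to.strftime("%Y%m%d")))
    return sorted(out)


if __name__ == "__main__":
    today = date(2012, 1, 15)  # fixed date so the sample output is stable
    for row in removal_candidates(load_assignments(SAMPLE_AGR_USERS), today):
        print("%-10s %-18s %s - %s" % row)
```

The script only reports; the removal itself still goes through SU10 or a report of your own. Indirect assignments are left out deliberately, since they are derived from the org model and maintained by the user comparison (PFUD) rather than by deleting them directly.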

Similar Messages

  • Delete Role Assignments directly from an ABAP System

    Hi folks!
    I'm working on a synchronization job and I have a particular challenge, delete Roles assigned to a user in the ABAP System.
    Our use case is this: IDM is regarded as the authoritative source and as such if the user has a privilege in IDM, it should be in the backend.  Easy enough!
    However if the privilege is not in IDM but is in the back-end, it needs to be removed.  Is there a way to do this in IDM? From what I saw in the Framework, we are assuming that the role already exists in IDM.
    I suppose the work around would be to assign and then remove the matching privilege in IDM, but I really don't like that at all, for a number of reasons.
    I looked in the business suite and plain ABAP portions of the framework.  I'll take a more detailed look and also check the RDS, but I get the feeling this will be a toughie.
    Thanks for your help!
    Matt

    Hello Matt,
    so you want to remove locally administered roles?
    If the object really is to undo the local administration, I would do this:
    Create a batch job, the passes would be a FromSAP, a ToGeneric and one/two ToSAP
    At first a cleaning pass (the ToGeneric one) which fixes all incorrectly assigned privs (re-add directly or remove, depends on what you want/need). The source tab query and destination tab script have to be written though (I guess that is the most time consuming part of the job during implementation)
    The pending privs have to be considered in the provisioning script (I would prefer our own written script over the SAP delivered anytime)
    Copy the Read ABAP pass for users. Remove everything but the logonuid and the role assignments (profile assignments only if needed, too). Maybe use a different table name like sap<repName>userAssignRecon. If the system is very large, this pass has to be optimized with filters
    Copy the role provisioning pass from the in-use plugin (SAP or adjusted one) and adjust it like this:
    Source tab query: A query which selects all mskeys of users that have more assigned in the sap table than in the link view. Using the Identity Store so everything of the identity is selected
    Destination tab: Remove the profiles as you haven't mentioned them. If needed I would do the same for profiles as for the roles in a second pass with the profileAssign table.
    Best regards
    Dominik

  • Provisioning of roles to ABAP system deletes role assignments in backend

    Hi all,
    following scenario:
    user has role A in an ABAP system which is connected to IDM. Assignment of role A to the user is not in the identity store.
    Now you assign role B via workflow to the user and IDM provisions this new assignment to the ABAP system.
    What will happen is that the user will get role B but assignment of role A will be deleted.
    This happens because in the job "SetABAPRole&ProfileForUser" the connector attribute "roles" will only consist of the role assignments which are in the identity store. All assignments in the ABAP system which are not yet in the IDS will be overwritten.
    This behaviour can be very critical. If you still allow role assignments directly in the backend system and you read these assignments e.g. once a day to the IDS - but in the meantime assignments have been done via workflow - you will lose data.
    My customer wants to assign roles both directly in the system and also by workflow. Every night an ABAP update job runs which writes new assignments to the IDS.
    Do you have any idea how I could solve this? Is there a way NOT to overwrite assignments with the ABAP connector field "roles"? I tried to use multivalue operator but this didn't do the trick.
    I hope I was able to describe my problem properly and you have answers...
    Best regards
    Jörn Kaplan

    No, there is no way to avoid that IdM replaces the role assignments in ABAP with the current assignments as known by IdM. IdM is the master!
    This is not directly an issue of IdM: the standard BAPIs in ABAP (up to release 7.0) offer "replace all role assignments" but not "add role assignment" or "remove role assignment".
    However, there exists an exception: role assignments in ABAP which are created indirectly by an HR-ORG assignment are not touched by IdM. (Those role assignments are displayed in blue in transaction SU01.)
    See http://help.sap.com/saphelp_nw70/helpdata/EN/50/e9683c5de8676fe10000000a114084/frameset.htm for details.
    Kind regards
    Frank Buchholz

  • SAP R/3 : Indirect Role assignments - Is position unique to every user?

    Hi.
    While I am exploring/learning SAP R/3 roles and auth, I would appreciate it if I could get clarity on the following:
    This link on SDN on indirect role assignments is very informative.
    http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/f03e6f6c-8c16-2a10-1581-ed8812e2effe
    This link is also more explanatory : http://my.affinitext.com/public/book/5442/-1/1423831
    So if my understanding is correct, it is better to assign roles - indirectly by position, so that if an employee's position changes, his role can be removed, based on position again ??? And somewhere we are linking with infotype 105.
    My only doubt is : if we are going to assign roles by position and remove the roles by position, so that as the position of an employee changes, the previous roles become null and void and new roles can be assigned as per new position.
    So would like to know :
    as to whether this position number which we see from PA20, is unique to every user on the system ?
    So that, if there is a need to remove a role based on position, we could remove the role from PO13;
    By doing that, then will it not affect other users?
    Can somebody help me understand this.
    Because if I want to see the effect immediately, if I go to PFUD and put the role name and say execute, I see that the role which was removed from PO13 is gone immediately from the user.
    Many thanks
    Indu
    Edited by: Indumathy Narayanan on Nov 22, 2011 9:25 AM

    GOT IT THANKS.
    Hi Prashant.
    Good morning and wishes.
    Can you please help me understand this.
    I understand from HR person that position is uniquely defined (from hire to retire)
    and roles are generally given based on position.
    However, I see a person : whose roles have been assigned as per position all these years.
    He had 2 roles in project A. He now moved into a different project B.
    But when I check, I still see the roles - reflecting on SU01 as well as in the user tab of the role X under PFCG.
    BUT when I check PO13 - and put the position / relationship and say overview,
    I don't see the roles at all there.
    Why is this so? Why the discrepancy on different screens?
    Also how can I get a confirmation that these roles are actually removed and are not there for the user.
    Rather.
    How could the removal of roles based on position become completely effective on the system.
    So that all screens display the same information.
    Also would like to know - whether it is ok to remove the role expiry date directly from PFCG/ROLE Display/user tab/select user/
    and then make the role invalid or expired / or extend the expiry.
    Many thanks.
    Indu
    Edited by: Indumathy Narayanan on Dec 7, 2011 12:09 PM
    Edited by: Indumathy Narayanan on Dec 7, 2011 1:42 PM
    Edited by: Indumathy Narayanan on Dec 7, 2011 5:17 PM

  • Participant 'userx' does not have role assignments in process '/ProcessP

    I am using Oracle BPM 10.3 MP2 Enterprise Edition
    Version: 10.3.2
    Build: #100486
    Have a process ProcessP and role RoleR.
    User 'userx' is assigned to role 'RoleR', when he tries logging into the workspace,
    getting exception message in page as below:
    "Participant 'userx' does not have role assignments in process '/ProcessP#Default-1.0'. This error usually takes place when the Process Execution Engine has not re-synchronized with the Directory Service. Try re-logging and executing the task again. If the problem persists, contact your Administrator"
    Tried deleting the user 'userx' from process admin and re-creating the user and gave role 'RoleR' but still the issue persists.
    This is working for other user 'usera', 'userb', 'userc' etc.
    Any suggestions.
    Thanks in Advance.

    Is a restart of the engine server on which ProcessP is deployed the only solution, since the error message says 'Process Execution Engine has not re-synchronized with the Directory Service.'?

  • Mass deletion of roles from users

    I want to delete all roles from locked users. Is there a specific transaction for this instead of SU10? In SU10 one has to enter the roles to remove.

    We developed our own application which locks users after a while, then removes their role assignments after a while, and then lists roles which no longer have any assignments or no one is using anything which the role authorizes.
    This way you can optimize / automate periodic controls.
    There is no standard monitoring cockpit for this, but you can use declarative system params to destroy password based authentication.
    The real trick with periodic controls is to target the sample before you unassign and destroy roles, but the ability to do that depends on how you build the roles.
    Disclaimer: If you use composite roles then you have no chance. You are doomed.. ;-)
    Cheers,
    Julius

  • Role assignments not set in ABAP but IdM indicates OK status

    Hi,
    We went live with IDM 7.2 SP8 last month. We have started to see issues with Business Role assignments in target systems. Generally, BR assignments are parsed to respective privileges and assigned correctly. Sometimes privileges in one target will get assigned but not in another target. Occasionally assigning privileges to one target does not get through either. In all cases the IdM assignment is marked as 'OK', but when we check the backend the assignment is not there. Log entries don't show any jobs triggered for the target that failed to update (and consequently there are no log entries in that target either). But why would IdM mark the specific privilege as 'OK' status -- it should either remain 'Pending' or 'Failed', but certainly not 'OK'.
    This effect is inconsistent -- it works correctly at times and fails at others -- increasingly more failures. There is nothing different about the users or environment. We see this in ECC, BW, GTS, etc. We have 36 linked prd and non-prd systems. Initially we thought this only affected prd systems, as BR's only have prd privileges and the PRD targets are load-balanced. For non-prd systems the assignments are direct privileges, not BRs, and they are not load-balanced. We are now seeing this behavior in all environments, for BR's or direct privilege assignments, in prd and non-prd targets.
    Since BR's have approvers we cannot remove BR's and re-assign in production. So for non-prd targets we have removed the privileges, those that indicated 'OK' but did not get set in the target, and reapplied -- the privileges get deleted successfully without any corresponding job being triggered and then when we re-add it the assignment goes into 'OK' status without any job being triggered.
    When we tried assigning another user the same privileges it went through fine to the target and IDM marked 'OK' -- exactly as it is supposed to work (non-prod privileges have no approvals).
    We are not able to reproduce this in our DEV environment -- the targets are non-load balanced. The assignments work consistently, both BR's and privileges.
    Has anyone seen such behavior by IdM?
    Thanks for your thoughts.
    Ashok

    Hi,
    Thanks for the suggestion. But ours was a different problem.
    The issue was with a faulty reconciliation job that had been fixed. But it had done its damage before the fix and this caused the inconsistent behavior.
    During the reconciliation job (to update changed and add new backend roles in IDM) various task trigger attributes get disabled and then re-enabled after the import. These disabled triggers did not get re-enabled for the privileges on some systems. And the reconciliation job was also delta enabled, so only new privileges, after the initial load, should have been impacted. But impact to many privileges -- all privileges of some target systems -- misled our investigation. The timing of the reconciliation job executions kind of added to the confusion and inconsistencies during the initial setup. But we finally tracked this down and wrote a custom job to fix the triggers for only the affected privileges. Assignments to all systems started to function successfully as expected.
    Best regards,
    Ashok

  • How to delete a role?

    I could not find the catalog which FCPX may keep the role.
    And I also cannot delete them within FCPX itself, so... what can I do?

    from the help system:
    Create custom roles and subroles
    You can create custom roles and subroles in addition to the five default roles (Video, Titles, Dialogue, Music, and Effects).
    Important:  Create custom roles and subroles with care. Custom roles (and the names of custom roles) cannot be edited or removed from the roles list. However, you can change the role assignments of clips at any time.

  • Missing user role assignments

    Hello Gurus,
    We have a strange issue in our ECC production environment. The role assignments for a few users are missing. The roles were assigned to these users almost a year back. The change documents do not show any record of the role assignment being deleted.
    In SU01 in display mode the profiles for the roles are still assigned to the user, but when one tries to edit the user master data the profiles also get deleted from user and the change is shown against the name of the admin who has tried to edit the user master.
    This problem is seen to happen randomly for various roles and various users.
    What could be causing such an issue?
    Thanks in advance for your replies.
    Regards,
    Subbu

    Hi Subra,
    PRGN_COMPRESS_TIME removes the expired roles. Also check USH* tables like USH02, USH04 ... for the change history.
    The role assignments for a few users are missing. The roles were assigned to these users almost a year back.
    Did you transport the roles to production properly after making changes (if any)?
    Re-transport the roles once again.
    Thanks,
    Sri

  • Deleting Expired Roles

    Hi,
    can delete expired profiles with PFCG_TIME_DEPENDENCY, but what can I do for roles with no valid date range in the user master data?
    Thanks,
    Sreekar.

    Hi,
    You may want to review notes 312943, 504412, and 313587 to see if there is any helpful information. Below is some documentation that may be helpful for others. We are going from 40B to 47 and had a few issues with role deletion.
    First, the report PFCG_TIME_DEPENDENCY is functioning as designed. It was not designed to remove activity groups.
    Second, in transaction SU10 you must have the "Valid From" and "Valid To" fields filled in with the actual dates (04/08/2002) in order to remove the invalid activity group. You need to be sure that the "Remove User" radio button is set in the role tab. In the profile tab, the "Add User" radio button is selected by default. What you have to do is go to the profile tab and select the "Remove User" radio button. You have to make sure both role and profile have the same radio button selected (i.e. remove from users). Only then when you click save, will it allow you to delete the role from user. In transaction SU10, you need to complete the following steps:
    1. Click on the Authorization data button.
    2. Enter the user's name, latimerc.
    3. Click on the execute button.
    4. Put a check in front of the user's name.
    5. Click on the transfer button.
    6. Now highlight the user.
    7. Click on the pencil button.
    8. Click on the Activity Groups tab.
    9. Enter the profile name (PM_NOTIFICATION_PROCESSOR).
    10. Enter the valid from and valid to dates (04/08/2002).
    11. Change the radio buttons to remove user from both the Activity Group and Profile Tabs.
    12. Click on the trash can.
    In another customer message the following was provided by development:
    There is no regular functionality for mass deletion of roles. But, if you want to avoid the deletion by hand or with an own created report, I would suggest the following:
    The report ZDELETE_RY_T_AGRS can delete all roles with names like 'T_....' or 'RY....'. The report gives you a list of all these roles and then deletes the selected ones. You can modify the report to get all your roles in the selection list. Therefore, you have to change the following:
    SELECT * FROM AGR_FLAGS INTO TABLE L_AGR_FLAGS
      WHERE FLAG_TYPE  = 'COLL_AGR'
        AND FLAG_VALUE = 'X'.
    SORT L_AGR_FLAGS BY AGR_NAME.
    LOOP AT SINGLE_ACTGROUPS WHERE AGR_NAME+11 <> SPACE AND        <<< delete
          ( AGR_NAME(2) = 'T_' OR AGR_NAME(2) = 'RY' ).           <<< delete
    LOOP AT SINGLE_ACTGROUPS WHERE AGR_NAME+11 <> SPACE.           <<< insert
      READ TABLE L_AGR_FLAGS WITH KEY AGR_NAME = SINGLE_ACTGROUPS-AGR_NAME
           BINARY SEARCH.
    Text from an additional customer message offers further help:
    1. Go on role tab.
    2. Select remove from user.
    3. Enter ZR.PRD.GENERIC and date : 06/04/2002 12/31/9999.
    4. Go to profile tab.
    5. Select remove from user.
    6. Save.
    7. Do the same for ZR:HR:ESS from 01/01/2002 to 12/31/9999; the worked-from date for testid was 01/01/2002 and for testid2 02/01/2002. In this case, the two assignments were deleted, and the roles were also removed from the two UMR.
    Reward points if found helpful..
    Cheers,
    Chandra Sekhar.

  • Procedure for deleting a role which is already in Production

    Hi,
    can anyone explain to me the procedure for deleting a role which is already in production?
    I want to know the procedure for deletion of
    1.single role
    2.composite role
    3.derived role
    4.parent role
    thanks,
    SSSS

    Hi,
    Role deletion must be done in the development box and the deletion must be transported to quality and production.
    For single and derived roles, create the transport request, delete the role and transport the deletion.
    For deletion of a parent role: you cannot delete the parent role unless all the derived roles within it are deleted.
    To avoid the transport of user assignment make sure PRGN_CUST is set to 'NO' value for the parameter USER_REL_IMPORT.
    Rakesh

  • How to find the user - role assignments in the database for EP6 SP9?

    L.S.,
    We have a quite specific requirement: to see which users have access to our portal environment (EP6 SP9). It does not immediately matter (though would probably still be nice to know if possible) which roles users have exactly.
    I've been looking in the database to find user-to-role assignments there, but I'm unable to find any. The closest I got is the PID field in the UME_STRINGS table, but users remain listed there even when all their portal roles are revoked afterwards. Any ideas?
    Kind Regards,
    Steven Dijkman

    hi Steven,
    Sorry, but you will have to write some code. The following lines of code will work for you.
    import java.util.Iterator;
    import com.sap.security.api.IRole;
    import com.sap.security.api.IRoleSearchFilter;
    import com.sap.security.api.ISearchResult;
    import com.sap.security.api.IUser;
    import com.sap.security.api.UMFactory;

    // Runs inside a portal component (response is the component response);
    // the UME calls throw UMException, so declare it on the enclosing method.
    IRoleSearchFilter rolefilter = UMFactory.getRoleFactory().getRoleSearchFilter();
    ISearchResult result = UMFactory.getRoleFactory().searchRoles(rolefilter);
    while (result.hasNext()) {
        String rolestr = (String) result.next();
        IRole r = UMFactory.getRoleFactory().getRole(rolestr);
        response.write(r.getDisplayName());
        response.write("<br>");
        // true: also include members inherited through nested groups
        Iterator users = r.getMembers(true);
        while (users.hasNext()) {
            String userstr = (String) users.next();
            IUser user = UMFactory.getUserFactory().getUser(userstr);
            response.write(user.getDisplayName());
            response.write("<br>");
        }
    }

  • ABAP Role Assignments stored in MSAD

    Hi all,
    unfortunately I have only found contradicting information in relation to the possibility to manage ABAP role assignments using a MS Active Directory.
    We plan to implement a WAS (ABAP) 6.40 SP14, synchronise data between the WAS and the corporate MSAD. While WAS (ABAP) is not capable of MSAD based authentication I suspect it is possible to manage the user/role assignments in MSAD. Am I right in my assumptions (see list below) that the following data entities can/cannot be managed and synchronised/stored with the WAS (ABAP) out of the box?
    WAS ABAP
    1. possible - user master data (e.g. userName, address, etc.)
    2. possible - user/role assignments
    3. not possible - user passwords (however, can be bypassed through SSO based on NTLM)
    Portal UME
    1. possible  - user master data
    2. possible - user password
    3. possible - role/group assignments
    4. possible - group/user assignments
    5. possible - user/group assignments
    6. possible - user/role assignments
    Thanks for the help!!
    Cheers Stefan

  • Delete request / role in ERM GRC 5.3

    Hi All
    I have a Role in ERM that I need to delete. Buuut, Role deletion is not possible; it has been sent for approval.
    In CUP we have already deleted all requests (following the instructions in the SAP note) and there is not any request in the system.
    The problem is that I can't delete this role from ERM because it has been sent for approval, but I can't find the request in CUP or ERM. What can I do? Please, help me !!
    Thanks in Advance.
    David. ..

    Hi David,
    I had the same problem when I wanted to create a new role.
    Confirm in the Approval stage which user you assign as approver. The system doesn't check if this user exists.
    If this user doesn't exist, the only possibility to delete the role is to create a new UME user with this user, give it the necessary roles and log in to CUP to delete the role.
    I hope this helps you,
    Sergio

  • Create , delete "security roles" in weblogic console - sample Security providers

    Hi Everyone:
    Weblogic gave out sample Security Providers for version 7.0 and 8.1. In
    those sample Security Providers, the author of the code used property files as
    the Security Provider database; however, he/she didn't show how to create a
    Manageable Sample Role Mapping Provider or Manageable Sample Authentication
    Provider so that an administrator of the weblogic console can create and delete
    "security roles" in the weblogic console.
    Does anyone know how to do that?
    Ming Qin

    "ming qin" <[email protected]> wrote in message news:[email protected]...
    > Hi Everyone:
    > Weblogic gave out sample Security Providers for version 7.0 and 8.1. In
    > those sample Security Providers, the author of the code used property files as
    > the Security Provider database; however, he/she didn't show how to create a
    > Manageable Sample Role Mapping Provider or Manageable Sample Authentication
    > Provider so that an administrator of the weblogic console can create and delete
    > "security roles" in the weblogic console.
    > Does anyone know how to do that?
    I would ask in the weblogic.developer.interest.management.console newsgroup.
    >
    > Ming Qin
