Deleting roles from CUP

Similar Messages

• Deleting roles from GRC AC CUP

  Hi
  We had GRC 5.3 installed with SP05. We have archived all our existing requests and are trying to delete some of the roles from CUP. However when trying to delete the role it is giving a message "Cannot delete because this is referenced by request". Is there something else which i need to take care of? Will application of latest support packs help in this situation?
  Appreciate your help regarding the same.
  Thank you.
  Anjan Pandey

  Hi Anajan,
  I feel some requests are still exist in GRC CUP for that particler role. Please follow the below steps and try to delete the Role  again.
  Go to  CUP configuration tab  > click on Request option under the workflow> choose deleting requests > next> then its asks to delete all requests and then choose Submit option.
  once you click on submit button, you will get the message all existing requests are deleted with Job id.
  finally go to the Roles and delete the required roles form the GRC CUP.
  Regards,
  Arjuna.

• Unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest

  unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest

  Hi,
  For SU01 role removal, you do not need S_USER_AGR with 02, and as you mentioned both authorizations available in production, if so trace should not show you the S_USER_AGR with 02 with RC=04.
  I would recommend to do role comparison for the user performing the activity. and then check if you have the S_USER_AGR with 02 in user buffer SU56.
  But ideally it should not ask you S_USER_AGR for 02 through SU01, so please take help of abaper to debug it.
  Also put trace in non-prd to see if S_USER_AGR is getting checked with 02 for removal through SU01.
  BR,
  Mangesh

• Deleting roles from multiple users simultaneously

  I need to delete all of the roles from multiple users and I was wondering if anyone knows of a way to do it simultaneously other than  a Mercury script(it wont take the roles away that are lower than the initial 20)?

  Hi there,
  there could be easier ways to do it, but this is how I'd go about it if I didn't want to go to each user ID.
  Get a list of all roles assigned to your users you want to restrict from SUIM (display the list of users via tcode S_BCE_68001400).  Click on the 'roles' button and it will pull up a list of all the roles assigned to those users.  Extract and save that).
  Filter the list so you have only one entry of each role name.
  Then go to SU10, enter in all your user IDs to change and go to the role tab, enter the unique list and put wide dates on it say from 01.01.1995 - 31.12.9999 (you want them earlier than the earliest role 'valid from' date and later than the latest role 'valid to' assignment).
  Click the 'Remove' box and save and you should have all roles removed.
  Good luck with it.
  Cheers,
  Dianne

• Deleting role from BP

  Hi Experts,
  I am using CRM 4.0.
  I have mistakenly assigned a role to a BP and i have saved it.
  How can I remove/delete this role from the BP.?
  Please help.
  Many thanks,
  Neeraj

  Hi,
  Actually you should not be deleting a role assigned to the BP. Here is the explanation.
  Explanations and reasons are following:
  1. Role is not a characteristic of BP, and not also not a field value which can be stored and changed.
  2. Technically, Role is a dynamical link to the group of BP subscreens in
      the table BUT100, this is an only place where this Role is presented
      physically.
  3. This value is not shown anywhere, and used only by a
      transaction BP for internal purposes.
  4. But even after usage of some solution for doing it, nothing can prevent
     automatical detection. That means, if you maintain some BP data, which
     is enough for some particular role, this role will be marked as
     maintained anyway.
  5. This is not an only side effect, which can not be resolved. Kindly
      remember, that actual BP Data is not changed by changing a Role. That
      means, that after deleting of a Role, which provides an access to some
      Role-specific data, this data won't be deleted, just hided from user in
      transaction BP.
  In this case, when some program will request for this data, it will
  receive it without a problem, and potentially this program can determine
  this BP incorrectly.
  Also, when somebody switch a Role for this BP to the "deleted", already maintained data will "suddenly" appear. The same can happen, if this data is shared between several BP Roles (like Sales Area data for Ship-to party and Sold-to Party) - after switching to another Role, data
  for "deleted" Role will appear again.
  If you need further information kindly refer to note 596334.
  Hope this helps.
  Venkat

• Unable to delete role from a project

  hi
  i added a role to a project.   i staffed it with a resource.  Now when i try to remove this staffing.. i get the message
  "Cannot delete project role staffing"
  the help is as follows
  Cannot delete project role staffing
  Message no. DPR_BUPA_LINK020
  Diagnosis
  You are trying to delete a staffing. However, the resource of this staffing is entered as a responsible resource for at least one project element or is assigned to at least one task. The status of the assigned project element does not permit changes. This means that the links cannot be deleted and therefore, the actual staffing cannot be deleted either.
  System Response
  The system does not delete the project role staffing and issues appropriate messages.
  Procedure
  Reset the status of the assigned project element so that the changes can be made.
  Make sure that the links are removed by authorized users or obtain the relevant authorization from your system administrator.
  But i have added the role and staffed it afresh.  i am also not able to delete any newly added roles.
  Pls suggest!
  Regards,
  Sujata.

  Hi,
  Have u tried by following dignosis solution given in message help. Please try by removing the responsible resource from basic data tab of phase or task for which the person is assigned. also check the status of task or phase for which he is assigned as responsible person. if the perticualar task is complete then I beleive tht u will not be able to remove responsible person.
  Pramod

• Error Provisioning the Federated roles from CUP to enterprise portal

  Hi Gurus,
  Need help. I am trying to provision the roles to enterprise portal using GRC CUP. I have created the connectors and field mapping and the connection is successful. We have a enterprise portal with producer consumer relation ship. The Enterprise portal acts as consumer for the BI portal. The BI portal Roles are federated to Enterprise portal and i get an error "noSuchIdentifier" when I try to provision the federated BI Portal role on the Enterprise portal. I can successfully provision the local portal roles and UME roles on the enterprise portal. I get the error only when trying to provision the roles which are from BI portal.
  Appreciate any help, in this regards.
  Thanks,
  Pavan

  Hi Alma,
  This is one of the security issue.We had faced it sometime back.We searched some CSN's and found a solution.
  Go to Service Market palce and download the latest Cryptographic Tool kit (Service Market place---->software downloads)
  You will get a sca/sda something like tc/iaik./security(something like this)
  Deploy this on to your instance using your SDM.
  After that,Restart the Portal patching.It will go fine.
  reward points if helpful................

• Transport Deleted Roles

  Hi
  I would like to get some information regarding transport of deleted roles from one system to another.
  For some reason we have a set of derived roles in PRD (Around 12) and dont have it in QA.
  I would like to have the same created in the QA. After that I would like to delete all these derived roles in QA. I would like to have the changes cascaded to production  as well.
  My question here is that Since i am going to delete these derived roles I do not want to go through the trouble of assigning the exact authorizations for these derived roles (as what is present in PRD) coz doing so would consume a lot of time. I would just like to create the child roles (with the same name as its in PRD) and then I would like to cascade the deletion.  Is that possible ? How ?
  Is it sufficient to just have a role by the same name (without all the authorization data) and do a cascade delete ?
  Should you have some reference document which can be shared please do so.
  Please advise
  best regards
  Ravi
  Note: I am not using Central User Administration.

  Hi ,
  The roles ( the main role and the derieved roles will also be downloaded ) can be downloaded  from the PRD by using the T code PFCG -
  > utilities -
  > mass download or role----> download from the menu bar onto the desktop and log on to QA and and again use PFCG  Transacion then uploaded from role   -
  >  upload  after which the roles uploaded need to be generated .
  This will have all the roles in the QA system with the derieved roles as well and  if the roles are deleted in the QA and then if the main role is again uploaded to PRD the it will overide the existing roles with the new ones from QA with all the new changes done in QA .
  Hope i am not missing anything ,
  Regards,
  Sagar

• Deletion of mass roles from GRC CUP 5.3

  Dear All,
  I have requirement to delete 1000 roles from GRC CUP 5.3.
  I can see option to delete the roles individually under "search role" option but I am not able to find option to delete mass roles.
  Please advice.
  Regards
  Trinadh Bokka

  Hello Trinadh,
  It is not possible to delete all the roles at once through the User Interface. However, you can select a lot of roles at the same time by searching for a role pattern. For example, retrieve all roles starting with Z*:
  Hope it helps,
  Fernando

• CUP - Unable to assign and delete role at the same time

  Hello everybody,
  I have an issue with CUP.
  Regarding a change account request, if I assign roles, it works. In the other hand, if I delete roles (also with a change account request) it works too. But if I mix both of them in the same request (assigning and deleting roles) it doesn't works. Only the deletion works. Some times we have no error message and some times we have:
  Error provisioning your request. Request no: 94. Error occurred in the system(s) : n/a, error details :
  DR1CLNT200-ZTEST01-USER CREATE-Function template /VIRSA/BAPI_USER_CHANGE could not be retrieved from DR1CLNT200
  Do you have please an idea to solve this issue?
  For information the CUP used is a 5.3 SP 5.0 version.
  Thanks in advance for any help.
  BMW

  Hi Ben,
  There may be a possibility of such a behaviour in SP05 as many of the changes in code has been done
  till now which may result into such issue and we can't confirm your findings by re-creating it. However, you can check few things functionally which may resolve this issue:-
  1) This error usually comes when the role selected is already assigned to the user or user doesn't exist in the system for which change request is created.
  2) when this error encounters the system, please take the system logs for that time from 'Monitoring' tab under configuration in 'English' and there the error cause can be found out or please paste the logs so that we can analyse.
  3) Also, you can refer to SAP Note:- 1168508 where many of the role related issues have been resolved after SP05, therefore, for smooth functioning of GRC-CUP 5.3, it's better to upgrade to the latest SP i.e. SP18.11(available at SMP).
  Best Regards,
  Akhil Chopra

• Deleting photos from the camera rol but not from photostream

  When deleting photos from the camera rol, sometimes the delete action triggers the deletion of the photo in the photostream as well, sometimes not.  What triggers this and how to prevent the photo to be deleted from the photostream as well ?

  My Photo Stream FAQ - Apple Support
  Get help using My Photo Stream - Apple Support

• I have a photo in an album and in camera roll. I am trying to delete the photo from the camera rol and the only option that i get is : delete everywhere?     Noooooo i just want to delete it from camera roll!!!!!

  I have the same photo in an album and in camera roll. I am trying to delete the photo from the camera rol and the only option that i get is : delete everywhere?     Noooooo i just want to delete it from camera roll!!!!!

  The way that I understand that it works, is that the photos are not copied into the new albums, instead it just points to the photos - the number of photos on the iPad in Settings > General > About doesn't increase when you create new album so I assume from that that it isn't copying the photo, just pointing to it. So if you delete the photo from the camera roll you will therefore also be deleting all the pointers to it

• Mass deletion of roles from users

  I want to delete all roles from locked users. Is there a specific transaction for this instead of SU10? In SU10 one has to enter the roles to remove.

  We developed our own application which locks users after a while, then removes their role assignments after a while, and then lists roles which no longer have any assignments or no one is using anything which the role authorizes.
  This way you can optimize / automate periodic controls.
  There is no standard monitoring cockpit for this, but you can use declaritive system params to destroy password based authentication.
  The real trick with periodic controls is to target the sample before you unassign and destroy roles, but the ability to do that depends on how you buikd the roles.
  Disclaimer: If you use composite roles then you have no chance. You are doomed.. ;-)
  Cheers,
  Julius

• Delete Role Assignments directly from an ABAP System

  Hi folks!
  I'm working on a synchronization job and I have a particular challenge, delete Roles assigned to a user in the ABAP System.
  Our use case is this: IDM is regarded as the authoritative source and as such if the user has a privilege in IDM, it should be in the backend.  Easy enough!
  However if the privilege is not in IDM but is in the back-end, it needs to be removed.  Is there a way to do this in IDM? From what I saw in the Framework, we are assuming that the role already exists in IDM.
  I suppose the work around would be to assign and then remove the matching privilege in IDM, but I really don't like that at all, for a number of reasons.
  I looked in the business suite and plain ABAP portions of the framework.  I'll take a more detailed look and also check the RDS, but I get the feeling this will be a toughie.
  Thanks for your help!
  Matt

  Hello Matt,
  so you want to remove local administrated role?
  If the object really is to undo the local administration, I would do this:
  Create a batch job, the passes would be a FromSAP, a ToGeneric and one/two ToSAP
  At first a cleaning pass (the ToGeneric one) which fixes all incorrect assigned privs (re-add directly or remove, depends on what you want/need). The source tab query and destination tab script have to be written though (I guess that is the most time consuming part of the job during implementation)
  The pending privs have to be considered in the provisioning script (I would prefer our own written script over the SAP delivered anytime)
  Copy the Read ABAP pass for users. Remove everything but the logonuid and the role assignments (profile assignments only if needed, too). Maybe use a different table name like sap<repName>userAssignRecon. If the system is very large, this pass has to be optimized filters
  Copy the role provisioning pass from the in-use plugin (SAP or adjusted one) and adjust it like this:
  Source tab query: A query which selects all mskeys of users that have more assigned in the sap table as in the link view. Using the Identity Store so everything of the identity is selected
  Destination tab: Remove the profiles as you haven't mentioned them. If needed I would do the same for profiles as for the roles in a second pass with the profileAssign table.
  Best regards
  Dominik

• Mass deletion of SAP roles from users

  Hello All,
  i need to delete all assinged roles from a big number of users. I know the users but not the roles which the users have. I need to delete all roles from the users-id's.
  I know SU10 and i can select all my needed users. But in the role tab i can not work with roles-names like Z* to delete. I can select all z*-roles and select "remove" but when i click to save, i get the message no changes made on the users???
  Any idea?
  Gruß
  Toni

  Hi David.
  David Berry wrote:
  I take it this is being run in PRD? What checks are being carried out during the table entry deletions and are you 100% happy sitting at your keyboard when pressing the 'run' button?
  Changes are made in PRD. The program was tested and is approved by each customer.
  Is there an easy way back to the previous state should it go wrong and how do you explain it to the auditors if needed that you assigned-number of roles in PRD against your own user ID possibly with no CDHDR/CSDPOS entries to back you up.
  Sorry for the 'negative vibes' but I don't like direct table maintenance in PRD for security.
  Best wishes
  David
  The way back is uploading the old role assignment previously exported from AGR_USERS. The program takes an excel sheet. In addition this excel sheet is attached to the change requests.
  From risk perspective we say (and experienced): mass changes through copy and paste lead to much more errors and faulty authorizations.
  Regarding direct table maintenance: standard function modules are used (like the one mentioned above) and the changes are visible in the change documents, Therefore the auditors grant an exception for using such tools.
  Cheers, Tobias