EP role assignment to user id's deleted

Similar Messages

• Function module to get the roles assigned to user

  Hi to all experts,
  I need a fm to retrieve the roles assigned to user .
  if a pass sy-uname as importing parameter i should to get all the roles assigned to that particular user

  hai,
  please try this.
  /VIRSA/RE_BAPI_CREATE_ROLE- Create Roles
  /VIRSA/ROLE_ASSIGN_CUA_NH
  /VIRSA/RE_BAPI_ROLE_TO_USERS
  ASSIGN_USERS_HIERARCHY - User Assignment to Role - this is a Normal FM
  try this bapis this may work
  BAPI_USER_LOCK
  - BAPI_USER_PROFILES_ASSIGN
  - BAPI_USER_LOCPROFILES_ASSIGN
  - BAPI_USER_LOCACTGROUPS_ASSIGN
  - BAPI_USER_CHANGE
  - BAPI_USER_UNLOCK

• CUP 5.3 sp7.1 - 049:Role assignment to user not executed completely

  Hello Experts,
  Message received in audit information:
  049:Role assignment to user not executed completely
  Can anyone help me with why I am receiving this message?
  =[],id=6129,reqNo=201000139,actionDate=Tue Oct 19 10:40:27 EDT 2010,action=ROLE_PROVISIONING_FAILED,userId=U03776,path=,stage=,actionValue=PR4-300,description=049:Role assignment to user U10025 not executed

  Hi,
  Check that the connector that you have created is working fine and also the user ID that you are using in the backend system is within the valditiy date and all the required authorizations.
  Use remote login and ensure that the user can login with out any issues and has all the required authorizations.
  Rgds,
  Raghu

• Table name to find out roles assigned to USER !!

  Hi BW Gurus,
  i want to find out all the roles assigned to users , i check in tables USR01, USR02 , USR21, and ADRP ...... i got first name , last name , account number . BUT I NEED ROLES . can anyone kindly help me ,since otherwise i have to copy paste all manaully which takes more time...
  100% points are assingned
  SHERWIN

  Hello,
  Check in this tables:
  AGR_USERS - Assignment of roles to users
  AGR_USERT - Assignment of roles to users
  AGR_PROF - Profile name for role
  AGR_AGRS - Roles in composite roles
  Assign points if this helps
  Regards,
  Jorge Diogo

• Role assignment to user in child system

  Hi,
  We have a CUA with role assignment in SCUM defined as global. There is any way of assigning roles to users in child system when CUA system is not available? There is any way to allow roles assignement  in both Parent and  child systems?
  Many thanks for your help!!
  Raquel

  One way would be to temporarily delete the CUA assignment in the child and then maintain locally, but you will need to attach it again... and decide whether you want the CUA master to know about what you have done.
  Plan B on older Support Packs is to take a look at the correction instructions of [SAP Note 1504495|https://service.sap.com/sap/support/notes/1504495] but for this you need full access () to the S_USER objects, in which case you could detatch the CUA anyway.
  However as a temporary workaround in Test systems it could have been usefull.
  Plan C: Allow reference user assignments locally and authorize the role indirectly. Via the available authorizations of and access to the reference users you can then contain the scenario. Works fine for me if the concept of reference users is understood.
  However in most cases you should do it via the CUA and will end up doing this anyway via the CUA - that is what you have a CUA for. So... logon to your CUA in the morning, give the SAPGui scheme a nice bright colour and administrate the users and role assignments there. This is a small price to pay compared to not having a CUA or IdM...
  Cheers,
  Julius

• Report to see user type and roles assigned to users in EP?

  Hi,
  a) Is there any reporting mechanism in EP? Any specific report which throws up user types and roles assigned to the users? There is an option of 'Export' in the user management role but unfortunately it does not give information on User Type.
  b) If  the group is assigned a role, How can we see ( in any report) the roles assigned to a group? In the 'export' option of the 'User Management' this information does not come.

  By default Portal UME comes along with the installation of portal.
  Sometimes we may integrate external users using LDAP. At that time users come from ABAP stack or some active directories.  But you can also create users in the portal UME.  The purpose of using LDAP is to maintain the users centrally rather than creating again in portal.
  You can check them in user administration->identity management and search for the users.
  THere you can see some users will be from UME and some from LDAP.
  User Admin tool is nothing but User Administration only.
  Raghu

• OBPM 10gR3 Dynamic Role Assignment at user login

  Hi,
  For all the great integration with LDAP in 10gR3, unfortunately, the system is unable to deal with dynamically-defined LDAP groups.
  Our goal is to apply a BPM Role to ALL humans defined in our LDAP.
  All humans happen to already be defined by a dynamically-defined LDAP group called 'AllPeople'.
  It would have been perfect if we could simply assign our BPM Role, 'Employee', to the LDAP group, 'AllPeople'. Sadly you can't (one for the next release pls).
  So as a workaround, what we want to do instead is assign the BPM Role 'Employee' to each individual user dynamically when they first login.
  Since the FDI library is useless outside of a BPM context (you'll find that some of the familiar methods of RoleAssignment are missing), We opted to create an actual BPM process to conduct role assignments, and we would then trigger it via PAPI.
  The question then was, where/when do we invoke the process such that it does the role assignment quickly and soon enough for the appropriate views and applications to appear in their workspace straight after login?
  We opted for a customised implementation of the SSOWorkspaceLoginInterface class.
  However, we tried making the invocation in the setupAuthenticatedSession() and the processRequest() methods but, although the role assignment was successfully done in either case, sadly the user's session was loaded without the new changes - perhaps loaded quicker than the role assignment could be fed back through the directory.
  Therefore, we dumped the invocation in the actual constuctor - and this seems to work for the most part. Yet on the odd ocassion, the role assignment is not quick enough to be realised in the user's workspace session - the user has to logout and back in before the changes are realised.
  We've even tried to get the execution to sleep for a second or two, while the PAPI thread goes about doing the role assignment - again not much success.
  So I really have 2 questions:
  1. Where during login can we make a PAPI call to do a role assignment so that it should be picked up by the time the session is created? perhaps we already are doing it in the right place.
  2. How could we refresh/request a new session cookie without explicitly logging out and back in again? Note, page refresh is not enough.
  Thanks for reading.

  Sorry for the belated response - I don't get notified of replies.
  The code for my custom SSOLoginModule class is:-
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  import java.io.FileInputStream;
  import java.io.IOException;
  import java.util.Properties;
  import fuego.workspace.security.SSOWorkspaceLoginInterface;
  import fuego.papi.Arguments;
  import fuego.papi.CommunicationException;
  import fuego.papi.InstanceInfo;
  import fuego.papi.OperationException;
  import fuego.papi.ProcessService;
  import fuego.papi.ProcessServiceSession;
  import fuego.sso.SSOLoginException;
  import fuego.sso.SSOUserLogin;
  import fuego.jsfcomponents.Util;
  import fuego.workspace.model.common.WorkspaceApplicationBean;
  public class CustomSSOWorkspaceLogin extends SSOUserLogin implements SSOWorkspaceLoginInterface {
  private ProcessService pService;
  private ProcessServiceSession pServiceSession;
  private Properties properties;
  public SSOWorkspaceDBLogin() {
  //Do the role assignment here because it works, and does not work in the ideal location of setupAuthenticatedSession method
  pService = createProcessService();
  pServiceSession = createProcessServiceSession();
  assignDefaultRole(Util.getHttpServletRequest().getRemoteUser());
  private ProcessService createProcessService() {
  return WorkspaceApplicationBean.getCurrent().getProcessService();
  private ProcessServiceSession createProcessServiceSession() {
  return pService.createSession("yourdirectoryusername","yourdirectorypassword",null);
  //This method is used to remotely invoke a BPM process to do the role assignment - no external API to do this directly!
  private void assignDefaultRole(String email) {
  try {
  String processId = "myRoleAssignmentProcessId";
  String argumentName = "argumentName"; //the name of the input argument to feed in the participant
  String argumentValue = email;
  Arguments arguments = Arguments.create();
  arguments.putArgument(argumentName, argumentValue);
  InstanceInfo instance = pServiceSession.processCreateInstance(processId, arguments);
  Long waitTime = new Long(1000);
  Long timeLimit = new Long(5000);
  boolean roleAssigned = false;
  boolean timeLimitExceeded = false;
  Long startTime = System.currentTimeMillis();
  //Allow role assignment thread to complete
  while (!roleAssigned && !timeLimitExceeded) {
  try {
  Thread.sleep(waitTime);
  if (pServiceSession.processGetInstance(instance.getId()).isCompleted()) {
  roleAssigned = true;
  if (System.currentTimeMillis() - startTime > timeLimit) {
  timeLimitExceeded = true;
  } catch (InterruptedException e) {
  e.printStackTrace();
  //close process service session
  pServiceSession.close();
  //Do not close the service itself as it is shared with the Workspace itself!
  //pService.close();
  } catch (Exception e) {
  e.printStackTrace();
  public void setupAuthenticatedSession(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse) throws SSOLoginException {
  //Unfortunately, the below does not work here because the role assignment is not fast enough
  //The result is that the user logs in but cannot see any applications because the role assignment has not been made in time.
  //Therefore, we run the below statements from the constructor - ugly but functions.
  //pService = createProcessService();
  //pServiceSession = createProcessServiceSession();
  //assignDefaultRole(httpservletrequest.getRemoteUser());
  public void processRequest(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse) throws SSOLoginException {
  }

• Role assignment to users (Change documents)

  Hi
  I was looking through the change documents for users and here i came across  "START_REPORT" under the Transaction column along with SU01 and PFCG. I was not quite sure about what this "STATUS_REPORT" was all about. I was wondering if this is a program. It certainly is not a batch coz we dont run batches here. I am trying to track down this change to the user but STATUS_REPORT is leading me nowhere....
  Any ideas?
  ravi

  Hi ravi
  Could you please explain the problem once more ?
  If you want to see the changes in the profiles of the user(which i take as one example of change documents) then you can use the transaction SUIM and there it'll give you options for change documents as below:
  1) For users
  2) For role assignment
  3) For Roles
  4) For profiles
  5) For authorizations
  and then you can choose the option you want.
  If I can help in some other way then kindly let me know.
  Cheers

• Business Role assignment to user

  Hi all,
     I am learning about the concept of  business roles in CRM. In the forum discussions I see that the business role has to be assinged to the user even though we assign the PFCG role (linked to the business role) to the user. Like SU01 where we assign pfcg role to the user, what is the transaction code to assign the business role to the user.
  Thanks.
  Neha.

  I'm going to chime in and say this question has been discussed to the detail in this forum.  If you would have done a search you would have a pretty good discussion on this topic.
  Re: Reg: Business Role
  That thread covers all your options in detail.
  Thank you,
  Stephen

• EP Role assignment to User.

  Hi,
  I have recently installed EP. When i assigned a New role Created (role i created) to a new User, The Contents assigned to that role is not getting displayed. But, when i also assign a super admin role to the user, the content of new role is getting displayed along with the content of super admin role.
  Infact, when i assign content administration role to the user, it is not geting displayed when i log in as a new user to which it is assigned. however, when i assign the super admin role to the user, the contents of content admin role is getting displayed.
  Is there any Post EP Installation setting required to solve this issue.
  Please help me in solving this issue?

  Hello Shabir,
  Initially all the contents can be viewed only if u have super_admin role. If u want to give access of any folder to a particular user, just open the permission editor of the folder and assign any particular role (say content_admin role) and select the end user checkbox.
  Now assign the user the same role u have specified in the permission editor of the folder. Then the user can view that folder.
  This will solve ur problem.
  Regards
  Deb
  [Reward points for helpful answers]

• Business Role Assignment to User by Organizational Model

  We have created the organizational model in our system where we have the levels that are tied to a specific business role. We have been manually assigning all of our users to these organizational model levels in order to have the business role assignment. I am curious if there is a program or easier way to do this than to have to create the assignment to the employee record manually in the org model.
  Any help would be greatly appreciated.
  Thanks,
  Darcie

  Hi Robert,
  maintaining the user profile directly may be easier with only a few employees but for large companies this method will end up being more maintenance intensive.
  for Org you only have to maintain it on the Org unit or position and all employees underneath will inherit the role; whether it's 2 individuals or 2000. and if the person is moved into a different position laterally or through promotion there would be no maintenance required as the information would replicate from HR (if you use/have the system) and the person would inherit the new position and role automatically.
  for User parameter if you only have 2 individuals it is easier but 2000 is too much to maintain. there is some automation but would require you to create them and run them yourself.
  pfcg at most companies do not fall under general master data maintenance and would require involvement from the security group and they often do not want to generate empty or unnecessary security/authorization profiles - the maintenance workload is shifted to them also in this case.
  regards.

• Massive portal role assign to users

  Hello, im trying to assign a portal role to almost 5000 users, as extra information, the portal has ABAP UME. How can i achieve this in a more practical way than doing it handly?
  Regards.

  Hi,
  Since UME is ABAP ,map the portal role with backend role in portal and then write some cat scripts in backend to assign the role to massive users
  Thanks
  Bala Duvvuri

• Maximum roles assignment per user

  Hi,
  I am in a security project and after role designing is done there are lot of roles designed by our functional consultants. And there are 33 company codes present in the company. And few end users are responsible for 20 company codes, So when I saw per user more then 450 deriroles created. Now my question is can I assign 450 roles to a user?
  As far as I know 312 roles can be assigned to user max. But is there any profile parameter available in SAP so that I can assign more then default maximum roles.
  Thanks,
  Sudip

  An auditor once had the task to audit a system of "mine" and ended up going for speculation about improvement possibilities in his presentation to the CIO (who was originally an ABAP developer when he started in the company!)
  <blabla>The overall security of the roles could be improved by using composite roles to reduce the number of roles (okay... you can use "personalization" attached to composites...) and therefore profiles assigned to the users. This will (apparently) make maintenance easier (I think he wanted to derive the composites?) and produce less SoD conflicts requiring mitigating controls, thereby avoiding long debates with the auditors each time.</blabla>
  I let him walk into that one on his own steam... the resultant discussion was like a Montypython scene, or possibly even Blackadder...
  Cheers,
  Julius
  ps: Regarding [my hat|http://www.google.ch/imgres?imgurl=http://www.chocolates-ala-carte.com/look/news/candy_mag_feb07/c_i_hat.jpg&imgrefurl=http://www.chocolates-ala-carte.com/look/news/candy_mag_feb07/index.html&usg=__m6YWntia9g543IgeOxZBu_JYSSw=&h=361&w=458&sz=137&hl=de&start=0&zoom=1&tbnid=GQ3eRe-oXx12_M:&tbnh=135&tbnw=172&ei=WkltTc_-Aoa6vwOflpm5BA&prev=/images%3Fq%3Dchocolate%2BAND%2Bhat%26um%3D1%26hl%3Dde%26rlz%3D1R2ADSA_deCH392%26biw%3D1259%26bih%3D544%26tbs%3Disch:1&um=1&itbs=1&iact=hc&vpx=126&vpy=74&dur=9750&hovh=199&hovw=253&tx=143&ty=108&oei=WkltTc_-Aoa6vwOflpm5BA&page=1&ndsp=21&ved=1t:429,r:0,s:0]: easter is around the corner.
  pps:
  If someone can convince me that it's a good idea to increase the max number then I will eat Julius' hat
  Actually I can smell blood in the water here via object K_REPO_CCA... 
  Edited by: Julius Bussche on Mar 1, 2011 8:40 PM

• Ran CATT Script for the role assignment to users

  Hi All,
  I have ran ECATT script for doing role assignment in QAS and completed successfully. I did this through CUA. What is the next step after running catt script? Do I need to doing anything with PFUD in each child system? Because I checked in the child systems many derived single roles are not generated in QAS.(RED). Is it because of running catt script or it might have came like that only from development? Please advise..
  Regards,
  Masood

  >
  Salman123 wrote:
  > Please let me know how should I proceed from here
  Hi,
  I have told you why the error message is there.  What do you not understand about the resolution? Your parent roles are out of sync with the child roles so you need to re-sync them.   An example of how do do this is to "adjust derived" from the master role.  Only when you have done this will your roles be in sync again.

• Role Assignement to USER ID

  Hi,
  In our system structural(indirect) authorization is maintained, business needs to convert to direct assignment.
  For this I required any FM or BAPI to assign mass roles to user id without changing the current assignment.
  I found a one bapi "BAPI_USER_ACTGROUPS_ASSIGN" but it  will overwrite the existing assignment.
  is there any way to do?
  Thanks & Regards,
  Arpit Shah

  Hello Arpit,
  Step 1. Use the BAPI 'BAPI_USER_GET_DETAIL' to get the ACTIVITYGROUPS.
  Step 2. You can then insert / update / delete records(as per your requirement) from the ACTIVITYGROUPS table & pass to BAPI_USER_ACTGROUPS_ASSIGN.
  BR,
  Suhas