Fetch Admin Roles from User Object

Similar Messages

• Unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest

  unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest

  Hi,
  For SU01 role removal, you do not need S_USER_AGR with 02, and as you mentioned both authorizations available in production, if so trace should not show you the S_USER_AGR with 02 with RC=04.
  I would recommend to do role comparison for the user performing the activity. and then check if you have the S_USER_AGR with 02 in user buffer SU56.
  But ideally it should not ask you S_USER_AGR for 02 through SU01, so please take help of abaper to debug it.
  Also put trace in non-prd to see if S_USER_AGR is getting checked with 02 for removal through SU01.
  BR,
  Mangesh

• How to copy and remove admin Role from SAP_ALL profile

  Hi SDN Experts,
  I need to copy SAP_ALL profile to another in CRM 5.0 system, thereafter i need to remove admin Role from SAP_ALL profile. Can any help regarding this point..
  regds
  gcp

  Chandra,
  I saw ur post in this forum regarding configuring sap intergration with genesys gplus adapter. We are in need of the same configuration. Can you please help me in configuring sap phone for gplus adapter. Reply me on [email protected]
  Thanks in Advance

• Revoke roles from users

  I want to revoke a number of roles from users. What I found is if one or more roles were not granted to the user before, then the whole 'revoke' statement will fail, i.e. the granted roles will not be revoked from the user. Is there a way to let the statement revoke the granted roles even though there may be some roles were not granted. For example;
  REVOKE role1,role2,role3 from user;
  I want to revoke role1 and role2 even though role3 were not granted to the user.

  Why don't you test this yourself?
  satyaki>
  satyaki>select * from v$Version;
  BANNER
  Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Prod
  PL/SQL Release 10.2.0.3.0 - Production
  CORE    10.2.0.3.0      Production
  TNS for 32-bit Windows: Version 10.2.0.3.0 - Production
  NLSRTL Version 10.2.0.3.0 - Production
  Elapsed: 00:00:00.98
  satyaki>
  satyaki>
  satyaki>
  satyaki>
  satyaki>create role r1;
  Role created.
  Elapsed: 00:00:01.80
  satyaki>
  satyaki>
  satyaki>GRANT select  ON emp   TO r1;
  Grant succeeded.
  Elapsed: 00:00:00.51
  satyaki>
  satyaki>
  satyaki>create role r2;
  Role created.
  Elapsed: 00:00:00.02
  satyaki>
  satyaki>grant update on emp to r2;
  Grant succeeded.
  Elapsed: 00:00:00.05
  satyaki>
  satyaki>
  satyaki>grant r1 to hr;
  Grant succeeded.
  Elapsed: 00:00:00.17
  satyaki>
  satyaki>grant r2 to titan;
  Grant succeeded.
  Elapsed: 00:00:00.07
  satyaki>
  satyaki>
  satyaki>revoke r2 from hr;
  revoke r2 from hr
  ERROR at line 1:
  ORA-01951: ROLE 'R2' not granted to 'HR'
  Elapsed: 00:00:00.12
  satyaki>
  satyaki>Regards.
  Satyaki De.

• Remove role from user

  HI how do i remove a role from a user when he id terminated or disabled.
  I am assigning a role in the following way during creation with the help of a rule
  <setvar name='newuser.waveset.roles'>
  <filterdup>
  <appendAll>
  <ref>accounts[Lighthouse].roles</ref>
  <s>General-Provision-Role</s>
  <rule name='Get Location Role'>
  <argument name='LocationCode' value='$(newuser.global.LocationCode)'/>
  </rule>
  </appendAll>
  </filterdup>
  </setvar>
  How do I remove this role when termination of user.

  We looking for a way to automate the removing of a user (US) or role (AG) from a position (S).
  There is a report called RHGRENZ2 which can be used to delimit specific OM infotypes (like IT1001- Relationships) specifying the end-date and Position ID (Object Type S and Object ID= Position) manually. In your case, I believe IT1001's Relationship A008 and B007 have to be delimited in order to remove a user (US) or role (AG) from a position (S) but this report cannot be run for specific relationship types of IT1001 (atleast I did never find an option to filter based on relationship types).
  You can try using report RHRHDL00 to delete IT1001 relationships from PP Database but you should consider the consequences of such deletions and restrict the selection based in infotypes and relationship types carefully.
  Alternatively, you can also build a LSMW script to automate the process of mass delimit/deletion of IT1001's relationship types using transaction PP02 (PP01 is not compatible to BDC/background processing)
  Thanks
  Sandipan

• Help required for linking Organization Admin Roles to User Profile in R2

  Hi,
  We are using OIM 11.1.2.0 (Without any patch).
  Current Requirement:
  We have requirement to provide search capability to end users to search/see users of other Organizations in OIM.
  For example: I belong to Org1: UK, So OOTB OIM just support searching/viewing profile of UK Organization users. I can not search/view user info of Org2: Italy.
  To overcome this issue,Oracle has suggested us to add both the following roles in order to see user information of other organization.
  • User Viewer
  • Organization Viewer
  After just logged in using xelsysadm, I can able to assign Admin Roles of each organization to end users.
  We want some API info/ how to automate this assignment to Admin Roles(Which are available to Organization) to end users?
  We went through the APIs available for OIM 11.1.2.0, but could not find any API related to Admin Roles of OIM.
  Please suggest.
  Regards,
  J

  Hi,
  Has any one implemented this method?
  addAdminRoleMembership(oracle.iam.platform.authopss.vo.AdminRoleMembership membership) Add a admin role membership.
  Regards,
  J

• Mass deletion of roles from users

  I want to delete all roles from locked users. Is there a specific transaction for this instead of SU10? In SU10 one has to enter the roles to remove.

  We developed our own application which locks users after a while, then removes their role assignments after a while, and then lists roles which no longer have any assignments or no one is using anything which the role authorizes.
  This way you can optimize / automate periodic controls.
  There is no standard monitoring cockpit for this, but you can use declaritive system params to destroy password based authentication.
  The real trick with periodic controls is to target the sample before you unassign and destroy roles, but the ability to do that depends on how you buikd the roles.
  Disclaimer: If you use composite roles then you have no chance. You are doomed.. ;-)
  Cheers,
  Julius

• Remove roles from users

  Hi All,
  I would like to ask what can I do if I would like to remove multiple roles from ALL users in the system?
  Normally, for a list of users , I use SU10 to do it.
  However, since there are 1 thousand something users in the system, is there a more efficient way to do it?
  Thanks for your help.
  Regards,
  Chris

  Thanks.
  I would say, in my case, it's the best to use PFCG sinceI only need to remove 3X something roles from them. (I don't know which users have those particular roles, the only thing I need to do is to make sure that the 3X roles have no corresponding users).
  Thanks again !
  Regards,
  Chris

• Mass deletion of SAP roles from users

  Hello All,
  i need to delete all assinged roles from a big number of users. I know the users but not the roles which the users have. I need to delete all roles from the users-id's.
  I know SU10 and i can select all my needed users. But in the role tab i can not work with roles-names like Z* to delete. I can select all z*-roles and select "remove" but when i click to save, i get the message no changes made on the users???
  Any idea?
  Gruß
  Toni

  Hi David.
  David Berry wrote:
  I take it this is being run in PRD? What checks are being carried out during the table entry deletions and are you 100% happy sitting at your keyboard when pressing the 'run' button?
  Changes are made in PRD. The program was tested and is approved by each customer.
  Is there an easy way back to the previous state should it go wrong and how do you explain it to the auditors if needed that you assigned-number of roles in PRD against your own user ID possibly with no CDHDR/CSDPOS entries to back you up.
  Sorry for the 'negative vibes' but I don't like direct table maintenance in PRD for security.
  Best wishes
  David
  The way back is uploading the old role assignment previously exported from AGR_USERS. The program takes an excel sheet. In addition this excel sheet is attached to the change requests.
  From risk perspective we say (and experienced): mass changes through copy and paste lead to much more errors and faulty authorizations.
  Regarding direct table maintenance: standard function modules are used (like the one mentioned above) and the changes are visible in the change documents, Therefore the auditors grant an exception for using such tools.
  Cheers, Tobias

• Exchange 2003 - bulk create smtp contacts from user objects, bulk forward to smtp contacts, bulk turn off forwarding

  Exchange 2003 running on Windows server 2003.  ~50 Users all in same OU on same domain with primary email address [email protected]  objective is to create smtp contacts from each of the user objects imported back into the same domain in
  a different OU with mail, targetAddress, proxyAddresses/SMTP on the contacts being [email protected] and the options 'automatically update email addresses based on recipient policy' disabled and hidden from GAL for all.   At a later time will require
  a method to bulk forward all of the user objects to their corresponding  [email protected] contact object and a way to to bulk disable the forwarding at a later time.   
  ldifde created the contacts via export/import but Exchange seems to like rewriting the mail & proxyaddresses  or replacing domain2.com with one of the internal recipient policy domains requiring manual change in AD.
  ldifde -f export-01.ldf -s dc1.domain1.com -d "OU=Users,OU=people,DC=domain1,DC=com" -r "(&(objectCategory=person)(objectClass=user)(givenname=*))" -l "cn,givenName,objectclass,samAccountName,mail,physicalDeliveryOfficeName,displayName,name,description,sn,targetAddress"
  ldifde -i -f import-test-01.ldf -s dc1.domain1.com
  I'm then using ADModify.net to bulk modify hide from address lists attribute and correct the mail, targetaddress, proxyaddress attributes, possibly forwarding as well.  The process is clunky compared to something like powershell on Exchange 2010. 
  Am I going about this the wrong way?

  users will remain on the domain.  decommissioning or altering access to the old mailboxes until some point post-migration would be unwanted so there's a fallback method in case anything goes wrong.  until testing reveals a better method, the strategy
  for Exchange 2003 / Server 2003 environment will remain as is for now using ldifde export of select user object attributes followed by ldifde import of select attributes to contact objects, followed by admodify.net / admodcmd updating of the necessary mail/exchange
  attributes via %’mailNickName’% similar to what's described below to forward internal mail to the external host.
  Using ADModify to Change Exchange Specific AD User Attributes in Bulk
  Using ADModify – A real world example

• Access admin share from Users account. UAC into admin.

  Server 2012 R2 domain.
  I want USERS to be able to UAC into Admins and access Admins shares.
  To be clear: I want to type \\svr1.horse.local\c$ from a USER account without Admin rights, to be able to access that share.
  I have added LocalAccountTokenFilterPolicy, and set it to 1. No difference, and yes I have restarted. :)

  Hi,
  Another way to access Administrative Shares is to Disable UAC Admin Approval mode for all administrator accounts.
  Checkout the below link for article on Access Denied for Admin Shares, Disabling the UAC restrictions and Disabling UAC Admin Approval mode,
  http://4sysops.com/archives/access-denied-to-administrative-admin-shares-in-windows-8/ 
  Regards,
  Gopi
  JiJi
  Technologies

• Networking dual network logins and cant remove admin status from user

  Hi
  I hope someone can help.  From my the computer management\system tools\shared folders\open sessions\ on our server admin panel,  I have 3 users logged in as admin or administrator and they shouldn't
  be, they should be logged as their own user.  The user rights as dictated by the server is all correct but this is bugging me and the other users are all ok.
  On another point, how do I have some users replicated, in one case i have one user on  4 times, twice  as HB1-Andy and HB1-ANDY ?
  Hope someone can help as this has got me completely confused.
  I tried to do a screen shot but the forum wouldn't allow it until the account was verified.
  Many thanks

  Hi,
  Was your computer in the domain environment?
  Did you refer to Computer Management\System Tools\Shared Folders\Sessions of your local computer or your Server?
  From client, we just could see the following status:
  How did you know If they access the shared folder as admin？
  If I misunderstand you, please correct me.
  Karen Hu
  TechNet Community Support

• Fetching DBMS_OUTPUT statements in user objects

  My procedure/s contains lot of dbms_output statments.I want to fetch all the dbms_output statments in a procedure.pls suggest.
  for example:My procedure is
  PROCEDURE TEST_PROC(VAR_TEAM_ID VARCHAR2)
  AS
  VAR_NUM NUMBER;
  VAR_MAX NUMBER;
  BEGIN
  SELECT NVL(COUNT(*),0) INTO VAR_NUM FROM PROJ_INFO
  WHERE TEAM_MEMBER_ID=VAR_TEAM_ID;
  IF VAR_NUM > 0 THEN
  SELECT MAX(PROJECT_ID) INTO VAR_MAX FROM PROJ_INFO
  WHERE TEAM_MEMBER_ID=VAR_TEAM_ID;
  DBMS_OUTPUT.PUT_LINE('1.WHEN VAR_NUM > 0');
  ELSIF VAR_NUM = 0 THEN
  DBMS_OUTPUT.PUT_LINE('1.WHEN VAR_NUM = 0'||' '||VAR_NUM='THIS IS A TEST LINE');
  ELSE
  DBMS_OUTPUT.PUT_LINE('1.LAST ELSE');
  END IF;
  IF VAR_NUM > 0 THEN
  DBMS_OUTPUT.PUT_LINE('2.WHEN VAR_NUM > 0');
  END IF;
  IF VAR_NUM > 0 THEN
  DBMS_OUTPUT.PUT_LINE('3.WHEN VAR_NUM > 0');
  ELSE
  DBMS_OUTPUT.PUT_LINE('3.WHEN VAR_NUM = 0');
  END IF;
  END;
  and i want all the DBMS_OUTPUT statments from USER_SOURCE view.
  Pls suggest
  Regards
  MS

  How about:
  SELECT * FROM user_source WHERE UPPER(text) LIKE '%DBMS_OUTPUT%';?
  Cheers,
  Colin

• Org Tech Admin can add user from other org?

  We are currently on a trial run with CIAC, and I am testing User Management with a Organization Tech Admin account (OTA).
  To my suprise, when adding user and select "existing user", I can see every account currently on Cloud Portal, and even successfully add user from other organization to my orgnization.
  Is there anyway so that OTA can see only the users in their own organization?

  I've been able to remove the admin role from a site administrator with an OTA.
  I know there are issues when you log with an user then logout and relog with another user, CIAC considers that you are still the previous user (I've encountered the issue several times in portlets in the nsapi requests). I don't know if/how those issues are related, but I'd say that logout/login issue were an user has the same rights than the previous users should be fixed.
  Changing OTA rights will not change that particular issue.
  For the moment, what we've done is create our own servlet for requests to the sql DB, and our own roles for most services.
  Let's see what v4 has in store for us.

• Fetch Data from an Object which is Input parameter to a BADI

  Hi all,
  This is a requirement in a BADI. The BADI is triggered by some program and the BADI has an Object ct_valid_lanes as an Input Parameter.
  The Object ct_valid_lanes is of type "ANY TABLE". By debugging, I found out that it has many fields say MATNR, MATID, LOCNO etc etc..and has more than one data for each field.
  I want to fetch these data from the object and put it into my internal table. I can't loop at an object and also I don't know how to read fields in an object. I am new to OOPS concept. Kindly, help.
  Regards,
  Preetha

  Hi,
  I have done that using Field-Symbols.
  Thanks,
  Preetha