Get child users of composite role

Similar Messages

• How to get the user list under role

  Hi Gurus,
  in mdm console, if you select a role, you will see the users who are assigned to this role.
  how can I get this user list through java api.
  Ouser server is  MDM7.1SP5
  Best regards,
  John

  Hello John
  you cann't get users list.
  you can get user roles information since SAP MDM 7.1 SP3:
  com.sap.mdm.security.commands GetUserRoles Command
  A command to retrieve the array of roles for the specified user
  more about api  you can read here(What's New in MDM Java and .NET API - part):
  http://help.sap.com/saphelp_nwmdm71/helpdata/en/13/041975d8ce4d4287d5205816ea955a/frameset.htm
  Regards
  Kanstantsin Chernichenka
  Edited by: Kanstantsin Chernichenka on Mar 11, 2011 3:10 PM

• Getting current user's business role

  Hi,
  Is there any function that read current user's business role in CRM?
  Best Regards.
  Sadi

  Hi Sadi,
  Try something like this:
  DATA ls_user_role TYPE string.
  DATA lr_profile_instance TYPE REF TO if_crm_ui_profile.
  *- Read User Role
      lr_profile_instance = cl_crm_ui_profile=>get_instance( ).
      CALL METHOD lr_profile_instance->get_profile
        RECEIVING
          rv_result = ls_user_role.
  Kind regards,
  Garcia

• Getting UWL task count for all users in a role.

  Hi.
  I recently posted a question regarding a very similar issue, but I haven't got any response yet. I think my question might have been somewhat poorly phrased, so I will try to do better at explaining what we need.
  We have a number of processes, most of which need to be dynamically assigned to a user when created. The way we want to assign those tasks is by executing a WebService which would receive a role name and get all the users for that role. Then, using the UWL API, it would check how many tasks each of the users have in their UWL, and return the UserID for whoever has the least tasks. I haven't been able to get this to work. I keep getting Logged in users context or session doesn't exist Exception.
  Please, any help on this will be greatly appreciated.
  Currently working with SAP NWDS 7.1 SP05 PAT0005

  Hi,
  Thank you for your response, however, that's not what I need.
  For you and anyone esle who might find this extra info useful...
  I know how to get a user's role(s), and how to get the users in a role.
  I also know how to assign a task to a specific user dynamically.
  Using the UWL API, I know how to get the tasks (or items) in a user's UWL from a WD application, I need to do that from a WebService and using pretty much the same code, with the necessary adjustments, I can't get it to work.
  Furthermore, I'm able to get the UWL tasks for ONE user, that user being the one I log into the application with. For example, if I write code to get the tasks for user testUser1, I need to log in with testUser1 to get it to work, if I log in with any different user or make it a non-authenticated application, it won't work.
  Again, help on this is much needed and will be appreciated.

• Getting tasks for all users in a role

  Hi,
  We need to get all users in a Role, and out of those, find out which one has the least tasks in their UWL using a WebService. Saw some example codes and here's my attempt at it. Doesn't quite work, I'm getting the Logged in users context or session doesn't exist Exception. Any help on this will be GREATLY appreciated.
  public class LeastTasksBean implements LeastTasksLocal {
       public String getUserLeastTasks( String sRole )
            try{
                 Map<String, String> users = new HashMap<String, String>();
                 Map<String, String> tasks = new HashMap<String, String>();
                 final int sessionIdleTimeout = 60;
                 String Users[] = UMFactory.getRoleFactory().getUsersOfRole( sRole, true );
                 if( Users != null ){
                      for( int i = 0; i < Users.length; i ++ ){
                           UWLContext  uwlContext      = new UWLContext();
                           IUWLService uwlService      = findService();
                           uwlContext.setAllowBackEndConnections( true );
                           IUser uwlContextUser        = UMFactory.getUserFactory().getUser( Users[0] );
                           uwlContext.setUser            ( uwlContextUser );
                           Locale loc                  = new Locale( "ES" );
                           uwlContext.setLocale          ( loc );
                           HttpServletRequest request  = getHttpRequest();
                           uwlContext.setOriginRequest   ( request );
                           IUWLSession session         = uwlService.beginSession( uwlContext, sessionIdleTimeout );
                           uwlContext.setSession         ( session );
                           IUWLItemManager itemManager = uwlService.getItemManager( uwlContext );
                           QueryResult result          = itemManager.getItems( uwlContext, null, null );
                           users.put( String.valueOf( i ), uwlContext.getUserName() );
                           tasks.put( String.valueOf( i ), String.valueOf( result.getItems().size() ) );
                           uwlService.endSession( uwlContext );
                      int userTasks = 0;
                      int leastTasks = Integer.valueOf( tasks.get( 0 ) );
                      int userKey = 0;
                      for( int i = 0; i < Users.length; i ++ ){
                           userTasks = Integer.valueOf( tasks.get( Integer.toString( i ) ) );
                           if( userTasks < leastTasks ){
                                leastTasks = userTasks;
                                userKey = i;
                      return users.get( Integer.toString( userKey ) );
                 else{
                      return "No users exist for this role";
            //Exception Handling
       private IUWLService findService() throws NamingException
            Properties properties = new Properties();
            properties.put( InitialContext.INITIAL_CONTEXT_FACTORY, "com.sapportals.portal.prt.registry.PortalRegistryFactory" ); 
            InitialContext ctx = new InitialContext( propiedades ); 
            IUWLService uwlService = ( IUWLService ) ctx.lookup( IUWLService.ALIAS_KEY );
            return uwlService;
       private HttpServletRequest getHttpRequest() throws Exception
            Properties properties = new Properties();
            properties.put( "domain", "true" );
            ApplicationWebServiceContext wsContext =
                 (ApplicationWebServiceContext) new InitialContext( propiedades ).lookup( "/wsContext/" + ApplicationWebServiceContext.APPLICATION_WSCONTEXT );
            HttpServletRequest request = wsContext.getHttpServletRequest();
            return request; 

  Hi David,
  I have a similar requirement on our project. I need to get a count of pending workitems for all user but I'm getting similar message when I try to access UWL context of any other user.
  Did you find any solution for this? Is it possible to get the workitems for all users using webservice or wendynpro?
  I would appreciate if you can provide some inputs on this.
  Thank you in advance.
  Regards,
  Seema Rane

• Add a single role to different composite roles in one step

  Hello everybody,
  I am working on SAP authorizations, and we often have the situation that a new Tcode is developed and a new role for this Tcode needs to be created.
  Than this new role needs to be added to many different composite roles (sometimes more than 100). At the moment I enter the single role to the composite role and regenerate the menu and this one by one. After that I add them with PFCG_MASS_TRANSPORT to my transport request.
  I don't want to believe that there is no easier way. Any ideas?
  Thank you
  Flo

  Hi Soma,
  great to find a place to be welcome..Thanks
  What you wrote definitely makes sense, but we agreed that every user only gets one composite role assigned and this composite role contains all single roles needed for his job. We do not assign single roles to users.
  The requirement is that every finance guy should get access to it (by the way, it is a report) unfortunately we have many different sites and may different composite roles for the different positions in the finance area.
  And I did not identify a role which is part of every composite role in the finance area, so I would either have to add it to the most common role present in these composite roles and additionally create a new role which gets assigned to the composite roles where I add the T-Code to is not present.
  -> In this example I would add one T-Code to two roles. Which our security manager disallowed me...
  or make this role available in all finance composite roles, which will give these employees access to other T-Codes which are part of the role but which they should not receive.
  -> Which again... our security manager disallowed me...
  So the only solution I imagined was to create a new role which contains this T-Code and to add this role one by one to every composite role.
  And at the end, your concept is also taken into account because the design of this role is open and if we get a new reporting T-Codes which again need to be added to all Finance guys, I definitely add it to this role
  Comments?
  Cheers
  Florian

• ADF 11g + getting the user details in ADF BC layer

  Hello,
  I am using Jdeveloper build JDEVADF_11.1.1.2.0_GENERIC_091029.2229.553
  How to get the user name and roles in ADF BC layer? . I need to get the username in entity layer,view layer and am layer.
  Is there way to write common method to get the username from session data??
  Any advice??
  Thanks
  RB

  Hi,
  You can get User name using EL ---adf.context.securityContext.userName
  and also using---getUserPrincipalName()
  Thanks,
  Vijay

• View Deleted Users Composite Role

  Dear Experts,
  Is there any way to view the composite roles that were assigned to a user that was deleted? 
  I am able to go to SUIM and view the single roles but I would like to get the composite roles that were deleted.  This is needed so that we can recreate the user and assign the old roles to the user.
  Please help.
  Thanks.

  If you select the "role change docs" in SUIM and use the selection criteria "overview of change docs" or "all change docs", then deleted composite roles will show up in this report. It would be handy if your composite roles had a different naming convention than the single roles.

• Stopping user compare when saving composite roles in 4.6c basis pack 25?

  One of the environments I look after is a 4.6c system with basis pack 25 – they can’t upgrade as it breaks a great deal of very heavy customisation in that system.
  We have encountered an issue with the saving of composite roles in that system - when a role is saved we must sit through a very long period of “user distribution in role XXX” while the system performs a user compare of every singular role in that composite role.  This is very painful as it can take nearly half an hour simply to save the composite role – we then need to rebuild the menu and compress it (we use the composite role’s menu structure).  The odd thing is that this behaviour wasn’t apparent for many years – it suddenly started happening about 2-3 years ago to a previous administrator but he wasn’t aware of any changes going through, it just began to force these lengthy compares on him when saving composites.
  I’ve tried in vain to disable this forced compare on every save – I’ve tried the PRGN_CUST modifications including adding the lines “AUTO_USERCOMPARE” with a value of “NO” and “USRCOMPARE_PFUD” with a value of “YES” to try and stop the profile generator from doing this but to no avail.  Unless these settings need a restart of the system to take effect (do they?) I’m at a loss to find any other options.
  The menu setting in the profile generator of “automatic user master adjustment when saving role” is switched off – though setting “auto_usercompare” seems to have broken the ability to bring up the “settings: role maintenance” dialogue box anyway.
  We have a very large number of roles to modify and would be grateful if anyone could offer any advice here.
  Thanks
  DT

  the problem with your issue is that none of use can reproduce that phenomenon, since none of use has that combination of primal release/support package level at hand any longer (at least i think so). so there's only two options left to you:
  first: update this special application until the problem goes away - do so by adding note after note on the very subject, like the one i mentioned plus [905924|https://websmp130.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=905924&nlang=EN&smpsrv=https%3a%2f%2fwebsmp107%2esap-ag%2ede] plus [662484|https://websmp130.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=662484&nlang=EN&smpsrv=https%3a%2f%2fwebsmp107%2esap-ag%2ede] and stop only when you hit one that is not implementable using SNOTE but only by implementing a support-package -> this will obviously be the point where you're stuck then.
  (and yes - for the sake of rob burbank: there are several other ways to implement corrections aside from SNOTE).
  second: open a call with SAP. mind you, this might become a lenghty one since they will also give you note after note ...
  as i said, i'm pretty sure no one in here can help you doing a proper analysis anymore (but maybe i'm wrong).
  anyone - any other (better) suggestions?

• SIngle riole that belong to composite role with user

  HI,
  There is option when user are belong to single role and also belong to composite roles (that include the single role ) ?
  BR
  Nina

  There is option when user are belong to single role and also belong to composite roles (that include the single role ) ?
  SIngle role is created by pfcg where you assign the role name n safe it as single role n then after t codes been provided the user has been assigned accordingly
  Composite role is same just it contains many roleson to one and similarly the user has been assigned
  Thx
  Mysterious

• User Composite Role History

  Hi Experts,
  Do you know if it is possible to track the history of composite roles that have been assigned to a user.
  For single roles there is a table ush04 which shows a history of assigned roles but I have not seen a similar table for composite roles only.

  Table USH04 shows the history of profile assignments which are stored in table USR04 and UST04. Assignements of single roles are somehow visible, too, because of their corresponding profiles.
  But role assignments are stored in another place:
  Table AGR_USERS (actual assignments)
  Table USLA04 (actual assignments in a CUA central system)
  The history of role assignments is stored in standard change documents.
  Use the SUIM report RSSCD100_PFCG for viewing change documents of roles.
  (The list shows all role assignments but does not mark the assignments for composite roles in a special way.)
  However you need at least the Support Packages as describesd in note <a href="https://service.sap.com/sap/support/notes/621720">621720</a> and <a href="https://service.sap.com/sap/support/notes/606636">606636</a>
  Kind regards
  Frank Buchholz

• SAP Security Report for single and composite roles

  Hi
    I have a requirement to create a cutomize report in SAP Security.
  I have to display Composite roles,corresponding single roles,the tcodes assigned to those single roles and the description of t- codes. The selection screen has composite roles,single role and T-code which are optional.User can enter selection in any of the selection critreria.How should I go on this?If user gives only composite roles on the selection for e.g 'TEST'. for this role I get suppose 3 child roles 'TEST1' 'TEST2' 'TEST3' from table AGR_AGRS.Now to get the tcodes i go to table 'AR_1251' and I get the tcodes.
  But if user give only single role on the selection for eg 'TEST2' ,for this single role 'TEST2' there would be multiple composite roles.for e.g, 'TEST' 'SAP1' 'SAP2' etc..Now if go to get the tcodes for this single role in AGR_1251,I will ceatainly get the tcodes for eg MM01,FB01,etc.But then how would I know whether MM01 belongs to composite role 'TEST' SAP1' or SAP2' for the single role 'TEST2'.
  Please advise.
  Thanks
  Edited by: Julius Bussche on Aug 13, 2009 4:52 PM
  Subject title improved

  I though of seperate selection options for singles and composites, but you also said:
  > But if user give only single role on the selection for eg 'TEST2' ,for this single role 'TEST2' there would be multiple composite roles.
  My suggestion would be to build better single roles, but that is just me...
  Cheers,
  Julius

• CUA problem with composite role

  Hello experts, I have a problem with a composite role in my CUA parent system. If you look at the roles tab you will see one of the child roles has a name of child CUA system in the 'target sys' column. the rest all have 'user system'. Can anyone explain how this 'target sys' column is defined?
  Thanks
  Dave Wood

  I do not know if you have solved this issue, but the target system is defined within your single role on you menu tab.
  No what happens is that in transaction SM30 table SSM_RFC you define system variable linked to your logical system.
  This variable determines that when you import roles from another system by means of transaction PFCG > Read from other system from RFC and you select your variable the system will automatically default in the target system field the system it is suppose to go back to.
  So this way when you distibute the roles it will only go back to that particular target system, and you do not need to specify and guess where the role came from.
  Try removing that table entry in SM30 SSM_RFC and see if that way you will be able to remove the target system from the role.
  However it is not a bad thing to have activated. If you are working with position base authorizations and you have more than 1 system, you define 1 composite role for all the roles, for all the systems and you will be able to see where the composite resides by means of the target value.
  Hope this makes sense.
  Regards
  Sonja

• Profile for a composite role

  Hello Experts,
  We are having a problem dealing with a composite role.
  Whenever we add the composite role to a user master; a profile appears for each of the single roles (which is normal) BUT we also get a profile for the composite role.
  We verified in the table AGR_1016  and found that there is a profile asocited to the composite role.
  We tried the clean-up option of the transaction PFUD which did not work in our case.
  We were thinking that may be the role was firstly created as a single role with its profile; and then it mayhave been changed to a composite role without deleteing its profile. Is it possible ?
  Any answer is most welcome!
  Thanks & Reagards

  > We were thinking that may be the role was firstly created as a single role with its profile; and then it mayhave been changed to a composite role without deleteing its profile. Is it possible ?
  Sounds to me as if there has been an import of a composite role overwriting a single role with the same name. The pfcg import facility has very few checks in them so something unwantend could have happened. I think it is not possible to change a role from single to composite with the PFCG or other tools. What does table AGR_PROF say about this role?
  I would suggest to copy the composite to a new name (without copying the singles) and see how that looks. If it is OK you can delete the corrupted role, check wether it is completely gone and copy the new role back to it's original name.

• Assign single role to composite role with alternate logsys assignments

  Dear gurus,
  In a moment of weakness I created a composite role (shame on me) and then noticed something about them which I had not noticed before... -> I was in a CUA master system and in the composite role I noticed that on the (single) roles tab of it, there was a field called "logical system". But it is greyed out.
  Now composite roles from the child logical systems are known to the CUA master system and have a logical system assigned by the text comparison. Assigning the composite in the master system will assign the composite in the child system and that assigns the local single roles in the child system as well -> so far so good and by the book.
  But is there some way to assign a composite role to a user in the master system which is assigned also to the master system, but the single roles of that composite have logical systems which differ from the logical system of the master system? So basically the field is not greyed out in the central composite roles and this composite role then represents an assignment beyond logical system boundaries - much like a "business role" in IDM.
  Has anyone ever done that before and survived? Any pros and cons? Is it at all possible what I am seeing here before my eyes (bar that the field is greyed out)?
  Cheers,
  Julius

  Hi Martin and others,
  I experimented a bit further with this, albeit rather unsuccessfully from the view of useful results.
  While the "target system" field is intended for navigation to the corresponding trusted RFC connection, it is also possible to turn the user menus off. So such a remote role is not going to go anywhere in navigation. If additionally the CUA is active and you create all the target system single roles in the CUA master system as well and assign them to the "target" they are intended for... then the single role menu is transferred to the child system which the role has as a target. But only the menu, and leaves the role in the target as status red. That also means it is only useful for component neutral roles.
  Now comes the hack: If you create a composite role in the master system with local single roles as well but the single roles are assigned to "targets destinations", then when assigning the user to the composite role in the master system, then it also assigns the single roles in the target systems to the user as well as the local system (the master as a child of itself). So it is in fact a halfway business role in the IDM sense, with some naming convention strings attached.
  You also dont see this in the code of SU01, as the USERCLONE Idoc processing seems to be the guilty one to also send aditional Idocs for these single roles with targets assigned to the roles and not the user.
  There is only one major show-stopper in the design of the thing: You can only assign 1 target RFC connection to a single role in the central CUA master system but have to maintain the roles in the target logical system still. That means that roles must be maintained logical system specifically. That also means that you have to maintain the roles directly in production and have a completely different set for development and never transport any roles. They are as unique as their CUA master system "target destination" value and that is the logical system name as well.
  That is a bit of a bummer because it means that you also cannot ever test anything...
  Did anyone ever try to actually use this?
  Cheers,
  Julius