Getting Roles assigned to Workset

Similar Messages

• Getting roles assigned to a user in OIM

  We need to write a query to find what are the roles assigned to a particular user and when it has been assigned , is there any source where the OIM tables and their attributes have been explained? We were referring the UPA_GRP_MEMBERSHIP for getting the roles( referring UGP_KEY)  and the user with (UPA_USR_KEY), is this correct or is there some other table which has the info?

  Thanks for your reply...
  To getting the roles of a user, what is the common attribute between USR and UPA_GRP_MEMBERSHIP table? Is it usr_key from usr table and upa_usr_key from UPA_GRP_MEMBERSHIP? if not, what are the differences between the two attributes and is there any other attribute to refer ?

• How to get the list of roles assigned to a user in all the child systems

  how to get the list of roles assigned to a user in all the child systems from CUA SYSTEM

  Try transaction SUIM in your CUA system. Go to user, cross-system information, users by roles. If you run it wide open, you'll get all users and all roles assigned for all systems managed in your CUA.
  Krysta

• Role Assignment does not get distributed from CUA

  Hi all.
  I create user and role in CUA client.
  There is no error in role generation.
  When I try to find my role in SU01 by pressing F4 of my role (Y*), system give me message role not found. But that's not my biggest problem.
  I can assign my role by typing manually.
  My biggest problem is only SAP ID get distributed into target system, not the role assignment.
  So in the target system I can see my user id without role assign to it.
  I checked my user id from SCUL. User and profile does not contain any error message in target client.
  I tried with transaction RSCCUSND, still my user id does not contain role.
  I checked my SCUM transaction, profiles and roles has Global settings.
  Does someone can give me a clue why this happens and how to solve this issue.
  Many thanks

  Lets try to simplify the thing in layman language.
  CUA is to manage user ids of different SAP systems (client level) centrally from one system without logging into each of those child systems. To do so, the Central system stores the information of the Roles (and their Text and Generated Profile Name ONLY) and Profiles (standard or non-generated profiles) in few of it's tables like: USLA04, USRSYSACT, USRSYSACTT, USRSYSPRF, USRSYSPRFT etc.
  It doesn't mean that the Roles for the corresponding child system is present in the central system and no need of creating (or making available) such roles in the Child systems. The physical existence of the Role for each system doesn't get transferred in the Central system when you do the Text comparison rather the identity only against the corresponding system.
  So the Roles has to be there in the corresponding Child systems and the Assignment (not physical assignment  -  only linking the name for that child system) of them to the user ids can be done from Central system.
  Also you have got the idea of Text comparison and requirement of keeping or creating roles in each system based on it's nature from the other posts.
  Let us know any more questions you have.
  regards,
  Dipanjan

• Function module to get the roles assigned to user

  Hi to all experts,
  I need a fm to retrieve the roles assigned to user .
  if a pass sy-uname as importing parameter i should to get all the roles assigned to that particular user

  hai,
  please try this.
  /VIRSA/RE_BAPI_CREATE_ROLE- Create Roles
  /VIRSA/ROLE_ASSIGN_CUA_NH
  /VIRSA/RE_BAPI_ROLE_TO_USERS
  ASSIGN_USERS_HIERARCHY - User Assignment to Role - this is a Normal FM
  try this bapis this may work
  BAPI_USER_LOCK
  - BAPI_USER_PROFILES_ASSIGN
  - BAPI_USER_LOCPROFILES_ASSIGN
  - BAPI_USER_LOCACTGROUPS_ASSIGN
  - BAPI_USER_CHANGE
  - BAPI_USER_UNLOCK

• Business role assignment get lost

  Hello *,
  from time to time single users report logon problems due to missing business role assignment.
  In these cases business role was assigned via user in tx su01 directly. Whenever it happened the affected user itself is shown for last modifier of user record. But the users of course are not authorized to edit this data.
  We assume that maybe the personalization in web ui could be the reason but up to know the behaviour was not reproduceable.
  Does anyone know this issue?
  Kind regards
  Thomas

  Hi Thomas,
  Sorry but maybe I've explained myself poorly. You said that business roles that were missing are normally assigned directly in SU01. Then, in order to try to understand how they are remove, in SU01 transaction there is a functionality that allows you to see the change history for every add/removal of a role. This will tell you the user that performed the action and which tcode he used.
  Check this functionality that it's available as a menu option in SU01. Maybe it can give you some good clues about what's happening.
  Kind regards,
  Garcia

• How to get list of Roles assigned to each User

  Hi,
  I have to create a list containing Roles assigned to each user in xMII 11.5.
  Need your help !
  Thanks in Advance !
  Regards,
  Alok

  Alok,
  Did you search (sometimes it is also good to make sure to search the forum for All threads not just the default time window)?
  https://forums.sdn.sap.com/click.jspa?searchID=22562502&messageID=5969490
  https://forums.sdn.sap.com/click.jspa?searchID=22562502&messageID=4890045
  More info from the help docs:  http://help.sap.com/saphelp_xmii115/helpdata/en/Connectors/IlluminatorSystemConnector.htm
  Regards,
  Jeremy

• Retreive Current active/selected Role & active/selected Workset - WebDynpro

  Hello All,
  I'm working on 2004s and trying to make a webdynpro application, which would retrieve following data of existing Portal users:
  1> Current Role (User selected Role)
  2> Current Worket that is attached/assigned to the current role (referring to point 2 above).
  Note: Users have multiple roles & Roles have multiple worksets.
  Thanks,
  Satya.

  Hi Satya,
  To get list of roles use String[] IRoleFactory.getRolesOfUser(String uniqueIdOfUser, boolean recursive) (https://media.sdn.sap.com/javadocs/NW04/SPS15/um/com/sap/security/api/IRoleFactory.html). To get worksets assigned to roles you can try to use approach described here /people/prakash.singh4/blog/2005/07/28/browse-roles-folders-pages-iviews-assigned-to-a-user-ep6-sp9-and-higher
  More on PCD:
  /people/daniel.wroblewski/blog/2006/07/30/everything-you-wanted-to-know-about-the-pcd
  /people/daniel.wroblewski/blog/2006/08/15/pcd-ii-creating-portal-objects
  Best regards, Maksim Rashchynski.

• Role Assignment Discovery Issue for Files and Folders through Sharepoint REST services

  To preface, I am a decided Sharepoint newbie in every sense. I am trying to use the Sharepoint REST services (Sharepoint 2013) to walk the folder and file structure of my Sharepoint server and, determine as I go, the Role Assignments (and subsequently
  Permissions) on those folders and files. I'm using an Administrator credentials and I'm actually able to successfully do it but I've run into some caveats. All the caveats begin with this; when I'm examining a folder, for example:
  /_api/Web/GetFolderByServerRelativeUrl('/sites/cmisdev/Development')/ListItemAllFields
  I receive either an empty list or an error response doc when following the link supplied for ListItemAllFields.  When following that kind of link for folders, I either get:
  <d:ListItemAllFields
  m:null="true"
  />
  or an error response document that says "The object specified does not belong to a list." When I hit the /ListItemAllFields endpoint for files, I receive a response with a link for Role Assignments which subsequently also works and I get the
  info I need. So, is this a bug? Why does the link returned from Sharepoint work for files and not folders? So, google, google, google, and I discover that there is another possible way to get at the Role Assignments (and that the object does, indeed, belong
  to a list!).
  If I know the Title (or the guid) of the folder in question, I can use the following endpoint:
  /_api/Web/Lists/GetByTitle('Development')
  If I use that endpoint, I get the information I would have expected to get from following /ListItemAllFields and the subsequent Role Assignments links all work and I get what I need. If there's a bug and this is how I have to work around it, that's fine
  but I have yet to discover how to dynamically determine the Title of a given folder nor am I sure if all Titles are supposed to be unique within a given Sharepoint server. I'm assuming that the folder name as represented in the server relative URL and the
  Title may be different and this is where my newbishness may start to shine if I'm misunderstanding what a "List" is supposed to be in Sharepoint. Anyway, I did find that I could use the Properties endpoint to perhaps get the Title, for example:
  /_api/Web/GetFolderByServerRelativeUrl('/sites/cmisdev/Development')/Properties
  gives me:
  <d:vti_x005f_listtitle>Development</d:vti_x005f_listtitle>
  whose value I assume I could then supply to the /GetByTitle endpoint and be golden. However, "vti_x005f_listtitle" just sounds a little too deep to be something I should be relying on but maybe that's kosher. That's part of what I'm trying to
  find out. Also, if there is a way to use the Sharepoint REST API to discover the guid of a given object, then I could look it up in that way.
  So, in summary:
  1. Am I going about getting folder Role Assignment information in the wrong way? Based on the CSOM examples I've seen, I believe I'm doing it correctly and that the answer to #2 below is a resounding "Yes!" :)
  2. Is it a bug if I'm not able to use /ListItemAllFields on folders using the server relative url?
  3. If I'm supposed to use GetByTitle as a workaround, am I discovering that Title correctly through /Properties? Seems quite circuitous and awkward. Are Titles required to be unique throughout a given Sharepoint server?
  4. If I'm supposed to use the guid, how can I use the REST interface to discover an object's guid? Once we get down to the Role Assignments and other links, the guid appears in those links but I don't know how to discover it independently if that's the
  path I should use to get the data I described above.

  Upon further research, I'll answer my own question for the benefit of some other potential future newbie.  The answer to question number 1 above is "Not exactly.".  The server relative URLs I was using corresponded to lists (which are
  returned as a collection through /_api/web/lists).  I was treating them mentally like regular folders.  That, coupled with the fact that accessing their data as I showed above returns a ListItemAllFields link, made me think that was the way to get
  the Role Assignments just as I would for files and, as it turns out, "real" folders and sub-folders created under these lists.  That was the other problem with thinking of these lists as regular folders.  So, ListItemAllFields works on
  all files and folders in a list.  However, if you want Role Assignments for the lists themselves, you can keep track of the Titles and\or Guids from the /_api/web/lists that you're interested in (in my case, all non-hidden "document library"
  type lists) and then access those Role Assignments as I discussed in questions 3 and 4 above.  For example, from the /_api/web/lists collection from my test server, the "Development" document library Role Assignments are accessable via /_api/Web/Lists(guid'cd242eeb-aafa-4efa-aecc-9bbdf8e3d459')/RoleAssignments
  or /_api/Web/Lists/GetByTitle('Development')/RoleAssignments.

• FPN - error trying to lookup object - remote role assignment not working

  Hello everyone,
  We have implemented a Federated Portal Network connection in our landscape between our portals.
  We use only remote role assignment functionality.
  Everything was working fine, but since 2 days we encounter the following error in the Default trace.
  Error trying to lookup object: alias: <role name>
  It is possible to open the producer portal in the Portal Content Administration and also searching for the Producer portal roles is possible in User administration. But when we assign the remote role the tab is not displayed in the portal only the above mentioned error is shown in the default trace. Our portals run SP 12 and BI Java SP14.
  Is there a solution or workaround for this issue ?
  Martin

  Hi,
  I have the same issue as you, I cannot see role tabs in Consumer portal and I get the same error in the defaulttrace as you.
  What did you do to resolve this issue?
  Many thanks
  Gordon

• Role info not appearing once role assignment request is submitted from UI

  Hi Everyone,
  We have a strange problem in our project in IDM 7.2 SP8 where IDM role concept is used which contains privileges (could be role/profile) of backend systems.
  Usually when ever a role (i.e IDM role) assignment request is submitted from UI, the activity with the associated info (like user details, role details, audit ID) should be stored in MXI_LINK table from where the info will be fetched and used in next stages of the processing
  Even though the information is getting available for most of the cases for all users but some times for few users once the role assignment request is initiated from UI there is no info is getting available in MXI_LINK table corresponding to this activity which is strange.
  Because of this problem even though user submits role assignment request no role info getting passed to IDM, set to pending state for the user which is getting meaning of user not submitted any role assignment request at all.
  Can any one suggest what are the things that gets involved between these two steps and any troubleshooting hints are highly appreciable.
  Regards,
  Venkata Bavirisetty

  Is this a situation you recreate at will? In other words, is it always happening on the same users? If so, you could put a trace on that user's account then try to add the role and see what that trace log shows. Additionally, you could just follow the links in the chain of the various tasks that kick off when you do a role assignment and check each task / job's job log and see what that tells you. There's got to be an error somewhere along the way that's preventing this from executing properly.

• Role assignment not working

  Hi everyone,
  I am trying to assign different roles to different users for GRC - Risk Management 10.0; however it seems like standard roles don't have any affect on type of activity. I have maintained various levels of roles (e.g. risk owner, risk expert, risk manager, etc) using PFCG and assigned almost every role to the users; but it doesn't give them the authorization to create or edit anything, they can only display.
  The only workaround for this was assigning a role with the authorization object GRFN_USER (with 02 Change value enabled) or assigning SAP_GRC_FN_ALL (Power user role which also contains object GRFN_USER). However this would allow users to do "anything" they want which obviously isn't what I seek.
  I have tried changing customization options such as Maintain Custom Agent Determination Rules and Maintain Entity Role Assignment, it hasn't solved anything so far.
  I urgently require your assistance on this issue. Thank you.
  Regards,
  Seckin

  Hi,
  I 'm facing same kind of problem.
  Case 1:
  I tried with:
                    Assigning users to group (abap role) which didn't worked.
                    Assigning UME Role to group (abap role) which worked. Then i assigned the user to the UME Role, but the user is not getting the backend authorizations.
                    Assigning the portal role to the group (abap role), then when i assiged a user to the abap role from R/3 automatically the user is getting the portal role.
  How can i do the same from portal?
  Case2:     
  While distributing the portal roles to the ABAP system (System Administrator -> Permissions -> SAP Authorizations), the status is showing as "Role transfer compleated". but when i checked from the R/3 transaction WP3R, there are no portal roles.
  Why are the portal roles not getting transfered even though the status is green?
  Mr.Chowdary

• OBPM 10gR3 Dynamic Role Assignment at user login

  Hi,
  For all the great integration with LDAP in 10gR3, unfortunately, the system is unable to deal with dynamically-defined LDAP groups.
  Our goal is to apply a BPM Role to ALL humans defined in our LDAP.
  All humans happen to already be defined by a dynamically-defined LDAP group called 'AllPeople'.
  It would have been perfect if we could simply assign our BPM Role, 'Employee', to the LDAP group, 'AllPeople'. Sadly you can't (one for the next release pls).
  So as a workaround, what we want to do instead is assign the BPM Role 'Employee' to each individual user dynamically when they first login.
  Since the FDI library is useless outside of a BPM context (you'll find that some of the familiar methods of RoleAssignment are missing), We opted to create an actual BPM process to conduct role assignments, and we would then trigger it via PAPI.
  The question then was, where/when do we invoke the process such that it does the role assignment quickly and soon enough for the appropriate views and applications to appear in their workspace straight after login?
  We opted for a customised implementation of the SSOWorkspaceLoginInterface class.
  However, we tried making the invocation in the setupAuthenticatedSession() and the processRequest() methods but, although the role assignment was successfully done in either case, sadly the user's session was loaded without the new changes - perhaps loaded quicker than the role assignment could be fed back through the directory.
  Therefore, we dumped the invocation in the actual constuctor - and this seems to work for the most part. Yet on the odd ocassion, the role assignment is not quick enough to be realised in the user's workspace session - the user has to logout and back in before the changes are realised.
  We've even tried to get the execution to sleep for a second or two, while the PAPI thread goes about doing the role assignment - again not much success.
  So I really have 2 questions:
  1. Where during login can we make a PAPI call to do a role assignment so that it should be picked up by the time the session is created? perhaps we already are doing it in the right place.
  2. How could we refresh/request a new session cookie without explicitly logging out and back in again? Note, page refresh is not enough.
  Thanks for reading.

  Sorry for the belated response - I don't get notified of replies.
  The code for my custom SSOLoginModule class is:-
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  import java.io.FileInputStream;
  import java.io.IOException;
  import java.util.Properties;
  import fuego.workspace.security.SSOWorkspaceLoginInterface;
  import fuego.papi.Arguments;
  import fuego.papi.CommunicationException;
  import fuego.papi.InstanceInfo;
  import fuego.papi.OperationException;
  import fuego.papi.ProcessService;
  import fuego.papi.ProcessServiceSession;
  import fuego.sso.SSOLoginException;
  import fuego.sso.SSOUserLogin;
  import fuego.jsfcomponents.Util;
  import fuego.workspace.model.common.WorkspaceApplicationBean;
  public class CustomSSOWorkspaceLogin extends SSOUserLogin implements SSOWorkspaceLoginInterface {
  private ProcessService pService;
  private ProcessServiceSession pServiceSession;
  private Properties properties;
  public SSOWorkspaceDBLogin() {
  //Do the role assignment here because it works, and does not work in the ideal location of setupAuthenticatedSession method
  pService = createProcessService();
  pServiceSession = createProcessServiceSession();
  assignDefaultRole(Util.getHttpServletRequest().getRemoteUser());
  private ProcessService createProcessService() {
  return WorkspaceApplicationBean.getCurrent().getProcessService();
  private ProcessServiceSession createProcessServiceSession() {
  return pService.createSession("yourdirectoryusername","yourdirectorypassword",null);
  //This method is used to remotely invoke a BPM process to do the role assignment - no external API to do this directly!
  private void assignDefaultRole(String email) {
  try {
  String processId = "myRoleAssignmentProcessId";
  String argumentName = "argumentName"; //the name of the input argument to feed in the participant
  String argumentValue = email;
  Arguments arguments = Arguments.create();
  arguments.putArgument(argumentName, argumentValue);
  InstanceInfo instance = pServiceSession.processCreateInstance(processId, arguments);
  Long waitTime = new Long(1000);
  Long timeLimit = new Long(5000);
  boolean roleAssigned = false;
  boolean timeLimitExceeded = false;
  Long startTime = System.currentTimeMillis();
  //Allow role assignment thread to complete
  while (!roleAssigned && !timeLimitExceeded) {
  try {
  Thread.sleep(waitTime);
  if (pServiceSession.processGetInstance(instance.getId()).isCompleted()) {
  roleAssigned = true;
  if (System.currentTimeMillis() - startTime > timeLimit) {
  timeLimitExceeded = true;
  } catch (InterruptedException e) {
  e.printStackTrace();
  //close process service session
  pServiceSession.close();
  //Do not close the service itself as it is shared with the Workspace itself!
  //pService.close();
  } catch (Exception e) {
  e.printStackTrace();
  public void setupAuthenticatedSession(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse) throws SSOLoginException {
  //Unfortunately, the below does not work here because the role assignment is not fast enough
  //The result is that the user logs in but cannot see any applications because the role assignment has not been made in time.
  //Therefore, we run the below statements from the constructor - ugly but functions.
  //pService = createProcessService();
  //pServiceSession = createProcessServiceSession();
  //assignDefaultRole(httpservletrequest.getRemoteUser());
  public void processRequest(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse) throws SSOLoginException {
  }

• ABAP centered role assignment not working

  I have been trying to implement ABAP centered role assignment for our users but not really having much luck in gettng it to work. I've been trying to make sense of it by using [the help guide|http://help.sap.com/saphelp_nwmobile71/helpdata/en/d2/3e3842b23d690de10000000a155106/frameset.htm] but I must be doing someting wrong. Here are the steps that  take.
  1. Create a single ABAP role - A single role with no menu or authorizatons
  2. Create a UME Group - I name the group exactly the same as the ABAP single role from the previous step
  3. Assign UME Group to Portal Role
  4. Assign mapped user to ABAP role
  Supposedly the ABAP role assingment is supposed to reflect through to the UME group membership so the portal user then sees the associated portal tab.
  Can you enlighten me?
  Thanks in advance

  Hi,
  I 'm facing same kind of problem.
  Case 1:
  I tried with:
                    Assigning users to group (abap role) which didn't worked.
                    Assigning UME Role to group (abap role) which worked. Then i assigned the user to the UME Role, but the user is not getting the backend authorizations.
                    Assigning the portal role to the group (abap role), then when i assiged a user to the abap role from R/3 automatically the user is getting the portal role.
  How can i do the same from portal?
  Case2:     
  While distributing the portal roles to the ABAP system (System Administrator -> Permissions -> SAP Authorizations), the status is showing as "Role transfer compleated". but when i checked from the R/3 transaction WP3R, there are no portal roles.
  Why are the portal roles not getting transfered even though the status is green?
  Mr.Chowdary

• Function module to Delimit the roles assigned to the user

  Hi All,
  I am working on security role automation process abap report.My requirement is to delimit the roles assigned to the user on account of employee termination or retirement. I have used the function module "BAPI_USER_ACTGROUPS_ASSIGN"  to delimit the role assigned to the user.
  Passing the importing parameter "username" and in the Tables parameter"ACTIVITYGROUPS"  passing the respective parameters AGR_NAME(Role), FROM_DAT(Start Date),TO_DAT(termination date - 1). When I passing the parameters as mentioned above,the role assigned to the user is getting deleted,instead of delimitation of the role assigned to the user.
  Is there any other function module we can use to delmit the roles assigned to the user?  Please help.
  Regards,
  Krishnan

  hai,
  please try this.
  /VIRSA/RE_BAPI_CREATE_ROLE- Create Roles
  /VIRSA/ROLE_ASSIGN_CUA_NH
  /VIRSA/RE_BAPI_ROLE_TO_USERS
  ASSIGN_USERS_HIERARCHY - User Assignment to Role - this is a Normal FM
  try this bapis this may work
  BAPI_USER_LOCK
  - BAPI_USER_PROFILES_ASSIGN
  - BAPI_USER_LOCPROFILES_ASSIGN
  - BAPI_USER_LOCACTGROUPS_ASSIGN
  - BAPI_USER_CHANGE
  - BAPI_USER_UNLOCK