GRC 10.0 Mass Role removal

Hello all,
we are using GRC AC 10.0 (SP14). Today I found out that the access removal for multiple users is not working. The role removal for one user is working fine. But for multiple users who all have the same role it is not possible to select this existing role. Is it a standard in GRC AC or did I miss some config parameters?
The "ADD" button (yellow) is not working, and there is no "Existing assignments" button. Please let me know whether these settings are standard or not.
Many thanks,
regards
Sabrina

Sabrina,
Multi-user requests have been quite problematic. I encourage you to search for corrections; we had to implement numerous corrections for multi-user requests. Right now, though, multi-user requests for role removal using the "Existing Assignment" function are working for us (SP12 with a lot of corrections from SP13 and SP14).
I should mention that our Provisioning Log in the closure notification only lists the first user, but all three accounts in my test request just now had the role removed as requested. We have treated that as a training issue with our request submitters for the time being. We implemented Note 1727135 to correct that issue and it made matters worse, so we had to revert.
Good luck!
Gretchen

Similar Messages

  • Mass role removal

    Hi all,
    We have a new requirement to remove ALL roles from users in group TERMINATED.
    I have used SU10 in the past to remove a specific role X from a group of users.  But I cannot seem to simply remove all roles from every user in the group.  Is there a way to do this without using ECATT?
    There are about 2200 users in the group, as it was not previously maintained, and I would rather not do this manually if I can avoid it.
    Thanks

    Hi
    Run SUIM to give you a list of the user ID's in the TERMINATED user group.
    Record LSMW - you'll need to create a project/sub-project/object and then go to recordings, running tcode SU01, enter one user ID, go to the roles tab, select all roles icon and save.
    That will end your LSMW recording.
    Check the variables in the recording - all you need is the user ID - make sure you remove the default tested user ID or all you'll get will be a recording that does nothing but delete nothing from the same user
    Create a .txt file with another of user ID's from the user group (barring the one you just changed) and save it somewhere easy to find.
    Go back to your LSMW project and maintain each of the steps up to specify files - you'll need to browse for the saved .txt file and also change the delimiter section to tabular.
    Assign the files and work your way through the next steps until you generate a batch input session, run the batch input in foreground and step through the recording you are now running for real. Make damned sure it does only what you expected it to do!
    If the trial one works then maybe try a couple more until you feel confident before going for the big one.
    Oh - and don't forget to check that you aren't in the TERMINATED user group or you'll lose your access during the LSMW script. That bit is embarrassing but renaming 670 users to Theresa is worse (I did that once because I forgot to remove the default entry in the recording)
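
A pre-flight check for the user-ID file described in the answer above, as an added example that is not part of the original post. It drops the operator's own account and the user already changed during the recording before the list reaches LSMW, and splits what remains into trial batches. The function names, the reason codes, the sample export and the upper-casing of IDs are assumptions made for this illustration.

```python
"""Pre-flight check for the user-ID file fed to an LSMW SU01 recording."""

MAX_USER_ID_LEN = 12  # SAP user names are at most 12 characters

# Constructed sample: lines as they might be pasted from a SUIM user list.
SAMPLE_EXPORT = [
    "jsmith",
    "JSMITH ",              # same user again, with trailing blank
    "TESTUSER01",           # the user changed while recording
    "ADMIN_OPS",            # the person running the batch input
    "",
    "THIS_ID_IS_TOO_LONG",
    "A B",
    "MMEIER",
]


def prepare_user_list(raw_lines, operator_id, recorded_id):
    """Return (accepted, rejected) for a raw list of user IDs.

    accepted: de-duplicated, upper-cased IDs in their original order
              (upper-casing is an assumption of this example).
    rejected: (user_id, reason_code) pairs for everything filtered out.
    """
    operator_id = operator_id.strip().upper()
    recorded_id = recorded_id.strip().upper()
    accepted, rejected, seen = [], [], set()

    for raw in raw_lines:
        user_id = raw.strip().upper()
        if not user_id:
            continue  # blank lines carry no user
        if any(ch.isspace() for ch in user_id):
            reason = "whitespace"      # would break a tab-delimited file
        elif len(user_id) > MAX_USER_ID_LEN:
            reason = "too-long"
        elif user_id == operator_id:
            reason = "operator"        # never strip roles from yourself
        elif user_id == recorded_id:
            reason = "recorded-user"   # already processed by the recording
        elif user_id in seen:
            reason = "duplicate"
        else:
            seen.add(user_id)
            accepted.append(user_id)
            continue
        rejected.append((user_id, reason))
    return accepted, rejected


def staged_batches(user_ids, trial_sizes=(1, 3)):
    """Split the list into small trial batches followed by the remainder."""
    batches, pos = [], 0
    for size in trial_sizes:
        if pos >= len(user_ids):
            break
        batches.append(user_ids[pos:pos + size])
        pos += size
    if pos < len(user_ids):
        batches.append(user_ids[pos:])
    return batches


def render_input_file(user_ids):
    """One user ID per line, ready to save as the .txt input file."""
    return "".join(f"{user_id}\n" for user_id in user_ids)


if __name__ == "__main__":
    ok, bad = prepare_user_list(SAMPLE_EXPORT, "admin_ops", "TESTUSER01")
    for user_id, reason in bad:
        print(f"skipped {user_id!r}: {reason}")
    for number, batch in enumerate(staged_batches(ok), start=1):
        print(f"batch {number}: {len(batch)} user(s)")
        print(render_input_file(batch), end="")
```

Review the skipped entries by hand before generating the batch input session; a rejected ID usually points at a problem in the export rather than in the user master.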

  • Deletion of mass roles from GRC CUP 5.3

    Dear All,
    I have requirement to delete 1000 roles from GRC CUP 5.3.
    I can see option to delete the roles individually under "search role" option but I am not able to find option to delete mass roles.
    Please advise.
    Regards
    Trinadh Bokka

    Hello Trinadh,
    It is not possible to delete all the roles at once through the User Interface. However, you can select a lot of roles at the same time by searching for a role pattern. For example, retrieve all roles starting with Z*:
    Hope it helps,
    Fernando

  • Mass role risk analysis issue

    Hello GRC Community,
    I have the following issue:
    When I use mass risk analysis the deactivated authorization objects in the role are displayed as result. At the same time, when I use Role Level Risk Analysis the role with deactivated critical authorization objects doesn't appear.
    Does anybody know how to solve this issue? Is there any configuration parameter to be adjusted?
    thanks
    best regards
    Sabrina

    Prasant,
    here are the screenshots of the Job result:
    1. Mass role Risk Analysis
    2. Risk Analysis on the (Single) Role Level
    In the backend you can see that the role contains lots of deactivated authorization objects.
    I have run all sync jobs, but seemingly it doesn't help.
    Thanks,
    Sabrina

  • ERM - Mass Role Import Error

    I just upgraded to SP11 and am trying to mass import a few roles.  It doesn't give me an error on the mass input screen, but it doesn't import the role, so I put DEBUG on and looked at the system logs.  I created the download file as both ANSI and UTF-8 and neither is working.  Here is the system log output:
    2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG
    -- Request dump for Action Path is cnvMassRlImport.scrMassRlImport.loadMassRoleImport
    2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG recordHistory:0::true#
    2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG -- End Request dump for Action Path is cnvMassRlImport.scrMassRlImport.loadMassRoleImport
    2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG Current Module: |CFG| Conversation: |cnvSysLog| Screen: |scrSysLog|
    2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG  Module#CFG#Conversation#cnvMassRlImport#Screen#scrMassRlImport#Action#loadMassRoleImport#
    2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG Changing Conversation: FROM: cnvSysLog TO cnvMassRlImport
    2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG com.virsa.framework.Context : clearConversationRep :   : 0 entries cleared from conversation repositiory
    2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG com.virsa.framework.Context : clearScreenRep :   : 0 entries cleared from screen repositiory
    2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG Handler found:class com.virsa.re.configuration.action.MassRoleImportAction
    2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG forwarding to:/cfg_mass_role_import.jsp
    2010-03-23 11:27:09,316 [SAPEngine_Application_Thread[impl:3]_28] DEBUG
    -- Request dump for Action Path is scrMassRlImport.importRoles
    2010-03-23 11:27:09,316 [SAPEngine_Application_Thread[impl:3]_28] DEBUG -- End Request dump for Action Path is scrMassRlImport.importRoles
    2010-03-23 11:27:09,316 [SAPEngine_Application_Thread[impl:3]_28] DEBUG Current Module: |CFG| Conversation: |cnvMassRlImport| Screen: |scrMassRlImport|
    2010-03-23 11:27:09,316 [SAPEngine_Application_Thread[impl:3]_28] DEBUG  Module#CFG#Conversation#cnvMassRlImport#Screen#scrMassRlImport#Action#importRoles#
    2010-03-23 11:27:09,316 [SAPEngine_Application_Thread[impl:3]_28] DEBUG Handler found:class com.virsa.re.configuration.action.MassRoleImportAction
    2010-03-23 11:27:09,332 [SAPEngine_Application_Thread[impl:3]_28] DEBUG dirName-->E:\usr\sap\WMS\GRC\ROLEIMPORT\1269358029332
    2010-03-23 11:27:09,347 [SAPEngine_Application_Thread[impl:3]_28] DEBUG returnStatus###success
    2010-03-23 11:27:09,347 [SAPEngine_Application_Thread[impl:3]_28] DEBUG forwarding to:/cfg_mass_role_import_status.jsp
    2010-03-23 11:27:10,769 [SAPEngine_Application_Thread[impl:3]_31] DEBUG
    -- Request dump for Action Path is scrMassRlImport.generateRolesForeGround
    2010-03-23 11:27:10,769 [SAPEngine_Application_Thread[impl:3]_31] DEBUG -- End Request dump for Action Path is scrMassRlImport.generateRolesForeGround
    2010-03-23 11:27:10,769 [SAPEngine_Application_Thread[impl:3]_31] DEBUG Current Module: |CFG| Conversation: |cnvMassRlImport| Screen: |scrMassRlImport|
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG  Module#CFG#Conversation#cnvMassRlImport#Screen#scrMassRlImport#Action#generateRolesForeGround#
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG Handler found:class com.virsa.re.configuration.action.MassRoleImportAction
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG In LockedObjBO.getLockedObjListByType(String objType) starts.....
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG In LockedObjBO.getLockedObjListByType(String objType) ends.....
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG GET_BUS_PROC =====  SELECT BP.BPROCID, BP.BPROCNAM, BL.BPROCDES FROM VT_RE_BPROC BP LEFT OUTER JOIN VT_RE_BPROCLNG BL ON(BP.BPROCID = BL.BPROCID AND BL.LNGID=?), VT_RE_BPSPASSOC BSP WHERE BP.BPROCID = BSP.BPROCID AND BSP.SUBPROCID =?
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG bprocName ===== HR00
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG keys.size():- 42
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 1 cache statusid = 1 value = DEVELOPMENT Desc = Kehitys
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 2 cache statusid = 2 value = PRODUCTION Desc = Produksjon
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 3 cache statusid = 1 value = DEVELOPMENT Desc = ??
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 4 cache statusid = 1 value = DEVELOPMENT Desc = Development
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 5 cache statusid = 2 value = PRODUCTION Desc = �retim
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 6 cache statusid = 1 value = DEVELOPMENT Desc = Projektowanie
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 7 cache statusid = 2 value = PRODUCTION Desc = Production
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 8 cache statusid = 2 value = PRODUCTION Desc = Produ��o
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 9 cache statusid = 1 value = DEVELOPMENT Desc = Desarrollo
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 10 cache statusid = 2 value = PRODUCTION Desc = Production
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 11 cache statusid = 2 value = PRODUCTION Desc = Produzione
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 12 cache statusid = 1 value = DEVELOPMENT Desc = ??
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 13 cache statusid = 1 value = DEVELOPMENT Desc = ??
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 14 cache statusid = 2 value = PRODUCTION Desc = ??
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 15 cache statusid = 1 value = DEVELOPMENT Desc = Udvikling
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 16 cache statusid = 2 value = PRODUCTION Desc = Produkt�v
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 17 cache statusid = 1 value = DEVELOPMENT Desc = ??????????
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 18 cache statusid = 2 value = PRODUCTION Desc = V�roba
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 19 cache statusid = 2 value = PRODUCTION Desc = Productie
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 20 cache statusid = 1 value = DEVELOPMENT Desc = Fejleszt�s
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 21 cache statusid = 2 value = PRODUCTION Desc = Produktion
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 22 cache statusid = 1 value = DEVELOPMENT Desc = Desenvolvimento
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 23 cache statusid = 2 value = PRODUCTION Desc = ???
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 24 cache statusid = 1 value = DEVELOPMENT Desc = Ontwikkeling
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 25 cache statusid = 2 value = PRODUCTION Desc = V�roba
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 26 cache statusid = 2 value = PRODUCTION Desc = ????????????
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 27 cache statusid = 1 value = DEVELOPMENT Desc = Sviluppo
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 28 cache statusid = 1 value = DEVELOPMENT Desc = Utveckling
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 29 cache statusid = 2 value = PRODUCTION Desc = Tuotanto
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 30 cache statusid = 2 value = PRODUCTION Desc = Produkcja
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 31 cache statusid = 1 value = DEVELOPMENT Desc = Utvikling
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 32 cache statusid = 1 value = DEVELOPMENT Desc = V�voj
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 33 cache statusid = 2 value = PRODUCTION Desc = Produktion
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 34 cache statusid = 1 value = DEVELOPMENT Desc = V�voj
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 35 cache statusid = 2 value = PRODUCTION Desc = ??
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 36 cache statusid = 2 value = PRODUCTION Desc = Produktion
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 37 cache statusid = 2 value = PRODUCTION Desc = Proizvodnja
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 38 cache statusid = 1 value = DEVELOPMENT Desc = Entwicklung
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 39 cache statusid = 1 value = DEVELOPMENT Desc = Geli?tirme
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 40 cache statusid = 1 value = DEVELOPMENT Desc = Razvoj
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 41 cache statusid = 2 value = PRODUCTION Desc = Producci�n
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 42 cache statusid = 1 value = DEVELOPMENT Desc = D�veloppement
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 1RoleStatusName:- DEVELOPMENT
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 2RoleStatusName:- PRODUCTION
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG MissingDescriptionHelperDAO.java@37:com.virsa.re.dao.MissingDescriptionHelperDAO.getMissingRoleDesc()missingLst.size(): 1
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG startIndex: 0; endIdex: 1
    2010-03-23 11:27:10,800 [SAPEngine_Application_Thread[impl:3]_31] DEBUG RoleImportBO.java@1393:com.virsa.re.bo.impl.RoleImportBO.createRole()Creating Role:ZM:HR_PY_DEPT_SUPP_COMP profile:'Z:DEPTSUPP'
    2010-03-23 11:27:10,800 [SAPEngine_Application_Thread[impl:3]_31] DEBUG  InsIde getLastGenerateDate(3572,11)
    2010-03-23 11:27:10,800 [SAPEngine_Application_Thread[impl:3]_31] DEBUG  InsIde getLastGenerateDate(3572,11) ResultSet and got an entry
    2010-03-23 11:27:10,800 [SAPEngine_Application_Thread[impl:3]_31] ERROR Cannot assign a java.lang.String object of length 389 to host variable 7 which has JDBC type VARCHAR(100).
    java.lang.Throwable: Cannot assign a java.lang.String object of length 389 to host variable 7 which has JDBC type VARCHAR(100).
         at com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:85)
         at com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:124)
         at com.sap.sql.types.GenericResultColumn.checkLength(GenericResultColumn.java:212)
         at com.sap.sql.types.VarcharResultColumn.setString(VarcharResultColumn.java:63)
         at com.sap.sql.jdbc.common.CommonPreparedStatement.setString(CommonPreparedStatement.java:511)
         at com.sap.engine.services.dbpool.wrappers.PreparedStatementWrapper.setString(PreparedStatementWrapper.java:355)
         at com.virsa.re.dao.jdbc.ChangeHistoryDAO.saveChangeHistory(ChangeHistoryDAO.java:318)
         at com.virsa.re.bo.impl.ChangeHistoryBO.saveChangeHistory(ChangeHistoryBO.java:77)
         at com.virsa.re.bo.impl.RoleBO.updateRoleWithChngeHist(RoleBO.java:469)
         at com.virsa.re.bo.impl.RoleImportBO.createRole(RoleImportBO.java:1437)
         at com.virsa.re.bo.impl.RoleImportBO.importRoles(RoleImportBO.java:639)
         at com.virsa.re.bo.impl.RoleImportBO.importRoles(RoleImportBO.java:333)
         at com.virsa.re.configuration.action.MassRoleImportAction.generateRole(MassRoleImportAction.java:597)
         at com.virsa.re.configuration.action.MassRoleImportAction.execute(MassRoleImportAction.java:78)
         at com.virsa.framework.NavigationEngine.execute(NavigationEngine.java:273)
         at com.virsa.framework.servlet.VFrameworkServlet.service(VFrameworkServlet.java:230)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:117)
         at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:62)
         at com.virsa.comp.history.filter.HistoryFilter.doFilter(HistoryFilter.java:43)
         at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:58)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:384)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)

    Hi All,
    Two weeks ago, I was trying to load roles in ERM. The result hasn't been as expected. I use SAP GRC AC (5.3). I need to load 6375 single roles, but I have only loaded 914 single roles. Below I describe the general context of my situation:
    1. I divided the file VIRSA_RE_DNLDROLES.txt into 16 files (UTF-8) with single roles per module (AM, PO, PS, GL, SD...)
    2. Each file contains segmented roles associated with a business process and multiple sub-business processes.
    3. When I checked the roles in ERM, I noticed that it just loaded some roles. Not all roles in the template were loaded.
    4. File sizes vary between 18 kb and 145 kb.
    5. Files concerned with "Mass Role Import" have the following extensions: Bulk Download File* (.txt), Enterprise Role Management Information File (.xls) and Primary Org. Level File (.xls).
    6. An error generated was "Unknown error occurred while performing operation (No space left on device (errno:28))."
    Honestly, I don't know the reason for not loading all roles from the template. Any suggestions or ideas?
    Thanks in advance

  • Import roles to the ERM without using the "Mass Role Import"

    Hello,
    I want to know if there is another way to import roles to the ERM without using the "Mass Role Import".
    I'm using SAP GRC AC 5.3.
    Best Regards.
    Pablo Mortera.

    Hi.
    There is NO other way to import roles.
    We need to use only ERM for "Mass Role Import".
    Regards
    Gangadhar

  • Role Removal for users

    Hi Guys
    How do we remove the  role Y.R3.IS-XX.xxxxxx from all test users (T-) and assign the role Y.R3.IS-XX.RPT_FI_XXXX to all test users (T-) in Q
    Any input on this is highly appreciated
    Thanks
    SV

    Hi,
    I am just sending you a sample of how to delete role using SCAT. you can modify to delete User from Role.
    Use T-Code SCAT.
    You will be prompted with initial screen
    Test case      enter some name ex: Z_MASS_ROLE_DELETION
    Click on Create (Blank page icon)
    In the initial screen on left corner button TCD click on this for recording a transaction.
    Enter T-code in PFCG
    Click on -> arrow button to continue
    In the next screen you will be displayed with PFCG screen
    Enter the role Name which you want to delete
    Click on the Delete button (Bin icon)
    You will be prompted with message box with yes or no and cancel
    Click on Yes
    You will be prompted with information acknowledge it by click on continue
    Now the role is deleted.
    Click on Back button (F3)
    You will be prompted with the initial screen where you have to enter the T-code in the pop-up box (PFCG)
    Click on RED small button to stop of recording the transaction
    You will be prompted with next screen for Title.
    Enter the Title ex: Mass Role Deletion
    Click on SAVE button
    Save as local object (click local object button)
    Go Back by click F3 (Back arrow button on the menu)
    Pop up box with save option appears save
    Click on YES
    You are ready with recording of T-Code PFCG
    To create a variable click on the edit (Pencil icon)
    In the next screen you will be prompted with
    C Funct.      Object               Text
    TCD           PFCG                 Role Maintenance
    Double click on TCD column
    In the next screen you will have the following information
    Test case       Z_MASS_ROLE_DELETION           PFCG Role Maintenance
    Transaction     PFCG                           Role Maintenance
    Permitted msg.
    Processing Mode
    In the above screen click on the FIELD LIST button which is on the top left menu bar.
    In the next screen you will find the list of values; check for the variable part (i.e. the role name we mentioned at the time of recording, TEST123 ROLE)
    Role                     AGR_NAME_NEU                  030 TEST123
    Replace TEST123 with & (this is done for the variable to be replace in future for new values)
    Go back (F3) twice into initial screen and save
    In the initial screen SCAT first screen
    Go to the menu
    GOTO -> Variant -> Export
    Export will create a Text file (Z_MASS_ROLE_DELETION.TXT) save it on your desktop for easy editing
    Open with EXCEL above text file (Z_MASS_ROLE_DELETION.TXT)
    You will find below values
    [Variant ID]     [Variant Text]     &AGR_NAME_NEU
    -->     Parameter texts     Parameter contents
    -->     Default Values     TEST123
    Changes to the default values displayed above not effective          
    Place the list of roles which you have decided to delete under the column TEST123
    Just Save file for any message just click on yes button.
    Come back to SCAT initial screen click on execute (F8) clock icon on the right corner of menu tab.
    In the next screen you will have option to choose
    Log Type     Processing Mode   Variants
    Long            Errors              External From file Choose     
    Choose the file (Z_MASS_ROLE_DELETION.TXT) which was edited with new values
    Then Execute all the roles which are in file will be deleted.
    I hope this helps
    Try this with test roles first then on the Actual roles
    If you have any problems let me know
    Cheers
    Soma

  • Mass Role Import  -- 9000 derived roles with 9 org Levels, how to get TXT

    Hello,
    I have a problem.
    I want to use the (Mass Role Import) Bulk Role Import element in the ERM  (SAP GRC AC 5.3 )for importing SAP roles (I only found that way to import roles from SAP).
    I have 100 primary roles and more or less 9000 derived roles with 9 org Levels.
    Is there a way to get this 9000 derived roles with their 9 org Levels in a TXT file?. Or do I have to do it manually this part to insert it in the "Bulk Role Import ".
    Can someone help me?
    Thank you in advance.
    Pablo Mortera.

    Hi Mike,
    what kind of TA´s are in your role. Is it possible to integrate a "dummy" TA (without conflicting
    your SOD)?
    In my example I have CO TA´s bundled in a role:
    Role:   ZXXXX_O:CO_ORDERMANAGER_CRE - CO Order Manager Pflege
    with
    KO01 Create Internal Order ...
    KO02 Change Order ... 
    KO04 Order Manager ... 
    KOK2 Collective Proc. Internal Orders ... 
    KOK4 Aut. Collect. Proc. Internal Orders
    update this role with TA KO01 and KOKRS will be available for derivation.
    Done this manually without import in ERM.
    Reg,
    Ulrich

  • Mass Role Deletion Transport to ECC6

    Hi,
    Prior to transporting a mass role deletion through to the PRD ECC6 system, is it recommended to end date the majority of position to role relationships? End dating may maintain some visibility of previous role assignments... Or is it safe to send it through and be confident that all the relationships will be removed as well as UMR based assignments?
    Any recommendations on this topics?
    Kind Regards
    Nathan

    Hi,
    Delete the roles through transports. But if you are concerned about the UMR history and end date for the roles, make sure there are no active assignments to the users; then there is no requirement for an end date. In my view, generally the UMR history will be there for deleted users and their assignments... as text.
    ~Praveen.

  • SCCM 2012 SP1 - SUP role removal or reinstall issue resolution

    Hello all,
    I just want to share a fix regarding SUP removal (re-install) issue.
    I think I found a bug  regarding SUP role removal/re-install.
    When I try to re-install secondary SUP on a site system, when I remove SUP via AdminUI – Administration – Site - Site Systems, it gets removed from the list but I get the following errors, which makes (re-)installation fail.
    Severity | Type | Site code | Date / Time | System | Component | Message ID | Description
    Information | Milestone | PS1 | 4/12/2013 10:28:09 PM | SMS02SS401.ICBCAGENT.NET | SMS_WSUS_CONTROL_MANAGER | 1021 | Site Component Manager detected that this component should be deinstalled from this site system. Site Component Manager will attempt to deinstall the component every 60 minutes. Site Component Manager will abort the deinstallation if it fails to succeed after 1440 minutes.
    Information | Audit | PS1 | 4/12/2013 10:27:58 PM | sms02ss401.icbcagent.net | Microsoft.ConfigurationManagement.exe | 30038 | User "ICBC\ll1v3" deleted the role of the Windows NT Server "\\SMS02SS401.ICBCAGENT.NET" as a Software update point in the site control file at site PS1.
    Error | Milestone | PS1 | 4/12/2013 10:15:45 PM | SMS02SS401.ICBCAGENT.NET | SMS_WSUS_CONTROL_MANAGER | 1020 | Site Component Manager failed to reinstall this component on this site system. Solution: Review the previous status messages to determine the exact reason for the failure. Site Component Manager will automatically retry the reinstallation in 60 minutes. To force Site Component Manager to immediately retry the reinstallation, stop and restart Site Component Manager using the Configuration Manager Service Manager.
    Error | Detail | PS1 | 4/12/2013 10:15:45 PM | SMS02SS401.ICBCAGENT.NET | SMS_WSUS_CONTROL_MANAGER | 580 | Could not delete the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\SMS_EXECUTIVE\Threads\SMS_WSUS_CONTROL_MANAGER" on computer SMS02SS401.ICBCAGENT.NET. The operating system reported error 997: Overlapped I/O operation is in progress.
    Information | Milestone | PS1 | 4/12/2013 10:15:40 PM | SMS02SS401.ICBCAGENT.NET | SMS_WSUS_CONTROL_MANAGER | 1018 | Site Component Manager is reinstalling this component on this site system.
    Error | Detail | PS1 | 4/12/2013 9:14:39 PM | SMS02SS401.ICBCAGENT.NET | SMS_WSUS_CONTROL_MANAGER | 580 | Could not delete the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\SMS_EXECUTIVE\Threads\SMS_WSUS_CONTROL_MANAGER" on computer SMS02SS401.ICBCAGENT.NET. The operating system reported error 997: Overlapped I/O operation is in progress.
    In fact, the registry key is under
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Components\SMS_EXECUTIVE\Threads\SMS_WSUS_CONTROL_MANAGER
    When I trigger uninstall via AdminUI, it fails to remove it, thus it thinks that it is already there when I try to re-install it.
    The fix was to manually remove the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Components\SMS_EXECUTIVE\Threads\SMS_WSUS_CONTROL_MANAGER registry key then re-try.
    Thanks,
    Young-
    YPae

    Yes!!! This worked for me. I have SCCM set up with a number of untrusted forests with a firewall in between my SCCM servers and the untrusted forests. The firewall went down and half of my site servers in the untrusted forests were giving the "operating system reported error 997: Overlapped I/O operation is in progress" on a number of their components. Finally found this, deleted the reg keys under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Components\SMS_EXECUTIVE\Threads" and that allows SCCM to reinstall.

  • SAP GRC AC 5.3 Roles provisioning

    Dear all,
    Does anyone know if SAP BW, SAP XI, SAP WF and SAP SP are supported as standard by SAP GRC AC for roles provisioning?
    Thanks for your help!
    Kind regards,
    Sergio

    Hi Sergio,
    let's put the answer the other way round to make it easy.
    AC 5.3 CUP can provision ABAP roles and UME/Portal roles. Not more not less.
    This means if you have a solution which needs additional provisioning to be done (e.g. CRM business partner assignment) then CUP won't be able to do that.
    Best,
    Frank

  • How to generate mass roles in SUPC

    Hi All,
    I have to generate mass roles at one time. There are 3000 roles to be generated. I am using tcode SUPC to do this but when I give the list of roles and click on the generate button it is taking only one role.
    I am generating derived roles.
    Please advise..
    Thanks,
    Masood

    > I am generating derived roles.
    Perhaps Salman123 wrote a CATT to hit the "Adjust derived roles" function once, or dug deeper?
    If you have less than 50 roles and all standard and maintained authorizations, you are better off using the delete menu and import from role option, in my opinion (make sure the root node is small and use redundancy compression).
    If you have more than 50 roles, then (shame on me...) try to keep them very small with only selected objects and use the option to delete their profiles completely and upload them en masse. Such roles are anyway usually best suited for BW systems and an entirely different concept (Analysis Authorizations).
    You can avoid derived roles completely this way.
    Cheers,
    Julius

  • ERM - MASS ROLE UPLOAD

    Hi All,
    When using the mass role upload from SAP backend systems, I expect that all roles will be uploaded to the final stage in the role methodology in the ERM and that they will already be generated.
    After all, those roles already exist in the systems.
    Well, I see that this is not the case and I have to go through the different stages with every role.
    Is this indeed the system behavior, or did we do something wrong?
    Thanks

    Hi
    We did as you suggested but configured the approval stage in the methodology, since the role is already approved and is in ECC PROD.
    Now we have encountered a situation where we need to update the role in ERM as part of continuous maintenance (after upload), but we don't have the authorization option to enter and change it, only the "save" and "change history" push buttons.
    We changed the methodology back to the relevant one with all the stages, but we still can't maintain the uploaded role. The change in the methodology did not affect the role already uploaded.
    Do you have any suggestions regarding how we can fix this issue?
    Thank you

  • Mass role import

    Hi guys,
    I have a problem with mass role import. When I want to do a mass role import, the system warns me with the following error: "Failed processing; role not imported", and the log does not help.
    Thanks in advance!!!
    Kind regards!!!
    Isaac

    I attach the System Log
    2010-04-08 09:10:54,772 [Thread-1507] DEBUG BackgroundJobHistoryDAO before inserting....[email protected]3b0c[jobId=42,lastModifiedDate=Thu Apr 08 09:10:45 ART 2010,statusId=1,statusDesc=<null>,message=22805#_!ROLENAME#_!ZAP:SOL_ANT_VIAJES_COMPEN-G102 : ]
    2010-04-08 09:10:54,772 [Thread-1507] DEBUG BackgroundJobHistoryDAO before inserting....[email protected]6f28[jobId=42,lastModifiedDate=Thu Apr 08 09:10:45 ART 2010,statusId=1,statusDesc=<null>,message=22805#_!ROLENAME#_!CO:RPTE_CO-LLAD : ]
    2010-04-08 09:10:54,772 [Thread-1507] DEBUG BackgroundJobHistoryDAO before inserting....[email protected]b79e[jobId=42,lastModifiedDate=Thu Apr 08 09:10:45 ART 2010,statusId=1,statusDesc=<null>,message=22805#_!ROLENAME#_!GL:VIRL_CTAS_CONTAB-ALL-CTRL : ]
    2010-04-08 09:10:54,772 [Thread-1507] DEBUG BackgroundJobHistoryDAO before inserting....[email protected]608b[jobId=42,lastModifiedDate=Thu Apr 08 09:10:45 ART 2010,statusId=1,statusDesc=<null>,message=22805#_!ROLENAME#_!TR:ADMR_DATOS_MTRO-G103 : ]
    2010-04-08 09:10:54,772 [Thread-1507] DEBUG BackgroundJobHistoryDAO before inserting....[email protected]b29c[jobId=42,lastModifiedDate=Thu Apr 08 09:10:45 ART 2010,statusId=1,statusDesc=<null>,message=22805#_!ROLENAME#_!GL:ANAL_VALU_MONETARIA-ALL : ]
    2010-04-08 09:10:54,772 [Thread-1507] DEBUG BackgroundJobHistoryDAO before inserting....[email protected]55c2[jobId=42,lastModifiedDate=Thu Apr 08 09:10:45 ART 2010,statusId=1,statusDesc=<null>,message=22805#_!ROLENAME#_!AR_SOL_ANTICIPO-I102 : ]
    2010-04-08 09:10:54,772 [Thread-1507] DEBUG BackgroundJobHistoryDAO before inserting....[email protected]8e78[jobId=42,lastModifiedDate=Thu Apr 08 09:10:45 ART 2010,statusId=1,statusDesc=<null>,message=22805#_!ROLENAME#_!Z_FI_TX_S_ALR_87012083 : ]
    2010-04-08 09:10:54,772 [Thread-1507] DEBUG BackgroundJobHistoryDAO before inserting....[email protected]08f5[jobId=42,lastModifiedDate=Thu Apr 08 09:10:45 ART 2010,statusId=1,statusDesc=<null>,message=22805#_!ROLENAME#_!/VIRSA/Z_VFAT_ADMINISTRATOR : ]
    2010-04-08 09:10:54,788 [Thread-1507] DEBUG BackgroundJobHistoryDAO before

  • Initiator for Role removal.

    Hi,
    I need some update/input w.r.t. the role removal initiator. While configuring the role removal, is it possible to use the role status in the initiator? If not, how do we identify that this role is only for role removal?
    Normally we put only one stage for role removal. In the config, nowhere do we have an automatic check that the request is only for role removal. So we have to trust that particular stage's owners. As per the CUP automation check, is it possible to validate this?
    Thanks in advance.
    Regards,
    Vasantha Kumar.

    Hi Justin
    I'm assuming you are involved in, or a victim of, a security access review. I'm usually one of those security guys asking for role or transaction removal, and you are the main contact in the business coordinating the changes.
    The process of remediation will possibly consist of checking which transactions are causing segregation of duties conflicts, whether they are used or not, and removing one side of the conflict by removing an unused transaction.
    It shouldn't require the entire contents of a role to be removed - rather swapping role A for role B without a transaction or two.
    Removing transactions that aren't used can have more subtle implications, which hopefully are found during UAT but are usually missed until used in anger. This is what support is for after go-live.
    Saying all that, and depending on your time and skills, you could ask for access to the security person's test user in dev or qas where they are working, to run transaction SUIM on transactions for the user following the proposed changes and compare that to the actual access of the real affected user in prod. If you can get access to the informer tab in Virsa, you can use the standard simulation reports to also check the resulting conflicts, which will help you talk to the business and advise on actions available. There should be role owners involved in all this, as they have to own the result: expect a request for these for CUP later on.
    If you can retain control and approval of the (controlled) changes being made to users, you will have a better understanding of what is happening, catch potential errors and mediate between security and the business - you have an important task!
    Ask for some basic training in standard SAP reports - the security team should be more than grateful for your input.
    Crikey that was hard typing on an iPhone!
    Cheers
    Edited by: David Berry on Jan 11, 2011 8:17 PM
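
The remediation check described in the reply above (find the SoD conflict, see which side is unused, remove it, then re-check the resulting access) can be sketched as follows. This is an added example, not part of the original thread; the rule set, usage counts and user access are constructed sample data that in practice would come from your own rule set and usage reports.

```python
# Constructed SoD rule set: transaction pairs one user should not hold together.
SOD_RULES = {
    frozenset({"FK01", "F-53"}): "Maintain vendor + post outgoing payment",
    frozenset({"ME21N", "MIGO"}): "Create purchase order + post goods receipt",
}

# Constructed sample: transactions the affected prod user can run, and how
# often each was executed during the review period.
PROD_USER = {"FK01", "F-53", "ME21N", "MIGO", "FB03"}
USAGE = {"FK01": 0, "F-53": 40, "ME21N": 12, "MIGO": 7, "FB03": 90}

def find_conflicts(tcodes):
    """Return the SoD rules violated by a set of transaction codes."""
    held = set(tcodes)
    return {pair: desc for pair, desc in SOD_RULES.items() if pair <= held}

def propose_removals(tcodes, usage):
    """For each conflict, suggest removing a side that was never executed.

    Conflicts where both sides are in use cannot be fixed by trimming an
    unused transaction, so they are returned for the role owner to decide.
    """
    removals, escalate = set(), []
    conflicts = sorted(find_conflicts(tcodes).items(), key=lambda kv: kv[1])
    for pair, desc in conflicts:
        unused = sorted(t for t in pair if usage.get(t, 0) == 0)
        if unused:
            removals.add(unused[0])  # one side is enough to break the conflict
        else:
            escalate.append(desc)
    return removals, escalate

def simulate(tcodes, removals):
    """Access after the proposed change, plus any conflicts that remain."""
    after = set(tcodes) - set(removals)
    return after, find_conflicts(after)

if __name__ == "__main__":
    removals, escalate = propose_removals(PROD_USER, USAGE)
    after, remaining = simulate(PROD_USER, removals)
    print("remove:", sorted(removals))
    print("access after change:", sorted(after))
    print("still conflicting:", sorted(remaining.values()))
    print("needs role owner decision:", escalate)
```
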
