Indirect pfcg role assignment - no roles in SU01

Similar Messages

• Indirect Role Assignment: Composite roles

  Can anyone shed some light regarding the following scenario:
  We have a user previously assigned to a managerial position and this position is attached to a MSS-composite role in PO13 (thorugh the AG relationship). Now this user has been delimited from that managerial position, and is now assigned to a new position as a normal staff, so he shouldn't have the MSS-composite role anymore. We updated the run in PFUD with HR Org-assignment reconcilation, but we still find the Composite role for Managers in his user master record in SU01.
  What might be wrong?

  > Items to check for before running RHPROFL0:
  > PA Records info for the User
  > ==================
  > 1.  Was the HR check pointer on when the position was delimited?
  > 2.  Is the position truly delimited
  > 3.  Does the IT105/ST0001 match the person's user ID
  > 4.  How many position does this person hold in the PA record
  > 5.  Check if the new position have the correct roles for this person, it might actually have the MSS composite role you are trying to remove access from the user.
  Hi John, thanks for your response to this thread.
  We have not scheduled RHPROFL0 to run. Correct me if I'm wrong, isn't this is only needed when PD-profile is used? We are not assigning structural profile though PD-profile in PO13, we do it manuall instead in OOSB. Besides, I am not able to run that program anyway, because we have the CUA set to Global, and no indirect role asssignment is possible. We can only do the comparison via the HR-org assignment reconciliation in PFUD. Can this be the main reason somehow?
  I also found out that our PRGN_CUST has no entries in it: HR_ORG_ACTIVE is not on. <<--- Does this only need to be switch-on if our CUA is set Local? Do I need this?
  Then, my answers below to your questions:
  1. Do you mean the "pink-arrow-up" icon from the old position? Then the answer is yes.
  2. Then position itself it not delimited, only the user assignment is. In PPOSE, it shows that the person is assigned to this old position from 01.04.2007 until 31.01.2008. So I guess in that sense, it tells that the position is truly delimited.
  3. Yes
  4. In PA records I can see many records under different validity dates, but they are all records of the new position. The earliest record (the one at the end of the list) was a record attached to a default position and without any organization assignment. Then, in PA > List Organizational Assignment screen, there is a system message that says "Employee has more than one position". --> Does this refer to the non-listed old position? or default position + new position in PA record?
  5. No. The new position is just an ordinary employee without any indirect role assigment.
  We also tried to remove the MSS-composite role from the old position in PO13, but it doesn't make any difference to the user master record in SU01.
  For your reference as well, this is how our US_ACTGR looks like:
  40 > AG > A > 007 >  S
  50 > AG > A > 007 > US
  60 > AG > A > 007 > P
  70 > P > B > 208 > US
  110 > S > A > 008 > *
  Hope this information tells something.
  I appreciate your time and many thanks in advance for your help!

• The security-role-assignment references an invalid security-role: Certifica

  In Oracle Enterprise Pack for Eclipse, I failed to deploy an application in debug mode. The error I noticed in my domain log is:
  weblogic.management.DeploymentException: [HTTP:101168]The security-role-assignment references an invalid security-role: Certificate.
       at weblogic.servlet.security.internal.WebAppSecurity.setRoleMapping(WebAppSecurity.java:180)
       at weblogic.servlet.security.internal.WebAppSecurity.registerSecurityRoles(WebAppSecurity.java:155)
       at weblogic.servlet.internal.WebAppServletContext.prepareFromDescriptors(WebAppServletContext.java:1181)
       at weblogic.servlet.internal.WebAppServletContext.prepare(WebAppServletContext.java:1120)
       at weblogic.servlet.internal.HttpServer.doPostContextInit(HttpServer.java:449)
       at weblogic.servlet.internal.HttpServer.loadWebApp(HttpServer.java:424)
       at weblogic.servlet.internal.WebAppModule.registerWebApp(WebAppModule.java:910)
       at weblogic.servlet.internal.WebAppModule.prepare(WebAppModule.java:364)
       at weblogic.application.internal.flow.ScopedModuleDriver.prepare(ScopedModuleDriver.java:176)
       at weblogic.application.internal.flow.ModuleListenerInvoker.prepare(ModuleListenerInvoker.java:93)
       at weblogic.application.internal.flow.DeploymentCallbackFlow$1.next(DeploymentCallbackFlow.java:387)
       at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:37)
       at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:58)
       at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:42)
       at weblogic.application.internal.BaseDeployment$1.next(BaseDeployment.java:615)
       at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:37)
       at weblogic.application.internal.BaseDeployment.prepare(BaseDeployment.java:191)
       at weblogic.application.internal.EarDeployment.prepare(EarDeployment.java:16)
       at weblogic.application.internal.DeploymentStateChecker.prepare(DeploymentStateChecker.java:155)
       at weblogic.deploy.internal.targetserver.AppContainerInvoker.prepare(AppContainerInvoker.java:60)
       at weblogic.deploy.internal.targetserver.operations.ActivateOperation.createAndPrepareContainer(ActivateOperation.java:197)
       at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doPrepare(ActivateOperation.java:89)
       at weblogic.deploy.internal.targetserver.operations.AbstractOperation.prepare(AbstractOperation.java:217)
       at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentPrepare(DeploymentManager.java:723)
       at weblogic.deploy.internal.targetserver.DeploymentManager.prepareDeploymentList(DeploymentManager.java:1190)
       at weblogic.deploy.internal.targetserver.DeploymentManager.handlePrepare(DeploymentManager.java:248)
       at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.prepare(DeploymentServiceDispatcher.java:159)
       at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doPrepareCallback(DeploymentReceiverCallbackDeliverer.java:157)
       at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$000(DeploymentReceiverCallbackDeliverer.java:12)
       at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$1.run(DeploymentReceiverCallbackDeliverer.java:45)
       at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:516)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  What I do not understand is that this error remains even though I modified weblogic.xml to remove the following lines:
  <wls:security-role-assignment>
  <wls:role-name>Certificate</wls:role-name>
  <wls:externally-defined/>
  </wls:security-role-assignment>
  I also deleted <MYDOMAIN_HOME>/servers/AdminServer/cache and <MYDOMAIN_HOME>/servers/AdminServer/tmp but this error still showed up when I attempted to deploy the application in Eclipse.
  If I exported the EAR file and deployed it using Admin Console, the application was deployed successfully. But when I deleted it in Admin Console and attempted to deploy it in Eclipse again, the same error occurred and the deployment failed. What could be the reason for this behavior? Is there anything cached somewhere when deploying it in Eclipse? Thanks in advance for your help.

  Hi,
  I know that is an old thread, but just in case... Maybe you could try setting up the DEBUG_OPTIONS in your startManagedWeblogic script and configure a remote debug in Eclipse:
  DEBUG_OPTIONS="-Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,address=8003,server=y,suspend=n"
  Hope it helps,
  Luis

• Mass Change for Indirect Role Assignment

  Hi all,
  I am in the process of changing the company’s authorisations from a standard SU01 role assignment to a position based indirect role assignment.
  At the moment I am using PFCG going to the Org Mg button under the User tab then attaching the position that way.  Is there a way of assigning more than one role to a position at the same time?
  Is there a Mass Assignment option in PFCG or is there a separate transaction available to make this process quicker??
  Thanks for your help
  Ian

  you can mass-assign people and roles if you go to transaction PPOME instead of PFCG. to make role assignments from PPOME please apply note 578271 first. be careful whilst implementing this <insert nasty word here> note because some of those view-clusters tend to refuse to load your changes = you can see them, but they don't work - might be you will have to flush table buffers for the changes to take effect.

• Indirect Role Assignment in My SAP SRM

  Hello,
  I am trying to do a Indirect Role Assignment in My SAP SRM.
  In my ECC system we have done it through PFCGgotoOrg Mgmt---assign positions and then reconcilitaion
  in HR master data the Sap USer ID is communication through infotype 105
  but in My SAP SRM I need some help on how to do that...
  as HR master data does'nt exist in my SAP SRM..
  so can you please tell me how to do that.
  -Thanks
  Sam

  Hi Its done the same goto PFCG, user tab >org assign > select the position and reconcile, once done do a PFUD then goto PPOSW fine your position and you will see the role assigned to that position then goto su01 to make sure the role has been assigned there to.

• HR indirect role assignment

  If personel no is not the same as infotype 0105 assigned user, How do you check your Indirect role assignment If you are using soultion manger. We dont have PA20, PA30, PA48 t-codes in soulution mangers.our CUA a in Soultion manger . Help is greately appericiated. Thanks

  I created HR_ORG structure(HRMD_ABA) in dev (HR system-Sending system) and add filters according to help.sap document, generate partner profile using we20. After that I transfered org structure in CAU (SolMan-Non HR systems- Receving system) using ALE run (Run SA38 -RHALEINI) i think its working.
  Composite roles are reside in Dev (HR-system), For indirect roles assignment (position level security) i created composit role just only roles name and description with out tcodes and auth object in CUA (SolMan -Non HR system).
  For test position assigment, I run pfcg in CUA(SolMan) click on organization management  select position and click indirect roles assignment after that i did user comparsion but i cant not see users id in user assignment. Please let me know any helpful Suggession. Thanks for ur quick response..

• HR Indirect Role Assignment through HR ORG Distribution Model with ALE

  1) When i assigned indirect (position level security) roles in CUA(SolMan) using pfcg click on organization managment to position after that i did user comparsion but i can not see user id in user tab.
  2) If personel no is not the same as infotype 0105 assigned user, How do you check your Indirect role assignment If you are using soultion manger. We dont have PA20, PA30, PA48 t-codes in soulution mangers.our CUA a in Soultion manger .
  Help is greately appericiated. Thanks

  I created HR_ORG structure(HRMD_ABA) in dev (HR system-Sending system) and add filters according to help.sap document, generate partner profile using we20. After that I transfered org structure in CAU (SolMan-Non HR systems- Receving system) using ALE run (Run SA38 -RHALEINI) i think its working.
  Composite roles are reside in Dev (HR-system), For indirect roles assignment (position level security) i created composit role just only roles name and description with out tcodes and auth object in CUA (SolMan -Non HR system).
  For test position assigment, I run pfcg in CUA(SolMan) click on organization management  select position and click indirect roles assignment after that i did user comparsion but i cant not see users id in user assignment. Please let me know any helpful Suggession. Thanks for ur quick response..

• Track changes on indirect assignment of roles to users

  Hi Experts,
  We have been facing an issue where users have roles assigned indirectly(position/job/org unit).
  I have checked the relationship between position/org unit and job to find if there are any roles assigned to these position(HRP 1001).
  To my surprise there are no roles assigned to any of the position,org unit or job.
  Our production system is linked with CUA(Solman) and role assignment is selected as Global.
  I have checked both the systems and couldn't find any roles assigned to the position/org unit/job.
  These roles are assigned to the users in the year 2005?
  I would like to know
  1.) How these roles got assigned to the system? Any logs are there to track it down?
  2.) either we have to change the CUA setting to local and to run the RHAUTUPD_NEW in production system?
  or to run the report RHAUTUPD_NEW in CUA system? am i following the right approach?
  Kindly advise and let us know suggestions on this?
  Thanks a lot in advance for your help.

  Julius,
  What change log says about these role assignments?
  I think  ,Having the system in part of CUA (SCUM setting :role assignment global) and maintaining postion based role assignment is contradictory.
  So better to detach the system and perform PFUD(comparison type :HR org mgmet) to make the role assignments up to date and connect it back .
  Thanks,krishna

• Indirect Role Assignment

  I am adding roles to positions using indirect role assignment, when adding the role to the position I am prompted to carry out a reconcilliation of indirect user assignments, receive message 'Indirect user assignments ok'  so then I've run PFUD.  When I check both the role and the user I cannot see the role attached to the user, but the role is listed in the 'Relationships' in PP01.
  A new organisation structure has been created, when I click on the drop down at the 'change agent assignment' the old organisation structure is displayed.  Any suggestions please how I can select the new organisation structure?
  Thanks

  Hello Anthea,
  to pass on a role from a position to a SAP user id I would suggest the following.
  Go to transaction SA38 and run report RHPROFL0.
  Some notes on the report and report selections.
  The report can be used to eveluate and assign roles from HR objects to SAP users. The report starts reading at a given HR object along an evaluation path. It then updates the SAP user found with authorisation roles.
  Selections:
  You have assigned the roles to a position therefore you should select object type S.
  Then put the position number in the Object ID.
  The key date is hopefully self explaining.
  The evaluation path might have defaulted to PROFL0. That would be the correct one.
  The program has a test mode. I suggest you run the test mode first. It will tell you what the program would change in an actual run.
  In the next selection box - "Generate authorization profiles"
  You might leave the ticks in the boxes:
  - Standard authorizations
  - PD authorizations
  That will generate profiles if they aren't generated yet.
  Next selection box - "Delete manually maintained authorisation profiles"
  Leave the tick boxes blank if you have any direct assigned roles.
  If you tick the boxes all roles and profiles directly assigned to SAP user ids will be deleted.
  In section "New Users"
  There is a tick box "Generate".
  If that box is ticked the report will create new SAP user IDs for all occupied positions with roles but without SAP user ID on the Employee record.
  You might leave that box unticked for the moment.
  I suggest to create the application log --> Last tick box on the selection screen.
  Some general comments at the end.
  The report RHPROFL0 might be scheduled in production systems if indirect role assignments are used. Depending on your needs make sure that the deletion of manual assigned profiles is activated or deactivated.
  If you do not enter an object id, the report will run for all object ids.
  A further note on the indirect setup.
  If roles should be passed on from a Position to a SAP user id, it is important, that the following conditions are fulfilled.
  The Position is valid/active as of the report key date.
  The position has a holder at key date.
  The holder has an assignment of a valid SAP user ID at key date. Infotype 0105 subtype 0001 for object type P.
  The Roles on the position are valid at the key date.
  I hope that helps solving your issue.
  Best regards
  Karsten

• Status of roles assigned in SU01

  Hi All, Need help to understand the status of a role and effect of user comparison on it... in SU01 assignment to a ID....Cases as below:
  1.Role assigned to the ID has expired....The color of the role I have noticed becomes red...why is it so? is it because the role had a new profile generated since the time role got expired in that user? or is it just because role has got expired and so it becomes red in SU01?
  And are roles and corresponding profiles which got expired removed from the ID automatically or just both role&profile left as it is with only the role turned red giving the text (User comparison required)...
  2.Role assigned to a ID with validity start date set as some date in future. Have seen that in this case too role becomes red after a day!! PFCG_TIME_DEPENDENCY runs..But why is it so??Why does it turn red?

  Hi,
  Role assigned to the ID has expired. the color of the role becomes red. This is because each role assigned to the user has a validity end period. once this date is crossed, the user will not have authorization to objects contained in the role. You can check more details in AGR_USERS table. there you will find that each role attached to a user has a start and end date.

• Assign biz role through CRM -SU01 and display page at portal

  HI, SDN Fellows.
  I am creating some custom portal roles at portal and mapped it to the custom business roles for some PCUI screens at crmc_blueprint_c --> "Assign Portal Role to Single Role" ("Assignment of CRM Role to Portal Role").
  Currently, our portal UME data source is mapped to CRM system.
  Right now, I have to assign both the CRM Role through SU01(to have access the CRM Object Method at CRM-PCUI application) and Portal Role through User Admin of WAS/portal (to access/display the PCUI iView in the portal).
  My goal is to just assign role through CRM-SU01 and achieve the same output as I described above. Meaning can I just do the role assignment for the CRM role (through SU01) and able to access to the CRM-PCUI application through portal (able to see the pcui screen)?
  Thanks,
  Kent

  What I want is when I assign a role (Sales Manager) said user A in CRM system, userA should able to see the related workset/page/iviews in the portal (without the need to assign the same: Sales Manager role in portal).
  Now, what I have to do is assign the related objects into a single/composite roles in CRM (for backend data access), then I have to assign a portal role (through User Admin of Portal, so that they can see the portal content),
  is that a way we can do it in one step?
  Thanks,
  Kent

• Indirect Role Assignment Within CUA

  Hi Experts,
  Weu2019re implementing indirect role assignment in SAP HR and exploring the feasibility to include this client as part of CUA. Has anyone implemented this before? Appreciate if you could share.
  I understand that CUA able to distribute DIRECT role assignment made from central client to the child client(s), but not so sure if it is possible for INDIRECT role assignment approach. My previous project exclude client with indirect role assignment from the CUA distribution landscape and I wonder why.
  Appreciate your input in this matter and looking forward for further discussion.
  Best regards and million thanks in advance.

  Hi,
  So I worked on a CUA managed landscape that had systems that featured indirect org assignment hooked in.  The association between the User ID and the HR org based position was still maintained locally as the local system contained the HR Org structure, but direct access was still blocked by CUA The roles assigned indirectly were visible from CUA in a different colour.  You can still maintain users directly from CUA on top of this.  This may be an alternative to consider.
  If the local system does not contain the HR Org structure you are probably going to have to export the structure, so if that is the case you might as well import it to CUA if all org relevant users are maintained there and manage it centrally via the advised link anyway.
  Cheers
  Steve

• HR-ORG - Indirect Role Assignment

  Hello
  We are designing the role & security strategy in a new implementation project. The best security strategy seems to be an indirect role assignment via SAP organizational structure. We've looked for some information about that, but we have some doubts about it (we have downloaded "HR-ORG - Indirect Role Assignment" and "User & Roles" files from SAPNet).
  The organizational structure will have a lot of leaves named "explotacion". Every leaf will have a different company code, sales organization, sector and so on... On the other hand, it's a requirement that a user obtains automatically its roles when its moved through organizational structure.
  Our plan consists in create several primary roles (for example, sales manager). Then we will create a lot of derivate roles which will inherit all authorizations from the parent role. However, it shouldn't inherit organization field values... Then, when this role is assigned to a position, this role should obtain all organizational field values (company code, sector, ...) from our organizational structure.
  Is it possible? How can we do that?
  Best regards,

  As mentioned previously, the indirect role assignment may work in this case since it assigns complete roles to positions rather than inheriting the properties of that position.
  Structural authorisations however, do have specific authorisation values assigned directly to the organisational positions.
  I have not had much experience in implementing these but that maybe worth a look.
  Simon

• Indirect role assignment using HR org

  Can we use the indirect rôle assignement with thousands of users ? I mean is there any way to make a mass users assignation using this method ?
  Thanks!

  Hello,
  The switch for ORGPD is activated.
  Our organization's position and job categorization is be very generic, according to the functional requirements of HR department on OM. This department is new on SAP so they are unaware of the basis team's requirement/need for an "semi-automatic" role assignment. Moreover, the functional desing on OM is done beyond this need, and it's not considered to redo the design again.
  We would like to use the task object type to link the roles, any other "unused" HR ORG object, or if possible, a custom HR ORG object with custom relations with standard OM objects. This last choice would be the best from the point of view of the basis team, because this way we would not interfere in a future use of HR ORG standard objects.
  The idea is to distribute the role assignment between basis people and HR people. Basis people would link the roles with the selected object and HR people would link the selected object with positions, functions, employees,...according to their needs.
  Is it possible to use a custom HR ORG object for indirect role assignment? If not, is it possible to use task for this purpose? How it's done?
  Yours,
  jmiturbe

• Indirect role assignment using HR-ORG, any concern

  May someone share their view or experience on indirect role assignment using HR-ORG, i.e. assign role to HR position or org unit instead of user.
  Here are some of my concerns:
  1. HR data is maintain by HR staff and their task should be separate from authorization/user assignment.
  2. When using with CUA, distribute HR structure to CUA parent system is not acceptable because HR data is sensitive.

  Well I think the Position and User are created by the functional consultant, but the authorization you are talking about is taken care by the BASIS consultant.