Indirect Role Assignment: Composite roles

Can anyone shed some light regarding the following scenario:
We have a user previously assigned to a managerial position and this position is attached to a MSS-composite role in PO13 (through the AG relationship). Now this user has been delimited from that managerial position, and is now assigned to a new position as a normal staff, so he shouldn't have the MSS-composite role anymore. We updated the run in PFUD with HR Org-assignment reconciliation, but we still find the Composite role for Managers in his user master record in SU01.
What might be wrong?

> Items to check for before running RHPROFL0:
> PA Records info for the User
> ==================
> 1.  Was the HR check pointer on when the position was delimited?
> 2.  Is the position truly delimited?
> 3.  Does the IT105/ST0001 match the person's user ID?
> 4.  How many positions does this person hold in the PA record?
> 5.  Check if the new position has the correct roles for this person, it might actually have the MSS composite role you are trying to remove access from the user.
Hi John, thanks for your response to this thread.
We have not scheduled RHPROFL0 to run. Correct me if I'm wrong, isn't this only needed when PD-profile is used? We are not assigning structural profile through PD-profile in PO13, we do it manually instead in OOSB. Besides, I am not able to run that program anyway, because we have the CUA set to Global, and no indirect role assignment is possible. We can only do the comparison via the HR-org assignment reconciliation in PFUD. Can this be the main reason somehow?
I also found out that our PRGN_CUST has no entries in it: HR_ORG_ACTIVE is not on. <<--- Does this only need to be switched on if our CUA is set Local? Do I need this?
Then, my answers below to your questions:
1. Do you mean the "pink-arrow-up" icon from the old position? Then the answer is yes.
2. The position itself is not delimited, only the user assignment is. In PPOSE, it shows that the person is assigned to this old position from 01.04.2007 until 31.01.2008. So I guess in that sense, it tells that the position is truly delimited.
3. Yes
4. In PA records I can see many records under different validity dates, but they are all records of the new position. The earliest record (the one at the end of the list) was a record attached to a default position and without any organization assignment. Then, in PA > List Organizational Assignment screen, there is a system message that says "Employee has more than one position". --> Does this refer to the non-listed old position? or default position + new position in PA record?
5. No. The new position is just an ordinary employee without any indirect role assignment.
We also tried to remove the MSS-composite role from the old position in PO13, but it doesn't make any difference to the user master record in SU01.
For your reference as well, this is what our US_ACTGR looks like:
40 > AG > A > 007 >  S
50 > AG > A > 007 > US
60 > AG > A > 007 > P
70 > P > B > 208 > US
110 > S > A > 008 > *
Hope this information tells something.
I appreciate your time and many thanks in advance for your help!
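
The check this thread is circling, as an added example that is not part of the original posts: it recomputes which roles a user should hold indirectly on a key date (user, then personnel number via infotype 0105 subtype 0001, then positions held, then roles attached to those positions) and lists indirect user-master entries that no longer have that backing. The row layouts are simplified assumptions modelled on HRP1001 and AGR_USERS, and every ID, user name and role name is constructed; only the 01.04.2007 to 31.01.2008 holder period comes from the thread.

```python
from datetime import date

HIGH = date(9999, 12, 31)  # open-ended validity

# Constructed sample extracts (not real data). Layouts are simplified
# assumptions modelled on HRP1001, infotype 0105 and AGR_USERS.
# HRP1001-style rows: (otype, objid, relation, sclas, sobid, begda, endda)
HRP1001 = [
    # Old managerial position, holder period as quoted in the thread
    ("S", "50000010", "A008", "P", "00001234", date(2007, 4, 1), date(2008, 1, 31)),
    # New staff position
    ("S", "50000020", "A008", "P", "00001234", date(2008, 2, 1), HIGH),
    # Composite role attached to the old position only
    ("S", "50000010", "B007", "AG", "Z_MSS_MANAGER_COMP", date(2007, 1, 1), HIGH),
]
# Infotype 0105 rows: (pernr, subtype, userid, begda, endda)
IT0105 = [("00001234", "0001", "JDOE", date(2007, 1, 1), HIGH)]
# AGR_USERS-style rows: (uname, agr_name, from_dat, to_dat, org_flag)
# org_flag "X" marks an assignment that came from Organizational Management.
AGR_USERS = [
    ("JDOE", "Z_MSS_MANAGER_COMP", date(2007, 4, 1), HIGH, "X"),  # indirect
    ("JDOE", "Z_ESS_EMPLOYEE", date(2007, 1, 1), HIGH, ""),       # direct
]


def valid(begda, endda, key_date):
    """True if key_date lies inside the validity period (inclusive)."""
    return begda <= key_date <= endda


def positions_of_user(uname, key_date):
    """Positions whose holder (A008) is a person mapped to uname on key_date."""
    pernrs = {p for p, sub, u, b, e in IT0105
              if sub == "0001" and u == uname and valid(b, e, key_date)}
    return {objid for ot, objid, rel, sc, sobid, b, e in HRP1001
            if ot == "S" and rel == "A008" and sc == "P"
            and sobid in pernrs and valid(b, e, key_date)}


def expected_indirect_roles(uname, key_date):
    """Roles attached (B007 -> AG) to positions the user holds on key_date.

    Only the position chain is evaluated; roles inherited from jobs or
    org units are outside this example.
    """
    positions = positions_of_user(uname, key_date)
    return {sobid for ot, objid, rel, sc, sobid, b, e in HRP1001
            if ot == "S" and rel == "B007" and sc == "AG"
            and objid in positions and valid(b, e, key_date)}


def stale_indirect_assignments(key_date):
    """Indirect user-master entries with no valid org chain behind them."""
    stale = []
    for uname, role, from_dat, to_dat, org_flag in AGR_USERS:
        if org_flag != "X" or not valid(from_dat, to_dat, key_date):
            continue  # direct assignments and expired rows are not in scope
        if role not in expected_indirect_roles(uname, key_date):
            stale.append((uname, role))
    return sorted(stale)


if __name__ == "__main__":
    for day in (date(2008, 1, 31), date(2008, 2, 1)):
        print(day, stale_indirect_assignments(day))
```

A non-empty result means the user master still carries an indirect role that the org structure no longer justifies on that date, which is the symptom described above.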

Similar Messages

  • FM Assigning of Single Roles to Composite Roles

    Hello everybody,
    I spent the whole day trying to find a solution using any source I know and I couldn't find a solution. So sorry if this question has been asked before.
    My Question is:
    Can you tell me a Function Module which assigns/removes a Single PFCG Role to a Composite PFCG Role.
    Regards Max

    Hi,
    You can add as many single roles but you cannot add the Composite Roles in Composite Role.

  • Not able to assign Composite Role to Position

    Hello All,
    I am facing the following problems.
    1) The user is not able to see Create Report Links. When I checked the Composite Role in PFCG I found that in the USER Tab the Organizational Tab was yellow. I did Indirect Reconciliation in the Organizational Tab and then it went GREEN, then I did User Comparison.
    I got this Message
    "You do not need to perform Prfile Comparision for role " Role Name".
    and the Position was removed.
    2) Now I am trying to assign the Role to Position. I am not even able to assign it and the User ID is not coming under the User ID list.
    Please suggest.
    Thanks,
    CB

    @Point#1: It could be that user master is already compared for your composite role and no further comparison is required. To double check you might just run the comparison again via tcode PFUD or report RHAUTUPD_NEW
    @Point#2: For indirect assignment to position make sure organization management is active in your system (the switch HR_ORG_ACTIVE is set in the table PRGN_CUST to YES).
    Thanks
    Sandipan

  • Indirect pfcg role assignment - no roles in SU01

    Hi experts,
    I would like to assign PFCG roles via indirect assignment, this means I would assign roles with the organisational model (transaction ppomw).
    I did the assignment and I executed the transaction pfud for user master data reconciliation. But the pfcg roles are not assigned to the user (see roles in transaction SU01). Usually the roles should be displayed (in blue and with xflag for indirect assignment).
    Are there any customizing configurations I have to keep in mind?
    Hope you can help as fast as possible.
    Thanks a lot and best regards,
    Natali

    Run PFUD if this is still an issue.

  • Assign single role to composite role with alternate logsys assignments

    Dear gurus,
    In a moment of weakness I created a composite role (shame on me) and then noticed something about them which I had not noticed before... -> I was in a CUA master system and in the composite role I noticed that on the (single) roles tab of it, there was a field called "logical system". But it is greyed out.
    Now composite roles from the child logical systems are known to the CUA master system and have a logical system assigned by the text comparison. Assigning the composite in the master system will assign the composite in the child system and that assigns the local single roles in the child system as well -> so far so good and by the book.
    But is there some way to assign a composite role to a user in the master system which is assigned also to the master system, but the single roles of that composite have logical systems which differ from the logical system of the master system? So basically the field is not greyed out in the central composite roles and this composite role then represents an assignment beyond logical system boundaries - much like a "business role" in IDM.
    Has anyone ever done that before and survived? Any pros and cons? Is it at all possible what I am seeing here before my eyes (bar that the field is greyed out)?
    Cheers,
    Julius

    Hi Martin and others,
    I experimented a bit further with this, albeit rather unsuccessfully from the view of useful results.
    While the "target system" field is intended for navigation to the corresponding trusted RFC connection, it is also possible to turn the user menus off. So such a remote role is not going to go anywhere in navigation. If additionally the CUA is active and you create all the target system single roles in the CUA master system as well and assign them to the "target" they are intended for... then the single role menu is transferred to the child system which the role has as a target. But only the menu, and leaves the role in the target as status red. That also means it is only useful for component neutral roles.
    Now comes the hack: If you create a composite role in the master system with local single roles as well but the single roles are assigned to "targets destinations", then when assigning the user to the composite role in the master system, then it also assigns the single roles in the target systems to the user as well as the local system (the master as a child of itself). So it is in fact a halfway business role in the IDM sense, with some naming convention strings attached.
    You also don't see this in the code of SU01, as the USERCLONE Idoc processing seems to be the guilty one to also send additional Idocs for these single roles with targets assigned to the roles and not the user.
    There is only one major show-stopper in the design of the thing: You can only assign 1 target RFC connection to a single role in the central CUA master system but have to maintain the roles in the target logical system still. That means that roles must be maintained logical system specifically. That also means that you have to maintain the roles directly in production and have a completely different set for development and never transport any roles. They are as unique as their CUA master system "target destination" value and that is the logical system name as well.
    That is a bit of a bummer because it means that you also cannot ever test anything...
    Did anyone ever try to actually use this?
    Cheers,
    Julius

  • Identifying Duplicate Roles and Tracking Composite Role Assigned to the Use

    Dear Friends,
    I am a novice on this website even after browsing for the past 3 months. This website is so useful and huge with so many forums. I am lost many times as to where to post these questions. There is not a single SAP Security Forum or Basis/Security related forum. Can anyone direct me to the right forum or, if there are no Security Forums, can anyone direct me how to start a new forum so that all security related discussions and knowledge sharing take place? I am requesting the Moderators of this website to direct me to the right forums.
    We have around 2000 users in Production. We assign Composite roles and single roles to all users. Sometimes we use SECATT or LSMW to update User Master Data to assign some Roles that are ALREADY assigned to the users. I have 2 questions. Is there any way to clean up this mess? I mean identifying all users who have these Duplicate Roles with Different Validity Dates. I am sure SUIM cannot help me as I researched a lot on this. I would appreciate it if anyone can direct me to some solution for this cleanup process. I mean some SQL or SAP Query will help me, I guess. Any suggestions are greatly appreciated.
    My second question is tracking Composite Role/User Assignment Changes. We had assigned some Composite roles to the user 3 months ago and deleted them last week. When I check SUIM change documents, it does not show Composite Role history. It displays all single roles that were assigned and deleted later, BUT it never showed any information on Composite Role Additions or Deletions in User Change Documents. I hope SUIM is not going to help. I still need to go to many places or write some good SQL and execute it.
    Has anyone written such utility SQL programs for cleanup of roles/users in SAP? Is there any way to check or debug this issue, or to see any tables that monitor these changes? I would appreciate it if anyone can share this knowledge to resolve these issues.
    Any ideas and suggestions are welcome.
    Thanks
    Kumar

    Satish,
    Please post this in the SAP NetWeaver Administrator Forum and close this thread here.
    SAP NetWeaver Administrator
    Regards,
    Ravi

  • Table name to find out roles assigned to USER !!

    Hi BW Gurus,
    I want to find out all the roles assigned to users. I checked in tables USR01, USR02, USR21, and ADRP ...... I got first name, last name, account number. BUT I NEED ROLES. Can anyone kindly help me, since otherwise I have to copy and paste all manually, which takes more time...
    100% points are assigned
    SHERWIN

    Hello,
    Check in these tables:
    AGR_USERS - Assignment of roles to users
    AGR_USERT - Assignment of roles to users
    AGR_PROF - Profile name for role
    AGR_AGRS - Roles in composite roles
    Assign points if this helps
    Regards,
    Jorge Diogo

  • SAP CRM 2007 Business role assignment

    Hi all,
    We are using CRM 2007. and we are trying to assign Business roles to users using the PFCG ROLE ID attribute.
    1- We create a PFCG role : "pfcgrole1"
    2- We create a Business Role "Businessrole1" and put PFCG Role id = "pfcgrole1"
    3- assign the user to the PFCG role "pfcgrole1"
    We have two cases :
    CASE 1:The user is assigned to a position in Org management but the position does not have any Business roles assigned.
    RESULT : The user logs in  to CRM, the user gets error message  "Logon is not possible because you have not been assigned a business role"
    CASE 2:The user is not assigned to any  position in Org management.
    RESULT : The user logs in to CRM, everything works fine
    my interpretation : org management has precedence over business role assignment using PFCG roles and blocks Business role assignment even if the position has no Business roles assigned
    Anyone has any idea how to assign business roles using PFCG ROle ID even if the user is assigned to a position without any business roles
    Thanks in advance.

    Please review these old threads first:
    Re: Reg: Business Role
    Assignment pfcg-role to user and assignment pfcg-role to business role
    There is a lot of technical background on how business role to PFCG role assignment works.
    Thank you,
    Stephen
    CRM Forum Moderator

  • The security-role-assignment references an invalid security-role: Certifica

    In Oracle Enterprise Pack for Eclipse, I failed to deploy an application in debug mode. The error I noticed in my domain log is:
    weblogic.management.DeploymentException: [HTTP:101168]The security-role-assignment references an invalid security-role: Certificate.
         at weblogic.servlet.security.internal.WebAppSecurity.setRoleMapping(WebAppSecurity.java:180)
         at weblogic.servlet.security.internal.WebAppSecurity.registerSecurityRoles(WebAppSecurity.java:155)
         at weblogic.servlet.internal.WebAppServletContext.prepareFromDescriptors(WebAppServletContext.java:1181)
         at weblogic.servlet.internal.WebAppServletContext.prepare(WebAppServletContext.java:1120)
         at weblogic.servlet.internal.HttpServer.doPostContextInit(HttpServer.java:449)
         at weblogic.servlet.internal.HttpServer.loadWebApp(HttpServer.java:424)
         at weblogic.servlet.internal.WebAppModule.registerWebApp(WebAppModule.java:910)
         at weblogic.servlet.internal.WebAppModule.prepare(WebAppModule.java:364)
         at weblogic.application.internal.flow.ScopedModuleDriver.prepare(ScopedModuleDriver.java:176)
         at weblogic.application.internal.flow.ModuleListenerInvoker.prepare(ModuleListenerInvoker.java:93)
         at weblogic.application.internal.flow.DeploymentCallbackFlow$1.next(DeploymentCallbackFlow.java:387)
         at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:37)
         at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:58)
         at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:42)
         at weblogic.application.internal.BaseDeployment$1.next(BaseDeployment.java:615)
         at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:37)
         at weblogic.application.internal.BaseDeployment.prepare(BaseDeployment.java:191)
         at weblogic.application.internal.EarDeployment.prepare(EarDeployment.java:16)
         at weblogic.application.internal.DeploymentStateChecker.prepare(DeploymentStateChecker.java:155)
         at weblogic.deploy.internal.targetserver.AppContainerInvoker.prepare(AppContainerInvoker.java:60)
         at weblogic.deploy.internal.targetserver.operations.ActivateOperation.createAndPrepareContainer(ActivateOperation.java:197)
         at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doPrepare(ActivateOperation.java:89)
         at weblogic.deploy.internal.targetserver.operations.AbstractOperation.prepare(AbstractOperation.java:217)
         at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentPrepare(DeploymentManager.java:723)
         at weblogic.deploy.internal.targetserver.DeploymentManager.prepareDeploymentList(DeploymentManager.java:1190)
         at weblogic.deploy.internal.targetserver.DeploymentManager.handlePrepare(DeploymentManager.java:248)
         at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.prepare(DeploymentServiceDispatcher.java:159)
         at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doPrepareCallback(DeploymentReceiverCallbackDeliverer.java:157)
         at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$000(DeploymentReceiverCallbackDeliverer.java:12)
         at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$1.run(DeploymentReceiverCallbackDeliverer.java:45)
         at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:516)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    What I do not understand is that this error remains even though I modified weblogic.xml to remove the following lines:
    <wls:security-role-assignment>
    <wls:role-name>Certificate</wls:role-name>
    <wls:externally-defined/>
    </wls:security-role-assignment>
    I also deleted <MYDOMAIN_HOME>/servers/AdminServer/cache and <MYDOMAIN_HOME>/servers/AdminServer/tmp but this error still showed up when I attempted to deploy the application in Eclipse.
    If I exported the EAR file and deployed it using Admin Console, the application was deployed successfully. But when I deleted it in Admin Console and attempted to deploy it in Eclipse again, the same error occurred and the deployment failed. What could be the reason for this behavior? Is there anything cached somewhere when deploying it in Eclipse? Thanks in advance for your help.

    Hi,
    I know that is an old thread, but just in case... Maybe you could try setting up the DEBUG_OPTIONS in your startManagedWeblogic script and configure a remote debug in Eclipse:
    DEBUG_OPTIONS="-Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,address=8003,server=y,suspend=n"
    Hope it helps,
    Luis

  • Business Role and PFCG Role

    Hi all,
    I am new to CRM 7.0. Can someone explain what a Business Role is in CRM 7.0 and what the relationship between Business role and PFCG role is? What is the transaction code to create a Business role?
    And also I heard that there is no PCUI in CRM 7.0. Is it true, and if so what is used in place of the PCUI?
    Thanks.
    Neha.

    Neha,
    Next time please do a search in this forum on business roles, and you would find many topics discussing this information more completely.  I'm locking this thread due to the fact that this question has been asked many times before by many different people.
    These threads explain the topic in more detail:
    Re: Reg: Business Role
    Assignment pfcg-role to user and assignment pfcg-role to business role
    Thank you,
    Stephen

  • HR indirect role assignment

    If the personnel no. is not the same as the infotype 0105 assigned user, how do you check your indirect role assignment if you are using Solution Manager? We don't have PA20, PA30, PA48 t-codes in Solution Manager. Our CUA is in Solution Manager. Help is greatly appreciated. Thanks

    I created the HR_ORG structure (HRMD_ABA) in dev (HR system - sending system) and added filters according to the help.sap document, and generated the partner profile using we20. After that I transferred the org structure to CUA (SolMan - non-HR system - receiving system) using an ALE run (run SA38 - RHALEINI). I think it's working.
    Composite roles reside in Dev (HR system). For indirect role assignment (position level security) I created the composite role with just the role name and description, without tcodes and auth objects, in CUA (SolMan - non-HR system).
    For the test position assignment, I ran pfcg in CUA (SolMan), clicked on organization management, selected the position and clicked indirect role assignment. After that I did user comparison but I cannot see the user ID in user assignment. Please let me know any helpful suggestions. Thanks for your quick response.

  • HR Indirect Role Assignment through HR ORG Distribution Model with ALE

    1) When I assigned indirect (position level security) roles in CUA (SolMan) using pfcg, clicking on organization management to the position, and after that did user comparison, I could not see the user ID in the user tab.
    2) If the personnel no. is not the same as the infotype 0105 assigned user, how do you check your indirect role assignment if you are using Solution Manager? We don't have PA20, PA30, PA48 t-codes in Solution Manager. Our CUA is in Solution Manager.
    Help is greatly appreciated. Thanks

  • CUA sync with child client issue for indirect role assignment.

    Hello Security experts,
    We have an indirect role assignment set up in our ECC environment. There is a synchronization issue from the parent CUA to the child client. The role assignments have been made to role although they are not always reaching target system without having to sync up either the role or the ID's position # manually. This has been an ongoing issue CUA has on any role or user from time to time. Any hint on fixing this issue? Please help.

    The whole idea of CUA is to manage your roles and users centrally; on the contrary you can manage the roles/profiles by setting up the attributes for the CUA through Central User Management console - SCUM transaction.
    CUA has its own pros -
    Central rep, users sync, role provisioning strategy - global composites (consist of individual child roles), distributed model - provisioning at individual child systems for roles, etc. Central user store, easy maintenance.
    On the contrary - change documents is always a concern (because CUA uses interface IDs or the RFC IDs to push the IDocs from CUA to child system), CUA maintenance while system refresh - copied distribution models have to be deleted and re-created, system backups have to be defined per your distribution model, password maintenance if defined global then child systems act as inactive nodes, reading the roles into CUA which are created in childs so as to establish a pointer to that system.
    It also depends on the number of systems you have in your landscape so that you can calculate the overhead and then have a Go/No-Go decision on CUA.
    Overall, I consider CUA as a good approach provided we streamline the process of provisioning, de-provisioning per the CUA standards.
    Rakesh

  • Indirect Role Assignment with HR-ORG in a system landscape with CUA

    Hi all,
    we have 2 SAP systems:
    1) SAP ECC6 (with composite roles)
    2) SAP HR with PA and OM
    We would like to assign SAP ECC6 roles through HR-OM.
    Since HR-OM is not on the same ECC6 system, we would like to try the logic: HR-OM -> CUA -> ECC6
    There are several documents that describe this situation (ex. SCUR351).
    From the PFCG point of view, we should create a composite role in the CUA system which includes simple roles of the child system.
    If we try to create a composite role in the CUA central system, we can insert only simple roles available in the central system (and not in the child).
    Any experience with this scenario?
    Pros vs cons?
    Are there different possible scenarios?
    Many thanks...
    Andrea

  • Track changes on indirect assignment of roles to users

    Hi Experts,
    We have been facing an issue where users have roles assigned indirectly (position/job/org unit).
    I have checked the relationship between position/org unit and job to find if there are any roles assigned to these positions (HRP 1001).
    To my surprise there are no roles assigned to any of the positions, org units or jobs.
    Our production system is linked with CUA(Solman) and role assignment is selected as Global.
    I have checked both the systems and couldn't find any roles assigned to the position/org unit/job.
    These roles are assigned to the users in the year 2005?
    I would like to know
    1.) How did these roles get assigned to the system? Are there any logs to track it down?
    2.) Do we either have to change the CUA setting to local and run RHAUTUPD_NEW in the production system,
    or run the report RHAUTUPD_NEW in the CUA system? Am I following the right approach?
    Kindly advise and let us know your suggestions on this.
    Thanks a lot in advance for your help.

    Julius,
    What does the change log say about these role assignments?
    I think having the system as part of CUA (SCUM setting: role assignment global) and maintaining position based role assignment is contradictory.
    So better to detach the system and perform PFUD (comparison type: HR org mgmt) to make the role assignments up to date and connect it back.
    Thanks, krishna
