Mass deletion of SAP roles from users
Hello All,
I need to delete all assigned roles from a large number of users. I know the users but not the roles which the users have. I need to delete all roles from the user IDs.
I know SU10 and I can select all the users I need. But in the role tab I cannot work with role names like Z* to delete. I can select all Z* roles and select "remove", but when I click save, I get the message that no changes were made to the users???
Any idea?
Regards
Toni
Hi David.
David Berry wrote:
I take it this is being run in PRD? What checks are being carried out during the table entry deletions and are you 100% happy sitting at your keyboard when pressing the 'run' button?
Changes are made in PRD. The program was tested and is approved by each customer.
Is there an easy way back to the previous state should it go wrong and how do you explain it to the auditors if needed that you assigned-number of roles in PRD against your own user ID possibly with no CDHDR/CDPOS entries to back you up.
Sorry for the 'negative vibes' but I don't like direct table maintenance in PRD for security.
Best wishes
David
The way back is uploading the old role assignment previously exported from AGR_USERS. The program takes an Excel sheet. In addition, this Excel sheet is attached to the change requests.
From a risk perspective we say (and have experienced): mass changes through copy and paste lead to many more errors and faulty authorizations.
Regarding direct table maintenance: standard function modules are used (like the one mentioned above) and the changes are visible in the change documents. Therefore the auditors grant an exception for using such tools.
Cheers, Tobias
Similar Messages
-
unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest
Hi,
For SU01 role removal, you do not need S_USER_AGR with 02, and as you mentioned both authorizations are available in production; if so, the trace should not show you S_USER_AGR with 02 with RC=04.
I would recommend doing a role comparison for the user performing the activity, and then checking whether you have S_USER_AGR with 02 in the user buffer (SU56).
But ideally it should not ask you for S_USER_AGR with 02 through SU01, so please take the help of an ABAPer to debug it.
Also put a trace in non-PRD to see if S_USER_AGR is getting checked with 02 for removal through SU01.
BR,
Mangesh -
I want to revoke a number of roles from users. What I found is that if one or more roles were not granted to the user before, then the whole 'revoke' statement will fail, i.e. the granted roles will not be revoked from the user. Is there a way to let the statement revoke the granted roles even though there may be some roles that were not granted? For example:
REVOKE role1,role2,role3 from user;
I want to revoke role1 and role2 even though role3 was not granted to the user.

Why don't you test this yourself?
satyaki>
satyaki>select * from v$Version;
BANNER
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Prod
PL/SQL Release 10.2.0.3.0 - Production
CORE 10.2.0.3.0 Production
TNS for 32-bit Windows: Version 10.2.0.3.0 - Production
NLSRTL Version 10.2.0.3.0 - Production
Elapsed: 00:00:00.98
satyaki>
satyaki>
satyaki>
satyaki>
satyaki>create role r1;
Role created.
Elapsed: 00:00:01.80
satyaki>
satyaki>
satyaki>GRANT select ON emp TO r1;
Grant succeeded.
Elapsed: 00:00:00.51
satyaki>
satyaki>
satyaki>create role r2;
Role created.
Elapsed: 00:00:00.02
satyaki>
satyaki>grant update on emp to r2;
Grant succeeded.
Elapsed: 00:00:00.05
satyaki>
satyaki>
satyaki>grant r1 to hr;
Grant succeeded.
Elapsed: 00:00:00.17
satyaki>
satyaki>grant r2 to titan;
Grant succeeded.
Elapsed: 00:00:00.07
satyaki>
satyaki>
satyaki>revoke r2 from hr;
revoke r2 from hr
ERROR at line 1:
ORA-01951: ROLE 'R2' not granted to 'HR'
Elapsed: 00:00:00.12
satyaki>
satyaki>
Regards.
Satyaki De. -
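As an added example (not part of either post above), one way to get the behaviour the question asks for is a PL/SQL block that revokes each role separately and skips the ones that are not granted. The grantee HR and the role names R1, R2, R3 are sample values, and the block assumes the session can query DBA_ROLE_PRIVS and holds the privilege needed to revoke these roles.

```sql
SET SERVEROUTPUT ON

DECLARE
  -- Sample values (assumptions): replace with the real grantee and role list.
  v_grantee CONSTANT VARCHAR2(30) := 'HR';
  TYPE t_roles IS TABLE OF VARCHAR2(30);
  v_roles   t_roles := t_roles('R1', 'R2', 'R3');
  v_granted PLS_INTEGER;

  -- ORA-01951: ROLE '...' not granted to '...'
  e_not_granted EXCEPTION;
  PRAGMA EXCEPTION_INIT(e_not_granted, -1951);
BEGIN
  FOR i IN 1 .. v_roles.COUNT LOOP
    -- Check the dictionary first so the log shows why a role was skipped.
    SELECT COUNT(*)
      INTO v_granted
      FROM dba_role_privs
     WHERE grantee = v_grantee
       AND granted_role = v_roles(i);

    IF v_granted = 0 THEN
      DBMS_OUTPUT.PUT_LINE('skipped ' || v_roles(i) || ': not granted to ' || v_grantee);
    ELSE
      BEGIN
        -- One REVOKE per role: a missing grant cannot block the others.
        -- SIMPLE_SQL_NAME rejects anything that is not a plain identifier.
        EXECUTE IMMEDIATE 'REVOKE ' || DBMS_ASSERT.SIMPLE_SQL_NAME(v_roles(i))
                       || ' FROM '  || DBMS_ASSERT.SIMPLE_SQL_NAME(v_grantee);
        DBMS_OUTPUT.PUT_LINE('revoked ' || v_roles(i) || ' from ' || v_grantee);
      EXCEPTION
        WHEN e_not_granted THEN
          -- The grant disappeared between the check and the REVOKE.
          DBMS_OUTPUT.PUT_LINE('skipped ' || v_roles(i) || ': ORA-01951');
      END;
    END IF;
  END LOOP;
END;
/
```

Any error other than ORA-01951 (for example insufficient privileges) is left unhandled on purpose, so the run stops and the problem is visible instead of being logged as a skip.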
Mass deletion of roles from users
I want to delete all roles from locked users. Is there a specific transaction for this instead of SU10? In SU10 one has to enter the roles to remove.
We developed our own application which locks users after a while, then removes their role assignments after a while, and then lists roles which no longer have any assignments or no one is using anything which the role authorizes.
This way you can optimize / automate periodic controls.
There is no standard monitoring cockpit for this, but you can use declarative system params to destroy password based authentication.
The real trick with periodic controls is to target the sample before you unassign and destroy roles, but the ability to do that depends on how you build the roles.
Disclaimer: If you use composite roles then you have no chance. You are doomed.. ;-)
Cheers,
Julius -
Deletion of particular roles from SU01 for specific users
Hi,
Actually I have to certain (only some) roles for users in SU01.
This is bulk data, so doing it manually through SU01 is not possible.
Is there any function module/BAPI which will delete particular roles for users??
Disha. -
Hi, how do I remove a role from a user when he is terminated or disabled?
I am assigning a role in the following way during creation with the help of a rule:
<setvar name='newuser.waveset.roles'>
<filterdup>
<appendAll>
<ref>accounts[Lighthouse].roles</ref>
<s>General-Provision-Role</s>
<rule name='Get Location Role'>
<argument name='LocationCode' value='$(newuser.global.LocationCode)'/>
</rule>
</appendAll>
</filterdup>
</setvar>
How do I remove this role upon termination of the user?

We are looking for a way to automate the removing of a user (US) or role (AG) from a position (S).
There is a report called RHGRENZ2 which can be used to delimit specific OM infotypes (like IT1001 - Relationships) by specifying the end date and Position ID (Object Type S and Object ID = Position) manually. In your case, I believe IT1001's relationships A008 and B007 have to be delimited in order to remove a user (US) or role (AG) from a position (S), but this report cannot be run for specific relationship types of IT1001 (at least I never found an option to filter based on relationship types).
You can try using report RHRHDL00 to delete IT1001 relationships from the PP database, but you should consider the consequences of such deletions and restrict the selection based on infotypes and relationship types carefully.
Alternatively, you can also build an LSMW script to automate the process of mass delimit/deletion of IT1001's relationship types using transaction PP02 (PP01 is not compatible with BDC/background processing).
Thanks
Sandipan -
Hi All,
I would like to ask what can I do if I would like to remove multiple roles from ALL users in the system?
Normally, for a list of users , I use SU10 to do it.
However, since there are 1 thousand something users in the system, is there a more efficient way to do it?
Thanks for your help.
Regards,
Chris

Thanks.
I would say, in my case, it's the best to use PFCG since I only need to remove 3X something roles from them. (I don't know which users have those particular roles, the only thing I need to do is to make sure that the 3X roles have no corresponding users).
Thanks again !
Regards,
Chris -
Fetch Admin Roles from User Object
Hi,
I have a user object from which I need to fetch the names of all Admin roles a user is having.
I tried this method - getExpandedAdminGroupRefs() - but it's returning me null.
The getAttribute method works fine with <s>firstname</s>
<invoke name='getExpandedAdminGroupRefs'>
<ref>userObj</ref>
</invoke> --> null
Along with this I also need all IDM capabilities that user is having and managed organizations.
Can anyone help.
Thanks in Advance :)

Hi
Not sure exactly where you are doing this from, but there are reports in SIM that give you this information without writing any code.
Admin role report
Administrators report.
If this doesn't suit you, you could look at the code that runs these reports and maybe answer your code question there.
Cheers -
Mass Deletion of Alternate UOM from MARM Table
Hi,
We plan to remove some of the alternate UOM for few thousand materials. We would like to delete them in mass. We could remove the UOM conversion factors using mass maintenance. But the alternate UOM stays in the UOM table MARM. Is there any BAPI or IDOC available to handle this using LSMW? Has anyone come across this requirement before? If you have any input, it will be really appreciated.
Cheers !
Subbu Ponnambalam

Check
Note 541538 - FAQ: Reorganisationen
for tips and tricks (and also see related notes).
Markus -
ME52N: Determine if restore delete indicator is set from user exit
Hi all,
My most recent dilemma involves tcode ME52n. I want to restore a line item that has been deleted on a purchase requisition. When I drop into my user exit I want to test to see if the user is attempting to restore the deleted line item...how do I do that? It seems if I use the okcode for the screen I am picking up the save...
As always...thanks in advance,
Mat -
Mass deletion of users business partner and position in SRM 4.0
Hi Experts,
We have a requirement of deleting 1000+ users who are locked in ECC from the SRM Organization structure. For this I got the list of users who are under the "delete" group from table USR02. Then I found the business partner number of those users from table BUT000. Once I got the BP number I can do mass deletion of the BPs by using BUPA_DEL.
Now, my problem is I need to mass delete the position of the users as well. If I delete it one user at a time I can go to PPOMA_BBP and select the position and delete the object. Can anyone please help me on how I can do mass deletion of the positions of those users? It's pretty urgent. I am waiting for your valuable suggestions.
Thanks
Div
Edited by: Tridib Das on Sep 29, 2011 4:15 PM

Hi Velu,
To find the business partner or the central person ID we can go to table HRP1001 and get the central person ID / business partner by entering the parameters in the selection fields as:
Object type : CP / BP
Rel. Obj.type: US
ID rel. object : Give the id of the user
this shows the object id . Anyway thanks for your help .
Cheers
Div -
Mass updation of portal roles SAP portal
Hello,
During conversion, is there a way to mass update Manager (MSS) roles for users in Portal without doing it manually one by one? Your help will be appreciated.
Thanks,
Sanghamitra

Dear
Yes, we can do it by using a UME script. You can write a UME script for Group, Role and User. After writing the script, import it.
Steps -
1) Copy the following UME Scripts
2) Navigate to the following location in the Portal
User Administration > Import
3) Paste each configuration script into the text box in the following order - IMPORTANT
• UME_xxxx_Groups
• UME_xxxx_Roles
• UME_xxxx_Users
4) Ensure "Overwrite Existing Data" is checked, and select "Upload"
UME Script -
1)
[User]
uid=ESS_USER
last_name=User xx
first_name=xxxx
email=xxxx
accessibility=0
password=xxxx
group=TestUsers
2)
[role]
rid=pcd:portal_content/com.sap.pct/xxxx_user/com.sap.pct.erp.ess.xxxx/com.sap.pct.erp.ess.roles/com.sap.xxx.employee_self_service
rdesc=Employee Self-Service
3)
[group]
gid=Administrators
user=xxxxx;xxxx;xxxx_ess1
Thanks
Keshari -
How to reinstall window 8.1 when app data deleted from user folder
Due to a fault I deleted my app data from the user folder of the C drive. Due to this, some apps and software are not working properly, so I want to reinstall my Windows, but it is not done. So help me to solve this problem of deleting app data.
Hi there
Welcome to the HP Support Forums! It is a great place to find the help you need, both from other users, HP experts and other support personnel. I understand that you deleted the App data from your profile and now apps are not working properly. I am happy to assist with this. Please post the full product number for your notebook. See the following, if you need help with that information.
How Do I Find My Model Number or Product Number?
Also, was Windows 8.1 your factory installed operating system? I would recommend that you back up any personal data, files, etc. from the system before doing anything else. Then you can do a system recovery to restore the factory installation.
Performing an HP System Recovery (Windows 8)
Troubleshooting HP System Recovery Problems (Windows 8) -
How do you hide Excluded Roles from the End User (8.1) ?
We have 2 Business Roles: Employee and Contractor. They are excluded from each other, meaning if you have one of the roles, you cannot be assigned the other role.
When a user logs into 8.1 to the OOTB "Update My Roles" WF, they see their Available Roles for selection.
These available roles listing includes the excluded roles.
So when a user with the Contractor role logs in, they see the Employee role as an available role.
If the Contractor user tries to add the Employee role, they will get an error due to the role exclusion.
I know it is possible to hide the excluded roles from the end user, but don't know how.
Does anyone know how to hide the excluded roles from users?
Thanks.

Hi
I may have misread your first comment but I totally agree with your response.
If the user has capabilities over multiple organizations it will show all roles, whether exclusion or not. (Been confirmed that this is how it is designed to work)
What could be done is, when selecting a user in a specific organization, you could have a rule that only shows the Business roles that are associated with that organization. So although you have the capabilities over all organizations, you only see the roles that are available to the organization where the user you are updating is.
An idea anyway
Ian -
Deleting components from user database
Hi.
I created several components, and I want to delete some of them from user database. But I can't understand how to do this.
Could you help me?
Thank You.

Use the database manager.
Tools>Database>Database Manager
Then select the Components tab and the User Database from the drop-down list: "Database Name"
See picture.
Ryan R.
R&D