Mass deletion of SAP roles from users

Hello All,
I need to delete all assigned roles from a large number of users. I know the users but not the roles which the users have. I need to delete all roles from the user IDs.
I know SU10 and I can select all the users I need. But in the role tab I cannot work with role names like Z* to delete. I can select all Z* roles and select "remove", but when I click save, I get the message that no changes were made on the users.
Any idea?
Regards
Toni

Hi David.
David Berry wrote:
> I take it this is being run in PRD? What checks are being carried out during the table entry deletions and are you 100% happy sitting at your keyboard when pressing the 'run' button?
Changes are made in PRD. The program was tested and is approved by each customer.
> Is there an easy way back to the previous state should it go wrong and how do you explain it to the auditors if needed that you assigned-number of roles in PRD against your own user ID possibly with no CDHDR/CSDPOS entries to back you up.
> Sorry for the 'negative vibes' but I don't like direct table maintenance in PRD for security.
> Best wishes
> David
The way back is uploading the old role assignment previously exported from AGR_USERS. The program takes an excel sheet. In addition this excel sheet is attached to the change requests.
From risk perspective we say (and experienced): mass changes through copy and paste lead to much more errors and faulty authorizations.
Regarding direct table maintenance: standard function modules are used (like the one mentioned above) and the changes are visible in the change documents. Therefore the auditors grant an exception for using such tools.
Cheers, Tobias
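
The way back described in the reply above (export AGR_USERS before the run and keep the sheet with the change request), shown as an added example; it is not the program discussed in the thread. The CSV layout (columns UNAME, AGR_NAME, FROM_DAT, TO_DAT) and all user and role names are assumptions constructed for illustration.

```python
import csv
import io

# Constructed AGR_USERS export; the CSV layout is an assumption of this example.
SAMPLE_EXPORT = """UNAME,AGR_NAME,FROM_DAT,TO_DAT
JDOE,Z_FI_CLERK,20200101,99991231
JDOE,Z_MM_BUYER,20210301,99991231
ASMITH,Z_FI_CLERK,20190615,99991231
BKEEP,Z_HR_ADMIN,20180101,99991231
"""

def load_assignments(csv_text):
    """Parse an AGR_USERS export into a set of (user, role, from, to) tuples."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {(r["UNAME"].strip().upper(), r["AGR_NAME"].strip(),
             r["FROM_DAT"], r["TO_DAT"]) for r in reader}

def plan_removal(before, target_users):
    """Return (rollback_rows, unknown_users) for the users to be stripped.

    rollback_rows is exactly what must be re-uploaded to undo the change;
    unknown_users had no rows in the export (typo, or already without roles)."""
    targets = {u.strip().upper() for u in target_users}
    rollback = sorted(a for a in before if a[0] in targets)
    unknown = sorted(targets - {a[0] for a in rollback})
    return rollback, unknown

def verify_removal(before, after, target_users):
    """Compare a post-change export with the pre-change one.

    leftovers: assignments of target users that survived the run
    collateral: assignments of non-target users that were added or lost"""
    targets = {u.strip().upper() for u in target_users}
    leftovers = sorted(a for a in after if a[0] in targets)
    keep_before = {a for a in before if a[0] not in targets}
    keep_after = {a for a in after if a[0] not in targets}
    collateral = sorted(keep_before ^ keep_after)
    return leftovers, collateral

def rollback_csv(rollback_rows):
    """Serialise the rollback rows for attachment to the change request."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["UNAME", "AGR_NAME", "FROM_DAT", "TO_DAT"])
    writer.writerows(rollback_rows)
    return out.getvalue()

if __name__ == "__main__":
    before = load_assignments(SAMPLE_EXPORT)
    rollback, unknown = plan_removal(before, ["jdoe", "asmith", "ghost"])
    print(rollback_csv(rollback), "not in export:", unknown)
```

A non-empty `collateral` list after the run means users outside the approved list were touched, which is the case the change documents would have to explain.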

Similar Messages

  • Unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest

    unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest

    Hi,
    For SU01 role removal, you do not need S_USER_AGR with 02, and as you mentioned both authorizations available in production, if so trace should not show you the S_USER_AGR with 02 with RC=04.
    I would recommend doing a role comparison for the user performing the activity, and then checking whether you have S_USER_AGR with 02 in the user buffer (SU56).
    But ideally it should not ask you for S_USER_AGR with 02 through SU01, so please take the help of an ABAPer to debug it.
    Also put trace in non-prd to see if S_USER_AGR is getting checked with 02 for removal through SU01.
    BR,
    Mangesh

  • Revoke roles from users

    I want to revoke a number of roles from users. What I found is that if one or more roles were not granted to the user before, then the whole 'revoke' statement will fail, i.e. the granted roles will not be revoked from the user. Is there a way to let the statement revoke the granted roles even though there may be some roles that were not granted? For example:
    REVOKE role1,role2,role3 from user;
    I want to revoke role1 and role2 even though role3 was not granted to the user.

    Why don't you test this yourself?
    satyaki>
    satyaki>select * from v$Version;
    BANNER
    Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Prod
    PL/SQL Release 10.2.0.3.0 - Production
    CORE    10.2.0.3.0      Production
    TNS for 32-bit Windows: Version 10.2.0.3.0 - Production
    NLSRTL Version 10.2.0.3.0 - Production
    Elapsed: 00:00:00.98
    satyaki>
    satyaki>
    satyaki>
    satyaki>
    satyaki>create role r1;
    Role created.
    Elapsed: 00:00:01.80
    satyaki>
    satyaki>
    satyaki>GRANT select  ON emp   TO r1;
    Grant succeeded.
    Elapsed: 00:00:00.51
    satyaki>
    satyaki>
    satyaki>create role r2;
    Role created.
    Elapsed: 00:00:00.02
    satyaki>
    satyaki>grant update on emp to r2;
    Grant succeeded.
    Elapsed: 00:00:00.05
    satyaki>
    satyaki>
    satyaki>grant r1 to hr;
    Grant succeeded.
    Elapsed: 00:00:00.17
    satyaki>
    satyaki>grant r2 to titan;
    Grant succeeded.
    Elapsed: 00:00:00.07
    satyaki>
    satyaki>
    satyaki>revoke r2 from hr;
    revoke r2 from hr
    ERROR at line 1:
    ORA-01951: ROLE 'R2' not granted to 'HR'
    Elapsed: 00:00:00.12
    satyaki>
    satyaki>
    Regards.
    Satyaki De.

  • Mass deletion of roles from users

    I want to delete all roles from locked users. Is there a specific transaction for this instead of SU10? In SU10 one has to enter the roles to remove.

    We developed our own application which locks users after a while, then removes their role assignments after a while, and then lists roles which no longer have any assignments or no one is using anything which the role authorizes.
    This way you can optimize / automate periodic controls.
    There is no standard monitoring cockpit for this, but you can use declarative system params to destroy password based authentication.
    The real trick with periodic controls is to target the sample before you unassign and destroy roles, but the ability to do that depends on how you build the roles.
    Disclaimer: If you use composite roles then you have no chance. You are doomed. ;-)
    Cheers,
    Julius

  • Deletion of  particular roles from SU01 for specific users

    Hi,
    Actually I have to delete certain (only some) roles for users in SU01.
    This is bulk data so doing it manually through SU01 is not possible.
    Is there any function module/BAPI which will delete particular roles for users??
    Disha.


  • Remove role from user

    Hi, how do I remove a role from a user when he is terminated or disabled?
    I am assigning a role in the following way during creation with the help of a rule:
    <setvar name='newuser.waveset.roles'>
      <filterdup>
        <appendAll>
          <ref>accounts[Lighthouse].roles</ref>
          <s>General-Provision-Role</s>
          <rule name='Get Location Role'>
            <argument name='LocationCode' value='$(newuser.global.LocationCode)'/>
          </rule>
        </appendAll>
      </filterdup>
    </setvar>
    How do I remove this role on termination of the user?

    We are looking for a way to automate the removing of a user (US) or role (AG) from a position (S).
    There is a report called RHGRENZ2 which can be used to delimit specific OM infotypes (like IT1001 - Relationships) specifying the end-date and Position ID (Object Type S and Object ID = Position) manually. In your case, I believe IT1001's Relationship A008 and B007 have to be delimited in order to remove a user (US) or role (AG) from a position (S) but this report cannot be run for specific relationship types of IT1001 (at least I did never find an option to filter based on relationship types).
    You can try using report RHRHDL00 to delete IT1001 relationships from PP Database but you should consider the consequences of such deletions and restrict the selection based on infotypes and relationship types carefully.
    Alternatively, you can also build an LSMW script to automate the process of mass delimit/deletion of IT1001's relationship types using transaction PP02 (PP01 is not compatible with BDC/background processing).
    Thanks
    Sandipan

  • Remove roles from users

    Hi All,
    I would like to ask what can I do if I would like to remove multiple roles from ALL users in the system?
    Normally, for a list of users , I use SU10 to do it.
    However, since there are 1 thousand something users in the system, is there a more efficient way to do it?
    Thanks for your help.
    Regards,
    Chris

    Thanks.
    I would say, in my case, it's the best to use PFCG since I only need to remove 3X something roles from them. (I don't know which users have those particular roles, the only thing I need to do is to make sure that the 3X roles have no corresponding users).
    Thanks again !
    Regards,
    Chris

  • Fetch Admin Roles from User Object

    Hi,
    I have user object from which I need to fetch name of all Admin roles a user is having.
    I tried this method - getExpandedAdminGroupRefs() but it's returning me null.
    getAttribute method works fine with <s>firstname</s>
    <invoke name='getExpandedAdminGroupRefs'>
      <ref>userObj</ref>
    </invoke> --> null
    Along with this I also need all IDM capabilities that user is having and managed organizations.
    Can anyone help.
    Thanks in Advance :)

    Hi
    Not sure exactly where you are doing this from but there are reports in SIM that give you this information without writing any code.
    Admin role report
    Administrators report.
    If this doesn't suit you, you could look at the code that runs these reports and maybe answer your code question there.
    Cheers

  • Mass Deletion of Alternate UOM from MARM Table

    Hi,
    We plan to remove some of the alternate UOM for few thousand materials. We would like to delete them in mass. We could remove the UOM conversion factors using mass maintenance. But the alternate UOM stays in the UOM table MARM. Is there any BAPI or IDOC available to handle this using LSMW? Has anyone come across this requirement before? If you have any input, it will be really appreciated.
    Cheers !
    Subbu Ponnambalam

    Check
    Note  541538 - FAQ: Reorganisationen
    for tips and tricks (and also see related notes).
    Markus

  • ME52N: Determine if restore delete indicator is set from user exit

    Hi all,
    My most recent dilemma involves tcode ME52n. I want to restore a line item that has been deleted on a purchase requisition. When I drop into my user exit I want to test to see if the user is attempting to restore the deleted line item...how do I do that? It seems if I use the okcode for the screen I am picking up the save...
    As always...thanks in advance,
    Mat


  • Mass deletion of users business partner and position in SRM 4.0

    Hi Experts,
    We have a requirement of deleting 1000+ users who are locked in ECC from SRM Organization structure. For which I got the list of users who are under "delete" group from table USR02. Then I found the business partner number of those users from table BUT000. Once I got the BP number I can do mass deletion of the BPs by using BUPA_DEL.
    Now, my problem is I need to mass delete the position of the users as well. If I delete it one user at a time I can go to PPOMA_BBP and select the position and delete the object. Can anyone please help me on how I can do mass deletion of the positions of those users? It's pretty urgent. I am waiting for your valuable suggestions.
    Thanks
    Div
    Edited by: Tridib Das on Sep 29, 2011 4:15 PM

    Hi Velu,
    To find the business partner or the central person id we can go to table HRP1001 and get the central person id / business partner by inputting the parameters in the selection field as:
    Object type : CP / BP
    Rel. Obj.type: US
    ID rel. object : Give the id of the user
    this shows the object id . Anyway thanks for your help .
    Cheers
    Div

  • Mass updation of portal roles SAP portal

    Hello,
    During conversion, is there a way to mass update Manager (MSS) roles for users in Portal without doing it manually one by one? Your help will be appreciated.
    Thanks,
    Sanghamitra

    Dear
    Yes, we can do it by using a UME script. You can write a UME script for group, role and user; after writing the script, import it.
    Steps -
    1) Copy the following UME Scripts
    2) Navigate to the following location in the Portal
    User Administration  Import
    3) Paste each configuration script into the text box in the following order - IMPORTANT
    u2022     UME_xxxx_Groups
    u2022     UME_xxxx_Roles
    u2022     UME_xxxx_Users
    4) Ensure u201COverwrite Existing Datau201D is checked, and select u201CUploadu201D
    UME Script -
    1)
    [User]
    uid=ESS_USER
    last_name=User xx
    first_name=xxxx
    email=xxxx
    accessibility=0
    password=xxxx
    group=TestUsers
    2)
    [role]
    rid=pcd:portal_content/com.sap.pct/xxxx_user/com.sap.pct.erp.ess.xxxx/com.sap.pct.erp.ess.roles/com.sap.xxx.employee_self_service
    rdesc=Employee Self-Service
    3)
    [group]
    gid=Administrators
    user=xxxxx;xxxx;xxxx_ess1
    Thanks
    Keshari

  • How to reinstall window 8.1 when app data deleted from user folder

    Due to a fault I deleted my app data from the user folder of the C drive. Due to this some apps and software are not working properly, so I want to reinstall my Windows, but it is not done. So help me to solve this problem of deleting app data.

    Hi there 
    Welcome to the HP Support Forums! It is a great place to find the help you need, both from other users, HP experts and other support personnel. I understand that you deleted the App data from your profile and now apps are not working properly.  I am happy to assist with this. Please post the full product number for your notebook. See the following, if you need help with that information.
    How Do I Find My Model Number or Product Number?
    Also, was Windows 8.1 your factory installed operating system? I would recommend that you back up any personal data, files, etc. from the system before doing anything else. Then you can do a system recovery to restore the factory installation.
    Performing an HP System Recovery (Windows 8)
    Troubleshooting HP System Recovery Problems (Windows 8)

  • How do you hide Excluded Roles from the End User (8.1) ?

    We have 2 Business Roles: Employee and Contractor. They are excluded from each other, meaning if you have one of the roles, you cannot be assigned the other role.
    When a user logs into 8.1 to the OOTB "Update My Roles" WF, they see their Available Roles for selection.
    These available roles listing includes the excluded roles.
    So when a user with the Contractor role logs in, they see the Employee role as an available role.
    If the Contractor user tries to add the Employee role, they will get an error due to the role exclusion.
    I know it is possible to hide the excluded roles from the end user, but don't know how.
    Does anyone know how to hide the excluded roles from users?
    Thanks.

    Hi
    I may have misread your first comment but I totally agree with your response.
    If the user has capabilities over multiple organizations it will show all roles, whether exclusion or not. (Been confirmed that this is how it is designed to work)
    What could be done is, when selecting a user in a specific organization, you could have a rule that only shows the Business roles that are associated with that organization. So although you have the capabilities over all organizations you only see the roles that are available to the organization where the user you are updating is.
    An idea anyway
    Ian

  • Deleting components from user database

    Hi.
    I created several components, and I want to delete some of them from user database.  But I can't understand how to do this.
    Could you help me?
    Thank You.

    Use the database manager.
    Tools>Database>Database Manager
    Then select the Components tab and the User Database from the drop-down list: "Database Name"
    See picture.
    Ryan R.
    R&D
