Mass Removal of Roles through SU10
I have thousands of expired accounts that still have valid roles. I want to remove all roles from these expired accounts. In SU10 to remove roles do you have to list the roles you want to remove? Is there a function in SU10 to simply remove any roles these users have? In SU10 I tried checking the remove box and the change box but then when I execute it is not removing any of the roles when I look in SU01. So to actually remove the roles does it require you to list them?
Edited by: Alex Williams on Apr 23, 2008 3:13 PM
Sorry, I misread your post. I suppose there is a reason why you want to keep the expired accounts? Otherwise the quickest way is simply to delete the expired accounts.
You can use SU10, but you would need to list every role. You also have to make sure that the role dates encompass the dates of the roles that are assigned to the ids. Usually it is the start date - so you may want to put in a start date prior to even implementation to catch everything.
Edited by: JC on Apr 23, 2008 9:47 AM
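The SU10 approach in the answer above needs two inputs: every role still held by the expired users, and a date window that encompasses all of those assignments. As an added example (not part of the original thread), this Python script derives both from constructed rows shaped like exports of USR02 (BNAME, GLTGB) and AGR_USERS (UNAME, AGR_NAME, FROM_DAT, TO_DAT); the export step, the function names and the sample users and roles are assumptions.

```python
from datetime import date, datetime

# Constructed sample rows shaped like table exports (assumed to come from SE16).
# USR02: (BNAME, GLTGB) -- GLTGB "00000000" means the user never expires.
USR02 = [
    ("JSMITH", "20071231"),
    ("MBROWN", "00000000"),
    ("TLEE", "20080131"),
    ("KPATEL", "20080101"),
]
# AGR_USERS: (UNAME, AGR_NAME, FROM_DAT, TO_DAT)
AGR_USERS = [
    ("JSMITH", "Z_FI_CLERK", "20050301", "99991231"),
    ("JSMITH", "Z_MM_BUYER", "20060115", "20071130"),  # already ended
    ("MBROWN", "Z_FI_CLERK", "20040101", "99991231"),  # user not expired
    ("TLEE", "Z_SD_ORDERS", "20030610", "20101231"),
    ("KPATEL", "Z_FI_CLERK", "20070901", "99991231"),
]


def sap_date(value, if_empty):
    """Parse a YYYYMMDD string; an all-zero date maps to if_empty."""
    if value.strip("0") == "":
        return if_empty
    return datetime.strptime(value, "%Y%m%d").date()


def su10_removal_plan(usr02, agr_users, today):
    """Return users, roles and the date window to enter in SU10, or None."""
    # A user is valid through GLTGB itself, so expiry means GLTGB < today.
    expired = {u for u, gltgb in usr02 if sap_date(gltgb, date.max) < today}
    live = [
        (u, role, sap_date(f, date.min), sap_date(t, date.max))
        for u, role, f, t in agr_users
        if u in expired and sap_date(t, date.max) >= today
    ]
    if not live:
        return None
    return {
        "users": sorted({u for u, _, _, _ in live}),
        "roles": sorted({role for _, role, _, _ in live}),
        # Window wide enough to cover every assignment that is still valid.
        "from": min(f for _, _, f, _ in live),
        "to": max(t for _, _, _, t in live),
    }


if __name__ == "__main__":
    print(su10_removal_plan(USR02, AGR_USERS, date(2008, 4, 23)))
```

The returned role list and date window are what would be pasted into the SU10 roles tab; the user list doubles as an audit record of which expired accounts still carried access.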
Similar Messages
-
Mass selection of roles in SU10
Hi
I have to remove lot of roles from 2000 users which have more than 20 roles in SU10.
I am doing part by part by pasting 20 roles in SU10.
Is there a way to select mass roles in su10 like the user selection.
Thanks
Baskar R
> I have to enter every 20 roles in su10 roles tab. Instead of that,
>
> i want to paste entire 500 roles in one short in su10 roles tab.
You want to assign 500 roles to each user!!!!!!! Did you think about the maximum number of profile assignment limit for each user id? If not, then I would like to request you to check the following SAP Notes:
[Note 841612 - Maximum number of profiles per user|https://service.sap.com/sap/support/notes/841612]
[Note 410993 - Maximum number for profiles and authorizations|https://service.sap.com/sap/support/notes/410993]
[Note 511200 - PFCG/PFUD/SU01/SU10: Role assignment and profile comparison|https://service.sap.com/sap/support/notes/511200]
Also, if you need to assign so many roles to each user id then it is missing the important topic SOD. Also the design is itself incorrect.
Regards,
Dipanjan
Edited by: Dipanjan Sanpui on Oct 22, 2009 3:21 PM -
Mass deletion of roles from users
I want to delete all roles from locked users. Is there a specific transaction for this instead of SU10? In SU10 one has to enter the roles to remove.
We developed our own application which locks users after a while, then removes their role assignments after a while, and then lists roles which no longer have any assignments or no one is using anything which the role authorizes.
This way you can optimize / automate periodic controls.
There is no standard monitoring cockpit for this, but you can use declarative system params to destroy password based authentication.
The real trick with periodic controls is to target the sample before you unassign and destroy roles, but the ability to do that depends on how you build the roles.
Disclaimer: If you use composite roles then you have no chance. You are doomed.. ;-)
Cheers,
Julius -
Changes like password and removal of roles for all users
Hi
I want to change password for all users and remove single roles from all users. When I am doing this in SU10 changes are not reflecting for users. Please help reg this
Vinod
Me too... I have never been able to remove roles from multiple users with SU10. I don't know if it's a bug or (more likely) just a confusing screen, but in 4.7 it never worked for me.
-
Restricting an administrator to only adding or removing Business Roles
Hi:
Is there an out of the box rule or form in IDM that can restrict an administrator to only adding or removing business roles from accounts?
Thanks.
Hi Dwayne,
This BU ruling is somewhat of a newer function with OIA. For mass alteration, the old-school way would be to execute a SQL script directly towards the DB.
Simply change the last line on what correlation you wish (in this situation, it's looking at the BU Name and the GU office name)
delete from BU_GLOBALUSERS where businessunitkey > 0;
insert into BU_GLOBALUSERS(BusinessUnitKey,GlobalUserKey)
select BU.BusinessUnitKey, GU.GlobalUserKey from BUSINESSUNITS BU, GLOBALUSERS GU
where BU.BusinessUnitName = GU.officename;
Regards,
Daniel Redfern
Technicalconfessions.com -
Hi All:
Can anyone tell me how to perform mass creation of roles using VIRSA role expert,also if you could point me to some documentation it will be very helpful.
Thanks,
J D
Hi Olivier,
I am afraid, my help is limited to this forum.
However, I can help you with some ABAP logic :
Table AGR_1252 is used to store the ORG values of derived roles.
You can start working with an ABAP'er to get his coding magic started. Though I am not familiar with ABAP, I believe our ABAP'er debugged PFCG and knew what needed to be done. I have no clue what he did
the logic:
Start of Selection
Load information into internal tables for use in creating report
Upload the Organisational Changes Spreadsheet
Ensure Roles exist and there are no duplicates
Ensure Organisational levels exist and there are no duplicates
*Checks if the file exists
Role must exist
Ignore duplicate roles
Authority Check Role for user
IMP Logic checks-
For Add High range of Role must be greater than low range
*...if adding specific ranges - remove existing * or space entry if it
exists
*...if adding * access remove other accesses if they exist
*Process All Org Levels for each role
...submit report to generate profiles
You can start working with your ABAP'er with this logic.
*Disclaimer* - this may need enhancements to meet your requirements. Also, I have just put the logic what I could remember at the top of my head. I may have missed something.
Hope it helps
Abhishek -
Hi,
Here is my scenario.
User 'test1' is created by assigning a role (say A). Role A has AD and database table resource assigned, so there are 2 resources assigned to the user i.e. AD and a database table resource. (This is the existing process, I cannot change this process at all).
Now while removing the role, my requirement is to delete only AD resource account and it should not try to delete the database table resource account. Is there a way to do this?
Please share your ideas.
Thanks in advance.
Do you only want to keep the resource account or also keep the link? If you want to keep the link, do what the previous poster suggested. If you only want to prevent the deletion of the database row, you can configure this in the database table resource adapter by deactivating the capability to delete accounts.
-
How to mass cancel the requisitions through program
How to mass cancel the requisitions through program
Check this...you should get good idea
http://docs.oracle.com/cd/E18727_01/doc.121/e13410/T446883T443951.htm#4021290
Mahendra -
Hi
Which option does user have to choose from the list to output the mass generation of roles at PFCG?
Nag.
Hi,
unfortunately there is no way in standard to bypass the manual work.
If SU24-values have been changed for a t-code, all roles that contain that t-code have to be adapted manually and afterwards regenerated.
The profile gets the status 'To adjust' until you have maintained the authorizations once and saved. Until then no mass generation (SUPC) will be able to regenerate those profiles.
Please consider enough time to adapt your roles during your test upgrade. A good idea is to adapt all roles to the new authorizations in a test environment and save them afterwards in a transport. After you have performed the upgrade in your productive environment, you can then import this transport and you don't have to perform this time consuming 'adaption-work' again in your p-environment....
b.rgds, Bernhard -
Assign biz role through CRM -SU01 and display page at portal
HI, SDN Fellows.
I am creating some custom portal roles at portal and mapped it to the custom business roles for some PCUI screens at crmc_blueprint_c --> "Assign Portal Role to Single Role" ("Assignment of CRM Role to Portal Role").
Currently, our portal UME data source is mapped to CRM system.
Right now, I have to assign both the CRM Role through SU01(to have access the CRM Object Method at CRM-PCUI application) and Portal Role through User Admin of WAS/portal (to access/display the PCUI iView in the portal).
My goal is to just assign role through CRM-SU01 and achieve the same output as I described above. Meaning can I just do the role assignment for the CRM role (through SU01) and able to access to the CRM-PCUI application through portal (able to see the pcui screen)?
Thanks,
Kent
What I want is when I assign a role (Sales Manager) said user A in CRM system, userA should able to see the related workset/page/iviews in the portal (without the need to assign the same: Sales Manager role in portal).
Now, what I have to do is assign the related objects into a single/composite roles in CRM (for backend data access), then I have to assign a portal role (through User Admin of Portal, so that they can see the portal content),
is that a way we can do it in one step?
Thanks,
Kent -
Removing/updating data through CAF entity service
Does anyone know a way to remove/update data through a CAF entity service from a web dynpro which uses the webdynpro model of the CAF project ?
Hi Nicolaij,
This example describes how UPDATE and DELETE works under SP8.
Hopefully it helps.
Regards
Kamil
UPDATE of entity called "Bank"
=======================
ABank recordBank;
recordBank = BankServiceProxy.read(000000024);
recordBank.setCountryId(Germany);
IAspect aspectList = recordBank.getAspect();
aspectList.sendChanges();
DELETE from entity called "TransferID"
============================
ATransferID recordTransferID;
recordTransferID = TransferIDServiceProxy.read(123115651);
IAspect aspectList = recordTransferID.getAspect();
IAspectRow aspectRow = aspectList.getAspectRow(0);
aspectList.removeAspectRow(aspectRow);
aspectList.sendChanges(); -
I tried to remove a role from one of my 2012R2 DC's
I tried to remove a role from one of my 2012R2 DC's and now I basically can't do anything to that DC. Attempting pretty much anything on it tells me that it can't do it because it needs a reboot, and a reboot fixes nothing. The role I wanted to delete is removed (print services), but I can't re-add it, or change any other role or feature. There is a 'pending.xml' file, and it is rather large. I can't delete, or rename the 'pending.xml' file, as it is owned by 'TrustedInstaller'. This is the FSMO DC and there are some other services on it that I would rather not have to re-install and reconfigure. I've looked for other things that could prohibit installs and more, but there are no 'Pending Renames' in the registry.
At least getting server manager to stop complaining would be a good start.
Thanks in advance for any assistance.
Hi Mike,
Just an addition: please run the sfc /scannow command to scan all protected system files and use the Chkdsk command to check the status of the disk in the current drive. Any findings?
> The role I wanted to delete is removed (print services), but I can't re-add it, or change any other role or feature.
Just a confirmation: did you mean that you had uninstalled print services successfully? No error occurred? Please check the relevant log files (such as the event log and so on) to see if there are any errors. In addition, I noticed that you attempted to re-install the role. Did you get any error message when it failed to re-install? Did you use the Install-WindowsFeature PowerShell command to install? Any difference?
If any update, please feel free to let us know.
Hope this helps.
Best regards,
Justin Gu -
How to copy and remove admin Role from SAP_ALL profile
Hi SDN Experts,
I need to copy SAP_ALL profile to another in CRM 5.0 system, thereafter i need to remove admin Role from SAP_ALL profile. Can any help regarding this point..
regds
gcp
Chandra,
I saw ur post in this forum regarding configuring sap intergration with genesys gplus adapter. We are in need of the same configuration. Can you please help me in configuring sap phone for gplus adapter. Reply me on [email protected]
Thanks in Advance -
Removing UM role servers that don't exist anymore?
Have come into a situation where I have a Exchange 2010 SP3 install with 2 node DAG and the management console references two UM role installed servers that technically no longer exists. I am planning on doing a migration to 2013 and just know I will run
into some issue with these lagging references to these machines. Can someone direct me on how to remove these roles from my Exchange 2010 organization? Again, the servers that the roles were installed on are gone and of course, UM is not being used at all,
so no worries there.
Thanks.
Do the servers still exist in AD and part of the configuration container under the Exchange org?
If so, the supported way to do this is to run setup with the recoverserver option and install Exchange again on a server. It could be any crummy server or virtual guest.
Once installed, run setup and gracefully remove the server with Add/Remove Programs.
-
PFUD - profiles are removed, but role is in
Hello,
I am testing background job based on report RHAUTUPD_NEW. I assign role to a user via SU01 and time-limit it. When limit expires I check user's record via SU01. I see that the profile is being removed from the user's record, but role's assignment still shows in the user's record. Is this a correct behavior? Is there a way to remove role from the user's master record as well?
Thanks
Galina
That is indeed an interesting question.
It might make sense to agree on an approach with them.
If your provisioning of access support model and infrastructure supports it, then removing the role is a better option in my opinion. SAP seems to be going that way as well, since IdM also without deleting the user ID which is useful.
It helps a lot if you do not have too many (sets of) roles and the tools interrogate their validity.
It is without a doubt a very useful control to set the date of expiry when assigning the access. At that point in time you know most about the user and their request for access!
Cheers,
Julius
Edited by: Julius Bussche on Mar 30, 2010 12:14 AM