Multiple roles assigned to an user

Hi folks,
My question sounds to be something weird, but wanted to be cautious. I see a lot of users in my environment with multiple roles assigned to them. When i checked the roles of an user who has three roles assigned to him, i noticed that all the roles have some tables in common with the same grants in all the three roles, and all these three roles are assigned to the same user. Will there be any problem?
An example to explain my senerio...
User scott has three roles A,B and C assigned to him. All the three roles have execute on xy.abc procedure and select,insert,update,delete on xy.xyz table. Will there be any problem to the user who is assigned all these three roles. Will there be any confusion from oracle to chooose from which role?
Thanks

This sounds to be something new. So When a oracle
tries to hold all the privileges does it do a
distinct on the table grants, so that i will have
just one entry of the privilege of an object, though
it exists in all the roles assigned to that user.No, the table objauth$ looks like this,
  1* select * from objauth$ where rownum < 100
SYS@etest> /
      OBJ#   GRANTOR#   GRANTEE# PRIVILEGE#  SEQUENCE# PARENT                OPTION$       COL#
       133          0          5          0          1
       133          0          5          3          2
       133          0          5          5          3
       133          0          5          6          4
       133          0          5          9          5
       133          0          5         10          6
       133          0          5         11          7
       135          0          5          0          8
       135          0          5          3          9
       135          0          5          5         10
       135          0          5          6         11
      OBJ#    GRANTOR#  GRANTEE# PRIVILEGE#  SEQUENCE# PARENT                OPTION$       COL#
---------- ---------- ---------- ---------- ---------- ------------------ ---------- ----------where
OBJ# is object ID, could be any object not only table,
GRANTOR# is user# , ROLE is also considered a special USER internally in Oracle.
SYS@etest> select user#, name from user$
  2  /
     USER# NAME
         0 SYS
         1 PUBLIC
         2 CONNECT
         3 RESOURCE
         4 DBA
         5 SYSTEM
         6 SELECT_CATALOG_ROLE
         7 EXECUTE_CATALOG_ROLE
         8 DELETE_CATALOG_ROLE
         9 EXP_FULL_DATABASE
        10 IMP_FULL_DATABASE
..............So different roles will have different records in objauth$. Even it's same privilege of same object granted to same user.
a GRANTEE# can have same privilege to the same object from different GRANTOR#

Similar Messages

  • How to get the list of roles assigned to a user in all the child systems

    how to get the list of roles assigned to a user in all the child systems from CUA SYSTEM

    Try transaction SUIM in your CUA system. Go to user, cross-system information, users by roles. If you run it wide open, you'll get all users and all roles assigned for all systems managed in your CUA.
    Krysta

  • Function module to Delimit the roles assigned to the user

    Hi All,
    I am working on security role automation process abap report.My requirement is to delimit the roles assigned to the user on account of employee termination or retirement. I have used the function module "BAPI_USER_ACTGROUPS_ASSIGN"  to delimit the role assigned to the user.
    Passing the importing parameter "username" and in the Tables parameter"ACTIVITYGROUPS"  passing the respective parameters AGR_NAME(Role), FROM_DAT(Start Date),TO_DAT(termination date - 1). When I passing the parameters as mentioned above,the role assigned to the user is getting deleted,instead of delimitation of the role assigned to the user.
    Is there any other function module we can use to delmit the roles assigned to the user?  Please help.
    Regards,
    Krishnan

    hai,
    please try this.
    /VIRSA/RE_BAPI_CREATE_ROLE- Create Roles
    /VIRSA/ROLE_ASSIGN_CUA_NH
    /VIRSA/RE_BAPI_ROLE_TO_USERS
    ASSIGN_USERS_HIERARCHY - User Assignment to Role - this is a Normal FM
    try this bapis this may work
    BAPI_USER_LOCK
    - BAPI_USER_PROFILES_ASSIGN
    - BAPI_USER_LOCPROFILES_ASSIGN
    - BAPI_USER_LOCACTGROUPS_ASSIGN
    - BAPI_USER_CHANGE
    - BAPI_USER_UNLOCK

  • SPML: search the roles assigned to a user and add others to him

    Hi,
    as in the subject i'm trying to create a method in idmClient to search the roles assigned to a user and then add some other (one or more).
    How can i implement the search/filter of the available roles assigned to a user?
    Thanks in advance,
    Gentjan

    coocooche wrote:
    Hi,
    as in the subject i'm trying to create a method in idmClient to search the roles assigned to a user and then add some other (one or more).
    How can i implement the search/filter of the available roles assigned to a user?I already find how to do it. I have to asked another question about SPML: is there any way to add new roles without searching the old ones?
    In other words i implemented a method that:
    1) search the roles assigned to a user and copy it to a List
    2) add to the List of the old roles, the new ones.
    Is it possible just to add the new roles without doing a search of the old ones? In this way the performance is better.
    Thanks in advance,
    Gentjan

  • How to get list of Roles assigned to each User

    Hi,
    I have to create a list containing Roles assigned to each user in xMII 11.5.
    Need your help !
    Thanks in Advance !
    Regards,
    Alok

    Alok,
    Did you search (sometimes it is also good to make sure to search the forum for All threads not just the default time window)?
    https://forums.sdn.sap.com/click.jspa?searchID=22562502&messageID=5969490
    https://forums.sdn.sap.com/click.jspa?searchID=22562502&messageID=4890045
    More info from the help docs:  http://help.sap.com/saphelp_xmii115/helpdata/en/Connectors/IlluminatorSystemConnector.htm
    Regards,
    Jeremy

  • Getting roles assigned to a user in OIM

    We need to write a query to find what are the roles assigned to a particular user and when it has been assigned , is there any source where the OIM tables and their attributes have been explained? We were referring the UPA_GRP_MEMBERSHIP for getting the roles( referring UGP_KEY)  and the user with (UPA_USR_KEY), is this correct or is there some other table which has the info?

    Thanks for your reply...
    To getting the roles of a user, what is the common attribute between USR and UPA_GRP_MEMBERSHIP table? Is it usr_key from usr table and upa_usr_key from UPA_GRP_MEMBERSHIP? if not, what are the differences between the two attributes and is there any other attribute to refer ?

  • Finding roles assigned to a user ?

    Hi Folks,
    Is there a view that will list all role(s) assigned to a user in Oracle 11g?
    Thanks in advance
    rogers42

    DBA_ROLE_PRIVS will do it:
    SQL> desc dba_role_privs
    Name                                      Null?    Type
    GRANTEE                                            VARCHAR2(30)
    GRANTED_ROLE                              NOT NULL VARCHAR2(30)
    ADMIN_OPTION                                       VARCHAR2(3)
    DEFAULT_ROLE                                       VARCHAR2(3)
    SQL> select granted_role,admin_option,default_role from dba_role_privs where grantee='&user';
    Enter value for user: MBOBAK
    old   1: select granted_role,admin_option,default_role from dba_role_privs where grantee='&user'
    new   1: select granted_role,admin_option,default_role from dba_role_privs where grantee='MBOBAK'
    GRANTED_ROLE                   ADM DEF
    DBA                            NO  YESAlso, you can use the same query and give the ROLE as input to the GRANTEE predicate to see what roles that role confers:
    SQL> select granted_role,admin_option,default_role from dba_role_privs where grantee='&user';
    Enter value for user: DBA
    old   1: select granted_role,admin_option,default_role from dba_role_privs where grantee='&user'
    new   1: select granted_role,admin_option,default_role from dba_role_privs where grantee='DBA'
    GRANTED_ROLE                   ADM DEF
    DATAPUMP_IMP_FULL_DATABASE     NO  YES
    SCHEDULER_ADMIN                YES YES
    OLAP_DBA                       NO  YES
    EXECUTE_CATALOG_ROLE           YES YES
    DELETE_CATALOG_ROLE            YES YES
    OLAP_XS_ADMIN                  NO  YES
    SELECT_CATALOG_ROLE            YES YES
    EXP_FULL_DATABASE              NO  YES
    WM_ADMIN_ROLE                  NO  YES
    GATHER_SYSTEM_STATISTICS       NO  YES
    JAVA_DEPLOY                    NO  YES
    GRANTED_ROLE                   ADM DEF
    DATAPUMP_EXP_FULL_DATABASE     NO  YES
    JAVA_ADMIN                     NO  YES
    XDB_SET_INVOKER                NO  YES
    IMP_FULL_DATABASE              NO  YES
    XDBADMIN                       NO  YES
    16 rows selected.Hope that helps,
    -Mark

  • ESW: What are the roles assigned with CRM user in ESW?

    I would like to see the CRM from a Sales role and a marketing role

    Hi,
    you can use the installation Guid for that:
    http://help.sap.com/saphelp_nw04/helpdata/en/25/33533dc1c0b60fe10000000a114084/frameset.htm
    Only thing that is not exactly mentioned there. If you create a special user to use NWA on the J2EE - this user should have J2EE_ADMIN authorisation.
    Rest is described exactly in the Guide Mentioned above.
    Hope this helps to solve the issue.
    Regards,
    Oliver

  • Roles assigned against a user id

    Hi All,
    I have a user id, I want to check if a role is attached to it or not, I already have the role.
    How can i go about it ?
    thanks,
    gols

    Goto Su01-->username--> Display or change mode -->check the tab that contains roles and assignments.
    SU01 Create/ Change User SU01 Create/ Change User
    PFCG Maintain Roles
    SU10 Mass Changes
    SU01D Display User
    SUIM Reports
    ST01 Trace
    SU53 Authorization analysis
    Thanks,
    AMS

  • Multiple Roles assigned to one Swimlane

    Hi,
    We are currently using ALBPM 5.7, moving towards a possible upgrade to 6.0.
    We are faced with a situation, where it would be very beneficial to assign more than one Role to a Swimlane, but this seems not to be possible?
    We are then forced to model the same parts twice or more in the same Process just in different Swimlanes, which is tedious and maintenance cost grows.
    Are there any good explanation, why this is not possible, or are you working on fixing this in any future releases?
    On the other hand it would be nice if there is another easier workaround for this, than duplicating parts of the flow in different Swimlanes.
    Thanks,
    Nikolaj

    Hi,
    In 5.7 there is a feature called "multivalue role". In 6.0 it is called "parametric role".
    Based on a string instance variable, this type of role allows different people access to instances in the same interactive activities in a role of a process. For example, you might have people who are auditors and people who are underwriters. If the instance variable that the parametric role is based on has been set to "auditors", then only the auditors assigned to that role will be able to see the instances in the interactive activities in that role.
    Let me know if you need more information about this.
    Dan

  • Report to see user type and roles assigned to users in EP?

    Hi,
    a) Is there any reporting mechanism in EP? Any specific report which throws up user types and roles assigned to the users? There is an option of 'Export' in the user management role but unfortunately it does not give information on User Type.
    b) If  the group is assigned a role, How can we see ( in any report) the roles assigned to a group? In the 'export' option of the 'User Management' this information does not come.

    By default Portal UME comes along with the installation of portal.
    Sometimes we may integrate external users using LDAP. At that time users come from ABAP stack or some active directories.  But you can also create users in the portal UME.  The purpose of using LDAP is to maintain the users centrally rather than creating again in portal.
    You can check them in user administration->identity management and search for the users.
    THere you can see some users will be from UME and some from LDAP.
    User Admin tool is nothing but User Administration only.
    Raghu

  • EP role assignment to user id's deleted

    Hi,
    We have Windows Active directory server and the id's created there will be created in EP as well. (or both share the same db).
    Our Portal team will assign the roles to the newly created userid's using IMPORT function.
    1. Nearly we have 15k users. and today we have used the import functionality to assign roles to the 60 newly created users.
    2. The role assignment for 14k users which share the same domain(LDAP1) deleted.
    3. The role assignment for other users who use other domain(LDAP2) exists.
    What would be the root cause of the problem?
    Is it possible to take System log from EP system -> system admin ? or we need to ask the basis admin to retrieve issue log?
    Thanks!
    Dhiyu

    Hello Shabir,
    Initially all the contents can be viewed only if u have super_admin role. If u want to give access of any folder to a particular user, just open the permission editor of the folder and assign any particular role (say content_admin role) and select the end user checkbox.
    Now assign the user the same role u have specified in the permission editor of the folder. Then the user can view that folder.
    This will solve ur problem.
    Regards
    Deb
    [Reward points for helpful answers]

  • Best way for limit users ? How to limit also the role assignment?

    Hi gurus, we are facing a strange situation.
    due to the politics implemented in our company , we are not allowed to delete the user record once this guy has finished in the company. We need to have an historic of users to consult who has made something in our R3 4.7 ERP
    We use instead the fiel VALID TO in the user record, so the user can´t access the system once the date is reached (it is the same thing that the standard transaction HRUSER manages the validity of the users...)
    The problem is that the roles assigned to the users are not limited the same way, I mean if an user has the validity of a role form the 2008/01/01 to 9999/21/31 its not limited.
    That means that in PFGC you can see the roles with user assigned but they are not really actives...
    Please, is there any possibility to limit also this range of dates in PFCG in an automatic way? It will help us a lot to have the role assignments up to date
    Thanks in advance
    Best regards.

    due to the politics implemented in our company , we are not allowed to delete the user record once this guy has finished in the company. We need to have an historic of users to consult who has made something in our R3 4.7 ERP
    Good! There are many discussions in the forum on the disadvantage of deleting users.
    We use instead the fiel VALID TO in the user record, so the user can´t access the system once the date is reached (it is the same thing that the standard transaction HRUSER manages the validity of the users...)
    The problem is that the roles assigned to the users are not limited the same way, I mean if an user has the validity of a role form the 2008/01/01 to 9999/21/31 its not limited.
    What's wrong with taking away all roles from these users? You can always retreive their previous assignments from the change documents.

  • ABAP centered role assignment not working

    I have been trying to implement ABAP centered role assignment for our users but not really having much luck in gettng it to work. I've been trying to make sense of it by using [the help guide|http://help.sap.com/saphelp_nwmobile71/helpdata/en/d2/3e3842b23d690de10000000a155106/frameset.htm] but I must be doing someting wrong. Here are the steps that  take.
    1. Create a single ABAP role - A single role with no menu or authorizatons
    2. Create a UME Group - I name the group exactly the same as the ABAP single role from the previous step
    3. Assign UME Group to Portal Role
    4. Assign mapped user to ABAP role
    Supposedly the ABAP role assingment is supposed to reflect through to the UME group membership so the portal user then sees the associated portal tab.
    Can you enlighten me?
    Thanks in advance

    Hi,
    I 'm facing same kind of problem.
    Case 1:
    I tried with:
                      Assigning users to group (abap role) which didn't worked.
                      Assigning UME Role to group (abap role) which worked. Then i assigned the user to the UME Role, but the user is not getting the backend authorizations.
                      Assigning the portal role to the group (abap role), then when i assiged a user to the abap role from R/3 automatically the user is getting the portal role.
    How can i do the same from portal?
    Case2:     
    While distributing the portal roles to the ABAP system (System Administrator -> Permissions -> SAP Authorizations), the status is showing as "Role transfer compleated". but when i checked from the R/3 transaction WP3R, there are no portal roles.
    Why are the portal roles not getting transfered even though the status is green?
    Mr.Chowdary

  • Status of roles assigned in SU01

    Hi All, Need help to understand the status of a role and effect of user comparison on it... in SU01 assignment to a ID....Cases as below:
    1.Role assigned to the ID has expired....The color of the role I have noticed becomes red...why is it so? is it because the role had a new profile generated since the time role got expired in that user? or is it just because role has got expired and so it becomes red in SU01?
    And are roles and corresponding profiles which got expired removed from the ID automatically or just both role&profile left as it is with only the role turned red giving the text (User comparison required)...
    2.Role assigned to a ID with validity start date set as some date in future. Have seen that in this case too role becomes red after a day!! PFCG_TIME_DEPENDENCY runs..But why is it so??Why does it turn red?

    Hi,
    Role assigned to the ID has expired. the color of the role becomes red. This is because each role assigned to the user has a validity end period. once this date is crossed, the user will not have authorization to objects contained in the role. You can check more details in AGR_USERS table. there you will find that each role attached to a user has a start and end date.

Maybe you are looking for

  • Display images in a report

    Hi all, I have a table, Standard_Products, and i want to show an image in my report along with some other data. I am using file browser to import the images at the moment. Please advise what to do - at the moment the column is showing "Datatype" inst

  • Part 2: Load Image from URL into Dynamic Text Box - goodinson.snapshot

    I have a flash file where a user can add an image url into a Dynamic Text Box (image_in.text) and the image will now appear in the flash file. I am using goodinson.snapshot as featured in this article: Saving Flash graphics as image files at runtime

  • ESS with Internal ITS

    We are using ESS 50.4 on ECC6 with internal ITS.  It is working well except for a mouseover message when the user places the mouse over a pushbutton in the applications for Address, Personal Information, Bank Information, and Family/Related persons.

  • How do i get the answers to my security questions if i forgot them?

    How do i get the answers to my security questions if i forgot them?

  • Just got new Macbook Pro 15' Retina and Google Chrome instantly crashes

    I already tried reinstalling it many times, but no dice. I literally just came from my local apple tech store and got some of my applicatons and files transfered, since I was having problems transfering. Now that they transfered as much as they could