PFUD - profiles are removed, but role is in

Hello,
I am testing background job based on report RHAUTUPD_NEW.  I assign role to a user via SU01 and time-limit it.  When limit expires I check user's record via SU01.  I see that the profile is being removed from the user's record, but role's assignment still shows in the user's record.  Is this a correct behavior?  Is there a way to remove role from the user's master record as well?
Thanks
Galina

That is indeed interesting question.
If might make sense to agree on an approach with them.
If your provisioning of access support model and infrastructure supports it, then removing the role is a better option in my opinion. SAP seems to be going that way as well, since IdM also without deleting the user ID which is usefull.
It helps a lot if you do not have too many (sets of) roles and the tools interogate their validity.
It is without a doubt a very usefull control to set the date of expiry when assigning the access. At that point in time you know most about the user and their request for access!
Cheers,
Julius
Edited by: Julius Bussche on Mar 30, 2010 12:14 AM

Similar Messages

  • Lr 3.2 lens profiles are removed during PSE9 uninstall

    I uninstalled the trial version of Photoshop Elements 9 from my computer (Win Vista Ultimate 64 bit, 8 gig ram; tons of HD space available). When I used Lr 3.2 later that day I noticed that most of the lens profiles that Lr had installed were now missing. All is not lost; I re-instaled Lr 3.2 and the profiles are back. Just thought I'd let folks know in case you noticed this on your system.
    Michael

    It is a known and unfortunate limitation of how our current lens profile installation/uninstallation works. The workaround is to reinstall LR 3.2.

  • Users are created but Roles are not Provisioned in the Target System

    Hi,
    It would be great if somebody would provided solution to my problem. The problem is when I try to create the Users in Identity Managment UI then the Users are created in the Target systems but the Roles are not provisioned to the Users.
    In the provisioning job SetABAPRole&ProfileForUser,
    It is says In the Error putNextEntry failed storing
    Exception from Modify operation:com.sap.idm.ic.ToPassException: User does not exist
    MSKEY 58437
    Please note the When we create the User, the user is created however the Roles is not provisioned to the user.
    Regards,
    Hakim

    Hello Nits,
    since this thread is from 2010 and the OP was logged on last in 2012 (as you can see in the profile), I don't think you'll get an answer here.
    Please create a new thread to explain your problem (with version and SP numbers, logs etc). You can add a link to this thread to show, that the problem is similar.
    Regards,
    Steffi.

  • CUA issue; after roles are removed systems assigned to users remain?

    Hello,
    I've had this specific issue with CUA for some time, but haven't needed to try and resolve until now.
    The problem is this:
    - after security roles for a user have been removed for an entire system, in the system tab entries remain.
    - this results in the user account remaining in the child system, even though there are no security roles assigned.
    I have tried removing system entries once all roles are removed, however after saving the changes I see that the systems still exist.
    So, can anyone comment on why this happens? Is there an SAP note to resolve this?
    Appreciate the feedback.
    Paul

    Paul Vipond wrote:
    Thanks Julius.
    My intention is not to delete users. What I'm expecting to happen is that after I remove all the roles assigned to user for a specific child system, that user should not exist in the child system anymore.
    If you delete the system assignment for a child system, A deletion of the user in that system will happen.
    Paul Vipond wrote:
    This is the way it has worked for many child systems, but not all. For me it's specifically my production systems where a user account remains after all the roles have been removed.
    In dev/test systems I've removed all roles assigned to a user and after saving their account no longer exists in those dev/test systems.
    Make sense?
    If that is so, that is a bug in your dev/test system. I suggest to open an incident wiht SAP then.
    It should work like in a standalone system.... Removing all roles there will never lead to a deletion of that user!
    b.rgds, Bernhard

  • How to copy and remove admin Role from SAP_ALL profile

    Hi SDN Experts,
    I need to copy SAP_ALL profile to another in CRM 5.0 system, thereafter i need to remove admin Role from SAP_ALL profile. Can any help regarding this point..
    regds
    gcp

    Chandra,
    I saw ur post in this forum regarding configuring sap intergration with genesys gplus adapter. We are in need of the same configuration. Can you please help me in configuring sap phone for gplus adapter. Reply me on [email protected]
    Thanks in Advance

  • After BI 7.0 Upgrade, Authorization Roles and profiles are not visible

    Hi Gurus,
    We have an issue with authorization roles and profiles are not visible for all end users with new Bex Analyzer (BI 7.0) tool. But still they can see these roles with old Bex Analyzer ( Bex 3.5) tool.
    As a developer I have SAP_ALL acces and I can see all authorization roles in new BEx Analyzer (BI 7.0).
    I verified in SU01 for user access and every are assigned there roles and they are green.
    Do we need to add any new authorization object to fix this issue, please let me know
    Thanks and appreciate your help.
    Thanks
    Ganesh Reddy.
    Edited by: Ganesh Reddy on Oct 26, 2009 4:41 PM

    Hi Ganesh,
    check the behaviour, if you assign
    S_USER_AGR                          
       ACT_GROUP = "..name of the assigned role.."
       ACTVT = 03 (for "display")    
    b.rgds,
    Bernhard

  • After BI 7.0 Upgrade, Roles and profiles are not visible

    Hi Gurus,
                                  We have issue with the roles and profiles, all our users doesnt see any roles or profiles in Bex Analyzer, under there user access after BI 7.0 Upgrade. 
                                   When I go and check there profile in SU01 and I can see all roles are assigned but not able to see in the Bex Analyzer reporting tool.
                                   Do we need to do any configuration settings after BI 7.0 upgrade to visible roles. This problem with every user.
                                   Your help will be really appreciated.
    Thanks
    Ganesh Reddy.
    Edited by: Ganesh Reddy on Oct 22, 2009 5:19 PM

    Hi Mohan/Vijay,
                            Sorry for little bit late. I have all authorization roles access, and users dont have that access. Difference between our roles is I have SAP_ALL and SAP_NEW.
                            But when they login with old bex analyzer they can see all roles, but not with new bex analyzer.
                            Please some suggest me still I need to run SU25.
    Thanks
    Dayaker Reddy.
    Edited by: Ganesh Reddy on Oct 26, 2009 10:19 AM

  • OSD - MDT 2013 - USMT Scan/LoadState Runs Successfully but user profiles are not restored.

    I have this odd issue that I can't seem to figure out. I have an MDT Task Sequence that I created runs scanstate and loadstate without any issues using hard link. Unfortunately, the user profiles are not loaded/restored after loadstate runs. I can go to
    the StateStore folder and manually run the loadstate again or use the Windows Easy transfer to restore the users, but I want this to occur when loadstate runs. 
    Here is the loadstate log:
    2014-03-30 18:01:10, Info                  [0x000000] USMT Started at 2014/03/30:18:01:10.787
    2014-03-30 18:01:10, Info                  [0x000000] Command line: C:\_SMSTaskSequence\Packages\CMP0010E\x86\loadstate.exe C:\StateStore /c /v:5 /l:C:\WINDOWS\system32\CCM\Logs\SMSTSLog\loadstate.log /progress:C:\WINDOWS\system32\CCM\Logs\SMSTSLog\loadstateprogress.log
    /i:C:\_SMSTaskSequence\Packages\CMP0010E\x86\MigApp.xml /i:C:\_SMSTaskSequence\Packages\CMP0010E\x86\MigUser.xml /ue:*\* /ui:company.local\*
    2014-03-30 18:01:10, Status                [0x000000] Activity: 'MIGACTIVITY_COMMAND_LINE_PROCESSING'
    2014-03-30 18:01:10, Info                  [0x000000] Script file specified: C:\_SMSTaskSequence\Packages\CMP0010E\x86\MigApp.xml[gle=0x000000cb]
    2014-03-30 18:01:10, Info                  [0x000000] Script file specified: C:\_SMSTaskSequence\Packages\CMP0010E\x86\MigUser.xml[gle=0x000000cb]
    2014-03-30 18:01:10, Info                  [0x000000] Replacement Manifests are processed because this OS version has built-in component manifests
    2014-03-30 18:01:10, Info                  [0x000000] The ReplacementManifests folder used to service system component manifests is not present. OS settings migration will be done with system component manifests
    installed onto the system.
    2014-03-30 18:01:10, Info                  [0x000000] Starting the migration process[gle=0x00000006]
    2014-03-30 18:01:10, Status                [0x000000] Activity: 'MIGACTIVITY_MIGRATION_START'
    2014-03-30 18:01:10, Info                  [0x000000] Excluding path: C:\_SMSTaskSequence\Packages\CMP0010E\x86
    2014-03-30 18:01:10, Info                  [0x000000] Excluding path: C:\StateStore
    2014-03-30 18:01:10, Info                  [0x000000] Excluding path: C:\WINDOWS\system32\CCM\Logs\SMSTSLog\loadstate.log
    2014-03-30 18:01:10, Info                  [0x000000] Excluding path: C:\WINDOWS\system32\CCM\Logs\SMSTSLog\loadstateprogress.log
    2014-03-30 18:01:10, Info                  [0x000000] Excluding path: C:\_SMSTaskSequence\Packages\CMP0010E\x86\MigApp.xml
    2014-03-30 18:01:10, Info                  [0x000000] Excluding path: C:\_SMSTaskSequence\Packages\CMP0010E\x86\MigUser.xml
    2014-03-30 18:02:55, Info                  [0x000000] Leaving MigCloseCurrentStore method
    2014-03-30 18:02:55, Status                [0x000000] Activity: 'MIGACTIVITY_SUCCESS'
    2014-03-30 18:02:55, Info                  [0x000000] Success.[gle=0x00000006]
    2014-03-30 18:02:55, Info                  [0x000000] USMT Completed at 2014/03/30:18:02:55.116[gle=0x00000006]
    2014-03-30 18:02:55, Info                  [0x000000] Entering MigShutdown method
    2014-03-30 18:02:55, Info                  [0x080000] COutOfProcPluginFactory::FreeSurrogateHost: Shutdown in progress.
    2014-03-30 18:02:55, Info                  [0x0803e6] Removing mapping for HKLM
    2014-03-30 18:02:55, Info                  [0x0803e7] Successfully unmapped HKLM
    2014-03-30 18:02:55, Info                  [0x0803e6] Removing mapping for HKU
    2014-03-30 18:02:55, Info                  [0x0803e7] Successfully unmapped HKU
    2014-03-30 18:02:55, Info                  [0x080487] Destroying OS analysis service
    2014-03-30 18:02:55, Info                  [0x080488] Destroyed OS analysis service
    2014-03-30 18:02:55, Info                  [0x000000] Leaving MigShutdown method

    I've got this to work although I haven't figured out the root cause.
    My initial OSDMigrateAdditionalCaptureOptions were: /Hardlink /nocompress /uel:30 /config:%_SMSTSMDataPath%\Packages\%_OSDMigrateUsmtPackageID%\%Processor_Architecture%\config.xml"
    My OSDMigrateRestoreCaptureOptions were:  /Hardlink /nocompress /ue:*\* /ui:domain.local\*
    Since the restore was failing, I removed the domain name from the ui switch which magically caused the restore process to load the user profiles to the computer.
    My final OSDMigrateRestoreCapptureOptions which worked: /Hardlink /nocompress /ue:%computername%.
    Just to note /hardlink commands are not necessary when you are using MDT task sequence, but I put it in anyway and it seems ensure that I get consistent results.

  • Server 2012 R2 RDS, User Profile Disks are created but local profiles are created as well. The UPDs aren't mounting correctly.

    2012 R2 RDS Deployment with RDCB HA and UPDs enabled. Everything was working fine with no issues until users started getting temporary profiles. Around the same time UPDs were being created but at the same time a user profile was created in C:\Users. 
    I actually rebuilt the entire RDS configuration except the SQL Server. It took about 5 hours and was not that big a deal but.... we still have the same issue! 
    Does anybody have the solution for this?

    Hi,
    In most cases, the issue is caused by locked UPD. And the workaround is to log off the user. Please check if it is the case.
    For example:
    RDS user profile disks - getting error temporary profile are being used as UPD are not accessible
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/0d4b66fc-b53f-435e-b036-142b6ed15d0b/rds-user-profile-disks-getting-error-temporary-profile-are-being-used-as-upd-are-not-accesible?forum=winserverTS
    Also, please check if you will get the temporary profile when logging on with a local account of the session host server.
    If issue persists, please check if there is any related error in Event Viewer and provide us for further research.
    Hope this helps.
    Jeremy Wu
    TechNet Community Support

  • Profile mismatch, but the profiles are just the same

    Hi guys,
    I assigned all my CS5 to one CMYK profile {FOGRA39}. But when I open document, which is in FOGRA39 as well, every times the Profile-Mismatch-Dialog pops up. It says, that my document is assigned to FOGRA39 and my current color setting is set to FOGRA39.
    I ma confused a bit – the spaces are jsut the same. Where is the mismatch?
    Sorry, the dialog is in Czech, but I hope it is clear.
    Thank you in advance!

    The difference is not the profile, but the policy.

  • Hi. I cannot trash photos from an album. Options are "remove from album" or "trash" but both only remove from album not the library

    Hi. I cannot trash photos from an album. Options are "remove from album" or "trash" but both only remove from album not the library. The only way to trash photos is to go to the library/photos and trash from there which is a bit annoying!

    If you click the arrow in the right lower corner of the photo in the album, you should see the Trash can. Is it not there?
    Or use the key combination option-command-delete  ⌥⌘⌫  .

  • Profile for a composite role

    Hello Experts,
    We are having a problem dealing with a composite role.
    Whenever we add the composite role to a user master; a profile appears for each of the single roles (which is normal) BUT we also get a profile for the composite role.
    We verified in the table AGR_1016  and found that there is a profile asocited to the composite role.
    We tried the clean-up option of the transaction PFUD which did not work in our case.
    We were thinking that may be the role was firstly created as a single role with its profile; and then it mayhave been changed to a composite role without deleteing its profile. Is it possible ?
    Any answer is most welcome!
    Thanks & Reagards

    > We were thinking that may be the role was firstly created as a single role with its profile; and then it mayhave been changed to a composite role without deleteing its profile. Is it possible ?
    Sounds to me as if there has been an import of a composite role overwriting a single role with the same name. The pfcg import facility has very few checks in them so something unwantend could have happened. I think it is not possible to change a role from single to composite with the PFCG or other tools. What does table AGR_PROF say about this role?
    I would suggest to copy the composite to a new name (without copying the singles) and see how that looks. If it is OK you can delete the corrupted role, check wether it is completely gone and copy the new role back to it's original name.

  • I tried to remove a role from one of my 2012R2 DC's

    I tried to remove a role from one of my 2012R2 DC's and now I basically can't do anything to that DC.  Attempting pretty much anything on it tells me that it can't do it because it needs a reboot, and a reboot fixes nothing.  The role I wanted
    to delete is removed (print services), but I can't re-add it, or change any other role or feature.  There is a 'pending.xml' file, and it is rather large.  I can't delete, or rename the 'pending.xml' file, as it is owned by 'TrustedInstaller'.  This
    is the FSMO DC and there are some other services on it that I would rather not have to re-install and reconfigure. I've looked for other things that could prohibit installs and more, but there are no 'Pending Renames' in the registry.
    At least getting server manager to stop complaining would be a good start.
    Thanks in advance for any assistance.

    Hi Mike,
    Just addition, please run
    sfc /scannow command to scan all protected system files and use
    Chkdsk command to check the status of the disk in the current drive. any find?
    à
    The role I wanted to delete is removed (print services), but I can't re-add it, or change any other role or feature.
    Just a confirmation, did you mean that had un-install
    print services successfully? No error occurred? Please check relevant log file (such as event log file and so on) if find some errors. In addition, I noticed that you attempt to re-install the role. Did you get any error message when failed to re-install?
    Did you use Install-WindowsFeature PowerShell command to install? Any difference?
    If any update, please feel free to let us know.
    Hope this helps.
    Best regards,
    Justin Gu

  • Which are the required roles/privs for viewing all scheduler jobs in OEM?

    Platform: Oracle 11.1.0.6 Enterprise Edition (64) Windows 2008 R2 Server
    - I've created a new Admin user in "OEM>Setup>Adminstrators>Create"
    - I checked the user in "OEM>Server>Users":
    CREATE USER "SA_ADMIN"
    PROFILE "DEFAULT"
    INDENTIFIED BY "saadminsa"
    DEFAULT TABLESPACE "SYSAUX"
    TEMPORARY TABLESPACE "TEMP"
    ACCOUNT UNLOCK;
    GRANT SELECT ANY DICTIONARY TO "SA_ADMIN";
    GRANT "MGMT_USER" TO "SA_ADMIN"
    - "SA_ADMIN" was granted only the permissions above.
    - I can log in OEM as "SA_ADMIN"
    - I can see OEM backup jobs and the history
    - But I cannot see any "scheduler" jobs in "OEM>Server>Jobs"
    - I get a lists of the jobs in "OEM>Scheduler Central" but I cannot display any more information of "scheduler jobs"
    - I logged off from OEM
    - I granted SCHEDULER_ADMIN role to "SA_ADMIN"
    GRANT SCHEDULER_ADMIN TO "SA_ADMIN";
    - I logged back in OEM as "SA_ADMIN
    - I can now see some scheduler jobs, but not all of the jobs, I still cannot see any of the new jobs I created logged in OEM as SYS.
    Which are the required roles/privs for viewing all scheduler jobs in OEM?

    if you grant "SYSDBA" to the new Admin user then you can see the "scheduler" jobs.
    GRANT SYSDBA TO "SA_ADMIN";
    I wanted to grant "read" access in OEM for the new user.
    This behaviour is strange.
    Without the "SYSDBA" role the new user can see the OEM backup jobs that were create in as SYS, but it cannot see the "scheduler" jobs.

  • AGR_1016: More than one profile linked to a role

    Hi,
    We have a role wich contains several profiles in table AGR_1016. The name of such profiles are sequential number based on the original profile (XXXXXX1, XXXXXX2, XXXXX3 etc).
    Why is the reason for having many profiles linked to a unique role? Which action in the system generated the different entries in table AGR_1016?
    We do know that the princial / original profile is inserted once we generate the role in PFCG. But what about the sequential entries?
    Many thanks in advance. Best regards,
      Imanol

    imanol,
    Yes this is possible with large roles. When the number of authorizations exceeds a set number , profile generator will create additional profiles. You will notice that there is a sequential number at the end of the profile name for the additional roles.
    Maximum no. of profile that can be assigned is 312.
    Max of 150 auth can fit into a profile. if there are more than 150 auth, an additional profile is generated. It has the same profile name (first 10 charaters) last digits are used as counter (0 to 99)
    Thanks,
    Sri
    Edited by: sri on Jul 16, 2010 5:00 AM

Maybe you are looking for

  • Enumeration mapping in message mapping

    I have a source structure ABC that contains two fields.  This structure needs to be transformed into two records that will store the field name of the source as well as the value.  It actually creates name/value pair in the target interface.  I wonde

  • Performances Problem in XI using RFC

    Hi All, I have some doubts about XI performance: Does anybody knows if there is any performance restrictions to do RFC calls to XI ? What's the best performance Solution in XI ? iDoc Adpater or RFC Adapter, File Adapter or RFC Adapter ? Is it possibl

  • All Game Center friends' status says "Never Played" and not be updated after restoring iphone

    I restored my iphone today, and after that, recent game activity line of all of my friends on my game center friends list shows "Never Played" and has not been updated. Is there anyone saw this issue and found any solutions?

  • IPad 2 International Warranty

    I intend to purchase an IPad 2 recently in US, but I will be re-allocate to Singapore soon. Does IPad 2 comes with International warranty so in case there are any defeats it could be repaired in Singapore under warranty?

  • Can I get fixed length output after encryption using PBEwithMD5andDES?

    Hi, I am currently using "PBEWITHMD5ANDDES" algorithm to encrypt the string and later it is encoded using BASE64. I need to store the value in Database so I need output to be of fixed size. Currently output depends on the input string length. My inpu