Remove role from user

Hi, how do I remove a role from a user when he is terminated or disabled?
I am assigning a role in the following way during creation with the help of a rule:
<setvar name='newuser.waveset.roles'>
  <filterdup>
    <appendAll>
      <ref>accounts[Lighthouse].roles</ref>
      <s>General-Provision-Role</s>
      <rule name='Get Location Role'>
        <argument name='LocationCode' value='$(newuser.global.LocationCode)'/>
      </rule>
    </appendAll>
  </filterdup>
</setvar>
How do I remove this role on termination of the user?

Similar Messages

  • Remove roles from users

    Hi All,
    I would like to ask what can I do if I would like to remove multiple roles from ALL users in the system?
    Normally, for a list of users , I use SU10 to do it.
    However, since there are 1 thousand something users in the system, is there a more efficient way to do it?
    Thanks for your help.
    Regards,
    Chris

    Thanks.
    I would say, in my case, it's best to use PFCG since I only need to remove 3X something roles from them. (I don't know which users have those particular roles; the only thing I need to do is to make sure that the 3X roles have no corresponding users.)
    Thanks again !
    Regards,
    Chris

  • Unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest

    unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest

    Hi,
    For SU01 role removal, you do not need S_USER_AGR with 02, and as you mentioned both authorizations are available in production; if so, the trace should not show you S_USER_AGR with 02 with RC=04.
    I would recommend doing a role comparison for the user performing the activity, and then checking whether you have S_USER_AGR with 02 in the user buffer (SU56).
    But ideally it should not ask you for S_USER_AGR with 02 through SU01, so please take the help of an ABAPer to debug it.
    Also put a trace in non-PRD to see if S_USER_AGR is getting checked with 02 for removal through SU01.
    BR,
    Mangesh

  • Remove role from the securityContext

    Hi Experts,
    We have a requirement in our application: the user can log in to the application. Once logged in,
    if the user has multiple roles defined in the security, all the roles will be displayed in the page; now he can select one role and navigate to the next page.
    As soon as the user selects the role, I need to remove all other roles from the security context, meaning that in the next page the user has to have one role in the securityContext.
    Please suggest how to remove a role from the securityContext for that session.
    JDEV version 11.1.1.6
    Appreciate your help
    KT
    Edited by: KT on Oct 1, 2012 1:35 PM

    Repost.....

  • RAR: Risk resolution options , Remove access from user is disabled

    Hi All,
    In RAR, after risk analysis, if we click on the risk description, 3 risk resolution options are there:
    Mitigate Risk
    Remove access from user
    Delimit access for user
    Of these options, only Mitigate Risk is working. I am using GRC SP 5.
    How about the other two options? The save button is disabled. How to enable this?
    Can we remove/delimit access for a user using these options? Has anybody tested these options?
    Thanks n Regards,
    Joseph

    Joseph,
    These functionalities do not exist in the tool and these buttons have been in RAR for the past 2 years. SAP wants clients to use CUP for removing or delimiting access, so I highly doubt this will ever work.
    Alpesh

  • Revoke roles from users

    I want to revoke a number of roles from users. What I found is that if one or more roles were not granted to the user before, then the whole 'revoke' statement will fail, i.e. the granted roles will not be revoked from the user. Is there a way to let the statement revoke the granted roles even though some of the roles may not have been granted? For example:
    REVOKE role1,role2,role3 from user;
    I want to revoke role1 and role2 even though role3 was not granted to the user.

    Why don't you test this yourself?
    satyaki>
    satyaki>select * from v$Version;
    BANNER
    Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Prod
    PL/SQL Release 10.2.0.3.0 - Production
    CORE    10.2.0.3.0      Production
    TNS for 32-bit Windows: Version 10.2.0.3.0 - Production
    NLSRTL Version 10.2.0.3.0 - Production
    Elapsed: 00:00:00.98
    satyaki>
    satyaki>
    satyaki>
    satyaki>
    satyaki>create role r1;
    Role created.
    Elapsed: 00:00:01.80
    satyaki>
    satyaki>
    satyaki>GRANT select  ON emp   TO r1;
    Grant succeeded.
    Elapsed: 00:00:00.51
    satyaki>
    satyaki>
    satyaki>create role r2;
    Role created.
    Elapsed: 00:00:00.02
    satyaki>
    satyaki>grant update on emp to r2;
    Grant succeeded.
    Elapsed: 00:00:00.05
    satyaki>
    satyaki>
    satyaki>grant r1 to hr;
    Grant succeeded.
    Elapsed: 00:00:00.17
    satyaki>
    satyaki>grant r2 to titan;
    Grant succeeded.
    Elapsed: 00:00:00.07
    satyaki>
    satyaki>
    satyaki>revoke r2 from hr;
    revoke r2 from hr
    ERROR at line 1:
    ORA-01951: ROLE 'R2' not granted to 'HR'
    Elapsed: 00:00:00.12
    satyaki>
    Regards.
    Satyaki De.
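
One way to get the behaviour asked for in this thread, as an added example that is not part of the original posts: issue one REVOKE per role and treat ORA-01951 (the error shown in the session above) as "nothing to do", so that a role that is not granted does not stop the others. The grantee HR and roles R1 and R2 are the sample names from the session; the block assumes the caller holds the privilege to revoke these roles.

```sql
SET SERVEROUTPUT ON

DECLARE
  -- Sample names from the session above: R1 is granted to HR, R2 is not.
  c_grantee CONSTANT VARCHAR2(30) := 'HR';
  TYPE t_names IS TABLE OF VARCHAR2(30);
  l_roles   t_names := t_names('R1', 'R2');

  -- ORA-01951: ROLE '...' not granted to '...'
  e_not_granted EXCEPTION;
  PRAGMA EXCEPTION_INIT(e_not_granted, -1951);
BEGIN
  FOR i IN 1 .. l_roles.COUNT LOOP
    BEGIN
      -- One statement per role, so a missing grant only affects that role.
      -- ENQUOTE_NAME rejects malformed identifiers before they reach dynamic SQL.
      EXECUTE IMMEDIATE
           'REVOKE ' || DBMS_ASSERT.ENQUOTE_NAME(l_roles(i), FALSE)
        || ' FROM '  || DBMS_ASSERT.ENQUOTE_NAME(c_grantee, FALSE);
      DBMS_OUTPUT.PUT_LINE('revoked ' || l_roles(i) || ' from ' || c_grantee);
    EXCEPTION
      WHEN e_not_granted THEN
        -- Expected for roles the user never had; any other error still propagates.
        DBMS_OUTPUT.PUT_LINE('skipped ' || l_roles(i) || ': not granted to ' || c_grantee);
    END;
  END LOOP;
END;
/
```

Only ORA-01951 is swallowed; a missing privilege or a misspelled role name still raises, which keeps the run auditable.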

  • Removed myself from users group

    Yesterday, I was trying to setup a mail server following this: http://www.howtoforge.com/arch-linux-ma … nd-dovecot and I accidentally removed myself from users group
    [yasar@yasar-laptop ~]$ id
    uid=1000(yasar) gid=12(mail) gruplar=12(mail)
    Now, I am thinking to issue this command:
    usermod -g users -G audio,lp,optical,storage,video,wheel,power yasar
    Is this command good? I just wanted to be sure. I don't want to break stuff again.

    Just run this command as root:
    gpasswd -a yasar users
    Last edited by anonymous_user (2012-01-12 16:40:45)

  • Remove role or user from position

    Hi all,
    We are on ECC 6.0; we are using indirect role assignment. We are looking for a way to automate the removal of a user (US) or role (AG) from a position (S),
    e.g. remove user 123456 from position 50000001 and user 654321 from position 50000002 in one shot.
    We have found the standard SAP program RHRHDC00 (RE_RHRHDC00 transaction) but it is not designed for doing that.
    Is there another standard program/function or... to solve this matter?
    Many thanks.
    Massimo

    We looking for a way to automate the removing of a user (US) or role (AG) from a position (S).
    There is a report called RHGRENZ2 which can be used to delimit specific OM infotypes (like IT1001 - Relationships) by specifying the end date and Position ID (Object Type S and Object ID = Position) manually. In your case, I believe IT1001's relationships A008 and B007 have to be delimited in order to remove a user (US) or role (AG) from a position (S), but this report cannot be run for specific relationship types of IT1001 (at least I never found an option to filter based on relationship types).
    You can try using report RHRHDL00 to delete IT1001 relationships from the PP database, but you should consider the consequences of such deletions and restrict the selection based on infotypes and relationship types carefully.
    Alternatively, you can also build an LSMW script to automate the process of mass delimiting/deletion of IT1001's relationship types using transaction PP02 (PP01 is not compatible with BDC/background processing).
    Thanks
    Sandipan

  • Could not add/remove Groups from User in UME

    Hi All,
    I am on ABAP + Java stacks.
    There is a user ABC with an ABAP role ZZZ which is displayed as a group in the UME console.
    When I tried to remove this Group from this user in UME, the system returned the error message:
    You are not authorized to assign one or more entities. Perform a new assigned entities search to see the correct status.
    Even adding a new Group to this user is forbidden.
    But if I delete this Role in ABAP SU01, it is synchronized and disappears from UME quickly.
    I don't know why. It does not seem to be related to an authorization problem, since I already have full auth.
    Could anyone help me?
    Thank you so much.
    Best regards,
    Nick

    Hi Nick,
    You can never assign an ABAP role from the portal. You can only map the portal role to an ABAP role.
    When you create a group on the portal, it will not be reflected as a role in the ABAP system, because when you create a group it will be created as a basic group with identity as private database and not as R3.DB.
    If you want to confirm, then create a group and save it; after saving it, check what the UNIQUE ID is.
    Thanks
    Anil

  • Mass deletion of roles from users

    I want to delete all roles from locked users. Is there a specific transaction for this instead of SU10? In SU10 one has to enter the roles to remove.

    We developed our own application which locks users after a while, then removes their role assignments after a while, and then lists roles which no longer have any assignments or no one is using anything which the role authorizes.
    This way you can optimize / automate periodic controls.
    There is no standard monitoring cockpit for this, but you can use declarative system params to destroy password based authentication.
    The real trick with periodic controls is to target the sample before you unassign and destroy roles, but the ability to do that depends on how you build the roles.
    Disclaimer: If you use composite roles then you have no chance. You are doomed.. ;-)
    Cheers,
    Julius

  • Mass deletion of SAP roles from users

    Hello All,
    I need to delete all assigned roles from a big number of users. I know the users but not the roles which the users have. I need to delete all roles from the user IDs.
    I know SU10 and I can select all my needed users. But in the role tab I cannot work with role names like Z* to delete. I can select all Z* roles and select "remove", but when I click save, I get the message that no changes were made on the users???
    Any idea?
    Regards
    Toni

    Hi David.
    David Berry wrote:
    I take it this is being run in PRD? What checks are being carried out during the table entry deletions and are you 100% happy sitting at your keyboard when pressing the 'run' button?
    Changes are made in PRD. The program was tested and is approved by each customer.
    Is there an easy way back to the previous state should it go wrong and how do you explain it to the auditors if needed that you assigned-number of roles in PRD against your own user ID possibly with no CDHDR/CSDPOS entries to back you up.
    Sorry for the 'negative vibes' but I don't like direct table maintenance in PRD for security.
    Best wishes
    David
    The way back is uploading the old role assignment previously exported from AGR_USERS. The program takes an excel sheet. In addition this excel sheet is attached to the change requests.
    From risk perspective we say (and experienced): mass changes through copy and paste lead to much more errors and faulty authorizations.
    Regarding direct table maintenance: standard function modules are used (like the one mentioned above) and the changes are visible in the change documents. Therefore the auditors grant an exception for using such tools.
    Cheers, Tobias

  • Unlink and remove role = delete user???

    Hi All,
    We are using Sun IDM 7.1.1.21 and have run into this problem. I believe it's a product bug because it doesn't make any sense. We have users in an AD resource, and they are linked to that resource in IDM using a role. If, for some reason, the user is deleted from AD, and re-setup we have to "re-link" the user because the "accountGUID" attribute has the wrong GUID for the user and IDM doesn't like that. We are doing this using Recon. When recon runs, and catches this user, the situation comes back as "Confirmed", which is fine, we are using a per account workflow to handle the changes. We then compare the GUIDs of the objects in the workflow, if they are different, we would unlink the IDM account and relink it to the new GUID. We are setting the following options on the unlink.
    <set name='options.unlinkTargets'>
      <list>
        <s>AD</s>
      </list>
    </set>
    <set name='options.deleteAccounts'>
      <s>false</s>
    </set>
    and we remove the role, because if we do not, nothing happens. When the user object is checked in, it gets deleted from the resource. I'm sure this is happening because the accountID DOES exist (when the user is re-setup on the back-end the same DN is given to the user). Obviously this result is undesirable. So now I have 2 questions.
    1. Am I doing this wrong?
    2. Why would IDM delete an account when deleteAccounts and unlinkTargets are explicitly set on the checkin?

    OK. I figured out where the problem was. Renaming the accountGUID without removing the role only caused a "rename account to same name" error. I was not setting the correct options when removing the role. I needed to set:
    <set name='options.noDelete'>
      <s>true</s>
    </set>
    <set name='options.deleteUser'>
      <s>false</s>
    </set>
    This did the trick. The roles were removed and the user unlinked without any harm done to the resource account. I was then able to re-add the roles and relink to the existing resource account without a problem.
    Thanks.

  • Fetch Admin Roles from User Object

    Hi,
    I have a user object from which I need to fetch the names of all Admin roles a user has.
    I tried this method - getExpandedAdminGroupRefs() - but it's returning null.
    The getAttribute method works fine with <s>firstname</s>
    <invoke name='getExpandedAdminGroupRefs'>
      <ref>userObj</ref>
    </invoke> --> null
    Along with this I also need all IDM capabilities that the user has, and the managed organizations.
    Can anyone help.
    Thanks in Advance :)

    Hi
    Not sure exactly where you are doing this from but there are reports in SIM that give you this information without writing any code.
    Admin role report
    Administrators report.
    If this doesn't suit you, you could look at the code that runs these reports and maybe answer your code question there.
    Cheers

  • Remove link from User Display Name

    Hi, there is the name of the user on top of the page, it has an arrow and when I click it shows me "About me" and "Sign out". I need to remove that link and leave only the text. Any idea how to do it pls?
    Thanks

    try these links:
    http://sharepoint.stackexchange.com/questions/77387/how-to-hide-the-about-me-link-from-the-username-drop-down-list
    https://social.msdn.microsoft.com/Forums/office/en-US/0cfdd44a-492d-4382-9981-2004d751cb01/how-to-hide-the-about-me-link-from-the-username-drop-down-list?forum=sharepointdevelopment
    http://myloveforsharepoint.blogspot.in/2013/09/hiding-links-in-welcome-control-in.html
    https://technet.microsoft.com/en-us/library/dn659293(v=office.15).aspx
    http://stackoverflow.com/questions/14725720/how-to-remove-default-links-from-sharepoint-2013-suite-bar-and-add-my-own-links
    Please mark as answer if you find it useful else vote for it if it is close to answer..happy sharepointing

  • Disconnect/remove PSTs from users profile with logging

    Hi all,
    I would like a script that removes (but does not delete) all PST files (except Sharepoint lists) attached to Outlook on a machine (for all users) with logging. I found the script on another site but I would like it to create a log file which records what it has actually done (machine|user|location of PST that was removed|time it was removed). Can anyone help with the logging bit please? I am thinking include the script as part of logon script and have the log file save in a network location.
    Current script is this:
    On Error Resume Next
    Dim objOutlook 'As Outlook.Application
    Dim Stores 'As Outlook.Stores
    Dim objFolder 'As Outlook.Folder
    Dim i 'As Integer
    Set objOutlook = CreateObject("Outlook.Application")
    Set Stores = objOutlook.Session.Stores
    ' Outlook collections are 1-based; walk backwards because RemoveStore shrinks the collection
    For i = Stores.Count To 1 Step -1
        ' ExchangeStoreType 3 = olNotExchange (PST and other non-Exchange stores)
        If Stores(i).ExchangeStoreType = 3 Then
            If Stores(i).DisplayName <> "SharePoint Lists" Then
                Set objFolder = Stores(i).GetRootFolder
                ' Detaches the store from the profile; the .pst file stays on disk
                objOutlook.Session.RemoveStore objFolder
            End If
        End If
    Next
    Thank you in advance for your time.

    Hello,
    You can use VBA Logger for adding log statements to the existing code.
    The RemoveStore method of the Namespace class removes a Personal Folders file (.pst) from the current MAPI profile or session. I.e. the method removes a store only from the Microsoft Outlook user interface. You cannot remove a store from the main mailbox on the server or from a user's hard disk using the Outlook object model.
