Removing single transactions from roles

Similar Messages

• Removal of tcode from role

  Hi Experts,
  I need to remove tcode from role menu, my requirement is as below
  I need to go in a role, search tcode in role menu and if tcode is present in role n times then remove that tcode.
  For example tcode SU01 is present in role menu 5 times then I need to remove all these 5 occurenses.
  As of now I have developed script using SECATT to remove tcode from role but it is static one,  means I already know that tcode is present 3 times then script will search tcode three times and delete and generate profile and come out.
  I want this functionality to be dynamic, i.e. I need to enter tcode only once in data input and then script should remove all occurence of that tcode from role.
  Looking forward for expert advice and comments, please let me know if my requirement is not clear.
  Thanks,
  Ashish Mistry

  Hello,
  1. Check the data base by writing ABAP Query.
  2. Get the length of the received data eg. number of record is present in the data base for your Query.
  3. Now you know exact number of T-Code so you can delete them.
  Regards,
  Bhavesh

• Deleting unused transactions from roles

  I am planning for unused transaction cleanup activity for SAP roles as mentioned below.
  There are lot of roles which are copied from SAP menu due to which they consist of around 1000 transactions. Now I know there will be around 50 transactions which might be used and rest of them not used at all.  I have made the strategy to find all the transactions which are not used during the last 3 months(using ST03N) and than consult the list with the role owners and delete the unused transactions.
  I would like to know whether this is the correct strategy to follow, will the ST03N data-> transactional profile provides the relevant data to sort out the transactions not used in last 3 months.  Please suggest or any alternative strategy can be followed. I know about sm19 audit log, but the problem is that it cannot be activated for all the users due to file space and performance issues.
  Regards,
  Sanjay

  There are lot of roles which are copied from SAP menu due to which they consist of around 1000 transactions.
  I am tempted to move this to the Test&Playground forum, because that is what building authorization roles from SAP Menü navigation nodes is.
  If course if you do not care and it is better than manual profiles then it is not all bad, so I will leave it here in the security forum fir now.
  From my side, if you have no clue... then go for the SAP standard roles and copy them into your own namepsace and work from there to start with. Check the objects included against audit check lists as step two. Take a closer look when you have a chance as step three (there are many manual auths in there...). You will be better off this ways than inventing roles of your own without any tcode or blue-print infos.
  I would however still not call it "best practice" and it will backfire over time, but it can be done in a few days (so that you can get your bones out of the project and onto the next one without learning about the pain-points).
  Eventually you become a professional bull-*******...
  Cheers,
  Julius

• Copied role but want to delete a transaction from S_tcode

  Copied one of our roles to a new role.
  When I go to the new role and want to change authorization for s_tcode.
  I want to remove a transaction from s_tcode. I only have a display icon
  It will not let me delete transaction.
  How can I change display icon to change
  Any suggestions on what I'm doing wrong
  Thanks
  Joe

  you should ask your question in the SECURITY forum to get a better answer.
  please check Security

• BDC to PFCG (Delete Authority Objects from Roles.)

  When we try to change an authority object it gives an error message saying that 'This authority object is used in roles XXX'.
  To remove Authority Ojects from roles, transaction PFCG is used. But the problem is that BDC is almost impossible to PFCG.
  Is there any way you can suggest us to change an authority object when it is assigned to a role or how we can BDC delete authority object from a role or a function/badi we can call to achieve this.
  This is a very high level question.

  Hi
  U should consider PFCG trx is enjoy trx so it's not suitable for BDC, what doesn't mean you can't do a BDC program for that trx but it won't be easy.
  Anyway you can know the users assigned to certain profile reading table AGR_USERS. I believe PFCG shows them sorted alphabetical, so you can know the position where an user should be, after u should use PAGE UP and PAGE DOWN command to scroll the table control.
  Max

• Removal of T.Code from role

  Hi all,
  i have to remove a t.code FBRA from all the plants users, there are 40 single roles, with T.Code FBRA,  how can i remove it at a time, without deleting individually in each roles. Is there any method , plz let me know.
  Thanks & Regards
  Syed..

  Hi Syed,
               Are you using a role which is created by using the standard role.
               Copy the role to a new role then delete the transaction from the role
               and assign the user with the newly created role. I think this would be one of the possible way. After that remove the users from the previous role.
  Please reward points if helpfull.
  Regards,
  Vamshi

• TS01: Remove other flows from transaction and save

  Dear Experts,
  TRM has been customized whenever a new transaction is created (using TS01) and a specific Business Partner chosen (Counterparty), additional flows for commissions (0301 u2013 flow type) and transfer fees (0302 u2013 flow type) are automatically generated based on IMG u201CDefine Derivation Procedures and Rulesu201D and its assignment of u201Cderived flowsu201D of the specific BP.
  For a specific  transaction our customer wants to remove the second flow 0302 u2013 Transfer fees although its deal has been performed with the same Counterparty that in its derivation rules include this flow (0302 u2013 Transfer fees). The business scenario is that this counterparty has always derived flows (Commissions and Transfer fees) but for this single one transaction it does not charge transfer fees. 
  When I create the transaction (TS01), after filling the payment amount, I move to u201COther Flowsu201D tab. In this the two flows have been automatically created. Then I choose the second line with 0302 flow type and I choose u201CDelete Rowu201D. Although initially the line disappears from the u201COther flowsu201D list, when I press Enter or Save the transaction the line with 0302 flow type reappears. It seems as I cannot remove the flow.
  Additionally I cannot change the amount of the flow!
  Does anyone know how to remove the flow and save the transaction and /or change the proposed by the system amount?
  Thank you, I would appreciate any help.

  Hi,
  For transaction derived flows, you can only change the amount but cannot remove the item as it is derived by default.  In case for  a single transaction you don't want the derived flow, you can remove it from the standing instructions of the counterparty and then create the transaction and then add the instruction back. 
  Or you have to add the same flow in the reverse direction for the same amount in other flows so that is gets nullified.
  Regards,
  Ravi

• How to Add a single Transaction to Base role of a User in GRC AC 10

  Hello Gurus,
  I would like to know if it is possible to assign a single transaction to a user in his default roles.
  e.g) We have some Users who have been assigned some default roles, and in some case if a user requires authorization only for a one transaction e.g.) FB08 or for the matter any transaction , instead of adding a role containing many other transactions , we would like to assign only this transaction to the user.
  OR
  In other example , if a user sends a missing authorization request i.e. SU53 screenshot , and that only one transaction needs to be assigned , how can it be provisioned to that specific user ?
  Is it possible in GRC AC 10 , by using CUP or BRM ?
  Looking forward for your opnion.
  Regards,
  Victor

  Hello Victor,
  In this case, why don't you create a role including only FB08? You cannot assign a user a transaction, you have to assign a role. This is the authorization concept in SAP.
  Cheers,
  Diego.

• Users are not removed from role using UME API

  Hello,
  I am using this code to remove users from a batch of roles that I have.
  Everything is running OK, no exception is thrown and at the System.out I see all the actions that needs to be taken correctly. The problem is that if I'll go later to one of the roles the users are still assigned to it. Any idea what I'm doing wrong here?
  try
  IRoleFactory roles = UMFactory.getRoleFactory();
  IUserFactory users = UMFactory.getUserFactory();
  IRoleSearchFilter filter = roles.getRoleSearchFilter();
  filter.setUniqueName("<My_filter>", ISearchAttribute.LIKE_OPERATOR, false);
  ISearchResult sresult = roles.searchRoles(filter);
  if ( sresult.getState() == ISearchResult.SEARCH_RESULT_OK )
       while(sresult.hasNext())
       String id = (String)sresult.next();
       IRole role = UMFactory.getRoleFactory().getMutableRole(id);
       Iterator i = role.getUserMembers(false);
       while (i.hasNext())
                       String uid = (String)i.next();
            IUser user = users.getUser(uid);
            role.removeUserMember(user.getUniqueName());
            System.out.println("Removed user: " + user.getUniqueName() + " from role: " + role.getDisplayName());
       role.save();
       role.commit();
  catch (Exception e)
       manager.reportException(new WDNonFatalException(e), false);

  Solved it!
  It needs the FQDN User ID...

• How to remove the worksets from the Top level navigation for the ESS role.

  Hi All,
  I am working on enabling and disabling certain services in the ESS worksets.
  we are using EP 7.0, ECC 6.0 (NW2004s).
  When I login as a user with ESS role, I can view the changes in the overview pages. However, the worksets are still visible in the TOP Level navigation of th poral. can anyone please explain me how to remove the workset from the Top level navigation.
  Thanks for your help
  Regards
  SM

  Hi,
  Go to the ESS role via Content Admin, then double click the workset (or page or iview) and in the drop down select navigation. Then click the <i>Yes</i> radio button of the "<i>Invisible in Navigation</i>" property.

• How to insert entities for a role and retrofit single trigger from DB

  Hi,
  before Oracle Designer replacement I would like to clarify these 2 issues:
  - how to insert entities for a role?
  - how to retrofit just a single trigger from database?
  Could somebody give a step by step advice, how to do these 2 things? Thanks!

  > um.. i don't think you could use 'create table'
  inside a pl/sql procedure.
  You are wrong. You can create table inside a PL/SQL using execute immediate. But, this is not a good practise. I think you should reconsider the logic and then use such programming code. Please read the Oracle documentation regarding execute immediate.
  Regards.
  Satyaki De.

• Selecting a single row from table control of standard transaction via repor

  Hi Experts,
  I have a requirement of selecting a single row from standard trasaction via ineractive report.
  For eg. for a given document number & item number, how can i select the specified item from transaction VA03.
  I am using call transaction to naviagate to the screen but unable to select the specified item.
  thanks in adavance for your Help.

  You mean selecting the item via BDC?
  Have you tried something like:
  perform bdc_field       using 'BDC_CURSOR'
                                'VBAP-POSNR(01)'.
  perform bdc_field       using 'RV45A-VBAP_SELKZ(01)'
                                'X'.
  or whatever your dynpro is to select the first row?

• Hyper-v cannot be installed: A hypervisor is already running: VMware Workstation and Hyper-v are not compatible. Remove the Hyper-V role from the system before running Vmware Workstation

  When I try to go to Control Panel\Programs and click on turn windows features on/off and , it shows ticks on hyper-v is removed.
  Hyper-v platform Is grayed out and When i move the mouse point to  Hyper-v platform it shows a message.
  "Hyper-v cannot be installed: A  hypervisor is already running"
  When I try to install vmware it says..
  VMware Workstation and Hyper-v are not compatible. Remove the Hyper-V role from the system before running Vmware Workstation..

  I dont feel you can do this. I have also tried what you tried and ended up with a failure.. So had to stick with vmware in one instance and for other instance hyper v... 
  For further details raise your question here http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverhyperv
  and
  https://communities.vmware.com/community/vmtn/developer/forums
  Good luck.. 

• Satellite Z830 - Remove/change single keys from keyboard

  Hi,
  some keys on the keyboard of my Z830 keyboard became sticky over time.
  Is it possible to remove single keys, try to clean it and put the key back in, or is the key glued?
  I wouldn't want to replace the whole keyboard, as most of the keys still work fine.
  Thanks

  Keyboard keys are not glued and keyboard caps can be removed. It was extremely easy on older keyboards and I have done it many times.
  I don't have experience with new keyboards but the principle should be the same.
  Take some flat plastic and try to remove keycap but be very gently.
  I think you are the first one with this question so it will be very nice if you can post some feedback or short instruction how it can be done.

• Authorization to a single Transaction

  Hi,
  I am novice in the authorization issue but i have a need that i will describe in the following lines:
  i need to atrib t-code FDTA to a single user.
  How can do that? and How can i know what users are using the t-code in a single moment
  Thank you for your answers
                         Best Regards
                                 João Fernandes

  Hi,
  glad to hear you are nearly resolved your issue.
  from my previous illustration :
  user A
  is assigned role ZA, ZB and ZC.
  role ZA contains tcode FDTA and SU53
  role ZB contains SM37 and SP02
  role ZC contains FDTA
  addition :
  user B
  is assigned role ZA only.
  there is three approach to prevent user access to a tcode:
  1. remove FDTA from role (no need to unasign role from user)
  in role ZA, tab menu, make sure that no FDTA there if you want to completely remove FDTA from that role. in this case, any user assigned by role ZA will not be able to execute FDTA. don't forget to save any changes made. after that, goto user tab and perform user comparison. Do the same way for role ZC.
  in this case user A and user B will not be able to execute FDTA.
  2. or unassign role contains FDTA from user (no need to remove tcode from role)
  if you just want user A cannot execute FDTA, from role ZA, tab user, remove user A from there, save it then hit user comparison button. do the same way for the other role assigned to A that contain FDTA (in this example above = role ZC).
  review from SU01, tab role, that role ZA and ZC is no longer been there anymore.
  in this case, only user A unable to execute FDTA. user B still able, because role ZA is still assigned to user B.
  3. from SU01, tab profile, there is powerful profile is assigned there.
  some powerful profile will give user access to many tcodes. make sure that you just maintain user access only from role, not from profile for a simplification on authorization audit. remove unecessary profile that is assigned manually, and allow only profile from role is stay there (you can recognize by profile name/ description).
  tcode SUIM will help you much to trace user-role-tcode assignemnt.
  - SUIM > transaction > executable for user (to see if user A able to execute FDTA ?)
  - SUIM > transaction > executable for role (see user A's role, and review what tcode can be executed by that role, if FDTA listed there, review that role soon! )
  I guess that you haven't perform user comparison so changes on role has not been reflected to the user master.
  or my second assumption, there is powerful profile assigned to that user.
  hope it help you.
  rgds,
  Alfonsus Guritno