Restrict Moving roles with user assignment

Hi There,
Need your help...
How to restrict moving roles from dev->QA with user assignment? (want to disable the user assignment restriction)
Thanks and Regards,
Gnanaprakasam

Unfortunately this is not the default installation setting, so you need to go into the security settings customizing and change the USER_REL_IMPORT switch to 'NO'.
This does however NOT make the checkbox disappear in the transport source system. It prevents the import in the target... so you must set it and transport it there first, then it works.
Cheers,
Julius

Similar Messages

  • Moving roles with user assignment

    Hi There,
    Need your help...
    We have roles and users created in QA for training, now we want to move roles from QA to Production with user assignment.
    Users that are created in QA for training have also been created in Production, is it possible to move the roles from QA to Production with the user assignment.
    Thanks and Regards,
    Azher.

    Table PRGN_CUST doesn't contain any entries; it is an empty table in QA.
    The USER_REL_TRANSPORT entry with value NO locks the system from TR imports with user assignment. So you have to ensure your target system (Production) does not have that entry in PRGN_CUST.
    The TR is getting created in a local change request which cannot be moved to Production.
    These TRs are created in a local change request only when you do not specify a target system/group. All you need to do is specify the "Target" while creating the TR in PFCG (the subsequent screen after you hit Create request) and release your TR via SE10. Once released, the TR will be added to the import queue of Production. You/your Basis team can import it manually via STMS_IMPORT (Extras > Other requests > Add TR, then CTRL+F11 to import). If there are any errors, please have the Basis team review the transport logs.
    P.S:  You can only transport direct user assignments of roles via PFCG transport option described in my post. In case of indirect user assignments that were created using Organizational Management (HR-Org), you will have to use transport functionality in Organizational management.
    Thanks
    Sandipan

  • Transport roles and analysis authorization with user assigned

    Hi expert,
    I am facing this problem transporting roles and analysis authorizations with users assigned. I created a transport request to move the roles and analysis authorizations from the development system to the test system, but I couldn't keep the user assignments. After the transport I have to assign all of the users manually, or create a program to fill the AGR_USER table, or is there another way?
    Thanks for your time,
    Luis

    Hi,
    In role administration, you have the following options for transporting roles:
    You can download the roles from one system and upload them into another.
    You can import the role from a remote system using RFC.
    You can transport the roles with the transport function.
    Role upload loads all role data, including authorization data, from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
    Transporting Roles with the Role Transport Function
    1. Start the role administration function by choosing Tools → Administration → User Maintenance → Role Administration → Roles (transaction PFCG).
    2. Enter the role to be transported and choose Transport Role.
    The Mass Transport of Roles screen appears. You can control the default settings for the options "Also transport single roles for composite roles" and "Also transport generated profiles for roles" using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
    You should not change the authorization profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
    For more information go through the link below:
    http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
    Regards,
    Marasa.

  • Transporting role with user assignments

    Hi Guru's,
    When we transport a role with user assignments, then in the target system the role will wipe out all the existing assignments and show the users in the original released request.
    eg. D->Q
    In dev:
    role-A has userA, userB
    In Qas;
    Role-A has UserA and userC
    ......after import of request:
    the roleA will have userA and userB
    What I have noticed is even if userB does not exist in Qas, the assignment will be reflected in AGR_USERS. A PFUD or user compare in a role does not remove the ghost entries. Is there any way to remove these inconsistencies ?
    I saw note 534010, which is applicable for UST04.
    Thank you
    Abhishek

    Hi Matt,
    Yes, I do agree this is not a best practice. However, for a particular requirement, we thought this was the best way to solve the problem. In fact, this was the first time I ever did this.
    We have a role that needs to ONLY be assigned to every person in a particular team. With more than 30 systems present (outside the production landscape, just the testing systems), we thought this would be the only fast way out rather than going into each system and assigning this role. This would also ensure unassignment of this role from any other person too.
    Any other alternative?
    Thank you
    Abhishek
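As an added illustration (example code written for this page, not SAP code and not anything posted by Julius or Abhishek): the model below reproduces, on an in-memory SQLite stand-in for the tables named in these threads (AGR_USERS, USR02, PRGN_CUST), what the two posts describe. Julius's point: a PRGN_CUST entry USER_REL_IMPORT = NO in the target prevents the import of user assignments. Abhishek's observation: without that switch, a transport carrying user assignments replaces the target role's assignment list wholesale, including users that do not exist in the target, and leaves "ghost" rows in AGR_USERS. The last function is the check a practitioner wants afterwards, a query for AGR_USERS rows with no matching user master record. The table layouts are simplified (no client, validity dates or other columns), the transport payload format and all function names are this example's own assumptions, and the sample users and roles are constructed.

```python
"""Model of a PFCG role transport that carries user assignments landing in a
target system, plus a check for ghost assignments (users in AGR_USERS with
no USR02 record). Added example; simplified tables, not a real SAP dump."""
import sqlite3


def make_system(users, assignments, prgn_cust=None):
    """In-memory stand-in for one SAP system with the three tables the
    threads talk about. Column sets are reduced to what the example needs."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE USR02 (BNAME TEXT PRIMARY KEY);
        CREATE TABLE AGR_USERS (AGR_NAME TEXT, UNAME TEXT,
                                PRIMARY KEY (AGR_NAME, UNAME));
        CREATE TABLE PRGN_CUST (NAME TEXT PRIMARY KEY, VALUE TEXT);
    """)
    con.executemany("INSERT INTO USR02 VALUES (?)", [(u,) for u in users])
    con.executemany("INSERT INTO AGR_USERS VALUES (?, ?)", assignments)
    con.executemany("INSERT INTO PRGN_CUST VALUES (?, ?)",
                    list((prgn_cust or {}).items()))
    return con


def assignments(con, role):
    """Users currently assigned to `role` in this system, sorted."""
    rows = con.execute("SELECT UNAME FROM AGR_USERS WHERE AGR_NAME = ?", (role,))
    return sorted(u for (u,) in rows)


def import_role_assignments(target, transport):
    """Apply the user-assignment part of a transport to `target`.

    `transport` is {role_name: [user, ...]} as exported from the source
    (payload format assumed for this example). Behaviour modelled on the
    thread: if PRGN_CUST USER_REL_IMPORT = NO the assignments are skipped
    (the role itself would still import); otherwise the role's assignment
    list is replaced wholesale, with no check that each user exists here.
    Returns True if assignments were imported, False if the switch blocked it.
    """
    row = target.execute(
        "SELECT VALUE FROM PRGN_CUST WHERE NAME = 'USER_REL_IMPORT'").fetchone()
    if row is not None and row[0].strip().upper() == "NO":
        return False
    with target:  # one transaction per import
        for role, users in transport.items():
            target.execute("DELETE FROM AGR_USERS WHERE AGR_NAME = ?", (role,))
            target.executemany("INSERT INTO AGR_USERS VALUES (?, ?)",
                               [(role, u) for u in users])
    return True


def ghost_assignments(con):
    """AGR_USERS rows whose user has no USR02 master record. Per the thread a
    user master comparison (PFUD) does not remove these, so look for them."""
    return sorted(con.execute("""
        SELECT a.AGR_NAME, a.UNAME
        FROM AGR_USERS a LEFT JOIN USR02 u ON u.BNAME = a.UNAME
        WHERE u.BNAME IS NULL
    """).fetchall())


def demo():
    """Replays the D->Q scenario from the thread with constructed data."""
    # Dev: Role-A has userA and userB. Export its assignments.
    dev = make_system(["USERA", "USERB"],
                      [("ROLE-A", "USERA"), ("ROLE-A", "USERB")])
    transport = {"ROLE-A": assignments(dev, "ROLE-A")}

    # QAS: Role-A has userA and userC; userB has no user master here.
    qas = make_system(["USERA", "USERC"],
                      [("ROLE-A", "USERA"), ("ROLE-A", "USERC")])
    imported = import_role_assignments(qas, transport)
    after = assignments(qas, "ROLE-A")      # userC gone, ghost userB present
    ghosts = ghost_assignments(qas)

    # Same QAS with the switch set: the import leaves assignments untouched.
    qas_locked = make_system(["USERA", "USERC"],
                             [("ROLE-A", "USERA"), ("ROLE-A", "USERC")],
                             {"USER_REL_IMPORT": "NO"})
    locked = import_role_assignments(qas_locked, transport)
    return imported, after, ghosts, locked, assignments(qas_locked, "ROLE-A")


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows both outcomes side by side: the unlocked target ends up with USERA and USERB (USERC dropped, USERB a ghost), while the target with USER_REL_IMPORT = NO keeps USERA and USERC. The ghost query is the piece worth keeping around; it is a cheap consistency check to run in the target after any role import that carried assignments.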

  • Problem with User Assigned Bundles on Win7 x64, ZCM 10.3.4

    Greetings,
    We are experiencing an issue with user assigned bundles in our environment. Specifically we are seeing the following problem on some, but not all, workstations running Windows 7 Pro x64 with ZCM 10.3.4. Some users do not get new, user assigned bundles until they log out of ZENworks Adaptive Agent, via the system tray "Z" icon, and then log back in to the agent. A simple refresh does not grab the new user assigned bundles. One has to perform this logout/login routine to get all user assigned bundles. The problem seems to be machine specific. The server shows that the missing bundles are, in fact, properly associated with the user. If the affected user logs onto a different machine, their user assigned bundles populate as expected. Any ideas?
    In addition to rebooting our ZCM servers, we performed the following on the affected workstations:
    zac unr
    zac unr -f
    zac cc
    zac reg -g
    Uninstalled/reinstalled ZENworks Adaptive Agent 10.3.4
    Deleted affected user's local machine profile
    Repaired CASA installation

    Originally Posted by spond
    Sirhw1,
    what do you see in the zmd-messages.log (set to debug level) when you
    do that initial refresh?
    Shaun Pond
    Shaun,
    The following is an excerpt from our zmd-messages.log after doing a refresh-only on an affected machine. This data was generated approximately 2 minutes after performing the refresh. Thanks for your assistance.
    [DEBUG] [04/04/2012 11:29:58.579] [3428] [ZenLinuxDaemon] [4523] [] [Sqlite] [] [objInfo.db SqliteCommand.ExecuteReader.prepare returned error: ERROR] [] []
    [DEBUG] [04/04/2012 11:29:58.579] [3428] [ZenLinuxDaemon] [4523] [] [Sqlite] [] [(objInfo.db) Throwing sqlite exception from ExecuteReader(sql, want_results, err, errMsg): (select e.id as entryId, e.localPath, d.id as descriptorId, d.name, d.value, d.owner from Entry e, EntryDescriptor d where e.id = d.entryId and e.key='registration:primaryUserInfo' and e.owner='0d6a500efee6a219c74358cb244dc2f1', True, ERROR, )] [] []
    [DEBUG] [04/04/2012 11:29:58.580] [3428] [ZenLinuxDaemon] [4523] [] [ZenCache] [] [Sqlite Exception getting object record for key registration:primaryUserInfo on attempt 1
    Type: Novell.Zenworks.Cache.Sqlite.SqliteException
    Message: Sqlite Error: 1
    Stack Trace:
    at Novell.Zenworks.Cache.Sqlite.SqliteCommand.ExecuteReader (CommandBehavior behavior, Boolean want_results, System.Int32& rows_affected) (0x00000)
    at Novell.Zenworks.Cache.Sqlite.SqliteCommand.ExecuteReader (CommandBehavior behavior) (0x00000)
    at Novell.Zenworks.Cache.Sqlite.SqliteCommand.ExecuteReader () (0x00000)
    at Novell.Zenworks.Cache.Sqlite.SqliteCommand.System.Data.IDbCommand.ExecuteReader () (0x00000)
    at Novell.Zenworks.Cache.SqliteEntryInfoProvider.GetCacheEntry (IDbConnection dbConn, System.String key, Novell.Zenworks.Cache.UserContext owner, System.Type type) (0x00000)
    at Novell.Zenworks.Cache.SqliteEntryInfoProvider.GetObjectEntry (System.String key, Novell.Zenworks.Cache.UserContext owner) (0x00000)
    [DEBUG] [04/04/2012 11:29:58.580] [3428] [ZenLinuxDaemon] [4523] [] [ZenCache] [] [Validating dbSchema...] [] []
    [DEBUG] [04/04/2012 11:29:58.582] [3428] [ZenLinuxDaemon] [4523] [] [Sqlite] [] [objInfo.db SqliteCommand.ExecuteReader.prepare::ExecuteNonQuery returned error: ERROR] [] []
    [DEBUG] [04/04/2012 11:29:58.582] [3428] [ZenLinuxDaemon] [4523] [] [Sqlite] [] [(objInfo.db) SqliteCommand.ExecuteReader.sqlite3_exec(no_want_results) returned error: ERROR] [] []
    [DEBUG] [04/04/2012 11:29:58.582] [3428] [ZenLinuxDaemon] [4523] [] [Sqlite] [] [(objInfo.db) Throwing sqlite exception from ExecuteReader(sql, want_results, err, errMsg): (create table Entry (
    id integer primary key autoincrement,
    key text not null collate nocase,
    owner text not null collate nocase,
    localPath text not null collate nocase,
    unique (key, owner));
    create table EntryDescriptor (
    id integer primary key autoincrement,
    entryId integer not null references FileEntry,
    name text not null collate nocase,
    value text not null collate nocase,
    owner text not null collate nocase,
    unique (entryId, name, owner));
    , False, ERROR, )] [] []
    [DEBUG] [04/04/2012 11:29:58.583] [3428] [ZenLinuxDaemon] [4523] [] [ZenCache] [] [Failed to create cache database file /var/opt/novell/zenworks/zmd/cache/ZenCache/metaData/objInfo.db
    Type: Novell.Zenworks.Cache.Sqlite.SqliteException
    Message: Sqlite Error: 1
    Stack Trace:
    at Novell.Zenworks.Cache.Sqlite.SqliteCommand.ExecuteReader (CommandBehavior behavior, Boolean want_results, System.Int32& rows_affected) (0x00000)
    at Novell.Zenworks.Cache.Sqlite.SqliteCommand.ExecuteNonQuery () (0x00000)
    at Novell.Zenworks.Cache.SqliteEntryInfoProvider.CreateDatabaseSchema (System.String dbPath, System.String schema) (0x00000)
    [DEBUG] [04/04/2012 11:29:58.585] [3428] [ZenLinuxDaemon] [4523] [] [ZenCache] [] [ValidateSchema() returned: True] [] []
    [DEBUG] [04/04/2012 11:29:58.585] [3428] [ZenLinuxDaemon] [4523] [] [Sqlite] [] [objInfo.db SqliteCommand.ExecuteReader.prepare returned error: ERROR] [] []
    [DEBUG] [04/04/2012 11:29:58.585] [3428] [ZenLinuxDaemon] [4523] [] [Sqlite] [] [(objInfo.db) Throwing sqlite exception from ExecuteReader(sql, want_results, err, errMsg): (select e.id as entryId, e.localPath, d.id as descriptorId, d.name, d.value, d.owner from Entry e, EntryDescriptor d where e.id = d.entryId and e.key='registration:primaryUserInfo' and e.owner='0d6a500efee6a219c74358cb244dc2f1', True, ERROR, )] [] []
    [DEBUG] [04/04/2012 11:29:58.586] [3428] [ZenLinuxDaemon] [4523] [] [ZenCache] [] [Sqlite Exception getting object record for key registration:primaryUserInfo on attempt 2
    Type: Novell.Zenworks.Cache.Sqlite.SqliteException
    Message: Sqlite Error: 1
    Stack Trace:
    at Novell.Zenworks.Cache.Sqlite.SqliteCommand.ExecuteReader (CommandBehavior behavior, Boolean want_results, System.Int32& rows_affected) (0x00000)
    at Novell.Zenworks.Cache.Sqlite.SqliteCommand.ExecuteReader (CommandBehavior behavior) (0x00000)
    at Novell.Zenworks.Cache.Sqlite.SqliteCommand.ExecuteReader () (0x00000)
    at Novell.Zenworks.Cache.Sqlite.SqliteCommand.System.Data.IDbCommand.ExecuteReader () (0x00000)
    at Novell.Zenworks.Cache.SqliteEntryInfoProvider.GetCacheEntry (IDbConnection dbConn, System.String key, Novell.Zenworks.Cache.UserContext owner, System.Type type) (0x00000)
    at Novell.Zenworks.Cache.SqliteEntryInfoProvider.GetObjectEntry (System.String key, Novell.Zenworks.Cache.UserContext owner) (0x00000)
    [DEBUG] [04/04/2012 11:29:58.587] [3428] [ZenLinuxDaemon] [4523] [] [Sqlite] [] [objInfo.db SqliteCommand.ExecuteReader.prepare returned error: ERROR] [] []
    [DEBUG] [04/04/2012 11:29:58.587] [3428] [ZenLinuxDaemon] [4523] [] [Sqlite] [] [(objInfo.db) Throwing sqlite exception from ExecuteReader(sql, want_results, err, errMsg): (select id from Entry where key='registration:primaryUserInfo' and owner='0d6a500efee6a219c74358cb244dc2f1', True, ERROR, )] [] []
    [DEBUG] [04/04/2012 11:29:58.587] [3428] [ZenLinuxDaemon] [4523] [] [ZenCache] [] [Exception getting sqlite entry id for registration:primaryUserInfo
    Type: Novell.Zenworks.Cache.Sqlite.SqliteException
    Message: Sqlite Error: 1
    Stack Trace:
    at Novell.Zenworks.Cache.Sqlite.SqliteCommand.ExecuteReader (CommandBehavior behavior, Boolean want_results, System.Int32& rows_affected) (0x00000)
    at Novell.Zenworks.Cache.Sqlite.SqliteCommand.ExecuteReader (CommandBehavior behavior) (0x00000)
    at Novell.Zenworks.Cache.Sqlite.SqliteCommand.ExecuteReader () (0x00000)
    at Novell.Zenworks.Cache.Sqlite.SqliteCommand.ExecuteScalar () (0x00000)
    at Novell.Zenworks.Cache.SqliteEntryInfoProvider.LookupEntryId (IDbConnection dbConn, System.String key, Novell.Zenworks.Cache.UserContext owner) (0x00000)
    [DEBUG] [04/04/2012 11:29:58.588] [3428] [ZenLinuxDaemon] [4523] [] [Sqlite] [] [objInfo.db SqliteCommand.ExecuteReader.prepare::ExecuteNonQuery returned error: ERROR] [] []
    [DEBUG] [04/04/2012 11:29:58.588] [3428] [ZenLinuxDaemon] [4523] [] [Sqlite] [] [(objInfo.db) SqliteCommand.ExecuteReader.sqlite3_exec(no_want_results) returned error: ERROR] [] []
    [DEBUG] [04/04/2012 11:29:58.588] [3428] [ZenLinuxDaemon] [4523] [] [Sqlite] [] [(objInfo.db) Throwing sqlite exception from ExecuteReader(sql, want_results, err, errMsg): (insert into Entry (key, owner, localPath) values ('registration:primaryUserInfo', '0d6a500efee6a219c74358cb244dc2f1', '/var/opt/novell/zenworks/zmd/cache/ZenCache/11796bbf-b14c-4f6d-9c39-a2f5a487e4b9'), False, ERROR, )] [] []
    [DEBUG] [04/04/2012 11:29:58.588] [3428] [ZenLinuxDaemon] [4523] [] [ZenCache] [] [Sqlite Exception putting file record for key registration:primaryUserInfo on attempt 1
    Type: Novell.Zenworks.Cache.Sqlite.SqliteException
    Message: Sqlite Error: 1
    Stack Trace:
    at Novell.Zenworks.Cache.Sqlite.SqliteCommand.ExecuteReader (CommandBehavior behavior, Boolean want_results, System.Int32& rows_affected) (0x00000)
    at Novell.Zenworks.Cache.Sqlite.SqliteCommand.ExecuteNonQuery () (0x00000)
    at Novell.Zenworks.Cache.SqliteEntryInfoProvider.PutCacheEntry (IDbConnection dbConn, IDbTransaction dbTransaction, Novell.Zenworks.Cache.CacheEntry entry) (0x00000)
    at Novell.Zenworks.Cache.SqliteEntryInfoProvider.PutObjectEntry (Novell.Zenworks.Cache.ObjectCacheEntry& objectEntry) (0x00000)
    [DEBUG] [04/04/2012 11:29:58.589] [3428] [ZenLinuxDaemon] [4523] [] [ZenCache] [] [Validating dbSchema...] [] []
    [DEBUG] [04/04/2012 11:29:58.590] [3428] [ZenLinuxDaemon] [4523] [] [Sqlite] [] [objInfo.db SqliteCommand.ExecuteReader.prepare::ExecuteNonQuery returned error: ERROR] [] []
    [DEBUG] [04/04/2012 11:29:58.590] [3428] [ZenLinuxDaemon] [4523] [] [Sqlite] [] [(objInfo.db) SqliteCommand.ExecuteReader.sqlite3_exec(no_want_results) returned error: ERROR] [] []
    [DEBUG] [04/04/2012 11:29:58.590] [3428] [ZenLinuxDaemon] [4523] [] [Sqlite] [] [(objInfo.db) Throwing sqlite exception from ExecuteReader(sql, want_results, err, errMsg): (create table Entry (
    id integer primary key autoincrement,
    key text not null collate nocase,
    owner text not null collate nocase,
    localPath text not null collate nocase,
    unique (key, owner));
    create table EntryDescriptor (
    id integer primary key autoincrement,
    entryId integer not null references FileEntry,
    name text not null collate nocase,
    value text not null collate nocase,
    owner text not null collate nocase,
    unique (entryId, name, owner));
    , False, ERROR, )] [] []
    [DEBUG] [04/04/2012 11:29:58.591] [3428] [ZenLinuxDaemon] [4523] [] [ZenCache] [] [Failed to create cache database file /var/opt/novell/zenworks/zmd/cache/ZenCache/metaData/objInfo.db
    Type: Novell.Zenworks.Cache.Sqlite.SqliteException
    Message: Sqlite Error: 1
    Stack Trace:
    at Novell.Zenworks.Cache.Sqlite.SqliteCommand.ExecuteReader (CommandBehavior behavior, Boolean want_results, System.Int32& rows_affected) (0x00000)
    at Novell.Zenworks.Cache.Sqlite.SqliteCommand.ExecuteNonQuery () (0x00000)
    at Novell.Zenworks.Cache.SqliteEntryInfoProvider.CreateDatabaseSchema (System.String dbPath, System.String schema) (0x00000)
    [DEBUG] [04/04/2012 11:29:58.593] [3428] [ZenLinuxDaemon] [4523] [] [ZenCache] [] [ValidateSchema() returned: True] [] []

  • Restrict the role of User Administrator

    Hello all,
    I need to know if it is possible to restrict the role of a User Administrator to assigning only a specific set of roles to the end user.
    For example : The user administrator should be able to assign only say Managers, Employees Roles to the Users and not any other roles like Super Administrators etc.
    If so, how can we achieve that?
    Regards
    Avik

    There is an authorization object (combined with a parameter) that does this restriction:
    S_SPO_PAGE
    Definition
    Using authorization object S_SPO_PAGE, you can restrict the maximum number of pages of a request that can be printed on a particular printer.
    This authorization check is only active if profile parameter rspo/auth/pagelimit is set to 1.
    Defined fields
    SPODEVICE       Device name for which the restriction is to apply.
    SPOPAGES        Maximum number of pages allowed; enter a range (0 to n) here

  • Fail to create roles with users in LDAP

    I installed and configured two Directory Services one for AM and one for identity. I created an LDAP Data Store for the root realm and can see the LDAP users in the Subjects->User tab in AM. I can create Subjects->Groups and add LDAP users successfully, but I cannot create Subjects->Roles with LDAP users. I get the following error:
    Plug-in com.sun.identity.idm.plugins.files.FilesRepo: Unable to find entry: C:\SFU\app\ironscale\amserver\idRepo\user\awhite
    Any ideas? I also found it odd that my new Group was created in the FileRepo under idRepo/group. I thought it would have been written to the AM DS.
    I deleted the flat file Data Store and the Group/Roles tabs disappeared. Must I import additional LDIFS to my LDAP Identity DS to store roles and groups it that DS?

    Update.
    I deleted the LDAPv3 Plug-in Supported Types and Operations values group, user, and role, based on Sun's Access Manager training class examples. I re-added them and deleted the File Data Store, and groups now get created in the LDAP Identity repo. However, when I create a role and add users the operation successfully completes, but I cannot find the roles using an LDAP browser. I can grep the role name from the LDAP database and the roles remain after restarting the DB and AM. It appears AM is adding roles in a way other tools cannot see them.

  • Single role that belongs to a composite role with user

    HI,
    Is there an option where users belong to a single role and also belong to composite roles (that include the single role)?
    BR
    Nina

    Is there an option where users belong to a single role and also belong to composite roles (that include the single role)?
    A single role is created in PFCG, where you assign the role name and save it as a single role; then, after the t-codes have been provided, the user is assigned accordingly.
    A composite role is the same, except that it contains many roles in one, and similarly the user is assigned.
    Thx
    Mysterious

  • Room role and user assignment

    Hi,
    We are on EP6 SP10 and have a strange issue involving collaboration rooms. We are using an MS-AD UME.
    Now, after changing from one LDAP to another, some users are displayed as LDAP IDs in the rooms while some are not; those are displayed properly with the name itself.
    Why is this so? Is this because they have been deleted in the LDAP but not in the room, something like that?
    Also there is no way to remove these IDs from the room; this generates a runtime error.
    Any help on this would be appreciated.
    Regards
    Vineeth

    Hi Vineeth,
    Why is this so? Is this because they have been deleted in the LDAP but not in the room, something like that?
    Sounds reasonable, if this is in fact your situation.
    Also there is no way to remove these IDs from the room; this generates a runtime error.
    You could try to remove the users from the corresponding group via the UME. For each room, there is a group created in the UME with the name "ROOM_[roomname]_MAIN" and the ID "ROOM_[roomid]_MAIN". Open that group and try to remove the user entries in question from there.
    Hope it helps
    Detlev

  • Assign single role to composite role with alternate logsys assignments

    Dear gurus,
    In a moment of weakness I created a composite role (shame on me) and then noticed something about them which I had not noticed before... -> I was in a CUA master system and in the composite role I noticed that on the (single) roles tab of it, there was a field called "logical system". But it is greyed out.
    Now composite roles from the child logical systems are known to the CUA master system and have a logical system assigned by the text comparison. Assigning the composite in the master system will assign the composite in the child system and that assigns the local single roles in the child system as well -> so far so good and by the book.
    But is there some way to assign a composite role to a user in the master system which is assigned also to the master system, but the single roles of that composite have logical systems which differ from the logical system of the master system? So basically the field is not greyed out in the central composite roles and this composite role then represents an assignment beyond logical system boundaries - much like a "business role" in IDM.
    Has anyone ever done that before and survived? Any pros and cons? Is it at all possible what I am seeing here before my eyes (bar that the field is greyed out)?
    Cheers,
    Julius

    Hi Martin and others,
    I experimented a bit further with this, albeit rather unsuccessfully from the view of useful results.
    While the "target system" field is intended for navigation to the corresponding trusted RFC connection, it is also possible to turn the user menus off. So such a remote role is not going to go anywhere in navigation. If additionally the CUA is active and you create all the target system single roles in the CUA master system as well and assign them to the "target" they are intended for... then the single role menu is transferred to the child system which the role has as a target. But only the menu, and leaves the role in the target as status red. That also means it is only useful for component neutral roles.
    Now comes the hack: If you create a composite role in the master system with local single roles as well but the single roles are assigned to "targets destinations", then when assigning the user to the composite role in the master system, then it also assigns the single roles in the target systems to the user as well as the local system (the master as a child of itself). So it is in fact a halfway business role in the IDM sense, with some naming convention strings attached.
    You also don't see this in the code of SU01, as the USERCLONE IDoc processing seems to be the guilty one that also sends additional IDocs for these single roles with targets assigned to the roles and not the user.
    There is only one major show-stopper in the design of the thing: You can only assign 1 target RFC connection to a single role in the central CUA master system but have to maintain the roles in the target logical system still. That means that roles must be maintained logical system specifically. That also means that you have to maintain the roles directly in production and have a completely different set for development and never transport any roles. They are as unique as their CUA master system "target destination" value and that is the logical system name as well.
    That is a bit of a bummer because it means that you also cannot ever test anything...
    Did anyone ever try to actually use this?
    Cheers,
    Julius

  • Restriction in roles

    Hello Gurus,
    I am working on an SLO project. There are 5 systems and all need to be merged.
    Each and every system has its respective roles. Now I need to bring all roles into the target system and restrict the roles with respect to their system.
    I am trying to restrict the roles with the organisational levels present.
    Is there any more restriction that needs to be done?
    please provide some inputs.
    Thanks,
    Sanketh.

    Hi Sanketh
    If that is your remit then it looks like your project management have not scoped the activity properly and they have left you to pick up the pieces.
    It sounds like you are doing the right thing for the custom developments, though you will end up with additional work with the * in the org levels.
    If you need to restrict each role set to only be able to see its own data:
    1. Get the project to deliver you an organisational matrix listing all the org level elements that belong to each company. You can get the org levels from table USORG. Insist that this is provided as one of their deliverables and provided ASAP.
    2. ID all the org levels that are not relevant and you can keep a * in
    3. Using the org level matrix you can now start to work on the roles to make sure that the roles only contain the org data for that company.  If company x has a certain list of company codes then you need to maintain all those
    4. Remove access to view tables & directly execute programs
    5. Remove access to SQ00 or SQ01
    Are you responsible for maintaining this after go-live?  If so then you really need to start to assess that the roles support the functional scope of the to-be systems.  Get the updated roles included in the cutover testing so that you can get validation that you have done what was asked and it tested OK before they are deployed into live.
    I can't send any docs as previous work is either covered under client confidentiality arrangements or is our intellectual capital.  I am more than happy to provide feedback on here though.
    Good luck!

  • SECATT - Mass creation of users with different assigned roles

    Hello! I've been tasked with creating an eCATT to do a mass creation of users, and each user will have a different role assigned (besides the general roles). We're doing this to test out the different roles we have created. I've done some searching through the forums and found some different ideas, but I'm not sure they are exactly what I need. One suggestion was to use SU10 to make the role assignment, but I'm guessing I would still need to set up a parameter for each role, so I would initially need to know how many roles would be entered. I would like the eCATT to be able to handle assigning multiple roles to a user, with each user possibly getting a different number of roles. Would anyone be able to suggest a way to assign different roles to different users through an eCATT?
    Thank you!

    Hi Wendy,
    To create users, maybe SU01 or SU10 can be used.  To assign users to a role, maybe you can try with PFCG.
    SU01 and SU10 have the view from the user - for each user, different roles can be selected and assigned to that user. 
    PFCG has the view of roles - for each role, different users can be selected and assigned to that role. 
    Hence if you know which roles should be assigned to which users, PFCG might be easier.
    Hope such information is helpful for you.
    Kind Regards, Qian

  • Report to see list of roles with no user assignment

    Hi Gurus,
    I need to know the transaction/report where I can see the list of roles which don't have any user assignment.
    Pls help me

    Hi,
    To search for roles with no user assignment you can run report RSUSR070: execute transaction SA38, enter the report name in the Program field and click Execute. You get "Roles by Complex Selection Criteria"; scroll down and, under "Selection according to user assignments", select "Without user assignment" and click Execute. You will get the roles with no user assignments.
                          Thanks and regards

  • List of Portal users with the assigned Roles.....

    Hello All,
    I am working on EP6 SP9 and want to know from where can I get a list of all Portal users along with the assigned roles for each of them.
    One way I found is by searching for all users in User Administration role and along with the searched users, there is also an icon for Assigned roles.
    Apart from the above mentioned way, is there any other way by which I can get a direct list of the same. Is there a Java sample code for this.....?
    Please help.
    Awaiting Reply.
    Thanks and Warm Regards,
    Ritu R Hunjan

    Hi Ritu,
    Yes it is possible to get the roles of the users. You can try the following java code.
    package com.hcl.user;

    import java.util.Iterator;
    import com.sap.security.api.IRole;
    import com.sap.security.api.IRoleFactory;
    import com.sap.security.api.IRoleSearchFilter;
    import com.sap.security.api.ISearchResult;
    import com.sap.security.api.IUser;
    import com.sap.security.api.IUserAccount;
    import com.sap.security.api.IUserFactory;
    import com.sap.security.api.UMFactory;
    import com.sapportals.portal.prt.component.AbstractPortalComponent;
    import com.sapportals.portal.prt.component.IPortalComponentRequest;
    import com.sapportals.portal.prt.component.IPortalComponentResponse;

    public class role_member extends AbstractPortalComponent {
        public void doContent(IPortalComponentRequest request, IPortalComponentResponse response) {
            try {
                IUserFactory userfactory = UMFactory.getUserFactory();
                IRoleFactory rolefactory = UMFactory.getRoleFactory();
                // An empty filter matches every role; cap the result size so a large UME
                // does not produce an unbounded search.
                IRoleSearchFilter rolefltr = rolefactory.getRoleSearchFilter();
                rolefltr.setMaxSearchResultSize(2000);
                ISearchResult result = rolefactory.searchRoles(rolefltr);
                while (result.hasNext()) {
                    // searchRoles() returns unique IDs, not role objects
                    String uniqueid = (String) result.next();
                    IRole role = rolefactory.getRole(uniqueid);
                    // One table per role: header row is the role name, one row per member
                    response.write("<table border=0>\n");
                    response.write("<tr><td bgcolor=Red>" + role.getDisplayName() + "</td></tr>\n");
                    // true = also resolve users that are members via nested groups
                    Iterator users = role.getUserMembers(true);
                    while (users.hasNext()) {
                        String unique_user = (String) users.next();
                        IUser user = userfactory.getUser(unique_user);
                        IUserAccount[] account = user.getUserAccounts();
                        // A user may have no logon account; skip it rather than fail
                        if (account.length > 0) {
                            response.write("<tr><td>" + account[0].getLogonUid() + "</td></tr>\n");
                        }
                    }
                    response.write("</table>\n");
                    response.write("<br/>\n");
                }
            } catch (Exception e) {
                response.write("Error listing role members: " + e.getMessage());
            }
        }
    }
    This code gives you the list of all the users of your portal along with the roles assigned to them.
    Apart from this if you want you want to know all the roles assigned to the user on portal itself then the way you mentioned is the correct method.
    Regards
    Pravesh
    PS: Please consider awarding points.

  • Restricting administrator tab to user created with default role OIM 11g R2

    Hi,
    I have a query: if we create a user in OIM 11g R2 without any admin role and then log in to the Self Service screen (Identity) with the newly created user, we can see that the Administration tab is visible to the user.
    Does this mean that by default the user has an admin role assigned to him to do some of the admin activities?
    Please let me know how to control this behavior and not show the Administration tab to the user unless he has some admin roles assigned to him.
    Please help.

    You can hide the Administration tab for normal users using ELs. By default users will get this tab when they log in to the identity console even though no admin role is assigned to them. But if you do any operation on any users, a request will be raised accordingly.
    Check this link to configure ELs: http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/uicust.htm#autoId18
