Revoke roles from users

I want to revoke a number of roles from users. What I found is that if one or more roles were not granted to the user before, then the whole 'revoke' statement will fail, i.e. the granted roles will not be revoked from the user. Is there a way to let the statement revoke the granted roles even though there may be some roles that were not granted? For example:
REVOKE role1,role2,role3 from user;
I want to revoke role1 and role2 even though role3 was not granted to the user.

Why don't you test this yourself?
satyaki>select * from v$Version;
BANNER
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Prod
PL/SQL Release 10.2.0.3.0 - Production
CORE    10.2.0.3.0      Production
TNS for 32-bit Windows: Version 10.2.0.3.0 - Production
NLSRTL Version 10.2.0.3.0 - Production
Elapsed: 00:00:00.98
satyaki>create role r1;
Role created.
Elapsed: 00:00:01.80
satyaki>GRANT select  ON emp   TO r1;
Grant succeeded.
Elapsed: 00:00:00.51
satyaki>create role r2;
Role created.
Elapsed: 00:00:00.02
satyaki>grant update on emp to r2;
Grant succeeded.
Elapsed: 00:00:00.05
satyaki>grant r1 to hr;
Grant succeeded.
Elapsed: 00:00:00.17
satyaki>grant r2 to titan;
Grant succeeded.
Elapsed: 00:00:00.07
satyaki>revoke r2 from hr;
revoke r2 from hr
ERROR at line 1:
ORA-01951: ROLE 'R2' not granted to 'HR'
Elapsed: 00:00:00.12

Regards.
Satyaki De.
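
An added example, not part of the original thread: one way to get the behaviour asked for is to issue one REVOKE per role from PL/SQL and treat ORA-01951 as a skip. The grantee HR and the roles R1, R2, R3 are constructed sample names, and the block assumes the caller is allowed to revoke them and can query DBA_ROLE_PRIVS.

```sql
-- Added example (not from the original thread).
-- HR, R1, R2, R3 are constructed sample names.
SET SERVEROUTPUT ON

DECLARE
  TYPE t_names IS TABLE OF VARCHAR2(30);
  c_user  CONSTANT VARCHAR2(30) := 'HR';          -- constructed grantee
  v_roles t_names := t_names('R1', 'R2', 'R3');   -- constructed role list

  -- Map ORA-01951 (role not granted to grantee) to a named exception
  role_not_granted EXCEPTION;
  PRAGMA EXCEPTION_INIT(role_not_granted, -1951);

  v_revoked PLS_INTEGER := 0;
  v_skipped PLS_INTEGER := 0;
BEGIN
  FOR i IN 1 .. v_roles.COUNT LOOP
    BEGIN
      -- One REVOKE per role, so a missing grant fails only this statement.
      -- DDL cannot take bind variables, so the names are concatenated;
      -- DBMS_ASSERT.ENQUOTE_NAME quotes them and rejects input that would
      -- break out of the quoted identifier.
      EXECUTE IMMEDIATE
        'REVOKE ' || DBMS_ASSERT.ENQUOTE_NAME(v_roles(i)) ||
        ' FROM '  || DBMS_ASSERT.ENQUOTE_NAME(c_user);
      v_revoked := v_revoked + 1;
      DBMS_OUTPUT.PUT_LINE('revoked ' || v_roles(i));
    EXCEPTION
      WHEN role_not_granted THEN
        -- Role was never granted to this user: record it and carry on
        v_skipped := v_skipped + 1;
        DBMS_OUTPUT.PUT_LINE('skipped ' || v_roles(i) || ' (not granted)');
    END;
  END LOOP;
  DBMS_OUTPUT.PUT_LINE(v_revoked || ' revoked, ' || v_skipped || ' skipped');
END;
/

-- Check the result: none of the listed roles should remain granted
SELECT granted_role
  FROM dba_role_privs
 WHERE grantee = 'HR'
   AND granted_role IN ('R1', 'R2', 'R3');
```

Only ORA-01951 is swallowed; any other error still stops the block, so a mistyped role or user name is not silently ignored.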

Similar Messages

  • Unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest

    unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest

    Hi,
    For SU01 role removal, you do not need S_USER_AGR with 02, and as you mentioned both authorizations available in production, if so trace should not show you the S_USER_AGR with 02 with RC=04.
    I would recommend doing a role comparison for the user performing the activity, and then checking if you have the S_USER_AGR with 02 in user buffer SU56.
    But ideally it should not ask you S_USER_AGR for 02 through SU01, so please take the help of an ABAPer to debug it.
    Also put trace in non-prd to see if S_USER_AGR is getting checked with 02 for removal through SU01.
    BR,
    Mangesh

  • Mass deletion of roles from users

    I want to delete all roles from locked users. Is there a specific transaction for this instead of SU10? In SU10 one has to enter the roles to remove.

    We developed our own application which locks users after a while, then removes their role assignments after a while, and then lists roles which no longer have any assignments or no one is using anything which the role authorizes.
    This way you can optimize / automate periodic controls.
    There is no standard monitoring cockpit for this, but you can use declarative system params to destroy password based authentication.
    The real trick with periodic controls is to target the sample before you unassign and destroy roles, but the ability to do that depends on how you build the roles.
    Disclaimer: If you use composite roles then you have no chance. You are doomed.. ;-)
    Cheers,
    Julius

  • Remove role from user

    Hi, how do I remove a role from a user when he is terminated or disabled?
    I am assigning a role in the following way during creation with the help of a rule:
    <setvar name='newuser.waveset.roles'>
    <filterdup>
    <appendAll>
    <ref>accounts[Lighthouse].roles</ref>
    <s>General-Provision-Role</s>
    <rule name='Get Location Role'>
    <argument name='LocationCode' value='$(newuser.global.LocationCode)'/>
    </rule>
    </appendAll>
    </filterdup>
    </setvar>
    How do I remove this role on termination of the user?

    We are looking for a way to automate the removing of a user (US) or role (AG) from a position (S).
    There is a report called RHGRENZ2 which can be used to delimit specific OM infotypes (like IT1001 - Relationships) specifying the end-date and Position ID (Object Type S and Object ID = Position) manually. In your case, I believe IT1001's Relationship A008 and B007 have to be delimited in order to remove a user (US) or role (AG) from a position (S), but this report cannot be run for specific relationship types of IT1001 (at least I never found an option to filter based on relationship types).
    You can try using report RHRHDL00 to delete IT1001 relationships from PP Database, but you should consider the consequences of such deletions and restrict the selection based on infotypes and relationship types carefully.
    Alternatively, you can also build a LSMW script to automate the process of mass delimit/deletion of IT1001's relationship types using transaction PP02 (PP01 is not compatible to BDC/background processing)
    Thanks
    Sandipan

  • Remove roles from users

    Hi All,
    I would like to ask what can I do if I would like to remove multiple roles from ALL users in the system?
    Normally, for a list of users , I use SU10 to do it.
    However, since there are 1 thousand something users in the system, is there a more efficient way to do it?
    Thanks for your help.
    Regards,
    Chris

    Thanks.
    I would say, in my case, it's best to use PFCG since I only need to remove 3X something roles from them. (I don't know which users have those particular roles, the only thing I need to do is to make sure that the 3X roles have no corresponding users).
    Thanks again !
    Regards,
    Chris

  • Mass deletion of SAP roles from users

    Hello All,
    I need to delete all assigned roles from a big number of users. I know the users but not the roles which the users have. I need to delete all roles from the user IDs.
    I know SU10 and I can select all my needed users. But in the role tab I cannot work with role names like Z* to delete. I can select all Z* roles and select "remove", but when I click save, I get the message that no changes were made to the users???
    Any idea?
    Regards
    Toni

    Hi David.
    David Berry wrote:
    I take it this is being run in PRD? What checks are being carried out during the table entry deletions and are you 100% happy sitting at your keyboard when pressing the 'run' button?
    Changes are made in PRD. The program was tested and is approved by each customer.
    Is there an easy way back to the previous state should it go wrong and how do you explain it to the auditors if needed that you assigned-number of roles in PRD against your own user ID possibly with no CDHDR/CSDPOS entries to back you up.
    Sorry for the 'negative vibes' but I don't like direct table maintenance in PRD for security.
    Best wishes
    David
    The way back is uploading the old role assignment previously exported from AGR_USERS. The program takes an excel sheet. In addition this excel sheet is attached to the change requests.
    From risk perspective we say (and experienced): mass changes through copy and paste lead to much more errors and faulty authorizations.
    Regarding direct table maintenance: standard function modules are used (like the one mentioned above) and the changes are visible in the change documents. Therefore the auditors grant an exception for using such tools.
    Cheers, Tobias

  • Fetch Admin Roles from User Object

    Hi,
    I have user object from which I need to fetch name of all Admin roles a user is having.
    I tried this method - getExpandedAdminGroupRefs() but it's returning null.
    getAttribute method works fine with <s>firstname</s>
    <invoke name='getExpandedAdminGroupRefs'>
    <ref>userObj</ref>
    </invoke> --> null
    Along with this I also need all IDM capabilities that user is having and managed organizations.
    Can anyone help.
    Thanks in Advance :)

    Hi
    Not sure exactly where you are doing this from but there are reports in SIM that give you this information without writing any code.
    Admin role report
    Administrators report.
    If this doesn't suit you, you could look at the code that runs these reports and maybe answer your code question there.
    Cheers

  • How to revoke everything from a user when opening a new session.

    HI,
    I am using oracle 10g Express Edition and SQL Developer.
    I have 2 users, 2 database connections in my SQL Developer.
    First user is Oracle and its database connection is called TCF.
    Second user is SMITH and its database connection is called TCF_SMITH.
    Oracle user has privileges to do anything.
    SMITH user has no privileges except for CREATE SESSION.
    What I am trying to achieve is assign a user to a role (this role will have grants to select, insert, update from tables) for the current session (this step is successful), and then revoke the role from that user (set it back to its default/or revoke everything from it) if opening another session, or session has been terminated (what I am trying to achieve).
    From TCF I was able to do the following:
    CREATE synonym SMITH.EMP_IOD FOR EMP_IOD;
    CREATE ROLE TCF_I;
    GRANT SELECT, INSERT, UPDATE ON EMP_IOD TO TCF_I;
    GRANT TCF_I TO SMITH;
    In TCF_SMITH
    SMITH has the same privileges as TCF_I.
    so, smith now can select, insert , and update from EMP_IOD table.
    If I open another TCF_SMITH session, and select * from EMP_IOD I should not be able to see any of the records.
    I am trying to make this session base only. Unfortunately when opening another session I am able to select, update and insert records in the new session.
    Is there a way to make this session based ?
    How can I revoke everything from user SMITH from TCF connection ?
    Thanks,

    Oh My Good Lord!
    Rooney,
    What are you attempting to do ?
    In programming anything can be achieved, but there are specific tools to solve specific problems.
    I think you are trying to use a fork to paint a wall (if painting the wall indeed is your requirement).
    The "need" as you say...
    "The need for this is to grant the user different roles each time the user logs in.
    For example I can log in 5 different times in one week with a different role each time.
    Monday I could have access to X,Y,Z,
    Tuesday I could have access to X,A,B
    Wednesday I could have access to A,B,C."
    ... is to solve WHAT PROBLEM?
    Please describe your original requirement , not what you think should be the solution/tool to satisfy the requirement.
    In your previous thread you "solved" privilege/role problem by creating SYNONYM. That does not compute at all.
    Re: database roles seems like its not working for me - your help is appreciated
    Think about it. We are here to help each other as best we can.
    Please read more about Oracle capabilities and "tools" it provides.
    http://tahiti.oracle.com/
    Especially the Oracle Concepts Guide ...
    http://download.oracle.com/docs/cd/B14117_01/server.101/b10743.pdf
    Also, please take time to respond as "helpfully" as possible. each response from you should take you closer to the solution.
    Hopefully, your original requirement will be solved.
    vr,
    Sudhakar B.

  • How do you hide Excluded Roles from the End User (8.1) ?

    We have 2 Business Roles: Employee and Contractor. They are excluded from each other, meaning if you have one of the roles, you cannot be assigned the other role.
    When a user logs into 8.1 to the OOTB "Update My Roles" WF, they see their Available Roles for selection.
    These available roles listing includes the excluded roles.
    So when a user with the Contractor role logs in, they see the Employee role as an available role.
    If the Contractor user tries to add the Employee role, they will get an error due to the role exclusion.
    I know it is possible to hide the excluded roles from the end user, but don't know how.
    Does anyone know how to hide the excluded roles from users?
    Thanks.

    Hi
    I may have misread your first comment but I totally agree with your response.
    If the user has capabilities over multiple organizations it will show all roles, whether exclusion or not. (Been confirmed that this is how it is designed to work)
    What could be done is, when selecting a user in a specific organization, you could have a rule that only shows the Business roles that are associated with that organization. So although you have the capabilities over all organizations, you only see the roles that are available to the organization of the user you are updating.
    An idea anyway
    Ian

  • Revoking roles in a trigger

    I am trying to revoke a role in a DB level trigger. I am using 'execute immediate' to do this. I have also tried to do it the old fashioned DBMS_SQL.PARSE way. When the trigger fires I get this error: ORA-04092: cannot COMMIT in a trigger. I understand that these DDL statements do commits inside of them. Can someone please give me an idea on how to revoke roles from a user from a DB level trigger? Thanks.

    DDL operations do an implicit commit, so you cannot execute them in trigger, even via dynamic sql
    You can call a procedure which starts autonomous transaction and put necessary code in this procedure

  • Pull User Role from identity manager in BPM process

    Hi,
    How can I pull user name, user role from different identity manager in order to configure hierarchy workflow in BPM process? can any one guide me on that??
    Regards,
    Amik

    I'm having the same problem on WebLogic 10.3

  • Receiving an error when trying to remove P00 Security role from the user

    Hi All,
    I am receiving an error when trying to remove P00 Security role from the user.
    After logging on to GRC CUP, clicking on “Create request”, and filling out required information,
    I click on Select Roles/Groups
    On the next screen,
    I click on Existing Roles/Groups
    ERROR MESSAGE appears X Action failed and no roles appear in the box to select for removal.
    Regards,
    Vineet

    Hi Vineet,
    Maybe your selection is incorrect.
    Try this:
    In Application Area -- Select ALL
    Functional Area -- Select ALL
    Company -- Select ALL
    Role/Profile/Group Names -- Give p00* and execute the report
    If you give only p00 it won't give any result.
    Hope this helps
    Thank you,
    Kishore

  • Hiding specific Roles from specific users

    Dear All,
    Is there any way in the database to hide a role from a user? For instance, if I create a role, then this role can be viewed by all the users defined in the database and then these users can grant privileges on their own objects to such a role. I want to create a Role which certain users cannot see and should not be allowed to grant any privileges to...
    is this possible....
    Thanks
    Bil

    "For instance, if I create a role, then this role can be viewed by all the users defined in the database"
    No, I do not think so. Roles are only "visible" to powerful users that have access to the dictionary.
    SQL> create role SECRETROLE123;
    Role created.
    SQL> grant create session to SECRETROLE123;
    Grant succeeded.
    SQL> grant select on scott.emp to SECRETROLE123;
    Grant succeeded.
    SQL> grant recovery_catalog_owner to SECRETROLE123;
    Grant succeeded.
    SQL> grant update (sal) on scott.emp to SECRETROLE123;
    Grant succeeded.
    SQL> conn blake/paper                                              
    Connected.
    SQL> select * from dba_roles;
    select * from dba_roles
    ERROR at line 1:
    ORA-00942: table or view does not exist
    SQL> select * from role_tab_privs;
    no rows selected
    SQL> select * from role_sys_privs;
    no rows selected
    SQL> select * from role_role_privs;
    no rows selected
    However, you cannot that easily prevent a user from granting a table privilege on its own table to a role:
    SQL> grant all on t to secretrole123;                            
    Grant succeeded.
    SQL> select distinct grantee from user_tab_privs;
    GRANTEE
    SECRETROLE123
    Perhaps you can set up a database trigger.
    Message was edited by:
    Laurent Schneider

  • Accessing Users In NW Roles from MII

    We are using 12.1. Is there an easy way from MII to get a list of all the users that are in an SAP NW role?  For example, if a certain event occurs I want to e-mail everyone in a particular role from an MII transaction.  How do I get the list of users that are in the role?
    Thanks,
    Mike

    Jeremy,
    Thanks for the help.  This almost gets me there.  If I do this
    http://servernamehere/XMII/Illuminator?Service=SystemInfo&Mode=RoleList&Content-Type=text/xml
    from a browser it works fine (I see XML that has what I need).  If I do the same thing from an XML Loader action in an MII transaction I get the following error:
    "The markup in the document following the root element must be well formed."   "XML Document cannot be loaded."
    I need to be able to get to this info from within a transaction.
    Thanks,
    Mike

  • How revoke quota from a user?

    After 'grant' unlimited quota on <tablespace> to a user, it isn't possible to 'revoke' this 'unlimited quota'.
    In EDIT USER, on the QUOTAS tab, after unmarking UNLIMITED, nothing happens...
    Any work around?

    You'll have to use the SQL Worksheet to manually revoke the privilege. When you uncheck other roles or privileges, the revoke syntax is created, but not in this case.
    I've reopened the bug on this.
    Sue
    PS. Jim, if you right click on a user in "Other Users", and edit the user, you can add and revoke roles and system privileges.
