Role Deleted - Profile remains on User record

Similar Messages

• Standred Roles and profiles for OSS Connection User

  Dears,
  We open OSS connections several times for SAP support in which we also provide login credentials to SAP to login in our system.
  Is there any standred roles or profile for this user in QAS and PRD that we can give to maintain our servers confidentiality.
  Please suggest.
  Shivam

  Not really. A note related to your question popped up in a previous discussion:Re: Exclude T-code from SAP all
  > If you take a look at [SAP Note 1118396 - Roles for support activities|https://service.sap.com/sap/support/notes/1118396] you will see this explained nicely...

• After BI 7.0 Upgrade, Roles and profiles are not visible

  Hi Gurus,
                                We have issue with the roles and profiles, all our users doesnt see any roles or profiles in Bex Analyzer, under there user access after BI 7.0 Upgrade. 
                                 When I go and check there profile in SU01 and I can see all roles are assigned but not able to see in the Bex Analyzer reporting tool.
                                 Do we need to do any configuration settings after BI 7.0 upgrade to visible roles. This problem with every user.
                                 Your help will be really appreciated.
  Thanks
  Ganesh Reddy.
  Edited by: Ganesh Reddy on Oct 22, 2009 5:19 PM

  Hi Mohan/Vijay,
                          Sorry for little bit late. I have all authorization roles access, and users dont have that access. Difference between our roles is I have SAP_ALL and SAP_NEW.
                          But when they login with old bex analyzer they can see all roles, but not with new bex analyzer.
                          Please some suggest me still I need to run SU25.
  Thanks
  Dayaker Reddy.
  Edited by: Ganesh Reddy on Oct 26, 2009 10:19 AM

• HOW MANY ROLES ARE ELGIBLE FOR THE USER

  hello gurus,
  how many roles can we assign to the user... what is the maximum limit of the roles  and profiles for the user.
  thanks in advance!
  sri

  Dear Srinivas,
  About roles it's indeed not to easy to tell..just imagine the scenario:
  1. Maximum number of profile is 312 ... (however due to some known bug system reads about 300). So, let's say 300 profile maximum can be assigned to an user
  2. Now you can have single ABAP role which generally one-to-one to profile. So, this theory says if you are only assigning single ABAP roles, you can assign maximum 312 (or 300) roles.
  3. But, you might also have Composite ABAP role. A composite ABAP role can have one or more Single/Composite ABAP role. So, one Composite ABAP role can correspond to any number of Profile which is determined by number of individual Single roles under than composite role. So, when you are assiging Composite ABAP role, you have to take care underlying number of profiles and make sure total does not exceed 312 (or 300 without note correction)
  4. Now, last part of complication (and my favourite one). Sometimes, there is an empty Role which does not have any ABAP authorization assigned to it. But, this type of roles are used to map a authorization role in JAVA system. These roles does not have any Profile (as it does not have any ABAP authorization). Now, that brings my confusion ..What happens you assign 300 ABAP profiles via ABAP Roles and another 20 empty role for JAVA system without profile. You see my point
  Hope this clarifies a bit
  Cheers !!
  Satya.

• Tcode authorization without any role or profile

  Hi Experts ,
  Can you please suggest on authorization issue , if observed that one Tcode not given in to any roles or profile but some user still using this authorization.
  When I checked role and profile for such user using the SUIM still it shows no data.
  So is there any other way to assign direct Tcode without using any role or profile.
  Thanks in advance .

  not sure how you are using SUIM to check, just to be sure, use the complex selection method or the authorization values method. the by transaction method only check for transactions that were added via the menu.
  look for object= S_TCODE, value=(the transaction code)
  SUIM will then calculate if the transaction code was added manually and as part of a wild card or a range.
  i.e. if the transaction was MM02 it will be accessible if the S_TCODE had
  wild card value M*, MM*, MM0* or
  range value A*-Z*
  Otherwise, it is possible that it was called indirectly and the BADI does not perform a S_TCODE check.

• Developing security Roles and profiles

  Hi Team,
  Can you guys let me know how to develop security roles and profiles. We are rolling out for a company in Japan, and the congif is completed. We are in the process of developing test cases ans also security roles and profiles for users? Can somebody guide and help me on this?
  Regards,

  Hi,
  Use Tcode = PFCG -->then create any customized roles and profiles for any users on module based.
  user masters: USR01 to 09, UST04,
  profiles: USR10, USR11, UST10S, UST10C,
  authorisations: USR12, USR13, UST12.
  password exceptions USR40.
  History tables(may not be applicable but FYI): users: USH02, USH04,
  profiles: USH10, auths USH12.
  R/3 Security Tcodes
  End User Transaction Code  Menu Path   Purpose
  SU3  System > User Profile> Own Data  Set address/defaults/parameters
  SU53  System > Utilities > Display Authorization Check  Display last authority check that failed
  SU56  Tools --> Administration --> Monitor --> User Buffer  Display user buffer
  Role Administration Transaction Code  Menu Path   Purpose
  PFCG
  Tools --> Administration --> User Maintenance --> Roles  Maintain roles using the Profile Generator
  PFUD   Work on SAP check indicators and field values
  Select: Copy SAP check IDu2019s and field values
  Installation
  1. Initial Customer Tables Fill
  Upgrade
  2a. Preparation: Compare with SAP values
  2b. Reconcile affected transactions
  2c. Roles to be checked
  2d. Display changed transaction codes
  SU24
  Same as for SU25:
  Select: Change Check Indicators > Maintain Check Indicators>Maintain 
  Regards,
  Srini Nookala

• Su01 - role or profile for MM module

  hi experts.
  i could like to set the role or profile to a user which only can access to Materials management.
  do anyone can guide me which role or profile i should set?

  thanks for fast reply.
  i were enter the all the MM role as the reference u gave to a user.
  doc patch = roles in back-end system -> logistics -> materials management (mm).
  but the user still cant access the MM module at the logistics -> materials management.
  did i still missing some configuration ?

• Su01 recreate old user - lost roles and profiles

  Situation: a person's sap account was deleted, but now that person needs it again with the same sap access as before
  when you recreate an old sap user account in su01,
  sap gives a message "found old user information, do you want to reacreate this".
  Press yess, then all is copied except roles and profiles (empty)....
  You can find them back via the menu : information<change dcuments for users.
  Is there a way to make sure that roles (and/or profiles) are instantly copied from the old records of the sap account (like
  the name, email user group, user parameters, etcetera)?
  Regards,
  ABC

  No. There is no such feature.
  The solution is not to delete the user but rather lock the ID and move it to a "retired" user group where it is protected. From there you can restore it again easily.
  Cheers,
  Julius

• Do you really have to delete roles if you deactivate a user?

  I was searching through threads trying to find a recommendation regarding the best way to deactivate users in SAP.  I understand locking and changing the validity date, but I am also seeing recommendations to delete the roles...  In addition to roles do you also recommend deleting profiles (ones not associated with a specific role)?  I'm just asking because I was under the impression it was good for security purposes to know what roles/profiles (authorizations) the user had in the past if something happened that required research and the ability to identify "who had the ability to do what".  If we delete all of that information from their account, is their still a way to determine what they did have when they were an active user?  If it is OK to leave roles in and maybe just set their expiration date, how should profiles not associated to roles be handled?
  I guess most importantly, is there a known recommendation straight from SAP that I can reference?  My searches have come up empty.

  In my opinion, best is to:
  - Retire the user ID by locking the account (not just the password).
  - Set the validity on the user account to expire (preferably when this is known already, and not when a piece of paper becomes current...).
  - Setting the validity of roles is subject to the user compare to a large extent. It is very usefull.
  - Manual profiles are a bugger - dirty trick is to import them as a template into a role.
  > I guess most importantly, is there a known recommendation straight from SAP that I can reference? My searches have come up empty.
  I know that the technical explanations of how it works is to a large extent available, release dependently.
  If you search for the reports associated to the "user compare" (tcode PFUD) then you will find a lot of infos.
  Recommendations are more tricky, as it depends on what you want. SAP enables a lot of stuff and is responsible for the correct checks in the programs. But how you build your roles and profiles is up to you, and you have a lot of freedom in that area. You can also shoot yourself in the foot
  I am assuming that you are not on SAP release R/2. Perhaps a bit more details would help...
  Cheers,
  Julius

• VIRSA tables for users, roles and profiles sync?

  Hello,
  I am in a customer, implementing CC 5.2. At the first time, we tried CC 5.2 in DEV environment, and when everything was OK, we redirect RFC connectors to QA environment.
  After doing user, roles and profiles sync in DEV and in QA environment too, I have 4.500 user (1.100 from DEV + 3.400 from QA) when I recover all users "*" with "user level - risk analysis" from the "Informer" tab.
  It seems that "users, roles, profiles, sync" works like and "APPEND", but I did a COMPLETE syncronization not an INCREMENTAL.
  If I start an analysis for QA environment, CC works properly and only analyse QA users (3.400). But I would like to clean CC tables (users, roles and profiles) in order to have a clean copy of QA in CC.
  Which VIRSA tables (users, roles and profiles) I need to clean?
  It is necessary to do the same with authorization and text objects? Which would be these tables?
  Thanks in advance,
  Victor

  Hi all,
  SAP GRC Support provides a script which allows you to remove a connector since it does delete all data link to it. Anyway, I would recommend a deep analysis of it and find out if it does what you really want to do.
  Víctor, if what you want to do it is just to remove all user, role and profile master data (stored in tables VIRSA_CC_SYSUSR and VIRSA_CC_GENOBJ) you could upload a text file using data extractor functionality with the delete field set to X. Doing so user, role and profile master data will be removed from CC database.
  In order to use data extraction functionlaity you connector must be of type "File Local".
  Be careful about removing data directly from DB since, as Prem states, you might loose the DB consistency.
  Hope it helps. Best regards,
     Imanol

• Delete a user record from oracle db

  Hi,
  Can anybody share me a custom workflow which deletes a user record from the oracle db.The user does exist in SUN IDM.
  Please help me.
  Thanks in advance.

  You can use a Trigger and UTL_FILE to write to a file (on the server).
  Example:
  create or replace trigger test_file
    after insert or delete or update on test_case 
    for each row
  declare
  v_logfile utl_file.file_type;
  begin
    v_logfile := utl_file.fopen('\myfiles','test_file.log','a');
    if inserting then
       utl_file.put_line(v_logfile,'Inserting to table');
    elsif deleting then
       utl_file.put_line(v_logfile,'Deleting to table');
    else
       utl_file.put_line(v_logfile,'Updating to table');
    end if;
    utl_file.fclose(v_logfile);
  end test_file;
  I want to generate a log file in which i want to dump some useful messages, when anyone does a dml operation on a table, and also, i want to have a switch like YES or NO (may be an environment variable,,) if i switch it to YES the log file should get generated, if NO then, no log file will be generated..
  can anyone help, how can you do this task ?
  thanks a lot in advance..
  srini

• Roles and profiles of a MI/MAM user

  Hi All,
  We are planning to configure MAM3.0 in Netweaver 2004. What all the roles,profiles and authorizations for a MI/MAM user must have to synchronize with middleware and R/3. Can any body please tell me, is there any document saying about the roles,profiles and authorizations for a MI/MAM user must have. I did enough search in SDN regarding this but did not find any document for this.
  Also please let us know is there any document available in service market place.
  Your help in this regard is appreciable.
  Regards,
  Murthy.

  Hey,
  You can use "SAP_ALL" (that would work).
  If you are interesting in smaller role (less authorization),
  than you would have to create your own role,
  that's because SAP doesn't know which object you are going to synchronize.
  You will have to create your own roles according to your scenarios, for example if you are synchronizing HR data than you should add HR authorization and etc.
  You can find out which authorization are needed by:
  Create a user with SAP_ALL
  Start authorization trace (with St01)
  Run the processes that synchronizes the data
  Stop the authorization trace
  Build profile with all the authorization that aprears
  in the authorization trace.
  Assign the profile to the user of MAM
  Good luck!

• Unlink and remove role = delete user???

  Hi All,
  We are using Sun IDM 7.1.1.21 and have run into this problem. I believe it's a product bug because it doesn't make any sense. We have users in an AD resource, and they are linked to that resource in IDM using a role. If, for some reason, the user is deleted from AD, and re-setup we have to "re-link" the user because the "accountGUID" attribute has the wrong GUID for the user and IDM doesn't like that. We are doing this using Recon. When recon runs, and catches this user, the situation comes back as "Confirmed", which is fine, we are using a per account workflow to handle the changes. We then compare the GUIDs of the objects in the workflow, if they are different, we would unlink the IDM account and relink it to the new GUID. We are setting the following options on the unlink.
  <set name='options.unlinkTargets'>
  <list>
  <s>AD</s>
  </list>
  </set>
  <set name='options.deleteAccounts'>
  <s>false</s>
  </set>
  and we remove the role, becuase if we do not, nothing happens. When the user object is checked in, it gets deleted from the resource. I'm sure this is happening becuase the accountID DOES exist (when the user is re-setup on the back-end the same DN is given to the user). Obviously this result is undesireable. So now I have 2 questions.
  1. Am I doing this wrong?
  2. Why would IDM delete an account when deleteAccounts and unlinkTargets are explicitly set on the checkin?

  OK. I figured out where the problem was. Renaming the accountGUID without removing the role only caused a "rename account to same name" error. I was not setting the correct options when removing the role. I needed to set:
  <set name='options.noDelete'>
  <s>true</s>
  </set>
  <set name='options.deleteUser'>
  <s>false</s>
  </set>
  This did the trick. The roles were removed and the user unlinked without any harm done to the resource account. I was then able to re-add the roles and relink to the existing resource account without a problem.
  Thanks.

• Dynamic rooting (User Record) setting is not working in Nakisa OrgChart SP3

  Dear All
  The Dynamic rooting setting is not working in the Nakisa OrgChart SP3.
  It is giving an error message - "Cannot find the root of your orgchart. The orgchart box may have been deleted or incorrectly specified, or no valid org structure can be found for the selected effective date. Please change the root of the chart or select another effective date."
  We followed the same steps as given in the Admin guide of SP3 (P.no. 109 - shown below)
  In Orgchart --> General Settings:
  * Select the Org chart root value source.
  User Record: Retrieves the record specified in the next step from the employee data element.
  *Do one of the following to define the org chart root:
  If User Record was selected in the previous step, select the field containing the ID of the required organizational object in the employee data element from the User record field drop-down list. For example, if you wish to root the org chart at the org unit of the logged-in user, select the field containing the org unit ID. Hence, we have selected the Org unit ID.
  Note:
  We had enabled single sign-on with logon tickets
  Retained the standard settings in Security Settings --> Employee Source
  Had provided full authorization to the roles
  If we use the "OrgChart Root" option available in 'Orgchart root value source', the org structure gets displayed correctly from the root object defined.
  As this is an standard functionality, Kindly guide us in resolving the issue.
  Regards
  Ravindra

  Ravindra.
  You don't have to and shouldn't always include the username and password parameters for the SAP Connection string.  When you omit them it will use the user's login credentials.
  Remember though that:
  The SAPRoleMappingConnection will need them included in order to get the details for the user in the first place.
  Without the username and password specified in a connection string you can't click the option to test the connection and result in a successful connection.  Remember unable to connect does not necessarily equate to wrongly configured.
  I've filtered the log file for errors and the following entries were flagged up:
  26 Jun 2012 10:00:06 ERROR com.nakisa.Logger  - com.nakisa.framework.utility.Files : deleteFile : java.io.IOException: Unable to delete file: E:\usr\sap\D15\J00\j2ee\cluster\apps\Nakisa\OrgChart\servlet_jsp\OrgChart\root\.system\Admin_Config\__000__THY_SAP_Live_RFC_01\AppResources\attr.txt
  26 Jun 2012 13:13:52 ERROR com.nakisa.Logger  - com.nakisa.framework.utility.Files : deleteFile : java.io.IOException: Unable to delete file: E:\usr\sap\D15\J00\j2ee\cluster\apps\Nakisa\OrgChart\servlet_jsp\OrgChart\root\.system\Admin_Config\__000__THY_SAP_Live_RFC_01\AppResources\attr.txt
  26 Jun 2012 13:43:49 ERROR com.nakisa.Logger  - java.lang.reflect.InvocationTargetException
  26 Jun 2012 13:55:09 ERROR com.nakisa.Logger  - com.nakisa.framework.utility.Files : deleteFile : java.io.IOException: Unable to delete file: E:\usr\sap\D15\J00\j2ee\cluster\apps\Nakisa\OrgChart\servlet_jsp\OrgChart\root\.system\Admin_Config\__000__THY_SAP_Live_RFC_01\AppResources\attr.txt
  26 Jun 2012 14:32:03 ERROR com.nakisa.Logger  - com.nakisa.framework.utility.Files : deleteFile : java.io.IOException: Unable to delete file: E:\usr\sap\D15\J00\j2ee\cluster\apps\Nakisa\OrgChart\servlet_jsp\OrgChart\root\.system\Admin_Config\__000__THY_SAP_Live_RFC_01\AppResources\attr.txt
  26 Jun 2012 15:47:44 ERROR com.nakisa.Logger  - BAPI_SAP_OTFProcessor_LinkedDataElement : The dataelement ( SAPPositionVacancyDataElement ) is not defined.
  26 Jun 2012 15:47:44 ERROR com.nakisa.Logger  - BAPI_SAP_OTFProcessor_LinkedDataElement : while trying to invoke the method com.nakisa.framework.data.Command.getType() of an object loaded from local variable 'p_cmd'
  26 Jun 2012 15:47:44 ERROR com.nakisa.Logger  - com.nakisa.framework.webelement.charting.data.ChartingData : createNodesFromData : Notes Error: NullPointerException
  26 Jun 2012 15:47:44 ERROR com.nakisa.Logger  - BAPI_SAP_OTFProcessor_LinkedDataElement : The dataelement ( SAPPositionVacancyDataElement ) is not defined.
  26 Jun 2012 15:47:44 ERROR com.nakisa.Logger  - BAPI_SAP_OTFProcessor_LinkedDataElement : while trying to invoke the method com.nakisa.framework.data.Command.getType() of an object loaded from local variable 'p_cmd'
  26 Jun 2012 15:47:44 ERROR com.nakisa.Logger  - com.nakisa.framework.webelement.charting.data.ChartingData : createNodesFromData : Notes Error: NullPointerException
  26 Jun 2012 15:47:48 ERROR com.nakisa.Logger  - com.nakisa.framework.webelement.charting.data.ChartingData : createNodesFromData : Notes Error: NullPointerException
  26 Jun 2012 15:47:55 ERROR com.nakisa.Logger  - BAPI_SAP_OTFProcessor_LinkedDataElement : The dataelement ( SAPPositionVacancyDataElement ) is not defined.
  26 Jun 2012 15:47:55 ERROR com.nakisa.Logger  - BAPI_SAP_OTFProcessor_LinkedDataElement : while trying to invoke the method com.nakisa.framework.data.Command.getType() of an object loaded from local variable 'p_cmd'
  26 Jun 2012 15:47:55 ERROR com.nakisa.Logger  - com.nakisa.framework.webelement.charting.data.ChartingData : createNodesFromData : Notes Error: NullPointerException
  At the very least it looks like SAPPositionVacancyDataElement is missing and whilst the other errors around it are unfamiliar I wonder if it might be a good first step to see if you can track down the reference to and existence of this data element?  That being said it looks like your last test occurred well over an hour after this (so you may have already resolved it) and resulted in nothing but information messages.  If that is the case it might be worth "rolling" your log file or manually trimming it to the right time frame when posting it?  Otherwise it can be misleading as people could flag up issues you have already resolved.
  So assuming you haven't tried Luke's suggestion (which should only take a couple of minutes to do) I think you should go back and do so right away .
  Regards,
  Stephen.

• Since upgrading to Firefox 8.0.1, it is hanging when I try to open it. Deleting profiles etc. doesn't help. I suspect the problem has to do with caching or history, since when I first quit after upgrading I had to force-quit as it was hanging.

  '''bold text'''MacOS 10.5.8 is my operating system.
  There is no actual crash, thus no crash ID--it just hangs forever and eventually I force-quit.
  Restarting the computer hasn't helped
  Downgrading to previous versions didn't help.
  Deleting profiles and preferences doesn't seem to make any difference.
  Apparently clean re-installs hasn't helped.
  If option-opening is really safe mode on a Mac, then that isn't helping, either. It's the same hanging.
  No problems are being noted with any other software.
  I'm totally stumped--what else can I take off for a cleaner re-install?

  Firefox hangs the same way in safe mode.
  There is no such thing as a Firefox program folder on a Mac, nor is there an "uninstall" to do, so these directions are not relevant to a Mac user.
  The problem remains.