Role Removal for users

Hi Guys
How do we remove the role Y.R3.IS-XX.xxxxxx from all test users (T-) and assign the role Y.R3.IS-XX.RPT_FI_XXXX to all test users (T-) in Q?
Any input on this is highly appreciated
Thanks
SV

Hi,
I am just sending you a sample of how to delete a role using SCAT. You can modify it to delete a user from a role.
Use T-Code SCAT.
You will be prompted with initial screen
Test case      enter some name ex: Z_MASS_ROLE_DELETION
Click on Create (Blank page icon)
In the initial screen on left corner button TCD click on this for recording a transaction.
Enter T-code in PFCG
Click on -> arrow button to continue
In the next screen you will be displayed with PFCG screen
Enter the role Name which you want to delete
Click on the Delete button (Bin icon)
You will be prompted with message box with yes or no and cancel
Click on Yes
You will be prompted with information acknowledge it by click on continue
Now the role is deleted.
Click on Back button (F3)
You will be prompted with Initial screen where you have enter T-code in the pop-up box (PFCG)
Click on RED small button to stop of recording the transaction
You will be prompted with next screen for Title.
Enter the Title ex: Mass Role Deletion
Click on SAVE button
Save as local object (click local object button)
Go Back by click F3 (Back arrow button on the menu)
Pop up box with save option appears save
Click on YES
You are ready with recording of T-Code PFCG
To create a variable click on the edit (Pencil icon)
In the next screen you will be prompted with
C Funct.      Object               Text
TCD           PFCG                 Role Maintenance
Double click on TCD column
In the next screen you will have the following information
Test case       Z_MASS_ROLE_DELETION           PFCG Role Maintenance
Transaction     PFCG                           Role Maintenance
Permitted msg.
Processing Mode
In the above screen click on FIELD LIST button which is on top left menu bar.
In the next screen you will find the list of values. Check for the variable part (i.e. the role name we mentioned at the time of recording (TEST123 ROLE))
Role                     AGR_NAME_NEU                  030 TEST123
Replace TEST123 with & (this is done for the variable to be replace in future for new values)
Go back (F3) twice into initial screen and save
In the initial screen SCAT first screen
Go to the menu
GOTO -> Variant -> Export
Export will create a Text file (Z_MASS_ROLE_DELETION.TXT) save it on your desktop for easy editing
Open with EXCEL above text file (Z_MASS_ROLE_DELETION.TXT)
You will find below values
[Variant ID]     [Variant Text]     &AGR_NAME_NEU
-->     Parameter texts     Parameter contents
-->     Default Values     TEST123
Changes to the default values displayed above not effective          
Place the list of roles which you have decided to delete under the column TEST123
Just Save file for any message just click on yes button.
Come back to SCAT initial screen click on execute (F8) clock icon on the right corner of menu tab.
In the next screen you will have option to choose
Log Type     Processing Mode   Variants
Long            Errors              External From file Choose     
Choose the file (Z_MASS_ROLE_DELETION.TXT) which was edited with new values
Then Execute all the roles which are in file will be deleted.
I hope this helps
Try this with test roles first then on the Actual roles
If you have any problems let me know
Cheers
Soma
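
A pre-flight check for the edited variant file before it is executed in SCAT, as an added example that is not part of the original post. It assumes the export is tab-separated with the layout shown above and that each variant row carries its ID in the first column; the variant IDs, the `Z_TEST_` prefix allow-list and the sample rows are constructed for illustration.

```python
import csv
import io

PARAM = "&AGR_NAME_NEU"   # variable column created by replacing TEST123 with &
ROLE_MAX_LEN = 30         # the field list shows AGR_NAME_NEU with length 030

# Constructed sample of an edited export (tab-separated). Variant IDs, texts
# and role names are made up; the row layout is an assumption.
SAMPLE = "\n".join([
    "[Variant ID]\t[Variant Text]\t&AGR_NAME_NEU",
    "-->\tParameter texts\tParameter contents",
    "-->\tDefault Values\tTEST123",
    "Changes to the default values displayed above not effective\t\t",
    "V001\tdelete\tZ_TEST_ROLE_A",
    "V002\tdelete\tZ_TEST_ROLE_B",
    "V003\tdelete\tZ_TEST_ROLE_A",        # same role listed twice
    "V004\tdelete\tSAP_ESSUSER_ERP05",    # not a test role
    "V005\tdelete\tZ_TEST_*",             # pattern, not a literal role name
    "V006\tdelete\t",                     # value left empty
    "V007\tdelete\tZ_TEST_" + "X" * 30,   # longer than the field allows
]) + "\n"


def read_variants(text):
    """Return [(variant_id, role_name)] from an exported variant file."""
    rows = [r for r in csv.reader(io.StringIO(text), delimiter="\t")
            if any(cell.strip() for cell in r)]
    if not rows:
        raise ValueError("empty variant file")
    header = [c.strip() for c in rows[0]]
    if PARAM not in header:
        raise ValueError(f"column {PARAM} not found in header")
    col = header.index(PARAM)
    variants = []
    for row in rows[1:]:
        first = row[0].strip()
        # Skip the description lines and the notice that follow the header.
        if first.startswith("-->") or first.startswith("Changes to the default"):
            continue
        value = row[col].strip() if len(row) > col else ""
        variants.append((first, value))
    return variants


def preflight(variants, allowed_prefixes):
    """Return [(variant_id, role_name, reason)] for rows that should not run."""
    findings = []
    seen = {}
    for vid, role in variants:
        if not role:
            findings.append((vid, role, "empty role name"))
            continue
        if len(role) > ROLE_MAX_LEN:
            findings.append((vid, role, f"longer than {ROLE_MAX_LEN} characters"))
        if any(ch in role for ch in "*%& "):
            findings.append((vid, role, "wildcard, placeholder or blank in name"))
        if not role.startswith(tuple(allowed_prefixes)):
            findings.append((vid, role, "outside the allowed prefixes"))
        if role in seen:
            findings.append((vid, role, f"duplicate of {seen[role]}"))
        else:
            seen[role] = vid
    return findings


if __name__ == "__main__":
    for vid, role, reason in preflight(read_variants(SAMPLE), ("Z_TEST_",)):
        print(f"{vid}: {role!r}: {reason}")
```

Run it against the edited Z_MASS_ROLE_DELETION.TXT and execute the test case only when the findings list is empty.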

Similar Messages

  • 4016: User/Role relationship for user

    Hi Guru,
    I have a requirement to send email notifications to multiple users.
    I created an adhoc role and tried assigning the users to the role but I am getting this error. I am on R12.1.3
    4016: User/Role relationship for user
    Where do I pick the user to assign it to the role. Should I use wf_users, fnd_user.
    I have the user_name in fnd_user and the name in wf_users is the same.
    v_role_name := 'XX_CUSTOM_ROLE';
    v_role_display_name := 'XX Custom Display Role';
    -- Create the ad hoc role that will receive the notification
    wf_directory.createadhocrole(role_name               => v_role_name
                                ,role_display_name       => v_role_display_name
                                ,role_description        => null
                                ,notification_preference => 'MAILHTML'
                                ,email_address           => null
                                ,status                  => 'ACTIVE'
                                ,expiration_date         => NULL);
    -- v_asset_manger is a cursor which picks up all the assets managers on the project
    for i in v_asset_manger(g_project_id)
    loop
        -- Workflow role name of the asset manager
        select wfr.name into v_full_name
          from per_all_people_f papf, fnd_user fu, wf_local_roles wfr
         where papf.person_id = fu.employee_id
           and wfr.name = fu.user_name
           and person_id = i.person_id;
        -- Number of matching rows for the same person
        select count(name) into v_count
          from per_all_people_f papf, fnd_user fu, wf_local_roles wfr
         where papf.person_id = fu.employee_id
           and wfr.name = fu.user_name
           and person_id = i.person_id;
        if v_count > 1 then
            v_name := v_full_name||' '||v_name;
            v_full_name := null;
        else
            v_name := v_full_name;
        end if;
    end loop;
    -- Add the collected users to the role and store the list on the item
    wf_directory.adduserstoadhocrole(role_name  => v_role_name,
                                     role_users => v_name);
    wf_engine.setitemattrtext(itemtype => p_itemtype,
                              itemkey  => p_itemkey,
                              aname    => 'XX_ASSET_MANAGER',
                              avalue   => v_name);

    Hi Sree,
    Thanks for your reply. user_name in fnd_user, the role in wf_local_roles are same.
    ex. KSURNAJ in wf_local_roles is same as in KSURNAJ fnd_user
    Activity Type  Function
    Error Name  WF_DUP_USER_ROLE
    Error Message  4016: User/Role relationship for user 'KSURNAJ' and role 'MAIL_TO_ASSET_MANAGERS-1' already exists.
    Error Stack  Wf_Directory.CreateUserRole(KSURNAJ, MAIL_TO_ASSET_MANAGERS-1, PER, 2680, WF_LOCAL_ROLES,0) Wf_Directory.AddUsersToAdHocRole2(MAIL_TO_ASSET_MANAGERS-1) Wf_Directory.AddUsersToAdHocRole(MAIL_TO_ASSET_MANAGERS-1, "MINUHYE KSURNAJ") XXPA_BUDGET_APPROVAL_WF_PKG.Inside my look XXXX(PABUDWF, 120524, 258610, RUN) XXPA_BUDGET_APPROVAL_WF_PKG.xx_assign_approver(PABUDWF, 120524, 258610, RUN) Wf_Engine_Util.Function_Call(XXPA_BUDGET_APPROVAL_WF_PKG.xx_assign_approver, PABUDWF, 120524, 258610, RUN)

  • OIM 11.1.1.5 BP2 Roles removed from users automatically

    Hi All,
    We are using OIM 11.1.1.5 BP02 and facing issues with event handlers, role membership and access policy. We have a custom post create user handler and a custom user post update event handler. We are creating users through trusted reconciliation by using EBS Employee Recon connector and provisioning users to AD & Exchange by using the 11.1.1.5 ICF connectors.
    The issue we are seeing is with the Roles of the users, the behavior we are seeing is that, on user creates through trusted recon, the users are getting roles correctly and then the resources are assigned correctly, but after sometime, the roles are removed from the user. We do not have 'Revoke if no longer applies' on the access policy and thus the resources are appearing fine for the user, but we do not want roles to be removed from the user since the rule membership rules criteria is still holding good for the user.
    We are seeing this issue only with trusted reconciliation and not when we create users through the UI. Our custom event handlers have the same logic for both the execute methods; with the difference that the bulk execute method is working on the array of identities received from trusted recon while the normal execute method working on just one identity through the UI.
    We are doing complex computation in the event handlers (& setting multiple fields of the user) and are forced to use UserManager API to set the fields in the create user handler (Following article: 1469286.1); this we believe is affecting the ordering of the custom event handler and the OOTB Role ChangeCalculator event handler.
    We have already checked the bugs(14075985 & 14221435) and wanted to confirm if we are hitting the same and/or how can we debug this more. We have already checked the UPA_USR table but that does not tell us as to why the role is revoked from the user.
    Anyone faced similar issue?
    Thanks,
    Bikash

    The patch we were given was 14226386, also called 11.1.1.5.2AK. The readme has the following overview:
    This patch addresses the concurrency issues encountered in 11g R1 PS1 as described below
    1. Unlike in OIM 11g R1 PS1, when a user's role membership changes policy evaluation doesn't
       kick off immediately. Instead the user is flagged for policy evaluation in the future.
       'Evaluate User Policies' scheduled task then triggers policy evaluation for such users.
       The scheduled task ensures that there is only one policy evaluation for a user at any
       given time. So, duplicate accounts or entitlements wouldn't be provisioned to a user.
       With this fix, access policy based provisioning events will be triggered only when
       'Evaluate User Policies' scheduled task runs. Hence, the frequency of this scheduled
       task needs to be tuned for the customer's deployment. The recommendation is to set it to
       10 minutes.
       In addition to binary changes, this fix involves data model and metadata changes as
       described below.
    2. In a custom event handler, use Platform.getServiceForEventHandler() instead of
       Platform.getService() to get a handle to a Service available in OIM before making an API
       call. This ensures that the API completes in its entirety (including any post processing)
       when it returns. Also, this brings in predictability in the order of execution of OIM
       events on the same entity created from one another.
    3. When trusted source reconciliation brings in multiple events on the same user these events
       are processed by OIM sequentially.
    But since then BP03 and BP04 have been released, I would suggest you find out if BP04 has resolved this from support before applying anything.
    -Kevin

  • HT5239 Where can I get Apple FIPS Role guide for user so that I can use the APIs from my application

    I am trying to use Apple's FIPS certified crypto library's crypto APIs in my application to do the crypto operations. For that I was asked to refer the "Role Guide : User" in the nist document. But I couldn't find the same. Can I know where I can download the same.

    The OS X and iOS programming documentation is the Cryptographic Services Guide, and related manuals.
    AFAIK, what you're probably after is the Common Crypto stuff that's part of libSystem.  See man CC_crypto for some introductory details of that, and there's a sample program available.
    The devforums.apple.com developer forums and the developer.apple.com web site will be better resources for programming questions than are these ASC forums (and that includes my answer here!), and the Fed-Talk mailing list might be of interest for this question.
    Given the usual arc these security questions follow, I'd suggest ignoring what I've posted here and directly contacting the Apple Developer Technical Services (DTS) folks, and ask for formal help with this.  The folks I've worked with over the years that were looking for FIPS 140-2 crypto stuff and similar usually have a requirement for a paperwork trail involved, and that means direct contact with the vendor when you cannot locate published formal statements.   Not unofficial stuff from random folks like me posted here in ASC.  (There's an Apple contact on that FIPS page, BTW.)

  • Roles/authorizations for user to Solman Diagnostics.

    We have a need to have non-administrator persons access our Sol Man
    Diags environment. We do not want them to access with j2ee_admin
    account.
    How / what roles or authorizations do I assign to restricted users so
    users cannot see the administration and setup tabs and not be able to
    turn traces on?

    The roles for the end users are mentioned in the standard SMD guide, please go through it

  • Backend roles needed for user to access ESS related services

    Dear Experts-
    Can any one of you please point me to a document or let me know what exact role need to be assigned for a user on backend for him to access all ESS related services in Standard deployment.

    read the note 857431
    1129412   ESS: Authorizations and roles for WD services in ERP EHP3
    844639    MSS: Authorizations and roles for WD services in ERP 2005
    785345    Copying authorization default values for services
    612585    New: Authorization default values for ext. services
    The following roles were delivered for ESS with ERP 2005:
    SAP_ESSUSER_ERP05: Single role, containing all non-country-specific
                        functions.
    SAP_EMPLOYEE_ERP05_xx:   Single role with the country-specific
                              functions. Each country version has its own
                              role (with xx = country ID). The corresponding
                              composite role is SAP_EMPLOYEE_ERP05.

  • OIM 9.1.0.2 Group Membership Removal for Disabled Users

    Hello
    In OIM 9.1.0.2, when a user is disabled, they are removed from the groups they are a member of within 24 hours. I was wondering if this is a set time and if so, can this be extended to a specified time so membership can be left for a week before it is removed from the user. If you can let me know on this I would appreciate it.
    Thanks
    Nick

    Today, when accounts are disabled, within 24 hours all the group memberships are removed on the OIM side. I would like to change the interval for the cleanup so that when an account is disabled, all the existing group (role) memberships stay assigned to the account then after 30 days of the account being disabled, the group (role) memberships are removed. Not sure if this would be an ORM thing or OIM, but I think it would be OIM since ORM still has the role mappings for users when they are disabled.
    Thanks
    Nick

  • GRC 10.0 Mass Role removal

    Hello all,
    we are using GRC AC 10.0 (SP14). Today I found out that the access removal for multiple user is not working. The role removal for one User is working fine. But for multiple user who all have the same role it is not possible to select this existing role. Is it a standard in GRC AC or did I miss some config parameters?
    The button "ADD" (yellow) is not working, and there is no button "Existing assignments". Please let me know whether these settings are standard or not.
    Many thanks,
    regards
    Sabrina

    Sabrina,
    Multi user requests have been quite problematic. I encourage you to search for corrections; we had to implement numerous corrections for multi-user requests. Right now, though, multi user requests for role removal using the "Existing Assignment" function are working for us (SP12 with a lot of corrections from  SP13 and SP14).
    I should mention that our Provisioning Log in the closure notification only lists the first user, but all three accounts in my test request just now had the role removed as requested. We have treated that as a training issue with our request submitters for the time being. We implemented Note 1727135 to correct that issue and it made matters worse, so we had to revert.
    Good luck!
    Gretchen

  • Business Role Assignment to User by Organizational Model

    We have created the organizational model in our system where we have the levels that are tied to a specific business role. We have been manually assigning all of our users to these organizational model levels in order to have the business role assignment. I am curious if there is a program or easier way to do this than to have to create the assignment to the employee record manually in the org model.
    Any help would be greatly appreciated.
    Thanks,
    Darcie

    Hi Robert,
    maintaining the user profile directly may be easier with only a few employees but for large companies this method will end up being more maintenance intensive.
    for Org you only have to maintain it on the Org unit or position and all employees underneath will inherit the role; whether it's 2 individuals or 2000. and if the person is moved into a different position laterally or through promotion there would be no maintenance required as the information would replicate from HR (if you use/have the system) and the person would inherit the new position and role automatically.
    for User parameter if you only have 2 individuals it is easier but 2000 is too much to maintain. there is some automation but would require you to create them and run them yourself.
    pfcg at most companies do not fall under general master data maintenance and would require involvement from the security group and they often do not want to generate empty or unnecessary security/authorization profiles - the maintenance workload is shifted to them also in this case.
    regards.

  • Remove T Code for each ROLE for user

    Hi Experts
    Can anyone tell me how to remove the T code for each role which was define individually for users Eg
    CR01 has been assign to 50 users, the difficulty is I have to go to each role then search for CR01 t code then delete and again generate the Authorization
    In this way there are so many t codes which I have to go one by one to delete it.
    Any help to remove the t-code for each role through any way.
    regards
    Piroz

    try the Security forum at Security
    they might have trick (such as CATT scripts).
    doing this via SQL commands is dangerous. avoid this solution if you are not 100% sure of its impact.

  • Not able to do GR for user removed form SRM Org. Str

    All,
    We removed a user from organizational structure. POs were created for this user before removing and not confirmed (by default he is the recipient).
    He is no longer with company to do GR confirmation and when central goods recipient trying to do Confirmation, it is not allowing to perform Confirmation (role: Central Goods Recipient).
    Has anyone faced similar issues? How to confirm these POs.
    Thanks,
    Ravi

    Hi Ravi,
    normally users shouldn't be deleted until their documents are not closed. The problem is, that the documents (POs) has still the businesspartner GUID of the old user in the table CRMD_PARTNER.
    As this GUID number is checked in all of the documents (also by booking the confirmation), the documents can not be proceed any more due to the non existing user.
    What you can do is, that you change the business partner GUID of the related documents (e.g. your PO) in the field CRMD_PARTNER-PARTNER_NO to an existing user. You can reach this CRMD_PARTNER-PARTNER_NO by clicking on the partner tab in the transaction BBP_PD. Then inside the table you need to change 'hard' the GUIDs of the old business partner to the business partner of an existing user.
    Please don't forget, that the requestor can have also multi-roles in the PO like:
    I00000016       Requestor    
    00000020       Goods recipient
    In this case in both of the roles needs to be changed.
    You need to know, that with this change you can trick the system, and book the confirmation, but the address data of the old user remains in the document (CRMD_PARTNER-ADDR_NR, CRMD_PARTNER-ADDR_NP). If this address information is also important for you, you also need to update it.
    Regards,
    Peter

  • Receiving an error when trying to remove P00 Security role from the user

    Hi All,
    I am receiving an error when trying to remove P00 Security role from the user.
    After logging on to GRC CUP, clicking on "Create request", and filling out required information,
    I click on Select Roles/Groups
    On the next screen,
    I click on Existing Roles/Groups
    ERROR MESSAGE appears X Action failed and no roles appear in the box to select for removal.
    Regards,
    Vineet

    Hi Vineet,
    Maybe your selection is incorrect
    Try this
    in Application Area -- Select ALL
    Functional Area -- Select ALL
    Company -- Select ALL
    Role/Profile/Group Names --- Give p00* and execute the report
    if you give only p00 it won't give any result
    Hope this helps
    Thank you,
    Kishore

  • Initiator for Role removal.

    Hi,
       I need some update/input w.r.t Role removal Initiator. While configuring the role removal is it possible to use the role status in the initiator?    If not how to identify this role is only for the role removal.
    Normally we use to put only one stage for Role removal. In the config, no where we are having automatic check for the request is only for the Role removal. So we have to trust that particular stage owners. As per the CUP automation check is it possible to validate this?
    Thanks in advance.
    Regards,
    Vasantha Kumar.

    Hi Justin
    I'm assuming you are involved in or victim of a security access review. I'm usually one of those security guys asking for role or transaction removal and you are the main contact in the business coordinating the changes.
    The process of remediation will possibly consist of checking which transactions are causing segregation of duties conflict, if they are used or not and removing one side of the conflict by removing an unused transaction.
    It shouldn't require the entire contents of a role to be removed - rather swapping role A for role B without a transaction or two.
    Removing transactions that aren't used can have more subtle implications which hopefully are found during UAT but is usually missed until used in anger. This is what support is for after go live.
    Saying all that and depending on your time and skills, you could ask for access to the security person's test user in dev or qas where they are working to run transaction SUIM on transaction for user following the proposed changes and compare that to the actual access of the real affected user in prod. If you can get access to the informer tab in virsa you can use the standard simulation reports to also check the resulting conflicts which will help you talk to the business and advise on actions available. There should be role owners involved in all this as they have to own the result: expect a request for these for CUP later on
    If you can retain control and approval of the (controlled) changes being made to users you will have a better understanding of what is happening, catch potential errors and mediate between security and the business - you have an important task!
    Ask for some basic training in standard SAP reports - the security team should be more than grateful for your input
    Crikey that was hard typing on an iPhone!
    Cheers
    Edited by: David Berry on Jan 11, 2011 8:17 PM

  • How add Authorization check for user with assigened role for t.code-MIR4

    Hi All,
    Regarding authorization how to check authorizations check for user with assigned roles for the t.code MIR4  using ABAP.
    In Detail:2)     All users are allowed to go to MIR4(invoice number), But ONLY for users with role: MM_RELEASE_INVOICE can proceed to do the posting.
    suggest me...
    Thanks,
    srii..

    Hi Sri ,
    first u need to find out  in which user rules u are using this object , after that if u want to restrict users then remove create/change values from that object values .
    make use of Tcode SUIM to find out all roles which are using this Object.
    or
    ask ur basis guy to remove authorizations to create/change....
    regards
    Prabhu

  • Cannot remove a User Role

    In the User Administration regarding the user roles when we select a user and search for his roles we can see his defined roles. We can edit some roles of the user but we cannot edit some roles for example to remove a role. I can remove one role but I cannot remove another role. Can anyone tell me the reason why is this case and what is the solution.
    thanks
    murali

    Hi,
    You can assign one role to one user in two ways:
    Direct assignment: You assign one role directly to one user.
    Indirect assignment: You add a user to one group which is assigned to one or more roles.
    Then, you can delete only roles in the first group. If you have a role because you have been added to one group you must delete user-group assignment to delete role assignment.
    Hope to be understandable.
    Consider rewarding points.
