Showing USER ROLES in LOV..is it possible

hello
I can create a adhoc role and assign users programmatically. When i create a role and assign users the role sends notifications to all the users assigned.
But..My requirement is like:
I am having 1000+ employee roles to be shown in LOV(list of values pop up).
When a user responds notification he/she choose a specific role and responds.
Is it possible
thanks
kp

Hi,
Thanks for your replay.
Here i need to send a photo with out tap on the "send" button . (So i dont want to see the "Cancel" and "Send" Buttons)
PLease guide me.
-Thanks.

Similar Messages

Request Offerings not showing up for custom User role in SMPortal

Hello All,
I've created a custom End User role and scoped it to the domain users group.
To this role I want to show a specific set of Request Offerings on the portal
For that Purpose I created a new Service Offering and added these Request Offerings to it.
I then went on to create a Catalog Group and added the Service Offering to it.
I then created the custom user role based on the EndUser role and allowed them to see all Forms, all Queues, All CI's and on the Catalog group I select that they could only see the Catalog Group which I just created.
I then logged in into the SMPortal and was expecting that my Service Offering would be shown to them.
However, they don't see the service offering.
What could cause this?
Is there something I'm missing?
Thanks in advance!
Filip

You have to add the Service Offerings and the Request Offerings in the Catalog Group. Nesting doesn't work because Service Offerings and Request Offerings are different types of objects.
This offers the option the manage the access to Service Offerings and Request Offerings very granular if needed. For instance you can control access to a Service Offering in one Catalog Group related to one user role (A) and use two additional Catalog Groups
with different Request Offerings related to other user roles (B) and (C). Result will lead to:
User in Role A and B -> Can see Service Offerings A containing Request Offerings B
User in Role A and C -> Can see Service Offerings A containing Request Offerings C
User in Role A, B and C -> Can see Service Offerings A containing Request Offerings B and C
User in Role A only -> Don's see anything because of the missing permission on any Request Offering. So the "empty" Service Request won't show up in the portal.
Hope his helps.
Andreas Baumgarten | H&D International Group

Risk Analysis shows no Roles or Users!!

Hi Team,
Please can you help me, I am configuring GRC AC 10's ARA and I am stuck with the issue when I execute Risk Analysis on Roles or Users, I am getting blank field. No data is getting pulled up from backend system. Although my Repository Sync job finished successfully when I did it for User, Roles and Profiles.
Please can anybody help.
Thanks,
Nick

Hi Nick,
please check this thread: GRC AC 10: RAR - no analysis results, or document: GRC AC 10: RAR - no analysis results
Regards, Andrzej

User roles un-assigned in CUA but acces in child system is ok

hi
i am have a really weird issue. a user who has access in roles in child clients, suddenly his roles disappeared from CUA. it did not effect access in child systems. any suggestions how to investigate this.
thanks

Did you click the Naughty Button in SCUL? Check OSS Note 1074552...
Could also be a cause of failing idocs.
Regards,
Trond
PS: The above note is for cases where users loose their visible role assignments in CUA, although roles remain assigned in the child system(s), not for cases where role assignments from CUA never trickles through to the child systems. The mentioned OSS note is a direct result of a case worked on by yours truly in 2007. I include below a warning I posted on sapfans about the issue:
Word of warning: RSUSR_CUA_CLEANUP_USZBVSYS is faulty!!!
The program RSUSR_CUA_CLEANUP_USZBVSYS is available as a standard SAP program from at least version 6.20. It can be run from SE38/SA38 or launched from a pushbutton (far right) on the "results" screen of transaction SCUL.
The program is intended to delete "obsolete" entries from table USZBVSYS, which contains log entries for assigned child systems in a CUA environment. The program is run in the main CUA system, and supposedly deletes entries for systems where users no longer have access.
There is a serious problem with the program, as acknowledged and confirmed by SAP in an OSS note I opened a few days ago. Under certain circumstances (more than 500 entries for any child system in the CUA landscape), the program wipes clean the whole table, instead of just the obsolete entries.
The consequences are dire. Table USZBVSYS is used for several fundamental CUA functions, such as remote password reset from the CUA master system. After the wipe, executing SU01 and attempting to reset a users password in a child system will no longer work. The assigned child systems are no longer visible in the reset password pop-up (nor anywhere else in SU01, including the Roles tab). You'll have to edit the user via SU01, and click on the annoying pop-up showing "new system assigned to user" for each system where the user has access...
The only way to fix the issue is to re-run SCUG for all systems in the CUA landscape. We had to do this across 6 CUA's, each containing 30+ child systems/clients and 10000+ users, which was very time-consuming and annoying. Also, there seems to be cases where roles have been wiped out from users on the CUA master systems, possibly due to consequences of the empty USZBVSYS table.
SAP has conceeded the program is faulty, and have proposed a new version (note 1074551). Without applying this correction, the program should NOT be run.
Note that users can still log in to and work in the child systems, it's just the "visibility" from the CUA master system which is missing. Tables USLA04/USL04 are still intact.
Just wanted to warn the community; we've spent some considerable time discussing with SAP and rectifying the mess created by RSUSR_CUA_CLEANUP_USZBVSYS...
Edited by: Trond Stroemme on Aug 5, 2008 3:03 PM

Editing the BW Frontend User Role Menu

Hi All,
I am struggling to identify where it is possible to modify the front end role menu on the web. We currently have a web page which launches once the user as logged in. It displays our company logo in the left hand corner and then shows (user specific) roles with a drop down option to display the queries available within those roles.
This page has obviously been customised at some point in time in our system but no one can seem to remember how it was done (our original project team is long gone). It has never caused an issue but it's not very attractive and we would like to improve it.
Does anyone know where to start? I suspect it is somewhere in SE80 but I don't know what or where.
I have found this thread (Access BW (web) role menu outside of the Portal) which points to two "how to" documents but one doens't work anymore and the other one points me to SE80 but seems to be not quite what I am looking for as it allows me to edit the screen which has the login details (rather than the menu once they have logged in).
Any help would be appreciated.
Many Thanks

Hi Ole Paludan,
Hi R. Huisman,
Its a very old thread .I am facing the same problem. It may help me in sort out my problem.
But I could not find as per my below comment which huisman replied to you..
Please let me know where i can find these.
First of all you need the portal/java environment to execute the 7.0 Webtemplate.
Open the webtemplate where your BW 3.5 rol menu resides. In the properties of the rol menu change the target frame to new page. --> I could not find setting called Target Frame in Role Menu BW3.5 WAD
Open the 7.0 WAD execute your template(s) and copy the full URL.
In PFCG select the object BEx Web Template and past the URL. Make sure you use the full space to past the URL - I am not able to find object BEx Web Template in PFCG transaction.
Now start/execute the old rol menu and click on the 7.0 report item you've created in PFCG. Now from the 3.5 role menu the new 7.0 report will be openend in a new window.
Can you please provide some screens which help me in understand properly.
Regards
Gunpreet Singh

How can I add a user Role member that is from a different domain

We are currently building out SCOM 2012 R2 to provide monitoring as a service to some of our customers. As of now we have the RMS on our own department's domain (Domain A) which we have full control of and we have a gateway server that is on the company
wide domain (Domain B) so that we can monitor other departments devices as the leverage this system.
Monitoring is working just fine on both domains and we are just working on fine tuning SCOM so that we can roll it out as a service we offer to our customers. One of the next steps we are working on before rolling it out is giving specific users access
to view only their own devices, dashboards, and groups. So I created a Read-Only profile and went to add a user to test it out, but that user is on Domain B and SCOM is unable to resolve this account. I'm seeing Event ID 26319 with Error Code 1332.
How can I get SCOM to discover devices on a different domain so that I can give them different permissions for accessing the Operations Console and/or Web Console? Is this possible?
Here is the Error I'm seeing.
Log Name: Operations Manager
Source: OpsMgr SDK Service
Date: 2/4/2015 1:11:59 PM
Event ID: 26319
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: xxxxx.xxxx.xxxxxxxx.xxx
Description:
An exception was thrown while processing UpsertUserRolesV2 for session ID uuid:f3b4015e-9583-4237-b7a6-406826434553;id=40.
Exception message: The creator of this fault did not specify a Reason.
Full Exception: System.ServiceModel.FaultException`1[Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException:
Unable to resolve the user [email protected] associated with the user role. Error code 1332. Check your active directory configuration.).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="OpsMgr SDK Service" />
<EventID Qualifiers="49152">26319</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2015-02-04T21:11:59.000000000Z" />
<EventRecordID>172748</EventRecordID>
<Channel>Operations Manager</Channel>
<Computer>xxxxx.xxxx.xxxxxxxx.xxx</Computer>
<Security />
</System>
<EventData>
<Data>UpsertUserRolesV2</Data>
<Data>uuid:f3b4015e-9583-4237-b7a6-406826434553;id=40</Data>
<Data>The creator of this fault did not specify a Reason.</Data>
<Data>System.ServiceModel.FaultException`1[Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException:
Unable to resolve the user [email protected] associated with the user role. Error code 1332. Check your active directory configuration.).</Data>
</EventData>
</Event>
Thanks for any help I can get in resolving this issue.
Jake

The SCOM Management Server is in Domain A. I've tried it already and it has failed.
So just to clarify the method I used was to go to Administration>Security>User Roles. Then New User Role>Read-Only Operator. In the Create User Role Wizard I then gave the User Role a name, Clicked "Add" under User Role Members.
Then the Select Users or Groups window pops up and I changed the Locations from Domain A to Domain B and searched for the user, which it's able to find, then clicked "OK" to add it to the User Role members which it does just fine. On
the next page which is Group Scope I checked the one group I want this account to have access to and then click next. This brings me to Dashboards and Views where I click the radio button for "Only the dashboards and views selected in each tab are
approved" and chose the folder of dashboards I want this account to access and then click next. This brings me to the Summary and I click "Create". At this point it thinks for a moment then closes out the wizard but the new Read-Only
Operator does not appear. I then look in Event Viewer and see the Event I pasted above.
Am I doing something wrong here? Any guidance on how to get around this issue would be much appreciated.
Thanks,
Jake

End User Role for Service Desk in Solution Manager

Hey,
I am launching the Service Desk functionality for my End Users. One thing that i want to know of is the role that I should assign my user in Solution Manager to access his message. E.g.
I have a user 'A' who creates a message from any system in my landscape:Test, QA, Dev or Production. Now this message reaches in Solution Manager and is assigned to a certain Support Team according to the rules I defined. Now the personnel of Support Team needs some feedback from the end user who created the message. For that the user 'A' has to log into Solution Manager, access his message and enter the details which the Support Team requested.
I want to know that what Role should i give to this user 'A' so that he is able to access ONLY the messages that he created i.e. "Reported by" field showing user 'A'; and is able to view and edit them.
If I give him the role SAP_SUPPDESK_CREATE and SAP_SUPPDESK_DISPLAY, he is just able to see the messages, all of them, but is not authorized to edit any. Please help me out in this matter as i need a solution asap.
Regards,
Bilal Nazir

Hi Nazir,
Create a role and add this t-code manually.
CRM_DNO_MONITOR - Transaction Monitor
This is will definitely solve your problem.
Feel free to revert back.
Thanks and Regards,
Ragu
ERP,
Suzlon Energy Limted, Pune
Extn: 2638
+919370675797
I have no limits for others sky is only a reason

Restricting values of a dropdown based on user roles

Hi,
Is it possible to restrict the values of a custom metadata dropdown based on the user roles (assuming only 1 role is assigned to each user)? Say, based on the role assigned to a user, he/she should see only 3-4 values out of 10 values in a dropdown on the checkin page. Please suggest.
Thanks.

You can get pretty close out of the box using some configuration manager applet voodoo
1)First off create a Table that will contain the options for your list. Create the columns e.g. label and id and then also create a column called dSecurityGroup
2)Add a view based on the table you just created, choose the Security tab and select "Use standard document security"
3)Add some values to your view - make sure that you populate the dSecurityGroup column with real values of security groups
4)Once it is all published, have a look at the checkin and search screens. You should find that UCM will evaluate the options in the same way it would documents - based on the dSecurityGroup value you applied to the row - e.g. you will see an option on the search screen if you have at least R permissions, you will see an option on a checkin screen if you have at least RW permission
Try it out :-)

How to get the type of user role in ISF?

We have functionality to hide all the buttons on Monitor task, which was successfully achieved by javascript. But we need to enable these buttons for only Site Administrators, so that they only can do necessary modifications upon request from end users. Can someone point me to correct direction how to get the user role when a user is not a Site Administrator. Thanks in advance.

What about having your custom ISF onload script first run a db query (on older version called a rcFetch) which would evaluate if the person loading form is a member of the site admin ou.
Here's a rough example:
ISF_onLoad()
rcFetch('Q1','Q1PL=' + UserID);
This will then run a query to validate if the person is a member of the admin ou.
SELECT * FROM DirOrganizationUnitPeople WHERE PersonID = #P1# AND OrganizationalUnitID = 1 (this should be the id of the site admin ou or the ou which you are referring to as an admin)
then have a call back to determine if any records where return, which indicate the person is a member of the site admin ou.
function Q81_DataCallback(retArray, queryList)
if (retArray['Q8500._COUNT_'] == 1)
{ *Show the fields* }
Hope this helps.

On the web how can I check the user role to display the form suitable for this role i

Hello
How can I check on the web the use role to display the a form for each role
Example
If the admin login I display admin_form.fmb and if user login I display
user_form.fmb
Thankx
Tamer

In my forms I hide tab pages according the role using something like the following script in the WHEN_NEW_FORM_INSTANCE trigger.
So the user can not navigate to tabs which are vorbiden by his role.
CURSOR users_roles_cur IS SELECT granted_role FROM user_role_privs
WHERE username=(SELECT user FROM dual);
user_roles_rec users_roles_cur%ROWTYPE;
IF users_roles_cur%ISOPEN
THEN
CLOSE users_roles_cur;
END IF;
OPEN users_roles_cur;
LOOP
FETCH users_roles_cur INTO user_roles_rec;
EXIT WHEN users_roles_cur%NOTFOUND;
MESSAGE (user_roles_rec.granted_role);
PAUSE;
IF RTRIM(user_roles_rec.granted_role,' ') = 'BLA-BLA'
THEN
tb_pg_id := FIND_TAB_PAGE('activity');
IF GET_TAB_PAGE_PROPERTY(tb_pg_id, visible) = 'FALSE' THEN
SET_TAB_PAGE_PROPERTY(tb_pg_id, visible, property_true);
END IF;
END IF;
END LOOP;
CLOSE users_roles_cur;
Other solution may be is to use an initial form which only will detect the user role and run the appropriate form.
Other solutions are also possible.
Joseph

VL10 batch doesn't allow user role maintenance

A batch job to create deliveries is desired.
A user role was created using VL10CUA (copied from 5001).
Access VL10G to create a variant, but the User Role tab is completely display only.
According to OSS note 310022, step 2 indicates that user role can be maintained for background processing.
Currently using ECC 5.0. Why is the user role tab display only? What changes are necessary to create a variant using the new user role?
I also looked at the screen painter and the fields were "Possible" so that doesn't answer why they are display only when using VL10G.
Regards,
Bela

In VL10CUA, create a new user role from 5001 and click on Chg. Attributes and change F code to 5001.
Then assign the user role in VL10CUV to VL10 Scenario.
This will default the user role in VL10. Save the variant and then run VL10BATCH for the variant.

How to create SR Queue and Custom User Role for technician only see which SR assigned Him/Her and Resolve

Hi
I have created workitem SR advance and Criteria with ID [Assigned To ME] and created user role in Advance operators.
But in technician Console showing which SR he/she created not service desk assigned to him/her.
Please suggest...
Regards
Sheetla Maurya

I have find out Solution .......Create Queue with Service Request Advance and we not need to create any criteria option, After that create custom User role on Advance
operators with View "Assigned To ME"
Regards
Sheetla Maurya

New Request/Service Offerings not displaying on Portal via Catalog Group/ User Role

I have created some new service offerings and request offerings which I have published and are visible on the portal when logged in as an administrator.
I have then added these new items into a catalog group which is tied to a pre-existing user role to target our IT department ( this user role is currently working fine and shows all the other IT related offerings)
The new published items do are not showing up on the portal.
AD sync completed with no errors.
I have done the following to troubleshoot to no avail:
- created a new catalog group and user role to target the new SO RO's to
- targeted directly to a test user rather than the AD group
Some other weird things that I believe to be related to this is that the contents of catalog groups appear empty on local console but when logging on to the SM server to launch console all catalog group items are visible.
we are seeing a lot of error and warning event logs 26319 & 3333
Any suggestions?
Thanks
Pete

did you try to restart the Microsoft Monitoring Agent?
Antoine AL Ibry

User Library - User Roles RoboSource 3

When using RoboHelp Server 7 and RoboSource Control 3.1,
there is a short help topic that describes the User Library - User
Roles - and each permission (what it enables or disables). This is
pretty brief information. I'm having many different issues with
getting permissions set up for each of the authors on my technical
writing team at my company. Does anyone out there have any more
information (more details) on what each permission does and
enables? I don't think I should have to assign all rights,
especially admin and subadmin to all of my users just to get
everything working the way I want it to.

Finally got an answer from Adobe customer support. Having
gone back and forth for a while with a web case and getting no
where fast, I called and talked to the customer support
representative on the telephone. A couple of things helped clarify
my issue. First of all, the difference between X5 and RH7 source
control is that the default behavior when deleting using the client
is now to "hide" topics rather than delete them from the database
permanently. You can keep users from bringing those topics back by
not giving them the unhide right. The only way to actually delete a
topic from the database permanently now is to use the RoboSource
Control Explorer, which breaks the project. Of course, I just check
out the folder fpj file, modify it myself, and check it back in to
fix that issue. But who wants to do that all the time? And not all
of us understand XML and are able to do that. OK, so that is the
first issue. One has to understand that hiding is deleting now. But
on to the second issue. Why was the topic I was deleting only being
hidden from me and not all of the other users are our team? Turns
out I should not be giving Admin and Sub-Admin rights to myself as
an authoring user. Only the "Admin" user account should have these
rights, and only for administration, only use the Admin account.
After removing these rights, I was then able to delete topics and
the topics would then not show up for any of my team. I also found
another issue resolved by taking these rights from my authoring
user account. When I had the admin and sub-admin rights, I could
not re-import topics another time. I would get a message that said
the topic already existed in the project. After removing the
rights, I could then choose to overwrite the existing topic or not.
Thus, my other post in this RoboSource Control forum about wanting
more than a one-liner on user rights is even more important. I
submitted a feature request for better documentation of user
rights. Let's hope someone listens!

Modify Script to Create User Role on Single Database.

Hi All,
Below is the script to create user role on database. Here problem is when I execute this script, it creates user role for all database within an instance and I want it to create user role only on 2 database say TEST1 and TEST2
Can anyone help me to modify the script?
--===================================================================================
-- Description
-- Database Type: MSSQL
-- This script creates a role called 'gdmmonitor' for ALL databases.
-- It grants some system catalogs to this role to allow Classification and Assessment on the database.
-- It then adds a user called "sqlguard" to all databases and grants this user gdmmonitor role.
-- before runnign this script
-- you MUST CREATE A SQL LOGIN CALLED 'sqlguard'
-- This sqlguard login doesn't need to be added to any database or given
-- any privilege. The script will take care of that.
-- Note:
-- If you wish to use a different login name (instead of 'sqlguard') you need to change
-- the value of the variable '@Guardium_user' in the script below;
-- (Look for the string: "set @Guardium_user = 'sqlguard'" and replace the 'sqlguard')
-- after runnign this script
-- Nothing to do, the script already creates the db user
-- User/Password to use
-- User: sqlguard (or any other name, if changed)
-- Pass: user defined
-- Role: gdmmonitor
--===================================================================================
PRINT '>>>==================================================================>>>'
PRINT '>>> Creating role: "gdmmonitor" at the server level.'
PRINT '>>>==================================================================>>>'
-- Change to the master database
USE master
-- *** If a different login name is desired, define it here. ***
DECLARE @Guardium_user AS varchar(50)
set @Guardium_user = 'sqlguard'
DECLARE @dbName AS varchar(256)
DECLARE @memberName AS varchar(256)
DECLARE @dbVer AS nvarchar(128)
SET @dbVer = CAST(serverproperty('ProductVersion') AS nvarchar)
SET @dbVer = SUBSTRING(@dbVer, 1, CHARINDEX('.', @dbVer) - 1)
IF (@dbVer = '8') SET @dbVer = '2000'
ELSE IF (@dbVer = '9') SET @dbVer = '2005'
ELSE IF (@dbVer = '10') SET @dbVer = '2008'
ELSE IF (@dbVer = '11') SET @dbVer = '2012'
ELSE SET @dbVer = '''Unsupported Version'''
IF (@dbVer != '2000')
BEGIN
-- This privilege is required to peform a specific MSSQL test.
-- Test name: SQL OLEDB disabled (DisallowAdhocAccess registry key)
-- Procedure execute: EXEC master.dbo.sp_MSset_oledb_prop
-- Purpose: To display provider property, not changing anything.
PRINT '==> Granting MSSSQL 2005 and above setupadmin server role'
EXEC master..sp_addsrvrolemember @loginame = @Guardium_user, @rolename = N'setupadmin'
END
SELECT @dbName = DB_NAME()
PRINT '==> Starting MSSql ' + @dbVer + ' role creation on database: ' + @dbName
-- find any members of the role if they exist
CREATE TABLE #rolemember (membername VARCHAR(256) NOT NULL)
INSERT INTO #rolemember
SELECT DISTINCT usr.name FROM dbo.sysusers usr, .dbo.sysmembers mbr
WHERE usr.uid = mbr.memberuid
AND mbr.groupuid = (SELECT uid FROM .dbo.sysusers WHERE name = 'gdmmonitor')
-- Drop the Role Members If they exist
IF EXISTS (SELECT count(*) FROM #rolemember)
BEGIN
PRINT '==> Dropping the gdmmonitor role members on: ' + @dbName
DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
OPEN DropCursor
FETCH DropCursor INTO @memberName
WHILE @@Fetch_Status = 0
BEGIN
PRINT '==> Dropping member: ''' + @memberName + ''''
exec('EXEC sp_droprolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
FETCH DropCursor INTO @memberName
END
CLOSE DropCursor
DEALLOCATE DropCursor
END
-- drop the role if it exists
IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = 'gdmmonitor')
BEGIN
PRINT '==> Dropping the role gdmmonitor on: ' + @dbName
exec sp_droprole 'gdmmonitor'
END
-- Create the role
PRINT '==> Creating the role gdmmonitor on: ' + @dbName
exec sp_addrole 'gdmmonitor'
-- Grant select privileges to the role for MSSql Common
PRINT '==> Granting common SELECT privileges on: ' + @dbName
GRANT SELECT ON dbo.spt_values TO gdmmonitor
GRANT SELECT ON dbo.sysmembers TO gdmmonitor
GRANT SELECT ON dbo.sysobjects TO gdmmonitor
GRANT SELECT ON dbo.sysprotects TO gdmmonitor
GRANT SELECT ON dbo.sysusers TO gdmmonitor
GRANT SELECT ON dbo.sysconfigures TO gdmmonitor
GRANT SELECT ON dbo.sysdatabases TO gdmmonitor
GRANT SELECT ON dbo.sysfiles TO gdmmonitor
GRANT SELECT ON dbo.syslogins TO gdmmonitor
GRANT SELECT ON dbo.syspermissions TO gdmmonitor
-- Grant execute privileges to the role for MSSql Common
PRINT '==> Granting common EXECUTE privileges on: ' + @dbName
GRANT EXECUTE ON sp_helpdbfixedrole TO gdmmonitor
GRANT EXECUTE ON sp_helprotect TO gdmmonitor
GRANT EXECUTE ON sp_helprolemember TO gdmmonitor
GRANT EXECUTE ON sp_helpsrvrolemember TO gdmmonitor
GRANT EXECUTE ON sp_tables TO gdmmonitor
GRANT EXECUTE ON sp_validatelogins TO gdmmonitor
GRANT EXECUTE ON sp_server_info TO gdmmonitor
-- Check if the version is 2005 or greater
IF (@dbVer != '2000')
BEGIN
-- Grant select privileges to the role for MSSql 2005 and above
PRINT '==> Granting MSSql 2005 and above SELECT privileges on: ' + @dbName
GRANT SELECT ON sys.all_objects TO gdmmonitor
GRANT SELECT ON sys.database_permissions TO gdmmonitor
GRANT SELECT ON sys.database_principals TO gdmmonitor
GRANT SELECT ON sys.sql_logins TO gdmmonitor
GRANT SELECT ON sys.sysfiles TO gdmmonitor
GRANT SELECT ON sys.database_role_members TO gdmmonitor
GRANT SELECT ON sys.server_role_members TO gdmmonitor
GRANT SELECT ON sys.configurations TO gdmmonitor
GRANT SELECT ON sys.master_key_passwords TO gdmmonitor
GRANT SELECT ON sys.server_principals TO gdmmonitor
GRANT SELECT ON sys.server_permissions TO gdmmonitor
GRANT SELECT ON sys.credentials
TO gdmmonitor
--This is called by master.dbo.sp_MSset_oledb_prop.
--By defautl it should have already been granted to public.
GRANT EXECUTE ON sys.xp_instance_regread TO GDMMONITOR
GRANT EXECUTE ON sys.sp_MSset_oledb_prop TO GDMMONITOR
END
-- Re-add the dropped members
IF EXISTS (SELECT 1 FROM #rolemember)
BEGIN
PRINT '==> Re-adding the role members on: ' + @dbName
DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
OPEN DropCursor
FETCH DropCursor INTO @memberName
WHILE @@Fetch_Status = 0
BEGIN
PRINT '==> Re-adding member: ''' + @memberName + ''''
exec('EXEC sp_addrolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
FETCH DropCursor INTO @memberName
END
CLOSE DropCursor
DEALLOCATE DropCursor
END
-- END of role creation on database
PRINT '==> END of role creation on: ' + @dbName
PRINT ''
-- Change to the msdb database
USE msdb
set @memberName = ''
SELECT @dbName = DB_NAME()
PRINT '==> Starting MSSql ' + @dbVer + ' role creation on database: ' + @dbName
-- find any members of the role if it exists
TRUNCATE TABLE #rolemember
INSERT INTO #rolemember
SELECT DISTINCT usr.name FROM .dbo.sysusers usr, .dbo.sysmembers mbr
WHERE usr.uid = mbr.memberuid
AND groupuid = (SELECT uid FROM .dbo.sysusers WHERE name = 'gdmmonitor')
-- Drop the Role Members If they exist
IF EXISTS (SELECT count(*) FROM #rolemember)
BEGIN
PRINT '==> Dropping the gdmmonitor role members on: ' + @dbName
DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
OPEN DropCursor
FETCH DropCursor INTO @memberName
WHILE @@Fetch_Status = 0
BEGIN
PRINT '==> Dropping member: ''' + @memberName + ''''
exec('EXEC sp_droprolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
FETCH DropCursor INTO @memberName
END
CLOSE DropCursor
DEALLOCATE DropCursor
END
-- drop the role if it exists
IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = 'gdmmonitor')
BEGIN
PRINT '==> Dropping the gdmmonitor role on: ' + @dbName
exec sp_droprole 'gdmmonitor'
END
-- Create the role
PRINT '==> Creating the gdmmonitor role on: ' + @dbName
exec sp_addrole 'gdmmonitor'
-- Grant select privileges to the role for MSSql Common
PRINT '==> Granting common SELECT privileges on: ' + @dbName
GRANT SELECT ON dbo.sysobjects TO gdmmonitor
GRANT SELECT ON dbo.sysusers TO gdmmonitor
GRANT SELECT ON dbo.sysprotects TO gdmmonitor
GRANT SELECT ON dbo.sysmembers TO gdmmonitor
GRANT SELECT ON dbo.sysfiles TO gdmmonitor
GRANT SELECT ON dbo.syspermissions TO gdmmonitor
GRANT SELECT ON dbo.backupset TO gdmmonitor
-- Check if the version is 2005 or greater
IF (@dbVer != '2000')
BEGIN
-- Grant select privileges to the role for MSSql 2005 and above
PRINT '==> Granting MSSql 2005 and above SELECT privileges on: ' + @dbName
GRANT SELECT ON sys.all_objects TO gdmmonitor
GRANT SELECT ON sys.database_permissions TO gdmmonitor
GRANT SELECT ON sys.database_principals TO gdmmonitor
GRANT SELECT ON sys.sysfiles TO gdmmonitor
-- Grant execute privileges to the role for MSSql 2005 or above
PRINT '==> Granting MSSql 2005 and above EXECUTE privileges on: ' + @dbName
GRANT EXECUTE ON msdb.dbo.sp_enum_login_for_proxy TO gdmmonitor
GRANT SELECT ON sys.database_role_members TO gdmmonitor
END
IF (@dbVer > '2000' and @dbVer < '2012')
--This sp is not available in SQL 2012
BEGIN
GRANT EXECUTE ON sp_get_dtspackage TO gdmmonitor
END
-- Re-add the dropped members
IF EXISTS (SELECT count(*) FROM #rolemember)
BEGIN
PRINT '==> Re-adding the gdmmonitor role members on: ' + @dbName
DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
OPEN DropCursor
FETCH DropCursor INTO @memberName
WHILE @@Fetch_Status = 0
BEGIN
PRINT '==> Re-adding member: ''' + @memberName + ''''
exec('EXEC sp_addrolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
FETCH DropCursor INTO @memberName
END
CLOSE DropCursor
DEALLOCATE DropCursor
END
-- drop the temporary table
DROP TABLE #rolemember
-- END of role creation on database
PRINT '==> END of gdmmonitor role creation on: ' + @dbName
-- Role creation complete
PRINT '<<<==================================================================<<<'
PRINT '<<< END of creating role: "gdmmonitor" at the server level.'
PRINT '<<<==================================================================<<<'
PRINT ''
PRINT '>>>==================================================================>>>'
PRINT '>>> Starting application database role creation'
PRINT '>>>==================================================================>>>'
use master
DECLARE @databaseName AS varchar(80)
DECLARE @executeString AS varchar(7950)
DECLARE @dbcounter as int
set @dbcounter = 0
DECLARE DatabaseCursor CURSOR FOR SELECT name from sysdatabases where name not in ('master', 'msdb')
and not (status & 1024 > 1)
--read only
and not (status & 4096 > 1)
--single user
and not (status & 512 > 1)
--offline
and not (status & 32 > 1)
--loading
and not (status & 64 > 1)
--pre recovery
and not (status & 128 > 1)
--recovering
and not (status & 256 > 1)
--not recovered
and not (status & 32768 > 1)
--emergency mode
OPEN DatabaseCursor
FETCH DatabaseCursor INTO @databaseName
WHILE @@Fetch_Status = 0
BEGIN
set @dbcounter = @dbcounter + 1
set @databaseName = '"' + @databaseName + '"'
set @executeString = ''
set @executeString = 'use ' + @databaseName + ' ' +
'PRINT ''>>>==================================================================>>>'' ' +
'PRINT ''>>> Starting MSSql ' + @dbVer + ' role creation on database: ' + @databaseName + ''' ' +
'PRINT ''>>>==================================================================>>>'' ' +
'/* Variable @memberNameDBname must be declare within the string or else it will fail */ ' +
'DECLARE @memberName' + cast(@dbcounter as varchar(5)) + ' as varchar(50) ' +
'/*find any members of the role if it exists*/ ' +
'CREATE TABLE #rolemember (membername VARCHAR(256) NOT NULL) ' +
'INSERT INTO #rolemember ' +
'SELECT DISTINCT usr.name FROM dbo.sysusers usr, dbo.sysmembers mbr ' +
'WHERE usr.uid = mbr.memberuid ' +
'AND groupuid = (SELECT uid FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
'/*Drop the Role Members If they exist*/ ' +
'IF EXISTS (SELECT * FROM #rolemember) ' +
'BEGIN ' +
'PRINT ''==> Dropping the role members on: ' + @databaseName + ''' ' +
'DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember ' +
'OPEN DropCursor ' +
'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'WHILE @@Fetch_Status = 0 ' +
'BEGIN ' +
'PRINT ''==> Dropping member: '' + @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'exec(''EXEC sp_droprolemember ''''gdmmonitor'''', '''''' + @memberName' + cast(@dbcounter as varchar(5)) + ' + '''''';'') ' +
'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'END ' +
'CLOSE DropCursor ' +
'DEALLOCATE DropCursor ' +
'END ' +
'/*drop the role if it exists*/ ' +
'IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = ''gdmmonitor'') ' +
'BEGIN ' +
'PRINT ''==> Dropping the gdmmonitor role on: ' + @databaseName + ''' ' +
'exec sp_droprole ''gdmmonitor'' ' +
'END ' +
'/* Create the role */ ' +
'PRINT ''==> Creating the gdmmonitor role on: ' + @databaseName + ''' ' +
'exec sp_addrole ''gdmmonitor'' ' +
'/* Grant select privileges to the role for MSSql Common */ ' +
'PRINT ''==> Granting common SELECT privileges on: ' + @databaseName + ''' ' +
'GRANT SELECT ON dbo.sysmembers TO gdmmonitor ' +
'GRANT SELECT ON dbo.sysobjects TO gdmmonitor ' +
'GRANT SELECT ON dbo.sysprotects TO gdmmonitor ' +
'GRANT SELECT ON dbo.sysusers TO gdmmonitor ' +
'GRANT SELECT ON dbo.sysfiles TO gdmmonitor ' +
'GRANT SELECT ON dbo.syspermissions TO gdmmonitor ' +
'/* Check if the version is 2005 or greater */ ' +
'IF (' + @dbVer + ' != ''2000'') ' +
'BEGIN ' +
'/* Grant select privileges to the role for MSSql 2005 and above */ ' +
'PRINT ''==> Granting MSSql 2005 and above SELECT privileges on: ' + @databaseName + ''' ' +
'GRANT SELECT ON sys.database_permissions TO gdmmonitor ' +
'GRANT SELECT ON sys.all_objects TO gdmmonitor ' +
'GRANT SELECT ON sys.database_principals TO gdmmonitor ' +
'GRANT SELECT ON sys.sysfiles TO gdmmonitor ' +
'GRANT SELECT ON sys.database_role_members TO gdmmonitor ' +
'END ' +
'/* Re-add the dropped members */ ' +
'IF EXISTS (SELECT 1 FROM #rolemember) ' +
'BEGIN ' +
'PRINT ''==> Re-adding the gdmmonitor role members on: ' + @databaseName + ''' ' +
'DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember ' +
'OPEN DropCursor ' +
'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'WHILE @@Fetch_Status = 0 ' +
'BEGIN ' +
'PRINT ''==> Re-adding member: '' + @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'exec(''EXEC sp_addrolemember ''''gdmmonitor'''', '''''' + @memberName' + cast(@dbcounter as varchar(5)) + ' + '''''';'') ' +
'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'END ' +
'CLOSE DropCursor ' +
'DEALLOCATE DropCursor ' +
'END ' +
'/* drop the temporary table */ ' +
'DROP TABLE #rolemember ' +
'PRINT ''<<<==================================================================<<<'' ' +
'PRINT ''<<< END of role creation on: ' + @databaseName + ''' ' +
'PRINT ''<<<==================================================================<<<'' ' +
'PRINT '' ''' +
'PRINT '' '''
execute (@executeString)
FETCH DatabaseCursor INTO @databaseName
END
CLOSE DatabaseCursor
DEALLOCATE DatabaseCursor
-- Adding user to all the databases
-- and grant gdmmonitor role, only if login exists.
PRINT '>>>==================================================================>>>'
PRINT '>>> Add and Grant gdmmonitor role to: ''' + @Guardium_user + ''''
PRINT '>>> on all databases.'
PRINT '>>>==================================================================>>>'
USE master
/* Check if @Guardium_user is a login exist, if not do nothing.*/
IF NOT EXISTS (select * from syslogins where name = @Guardium_user)
BEGIN
PRINT ''
PRINT '************************************************************************'
PRINT '*** ERROR: Could not find the login: ''' + @Guardium_user + ''''
PRINT '*** Please add the login and re-run this script.'
PRINT '************************************************************************'
PRINT ''
END
ELSE
BEGIN
DECLARE @counter AS smallint
set @counter = 0
-- This loop runs 4 time just to make sure that the @Guardium_user gets added to all db.
-- 99% of the time, this is totally unnecessary. But in some rare case on SQL 2005
-- the loop skips some databases when it tried to add the @Guardium_user.
-- After two to three executions, the user is added in all the dbs.
-- Might be a SQL Server bug.
WHILE @counter <= 3
BEGIN
set @counter = @counter + 1
set @databaseName = ''
set @executeString = ''
DECLARE DatabaseCursor CURSOR FOR SELECT name from sysdatabases
where not (status & 1024 > 1)
--read only
and not (status & 4096 > 1)
--single user
and not (status & 512 > 1)
--offline
and not (status & 32 > 1)
--loading
and not (status & 64 > 1)
--pre recovery
and not (status & 128 > 1)
--recovering
and not (status & 256 > 1)
--not recovered
and not (status & 32768 > 1)
--emergency mode
OPEN DatabaseCursor
FETCH DatabaseCursor INTO @databaseName
WHILE @@Fetch_Status = 0
BEGIN
set @databaseName = '"' + @databaseName + '"'
set @executeString = ''
set @executeString = 'use ' + @databaseName + ' ' +
'/*Check if the login already has access to this database */ ' +
'IF EXISTS (select * from sysusers where name = ''' + @Guardium_user + ''' and islogin = 1) ' +
'BEGIN ' +
'/*Check if login already have gdmmonitor role*/ ' +
'IF NOT EXISTS (SELECT usr.name FROM dbo.sysusers usr, dbo.sysmembers mbr WHERE usr.uid = mbr.memberuid ' +
'AND mbr.groupuid = (SELECT uid FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
'AND usr.name = ''' + @Guardium_user + ''') ' +
'BEGIN ' +
'PRINT ''==> Granting gdmmonitor role to ' + @Guardium_user + ' on database ' + @databaseName + ''' ' +
'execute sp_addrolemember ''gdmmonitor''' + ', [' + @Guardium_user + '] ' +
'PRINT '' ''' +
'END ' +
'END ' +
'IF NOT EXISTS (select * from sysusers where name = ''' + @Guardium_user + ''' and islogin = 1) ' +
'BEGIN ' +
'PRINT ''==> Adding user [' + @Guardium_user + '] to database: ' + @databaseName + ''' ' +
'execute sp_adduser [' + @Guardium_user + '] ' +
'PRINT ''==> Granting gdmmonitor role to ' + @Guardium_user + ' on database ' + @databaseName + ''' ' +
'execute sp_addrolemember ''gdmmonitor''' + ', [' + @Guardium_user + '] ' +
'PRINT '' ''' +
'END '
execute (@executeString)
FETCH DatabaseCursor INTO @databaseName
END
CLOSE DatabaseCursor
DEALLOCATE DatabaseCursor
END -- end while
-- Required for Version 2005 or greater.
IF (@dbVer != '2000')
BEGIN
-- Grant system privileges to the @guardium_user. This is a requirement for >= SQL 2005
-- or else some system catalogs will filter our result from assessment test.
-- This will show up in sys.server_permissions view.
PRINT '==> Granting catalog privileges to: ''' + @Guardium_user + ''''
execute ('grant VIEW ANY DATABASE to [' + @Guardium_user + ']' )
execute ('grant VIEW ANY DEFINITION to [' + @Guardium_user + ']' )
END
PRINT '<<<==================================================================<<<'
PRINT '<<< Finished Adding and Granting gdmmonitor role to: ''' + @Guardium_user + ''''
PRINT '<<< on all databases.'
PRINT '<<<==================================================================<<<'
PRINT ''
END
GO

Thanks a lot Sir... it worked.
Can you also help me in troubleshooting below issue?
This script is working fine on all databases except one MS SQL 2005 database. build of this database is 9.00.3042.00
SA account with highest privileges is been used for script execution. errors received are as follow:
>>>==================================================================>>>
>>> Creating role: "gdmmonitor" at the server level.
>>>==================================================================>>>
==> Granting MSSSQL 2005 and above setupadmin server role
==> Starting MSSql 2005 role creation on database: master
(0 row(s) affected)
==> Dropping the gdmmonitor role members on: master
==> Creating the role gdmmonitor on: master
Msg 15002, Level 16, State 1, Procedure sp_addrole, Line 16
The procedure 'sys.sp_addrole' cannot be executed within a transaction.
==> Granting common SELECT privileges on: master
Msg 15151, Level 16, State 1, Line 117
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 118
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 119
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 120
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 121
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 122
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 123
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 124
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 125
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 126
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
==> Granting common EXECUTE privileges on: master
Msg 15151, Level 16, State 1, Line 130
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 131
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 132
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 133
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 134
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 135
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 136
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.

Showing USER ROLES in LOV..is it possible

Similar Messages

Maybe you are looking for