Single role limit to user

Similar Messages

• SSAS 2012 , Role- Limit of users

  Hi Experts , 
  I am working on SSAS 2012 Cube .
  I am implementing Security on my cube for which I have created 2 Roles.
  Question: I need to know how many users can be added in one Role (Member Ship Tab)? What is the maximum limit ??

  Hi Rihan,
  According to your description, you want to know the maximum number of users can be add into a role, right?
  Here is a document that the list the maximum sizes and numbers of various objects defined in Analysis Services components under different server deployment modes.
  http://technet.microsoft.com/en-us/library/ms365363(v=sql.110).aspx
  However, the maximum number of users can be add into a role is not specify on that document. As per my understanding, we can add any numbers of users to the role as we want. In your scenario, how many users do you need to add into this role?
  If you really need to know the maximum number, you can open a support case with Microsoft. Visit this link to see the various support options that are available to better meet your needs:
  http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone
  Regards,
  Charlie Liao
  TechNet Community Support

• Changes like password and removal of roles for all users

  Hi
  i want to change password for all users and remove single roles from all users.When i am doing this in SU10 changes are not reflecting for users.Please help reg this
  Vinod

  Me too...I have never been able to remove roles from multiple users with SU10.  I don't know if it's a bug or (more likely) just a confusing screen, but in 4.7 it never worked for me.

• How many single role we can attach to single user?

  Dear Friends,
  How many single role we can attach to single user?
  Sachin

  Hi Sachin,
  The below parameter can be checked for this topic. Infact the limit is about 9000 for this parameter and typically i have seen ID's in 4.7 environment with around 150 roles or more...
  <b>Auth/auth_number_in_userbuffer</b>
  When a user logs onto SAP, the authorizations contained in the user’s profiles are copied to a user buffer in memory.  The maximum number of authorizations copied is set by this parameter.  The size of the buffer must always exceed the maximum number of authorizations as authorization checks are made only against those in the buffer.
  Refer to OSS notes 84209 and 75908 for more detailed information regarding changes to the size of the user buffer.
  Transaction SU56 shows the contents of the user’s user buffer and a total for all the authorizations in a user master record.
  Hope this info helps
  Br,
  Sri
  Award points for helpful answers

• How to Add a single Transaction to Base role of a User in GRC AC 10

  Hello Gurus,
  I would like to know if it is possible to assign a single transaction to a user in his default roles.
  e.g) We have some Users who have been assigned some default roles, and in some case if a user requires authorization only for a one transaction e.g.) FB08 or for the matter any transaction , instead of adding a role containing many other transactions , we would like to assign only this transaction to the user.
  OR
  In other example , if a user sends a missing authorization request i.e. SU53 screenshot , and that only one transaction needs to be assigned , how can it be provisioned to that specific user ?
  Is it possible in GRC AC 10 , by using CUP or BRM ?
  Looking forward for your opnion.
  Regards,
  Victor

  Hello Victor,
  In this case, why don't you create a role including only FB08? You cannot assign a user a transaction, you have to assign a role. This is the authorization concept in SAP.
  Cheers,
  Diego.

• How to disable the validity of a particular Role for 100 users, in a single

  Hi
  How to disable the validity of a particular Role
  which is assigned to 100 users. (disabling the role of change the validity of the role )
  at present am doing manually, by entering into each user and changing the validity of the role
  Thanks.

  > How to disable the validity of a particular Role for 100 users, in a single ...
  ... shot?
  Assign a reference user to the 100+ users and create events in the factory calendar which assigns and removes the role from the reference user only.
  The downside is that it is not scalable for many of the same concepts at the same time, because a dialog user can at one logon time only have one reference user assigned to them.
  Cheers,
  Julius

• How to assign a single role to all the 700 bi users

  Hi all,
  I have created a new roles, which needs to be assigned to all the users in the BI. I have teh list of users but i need to copy all of them manually and assign that users with this role!!
  Is there any way in which i can use any abap programs/ function module were in i can assign this single role too all the list of users in the bi system!!
  Thanks
  Pooja

  Hi Pooja,
  I guess you are lookign for  way to upload the list of 700 users into transaction Su10 instead of copying and pasting them manually (which will need many manual copy pastes since the number of users which can be pasted into SAP in one shot will be limted to 10-20).
  There is a way to upload all 700 into SU10 transaction in a few clicks. Please follow the below steps:
  1.Get the list of all 700 users in say excel or notepad. Copy all 700 users ids (copy entire column in excel using Cntrl+C)
  2. Login to system and go to SU10 tcode.
  3. Click on 'Authorization data" tab in SU10
  4. In next page you will see a tab called "User" --> select the arrow exactly to the right side for multiple selection.
  5. In new window; there is an icon for "Upload from clipboard"(second last icon in bottom of window). Click on it and you will have the list of 700 users uploaded into SAP. In next window click on "select all" and "transfer"
  Now go into change mode in SU10 and paste the role to be added under tab "roles".
  Get back if you face any issues.
  Soumya

• Single PM Role for Power User

  Dear Experts,
  Kindly let me know whether there is any Single Standard Super Role in PM (SAP_PM_...) to cover all authorisations of PM functions for the use of Power User.
  I know that there are about 49 Standard PM Roles.
  Regards
  Jogeswara Rao

  Hi,
  You can find out standard single role
  then create composite role and include all single roles in this
  Kapil

• Add a single role to different composite roles in one step

  Hello everybody,
  I am working on SAP authorizations, and we often have the situation that a new Tcode is developed and a new role for this Tcode needs to be created.
  Than this new role needs to be added to many different composite roles (sometimes more than 100). At the moment I enter the single role to the composite role and regenerate the menu and this one by one. After that I add them with PFCG_MASS_TRANSPORT to my transport request.
  I don't want to believe that there is no easier way. Any ideas?
  Thank you
  Flo

  Hi Soma,
  great to find a place to be welcome..Thanks
  What you wrote definitely makes sense, but we agreed that every user only gets one composite role assigned and this composite role contains all single roles needed for his job. We do not assign single roles to users.
  The requirement is that every finance guy should get access to it (by the way, it is a report) unfortunately we have many different sites and may different composite roles for the different positions in the finance area.
  And I did not identify a role which is part of every composite role in the finance area, so I would either have to add it to the most common role present in these composite roles and additionally create a new role which gets assigned to the composite roles where I add the T-Code to is not present.
  -> In this example I would add one T-Code to two roles. Which our security manager disallowed me...
  or make this role available in all finance composite roles, which will give these employees access to other T-Codes which are part of the role but which they should not receive.
  -> Which again... our security manager disallowed me...
  So the only solution I imagined was to create a new role which contains this T-Code and to add this role one by one to every composite role.
  And at the end, your concept is also taken into account because the design of this role is open and if we get a new reporting T-Codes which again need to be added to all Finance guys, I definitely add it to this role
  Comments?
  Cheers
  Florian

• How to count direct plus indirect roles assigned per user (8.1.7.4) ?

  Hi, because of the 148 max roles limit in 8.1.7.4 (and because we use Noetix that generates many roles !), we would like to build a query that can be used as an alert and that tells us the following: Number of roles (direct and get from inheritance of roles).
  For instance:
  user howmanyroles
  Fred 12
  Noetix 125
  ..

  1.-
  2.c
  3.a
  4.a
  5.c
  6.b
  7.a
  8.d
  9.b
  10.a -
  11.a
  12.c
  13.b
  14.d
  15.c
  16.a -
  17.a
  18.d
  19.c
  20.a
  21. -
  22.d
  23.b
  24.?
  hope it helps u.
  Thanks
  Kuljeet

• Assign single role to composite role with alternate logsys assignments

  Dear gurus,
  In a moment of weakness I created a composite role (shame on me) and then noticed something about them which I had not noticed before... -> I was in a CUA master system and in the composite role I noticed that on the (single) roles tab of it, there was a field called "logical system". But it is greyed out.
  Now composite roles from the child logical systems are known to the CUA master system and have a logical system assigned by the text comparison. Assigning the composite in the master system will assign the composite in the child system and that assigns the local single roles in the child system as well -> so far so good and by the book.
  But is there some way to assign a composite role to a user in the master system which is assigned also to the master system, but the single roles of that composite have logical systems which differ from the logical system of the master system? So basically the field is not greyed out in the central composite roles and this composite role then represents an assignment beyond logical system boundaries - much like a "business role" in IDM.
  Has anyone ever done that before and survived? Any pros and cons? Is it at all possible what I am seeing here before my eyes (bar that the field is greyed out)?
  Cheers,
  Julius

  Hi Martin and others,
  I experimented a bit further with this, albeit rather unsuccessfully from the view of useful results.
  While the "target system" field is intended for navigation to the corresponding trusted RFC connection, it is also possible to turn the user menus off. So such a remote role is not going to go anywhere in navigation. If additionally the CUA is active and you create all the target system single roles in the CUA master system as well and assign them to the "target" they are intended for... then the single role menu is transferred to the child system which the role has as a target. But only the menu, and leaves the role in the target as status red. That also means it is only useful for component neutral roles.
  Now comes the hack: If you create a composite role in the master system with local single roles as well but the single roles are assigned to "targets destinations", then when assigning the user to the composite role in the master system, then it also assigns the single roles in the target systems to the user as well as the local system (the master as a child of itself). So it is in fact a halfway business role in the IDM sense, with some naming convention strings attached.
  You also dont see this in the code of SU01, as the USERCLONE Idoc processing seems to be the guilty one to also send aditional Idocs for these single roles with targets assigned to the roles and not the user.
  There is only one major show-stopper in the design of the thing: You can only assign 1 target RFC connection to a single role in the central CUA master system but have to maintain the roles in the target logical system still. That means that roles must be maintained logical system specifically. That also means that you have to maintain the roles directly in production and have a completely different set for development and never transport any roles. They are as unique as their CUA master system "target destination" value and that is the logical system name as well.
  That is a bit of a bummer because it means that you also cannot ever test anything...
  Did anyone ever try to actually use this?
  Cheers,
  Julius

• GRC 10 BRM - Approve Single Role assignment in Business Roles

  Hello,
  I want to set up a workflow where any Single Role assigned to a Business Role requires an approval of the Single Role Owner.
  The thing is that my customer doesn't have a Security Administrator, so what they want is that each Single Role Owner could be aware when their roles are assigned to a Business Role, especially when the Business Role Owner is another person.
  Once the Business Role is created, the provisioning would be in charge of Business Role Owners.
  Do you know any way to configure this?
  Thanks,
  Fernando

  Hi Claudio - thanks for breaking it down
  @ Fernando - for the Role Approval Methodology you need to split your approval out to be based on request type. Claudio has shown this up above already. In continuing his example, where the business role goes to path C - you would then have Path C do a line by line approval based on the single role owners
  By using this role approval methodology your single role approvers are indirectly allowing  any user who are approved the business role via an access request and that request is approved by business role owner (which is role owner).
  As mentioned - you are using two different workflow process ids
  Role Build - using BRM to approve the single roles being part of the business role
  Access Assignment - approving the user to receive the business role which includes the single roles
  Regards
  Colleen

• Backend roles neeed for user to access ESS related services

  Dear Experts-
  Can any one of you please point me to a document or let me know what exact role need to be assigned for a user on backend for him to access all ESS related services in Standard deployment.

  read the note 857431
  1129412   ESS: Authorizations and roles for WD services in ERP EHP3
  844639    MSS: Authorizations and roles for WD services in ERP 2005
  785345    Copying authorization default values for services
  612585    New: Authorization default values for ext. services
  The following roles were delivered for ESS with ERP 2005:
  SAP_ESSUSER_ERP05: Single role, containing all non-country-specific
                      functions.
  SAP_EMPLOYEE_ERP05_xx:   Single role with the country-specific
                            functions. Each country version has its own
                            role (with xx = country ID). The corresponding
                            composite role is SAP_EMPLOYEE_ERP05.

• Creating single role by copying profiles from other roles

  HI ,
  I am creating a single role from 4 roles. Ihave copied the authorizations of 4 roles and added into the new role. This is done by copying the profiles.
  Problems Faced :-->
  1. )In table AGR_TCODES i am not able to see the Tcodes for this new single role present in  the new role, whereas if i goto object S_TCODE i am able to see tcodes and have that access.
  2.) Some of the objects are not copied into this new role. Even from the roles whose all other objects are copied into this role.
  Can anybody help me on this and also if someone knows what other problems can be faced by doing this.
  <removed_by_moderator>
  Thanks,
  Rajesh
  Edited by: Julius Bussche on Oct 15, 2008 3:55 PM

  Hi Rajesh,
  If you have created a role by copying authorizations, then it is possible to get the t-codes provided your role contains the auth.obj S_TCODE which you might have copied manually from one or two among the 4 roles.
  If S_TCODE exists in your role then you can find out the t-codes belonging to this role through SUIM->Transactions->Executable for Roles-> Insert your role name
  or
  Go to SE16-> Table AGR_1251->
  In the field AGR_NAME, give the role name
  In the field OBJECT, enter S_TCODE and then
  Execute.
  Q.My second question THere is one role created by some user I am checking it in AGR_Tcodes and SUIM ....I am finding that the no. of Tcodes in both cases donot match....Can anybody tell where i can look for this and what is the possible reason.
  Possible reasons for this could be that some of the t-codes have been entered into the role manually and not through the menu in PFCG and as mentioned earlie that AGR_TCODES only shows the transactions that exists in the menu of the role.
  It could also be that the manually entered t-codes contains wildcards specifying a range of values.
  The best option would be to find it out from the AGR_1251 table.
  Hope this helps !
  Thanks,
  Saby..

• Help with copying permissions and roles from one user to another. Issue with RoleDefinitions

  I need help please. 
  I’m trying to copy a role definition/name in SharePoint 2010 Powershell. 
  The below is only a piece of my script, but I have to find '$SearchUser" and wherever it lives (webs, lists, groups), I need to add "$account" and copy permissions
  from '$SearchUser" . We are doing this to limit certain users from access our farm (by adding a new AD domain that does not contain these users, then deleting the old domain). 
  Every time I run it, it seems to mess up on this line: 
  $role = $web.RoleDefinitions.[$newRoleDef].
   It is acting like the $newRoleDef is null, but it is not. 
  When I outputfile the $newRoleDef, it has values, such as Read, Contribute.
  foreach($Web in $Site.AllWebs)
  if($Web.HasUniqueRoleAssignments -eq $True)
  foreach($WebRoleAssignment in $Web.RoleAssignments )
  if($WebRoleAssignment.Member.userlogin)
  if($WebRoleAssignment.Member.LoginName -eq $SearchUser)
  $WebUserPermissions=@()
  foreach ($RoleDefinition in $WebRoleAssignment.RoleDefinitionBindings)
  $newRoleDef = $RoleDefinition.Name
  $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($account)
  $role = $web.RoleDefinitions.[$newRoleDef]
  $assignment.RoleDefinitionBindings.Add($role)
  $_.RoleAssignments.Add($assignment)

  Hi,
  Glad to hear that you solve this issue, thanks for your sharing.
  Thanks,
  Linda Li
  Linda Li
  TechNet Community Support