Status of roles assigned in SU01

Hi All, Need help to understand the status of a role and effect of user comparison on it... in SU01 assignment to a ID....Cases as below:
1.Role assigned to the ID has expired....The color of the role I have noticed becomes red...why is it so? is it because the role had a new profile generated since the time role got expired in that user? or is it just because role has got expired and so it becomes red in SU01?
And are roles and corresponding profiles which got expired removed from the ID automatically or just both role&profile left as it is with only the role turned red giving the text (User comparison required)...
2.Role assigned to a ID with validity start date set as some date in future. Have seen that in this case too role becomes red after a day!! PFCG_TIME_DEPENDENCY runs..But why is it so??Why does it turn red?

Hi,
Role assigned to the ID has expired. the color of the role becomes red. This is because each role assigned to the user has a validity end period. once this date is crossed, the user will not have authorization to objects contained in the role. You can check more details in AGR_USERS table. there you will find that each role attached to a user has a start and end date.

Similar Messages

  • Role Assignment thru SU01

    Hi there...quick question...after you assign a role to a user id thru SU01 why is the Profile Comp Status button RED under the Roles tab...thanks in advance

    Hello Raj,
    When you assign roles to a user the roles are assigned but the authorizations are not yet active to the users untill they login again or  you compare the profiles of the users.The user compare or Profile compare does compare the existing authorizations and the newly assigned ones and updates the user master record
    Its good to assign the users to the roles and then make a user compare of the roles so that the authorizations are distributed and made active instantly
    **Reward points accordingly

  • Assign biz role through CRM -SU01 and display page at portal

    HI, SDN Fellows.
    I am creating some custom portal roles at portal and mapped it to the custom business roles for some PCUI screens at crmc_blueprint_c --> "Assign Portal Role to Single Role" ("Assignment of CRM Role to Portal Role").
    Currently, our portal UME data source is mapped to CRM system.
    Right now, I have to assign both the CRM Role through SU01(to have access the CRM Object Method at CRM-PCUI application) and Portal Role through User Admin of WAS/portal (to access/display the PCUI iView in the portal).
    My goal is to just assign role through CRM-SU01 and achieve the same output as I described above. Meaning can I just do the role assignment for the CRM role (through SU01) and able to access to the CRM-PCUI application through portal (able to see the pcui screen)?
    Thanks,
    Kent

    What I want is when I assign a role (Sales Manager) said user A in CRM system, userA should able to see the related workset/page/iviews in the portal (without the need to assign the same: Sales Manager role in portal).
    Now, what I have to do is assign the related objects into a single/composite roles in CRM (for backend data access), then I have to assign a portal role (through User Admin of Portal, so that they can see the portal content),
    is that a way we can do it in one step?
    Thanks,
    Kent

  • Indirect pfcg role assignment - no roles in SU01

    Hi experts,
    I would like to assign PFCG roles via indirect assignment, this means i would assign roles with the organisational model (transation ppomw).
    I did the assignment and i executed the transaction pfud for user master data reconciliation. But the pfcg roles are not assigned to the user (see roles in transaction SU01). Usually the roles should be displayed (in blue and with xflag for indirect assignment).
    Are there any customizing configurations i have to keep in mind?
    Hope you can help as fast as possible.
    Thanks a lot and best regards,
    Natali

    Run PFUD if this is still an issue.

  • Fix Business Role / Technical Role assignment in Pending or Failed status

    Hi,
    We are facing issues with few users where Business role assignment or technical role assignment is going into Pending or failed status.
    None of the jobs are failing or throwing any error related with the changes.
    We are running IdM 7.2 version with SP8.
    Is there a way to fix this issue other than removing and reassigning or recreating ID.
    Regards,
    Manish

    Hi Manish,
    If technical role (priv) in failed status, please check Tero's reply in the below post. You can set a periodic job to read users and privs in failed status and use uRetryPrivilegeAdd() function to retry the assignment.
    Failed AD privileges
    I was able to find a document on how to set up the periodic job.
    Retry failed assignments (Privilege)
    You should try searching the forum and wiki for answers. Most of the issues are addressed by our community experts already. Thanks.
    Kind regards,
    Jai
    Message was edited by: Jai Suryan

  • Mass Change for Indirect Role Assignment

    Hi all,
    I am in the process of changing the company’s authorisations from a standard SU01 role assignment to a position based indirect role assignment.
    At the moment I am using PFCG going to the Org Mg button under the User tab then attaching the position that way.  Is there a way of assigning more than one role to a position at the same time?
    Is there a Mass Assignment option in PFCG or is there a separate transaction available to make this process quicker??
    Thanks for your help
    Ian

    you can mass-assign people and roles if you go to transaction PPOME instead of PFCG. to make role assignments from PPOME please apply note 578271 first. be careful whilst implementing this <insert nasty word here> note because some of those view-clusters tend to refuse to load your changes = you can see them, but they don't work - might be you will have to flush table buffers for the changes to take effect.

  • Role assignment not working

    Hi everyone,
    I am trying to assign different roles to different users for GRC - Risk Management 10.0; however it seems like standard roles don't have any affect on type of activity. I have maintained various levels of roles (e.g. risk owner, risk expert, risk manager, etc) using PFCG and assigned almost every role to the users; but it doesn't give them the authorization to create or edit anything, they can only display.
    The only workaround for this was assigning a role with the authorization object GRFN_USER (with 02 Change value enabled) or assigning SAP_GRC_FN_ALL (Power user role which also contains object GRFN_USER). However this would allow users to do "anything" they want which obviously isn't what I seek.
    I have tried changing customization options such as Maintain Custom Agent Determination Rules and Maintain Entity Role Assignment, it hasn't solved anything so far.
    I urgently require your assistance on this issue. Thank you.
    Regards,
    Seckin

    Hi,
    I 'm facing same kind of problem.
    Case 1:
    I tried with:
                      Assigning users to group (abap role) which didn't worked.
                      Assigning UME Role to group (abap role) which worked. Then i assigned the user to the UME Role, but the user is not getting the backend authorizations.
                      Assigning the portal role to the group (abap role), then when i assiged a user to the abap role from R/3 automatically the user is getting the portal role.
    How can i do the same from portal?
    Case2:     
    While distributing the portal roles to the ABAP system (System Administrator -> Permissions -> SAP Authorizations), the status is showing as "Role transfer compleated". but when i checked from the R/3 transaction WP3R, there are no portal roles.
    Why are the portal roles not getting transfered even though the status is green?
    Mr.Chowdary

  • ABAP centered role assignment not working

    I have been trying to implement ABAP centered role assignment for our users but not really having much luck in gettng it to work. I've been trying to make sense of it by using [the help guide|http://help.sap.com/saphelp_nwmobile71/helpdata/en/d2/3e3842b23d690de10000000a155106/frameset.htm] but I must be doing someting wrong. Here are the steps that  take.
    1. Create a single ABAP role - A single role with no menu or authorizatons
    2. Create a UME Group - I name the group exactly the same as the ABAP single role from the previous step
    3. Assign UME Group to Portal Role
    4. Assign mapped user to ABAP role
    Supposedly the ABAP role assingment is supposed to reflect through to the UME group membership so the portal user then sees the associated portal tab.
    Can you enlighten me?
    Thanks in advance

    Hi,
    I 'm facing same kind of problem.
    Case 1:
    I tried with:
                      Assigning users to group (abap role) which didn't worked.
                      Assigning UME Role to group (abap role) which worked. Then i assigned the user to the UME Role, but the user is not getting the backend authorizations.
                      Assigning the portal role to the group (abap role), then when i assiged a user to the abap role from R/3 automatically the user is getting the portal role.
    How can i do the same from portal?
    Case2:     
    While distributing the portal roles to the ABAP system (System Administrator -> Permissions -> SAP Authorizations), the status is showing as "Role transfer compleated". but when i checked from the R/3 transaction WP3R, there are no portal roles.
    Why are the portal roles not getting transfered even though the status is green?
    Mr.Chowdary

  • Role assignment to users (Change documents)

    Hi
    I was looking through the change documents for users and here i came across  "START_REPORT" under the Transaction column along with SU01 and PFCG. I was not quite sure about what this "STATUS_REPORT" was all about. I was wondering if this is a program. It certainly is not a batch coz we dont run batches here. I am trying to track down this change to the user but STATUS_REPORT is leading me nowhere....
    Any ideas?
    ravi

    Hi ravi
    Could you please explain the problem once more ?
    If you want to see the changes in the profiles of the user(which i take as one example of change documents) then you can use the transaction SUIM and there it'll give you options for change documents as below:
    1) For users
    2) For role assignment
    3) For Roles
    4) For profiles
    5) For authorizations
    and then you can choose the option you want.
    If I can help in some other way then kindly let me know.
    Cheers

  • Indirect Role Assignment in My SAP SRM

    Hello,
    I am trying to do a Indirect Role Assignment in My SAP SRM.
    In my ECC system we have done it through PFCGgotoOrg Mgmt---assign positions and then reconcilitaion
    in HR master data the Sap USer ID is communication through infotype 105
    but in My SAP SRM I need some help on how to do that...
    as HR master data does'nt exist in my SAP SRM..
    so can you please tell me how to do that.
    -Thanks
    Sam

    Hi Its done the same goto PFCG, user tab >org assign > select the position and reconcile, once done do a PFUD then goto PPOSW fine your position and you will see the role assigned to that position then goto su01 to make sure the role has been assigned there to.

  • Role Assignment does not get distributed from CUA

    Hi all.
    I create user and role in CUA client.
    There is no error in role generation.
    When I try to find my role in SU01 by pressing F4 of my role (Y*), system give me message role not found. But that's not my biggest problem.
    I can assign my role by typing manually.
    My biggest problem is only SAP ID get distributed into target system, not the role assignment.
    So in the target system I can see my user id without role assign to it.
    I checked my user id from SCUL. User and profile does not contain any error message in target client.
    I tried with transaction RSCCUSND, still my user id does not contain role.
    I checked my SCUM transaction, profiles and roles has Global settings.
    Does someone can give me a clue why this happens and how to solve this issue.
    Many thanks

    Lets try to simplify the thing in layman language.
    CUA is to manage user ids of different SAP systems (client level) centrally from one system without logging into each of those child systems. To do so, the Central system stores the information of the Roles (and their Text and Generated Profile Name ONLY) and Profiles (standard or non-generated profiles) in few of it's tables like: USLA04, USRSYSACT, USRSYSACTT, USRSYSPRF, USRSYSPRFT etc.
    It doesn't mean that the Roles for the corresponding child system is present in the central system and no need of creating (or making available) such roles in the Child systems. The physical existence of the Role for each system doesn't get transferred in the Central system when you do the Text comparison rather the identity only against the corresponding system.
    So the Roles has to be there in the corresponding Child systems and the Assignment (not physical assignment  -  only linking the name for that child system) of them to the user ids can be done from Central system.
    Also you have got the idea of Text comparison and requirement of keeping or creating roles in each system based on it's nature from the other posts.
    Let us know any more questions you have.
    regards,
    Dipanjan

  • CUA and role assignment

    Hi forum,
    I have a CUA configured where I want the profile and the role assignment to be distributed global from the central system. I can create new roles with PFCG assign, users there, but I don’t see these new roles in the user details in SU01.
    What am I doing wrong?
    Thank you!

    Hi Chris,
    Seems pretty simple to me. Since it is a new role you need to do a text comparision.
    In the central system of CUA execute the report SUSR_ZBV_GET_RECEIVER_PROFILES in SE38 transaction.
    In receiving systems give all the systems that are part of CUA including the central system (in this particular case only central system can be input since the new role is present in central system) Now execute it and then do the role assignment wither through SU01 or PFCG once again. Check once more.
    After every new role creation this report needs to be executed. This is what is known as Text comparison of roles which can also be done in SU01. Check for the pushbutton for text comparision under tabsrtip Roles within SU01.
    Regards.
    Ruchit.

  • Business role assignment get lost

    Hello *,
    from time to time single users report logon problems due to missing business role assignment.
    In these cases business role was assigned via user in tx su01 directly. Whenever it happened the affected user itself is shown for last modifier of user record. But the users of course are not authorized to edit this data.
    We assume that maybe the personalization in web ui could be the reason but up to know the behaviour was not reproduceable.
    Does anyone know this issue?
    Kind regards
    Thomas

    Hi Thomas,
    Sorry but maybe I've explained myself poorly. You said that business roles that were missing are normally assigned directly in SU01. Then, in order to try to understand how they are remove, in SU01 transaction there is a functionality that allows you to see the change history for every add/removal of a role. This will tell you the user that performed the action and which tcode he used.
    Check this functionality that it's available as a menu option in SU01. Maybe it can give you some good clues about what's happening.
    Kind regards,
    Garcia

  • Approval Task for role assignment

    Hello again,
    is there any manual for approval tasks with the SAP Provisioning Framework? There is a task group called Request new business role, but if I use this, the approver approves the request, but the status of the role assignment is "in process"and never changed to "OK".
    I only found these manuals:
    - How To... Create Approval Tasks in SAP NetWeaver Identity Management
    - Implementing role approvals
    But both documents didn't show an end-to-end role-request-and-approval workflow.
    Thanks in advance.

    Hello Matt, hello Peter,
    the web-enabled task "Request New Business Role" and the including approval task are only examples.
    To create own approval processes for your projects you have to understand how approval tasks and pending values work.
    The following document shows the basics of PVOs (pending value objects).
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b0d6b459-3456-2b10-209e-9e78ec9fd97b?quicklink=index&overridelayout=true
    This is documentation of the release 7.0, which is not updated to 7.1. But basics of PVOs are still the same.
    There is also a document which describes approval task for Release 7.1:
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/20b67ad5-c69a-2c10-9da2-9721b1cf749c?quicklink=index&overridelayout=true
    Also a "How-To Guide" is available:
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/904deabf-73b9-2c10-e8bb-8514dc3757f2?quicklink=index&overridelayout=true
    I think this is enough to learn to create workflows in SAP IdM.
    There is also a nice book available with detailed information:
    EN: http://www.sap-press.com/products/Understanding-SAP-NetWeaver-Identity-Management-.html
    DE: http://www.sap-press.de/2007
    I think this will help you.
    Best regrads,
    Christoph Reckers

  • Role Assign Permission

    I am trying to check programmatically if a user has Role assign permission for a Role. The below code returns false even if the user has Role assign permission.
    IAclManager mgr = UMFactory.getAclManager();
    mgr.hasPermission(iRole.getUniqueID(),iUser, "com.sap.portal.pcd.roleservice.roles.Assign")
    Also, using getPermissionStatus() returns an undefined permission status.
    In addition to the above if the user is an administrator then the above methods return true always.
    Any help is appreciated.
    Thanks.

    Hi Raghav,
    Thanks for your response.
    The target user is a demand planner and would require to change alpha, beta and gamma factors based on changing sales trends.
    In production system, it will be risky to give model configuration permission to such users.
    Regards,
    Aditya G

Maybe you are looking for

  • IF condition in Sapscript

    Hi all, Have created a new window in one of the scripts recently. I was asked to display this  window( with some data) only for company code NL01. So I kept the condition , IF reguh-zbukr = 'NL01'..and wrote the code.. Now Im asked to extend the func

  • Received this error message when starting iTunes and reinstalling does not resolve it:  The registry settings used by iTunes drivers for importing and burning CDs and DVDs is missing.

    Received this error message when starting iTunes and reinstalling does not resolve it:  The registry settings used by iTunes drivers for importing and burning CDs and DVDs is missing... Can I uninstall existing iTunes without losing my media library?

  • Clock in and clock out issue

    Hi All, I am looking for  a solution for the below issue. Please help me out Clock in and clock out details from third party terminal are stored in SAP in IT2011. My requirement is if the duration between first clock in and last clock out is less tha

  • Query about Data Model Design, UPDATED_ON

    hi on a *.ppt called ODTUG2007_Advanced_APEX.ppt, that i found on google <www.oracle.com/technology/products/database/application_express/ppt/ODTUG2007_Advanced_APEX.ppt>, i found a something that might be very interesting in using in my APEX app...

  • Error Dropping Sequence

    When I try to run the following command: drop sequence mst_scenario_attribute_wbs_SQ; I get the following error: ORA-02289: sequence does not exist I know it exists because I see it when I query: select * from sys.all_sequences s I also see it in PL/