Track changes on indirect assignment of roles to users

Hi Experts,
We have been facing an issue where users have roles assigned indirectly(position/job/org unit).
I have checked the relationship between position/org unit and job to find if there are any roles assigned to these position(HRP 1001).
To my surprise there are no roles assigned to any of the position,org unit or job.
Our production system is linked with CUA(Solman) and role assignment is selected as Global.
I have checked both the systems and couldn't find any roles assigned to the position/org unit/job.
These roles are assigned to the users in the year 2005?
I would like to know
1.) How these roles got assigned to the system? Any logs are there to track it down?
2.) either we have to change the CUA setting to local and to run the RHAUTUPD_NEW in production system?
or to run the report RHAUTUPD_NEW in CUA system? am i following the right approach?
Kindly advise and let us know suggestions on this?
Thanks a lot in advance for your help.

Julius,
What change log says about these role assignments?
I think  ,Having the system in part of CUA (SCUM setting :role assignment global) and maintaining postion based role assignment is contradictory.
So better to detach the system and perform PFUD(comparison type :HR org mgmet) to make the role assignments up to date and connect it back .
Thanks,krishna

Similar Messages

  • Assigning the role to user - not getting the page and tabs showing.

    I have a role with a page that contains 2 demo iviews.  They preview ok. but when I assign the role to user, it does not come up.  Could some one send me a help document for SP2?

    I got it.  Need to set Entry Point - Yes.

  • Assignment pfcg-role to user and assignment pfcg-role to business role

    Hello, Gurus!
    What is the difference between direct assignment pfcg-role to user and assignment pfcg-role to business role? What is the effect from assignment pfcg-role to business role?
    As  I see authrizations from pfcg-role assigned to business role have no effect to user...
    Best regards,
    Artuк Litvinov.

    Artur,
    The business role assignment does not give a user that PFCG role.  Instead it is just a mapping table and does nothing more. 
    Therefore that UIU_COMP auth object must exist in the PFCG roles assigned to the user in order for them to use the webclient.  In your scenario let's do the following:
    You have pfcg roles:
    RA
    RB
    You a have business role
    B1
    You have users:
    Joe
    Jack
    Business Role B1 is assigned to role RA which contains UIU_COMP.
    User Joe gets business role B1 and roles RB which does not have UIU_COMP.  This will not let him use the webclient.
    User Jack gets business role B1 and pfcg role RA.  This will work because everything is there.
    This means you need both the correct PFCG plus business role setup to make it work properly.
    Take care,
    Stephen

  • Assigning Roles to Users and Groups

    Hi,
    We have installed EP 5.0 SP4...with Content Management...we configured the LDAP to Portal......all the users are maintained through LDAP only...the problem is assigning the Role's to user..here in portal how to assign the roles to the users...we are not getting the Role assignment option under Portal Admin TAB..is there any way to configure the roles to User's are Group's.....
    it is an urgent assignment for me..help can be appreciated...
    sudhir

    Sudhir,
    You can assign the roles to users and groups as below.
    1. Select the System Administration in the top level navigtion
    2. Select user administration
    3. You can search for a specific user or a group from this iView.
    4. Use the edit button to edit the profie of the user or group.
    5. Search for the role in the search iView.
    6. Add the role to the user of group and save.

  • Problem in assigning roles to users

    Hi
    I created Role in EP, which i want to assign to the users. i assigned that role to user. the user i not able to access the particular iviews. i attached some R/3 transactions iviews to that role. it says unable to lookup the system or system alias. when i assign that role to me, i'm able to access that iviews(R/3).
    i have superadmin role permissions.
    what default roles and permissions need to assign for users.
    suggest me
    thx
    pradeep

    Hi Pradeep,
    In SP9 apart form creating a System, we need to assign permissions for users.
    Follow this path:
    System Administration -> Permissions -> <select your System in Portal Content> -> Open Permissions <on right click>. This would take you to the Permission Editor.
    Here you need to add the user and assign permissions.
    Please check this and let me know if its working.
    Awaiting Reply.
    Warm Regards,
    Ritu

  • How to track changes in a hyperion application for SOX control?

    Hello all,
    We have been working on identifying the best way on how to track changes in a hyperion application in regards to the SOX control.
    The following areas have been identified as the main areas of an application where the changes are to be tracked:
    Monthly data load from ODI
    Calculation of data
    Metadats change
    Formula edit
    Changes to reports
    Changes to security
    Can anybody please suggest the best ways to do this? Has anyone experienced this issue before?
    Somebody suggested that there is hyperion auditing available.
    Is there any other software that is available that can do this or just documenting the changes would be the best option?
    Please suggest. Toyr response would be appreciated.
    Thanks.

    Shared Services allows the auditing of provisioning and life-cycle management activities to track changes to security objects and the artifacts that are exported or imported using Lifecycle Management Utility.
    For Shared Services auditing, refer Page 129 of http://download.oracle.com/docs/cd/E12825_01/epm.111/epm_security.pdf
    Planning Administrators can select aspects of the application for change tracking. For example, you can track changes to metadata, such as when users change a member property or add a currency. You can also track changes in data forms, business rules, workflow, users, access permissions, and so on.
    For Planning auditing, refer Page 56 of http://download.oracle.com/docs/cd/E12825_01/epm.111/hp_admin.pdf
    HTH-
    Jasmine.

  • As a Hyperion Admin how to track changes if one user changes / creates user

    1) in Hyperion how Admin can find if one user
    Password resets logged.
    2)In hyperion how Admin an fine if one user
    Creation, change and deletion of User accounts logged.

    Shared Services allows the auditing of provisioning and life-cycle management activities to track changes to security objects and the artifacts that are exported or imported using Lifecycle Management Utility.
    For Shared Services auditing, refer Page 129 of http://download.oracle.com/docs/cd/E12825_01/epm.111/epm_security.pdf
    Planning Administrators can select aspects of the application for change tracking. For example, you can track changes to metadata, such as when users change a member property or add a currency. You can also track changes in data forms, business rules, workflow, users, access permissions, and so on.
    For Planning auditing, refer Page 56 of http://download.oracle.com/docs/cd/E12825_01/epm.111/hp_admin.pdf
    HTH-
    Jasmine.

  • Assigning the role automatically when a user is created.

    Hi all,
    we are usign the EP 7.0 eph1 sp6 . we have a requirement that:
    When we are creating a new user and click save, then a user is created and to that user automatically a role should get assigned (without manual assignment of role to user). the role will have the framework page etc.
    and suppose we are assigning some role to the same user the above assigned automatic role should be deassigned automatically again.
    is there any possible way.
    Please help.
    regards,
    kavitha

    Hi
    When we are creating a new user and click save, then a user is created and to that user automatically a role should get assigned (without manual assignment of role to user). the role will have the framework page etc.
    for the above one we can follow the simple process ,
    as u need 2 assign the role automatically  while creating the user it self, u have to do the following.
    In user Adminstartion we have a button called Copy To New User.
    u just slect a user already created and just click on the button above, the  new user which is going to be created will get all the credntails and roles groups ,everything as the previous one.
    Just have a try .
    Sandeep

  • Indirect pfcg role assignment - no roles in SU01

    Hi experts,
    I would like to assign PFCG roles via indirect assignment, this means i would assign roles with the organisational model (transation ppomw).
    I did the assignment and i executed the transaction pfud for user master data reconciliation. But the pfcg roles are not assigned to the user (see roles in transaction SU01). Usually the roles should be displayed (in blue and with xflag for indirect assignment).
    Are there any customizing configurations i have to keep in mind?
    Hope you can help as fast as possible.
    Thanks a lot and best regards,
    Natali

    Run PFUD if this is still an issue.

  • Need to delet or assign individual roles without changing all existing role

    Hi
    I am looking for a way in order to delete or add single roles without touching all other roles a user has.
    I found various BAPI_USER_* , however they always change the entire role assignment.
    Does anybody got an idea or an associated BAPI`?
    Thanks a lot,
    Kind regards,
    Mingolo

    Hello Minima
    The corresponding BAPI is BAPI_USER_ACTGROUPS_ASSIGN. In to delete only specific roles you first have to read the assigned roles of the user using BAPI BAPI_USER_GET_DETAIL.
    Now here the procedure:
    (1) Read the assigned roles for a given user using BAPI_USER_GET_DETAIL. The roles are returned in TABLES parameter  ACTIVITYGROUPS.
    (2) Delete the role you want to unassigned from ACTIVITYGROUPS.
    (3) Change the user using BAPI_USER_ACTGROUPS_ASSIGN with the modified list of roles (in ACTIVITYGROUPS).
    The logic behind this is as follows:
    - the BAPI BAPI_USER_ACTGROUPS_ASSIGN compared the imported list of roles with the currently assigned roles.
    - If one is missing, it is unassigned.
    - If one is new, it is assigned.
    - All others role assignements remain.
    Regards
       Uwe

  • Moving roles with user assignment

    Hi There,
    Need your help...
    We have roles and users created in QA for training, now we want to move roles from QA to Production with user assignment.
    Users that are created in QA for training have also been created in Production, is it possible to move the roles from QA to Production with the user assignment.
    Thanks and Regards,
    Azher.

    Table PRGN_CUST does'nt contain any entries, its an empy table in QA.
    USER_REL_TRANSPORT entry with value NO locks system from TR imports with User assignment. So you have to ensure your target system-Production does not has that entry in PRGN_CUST.
    TR is geting created in Local change request which cannot be moved to Production.
    This TR request are created in Local Change request only when you do not specify a target system/group . All you need to do is specify the "Target" while creating the TR in PFCG (subsequent screen after you hit Create request) and release your TR via SE10. Once released, the TR would be added to the import queue of Production. You/your Basis team can import it manually via STMS_IMPORT (Extras>Other requests>Add TR and CTRL+F11 to import). If there are any errors please have Basis team to review the transport logs.
    P.S:  You can only transport direct user assignments of roles via PFCG transport option described in my post. In case of indirect user assignments that were created using Organizational Management (HR-Org), you will have to use transport functionality in Organizational management.
    Thanks
    Sandipan

  • Report to track changes to infotypes prior to running the  payroll interfac

    wants a report to track changes to infotypes prior to running the  payroll interface.  The attached report looks like it should work but it returns nothing.  Is there config that turns on "Track Changes": for select infotypes?  If so, can they be activated for key infotypes so this report will run?
    Name, Address, position, etc.
    Not attendance and absence ITs.

    Hi,
    IMG – Personnel Management – Personnel Admin – Tools – Revision – Set up change document:
    This node has three items:
    Infotypes to be logged
    Field Group Definitions
    Field Group Characteristics
    Using these three options you define which infotypes you wish to log, then which fields, then you define which groups of fields are to be saved. Click each link, or see the sections below:
    Infotypes to be logged
    Here you define which PA infotype numbers you require logging. Select New Entries and enter a transaction class (A for Pers Admin, B for recruitment), then enter the infotype number and save.
    Field Group Definition
    When changes are made to a logged infotype, the field contents before and after are recorded. This is the very reason for logging the infotype, but there is an overhead in performance and disk space used so it needs to be given consideration. Typically you will want to record fields that are pay relevant.
    Using the field group definition, you specify which fields you wish to record changes in. When any of the fields in the group are changed, all the fields in the group are saved. You can use an asterisk to log all the fields of the infotype but this is not recommended for space and performance, also there are many fields on an infotype that you will not be using, that will be saved also. Ideally you will pick individual fields of the infotype and enter them like so:
    The field group number is a freely defined number you allocate to the group, it will be used in the next step. For normal use, simply pick any number not already used in that infotype. All fields with the same field group number are recorded in the log, even if they have not changed.
    Click New Entries and enter the infotype number, field group number and field names that you wish to record.
    Field Group Characteristics
    When you have set up the field group numbers, use the field group characteristics to activate the logging of those fields. You can also specify a supplementary field group; this means that the contents of another field group can also be saved at the same time, even though the contents have not changed. In practise it is not used much. Simply select new entries, enter the transaction class, infotype, and in the DocFieldGr enter the number you assigned to the field names that you want to store, then enter L for Long Term Documents (short are not supported)
    The Audit Report
    To access the report showing the logged infotype changes, use the HR report tree available from various menu paths, including:
    Main Menu – Human Resources – Pers Management – Administration – Info System – Reports - Documents – Infotype change – logged changes in infotype data. (RPUAUD00).
    When you run the report, select the infotypes you require, and select and execute.
    Cheers
    Prasanth

  • Assigning roles to users dynamically

    Hi
    I need to assign manager role to the user if he has any users under him and usassign the role if he has no users under him. when ever a users manager is changed OIM has to check no of users under the manager and if it 0 then manager role has to be unassigned to him and when the user is placed under another manager OIM has to check whether manager role is assigned to him if not and then assign manager role to new manager
    please suggest
    Regards
    A Abhinay

    Create a trigger on manager field. Whenever manager changes for any user just grab the USER ID of manager and validate whether he has any direct reports or not. If yes then do nothing, else remove from Manager Role.

  • SECATT for assigning roles to users

    Hi All,
    How do we make the ECATT to work for the below scenario:
    Users already have roles assigned to them. We need to add a new roles to the users which can vary in number based on the users job.
    A simple ECATT script that was developed to add a single role to a new user does not work in the above case and gives an error of invalid batch input. How do I create a ECATT to assign role to user who already has a set of roles assigned (number of roles assigned to users differ, so I cannot assume to train the ECATT to assign a role on line X). Is there something I am missing while the ECATT script creation?
    We are doing this from a CUA and its very difficult to assume how many roles a user could have.
    Thanks,
    Jay

    Thanks Alex for the insight. For some reason SU10 is slow in the CUA environment and I wanted to avoid it but yes I finally had to use SU10. Talking to one of our ABAPer I came to know that even in their BDC recordings they get the error which I receeived, but he changes his program to skip all the lines with data and then fill the empty line.
    In CUA environment, how do we create ECATT to delete a role from many users?
    Thanks,
    Jay

  • Track Changes made in Routing Operation Detail

    Hi gurus,
    I need your help with Routings.
    We have a process where if a change is made into the Routing, we have the Change Master process and a Change number is assigned to this Routing.
    For example, if a change is made into the Description of the "Operation" into the Routing, I can see this change with transaction CA60 and CA61.
    But, if a change is made into the "Operation Details" i.e.:  change the labour data or the overlapping data (where before it was Required overlapping and now is No overlapping); this kind of change into my Routing is not showed in transactions CA60 or CA61.
    I checked that a changed was made because the "Changed on" field was updated and "Changed by" field.
    Then, I checked the tables CHDHR and CDPOS and I can see that a document was created with the changed that I did, but, it does not show the detail of my change (i.e. old value was: Required overlapping, new value is: No overlapping).
    Do you know where I can see that my change was made? Or, is it possible to track these kinds of changes into SAP? where and how?
    Many thanks for your time and your feedback will be very well appreciated!
    Regards,
    Sandra

    Hi,
    Look for the change history in change header and change positions.
    The tables are CDHDR and CDPOS.
    Regards,
    Renjith Michael.

Maybe you are looking for

  • How to hide some fields in ABAP Query

    Hi, My ABAP Query has a long list of extracted fields. I wanted to set some of these output to "HIDE". This allow User the flexibility to decide what fields to show. How can I set the field to "HIDE" in my query? Thanks bye

  • How do I transfer Lightroom from one computer to another?

    I would like to purchase a new Mac before this good old Mac revolts completely. I store my images on external hard drives and have heard nightmares about others attempting to transfre to a new Computer.  How do I safely transfer Lightroom to a new co

  • Portal migration from Windows to HP-UX

    Dear gurus, We need to migrate portal 6.0 SP12 from Win to HP-UX platform. Oracle is the database. We've installed and configured MSS/ESS/LSO/E-recruiting As basis specialist I plan next steps: 1. Export Win portal database 2. Full installation of po

  • Deactivating the field for input

    Hi friends, I want to deactivate ( to make it read only) a field in standard Tcode for specific company codes. ( For example I want to deactivate company code field in ME22n -> Org data tab ) We have around 20 company codes and this change should be

  • 10.4 DNS forward

    I just upgraded to 10.4 from 10.3 and it has killed my DNS forwarding. I set it up in 10.3 with Server Admin but in 10.4, Apple in their infinite wisdom, decided that that forwarding was a bad thing and removed it from the GUI. Worse yet: it overwrot