View Deleted Users Composite Role

Similar Messages

• User Composite Role History

  Hi Experts,
  Do you know if it is possible to track the history of composite roles that have been assigned to a user.
  For single roles there is a table ush04 which shows a history of assigned roles but I have not seen a similar table for composite roles only.

  Table USH04 shows the history of profile assignments which are stored in table USR04 and UST04. Assignements of single roles are somehow visible, too, because of their corresponding profiles.
  But role assignments are stored in another place:
  Table AGR_USERS (actual assignments)
  Table USLA04 (actual assignments in a CUA central system)
  The history of role assignments is stored in standard change documents.
  Use the SUIM report RSSCD100_PFCG for viewing change documents of roles.
  (The list shows all role assignments but does not mark the assignments for composite roles in a special way.)
  However you need at least the Support Packages as describesd in note <a href="https://service.sap.com/sap/support/notes/621720">621720</a> and <a href="https://service.sap.com/sap/support/notes/606636">606636</a>
  Kind regards
  Frank Buchholz

• Viewing/deleting user accounts

  I purchased my MacbookPro used off ebay a while back. It works great, so no worries there, but I would like to view some unknown items before I delete them.
  The users folder has three subfolders: diana, newuser, and shared. I would like to view the newuser files to make sure there's not anything there I need before I delete them, but I get a permission error.
  I checked the accounts listing in the system prefs, and there's not a newuser listed there. So how do I access those files?
  The second question is probably related to the first. I'm using Time Machine to backup my files, but the backup is called "New User’s MacBook Pro. sparsebundle" How do I rename the backup file or my computer or whatever it is that keeps giving the name New User?
  I'm running OS 10.6.7.
  Thanks for your help!

  Just because you are an admin doesn't give you permission to view other user's folders, directly.
  You can view them in the Terminal, or you can just give yourself ownership of those folders.
  If you didn't put anything in the newuser folder, then there is nothing in there that you would need.
  However, to take ownership of the folder so you can check it out, there are two ways.
  In the Finder, select the Folder and type Cmd-I for Get Info.
  At the bottom of the pane is the permissions. Click the padlock and enter your password.
  Click the add ( + ) button.
  Select your username and click Select.
  To the right of your name, click on the menu and set it to read and write.
  Click on the gear icon and select Apply to Enclosed items.
  The other way is to use the Terminal with this command.
  sudo chown -R `id -un` /Users/newuser
  sudo requests to elevate your privileges so that you can run the next command as root (the super user).
  chown is change owner.
  -R tells it to work recursively through all subdirectories.
  `id -un` gets your user name and the command then makes you the owner of that folder and its subfolders.
  It is best to copy and paste the whole line so you don't make a mistake. If you just type up to the first / and hit return, and then enter your password, you will completely FUBAR your Mac. That is why the Finder GUI method is a bit safer and recommended.
  sudo will ask for your password after warning you of the dangers of working as root. When you type the password, you won't see it on the screen.
  The ` character around id -un is a back-tick. It is not an apostrophe. On a US keyboard, it is the key to the left of the 1 key. It has a tilde (~) on the key with it.

• Get child users of composite role

  Hello
  There is FM (ESS_USERS_OF_ROLE_GET ) which bring all user of roles but what i want it's more complicated
  IF there is composite role i want to get all the user that in the roles under the composite role .
  Let say i have composite role with two roles inside (in the role tree ) .
  Composite role
  user1"this is the users of the composite role
  user2
  user3
  Role number  1
  user4
  user7
  user9
  Role number 2
  user 8
  user 5
  user7
  user6
  What i want is to get all the users of the composite role  and the child  role (which is parent ) .
  which is .
  users 1 - 9.
  I read some previous post on this issue in the forum but what I need is to use just this FM without access  to the DB
  table such as T_AGR_AGRS and COLL_ACTGROUPS_GET_ACTGROUPS ,
  What i need to do is recursive call on  the FM ESS_USERS_OF_ROLE_GET  .
  Regards
  Joy
  Edited by: Joy Stpr on Aug 23, 2009 8:50 AM

  Hello Joy,
  How is it possible to use just function module ESS_USERS_OF_ROLE_GET to get data without DB access?
  I mean this function module takes input as Simple/Composite ROLE so you have to have some list maintained
  which will be input for this function module.
  I think you can load composite and simple role in table and loop at it to make calls to function module ESS_USERS_OF_ROLE_GET to get users for compsite/simple roles.
  Some input has to be there, That's what I feel.
  Check if this helps!
  Thanks,
  Augustin.

• Stopping user compare when saving composite roles in 4.6c basis pack 25?

  One of the environments I look after is a 4.6c system with basis pack 25 – they can’t upgrade as it breaks a great deal of very heavy customisation in that system.
  We have encountered an issue with the saving of composite roles in that system - when a role is saved we must sit through a very long period of “user distribution in role XXX” while the system performs a user compare of every singular role in that composite role.  This is very painful as it can take nearly half an hour simply to save the composite role – we then need to rebuild the menu and compress it (we use the composite role’s menu structure).  The odd thing is that this behaviour wasn’t apparent for many years – it suddenly started happening about 2-3 years ago to a previous administrator but he wasn’t aware of any changes going through, it just began to force these lengthy compares on him when saving composites.
  I’ve tried in vain to disable this forced compare on every save – I’ve tried the PRGN_CUST modifications including adding the lines “AUTO_USERCOMPARE” with a value of “NO” and “USRCOMPARE_PFUD” with a value of “YES” to try and stop the profile generator from doing this but to no avail.  Unless these settings need a restart of the system to take effect (do they?) I’m at a loss to find any other options.
  The menu setting in the profile generator of “automatic user master adjustment when saving role” is switched off – though setting “auto_usercompare” seems to have broken the ability to bring up the “settings: role maintenance” dialogue box anyway.
  We have a very large number of roles to modify and would be grateful if anyone could offer any advice here.
  Thanks
  DT

  the problem with your issue is that none of use can reproduce that phenomenon, since none of use has that combination of primal release/support package level at hand any longer (at least i think so). so there's only two options left to you:
  first: update this special application until the problem goes away - do so by adding note after note on the very subject, like the one i mentioned plus [905924|https://websmp130.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=905924&nlang=EN&smpsrv=https%3a%2f%2fwebsmp107%2esap-ag%2ede] plus [662484|https://websmp130.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=662484&nlang=EN&smpsrv=https%3a%2f%2fwebsmp107%2esap-ag%2ede] and stop only when you hit one that is not implementable using SNOTE but only by implementing a support-package -> this will obviously be the point where you're stuck then.
  (and yes - for the sake of rob burbank: there are several other ways to implement corrections aside from SNOTE).
  second: open a call with SAP. mind you, this might become a lenghty one since they will also give you note after note ...
  as i said, i'm pretty sure no one in here can help you doing a proper analysis anymore (but maybe i'm wrong).
  anyone - any other (better) suggestions?

• Mass deletion of SAP roles from users

  Hello All,
  i need to delete all assinged roles from a big number of users. I know the users but not the roles which the users have. I need to delete all roles from the users-id's.
  I know SU10 and i can select all my needed users. But in the role tab i can not work with roles-names like Z* to delete. I can select all z*-roles and select "remove" but when i click to save, i get the message no changes made on the users???
  Any idea?
  Gruß
  Toni

  Hi David.
  David Berry wrote:
  I take it this is being run in PRD? What checks are being carried out during the table entry deletions and are you 100% happy sitting at your keyboard when pressing the 'run' button?
  Changes are made in PRD. The program was tested and is approved by each customer.
  Is there an easy way back to the previous state should it go wrong and how do you explain it to the auditors if needed that you assigned-number of roles in PRD against your own user ID possibly with no CDHDR/CSDPOS entries to back you up.
  Sorry for the 'negative vibes' but I don't like direct table maintenance in PRD for security.
  Best wishes
  David
  The way back is uploading the old role assignment previously exported from AGR_USERS. The program takes an excel sheet. In addition this excel sheet is attached to the change requests.
  From risk perspective we say (and experienced): mass changes through copy and paste lead to much more errors and faulty authorizations.
  Regarding direct table maintenance: standard function modules are used (like the one mentioned above) and the changes are visible in the change documents, Therefore the auditors grant an exception for using such tools.
  Cheers, Tobias

• SIngle riole that belong to composite role with user

  HI,
  There is option when user are belong to single role and also belong to composite roles (that include the single role ) ?
  BR
  Nina

  There is option when user are belong to single role and also belong to composite roles (that include the single role ) ?
  SIngle role is created by pfcg where you assign the role name n safe it as single role n then after t codes been provided the user has been assigned accordingly
  Composite role is same just it contains many roleson to one and similarly the user has been assigned
  Thx
  Mysterious

• Not able to view the 'proxy-to-remote' iView under 'user admin' role

  Hi All,
  I am not able to view the 'proxy-to-remote' iView under 'user admin' role. I need this for Remote role assignment for FBN .
  I am using the portal version EP 7.0.
  Can anybody help me .
  Thanks & Regards,
  Amit Kade

  Hi, Amit
  u have to assign the one iview in User-Admin role
    Goto->Contentadmin-> portal content->content provded by sap->Admin interface->iview template ->select proxy to remote role iview.
  and this iview assign to user admin role the u can able to see.
  if its solve please give me 10 points
  thanks & regards
  chitta

• Delete user with db owner roles

  Dear All,
  I want delete user with db owner roles from all database and from server using sql query.
  So i want using one query to delete user from all database and also from server
  how i can do that?
  best regards,
  Surbakti

  I means it's login.
  I want delete because user whom use that login already resign from my company.
  so if i delete that login i can use that slot for the other user.
  best regards,
  Surbakti
  First you said you want to delete all logins with db owner roles and now you are saying I want to delete use login who has left the company. Was there mass exodus.
  If login was a domain login you should also make sure it gets removed from domain, then from local windows machine  and then from SQL server. If it is SQL Server login it can be removed straight. Search online you would find various methods to remove
  login
  Have alook at below links
  Question about removing logins from database
  Drop login
  Also note that any job which the login owned would be affected if login is removed. So you need to be careful
  Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it
  My Technet Wiki Article
  MVP

• How to find roles of a Deleted User.

  Dear Gurus,
  Please assist me that how to find all the previous roles once the user has been deleted accidentally.
  Thanks,
  Regards,
  Kalyan Kumar.

  Hello Kalyan,
  you can find out the User classification and the status of the user (locked , deleted or active) in System measurement.
  i.e.... "usmm" T-code for System measurement, this will show you the list of deleted users.
  after finding out name of the deleted user/users, you can search for the customized profiles created in your system land scape.
  in my organization, we will create profile for the end user based on SOD (list of T-codes, Organisational data and activity on the T-codes.
  i.e... if user name is "kalyan" we will create a profile by following nomenclature.
  "zKalyan" or "Ykalyan".
  you can search your SAP system for the list of profiles avaliable, and also go through the user matrix.
  "scum" is central user administration, here you can find more information on the users.
  Best regards,
  Raghav.
  reward points, if helpful to you##

• Assign views to user roles

  Hi,
  we have created views for a particular application. Now we want to assign it to particular user "roles". Iam not sure of few things.
  1) How to create a role ?
  2) How to assign a particular view to a respective role?
  Thanks in advance,
  Raviraj

  Follow given steps:
  1 . For creating roles use the transaction PFCG ( Role Maintenance)
  2 . After creating the role ,inorder to provide authorization access to PCUI application use the authorization object BSP_APPL.
  After adding the BSP_APPL auth object ,you get 2 rows under 'Application Scenario' add your PCUI application object name and under 'View for UI Display ' add the view name.
  Thanks,
  Thirumala.

• How to revoked 'ANY' privileges being granted to user or role

  Hi all,
  I need to be revoked all 'ANY' privileges that have been granted to all non-DBA user or Role in the database.
  To achieve this what i assume is
  1> i need to find out Role as well all user who are non-DBA
  2> For all non-DBA user i need to find out and revoked 'ANY' privileges if they would have.
  Here i need some information about all tables related to privilieges and non-DBA users
  The below are some example as a reference.
  USER Privileges
  CTXADMIN SELECT ANY TABLE
  PUBLIC MERGE ANY VIEW
  LAXORA ANALYZE ANY
  EXECUTE ANY PROCEDURE
  GRANT ANY ROLE
  INSERT ANY TABLE
  SELECT ANY TABLE
  LAX_NEW ANALYZE ANY
  CREATE ANY TABLE
  DELETE ANY TABLE
  DROP ANY TABLE
  INSERT ANY TABLE
  SELECT ANY TABLE
  USER_NEW SELECT ANY TABLE
  Thank n reagrds
  Laxman

  Hi,
  LAX_ORA wrote:
  Hi all,
  I need to be revoked all 'ANY' privileges that have been granted to all non-DBA user or Role in the database.
  To achieve this what i assume is
  1> i need to find out Role as well all user who are non-DBA
  2> For all non-DBA user i need to find out and revoked 'ANY' privileges if they would have.
  Here i need some information about all tables related to privilieges and non-DBA users
  The below are some example as a reference.
  USER Privileges
  CTXADMIN SELECT ANY TABLE
  PUBLIC MERGE ANY VIEW
  LAXORA ANALYZE ANY
  EXECUTE ANY PROCEDURE
  GRANT ANY ROLE
  INSERT ANY TABLE
  SELECT ANY TABLE
  LAX_NEW ANALYZE ANY
  CREATE ANY TABLE
  DELETE ANY TABLE
  DROP ANY TABLE
  INSERT ANY TABLE
  SELECT ANY TABLE
  USER_NEW SELECT ANY TABLE
  Thank n reagrds
  LaxmanYou can fiind out all the users and roles who have been granted system privileges by querying dba_sys_privs.
  For example:
  SELECT     grantee
  ,     privilege
  FROM     dba_sys_privs
  WHERE     privilege     LIKE '% ANY %'
  ;The grantee column includes users and roles together.
  If you want to find which users have the dba role, then query dba_role_privs.

• Profile for a composite role

  Hello Experts,
  We are having a problem dealing with a composite role.
  Whenever we add the composite role to a user master; a profile appears for each of the single roles (which is normal) BUT we also get a profile for the composite role.
  We verified in the table AGR_1016  and found that there is a profile asocited to the composite role.
  We tried the clean-up option of the transaction PFUD which did not work in our case.
  We were thinking that may be the role was firstly created as a single role with its profile; and then it mayhave been changed to a composite role without deleteing its profile. Is it possible ?
  Any answer is most welcome!
  Thanks & Reagards

  > We were thinking that may be the role was firstly created as a single role with its profile; and then it mayhave been changed to a composite role without deleteing its profile. Is it possible ?
  Sounds to me as if there has been an import of a composite role overwriting a single role with the same name. The pfcg import facility has very few checks in them so something unwantend could have happened. I think it is not possible to change a role from single to composite with the PFCG or other tools. What does table AGR_PROF say about this role?
  I would suggest to copy the composite to a new name (without copying the singles) and see how that looks. If it is OK you can delete the corrupted role, check wether it is completely gone and copy the new role back to it's original name.

• Assign single role to composite role with alternate logsys assignments

  Dear gurus,
  In a moment of weakness I created a composite role (shame on me) and then noticed something about them which I had not noticed before... -> I was in a CUA master system and in the composite role I noticed that on the (single) roles tab of it, there was a field called "logical system". But it is greyed out.
  Now composite roles from the child logical systems are known to the CUA master system and have a logical system assigned by the text comparison. Assigning the composite in the master system will assign the composite in the child system and that assigns the local single roles in the child system as well -> so far so good and by the book.
  But is there some way to assign a composite role to a user in the master system which is assigned also to the master system, but the single roles of that composite have logical systems which differ from the logical system of the master system? So basically the field is not greyed out in the central composite roles and this composite role then represents an assignment beyond logical system boundaries - much like a "business role" in IDM.
  Has anyone ever done that before and survived? Any pros and cons? Is it at all possible what I am seeing here before my eyes (bar that the field is greyed out)?
  Cheers,
  Julius

  Hi Martin and others,
  I experimented a bit further with this, albeit rather unsuccessfully from the view of useful results.
  While the "target system" field is intended for navigation to the corresponding trusted RFC connection, it is also possible to turn the user menus off. So such a remote role is not going to go anywhere in navigation. If additionally the CUA is active and you create all the target system single roles in the CUA master system as well and assign them to the "target" they are intended for... then the single role menu is transferred to the child system which the role has as a target. But only the menu, and leaves the role in the target as status red. That also means it is only useful for component neutral roles.
  Now comes the hack: If you create a composite role in the master system with local single roles as well but the single roles are assigned to "targets destinations", then when assigning the user to the composite role in the master system, then it also assigns the single roles in the target systems to the user as well as the local system (the master as a child of itself). So it is in fact a halfway business role in the IDM sense, with some naming convention strings attached.
  You also dont see this in the code of SU01, as the USERCLONE Idoc processing seems to be the guilty one to also send aditional Idocs for these single roles with targets assigned to the roles and not the user.
  There is only one major show-stopper in the design of the thing: You can only assign 1 target RFC connection to a single role in the central CUA master system but have to maintain the roles in the target logical system still. That means that roles must be maintained logical system specifically. That also means that you have to maintain the roles directly in production and have a completely different set for development and never transport any roles. They are as unique as their CUA master system "target destination" value and that is the logical system name as well.
  That is a bit of a bummer because it means that you also cannot ever test anything...
  Did anyone ever try to actually use this?
  Cheers,
  Julius

• Deassignment of users from roles

  Hi,
  We have a couple of users in our system who are assigned to some standard SAP roles.
  These roles are themselves not composite roles , but form a part of some composite roles.
  Now when I try to deassign the "blue" users from these roles, it's not possible.
  How do I go about it?
  Please help.
  Thanks,
  Saba.

  Hi,
  Both ways its not possible.
  When I remove the user from the role, it comes back after user comparison:((
  & the role refuses to get deleted from the user.
  Also, both appear in blue.
  Plsss. help..
  Thanks,
  Saba.