Mass Update Roles

Question: Hello,

I wanted to remove one role from a large group of users using the Environment > Mass Changes. I chose the users, added the role that I want removed, chose the 'Remove' radio button, and tried to save. I get the error "Do not confuse "Add" and "Delete" for roles and profiles". I navigate to the Profiles tab, see the corresponding profile for the role I want removed from all the users and follow the same steps there and am successful. However, when I go to the user record I still see the role in their setup but not the profile.

Any help would be appreciated.
thanks!

Answer:
Calgary,

It's my understanding that in order to use the remove role, you must also know the date the role was added. So in the user master, say the validity date for the role was 05/05/2005 to 12/12/9999. You must put the role name and the date, then hit the remove button. This will remove only those that have that particular date. You must make sure that everyone you are removing it from has the same date, otherwise mass remove by date groupings.

twistsgrl

Answer:
twistsgrl,

Thank you! That was exactly the issue and now using the validity dates I have successfully removed the role.

Answer:
We use this a lot with no problems. In mass change under role select the role you want to delete - select remove and before executing go to profile and change the add to remove, then execute. Should work fine. In SU01 you will see an ending date which should be the previous day. You can remove this by running PRGN_COMPRESS_TIMES or leave it so you can see what happened in case a user calls to say they lost access.

Answer:
Brilliant instructions thanks for that: t'has been baffling me for some time. have always run a CATT to do this job

amazed this is the only post on this message type - nothing, as far as I could see, on service.sap.com/notes - astoundingly...

Answer:
Remove one role from many users - use PFCG and the User tab; to remove many roles from one user, use SU01, Roles tab.

There are several posts (old ones in the search) that address this and the function module you add to the SU01-PFCG-PFUD user exit to remove the expired roles. The PRGN_COMPRESS_TIMES report is relatively new and not available in many versions.

Answer:
In SU01 you will see an ending date which should be the previous day. You can remove this by running PRGN_COMPRESS_TIMES or leave it so you can see what happened in case user calls to say they lost access.

If you want to remove the role completely with SU10, you can specify a beginning date of 01/01/1900 and an end date of 12/31/9999. This will completely remove the role from the user as opposed to end-dating the role.

Changes can always be seen by looking at the change documents for your user.

Answer:
I have a system here with a very large number of expired assignments over a relatively large user base – it’s a 4.6c system so the cleanup program PRGN_COMPRESS_TIMES isn’t available and while the user exit updates will be of some use I can’t envisage revisiting 800+ user accounts (there are literally hundreds of thousands of expired role assignments).

Given the lack of PRGN_COMPRESS_TIMES in 4.6c are there any recommended ways of dealing with this size and scale of issue?

Answer:
Using information from a post in this forum, or was it OSS?, I instituted user exits to remove expired roles from users. There are three exits - one cleans up after PFCG save, one after SU01 save and one after PFUD. Roles are removed automatically after expiry on an ongoing basis.
In 4.6C

SE37 - create functions
Z_SEC_ASSIGN_AG_CLEANUP_SINGLE &
Z_SEC_ASSIGN_AG_CLEANUP as listed. Assign to function group Z???.
SM30 - SSM_CUST
Assign to parameters -
Z_USERS_TRANSFER = Z_SEC_ASSIGN_AG_CLEANUP ;
Z_SINGLE_USERPROF = Z_SEC_ASSIGN_AG_CLEANUP_SINGLE ;
Z_EXIT_USERS_SAVE = Z_SEC_ASSIGN_AG_CLEANUP_SINGLE

FUNCTION Z_SEC_ASSIGN_AG_CLEANUP_SINGLE.
*"----------------------------------------------------------------------
*"*"Local interface:
*" IMPORTING
*" REFERENCE(ACTIVITY_GROUP) LIKE AGR_DEFINE-AGR_NAME
*"----------------------------------------------------------------------
tables agr_users.

* Delete every expired assignment (end date before today) of this role.
delete from agr_users where agr_name = ACTIVITY_GROUP and
to_dat LT sy-datum.

ENDFUNCTION.


and
Code:
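FUNCTION Z_SEC_ASSIGN_AG_CLEANUP.
*"----------------------------------------------------------------------
*"*"Local interface:
*" TABLES
*" ACTIVITY_GROUPS STRUCTURE STR_AGRS
*"----------------------------------------------------------------------
* The field-symbol name is missing from the code as posted; <bname> is a stand-in.
field-symbols: <bname> like usr02-bname.
* Drop expired rows from the role list that is being saved.
delete ACTIVITY_GROUPS where to_dat lt sy-datum.
* Read the current user name from the global data of program SAPLSUU4.
assign ('(SAPLSUU4)G_USER_AGR_ACTIVITYGR-BNAME') to <bname>.
if sy-subrc = 0.
* Delete that user's expired assignments from AGR_USERS.
delete from agr_users where uname = <bname> and
to_dat lt sy-datum.
endif.
ENDFUNCTION.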

This works excellently ...........
_________________
Regards.
ib
_________________________________
SAPFans help those who help themselves !

Answer:
Hello Everyone

My problem is slightly different. I need to mass change the validation date of ALL ROLES for each user.

We are changing our role structures and I need to keep the old structure intact for history purposes.

1. I have to change the validation_to date from 9999/12/31 of each role to 2007/01/31 for each user.

2. I do have to add a role to all users. That can be done through SU10 or PFCG.

My problem is, how can I change the validation date of all roles at the same time for all users?

Any suggestion will be highly appreciated.

Answer:
1. Download the list of role assignments from AGR_USERS
2. Create a script based on SU10 and each iteration will have one user-role combination from AGR_USERS.
3. On Roles Tab put in the role with start date of 01/31/2007 and end date of 12/31/9999.
4. Click on Remove.
5. Go to Profiles Tab and click on remove and then Save.

By doing this, SU10 logically decides that the access to the role should be removed from 01/31/2007 to 12/31/9999 and hence it automatically puts an end date of 01/31/2007 on the role.
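The following is an added example, not code from any poster in this thread: it works on a downloaded AGR_USERS list as in the steps above, groups one role's users by exact validity dates (the "date groupings" mentioned in the first answer), and counts expired assignments per user to size a cleanup. The tab-separated export layout with YYYYMMDD dates, and all role and user names, are assumptions constructed for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample: AGR_USERS rows exported as tab-separated text with a
# header row and dates in YYYYMMDD form (the export layout is an assumption).
SAMPLE_EXPORT = (
    "AGR_NAME\tUNAME\tFROM_DAT\tTO_DAT\n"
    "Z_SALES_DISPLAY\tJSMITH\t20050505\t99991231\n"
    "Z_SALES_DISPLAY\tMBROWN\t20050505\t99991231\n"
    "Z_SALES_DISPLAY\tKLEE\t20060110\t99991231\n"
    "Z_SALES_DISPLAY\tTWONG\t20050505\t20061130\n"
    "Z_FI_CLERK\tJSMITH\t20040101\t20051231\n"
)


def read_assignments(text):
    """Parse the export into dicts, normalising case and whitespace."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return [{k: v.strip().upper() for k, v in rec.items()} for rec in reader]


def removal_batches(rows, role):
    """Group a role's users by exact (FROM_DAT, TO_DAT) validity."""
    # One batch = one mass-change run, because the dates entered with the
    # role have to match the dates stored on the assignment.
    batches = defaultdict(list)
    for r in rows:
        if r["AGR_NAME"] == role.upper():
            batches[(r["FROM_DAT"], r["TO_DAT"])].append(r["UNAME"])
    return {k: sorted(v) for k, v in sorted(batches.items())}


def expired_counts(rows, today):
    """Count assignments per user whose TO_DAT is before today."""
    cutoff = today.strftime("%Y%m%d")
    counts = defaultdict(int)
    for r in rows:
        if r["TO_DAT"] < cutoff:  # YYYYMMDD strings sort chronologically
            counts[r["UNAME"]] += 1
    return dict(counts)


if __name__ == "__main__":
    rows = read_assignments(SAMPLE_EXPORT)
    print(removal_batches(rows, "Z_SALES_DISPLAY"))
    print(expired_counts(rows, date(2007, 1, 31)))
```

Each key returned by `removal_batches` is one date pair to enter on the Roles tab, with the list of users to select for that run.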
