Showing posts with label ROLE FAQS. Show all posts
Showing posts with label ROLE FAQS. Show all posts

How to delete expired roles?

Here are 3 notes you may want to review to see if there is any helpful info, plus some documentation that may be helpful for others....we are going from 40B to 47 and have had a few issues with role deletion

Notes: 312943 504412 & 313587

Additional info

First, the report PFCG_TIME_DEPENDENCY is functioning as designed. It was not designed to remove activity groups.

Second, in transaction SU10 you must have the valid from and valid to fields filled in with the actual dates, 04/08/2002, in order to remove the invalid activity group. You need to be sure that the remove user radio button set in the role tab. But in the profile tab, the add user radio button is selected by default.

What you have to do is go to profile tab and select the remove user radio button. You have to make sure both role and profile has the same radio button selected, i.e. remove from users. Only then when you click save, it will allow you to delete the role from user.


In transaction SU10, you need to complete the following steps:

1. Click on the Authorization data button.

2. Entry the users name, latimerc

3. Click on the execute button.

4. Put a check in front of the users name.

5. Click on the transfer button.

6. Now highlight the user.

7. Click on the pencil button.

8. Click on the Activity Groups tab.

9. Enter the profile name (PM_NOTIFICATION_PROCESSOR).

10. Enter the valid from and valid to dates (04/08/2002).

11. Change the radio buttons to remove user from both the Activity Group and Profile Tabs.

12. Click on the trash can.


In another customer message the following was provided by developement:


We don't have a regular functionality for mass deletion of roles. But if you want to avoid the deletion by hand or with an own created report, I would suggest the following:

The attached note 324962 includes the report ZDELETE_RY_T_AGRS which could delete all roles with names like 'T_....' or 'RY....'. The report gives you a list of all these roles and deletes then the selected ones. You can modify the report to get all your roles in the selection list. Therefore you have to change the following:


SELECT * FROM AGR_FLAGS INTO TABLE L_AGR_FLAGS
WHERE FLAG_TYPE = 'COLL_AGR'
AND FLAG_VALUE = 'X'.
SORT L_AGR_FLAGS BY AGR_NAME.
LOOP AT SINGLE_ACTGROUPS WHERE AGR_NAME+11 <> SPACE AND <<<>
( AGR_NAME(2) = 'T_' OR AGR_NAME(2) = 'RY' ). <<<>
LOOP AT SINGLE_ACTGROUPS WHERE AGR_NAME+11 <> SPACE. <<<>

READ TABLE L_AGR_FLAGS WITH KEY AGR_NAME = SINGLE_ACTGROUPS-AGR_NAME
BINARY SEARCH.


Text from an additional customer message as further help:


- go on role tab

- select remove from user

- enter ZR.PRD.GENERIC and date : 06/04/2002 12/31/9999

- go to profile tab

- select remove from user

- save

- do the same for ZR:HR:ESS from 01/01/2002 to 12/31/9999 and worked
from date for testid was 01/01/2002 and testid2 02/01/2002 and the 2 assignement were deleted And the roles were removed from the 2 UMR.


How to delete expired roles?

Here are 3 notes you may want to review to see if there is any helpful info, plus some documentation that may be helpful for others....we are going from 40B to 47 and have had a few issues with role deletion

Notes: 312943 504412 & 313587

Additional info



First, the report PFCG_TIME_DEPENDENCY is functioning as designed.

It was not designed to remove activity groups.


Second, in transaction SU10 you must have the valid from and valid to fields filled in with the actual dates, 04/08/2002, in order to remove the invalid activity group. You need to be sure that the remove user radio button set in the role tab. But in the profile tab, the add user radio button is selected by default. What you have to do is go to profile tab and select the remove user radio button. You have to make sure both role and profile has the same radio button selected, i.e. remove from users. Only then when you click save, it will allow you to delete the role from user.

In transaction SU10, you need to complete the following steps:

1. Click on the Authorization data button.
2. Entry the users name, latimerc
3. Click on the execute button.
4. Put a check in front of the users name.
5. Click on the transfer button.
6. Now highlight the user.
7. Click on the pencil button.
8. Click on the Activity Groups tab.
9. Enter the profile name


(PM_NOTIFICATION_PROCESSOR).



10. Enter the valid from and valid to dates (04/08/2002).
11. Change the radio buttons to remove user from both the Activity Group and Profile Tabs.
12. Click on the trash can.

In another customer message the following was provided by developement:

We don't have a regular functionality for mass deletion of roles. But if you want to avoid the deletion by hand or with an own created report, I would suggest the following:



The attached note 324962 includes the report ZDELETE_RY_T_AGRS

which could delete all roles with names like 'T_....' or 'RY....'. The report

gives you a list of all these roles and deletes then the selected ones.

You can modify the report to get all your roles in the selection list.

Therefore you have to change the following:



SELECT * FROM AGR_FLAGS INTO TABLE L_AGR_FLAGS

WHERE FLAG_TYPE = 'COLL_AGR'

AND FLAG_VALUE = 'X'.

SORT L_AGR_FLAGS BY AGR_NAME.

LOOP AT SINGLE_ACTGROUPS WHERE AGR_NAME+11 <> SPACE AND <<< delete

( AGR_NAME(2) = 'T_' OR AGR_NAME(2) = 'RY' ). <<< delete

LOOP AT SINGLE_ACTGROUPS WHERE AGR_NAME+11 <> SPACE. <<< insert



READ TABLE L_AGR_FLAGS WITH KEY AGR_NAME = SINGLE_ACTGROUPS-AGR_NAME

BINARY SEARCH.



Text from an additional customer message as further help:

- go on role tab

- select remove from user

- enter ZR.PRD.GENERIC and date : 06/04/2002 12/31/9999

- go to profile tab

- select remove from user

- save

- do the same for ZR:HR:ESS from 01/01/2002 to 12/31/9999 and worked



from date for testid was 01/01/2002 and testid2 02/01/2002 and the 2 assignement were deleted And the roles were


removed from the 2 UMR.

So it works as designed.

SAP Role Maintenance Administration Tool

Role Maintenance and role administration are terms which were used for the first time in SAP 4.6C. The role maintenance tool in SAP is transaction PFCG. It is the most basic tool to control and manage security in all SAP systems. The menu path to access the role maintenance tool in SAP is given below.

Tools > Administration > User Maintenance > Role Administration > Roles

The role maintenance and administration tool in SAP is mainly used by the security administrators. One of the biggest tricks which SAP can play is in the area of security and user access. For this reason it is important to ensure that roles created match the security policies of the company. The role maintenance tool which is transaction PFCG (profile generator) consists of menus, authorizations and users. Menus contain transaction codes, reports, web addresses, and folders. Authorizations contain authorization objects, authorization values and organizational values. Users includes organization plan, time delimited users and so on. All these three together comprise the role maintenance and administration tool in SAP.

Which tables are logged?

Transaction SCU3 documents which tables are logged and allows evaluation of the changes.

What are the important tables for role content?

AGR_DEFINE, AGR_USERS, AGR_AGRS, AGR_1251, AGR_1252, AGR_PROF, AGR_TCODES