
Best way to limit users? How to also limit the role assignment?

eloisadazpalaci
Participant
0 Kudos

Hi gurus, we are facing a strange situation.

Due to the policies implemented in our company, we are not allowed to delete the user record once this guy has finished in the company. We need to have a history of users to consult who has done something in our R3 4.7 ERP.

Instead we use the field VALID TO in the user record, so the user can't access the system once the date is reached (it is the same way that the standard transaction HRUSER manages the validity of the users...)

The problem is that the roles assigned to the users are not limited the same way; I mean, if a user has the validity of a role from 2008/01/01 to 9999/21/31, it's not limited.

That means that in PFCG you can see the roles with users assigned, but they are not really active...

Please, is there any possibility to also limit this range of dates in PFCG in an automatic way? It will help us a lot to have the role assignments up to date.

Thanks in advance

Best regards.

9 REPLIES 9

jurjen_heeck
Active Contributor
0 Kudos

> Due to the policies implemented in our company, we are not allowed to delete the user record once this guy has finished in the company. We need to have a history of users to consult who has done something in our R3 4.7 ERP.

Good! There are many discussions in the forum on the disadvantage of deleting users.

> Instead we use the field VALID TO in the user record, so the user can't access the system once the date is reached (it is the same way that the standard transaction HRUSER manages the validity of the users...)
>
> The problem is that the roles assigned to the users are not limited the same way; I mean, if a user has the validity of a role from 2008/01/01 to 9999/21/31, it's not limited.

What's wrong with taking away all roles from these users? You can always retrieve their previous assignments from the change documents.

0 Kudos

Hi Jurjen, thanks for your quick reply!!

The problem is that we don't know how to do it in an automatic way. The HRUSER transaction allows you to limit the field VALID TO for 1000 users in seconds, but the role assignment is not touched, the field VALID TO in the role assignment is not changed... so you have the roles full of non-active users...

We also want to delete these role assignments. How can we do it?

Thanks in advance.....

0 Kudos

If you really want to automate it you should have an ABAPer look into the security/user-related BAPIs.

What you can do semi-manually is list all users which have expired, (SUIM), list their role assignments (table AGR_USERS) and combine these lists to create:

1 - a list of users whose role assignments can be deleted

2 - a list of roles relevant for these users

3 - the first known assignment date

4 - the highest known assignment end date

With this information you can go to SU10, enter the users, enter the roles, specify a begin date before the first date and an end date higher than/equal to the last date. That should take care of the roles.

Jurjen

0 Kudos

Thanks Jurjen, so it means that there is no standard way to achieve it....we wanted to avoid the development if possible.

0 Kudos

> Thanks Jurjen, so it means that there is no standard way to achieve it....

Nope. The role expiry date in combination with PFCG_TIME_DEPENDENCY takes care of all possible security issues as the profiles are taken from the users' master records. Cleanup is still manual labour.

However, the SU10 route I've described is reasonably easy, especially when carried out on a regular basis.

Jurjen

0 Kudos

You can get the list of users whose validity has expired using usr02 table. Search by giving the necessary value in the "valid through" field.

Now go to agr_users table.

Give the users that you got from usr02 table. Give the "End date" as the last date for role assignment validity (e.g. greater than today's date .. as >09/15/2008).

From here you get the list of users whose validity has expired but still hold the roles with valid date.

From SU01/SU10, you can delete these role assignments.
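The list-combining step described in the two replies above (expired users from USR02, their assignments from AGR_USERS, then the user list, role list and date range for SU10), as an added example that is not part of any post in this thread. It assumes both tables were exported to rows (for instance from a table browser) with the standard columns BNAME/GLTGB and UNAME/AGR_NAME/FROM_DAT/TO_DAT in SAP's internal YYYYMMDD date format; the users, roles and dates are constructed sample data, and the script only reads the exports.

```python
from datetime import date

# Constructed sample rows shaped like table exports (internal dates, YYYYMMDD).
# Column names are the standard USR02 / AGR_USERS fields; users and roles are made up.
USR02 = [
    {"BNAME": "JSMITH", "GLTGB": "20080630"},   # "valid to" already passed
    {"BNAME": "MLOPEZ", "GLTGB": "20080831"},   # "valid to" already passed
    {"BNAME": "ACTIVE1", "GLTGB": "00000000"},  # no "valid to" date: unlimited user
    {"BNAME": "ACTIVE2", "GLTGB": "20091231"},  # still valid
]
AGR_USERS = [
    {"UNAME": "JSMITH", "AGR_NAME": "Z_FI_CLERK", "FROM_DAT": "20080101", "TO_DAT": "99991231"},
    {"UNAME": "JSMITH", "AGR_NAME": "Z_MM_BUYER", "FROM_DAT": "20070315", "TO_DAT": "20080101"},
    {"UNAME": "MLOPEZ", "AGR_NAME": "Z_FI_CLERK", "FROM_DAT": "20060901", "TO_DAT": "20101231"},
    {"UNAME": "ACTIVE1", "AGR_NAME": "Z_BASIS", "FROM_DAT": "20050101", "TO_DAT": "99991231"},
]


def expired_users(usr02, key_date):
    """Users whose 'valid to' date lies before key_date; 00000000 means unlimited."""
    key = key_date.strftime("%Y%m%d")
    return {r["BNAME"] for r in usr02
            if r["GLTGB"] not in ("", "00000000") and r["GLTGB"] < key}


def su10_worklist(usr02, agr_users, key_date):
    """Combine both lists into the four inputs for the SU10 mass change."""
    key = key_date.strftime("%Y%m%d")
    expired = expired_users(usr02, key_date)
    # Stale assignment: the user has expired but the role end date has not.
    stale = [r for r in agr_users if r["UNAME"] in expired and r["TO_DAT"] >= key]
    if not stale:
        return None
    return {
        "users": sorted({r["UNAME"] for r in stale}),
        "roles": sorted({r["AGR_NAME"] for r in stale}),
        "first_from": min(r["FROM_DAT"] for r in stale),  # SU10 begin date must be earlier
        "last_to": max(r["TO_DAT"] for r in stale),       # SU10 end date must be >= this
    }


if __name__ == "__main__":
    print(su10_worklist(USR02, AGR_USERS, date(2008, 9, 15)))
```

Run on a regular schedule against fresh exports, the returned user and role lists show how many stale assignments have accumulated since the last cleanup.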

0 Kudos

Hi Jurjen,

Is it possible to delete roles from users using SU10 in one shot even if they contain different combinations of roles? Or do we need to give only roles common to users?

Thanks!

0 Kudos

It seems to be a lack of functionality... or a missing one.

The question is... why can't the standard HR transaction that allows you to create / limit users for the ESS, and uses this way of limiting the users, be completed with the PFCG_TIME_DEPENDENCY so you can do it in one shot?

Maybe in future versions / patches it will be implemented?

0 Kudos

> Is it possible to delete roles from users using SU10 in one shot even if they contain different combination of roles? or do we need to give only roles common to users?

As far as I know you can do it in one shot. So if you enter all roles for the group of users and make sure the dates are well before and after the actual assignment dates you should be fine.