Disable Roles

mubarakshabna_asmi · ‎11-19-2008

Is there a way to disable a role without deleting it. I would like to disable a role such that it cannot be assigned to any users, but would still like to keep the role.

Former Member · ‎11-19-2008

1) You could either delete the profiles of the role on the authorizations tab.

2) You could remove authority for S_USER_AGR from all admins so that they cannot assign the role.

3) There are exits in PFCG via which you could maintain a list of disabled roles which cannot be assigned.

4) Create a transport and release it, then delete all the roles you want to disable and import them again if need be...

No doubt there are more ways, but there is no flag called "Disabled" which is an attribute of the role itself that I am aware of.

Cheers,

Julius

Former Member · ‎11-19-2008

If you are using the AE in GRC suite you can configure it so that the "role' is hidden. so the user when requesting for the role will never get to it.

Most of it was already mentioned by Juluis

Former Member · ‎11-19-2008

Thanks GG. Didn't know that. I assume that "AE" = Access Enforcer in the GRC suite?

Hidding stuff from an application and the user on it acting as the client side is another option, but I don't know of any disable setting of the role on the server side except deleting it, immobilizing it or protecting it.

I guess corrupting it is out of the question...

Cheers,

Julius

mubarakshabna_asmi · ‎11-19-2008

Thanks Julius and George.

1. I have already deleted the profile.

2. I don't want to delete the role, but do have the roles in their original condition (before deleting profiles) in a released transport.

3.I will look into this. I am not sure how to restrict authority for S_USER_AGR to some roles and allow others.

Say for S_USER_AGR

Activity: Change, Display, Enter, Include, Assign

Role: I can give a role, but how do I exclude something

4. I am not sure what you mean by this:

"There are exits in PFCG via which you could maintain a list of disabled roles which cannot be assigned"

Could you please elaborate.

Thanks

S.

Former Member · ‎11-20-2008

> 4. I am not sure what you mean by this:

> "There are exits in PFCG via which you could maintain a list of disabled roles which cannot be assigned"

> Could you please elaborate.

See [SAP note 367660|https://service.sap.com/sap/support/notes/367660].

But these exit mechanisms are replaced in the new releases as far as I know.

However, you should be able to achieve the same with the new concept (to which I think SAP should add a "related" note to the above mentioned one).

But still, to your original question, I don't think it is configurable directly within an attribute of the role itself.

Cheers,

Julius

Former Member · ‎11-20-2008

> 3.I will look into this. I am not sure how to restrict authority for S_USER_AGR to some roles and allow others.

> Say for S_USER_AGR

> Activity: Change, Display, Enter, Include, Assign

> Role: I can give a role, but how do I exclude something

I haven't ever tried to rename a role (that I can think of) but I guess it is possible.

You could use a prefix like ZOBS (obsolete)..., and exclude that from your admin's authority?

After all, you want to restrict your user admins from assigning certain roles, right?

Why not use the authorization concept for it?

Cheers,

Julius

jurjen_heeck · ‎11-20-2008

> I haven't ever tried to rename a role (that I can think of) but I guess it is possible.

I have, but there's no SAP standard way to do so. Officially you can only copy roles and throw away the originals but that's no real renaming as you cannot retain the relations between parents and derived roles or singles and composites......... I once did it by actually changing PFCG download files.

Once again a nice example of the need for a proper naming convention.

Former Member · ‎11-20-2008

Given how easy it is to make design errors and how things change, perhaps a SAP release dependency in the role naming convention could help solve the problem in phases?

I think you have plenty if ideas and options now.

Let us know what you find best for your release, the design of your roles and the age of them.

It would be interesting and usefull to compare experiences for which solution works best in which case.

Cheers,

Julius

mubarakshabna_asmi · ‎11-26-2008

Thanks All.

I cannot go with renaming the role and leaving them out in the authorization range because I just have too many.

I had deleted the profile and saved the originals. If the end user, security admins accidently assign the old roles, they just won.t work and will serve as as reminder not to use those.