Solved: Indirect Role Assignment

Former Member · ‎08-04-2010

I am adding roles to positions using indirect role assignment, when adding the role to the position I am prompted to carry out a reconcilliation of indirect user assignments, receive message 'Indirect user assignments ok' so then I've run PFUD. When I check both the role and the user I cannot see the role attached to the user, but the role is listed in the 'Relationships' in PP01.

A new organisation structure has been created, when I click on the drop down at the 'change agent assignment' the old organisation structure is displayed. Any suggestions please how I can select the new organisation structure?

Thanks

Former Member · ‎08-04-2010

Hi,

I guess, you are assigning role to position via PFCG.

Try using PPOME u2013 Change. in this way you can choose the new org struture (other way of assigning postion to role)

Thanks,

Sri

Former Member · ‎08-04-2010

Hi,

I guess, you are assigning role to position via PFCG.

Try using PPOME u2013 Change. in this way you can choose the new org struture (other way of assigning postion to role)

Thanks,

Sri

Former Member · ‎08-04-2010

You can do indirect assignment from PFCG , Click user tab use the GOTO button and you should have the "Organizational Management" option, search in the forum plenty of answers are available regarding this.

Former Member · ‎08-05-2010

Hello Anthea,

to pass on a role from a position to a SAP user id I would suggest the following.

Go to transaction SA38 and run report RHPROFL0.

Some notes on the report and report selections.

The report can be used to eveluate and assign roles from HR objects to SAP users. The report starts reading at a given HR object along an evaluation path. It then updates the SAP user found with authorisation roles.

Selections:

You have assigned the roles to a position therefore you should select object type S.

Then put the position number in the Object ID.

The key date is hopefully self explaining.

The evaluation path might have defaulted to PROFL0. That would be the correct one.

The program has a test mode. I suggest you run the test mode first. It will tell you what the program would change in an actual run.

In the next selection box - "Generate authorization profiles"

You might leave the ticks in the boxes:

- Standard authorizations

- PD authorizations

That will generate profiles if they aren't generated yet.

Next selection box - "Delete manually maintained authorisation profiles"

Leave the tick boxes blank if you have any direct assigned roles.

If you tick the boxes all roles and profiles directly assigned to SAP user ids will be deleted.

In section "New Users"

There is a tick box "Generate".

If that box is ticked the report will create new SAP user IDs for all occupied positions with roles but without SAP user ID on the Employee record.

You might leave that box unticked for the moment.

I suggest to create the application log --> Last tick box on the selection screen.

Some general comments at the end.

The report RHPROFL0 might be scheduled in production systems if indirect role assignments are used. Depending on your needs make sure that the deletion of manual assigned profiles is activated or deactivated.

If you do not enter an object id, the report will run for all object ids.

A further note on the indirect setup.

If roles should be passed on from a Position to a SAP user id, it is important, that the following conditions are fulfilled.

The Position is valid/active as of the report key date.

The position has a holder at key date.

The holder has an assignment of a valid SAP user ID at key date. Infotype 0105 subtype 0001 for object type P.

The Roles on the position are valid at the key date.

I hope that helps solving your issue.

Best regards

Karsten

Former Member · ‎08-05-2010

Karsten,

Is this the steps for structural authorization? or indirect role asssignment?

Also the report you mention ( it would display the automatically assigned and deleted authorization profiles )

Can we do indirect assisnment of roles using this report ?

Edited by: Franklin Jayasim on Aug 5, 2010 7:42 PM

Former Member · ‎08-06-2010

Hello,

RHPROFL0 can be used for both assignments - indirect standard authorisations and indirect structural authorisations.

If you look at the selection screen of the report you will find check boxes for either

- Standard authorizations or

- PD authorizations.

So it is your choice what you want to do.

And the report will display a log of the automatically assigned and deleted authorization profiles as long as you flag the check box right at the end of the selection screen.

- Application Log

---> Create

Best regards

Karsten

Former Member · ‎08-06-2010

I've run RHPROFLO and all looks ok, ie when checking users role assignment in SU01 the indirectly assigned role shows in blue, however when I check the role using PFCG the 'user' tab is green with the user name in blue but the organizational management button is red, when I click receive the message 'Require reconciliation of indirect user assignment' when I reconcile the role message 'Indirect user assignments ok' received but the user assignment is removed. This could be due to the old organisational structure only being displayed when using the drop down search in PFCG, any suggestions as to how to view the new organisational structure in the drop down?

Thanks

Anthea

Former Member · ‎08-06-2010

Karsten,

You can generate the profiles for directly or indirectly assigned profile for the user , I agree on this.

Can you do indirect assignment from this report , was my question? If so can you please list the steps.

I always followed pfcg --> indirect role assignment

or the PP...transaction.

Former Member · ‎08-07-2010

Hello,

@ Anthea,

I guess there is one good thing. RHPROFL0 seems to do the job. It passes the roles from the indirect assignment to the SAP user ID. Presumably that is what you were looking for in the first place.

On the organisational management button I just can say that I usually ignore that. As I described I get the same result using RHPROFL0 and I usually suggest to my clients to schedule the report daily.

I think the message you receive on the "old organisational structure" sounds really odd to me. I browsed quickly some things on the organisational management button and there was just one thing which sticks out as prerequisite with regards to the message. You must have an active plan version setup in the logon client.

Anyway I would really ignore the organisational management button. If RHPROFL0 runs regularly, SU01 and the PFCG user tab are a reliable indication on the role assignment.

Just one trick, if you like to see the role assignments via the HR structure.

Use transaction PPOMW.

Good luck Anthea.

And now @ Franklin

I am sorry as I might have misunderstood your last question.

RHPROFL0 will not create any indirect authorisation assignments. The program will just read whatever indirect assignment exist and pass the authorisation on to the SAP user IDs.

To maintain the indirect assignments of authorisations I would use PP01 or PPOMW. Looking at your post that does not seem to be anything new to you.

Best regards

Karsten

Edited by: Karsten Arold on Aug 7, 2010 11:21 AM

Former Member · ‎08-17-2010

RHPROFL0 is run as an overnight job which does update SU01 and PFCG correctly, however we also have PFUD set up as an overnight job and this removes the assignment from SU01 and PFCG.

Former Member · ‎08-18-2010

Hello Anthea,

RHPROFL0 updates the indirect role assignments from the HR structure to the user record correctly. That is at least what I read from you message.

And surely you still want to run PFUD.

In PFUD on the selection screen is a check box called " Organizational Management: Reconciliation". You might try to un-check that box. That Org Management Reconcilliation should be replaced by RHPROFL0.

Best regards

Karsten

Former Member · ‎08-18-2010

Hi Karsten

I've unchecked the Organizational Management Reconcilliation box in PFUD and run both PFUD and RHPROFL0, When I check SU01 I can see the role assigned to the user. In PFCG the user is also assigned, however on the User tab within PFCG the Organizational Mgmt button is red and when I click on it receive message ' Require reconciliation of indirect user assignment', when I click the 'Indirect User Assignment Reconcilliation' button I can no longer see the role assigned to the user in either PFCG or SU01. I would like to see the user assigned correctly in the Organizational Mgmt screen of PFCG.

Former Member · ‎08-18-2010

However for the user to have the access /ability there are few more steps you will need to do :

1. Transaction OOSB need to be executed and populate the user id as wel las the profile

2.. Check if th euser neeeds to be indexed - RHBAUS00 - if so populate table T77UU trhu RHBAUS02

3. Now run PFUD

Thx

To add roles to possition - please use TCD PPOMW .

Former Member · ‎08-19-2010

Just a brief note on table T77UU, Reports RHBAUS00 and RHBAUS02.

You will only need to add users in T77UU and you will only need to run the reports if you use structural authorisations. The reports will generate an index of the HR objects users are authorised for, which will speed up the runtime of the structural authorisation check.

So that will not do anything for indirect role assignments.

Former Member · ‎09-16-2010

Hi,

My understanding is that RHPROFL0 standardard authorisations was the method how profiles prior to Profile Generator were assigned to users (those profiles were entered to position infotype 1016 where as structural profiles still are in infotype 1017).

If your version of SAP has Profile Generator and you have created the profiles using it you actually just need to create relationship between the role and the position. This can be done in PFCG expert mode in Users tab or in PO13 (or PP01) for positions infotype 1001 (table HRP1001).

My guess is that you don't have authorisations to maintain relationships between position and role. Check you PLOG authorisation object and add following to test:

PLOG

Infotype: 1001

Planning Status: *

Object Type: S, AC

Plan Version: 01

Function Code: *

Subtype: *

Regards,

Saku

Former Member · ‎09-16-2010

The problem has now been resolved by adding access to Object type AG, Role to authorisation object PLOG

Thanks

Former Member · ‎10-06-2010

For those that want to do this faster and I find more user friendly you may want to look at PP02 and you then select S

enter the position number , IT 1001 then B007 and the next I user 1

do a create, then enter AG and the role name. you can create a ECATT on this and it really will make entry easy. Also there are Bapi for this as well.

When all asignments are done run RHprofl0 or PFUD and you should see everything on the user.