Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Direct assigned roles do not disappear

Former Member

‎09-01-2011 12:40 PM

0 Kudos

Our customer has an indirect role assignment concept. Roles are assigned towards positions and consists only of composite roles. This works fine and when user disconnected from his position in the HR system, it ends user account but sometimes during they were working , they were also assigned single roles direly and problems arise when the FM users terminate their employment and these single are not deleted Impact occurs when the account causes a license charge because it is located with active roles. it there any solution or do we have to deleted the roles manually from the account

4 REPLIES 4

sunny_pahuja2
Active Contributor

‎09-01-2011 1:49 PM

0 Kudos

Hi,

Once that person leaves then if you deactivate his ID then at same time you can set expiration date of Roles in his/her user id. As a result roles will also be expired in his user id and at same time you need not to delete those roles.

Thanks

Sunny

martin_voros
Active Contributor

‎09-02-2011 12:30 AM

0 Kudos

Hi,

the role assignment to account is stored in table AGR_USERS. There are two flags: ORG_FLAG and COL_FLAG. The first one tells you if role is coming from HR and the second if it's coming from composite role. In SUIM you can search for terminated users (not sure how exactly you terminate your users) and switch to view with role assignments. In the ALV with role assignments you can add field "Indirect assignment" that tells you if that role is manually assigned. So for example if all terminated users go to special user group called "TERMINATED" then you can search for all users in that group and switch to role assignment view. If there are any roles then probably they have been assigned manually. The field "Indirect assignment" tells you if that is true or not.

Cheers

m_coenjaerts
Explorer

‎10-03-2011 1:20 PM

0 Kudos

Is the RHAUTUPD_NEW (User Master Data Reconciliation job) schedule to run every day? With the correct configuration. Normally that job takes care of the 'clean up ' of the user masters.

Make sure that in the scheduled variant the Processing Types 'Composite Role Reconciliation' and 'HR Organizational Management: Reconciliation' are activated.

You could also look into scheduling the PRGN_COMPRESS_TIMES job - Check some notes before implementing it, But this job will remove role assignment where validity date has passed. (In our production system we run daily a job with 2 steps, the first RHAUTUPD_NEW and the second step the PRGN_COMPRESS_TIMES).

Bernhard_SAP
Employee
Employee

‎10-03-2011 2:11 PM

0 Kudos

Hi,

in this case (1. composite roles are assigned through HR-Org, 2.their single roles get assigned therefore only through composite roles) no direct assignements shall be found at all in agr_users.

So this is pretty straight forward, if your customer follows his concept strictly....

Simply check agr_users as mentioned by Martin above and delete any direct assignement (either in SU01, SU10 or PFCG) you find. After that, the system is 'clean' and prepared for future usage of that 'indirect' assignement scenario.

b.rgds, Bernhard