09-16-2011 11:55 AM
Hi experts,
I am very new this Security for BI.
I have list of 76 user,they should be removed from a single role..
belwo are the steps i followed
1. go to su10.
2. give the list of users
3.click on change .
4. roles tab> select Romove and give the role name .
5.click on save.
But still some user are not being deleted from a role.
i went manually to su01 and checked ,i find the role naem is in BLUE .viceversa,user name is blue in PFCG.
can any one suggest me on this.
Please help.
09-16-2011 12:01 PM
Hi,
When you remove the roles in SU10, you should also make sure that the Start date and End dates are the same for all the users. Else, it only removes the assignment during the mentioned dates.
As an alternative, you may look at eCATT scripts. If it is allowed to remove the user assignment, you can also do it from the users tab of Profile Generator.
Hope this helps.
Regards,
Raghu
09-16-2011 12:01 PM
Hi,
When you remove the roles in SU10, you should also make sure that the Start date and End dates are the same for all the users. Else, it only removes the assignment during the mentioned dates.
As an alternative, you may look at eCATT scripts. If it is allowed to remove the user assignment, you can also do it from the users tab of Profile Generator.
Hope this helps.
Regards,
Raghu
09-16-2011 12:39 PM
SU10 removal will expire the role validity. Then onwards you have to compare the role to remove the profile for the role from user. But the role will still stay in user role tab. To remove the expired role from user you need to user report PRGN_COMPRESS_TIME. However as this is removal of mass user from a single role then you should use PFCG instead of SU10 as mentioned in last post.
@ Raghu - Sorry but I think using script for role provisioning like this is like firing a bulet to kill a mosquito plus you need to take care role comparision separately or rely on midnight batch job.
Edited - @ pottilaxman - You need to do some study on SAP Security and also need to keep your eyes open to observe what is happening in the system. I am sure this particular topic been discussed many times before.
Regards,
Arpan Paik
Edited by: P Arpan on Sep 16, 2011 5:11 PM
Edited by: P Arpan on Sep 16, 2011 5:13 PM
09-16-2011 7:43 PM
Hi Laxman
If the roles are in blue color, then the roles assignment is indirect, might they have been assigned part of composite or from a HR Position.
SU10 can not remove the indirect roles assignment.
09-16-2011 8:27 PM
Hi,
i went manually to su01 and checked ,i find the role naem is in BLUE .viceversa,user name is blue in PFCG.
These roles were assigned from a composite. Check the composite that has added this role. Removing the composite role will also remove the roles that are in Blue color.
Regards,
Raghu
09-16-2011 8:31 PM
It might also remove a bunch of other single roles as well.
Removing the single role from the composite might impact a whole bunch of other users as well.
Sooner or later you always regret using composites...
Cheers,
Julius
09-17-2011 7:39 AM
Hi Julius,
I agree with you.. But, since he can't remove the roles that are in blue (assigned from a composite), I've asked OP to remove the composite. Forgot to highlight this point Thanks!
Regards,
Raghu