07-12-2014 6:27 PM
Hi,
Is there a way to set a 'Valid To' Time for a User Role Assignment?
I know there is a 'Valid To' Date field in SU01. But we need to expire a few Role Assignments at a particular time of the Day.
But we are looking for a 'Valid To' Time as well, along with the Date. We may create a Z TCode for this, but what I want to know is: is there a Function Module which can be used, or any other inputs?
Thanks!
07-12-2014 11:05 PM
Hi,
ABAP AS does not support time for role assignment. So you have to use another system that supports time. I am not sure how hard it would be to implement this in some IdM solution. If you want to stay on ABAP AS you will have to capture the time restriction somewhere and then periodically run a job that will remove roles from users.
Cheers
07-17-2014 2:15 PM
Absolutely. Through SU01, we will set a particular date for role expiry only in the ABAP stack.
07-17-2014 2:29 PM
07-17-2014 4:08 PM
You could try to do it by specifying the time of the PFUD job, but it is better to assign and then remove the role again after the time interval and ensure that PFUD always runs properly.
Cheers,
Julius
07-17-2014 4:41 PM
Julius,
I am looking at a way to expire the Role at a particular time. Currently we can expire it on a particular day in SU01.
For example, we assign a Role temporarily on, say, 7/17/2014 at 9:00 AM and I want the Role to expire on the same day at 8:00 PM. How can we achieve that without manually removing it from the user master at 8:00 PM? We have a lot of such requirements for users who need a Role for some hours to do a particular task, a kind of firefighting Role.
07-18-2014 10:12 AM
Hello Bidwan,
In standard SAP it is not possible to "automate" role removals at a particular time. In case you really want to remove role assignments at a particular timestamp, the only option would be to create a custom ABAP to remove roles at a particular moment.
Other options would potentially be:
- Use Batch Input Mapping to delete roles (creating BIMs via the SM35/SHDB transactions)
- Execute mass-role deletions via SU10, which is started at particular times
But both approaches still require some manual activities.
What I notice is that you want to implement a particular firefighter process, and that you assign temporary roles to users. Another way would be to use the "own user IDs" but create additional, specific "firefight user IDs", which you can unlock/lock at the required times. Or use solutions offered by SAP GRC to implement an automated Firefighter process.
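The "capture the time restriction somewhere and run a periodic job" approach and the "custom ABAP" mentioned in the replies above could look like the following report. This is an added example, not code posted by anyone in the thread. It assumes a hypothetical custom table ZROLE_EXPIRY (described in the comments) and uses the standard BAPIs BAPI_USER_GET_DETAIL, BAPI_USER_ACTGROUPS_ASSIGN and BAPI_USER_ACTGROUPS_DELETE.

```abap
REPORT zrole_expiry_job.
* ZROLE_EXPIRY is a hypothetical custom table (not an SAP standard table):
* key UNAME (XUBNAME), AGR_NAME (AGR_NAME); data EXP_DATE (DATS), EXP_TIME (TIMS).
DATA: lt_due    TYPE STANDARD TABLE OF zrole_expiry,
      ls_due    TYPE zrole_expiry,
      lt_roles  TYPE STANDARD TABLE OF bapiagr,
      lt_return TYPE STANDARD TABLE OF bapiret2.
* Entries whose expiry date/time has passed, in application server time.
SELECT * FROM zrole_expiry INTO TABLE lt_due
  WHERE exp_date < sy-datum
     OR ( exp_date = sy-datum AND exp_time <= sy-uzeit ).
LOOP AT lt_due INTO ls_due.
  CLEAR: lt_roles, lt_return.
  CALL FUNCTION 'BAPI_USER_GET_DETAIL'
    EXPORTING
      username       = ls_due-uname
    TABLES
      activitygroups = lt_roles
      return         = lt_return.
* Drop every assignment of the expired role; sy-subrc = 4 means none was left.
  DELETE lt_roles WHERE agr_name = ls_due-agr_name.
  IF sy-subrc = 0.
    CLEAR lt_return.
    IF lt_roles IS INITIAL.
*     It was the user's only role: remove all role assignments.
      CALL FUNCTION 'BAPI_USER_ACTGROUPS_DELETE'
        EXPORTING
          username = ls_due-uname
        TABLES
          return   = lt_return.
    ELSE.
*     ASSIGN replaces the whole list, so pass back the roles that stay.
      CALL FUNCTION 'BAPI_USER_ACTGROUPS_ASSIGN'
        EXPORTING
          username       = ls_due-uname
        TABLES
          activitygroups = lt_roles
          return         = lt_return.
    ENDIF.
*   On error or abort (for example a locked user record) keep the entry for the next run.
    LOOP AT lt_return TRANSPORTING NO FIELDS WHERE type CA 'EA'.
    ENDLOOP.
    IF sy-subrc = 0.
      CONTINUE.
    ENDIF.
  ENDIF.
  DELETE FROM zrole_expiry WHERE uname = ls_due-uname AND agr_name = ls_due-agr_name.
  COMMIT WORK.
ENDLOOP.
```

Scheduled as a periodic background job, the report removes a role no later than one job interval after its recorded expiry time, so the interval sets the precision of the 'Valid To' time. A failed removal stays in the table and is retried on the next run, which makes leftover rows a simple thing to monitor.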