Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to set a Valid To Time for a Role

former_member185604
Participant

‎07-12-2014 6:27 PM

0 Kudos

Hi,

Is there a way to set a 'Valid To' Time for a User Role Assignment.

I know there is a 'Valid To' Date field in SU01. But we need to expire a few Role Assignment at a particular time of the Day.

But we are looking for a 'Valid To' Time as well, along with the Date. We may create a Z TCode for this but what I want to know is there a Function Module which can be used or any other Inputs?

Thanks!

6 REPLIES 6

martin_voros
Active Contributor

‎07-12-2014 11:05 PM

0 Kudos

Hi,

ABAP AS does not support time for role assignment. So you have to use other system that supports time. I am not sure how hard would be to implement this in some IdM solution. If you want to stay on ABAP AS you will have to capture time restriction somewhere and then periodically run a job that will remove roles from users.

Cheers

Former Member

‎07-17-2014 2:15 PM

0 Kudos

Absolutely. Through SU01, we will set particular date for role expiry only in ABAP stack.

former_member185604
Participant
In response to Former Member

‎07-17-2014 2:29 PM

0 Kudos

I am looking at a option/way of setting aTime not only the Date.

Former Member
In response to Former Member

‎07-17-2014 4:08 PM

0 Kudos

You could try to do it by specifying the time of PFUD job, but better is to assign and then remove the role again after time interval and ensure that PFUD always runs properly.

Cheers,

Julius

former_member185604
Participant
In response to Former Member

‎07-17-2014 4:41 PM

0 Kudos

Julius,

I am looking at a way to expire the Role at a particular time. Currently we can expire it on a particular day in SU01.

For example, we assign a Role temporarily on say 7/17/2014 at 9:00 AM and I want the Role to get expired on the same day at 8:00 PM. How can we achieve that without manually removing it from the user-master at 8:00 PM? We have a lot of such requirements who needs a Role for some hours to do a particular task- kind of a firefighting Role.

m_coenjaerts
Explorer
In response to Former Member

‎07-18-2014 10:12 AM

0 Kudos

Hello Bidwan,

in standard sap this is not possible to "automate" role removals at a particular time. In case you really want to remove role-assignments at a particular timestamp, the only option would be to create a custom ABAP to remove roles at a particular moment.

Other options would potentially be:

- Use Batch Input Mapping to delete roles (BIM's Creating via the SM35/SHDB transactions)

- Execute mass-role deletions via SU10, which is started at particular times

But both approaches still require some manual activities.

What I notice that you want to implement a particular firefighter process, and that you assign temporary roles to users. An other way would be to use the "own user ID's"  but create additional,specific "firefight  user ID's", which you can unlock/lock at the required times. Or use solutions offered by SAP GRC to implement an automated Firefighter process.