
Assign Role or profile using ABAP

Former Member
0 Kudos

Hello,

Need to know how to assign profile or role to dialogue user without using pfcg or su01?

Thanks

Osama

1 ACCEPTED SOLUTION

Former Member
0 Kudos

As of the new release of SAP you have to create roles (authorisation groups) for assigning any user authorisation. Previously it was possible to create profiles through SU02 and assign a profile to the user, but now it is not recommended.

So only one way remains: to assign a role for a particular tcode.

As far as I know, 3.0D uses this way for authorization. Before creating the profile in su02, you should create the object in su03. Then assign it to the profile in su02. Finally, assign it in the user's profile tag. In the new version, pfcg seems the only way to do so. But if you have expertise in this area, you can also assign profiles in the user's profiles tag. FYI, you can assign not more than 300 profiles to each user. That is a limitation of SAP. When you assign a role to a user, the system at the same time assigns the related profile to the user automatically.

Reward points if helpful

--Sreejesh

6 REPLIES 6

dhorions
Contributor
0 Kudos

For assigning roles you can use the following BAPIs:

First get all roles the user currently has:


CALL FUNCTION 'BAPI_USER_GET_DETAIL' destination destination
  EXPORTING
    username       = uname
  TABLES
    activitygroups = ta_agr
    RETURN         = ta_bapiret.

Then add the new role to ta_agr:

append wa_agr to ta_agr.

Then assign all these roles to the user :


CALL FUNCTION 'BAPI_USER_ACTGROUPS_ASSIGN' destination destination
  EXPORTING
    username             = uname
  TABLES
    activitygroups       = ta_agr
    return               = ta_bapiret.

For assigning profiles :


CALL FUNCTION 'BAPI_USER_PROFILES_ASSIGN'
    EXPORTING
      username = uname
    TABLES
      profiles = ta_profiles
      return   = ta_return.

I hope this is what you were looking for.

(please assign points if helpful)
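
The read-modify-write sequence from the answer above, as an added example that is not part of the original post: it evaluates the RETURN table after each call, so a failed authorization check or an unknown user stops the program instead of passing unnoticed. The report name, the selection parameters p_user and p_role, the local call (no DESTINATION) and the validity dates are assumptions.

```abap
REPORT z_assign_role_example.
* Added example: p_user and p_role are hypothetical selection parameters.
PARAMETERS: p_user TYPE bapibname-bapibname OBLIGATORY,
            p_role TYPE bapiagr-agr_name OBLIGATORY.

DATA: lt_agr TYPE STANDARD TABLE OF bapiagr,
      ls_agr TYPE bapiagr,
      lt_ret TYPE STANDARD TABLE OF bapiret2,
      ls_ret TYPE bapiret2.

START-OF-SELECTION.
* 1. Read the roles the user already has. The assign call below
*    writes the complete list, so existing roles must be carried over.
  CALL FUNCTION 'BAPI_USER_GET_DETAIL'
    EXPORTING
      username       = p_user
    TABLES
      activitygroups = lt_agr
      return         = lt_ret.
  PERFORM check_return.

* 2. Append the new role unless the user already has it.
  READ TABLE lt_agr TRANSPORTING NO FIELDS WITH KEY agr_name = p_role.
  IF sy-subrc <> 0.
    CLEAR ls_agr.
    ls_agr-agr_name = p_role.
    ls_agr-from_dat = sy-datum.      " assumed validity start: today
    ls_agr-to_dat   = '99991231'.    " assumed validity end: unlimited
    APPEND ls_agr TO lt_agr.
  ENDIF.

* 3. Write the full list back and evaluate the result.
  CLEAR lt_ret.
  CALL FUNCTION 'BAPI_USER_ACTGROUPS_ASSIGN'
    EXPORTING
      username       = p_user
    TABLES
      activitygroups = lt_agr
      return         = lt_ret.
  PERFORM check_return.
  WRITE: / 'Role list updated for user', p_user.

* Stop on the first error or abort message returned by a BAPI,
* for example when the caller lacks the required authorization.
FORM check_return.
  LOOP AT lt_ret INTO ls_ret WHERE type = 'E' OR type = 'A'.
    MESSAGE ls_ret-message TYPE 'E'.
  ENDLOOP.
ENDFORM.
```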

Former Member
0 Kudos

Hello,

Thanks for your help. However, do you know the step-by-step? One more question: how do you prevent a developer from being able to do this?

Thanks

Osama

0 Kudos

The BAPI does perform a check on authorization groups S_USER_AGR with ACTVT 02. So if your developers do not have access, the call will be unsuccessful with an error message.

Regards

Fredrik

Former Member
0 Kudos

That is unless they hobble the authorisation check via debug & replace

0 Kudos

That should not be possible in a production environment.