05-25-2007 7:01 AM
Hello,
I need to know how to assign a profile or role to a dialogue user without using pfcg or su01.
Thanks
Osama
05-25-2007 7:27 AM
As of the new release of SAP, you have to create roles (authorisation groups) to assign any user authorisation. Previously it was possible to create profiles through SU02 and assign a profile to the user, but now it is not recommended.
So only one way remains: to assign a role for a particular tcode.
As far as I know, 3.0D uses this approach for authorization. Before creating a profile in su02, you should create the object in su03. Then assign it to the profile in su02. Finally, assign it in the user's profile tag. In the new version, pfcg seems to be the only way to do so. But if you are an expert in this area, you can also assign profiles in the user's profiles tag. FYI, you can assign no more than 300 profiles to each user. That is a limitation of SAP. When you assign a role to a user, the system automatically assigns the related profile to the user at the same time.
Reward points if helpful
--Sreejesh
05-25-2007 7:56 AM
For assigning roles you can use the following BAPIs:

First get all roles the user currently has:

    CALL FUNCTION 'BAPI_USER_GET_DETAIL' DESTINATION destination
      EXPORTING
        username       = uname
      TABLES
        activitygroups = ta_agr
        return         = ta_bapiret.

Then add the new role to ta_agr:

    APPEND wa_agr TO ta_agr.

Then assign all these roles to the user:

    CALL FUNCTION 'BAPI_USER_ACTGROUPS_ASSIGN' DESTINATION destination
      EXPORTING
        username       = uname
      TABLES
        activitygroups = ta_agr
        return         = ta_bapiret.

For assigning profiles:

    CALL FUNCTION 'BAPI_USER_PROFILES_ASSIGN'
      EXPORTING
        username = uname
      TABLES
        profiles = ta_profiles
        return   = ta_return.

I hope this is what you were looking for.
(Please assign points if helpful.)
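The three steps from the reply above combined into one report that also inspects the RETURN table, as an added example that is not part of the original post. The report name, the parameter names and the `stop_on_error` form are hypothetical, and the example assumes, as the reply implies, that the assign BAPI expects the user's complete role list.

```abap
REPORT z_assign_role_example.

* Hypothetical selection parameters (names are assumptions for this example).
PARAMETERS: p_user TYPE bapibname-bapibname OBLIGATORY,
            p_role TYPE agr_name OBLIGATORY.

DATA: lt_agr TYPE STANDARD TABLE OF bapiagr,
      ls_agr TYPE bapiagr,
      lt_ret TYPE STANDARD TABLE OF bapiret2,
      ls_ret TYPE bapiret2.

START-OF-SELECTION.
* Step 1: read the roles the user currently has.
  CALL FUNCTION 'BAPI_USER_GET_DETAIL'
    EXPORTING
      username       = p_user
    TABLES
      activitygroups = lt_agr
      return         = lt_ret.
  PERFORM stop_on_error.

* Step 2: add the new role unless the user already has it.
  READ TABLE lt_agr WITH KEY agr_name = p_role TRANSPORTING NO FIELDS.
  IF sy-subrc <> 0.
    CLEAR ls_agr.
    ls_agr-agr_name = p_role.
    ls_agr-from_dat = sy-datum.
    ls_agr-to_dat   = '99991231'.
    APPEND ls_agr TO lt_agr.
  ENDIF.

* Step 3: write the complete list back. A caller without the required
* authorization gets an error message in RETURN, not a short dump.
  CLEAR lt_ret.
  CALL FUNCTION 'BAPI_USER_ACTGROUPS_ASSIGN'
    EXPORTING
      username       = p_user
    TABLES
      activitygroups = lt_agr
      return         = lt_ret.
  PERFORM stop_on_error.
  WRITE: / 'Role assigned:', p_role.

* Print error/abort messages from RETURN and end processing if any exist.
FORM stop_on_error.
  LOOP AT lt_ret INTO ls_ret WHERE type = 'E' OR type = 'A'.
    WRITE: / ls_ret-type, ls_ret-id, ls_ret-number, ls_ret-message.
  ENDLOOP.
  IF sy-subrc = 0.
    STOP.
  ENDIF.
ENDFORM.
```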
05-25-2007 4:27 PM
Hello,
Thanks for your help; however, do you know the step by step? One more question: how do you prevent a developer from being able to do this?
Thanks
Osama
05-29-2007 12:46 PM
The BAPI does perform a check on authorization groups S_USER_AGR with ACTVT 02. So if your developers do not have access, the call will be unsuccessful with an error message.
Regards
Fredrik