07-31-2008 9:04 PM
I need to delete all of the roles from multiple users and I was wondering if anyone knows of a way to do it simultaneously other than a Mercury script(it wont take the roles away that are lower than the initial 20)?
08-05-2008 4:15 PM
It seems as though the original question I had was changed somewhere along the lines. The question is that I need to delete multiple users roles(for inactive users). I do not have specific role names, nor do I specific authorization objects that I am looking for. I have a list of about 1000 users, all of which have a great degree of varying roles and authorizations in which I need all of them deleted, without deleting the user.
07-31-2008 9:33 PM
Hi there,
there could be easier ways to do it, but this is how I'd go about it if I didn't want to go to each user ID.
Get a list of all roles assigned to your users you want to restrict from SUIM (display the list of users via tcode S_BCE_68001400). Click on the 'roles' button and it will pull up a list of all the roles assigned to those users. Extract and save that).
Filter the list so you have only one entry of each role name.
Then go to SU10, enter in all your user IDs to change and go to the role tab, enter the unique list and put wide dates on it say from 01.01.1995 - 31.12.9999 (you want them earlier than the earliest role 'valid from' date and later than the latest role 'valid to' assignment).
Click the 'Remove' box and save and you should have all roles removed.
Good luck with it.
Cheers,
Dianne
07-31-2008 11:05 PM
>
>(it wont take the roles away that are lower than the initial 20)?
You can program it to delete all the roles, it is possible to do scripting in Mercury and get this one completed.
However, you can also opt to use table AGR_USERS (with Indirect assingment <>X) for all those users,
Go to SU10
Click Authorization data, paste all the users , execute it, select all and transfer them to SU10.
Click change, go to roles tab enter all the roles, check the remove radio button.
Go to profiles, check the radio button to remove profiles.
Execute it.. bingo !!! its done !!
Regards,
Zaheer
08-01-2008 8:02 AM
Hi,
You can do it using transaction code PFCG.
Execute pfcg -> give the role name in the role name field -> click on change -> go to user tab ,here you will find all the users aggaigned to that role.
select all the users you want to remove then click on delete button and save the role.
Regards
Ashok
08-01-2008 1:48 PM
Someone will suggest a CATT so it might as well be me.
Search this forum for how to write a CATT script. I would use tcode SU01 versus PFCG to create the CATT script.
08-01-2008 1:53 PM
> Someone will suggest a CATT so it might as well be me.
> Search this forum for how to write a CATT script. I would use tcode SU01 versus PFCG to create the CATT script.
How would one write a catt script to delete role assignments? You'd need to predict which line to delete in the SU01 roles tab.
Sounds a bit beyond (E)CATT to me.
08-01-2008 2:25 PM
I was able to do this using the find role function in SU01. It will place the role in the first position on the screen and then you can delete the role.
08-01-2008 2:55 PM
08-01-2008 3:54 PM
You can also use SU10 for this too, in general it is pretty useful as it when deleting a role from a user it will perform the find and when adding a role/s will append so bypassing the scroll.
Interesting to hear about the find functionality in SU01
08-03-2008 10:20 AM
Hi
This may not help but I do recall seeing a SAP Standard report for this when I worked on ERP 6.0. a couple of years ago but never had a chance to look at this in detail because I was happy with using a CATT script to remove redundant roles at that time.
Problem is that I dont have access to SAP at the moment and cannot recall the name of this report.
Has anyone used this feature and if so, did it work?
I remember a discussion I had with a collegue about this report who advised me at that time that it only worked for single roles and would need to be tweaked with ABAP to enable the deletion of multiple roles.
This is one area of SAP that frustrates me and it would be great if there was a SAP Standard Mass role deletion tool that actually worked.
Regards
Charmaine
08-05-2008 12:42 PM
Ahh... but such tools do indeed exist, if only on a very limited range of (exclusive) systems...
My outlined solution could be easily modified to delete (or allocate) roles in any number of systems, CUA or not, by selecting specific roles or, say, role name patterns (every role adhering to ZABAP123* etc...) - the possibilities are numerous.
Hm... maybe it's time I finished off my full-blown version of this thing and put it up for sale...
08-05-2008 4:15 PM
It seems as though the original question I had was changed somewhere along the lines. The question is that I need to delete multiple users roles(for inactive users). I do not have specific role names, nor do I specific authorization objects that I am looking for. I have a list of about 1000 users, all of which have a great degree of varying roles and authorizations in which I need all of them deleted, without deleting the user.
08-05-2008 4:30 PM
Yes I believe we were answering that question. I mentioned that you can delete the role assignment from SU01 by creating a CATT (ECATT). You will first need to run a list from SUIM of your inactive user ids and then list out all of the roles assigned.
08-05-2008 4:34 PM
If you just have the ID's you want to delete all roles from then you don't even need to know the roles you want deleting. eCATTing SU01 & clicking on the select all and then delete all icons will do the job.
I agree most of the answers did address the original question, there is always more than 1 way to skin a cat.
08-05-2008 4:43 PM
Alex,
Quite right - you don't need to know the roles - just "select all" and delete.
08-06-2008 6:05 AM
Hello James,
You may try the below procedure, programatically...with the help of a Developer.
- Recursively, Obtain the Roles of User using BAPI_USER_LOCACTGROUPS_READ
- Delete just the Local Role Assignments of User using BAPI_USER_ACTGROUPS_DELETE
Also, you may explore the other Methods (BAPI / Remote-enabled FMs) in the Business Object USER
Hope this resolves your problem.
With Regards
VG
08-05-2008 5:27 PM
I already have my list of inactive users, however if I have to list out the roles for the users(even if they share some assignments) wouldn't it just be as easy to delete each users roles one by one instead of compiling a list just to build a script. What I would like is a way to delete multiple users roles regardless of what they are assigned.
08-05-2008 5:29 PM
>
> I already have my list of inactive users, however if I have to list out the roles for the users(even if they share some assignments) wouldn't it just be as easy to delete each users roles one by one instead of compiling a list just to build a script. What I would like is a way to delete multiple users roles regardless of what they are assigned.
Between what JC & I have posted just now, you will have your answer