Skip to Content
avatar image
Former Member

Direct assigned roles do not disappear

Our customer has an indirect role assignment concept. Roles are assigned towards positions and consists only of composite roles. This works fine and when user disconnected from his position in the HR system, it ends user account but sometimes during they were working , they were also assigned single roles direly and problems arise when the FM users terminate their employment and these single are not deleted Impact occurs when the account causes a license charge because it is located with active roles. it there any solution or do we have to deleted the roles manually from the account

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

4 Answers

  • avatar image
    Former Member
    Sep 01, 2011 at 12:49 PM

    Hi,

    Once that person leaves then if you deactivate his ID then at same time you can set expiration date of Roles in his/her user id. As a result roles will also be expired in his user id and at same time you need not to delete those roles.

    Thanks

    Sunny

    Add comment
    10|10000 characters needed characters exceeded

  • Sep 01, 2011 at 11:30 PM

    Hi,

    the role assignment to account is stored in table AGR_USERS. There are two flags: ORG_FLAG and COL_FLAG. The first one tells you if role is coming from HR and the second if it's coming from composite role. In SUIM you can search for terminated users (not sure how exactly you terminate your users) and switch to view with role assignments. In the ALV with role assignments you can add field "Indirect assignment" that tells you if that role is manually assigned. So for example if all terminated users go to special user group called "TERMINATED" then you can search for all users in that group and switch to role assignment view. If there are any roles then probably they have been assigned manually. The field "Indirect assignment" tells you if that is true or not.

    Cheers

    Add comment
    10|10000 characters needed characters exceeded

  • Oct 03, 2011 at 12:20 PM

    Is the RHAUTUPD_NEW (User Master Data Reconciliation job) schedule to run every day? With the correct configuration. Normally that job takes care of the 'clean up ' of the user masters.

    Make sure that in the scheduled variant the Processing Types 'Composite Role Reconciliation' and 'HR Organizational Management: Reconciliation' are activated.

    You could also look into scheduling the PRGN_COMPRESS_TIMES job - Check some notes before implementing it, But this job will remove role assignment where validity date has passed. (In our production system we run daily a job with 2 steps, the first RHAUTUPD_NEW and the second step the PRGN_COMPRESS_TIMES).

    Add comment
    10|10000 characters needed characters exceeded

  • Oct 03, 2011 at 01:11 PM

    Hi,

    in this case (1. composite roles are assigned through HR-Org, 2.their single roles get assigned therefore only through composite roles) no direct assignements shall be found at all in agr_users.

    So this is pretty straight forward, if your customer follows his concept strictly....

    Simply check agr_users as mentioned by Martin above and delete any direct assignement (either in SU01, SU10 or PFCG) you find. After that, the system is 'clean' and prepared for future usage of that 'indirect' assignement scenario.

    b.rgds, Bernhard

    Add comment
    10|10000 characters needed characters exceeded