03-13-2012 12:11 PM
Hello,
I am to assign roles using CUA. I have a CUA master and other child systems.Let's assume i am on one of the child systems. I found out a BAPI - BAPI_USER_ACTGROUPS_ASSIGN to pass role information to Master system. The problem is that this bapi deletes the existing roles. Hence i found another BAPI - ' BAPI_USER_GET_DETAIL' to get the existing role details. My idea is to add these role details with the new one and then send it to BAPI_USER_ACTGROUPS_ASSIGN. Please confirm if my process is right?
My questions:
1. When i am on child client, will the bapi - BAPI_USER_GET_DETAIL retrieve the information of roles on child system or the roles available in Master system?
2. Assuming it returns roles of the master system, how will i link the role to the systems. For example : if i pass my user name to the bapi it gives out various table entries. One table entry contains the activity groups with the list of role names etc and another table contains the system name. How do we map the role and system name?
3. Can we bypass the authorization check available in the BAPI?
This is urgent and it will be of great help if you can suggest solution.
Thanks,
Prem
03-13-2012 1:02 PM
03-14-2012 5:07 AM
Hi PremKumar,
Answer for your questions :
1) If you are executing "BAPI_USER_GET_DETAIL" in child system it retrieve the information of roles on child system only not a parent system.
2) I guess you have to create some logic to assign roles with systems.
BAPI_USER_ACTGROUPS_ASSIGN will delete the existing roles and create new roles, it will not append the new roles with old ones.So try to get existing roles of a user using BAPI_USER_GET_DETAIL and add new roles with that and then pass it to BAPI_USER_ACTGROUPS_ASSIGN.
the above suggestions are from my knowledge, i am working in CUA systems and i have worked with these BAPI's .
For more details kindly go through this.
BAPI: BAPI_USER_GET_DETAIL
Use: Use this BAPI to obtain information about a user, which includes the user’s role
assignments. For an example, see the test program IAM_API_TESTFRAME. Select the option
Roles of a user for a specific user. The use of wildcards in the search is not
supported.The corresponding include provided with the test program is IAM_USERROLES.
BAPI: BAPI_USER_ACTGROUPS_ASSIGN
Use: Use this BAPI to assign roles. Note however, that if you want to change a user’s role
assignments, you must first use BAPI_USER_GET_DETAIL to obtain the user’s role
assignments. You can then add or remove roles and then set the new role assignment using
BAPI_USER_ACTGROUPS_ASSIGN. The system then replaces the old role assignments
with the new ones.
Fields FROM_DAT and TO_DAT: If these fields are not set, then FROM_DAT is
set to the current date and TO_DAT to December 31, 9999.
For an example, see the test program IAM_API_TESTFRAME. Select the option
Assign roles for a specific user and role you want to assign.
The corresponding include provided with the test program is
IAM_ROLEASSIGN.
Considerations for Role and Profile Assignment
Functions
In a CUA landscape, roles or profiles can be assigned to users either in the child systems or
in the central system. If the role or profile assignment takes place in the central system, the
central system must have information about which roles or profiles exist in which systems.
The actual roles or profiles do not need to exist in the central system.
To maintain a user’s role assignment, use the function module
BAPI_USER_LOCACTGROUPS_READ to read the existing assignment. Modify it, and
reassign the changed roles using the module BAPI_USER_LOCACTGROUPS_ASSIGN. (To
maintain profile assignments, use the function modules BAPI_USER_LOCPROFILES_READ
and BAPI_USER_LOCPROFILES_ASSIGN accordingly.)
To delete role or profile assignments, use the function modules
BAPI_USER_LOCACTGROUPS_DELETE and BAPI_USER_LOCPROFILES_DELETE
respectively.
Regards,
Saravana.S
08-02-2012 8:47 AM
Hi Saravana,
Could you please help me regarding this.
I am writting the code for automation of the user account creation ( which is normally done using Tx: SU01). Here I am using the BAPI's in the code provided by the SAP.
We have a scenario in which we need to assign the addition roles to the existing user. but the BAPI (BAPI_USER_ACTGROUPS_ASSIGN) thats provided for roles assignment will delete the existing roles and will assign the only the additional role
Say user ZUSER is having the two roles ROLE1 and ROLE2.
Now we need to add few more roles say ROLE3 AND ROLE4.
If we use the above mention BAPI, it will delete the existing roles (ROLE1 and ROLE2) and assign only additional roles (ROLE3 and ROLE4), but our requirement is to retain the already existing roles along with additional roles.
I tried some logic to retain existing roles along with additional roles as below
First we will fetch the already existing roles and assign all these roles (already existing roles + additional Roles).
But in our case, we do not have authorization to assign few of the roles.
say if we do not have assign the ROLE1 then above logic will not work.
Please let me know if is there any other FM/ Calss Methods or any other way to assign the additional roles without deleting the existing roles
Thanks in advance for your effort
Regards,
Nagaraj