
Assigning roles in CUA

former_member182337
Participant
0 Kudos

Hello,

I am to assign roles using CUA. I have a CUA master and other child systems. Let's assume I am on one of the child systems. I found a BAPI, BAPI_USER_ACTGROUPS_ASSIGN, to pass role information to the master system. The problem is that this BAPI deletes the existing roles. Hence I found another BAPI, BAPI_USER_GET_DETAIL, to get the existing role details. My idea is to add these role details to the new one and then send them to BAPI_USER_ACTGROUPS_ASSIGN. Please confirm whether my process is right.

My questions:

1. When I am on a child client, will the BAPI BAPI_USER_GET_DETAIL retrieve the information of roles on the child system or the roles available in the master system?

2. Assuming it returns roles of the master system, how will I link the roles to the systems? For example: if I pass my user name to the BAPI, it gives out various table entries. One table entry contains the activity groups with the list of role names etc., and another table contains the system name. How do we map the role and system name?

3. Can we bypass the authorization check available in the BAPI?

This is urgent and it will be of great help if you can suggest a solution.

Thanks,

Prem         

3 REPLIES 3

former_member182337
Participant
0 Kudos

Hello,

Any thoughts?

Thanks.

Former Member
0 Kudos

Hi PremKumar,

Answers to your questions:

1) If you are executing "BAPI_USER_GET_DETAIL" in a child system, it retrieves the information of roles on the child system only, not the parent system.

2) I guess you have to create some logic to assign roles with systems.

BAPI_USER_ACTGROUPS_ASSIGN will delete the existing roles and create new roles; it will not append the new roles to the old ones. So try to get the existing roles of a user using BAPI_USER_GET_DETAIL, add the new roles to them, and then pass the result to BAPI_USER_ACTGROUPS_ASSIGN.

The above suggestions are from my knowledge; I am working in CUA systems and I have worked with these BAPIs.

For more details kindly go through this.

BAPI: BAPI_USER_GET_DETAIL

Use: Use this BAPI to obtain information about a user, which includes the user’s role assignments. For an example, see the test program IAM_API_TESTFRAME. Select the option Roles of a user for a specific user. The use of wildcards in the search is not supported. The corresponding include provided with the test program is IAM_USERROLES.

BAPI: BAPI_USER_ACTGROUPS_ASSIGN

Use: Use this BAPI to assign roles. Note however, that if you want to change a user’s role assignments, you must first use BAPI_USER_GET_DETAIL to obtain the user’s role assignments. You can then add or remove roles and then set the new role assignment using BAPI_USER_ACTGROUPS_ASSIGN. The system then replaces the old role assignments with the new ones.

Fields FROM_DAT and TO_DAT: If these fields are not set, then FROM_DAT is set to the current date and TO_DAT to December 31, 9999.

For an example, see the test program IAM_API_TESTFRAME. Select the option Assign roles for a specific user and role you want to assign. The corresponding include provided with the test program is IAM_ROLEASSIGN.

Considerations for Role and Profile Assignment Functions

In a CUA landscape, roles or profiles can be assigned to users either in the child systems or in the central system. If the role or profile assignment takes place in the central system, the central system must have information about which roles or profiles exist in which systems. The actual roles or profiles do not need to exist in the central system.

To maintain a user’s role assignment, use the function module BAPI_USER_LOCACTGROUPS_READ to read the existing assignment. Modify it, and reassign the changed roles using the module BAPI_USER_LOCACTGROUPS_ASSIGN. (To maintain profile assignments, use the function modules BAPI_USER_LOCPROFILES_READ and BAPI_USER_LOCPROFILES_ASSIGN accordingly.)

To delete role or profile assignments, use the function modules BAPI_USER_LOCACTGROUPS_DELETE and BAPI_USER_LOCPROFILES_DELETE respectively.

Regards,

Saravana.S
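The read, modify and reassign sequence quoted in the reply above, sketched as an added example that is not part of the thread or of SAP's code. It models the role table as a list of rows keyed by system and role, and checks before the replace-style assign call that no existing assignment would be lost. The field names SUBSYSTEM and AGR_NAME, the system names and the role names are assumptions; the rows stand in for what BAPI_USER_LOCACTGROUPS_READ would return.

```python
from datetime import date

MAX_DATE = "99991231"  # TO_DAT default quoted above: December 31, 9999


def _key(row):
    # Assumed field names: SUBSYSTEM (CUA child system) and AGR_NAME (role).
    return (row["SUBSYSTEM"], row["AGR_NAME"])


def merge_roles(existing, additions, today=None):
    """Build the complete table to hand to a replace-style assign call."""
    today = today or date.today().strftime("%Y%m%d")
    merged = [dict(r) for r in existing]      # keep every row exactly as read
    seen = {_key(r) for r in existing}
    for row in additions:
        if _key(row) in seen:                 # already assigned on that system
            continue
        seen.add(_key(row))
        merged.append({
            "SUBSYSTEM": row["SUBSYSTEM"],
            "AGR_NAME": row["AGR_NAME"],
            # Same defaults the quoted documentation describes for unset dates.
            "FROM_DAT": row.get("FROM_DAT") or today,
            "TO_DAT": row.get("TO_DAT") or MAX_DATE,
        })
    return merged


def dropped_assignments(existing, outgoing):
    """Rows read from the system that the outgoing table would remove."""
    out = {_key(r) for r in outgoing}
    return [r for r in existing if _key(r) not in out]


# Constructed sample data (hypothetical systems and roles).
SAMPLE_EXISTING = [
    {"SUBSYSTEM": "CHILD01", "AGR_NAME": "Z_ROLE_A",
     "FROM_DAT": "20200101", "TO_DAT": "20251231"},
    {"SUBSYSTEM": "CHILD02", "AGR_NAME": "Z_ROLE_A",
     "FROM_DAT": "20210301", "TO_DAT": MAX_DATE},
]
SAMPLE_NEW = [
    {"SUBSYSTEM": "CHILD01", "AGR_NAME": "Z_ROLE_A"},   # duplicate, skipped
    {"SUBSYSTEM": "CHILD01", "AGR_NAME": "Z_ROLE_C"},   # new, dates defaulted
]

if __name__ == "__main__":
    table = merge_roles(SAMPLE_EXISTING, SAMPLE_NEW)
    assert not dropped_assignments(SAMPLE_EXISTING, table)
    for r in table:
        print(r)
```

Running `dropped_assignments` against the table about to be sent turns a silent role removal into an explicit list that can be logged or rejected before the assign call.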

0 Kudos

Hi Saravana,

Could you please help me regarding this.

I am writing the code for automation of user account creation (which is normally done using Tx: SU01). Here I am using the BAPIs provided by SAP in the code.

We have a scenario in which we need to assign additional roles to an existing user, but the BAPI (BAPI_USER_ACTGROUPS_ASSIGN) that's provided for role assignment will delete the existing roles and will assign only the additional role.

Say user ZUSER has the two roles ROLE1 and ROLE2.

Now we need to add a few more roles, say ROLE3 and ROLE4.

If we use the above-mentioned BAPI, it will delete the existing roles (ROLE1 and ROLE2) and assign only the additional roles (ROLE3 and ROLE4), but our requirement is to retain the already existing roles along with the additional roles.

I tried some logic to retain the existing roles along with the additional roles, as below.

First we will fetch the already existing roles and assign all these roles (already existing roles + additional roles).

  1. i.e. assign both existing and additional roles: ROLE1, ROLE2, ROLE3 and ROLE4.

But in our case, we do not have authorization to assign a few of the roles.

Say, if we do not have authorization to assign ROLE1, then the above logic will not work.

Please let me know if there are any other FMs / class methods or any other way to assign the additional roles without deleting the existing roles.

Thanks in advance for your effort

Regards,

Nagaraj