04-12-2012 8:12 AM
Hi.
I have a few doubts on role assignments / unassignments.
When a role is assigned to a user indirectly based on position, am able to remove the role for any particular user from PO 13. And say change / put a to date of yesterday, and save, the role immediately gets removed from the user.
However when i dont know whether the role was assigned directly or indirectly.
how to find this first whether the user is assigned based on position or the user is assigned roles directly?
And if i want to unassign/remove a particular role from a user, SU01 - does not really allow me to remove.
When i looked at SU10 and put the user name and then say USER/CHange and put the role name - put the to date as yesterday. And click radio button remove. and say save. It flashes some message.
Am not sure whether am looking at things the right way.
Why is that we are unable to change - to date validity of any role from SU01 ?
So that the access to a particular role can be removed immediately for any particular user on SU01.
Can anyone help me understand this.
Thanks
indu
04-12-2012 8:30 AM
Indumathy Narayanan wrote:
However when i dont know whether the role was assigned directly or indirectly.
how to find this first whether the user is assigned based on position or the user is assigned roles directly?
Hi,
Roles assigned indirectly appear in blue colour in PFCG user assignment tab or SU01 roles tab. Other way could be looking at AGR_USERS table.
Indumathy Narayanan wrote:
When i looked at SU10 and put the user name and then say USER/CHange and put the role name - put the to date as yesterday. And click radio button remove. and say save. It flashes some message.
Am not sure whether am looking at things the right way.
For role removal thru's SU10, in addition to the step you mentioned above you will need to select the 'remove' radio button in profile tab as well. However, indirectly assigned roles cannot be removed thru' SU01 or SU10.
I would strongly recommend you to go thru' the SAP R/3 and HCM authorization concepts with help from help.sap.com or documents like ADM 940/950/960 and HR940. If Julius is reading this post then your question will be soon moved to Test & playground forum ..not sure if it still exists in the new SCN
Thanks
Sandipan
04-12-2012 8:30 AM
Indumathy Narayanan wrote:
However when i dont know whether the role was assigned directly or indirectly.
how to find this first whether the user is assigned based on position or the user is assigned roles directly?
Hi,
Roles assigned indirectly appear in blue colour in PFCG user assignment tab or SU01 roles tab. Other way could be looking at AGR_USERS table.
Indumathy Narayanan wrote:
When i looked at SU10 and put the user name and then say USER/CHange and put the role name - put the to date as yesterday. And click radio button remove. and say save. It flashes some message.
Am not sure whether am looking at things the right way.
For role removal thru's SU10, in addition to the step you mentioned above you will need to select the 'remove' radio button in profile tab as well. However, indirectly assigned roles cannot be removed thru' SU01 or SU10.
I would strongly recommend you to go thru' the SAP R/3 and HCM authorization concepts with help from help.sap.com or documents like ADM 940/950/960 and HR940. If Julius is reading this post then your question will be soon moved to Test & playground forum ..not sure if it still exists in the new SCN
Thanks
Sandipan
04-12-2012 9:12 AM
Hi Sandipan /Ajesh.
Thanks.
@Sandipan : Ok i got the difference now between direct and indirect user assignment how to identify that. Just that i was not aware how to identify.
@Ajesh : Yes, am able to remove the role thro SU10 - roles which hve been assigned indirectly too.
When you do the removal of roles thro SU10, it gets highlighted in black letters - like direct user assignment. But i was not sure whether it is the right approach wherein we have to remove many roles for a huge list of users.
Regards
indu
04-12-2012 9:46 AM
Hi Indu,
Are you sure indirect role assignments are removed through SU10. As far as I know it shouldnt. There is a job (RHAUTUPD_NEW, PFUD Transaction) that is usually sheduled eery day that will sync the assignments. If removed it should assign the assignments back.
There were many discussion on this forum about these. You can check those for more insight
Regards,
Ajesh.
04-12-2012 9:57 AM
Hi Ajesh.
Ok thanks for the info.
I have a test server on which i tested a role - which i believe to be indirectly assigned. Because it was not allowing any edit or removal directly on SU01. And what i saw was that. :
when i went to SU10 and put the user. then change. put the role name. click on radio button remove. and here i also did the to date as yesterdays date. and also from the profile tab, removed the profile and just clicked on save. it popped up some message. But what i saw was a bit strange.
As you said, the existing role A remained as highlighted as before. But after the above activity on SU10, the same role A, appeared in SU01 - highlighted in black (2nd time) saying the validity is till yesterday.
Also under PFCG - if you check the role A, user tab says - validity of user Indu - valid only till yesterday and it is also highlighted in black letters. So that implies it is gone ?
So i got a bit confused as to what actually is happening on the system.
Thanks again.
.
Regards
indu
04-12-2012 8:56 AM
Hi Indu,
From SU01/SU10 you can remove direct assignments. For indirect assignments you have to remove from PO13.
Regards,
Ajesh.