don't assign S_A:SYSTEM. Find the actual missing value and add it to the role
↧
Re: User XYZ has no authorization for tp command IMPORT
↧
Re: Role (B007) deleted from Position
if you keep a delimited relationship it provides some additional context when understanding user change documents. When PFUD for org structure is run, you will see change documents for SU01 roles/profile removal. It's nice to know where the user got this access (esp if they held multiple positions)
if the HRP1001 has change logging then this is not so much an issue
in PO13 there are other selections (such as current) which limit seeing expired relationships
Regards
Colleen
↧
↧
Re: Issue with HR Security
Assuming, for the retired staff you are not changing the PA,EG,ESG & Org key and changing only default position. You need to check the structural authorization (if used) and the switch used for it in T77S0 table.
Regards,
Dadarao.
↧
LDAP Synch - reg
Hi Frns,
We have a requirement to synch the AD users from SAP HCM. We developed a custom report using LDAP mapping and things are fine.
Now we have requirement like when ever some user is terminated in SAP HCM we need to move the user from the actual OU to another OU.
Is there anyway that we can move the user profile from one OU to another? I tried to replace the employee DN with new DN but its not allowing.
The function module I am using is CALL FUNCTION 'SPLDAP_RECEIVE_ATTRIBUTES'
Please suggest.
Regards,
↧
Query User Group Mapping To Role
Dear All,
I understand that a query user group can be mapped to one authorization role, this is standard behavior (Transaction SQ10).
However, when I look in my current system (DEV) I can see that more than one role has been mapped earlier to one Query User Group. If I now try to simulate the same then I get an error that an earlier role is already assigned.
For e.g I have a role X that is already mapped to infoset query user group /SAPQUERY/H9. When I try to assign another role Y to this query user group I get an error as shown below:
Any ideas on how multiple roles would have been mapped to a single query user group?
We are on ECC 6.0 SP 2.
Regards,
Avinash
↧
↧
Re: Issue with HR Security
Not structural authorization i maintained all tyhe infotypes necessary to their work
↧
Re: Issue with HR Security
here we are not using structural authorization Dadarao so how can i proceed further can i add manually the auth object for s_tabu_dis and assign the table name .
↧
Re: Using eCATT and removing roles in SU01 screen
Hello Sathya/All,
I'm facing the same issue while running the same script for removing all roles of mass user ids in ECC 6.0 EHP 6.0 also.
I'm also following the same steps which sathya has mentioned above.
Please share if there is any resolution for it.
Regards,
Amit Bharti
↧
Re: Lock all users from company or at plant level
You can use table AGR_1252 to find out the roles for required company codes and then table AGR_USERS would give you the users assigned to those roles.
The best way would be to categorize the users in appropriate user groups. You can use a naming convention which suits your orgnization structure and then it will always help for reporting/access maintenance.
Regards,
Nitesh
↧
↧
Re: Deactivate password for users (mass) with SSO
Hi Abdul,
with security policies you could create one with PASSWORD_CHANGE_FOR_SSO set to 3 for your normal users and an other one with some other value, depending on your requirements for your admins.
You would then assign the first security policy to all users except admins and the second one to only admins. You are then also free to set tighter requirements for the admins if you like.
You could also set in the profile PASSWORD_CHANGE_FOR_SSO to 3 and just assign a security policy to the admins with PASSWORD_CHANGE_FOR_SSO set to some other level.
Kind regards,
Patrick
↧
Re: Using eCATT and removing roles in SU01 screen
Hi Amit,
Create a new ecatt script for role removal using SU10 tcode, instead of SU01. That should resolve the issue.
Regards,
Nitesh
↧
Re: Lock all users from company or at plant level
How about validity dates on the roles? That way same user is "locked" from processing orders in a plant but can still do accounting if he / she performs two jobs with the same user ID.
Or use the standard options to open / close periods for posting types. That way they are authorized but system does not allow it.
Or... even better... just tell them not to do it and monitor that it they do not co-operate then they don't get a bonus. That works very well!
Cheers,
Julius
↧
Re: Lock all users from company or at plant level
Julius von dem Bussche wrote:
Or... even better... just tell them not to do it and monitor that it they do not co-operate then they don't get a bonus. That works very well!
Cheers,
Julius
My favourite, they only do it once!
↧
↧
Re: Setting productive passwords from a CUA central system
Hello Tim,
I am researching into CUA and AD hookup.
Currently we have Enterprise Portal ECC ABAP Data Store in our SAP environment.
Per SAP note 718383, we cannot switch directly to AD because we are using data
source configuration file dataSourceConfiguration_abap.xml.
It appears from multiple readings that we can switch to
Central User Authentication (CUA) and connect the CUA system with AD to
circumvent the constraint. Is this idea feasible?
Your input will be greatly appreciated.
Thanks
Percy
↧
Re: Using eCATT and removing roles in SU01 screen
Hi Nitesh,
Thanks for your reply.
But how could we use SU10 tcode for this request if I want to select all the roles assign to the users and delete it.
Let us suppose in my variant I've 10 users and each has different roles assign to it.
so how can I use SU10 tcode and delete all the roles assign to the respective users via script.
However, I've raised the incident to the SAP in service market place and SAP has responded with this note "1864062 - Problems using Batch Input for User Maintenance".
I'm following the suggestion mentioned in this note. Will update if it works.
Regards,
Amit Bharti
↧
Re: Cannot display archived idoc data records in SARA
Thanks,
I was going through my old posts/questions and see this was never closed (marked as answered). My issue was SAP Auth related and our Auth team at that time was fairly new/junior and didn't work much with archiving structures it seems. They eventually managed to update my role & profile with the necessary missing objects.
Regards
Fawaaz
↧
Re: Authorization Issue while Data Preview from HANA View
Thanks a lot Nitesh
The issue has been solved.
Regards!
↧
↧
Re: Issue with HR Security
Hi Parimala
No idea where you are getting S_TABU_DIS from? Even if tables were required, it'd be better to use S_TABU_NAM
How are you trying to obtain the personnel - is it via PA30 matchcode search or are you running report elsewhere. It might be worth showing a screen shot of your error message (blank out any sensitive fields if you see them) and include the STAUTHRACE checks or failed checks
Also, what authorisations have you included already when you say you put all the values in there?
Regards
Colleen
↧
Re: Deactivate password for users (mass) with SSO
Try looking into parameters
login/disable_password_logon
login/password_logon_usergroup
Thanks,Krishna
↧
Re: Using eCATT and removing roles in SU01 screen
Hello Brahmeshwar,
Can you please elaborate these two FM in more detail ?
And explain in more detail to use them with ecatt.
That would be of great help.
Regards,
Amit Bharti.
↧