role assignment to users in sap

Assign the User Roles

• How to create and assign a role collection in the SAP BTP subaccount.

Prerequisites

• You have an enterprise global account in SAP BTP. To use services for free, you can sign up for a CPEA (Cloud Platform Enterprise Agreement) or a Pay-As-You-Go for SAP BTP global account and make use of the free tier services only. See Using Free Service Plans .
• You have an S-user or P-user. See User and Member Management .
• You are an administrator of the global account in SAP BTP.
• You have a subaccount in SAP BTP to deploy the services and applications.
• Mozilla Firefox
• Google Chrome
• Microsoft Edge
• You have deployed your application in either the SAP BTP, Cloud Foundry runtime or the SAP BTP, Kyma runtime. See Deploy in SAP BTP, Cloud Foundry Runtime for deploying to the SAP BTP, Cloud Foundry runtime and Deploy in SAP BTP, Kyma Runtime for deploying to the SAP BTP, Kyma runtime.

Open the SAP BTP cockpit and navigate to your subaccount.

Choose Security → Role Collections , and then choose Create .

In the Create Role Collection popup, enter Incident Management Support in the Name field and choose Create .

Choose the role collection Incident Management Support from the list of role collections and choose Edit on the right.

Open the value help in the Role Name field.

Search for the role support , select it, and choose Add .

Choose Save .

Choose Security → Users , and then choose a user from the list.

Under Role Collections on the right, choose Assign Role Collection .

In the Assign Role Collection dialog, select the Incident Management Support role collection and choose Assign Role Collection .

You have assigned the Incident Management Support role collection to your user.

You might need to log out and log back in to make sure your new role collection is taken into account.

What is the name of the role that's created in your SAP BTP account as part of your application's deployment?

• Create a role collection and add role
• Assign a role collection to a user

2287206 - Using an assignment profile to change user Roles

• Admin created a user role for all Client users. When Admin Logs in as a Site User, they see that the site users are attached to the Default user role. How can they set the newly created role as a Default for site users?
• How to create Assignment profile
• How to change role of all users at once
• User role changed in Connector Configuration --> User Connectors to default role but this role is not applied for old users user.connector.defaultValue.studentRoleID= USER ROLE

Environment

SAP Success factor: Learning Management System(LMS)

There are 3 general ways of changing the role for multiple users, you can do this using:

• A user connector (System Admin >> Connectors)
• Import Data tool (System Admin >> Tools)
• Assignment Profile: a. Here what you want to do is the third option, add your role to an assignment profile and propogate this down to the desired users. This will replace their default role with your new role. b. You can use  Users >Assignment Profiles>Roles  to change a role for each user who is associated with the assignment profile. Propagating updates the role in  Users>Users>Summary. Propagating can also change a      user's access to the user interface depending on the role's workflows. After you add a role to the assignment profile, the role can have one of the following statuses: Valid (the assignment profile has been propagated) and Add Pending (the assignment profile has not been propagated). c. Be careful to only use one Valid assignment profile and role per user as the danger is they can overwrite each other.

assignment;profiles;role;change;user;default , KBA , LOD-SF-LMS-COR , LMS Core - Items, Catalog, Curricula , How To

Privacy | Terms of use | Legal Disclosure | Copyright | Trademark

Mass user to Role assignment using SECATT

We have already discussed how to create mass users using SECATT. This is one of those issues which Security Consultants always face during their day to day security activities. In this section, we are going to discuss on How to do Mass user to Role assignment using SECATT. It will not be a very tough task if all the users have to be assigned the same roles, which we can easily do using SU10 tcode.

But what if mass users have to be assigned different roles?

We can use SECATT script for this purpose. But the main question is – Can we use SU01 tcode for this script? The answer is a BIG NO . We know that SECATT Scripts are screen dependent and it follows the same steps and inserts data at the same place where we insert during recording of the scripts. Hence, if we use SU01 for role assignment to users, SECATT will try to insert the role at the same position again and again and hence it will fail. Then what is the solution? The solution is using SU10 tcode instead of SU 01. Lets start with SECATT for mass user to role assignment task.

(1) Step 1 – Recording the Tcode Execution

Lets name the script as Z_MASS_USER_ROLE_ASSIGNMENT and click create.

• Enter the title as “Mass User to Role Assignment”
• Enter Component as “BC-SEC-USR-ADM”
• Click Pattern as shown in the figure below

The system will then prompt “Create Object Directory Entry Box”. Select Local Object.

• Now in Insert Statement Dialog window, select UI Control for Group .
• Select TCD (Record) for Command.
• Select SU10 for Transaction. Press Enter. The Interface will get populated automatically with SU10_1.
• Click Continue check mark.

From this step onwards every step is recorded. So we need to be a little careful not to click any option which is not required. Clicking the continue check mark takes to the User Maintenance (SU10) screen. Follow the steps for assigning a role to a user id and click Save. Lets take the example of a user – ZTEST and assign a role using SU10 as shown below:

• Execute tcode SU10. Gve user id ZTEST and click “change”
• In the next screen, go to “Roles” tab. Select the “Add” radio button.
• Add a role and role validity

• In the next screen, Click Save to save the recorded test script.

(2) Step 2 – Creating the Parameters

As already discussed during the earlier discussion on SECATT, the next step after “Recording of tcode execution” is Creating the Parameters . Here, the VALINS (Values that were entered during the recording) are converted to Parameter Values. Lets see how this is done.

• Double click the interface value SU10_1.

• On expanding the dynpro mode, we get various sets of screens numbered [1], [2], [3] etc. Expand the 1st [1] set of screen.
• Double click on FIELD MODE (as shown in the figure below)

• On the right side of the screen, we get certain values for interface SU10_1. Double click on the value that was entered during user to role assignment. For example, we had used user id as ZTEST. Double click on the value (ZTEST here).

Change ‘ZTEST’ to ZUSERID and click Back button as shown below:

(3) STEP 3 – Creating Test Configuration

• Enter Test Configuration Name and click create icon as shown below:

• Enter Description of the Test Configuration (Here we have entered configuration as “Test Configuration for User to Role Assignment”)
• Enter Component as “BC-SEC-USR-ADM”. Click Save.

• System will prompt with “Create Object Directory Entry” Dialog window. Click Local Object.
• Now select “ Configuration ” tab.
• In the “Test Script” text box, enter the Test script name that we had created in the Step 1. (We had created Test Script Z_MASS_USER_ROLE_ASSIGNMENT )

• Select Utilities -> Settings
• Now select eCATT tab and then External tab
• Also set the path for eCATT Objects, Variants and WebDynpro . We have set the path to Desktop as shown in the figure below:

• Click Continue check mark
• Now download variants using “Download Variants” button as shown below:

• By default it will be downloaded to Desktop as we had set the path for variant download as Desktop in our previous step.
• The system will prompt with “Download Variant Data” dialog box. Click Yes:

(4) Step 4 – Updating and Uploading the Variant file

The variant file ( VAR_ECTC_Z_MASS_USER_ROLE_ASSIGNMENT.TXT ) gets downloaded to the desktop.

The file is in .txt format. The values present in this file should not be modified. For mass users to role assignment, we need to update this file with the list of users and roles which need to be assigned. The best way to do that is to open this file in .xls format as already discussed earlier (right click on the file and open with Microsoft excel). Now update this file with the list of mass roles which need to be assigned to mass users.

Save the file and make sure that we use it in .txt format in SAP since the script reads .txt format.

• Click Variants tab and select External Variants/Path. Select the Variant file and click execute.

Make sure that the variant file is not open while execution. When system prompts to save the configuration, save it.

Execute the File. Mass users to Role Assignment process starts and ends with a log file.

Please  Note : Due to Technical changes into SU01/SU10, SECATT no longer works for SU01/SU10 post Netweaver Release 7.3. Please refer to SAP Note 1864062 for more details.

• Kale by LyraThemes.com.

Managing the User Role

After completing this lesson, you will be able to:

• Create a User Role in SAP Fieldglass.

Many organizations have users who will need identical access to functions within SAP Fieldglass, but it can be laborious and time-consuming to have to set up those permissions for individual users. Therefore, SAP Fieldglass uses what’s called a User Role to define a set of permissions based upon a particular need. That User Role can then be assigned to users who require that set of permissions.

For instance, Mavis, as a hiring manager at WorkingNet, uses SAP Fieldglass to create job postings and work orders to help her procure and manage workers. Since there are other hiring managers who need identical access, instead of having to define each user’s permissions separately, WorkingNet created a User Role called "Hiring Manager" and associated it to the job postings, work orders, time sheets, and invoices that hiring managers need. That user role, in turn, is then assigned to Mavis and all of the other hiring managers, granting them access to the functions that are associated to that user role.

Navigating the User Role Admin Object

User Role List Page

Both transactional permissions and administrative permissions can be configured, so virtually every function within SAP Fieldglass can be assigned to a user role.

User Role Details Page

The details page is presented as a table indicating the types of permissions that the user has been granted by module or admin object. The page is further divided by User Permissions, which is presented first, and Administrative Permissions, which can be found by scrolling down the page.

Not all functions are present for every module and permissions can have dependencies on other permissions.

Access can be set to include any combination that allows a user to view, submit, manage, approve, close, pay, and even set the financial considerations for an item.

Create a User Role

WorkingNet requires a new user role for the Finance Department.

They are in the process of onboarding a team that will be responsible for the invoicing portion of the finance process. That includes creating, approving, and managing the invoices.

As the SAP Fieldglass administrator for WorkingNet, you will need to create this new user role.

Log in to track your progress & complete quizzes