[ Automatic cross-system pre-requisite role check enhancement ]
This is an enhancement to SU01 within a CUA client that allows for cross-system role pre-requisite checks to occur.
When role X is assigned in system Y, role A in system B must also be assigned in order for the user access to function correctly.
Previously this was only possible via manual checks, which proved to be inefficient.
How does the enhancement work?
First, for the enhancement to function, the role mapping rules must be populated in table ZTS_ROLE_MAP. To do this, execute the following report:
Complete the fields as required and then simply press the execute button to add the entry to the table.
Source Role: The role that will be searched for on save, that is, the role that needs the prerequisite.
Source system: The system that the source role belongs to.
Prerequisite Role: Required dependent role.
Prerequisite System: The system that the dependent role belongs to.
Rule Description: Description of rule or reason why rule is required.
Note: All this data must be maintained in the CUA system/client. If the CUA system is ever migrated then the enhancement along with the conditions table must also be migrated.
Once rules have been added the table will look like the following:
Once the rule set is complete the enhancement will come into effect.
Making user access changes
When you are in the CUA client and you add role(s) to a user the following will occur on the save event:
All the roles assigned to the user are checked against the ZTS_ROLE_MAP table, which contains all the combinations of cross-system roles.
If a role/system combination matches an entry in the role conditions table, the prerequisite is checked. If the prerequisite is not found, the missing role is noted and presented in a dialog box once all roles have been checked.
If role(s) are found to be missing the following dialog box will be presented, asking if you wish for the missing roles to be automatically assigned:
The above shows that the ZNZC_PM_EP_MGR1 role is required in the BB0100 system. Please note that if the user does not exist in that system and you select “Yes”, the user will be created in that system first and then the role will be assigned.
The enhancement exists in the following function group:
* Check for special role combinations
gv_role_prereq_found = space.

* Only continue if in the CUA system
IF gv_central_cua EQ 'X'.
* FOR ALL ENTRIES reads every row when the driver table is empty,
* so only select when the user has roles to check
  IF gt_roles IS NOT INITIAL.
* Get a list of all pre-req roles for the current user role assignment
    SELECT * FROM zts_role_map INTO TABLE gt_role_map
      FOR ALL ENTRIES IN gt_roles
      WHERE src_role   EQ gt_roles-agr_name
        AND system_src EQ gt_roles-subsystem.

* Sort table to allow for binary search
    SORT gt_roles BY subsystem agr_name ASCENDING.

* Find all the pre-req roles that have not yet been satisfied
    LOOP AT gt_role_map.
      READ TABLE gt_roles INTO gs_roles
        WITH KEY subsystem = gt_role_map-system_dest
                 agr_name  = gt_role_map-dest_role
        BINARY SEARCH.
      IF sy-subrc NE 0.
* Populate message table to show which roles are required
        gs_msgtab-msgv1 = text-e04.
        gs_msgtab-msgv2 = gt_role_map-system_dest.
        gs_msgtab-msgv3 = gt_role_map-dest_role.
        gs_msgtab-msgty = 'W'.
        gs_msgtab-msgno = c_msg.
        gs_msgtab-msgid = c_msg_class.
* Queue the missing role for assignment, valid from today
        gs_cua_roles-subsystem = gt_role_map-system_dest.
        gs_cua_roles-agr_name  = gt_role_map-dest_role.
        gs_cua_roles-from_dat  = sy-datum.
        gs_cua_roles-to_dat    = '99991231'.
        APPEND gs_cua_roles TO gt_new_cua_roles.
        APPEND gs_msgtab TO gt_msgtab.
        CLEAR gs_msgtab.
* Set the pre-req found flag
        gv_role_prereq_found = 'X'.
      ENDIF.
    ENDLOOP.
  ENDIF.
ENDIF.

* Check if a message needs to be displayed
IF gt_msgtab IS NOT INITIAL.
* Display popup with all success/fail messages
  CALL FUNCTION 'C14Z_MESSAGES_SHOW_AS_POPUP'
    TABLES
      i_message_tab = gt_msgtab.
ENDIF.

* If a pre-req role was found
IF gv_role_prereq_found EQ 'X'.
* Call dialog box to ask user if they want the
* pre-req roles automatically added
  CALL FUNCTION 'POPUP_TO_CONFIRM'
    EXPORTING
      text_question = text-i01
    IMPORTING
      answer        = gv_popup.

* If changes are confirmed
  IF gv_popup EQ '1'.
* Get the current roles assigned
    CALL FUNCTION 'SUSR_USER_LOCAGR_ACTGROUPS_GET'
      EXPORTING
        user_name           = <fcuaname>
      TABLES
        user_activitygroups = gt_cua_roles.

* Append the new pre-req roles to the existing roles
    LOOP AT gt_new_cua_roles INTO gs_cua_roles.
      APPEND gs_cua_roles TO gt_cua_roles.
    ENDLOOP.

* Assign the roles to the user
    CALL FUNCTION 'BAPI_USER_LOCACTGROUPS_ASSIGN'
      EXPORTING
        username       = <fcuaname>
      TABLES
        activitygroups = gt_cua_roles
        return         = gt_role_msg.

* Report the first message returned by the BAPI
    READ TABLE gt_role_msg INTO gs_role_msg INDEX 1.
    MESSAGE ID gs_role_msg-id TYPE gs_role_msg-type NUMBER gs_role_msg-number
      WITH gs_role_msg-message_v1 gs_role_msg-message_v2
           gs_role_msg-message_v3 gs_role_msg-message_v4.
  ENDIF.
ENDIF.
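The save-time check described above, modelled in Python as an added example (not part of the enhancement or the original page) for auditing an export of ZTS_ROLE_MAP offline. With transitive=False it makes the same single pass over the user's current roles as the ABAP; with transitive=True it goes beyond the page and also follows the prerequisites of each missing role. The function name, the rule rows and every role and system name other than ZNZC_PM_EP_MGR1 and BB0100 are constructed for illustration.

```python
from collections import deque

# Constructed rows shaped like ZTS_ROLE_MAP:
# (src_role, system_src, dest_role, system_dest).
# Only ZNZC_PM_EP_MGR1 and BB0100 appear on the page; the rest are invented.
ROLE_MAP = [
    ("ZSRC_PORTAL_MGR", "PP0100", "ZNZC_PM_EP_MGR1", "BB0100"),
    ("ZNZC_PM_EP_MGR1", "BB0100", "ZBASE_DISPLAY", "CC0100"),
    ("ZBASE_DISPLAY", "CC0100", "ZSRC_PORTAL_MGR", "PP0100"),  # rule cycle
]


def missing_prerequisites(assigned, role_map, transitive=True):
    """Return the (system, role) pairs the user still needs, in discovery order.

    assigned   -- (system, role) pairs the user already holds
    transitive -- False: check only the roles held now (single pass);
                  True: also check the prerequisites of each missing role
    """
    rules = {}
    for src_role, system_src, dest_role, system_dest in role_map:
        rules.setdefault((system_src, src_role), []).append(
            (system_dest, dest_role))

    seen = set(assigned)          # held or already reported
    queue = deque(sorted(seen))   # sorted for a deterministic result
    missing = []
    while queue:
        current = queue.popleft()
        for prereq in rules.get(current, []):
            if prereq in seen:    # already held or reported; also ends cycles
                continue
            seen.add(prereq)
            missing.append(prereq)
            if transitive:
                queue.append(prereq)
    return missing


if __name__ == "__main__":
    user_roles = [("PP0100", "ZSRC_PORTAL_MGR")]
    print(missing_prerequisites(user_roles, ROLE_MAP, transitive=False))
    print(missing_prerequisites(user_roles, ROLE_MAP))
```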