[ Automatic cross-system pre-requisite role check enhancement ]

This is an enhancement to SU01 within a CUA client that allows cross-system role prerequisite checks to occur.

For example:

When role X is assigned in system Y, role A in system B must also be assigned in order for the user's access to function correctly.

Previously this was only possible via manual checks, which proved to be inefficient.

How does the enhancement work?

First, for the enhancement to function, the role mapping rules must be populated in table ZTS_ROLE_MAP. To do this, execute the following report:

ZSU_ADD_ROLE_CONDITION

Complete the fields as required and then press the execute button to add the entry to the table.

Source Role: The role that will be searched for on save - the role that needs the prerequisite.
Source System: The system that the source role belongs to.
Prerequisite Role: The required dependent role.
Prerequisite System: The system that the dependent role belongs to.
Rule Description: Description of the rule or the reason why the rule is required.

Note: All of this data must be maintained in the CUA system/client. If the CUA system is ever migrated, the enhancement along with the conditions table must also be migrated.
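An added example (not the page's ZSU_ADD_ROLE_CONDITION report) of how such a maintenance report can validate a rule before inserting it into ZTS_ROLE_MAP; the field names SRC_ROLE, SYSTEM_SRC, DEST_ROLE and SYSTEM_DEST are taken from the enhancement's SELECT, while the RULE_DESCR field and the S_TABU_NAM authorization check are assumptions. Because a rule in this table can cause roles to be assigned automatically when the operator answers "yes", write access to it should be restricted as tightly as role assignment itself.

```abap
*&---------------------------------------------------------------------*
*& Added example maintenance report for ZTS_ROLE_MAP. Field names
*& SRC_ROLE, SYSTEM_SRC, DEST_ROLE, SYSTEM_DEST come from the
*& enhancement's SELECT; RULE_DESCR is an assumed field name.
*&---------------------------------------------------------------------*
REPORT zsu_add_role_condition_example.

PARAMETERS: p_srole TYPE zts_role_map-src_role    OBLIGATORY,
            p_ssys  TYPE zts_role_map-system_src  OBLIGATORY,
            p_prole TYPE zts_role_map-dest_role   OBLIGATORY,
            p_psys  TYPE zts_role_map-system_dest OBLIGATORY,
            p_descr TYPE zts_role_map-rule_descr.

DATA: ls_map TYPE zts_role_map,
      lv_cnt TYPE i.

START-OF-SELECTION.

* Rules drive automatic role assignment, so gate maintenance behind a
* table-level authorization (assumed: S_TABU_NAM, change activity 02)
  AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
    ID 'TABLE' FIELD 'ZTS_ROLE_MAP'
    ID 'ACTVT' FIELD '02'.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization to maintain ZTS_ROLE_MAP' TYPE 'E'.
  ENDIF.

* A rule whose prerequisite is the source role itself can never be unmet
  IF p_srole = p_prole AND p_ssys = p_psys.
    MESSAGE 'Source and prerequisite role/system must differ' TYPE 'E'.
  ENDIF.

* Reject an exact duplicate so the save-time popup does not list the
* same prerequisite twice and does not try to assign it twice
  SELECT COUNT( * ) FROM zts_role_map INTO lv_cnt
    WHERE src_role    = p_srole AND system_src  = p_ssys
      AND dest_role   = p_prole AND system_dest = p_psys.
  IF lv_cnt > 0.
    MESSAGE 'This rule already exists' TYPE 'E'.
  ENDIF.

  ls_map-src_role    = p_srole.
  ls_map-system_src  = p_ssys.
  ls_map-dest_role   = p_prole.
  ls_map-system_dest = p_psys.
  ls_map-rule_descr  = p_descr.

  INSERT zts_role_map FROM ls_map.
  IF sy-subrc = 0.
    MESSAGE 'Rule added to ZTS_ROLE_MAP' TYPE 'S'.
  ELSE.
    MESSAGE 'Insert into ZTS_ROLE_MAP failed' TYPE 'E'.
  ENDIF.
```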

Once rules have been added the table will look like the following:

Once the rule set is complete, the enhancement comes into effect.

Making user access changes

When you are in the CUA client and you add role(s) to a user, the following occurs on the save event:

All the roles assigned to the user are checked against the ZTS_ROLE_MAP table, which contains all the combinations of cross-system roles.

If a role/system is found to match an entry in the role conditions table, then the prerequisite is checked. If the prerequisite is not found, the role is noted and presented via a dialog box once all roles have been checked.

If role(s) are found to be missing, the following dialog box is presented, asking if you wish for the missing roles to be automatically assigned:

The above shows that the ZNZC_PM_EP_MGR1 role is required in the BB0100 system. Please note that if the user does not exist in that system and you select "yes", the user will be created in that system first and then the role will be assigned.

The enhancement exists in the following function group:

Z_SEC_ASSIGN_AG_CLEANUP

*       check for special role combinations
        gv_role_prereq_found = space.

*       Only continue if in the CUA system
        IF gv_central_cua EQ 'X'.

*         FOR ALL ENTRIES with an empty driver table would select every
*         row of the rule table, so only read it when roles are assigned
          IF gt_roles[] IS NOT INITIAL.

*           Get a list of all pre-req roles for the current user role assignment
            SELECT *
              FROM zts_role_map
              INTO TABLE gt_role_map
              FOR ALL ENTRIES IN gt_roles
              WHERE src_role   EQ gt_roles-agr_name
                AND system_src EQ gt_roles-subsystem.

*           Sort table to allow for binary search
            SORT gt_roles BY subsystem agr_name ASCENDING.

*           Find all the pre-req roles that have not yet been satisfied
            LOOP AT gt_role_map.
              READ TABLE gt_roles INTO gs_roles
                   WITH KEY subsystem = gt_role_map-system_dest
                            agr_name  = gt_role_map-dest_role
                   BINARY SEARCH.

              IF sy-subrc NE 0.
*               populate message table to show which roles are required
                gs_msgtab-msgv1 = text-e04.
                gs_msgtab-msgv2 = gt_role_map-system_dest.
                gs_msgtab-msgv3 = gt_role_map-dest_role.
                gs_msgtab-msgty = 'W'.
                gs_msgtab-msgno = c_msg.
                gs_msgtab-msgid = c_msg_class.

*               remember the missing pre-req as a candidate assignment
                gs_cua_roles-subsystem = gt_role_map-system_dest.
                gs_cua_roles-agr_name  = gt_role_map-dest_role.
                gs_cua_roles-from_dat  = sy-datum.
                gs_cua_roles-to_dat    = '99991231'.

                APPEND gs_cua_roles TO gt_new_cua_roles.

                APPEND gs_msgtab TO gt_msgtab.
                CLEAR gs_msgtab.

*               Set the pre-req found flag
                gv_role_prereq_found = 'X'.
              ENDIF.
            ENDLOOP.
          ENDIF.
        ENDIF.
      ENDIF.


*     Check if a message needs to be displayed
      IF gt_msgtab IS NOT INITIAL.
*       Display popup with all success/fail messages
        CALL FUNCTION 'C14Z_MESSAGES_SHOW_AS_POPUP'
          TABLES
            i_message_tab = gt_msgtab.
      ENDIF.

*     If a pre-req role was found
      IF gv_role_prereq_found EQ 'X'.

*       Call dialog box to ask user if they want the
*       pre-req roles automatically added
        CALL FUNCTION 'POPUP_TO_CONFIRM'
          EXPORTING
            text_question = text-i01
          IMPORTING
            answer        = gv_popup.

*       If changes are confirmed
        IF gv_popup EQ '1'.


*         Get the current roles assigned
          CALL FUNCTION 'SUSR_USER_LOCAGR_ACTGROUPS_GET'
            EXPORTING
              user_name           = <fcuaname>
            TABLES
              user_activitygroups = gt_cua_roles.



*         Two source roles may require the same pre-req; assign it once
          SORT gt_new_cua_roles BY subsystem agr_name.
          DELETE ADJACENT DUPLICATES FROM gt_new_cua_roles
                 COMPARING subsystem agr_name.

*         Append the new pre-req roles to the existing roles
          LOOP AT gt_new_cua_roles INTO gs_cua_roles.
            APPEND gs_cua_roles TO gt_cua_roles.
          ENDLOOP.


*         Assign the roles to the user
          CALL FUNCTION 'BAPI_USER_LOCACTGROUPS_ASSIGN'
            EXPORTING
              username       = <fcuaname>
            TABLES
              activitygroups = gt_cua_roles
              return         = gt_role_msg.

          READ TABLE gt_role_msg INTO gs_role_msg INDEX 1.

          MESSAGE ID gs_role_msg-id TYPE gs_role_msg-type NUMBER gs_role_msg-number
                  WITH gs_role_msg-message_v1 gs_role_msg-message_v2
                       gs_role_msg-message_v3 gs_role_msg-message_v4.
        ENDIF.
      ENDIF.