Business Role to System/Technical Role Mapping in CUP

All,
In our design of CUP we are having end-users log on and choose their "business role" and having CUP select the system/technical roles. For example, we want an AP Clerk to be able to log on and choose "AP Clerk" and have roles A, B & C from ECC selected and role D from BI.
Is this type of design possible in CUP 5.3, or are we extending into IDM functionality (which we do not have)? Has anyone had experience with this type of design? What are your recommendations?
Thank you,
Grace Rae

Grace,
I assume you are looking for Job/Position roles, but for SAP systems. Fortunately, CUP provides the flexibility to implement the RBAC concept for both SAP & non-SAP systems.
In this case, the catch would be your blueprinting, which depends on various parameters like – how sound your authorization concept is in all the managed systems (R3, BI, non-SAP etc.), approval criteria, organizational/operational view etc. The concern is that we may run into other issues of violations, risk analysis, approvals etc. if we don't plan diligently.
Alpesh's hint would be really helpful in terms of implementing this requirement.
Thanks
Qalid

Similar Messages

  • Fix Business Role / Technical Role assignment in Pending or Failed status

    Hi,
    We are facing issues with a few users where the business role assignment or technical role assignment is going into Pending or Failed status.
    None of the jobs are failing or throwing any error related with the changes.
    We are running IdM 7.2 version with SP8.
    Is there a way to fix this issue other than removing and reassigning or recreating ID.
    Regards,
    Manish

    Hi Manish,
    If a technical role (priv) is in failed status, please check Tero's reply in the post below. You can set up a periodic job to read users and privs in failed status and use the uRetryPrivilegeAdd() function to retry the assignment.
    Failed AD privileges
    I was able to find a document on how to set up the periodic job.
    Retry failed assignments (Privilege)
    You should try searching the forum and wiki for answers. Most of the issues are addressed by our community experts already. Thanks.
    Kind regards,
    Jai
    Message was edited by: Jai Suryan

  • Common technical roles in different business roles in BRM & ARM

    Hi Gurus ,
    Some help please .
    We have the following situation with BRM & ARM role provisioning .
    In BRM we have for example two business roles setup (B1 & B2). We have in these two business roles a common technical role .
    E.g. B1 (has role T1 ,T2 )  , while B2 (has roles T1 & T3) .
    in our example an user already has role B1 (with T1 & T2) assigned. The user then needs access to role B2 as well .
    Since role T1 is common to both business roles, when a user makes a request, ARM sends them a notification saying that a duplicate role exists within the request (which they have to remove before continuing). This is confusing some users.
    My question is as follows. Is there a way for the user to process the request without having the warning displayed & without having the duplicate technical role assigned?
    So essentially , they will get access to business role B1 & B2 (but technical role T1 will not be assigned twice) ?
    Your help is greatly appreciated .
    Regards,
    AJ

    Hi AJ,
    Could you share the notification message that ARM generates? And what about the role T1 assignment?
    Is it assigned two times in the user profile?
    Thanks,
    Mamoon
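    The two threads above (the original CUP question about an "AP Clerk" business role expanding to ECC and BI technical roles, and AJ's question about T1 being common to B1 and B2) describe the same resolution step: expand business roles into the distinct technical roles they imply, then compute only the net change against what the user already holds. The following is an added example, not code from CUP, BRM/ARM or any of the posters; the catalogue, the "AP Clerk" role names and the system IDs are constructed for illustration, while B1/B2/T1/T2/T3 are the names from AJ's post.

```javascript
// Added example: business-role expansion with de-duplication and a net
// provisioning delta. The catalogue is constructed; "Z_AP_*" names and the
// system IDs are assumptions, B1/B2/T1/T2/T3 come from the thread above.
const BUSINESS_ROLES = {
  "AP Clerk": [
    { system: "ECC", role: "Z_AP_INVOICE_ENTRY" },
    { system: "ECC", role: "Z_AP_PAYMENT_RUN" },
    { system: "ECC", role: "Z_AP_DISPLAY" },
    { system: "BI",  role: "Z_BI_AP_REPORTING" },
  ],
  B1: [{ system: "ECC", role: "T1" }, { system: "ECC", role: "T2" }],
  B2: [{ system: "ECC", role: "T1" }, { system: "ECC", role: "T3" }],
};

// A technical role is identified by system + role name, never by name alone,
// because the same PFCG role name can exist in several managed systems.
function key(assignment) {
  return assignment.system + ":" + assignment.role;
}

// Expand business roles to the distinct technical roles they imply. A technical
// role shared by two business roles (T1 in B1 and B2) appears once.
function expandBusinessRoles(names) {
  const seen = new Map();
  for (const name of names) {
    const techRoles = BUSINESS_ROLES[name];
    if (!techRoles) throw new Error("unknown business role: " + name);
    for (const t of techRoles) {
      if (!seen.has(key(t))) seen.set(key(t), t);
    }
  }
  return Array.from(seen.values());
}

// Given the technical roles a user already holds and the business roles now
// requested, return only what still has to be provisioned, grouped by system.
// A user holding B1 (T1, T2) who requests B2 gets T3 only: T1 is neither
// flagged as a duplicate nor assigned twice.
function planProvisioning(currentTechRoles, requestedBusinessRoles) {
  const have = new Set(currentTechRoles.map(key));
  const toAdd = expandBusinessRoles(requestedBusinessRoles)
    .filter((t) => !have.has(key(t)));
  const bySystem = {};
  for (const t of toAdd) {
    (bySystem[t.system] = bySystem[t.system] || []).push(t.role);
  }
  for (const system of Object.keys(bySystem)) bySystem[system].sort();
  return bySystem;
}

// Stand-alone usage: an existing B1 holder requests B2.
console.log(JSON.stringify(planProvisioning(
  [{ system: "ECC", role: "T1" }, { system: "ECC", role: "T2" }], ["B2"])));
```

    The delta is computed per system, so the same role name in ECC and BI is treated as two different assignments; that is the distinction CUP's system/role pairs (and SU01's system column) make, and it is what keeps the "duplicate role" warning from firing on a role that is only shared logically.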

  • SAP Technical roles and IDM Business roles mapping

    Hi Guys
    Just wondering if there is an easy way to export SAP Positions and create them automatically as Business Roles in IDM, and the SAP technical roles that are related to the corresponding position as privileges assigned to that Business Role. Or am I going about this the wrong way? What do you normally do in terms of getting all your SAP technical roles from the SAP system and assigning them to business roles in IDM? Any help on this is much appreciated.
    Cheers
    Leo

    Thanks Matt,
    I think I get the picture now.
    One thing that I am still not sure about is how the SAP ABAP technical roles or profiles are provisioned through workflow.
    Here is what I've done so far:
    1. HCM data loaded into productive identity store via vds
    2. Did an initial load of the abap system into the productive identity store (now the technical roles and profiles are loaded as privileges in the idstore)
    3. Through workflow I select a user that already has an abap account and assign that user some additional sap technical roles, for e.g. sap_all and sap_new. The corresponding privileges for these roles are namely PRIV:PROFILE:ECX:SAP_ALL and PRIV:PROFILE:ECX:SAP_NEW .
    4. For the provisioning to occur so that these new privileges are reflected in the ABAP system for this user, I have used the setABAPRole&ProfileForUser task from the SAP provisioning framework folder and set it as the add/mod/del event task for the MXREF_MX_PRIVILEGE attribute. That way whenever a privilege is added to a user account the setABAPRole&ProfileForUser task will run and the sap_all and sap_new profiles will be added in the backend. This way I can avoid setting a provisioning task for each ABAP privilege that gets loaded.
    But it should be obvious now that there is a flaw with this kind of setup, because all non-ABAP privileges that get added or removed will trigger the setABAPRole&ProfileForUser task anyway, because the privileges use the same attribute, i.e. MXREF_MX_PRIVILEGE. So it brings me to the question: how do you provision ABAP technical roles or profiles through workflow without setting a provisioning task for each ABAP-related privilege?
    Thanks again for all your help!
    Leo
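    The flaw Leo describes in step 4 is that the event task is keyed on the attribute (MXREF_MX_PRIVILEGE), not on which privilege changed, so an AD or portal privilege fires the ABAP task too. The usual remedy is to decide per privilege, from its name, whether the ABAP task applies. The following is an added example of that routing decision in plain JavaScript, not code from SAP IdM or its provisioning framework and not the poster's own: it assumes the PRIV:TYPE:REPOSITORY:NAME layout visible in PRIV:PROFILE:ECX:SAP_ALL, and the repository list, the ROLE privilege type and the non-ABAP sample names are constructed for the example.

```javascript
// Added example: route MXREF_MX_PRIVILEGE changes to the ABAP task only for
// privileges that belong to an ABAP repository. The naming layout follows
// PRIV:PROFILE:ECX:SAP_ALL from the post; the repository set and the ROLE
// type are assumptions for the example, as are the non-ABAP sample names.
const ABAP_REPOSITORIES = new Set(["ECX"]);           // assumed ABAP repository IDs
const ABAP_PRIVILEGE_TYPES = new Set(["ROLE", "PROFILE"]);
const ABAP_TASK = "setABAPRole&ProfileForUser";      // task name from the post

// Split PRIV:<TYPE>:<REPOSITORY>:<NAME>. The object name may itself contain
// colons, so only the first three fields are split off.
function parsePrivilege(name) {
  const m = /^PRIV:([^:]+):([^:]+):(.+)$/.exec(name);
  if (!m) return null;
  return { type: m[1], repository: m[2], object: m[3] };
}

// Decide which task, if any, one privilege change should trigger. Anything
// that is not an ABAP role/profile returns null and must not run the ABAP task.
function routePrivilegeEvent(privilegeName, operation) {
  if (!["add", "mod", "del"].includes(operation)) {
    throw new Error("unknown operation: " + operation);
  }
  const p = parsePrivilege(privilegeName);
  if (!p) return null;                                 // malformed: do nothing
  const isAbap = ABAP_REPOSITORIES.has(p.repository) &&
                 ABAP_PRIVILEGE_TYPES.has(p.type);
  if (!isAbap) return null;
  return { task: ABAP_TASK, repository: p.repository, type: p.type,
           object: p.object, operation };
}

// Collapse a batch of attribute changes into the tasks that actually need to run.
function planTasks(changes) {
  return changes
    .map((c) => routePrivilegeEvent(c.privilege, c.operation))
    .filter((t) => t !== null);
}

// Stand-alone usage over a constructed batch: two ABAP profiles and one
// non-ABAP privilege (assumed name) that must be ignored by the ABAP task.
console.log(JSON.stringify(planTasks([
  { privilege: "PRIV:PROFILE:ECX:SAP_ALL", operation: "add" },
  { privilege: "PRIV:PROFILE:ECX:SAP_NEW", operation: "add" },
  { privilege: "PRIV:GROUP:ADX:Finance_Users", operation: "add" },
])));
```

    Keying the decision on the repository segment of the name rather than on the attribute means a single event task can stay attached to MXREF_MX_PRIVILEGE while each privilege still only reaches the connector that owns it; a privilege whose name does not parse is dropped rather than provisioned.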

  • Business Roles & Technical Roles

    Colleagues,
    With the whole process of creating Business Roles for the implementation of IdM we got to thinking and started looking for a best practice when it comes to creating and managing business roles as well as technical (SAP, ABAP) roles.
    Anyone have any good documentation in this regard?
    Thx in advance,
    Jonathan

    Hey Sandeep,
    It's a good document but not exactly what I was looking for.
    Concerning the Business Roles I was looking for more of a functional (business) view point on the whole business role thing. Something I could use from a technical standpoint to help my customer in the business role creation process.
    Concerning the Technical Roles (ABAP authorisations): we have the situation here at the moment that we're dealing with 14 years of role creation in the SAP systems with no guidelines whatsoever. So to put it gently: it's a mess. And I was wondering if there was any best practice document out there describing the "best practice" of creating technical roles, handling authorisations in SAP etc.
    I realise that the second question doesn't quite fit in this forum but I'm guessing here would be the closest match for the question.
    Thx.

  • GRC 10 - Business role, no role owner but associated role have owner....

    Dear All,
    In GRC 5.3 we perform the following mapping:
    Business Role A mapped with (no owner)
    - Technical Role 1 (from ECC with Owner1)
    - Technical Role 2 (from CRM with Owner2)
    - Technical Role 3 (from HR with Owner3)
    In GRC 5.3 we have a business role mapped with multiple child roles (technical roles) from other systems.
    GRC 5.3 request is able to close and provisioned as it can see owners from child role.
    Now in GRC 10, we did the same. Create a business role, then mapped the child role (technical role). Unfortunately, when manager approves the workflow reroute to "NO OWNER DETOUR PATH" because it cannot see the technical role owner.
    Seems like GRC 10 is only looking at business role owner. We are unable to add Owner1, Owner2, Owner3 to the business role because when one of the owner approves, it will provision all the technical roles. We might have owners who will reject their role.
    Please advise.
    Jacky

    Hi Mustafa,
    you can use end user personalization to avoid a role owner to approve roles for himself. Define a dedicated EUP for role owner stage and restrict via "Approve/Reject Own Requests" like shown below:
    Does this answer your question?
    Regards,
    Alessandro

  • Role Mapping For Portal Role Assignment and ABAP Role Assignment

    Summary:
    - Under the GRC configuration of Roles> Role Mapping we are trying to utilize the  role mapping feature in GRC for associating a dependent role to a main role.
    - We want to use this role mapping feature for the purposes of adding an Enterprise Portal role for every ABAP role that gets approved for the user in an ABAP component system (i.e. ECC, BW, CRM etc). We will have a 1:1 mapping of Enterprise Portal role to ABAP role defined in the role mapping section in GRC.
    - We want to set up the workflow in such a way that the main role (ABAP role) is the only role that needs to be approved. The dependent role (Enterprise Portal role) should be added or not added based on the approval or denial of the main role (ABAP role). In other words if the role owner for the abap role approves the abap role, then both the abap and EP role will be provisioned by GRC and if the role owner rejects/denies the role, then neither the abap or EP role will be provisioned by GRC.
    Problem Description:
    Our Scenarios we tested:
    Scenario 1:
    Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
    Dependent Role:  Attached to Initiator B & workflow B (routes to auto approval or no approval)
    *Problem with the Scenario 1 setup above: the dependent role will always get approved & provisioned regardless of the approval or denial of the main role.
    Scenario 2:
    Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
    Dependent Role:  Attached to Initiator A & workflow A(routes to single approver (same as main approver) based on role)
    *Problem with the Scenario 2 setup above: the dependent role will always also need to get approved by the same approver as the main role, and it opens the possibility that the approver may accidentally approve the main role and deny the dependent role, which is not the ideal setup as we inherit the risk of human error.
    Questions:
    1. Does the dependent role need to be defined in an initiator at all since it will never directly be requested directly?
    2.  If the dependent role does need to be in the initiator file, please describe how to properly set up the initiator and workflow stage & path so that we can maintain the desired relationship with the main role approval dependency (if the role owner for the main role approves the main role, then both the main role and dependent role will be provisioned by GRC, and if the role owner rejects/denies the main role, then neither the main role nor the dependent role will be provisioned by GRC).
    Edited by: Rene Griffith on Feb 26, 2010 10:22 PM

    I tested this set up.
    1.  Defined ABAP role as Main role
    2.  Defined Non-ABAP role as dependent role
    3. ABAP role  is set up in initiator requiring business approval.
    4.  Non-ABAP role is set up in initiator with no approval required.
    Results Where Business Approver approves the ABAP Role
    1. Only the ABAP role is displayed in approver view which is desirable.
    2.  ABAP role is approved and Non-ABAP role and ABAP role is provisioned.
    Results Where Business Approver rejects the ABAP Role
    1. Only the ABAP role is displayed in approver view which is desirable.
    2.  ABAP role is rejected but  Non-ABAP role is provisioned which is not what we want.  We want the Non-ABAP role not to provision if the ABAP role is rejected by the business approval.
    Thanks again for your help.
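    The rule Rene wants GRC's role mapping to enforce (dependent EP role follows the approval decision on its main ABAP role, in both directions) is easy to state and, as the test results above show, not what the initiator/workflow combination delivered. The following is an added example of that rule as a resolution function, not GRC's own logic and not the poster's code; the main-to-dependent mapping and the role names are constructed, and it also covers the case the thread does not test, two main roles sharing one dependent role with only one of them approved.

```javascript
// Added example: derive the provisioning set from approval decisions on main
// roles when dependent roles come from a role mapping. The mapping and the
// role names are constructed for illustration; the third entry deliberately
// makes two main roles share one portal role.
const ROLE_MAPPING = {
  Z_ECC_AP_CLERK:    "EP_AP_CLERK",
  Z_BW_AP_REPORTS:   "EP_AP_REPORTS",
  Z_ECC_AP_APPROVER: "EP_AP_CLERK",   // assumed: shares the portal role above
};
const DEPENDENT_ROLES = new Set(Object.values(ROLE_MAPPING));

// Question 1 in the thread: a dependent role should never be requested directly.
// Return the offending roles so the request can be rejected before approval.
function validateRequest(requestedRoles) {
  return requestedRoles.filter((r) => DEPENDENT_ROLES.has(r)).sort();
}

// decisions: { mainRole: "APPROVED" | "REJECTED" }
// Main role approved  -> main and dependent are provisioned.
// Main role rejected  -> neither is provisioned.
// A dependent shared by several main roles is provisioned once if any of its
// main roles is approved, and skipped only if all of them are rejected.
function resolveProvisioning(decisions) {
  const provision = new Set();
  const skip = new Set();
  for (const [mainRole, decision] of Object.entries(decisions)) {
    if (!(mainRole in ROLE_MAPPING)) throw new Error("unmapped main role: " + mainRole);
    const dependent = ROLE_MAPPING[mainRole];
    if (decision === "APPROVED") {
      provision.add(mainRole);
      provision.add(dependent);
    } else if (decision === "REJECTED") {
      skip.add(mainRole);
      skip.add(dependent);
    } else {
      throw new Error("unknown decision for " + mainRole + ": " + decision);
    }
  }
  for (const r of provision) skip.delete(r);   // any approval wins for a shared dependent
  return { provision: [...provision].sort(), skip: [...skip].sort() };
}

// Stand-alone usage: one approval, one rejection, shared portal role.
console.log(JSON.stringify(resolveProvisioning({
  Z_ECC_AP_CLERK: "REJECTED",
  Z_ECC_AP_APPROVER: "APPROVED",
})));
```

    Because the decision is taken on the main role alone, the dependent role never appears in an approver's view and cannot be approved or denied on its own, which removes the human-error path of Scenario 2 as well as the always-provisioned outcome of Scenario 1.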

  • What's the role of a Technical Consultant (ABAPer) in BPC/OutlookSoft?

    Experts,
    1) What's the role of a Technical Consultant (ABAPer) in BPC/OutlookSoft?
    2) Do ABAPers perform the Conversions/Transformations/Mappings etc?
    3) Are the data imports and exports done by ABAPers?
    NW

    >
    NW wrote:
    > Experts,
    >
    > 1) What's the role of a Technical Consultant (ABAPer) in BPC/OutlookSoft?
    > 2) Do ABAPers perform the Conversions/Transformations/Mappings etc?
    > 3) Are the data imports and exports done by ABAPers?
    >
    > NW
    Some of the planning functions require script writing or coding. An ABAPer is helpful in creating such code.
    In our scenario, ABAPers created the conversion/ transformation as per mapping prepared by the Functional Consultant.
    The functional / business users do upload and download of data (imports and exports) wherever required.

  • Role of BI Technical Consultant ?

    Hi Experts,
                     I am a newbie to SAP BW. I have a doubt regarding the roles of Bw Technical and BW functional consultant. I want to know what will be the exact roles of a BW technical and BW functional consultants in a BW project. That is what kind of work they need to do generally in a project?
    Points will be rewarded for helpful answers.
    Regards,
    Ravi

    Hi Ravi,
    In general, Functional means deriving the functional specification from the business requirement document. This job is normally done either by the business analyst or the system analyst, who has a very good knowledge of the business. In some large organizations there will be a business analyst as well as a system analyst.
    Any business requirement or need for new reports or queries originates with the business user. This requirement will be recorded after discussion by the business analyst. A system analyst analyses these requirements and generates the functional specification document. In the case of BW it could also be called the logical design in DATA MODELING.
    After review this logical design will be translated to a physical design. This process defines all the required dimensions, key figures, master data, etc.
    Once this process is approved and signed off by the requester (users), then comes the conversion of this into practically usable tasks using the SAP BW software. This is called Technical. The whole process of creating an InfoProvider, InfoObjects, InfoSources, Source system, etc. falls under the Technical domain.
    Regards
    sriram

  • Role of a technical consultant

    Hi,
    What are the roles and responsibilities of a technical consultant in a upgradation project(in R12 upgradation)


  • Logical System for Role Integration Server

    Dear all,
    I need your help to clear up my confusion. From the ID I had assigned a business system defined with the role Integration Server, but when I check Adapter-Specific Identifiers, nothing shows in Logical System. I already defined the logical system in the SLD, but I'm not sure whether in the case of the role Integration Server it will show the logical system the same as for the role Application System or not, because the other one with the role Application System is fine.
    Thanks and Regards
    Park

    Hi Park,
       I could not clearly understand your question, but I think you want to know the roles of the Integration Server and Application System. I would like to share something on their difference. Hope this will clarify it for you.
    A business system can be configured as an Integration server or Application system:
      Integration Server
    The Integration Server executes only the integration logic available in the Integration Builder. These can also be identified as pipeline steps. It receives the XML message, determines the receiver, executes the mappings, and routes the XML message to the corresponding receiver systems. An Integration Engine configured this way is identified as the central configured Integration Engine.
    Note: Only one client of SAP system can be configured as Integration Server.
       Application system
    The Application system will not execute the integration logic. It in turn calls the integration server to execute the integration logic if required. It acts as sender or receiver of XML messages. So, the Application system with a local Integration Engine requires the Integration server to execute the integration logic
    Thanks,
    Ram.

  • CUA with HR-Org - How to assign systems for role

    Dear all,
    we are planning to use CUA with HR-Org assignment. Can please anyone explain to me how or where the system for the role comes from.
    I mean, normally in SU01 -> Role Assignment I have in the first column the system and in the second column the role. If the role assignment comes from HR-ORG there is always the local logical system in the system column. This is not what we want.
    CUA is on Solution Manager, HR-ORG is replicated from the R/3 HR system and the user needs the roles in the ECC production system.
    So how can we manage the system/role combination assignment?
    Thanks for any hints.
    Best regards
    Roman

    Hi,
    If I understand your problem you want to do role assignment from the HR-Org structure on a system that is using CUA.
    I have only managed this successfully when the CUA master is also the system with the HR-Org structure on it. Otherwise you have lots of issues with replicating data between systems. I did this for a UK council's SAP solution where we allocated all the roles from the HR system, including roles on ECC, SRM(EBP), CRM and BI - so it does work.
    PO13 on the system with the org. structure will only allow you to allocate a role that exists on that system, but if the roles that you are allocating are composite roles that include single roles on other systems, you can achieve this sort of business role allocation without having to go the IdM route.
    Darren Hague (no relation) gave a presentation at SAP Tech Ed 07 on such a scenario, that explains how the composites would be set up far better than I can, but in essence you use the CUA connectivity and the rights of the CUA master system (which includes the org. structure) to allocate roles on other systems / clients in your CUA landscape.
    Have a search through SAP Tech Ed 07 presentations and you should find what you are looking for.

  • Business Role - Link to PFCG role

    Dear all,
    When I create a new business role in CRM there is a field called PFCG role ID in which you must provide a PFCG role.
    What is the functionality of this PFCG role in relation to the Business Role?
    When I look into standard SAP business roles and their associated standard SAP PFCG roles I see a lot of "external services"/views. Is it possible to create such a role from scratch myself?
    Is there some documentation available that explain this relationship between the PFCG role and the business role.
    Thank you in advance,

    Dear Ivan,
    To start with, Business Partner Roles and PFCG roles are different, though you have an integration in that one business partner cannot view the data of another business partner because of the roles that are maintained in PFCG.
    Let's say you have two customers (BP Role Customer). One customer cannot view the data of the other customer because of the role that is assigned to his user ID in SU01. You create the roles in PFCG.
    CRM Business Partner Roles:
    http://help.sap.com/saphelp_glossary/en/dc/926ecf5e1cd511bcbe0800060d9c68/content.htm
    Rights and responsibilities that a business partner can have in various business transactions.
    The assignment of a BP view determines the relevant data sets, so that only a particular part of the BP master data is displayed, depending on the business transaction in question.
    http://www.crmexpertonline.com/archive/Volume_03_(2007)/Issue_04_(May)/v3i4a4.cfm?session=
    Each business partner role contains a predefined set of functions based on the business partner’s relationship to your company. For example, you could have business partner roles such as employee or vendor. The business partner roles determine the fields you have available in the SAP CRM system for the business partner. Business partner role categories sort business partner roles into groups, such as person or company.
    PFCG Roles:
    http://help.sap.com/saphelp_nw2004s/helpdata/en/52/671285439b11d1896f0000e8322d00/content.htm
    The SAP authorization concept protects transactions, programs, and services in SAP systems from unauthorized access. On the basis of the authorization concept, the administrator assigns authorizations to the users that determine which actions a user can execute in the SAP System, after he or she has logged on to the system and authenticated himself or herself.
    To access business objects or execute SAP transactions, a user requires corresponding authorizations, as business objects or transactions are protected by authorization objects. The authorizations represent instances of generic authorization objects and are defined depending on the activity and responsibilities of the employee. The authorizations are combined in an authorization profile that is associated with a role. The user administrators then assign the corresponding roles using the user master record, so that the user can use the appropriate transactions for his or her tasks.
    Hope this will help.
    Regards,
    Naveen.

  • Do we have to have system admin role for pdk???!!!

    Hi ,
    PDK is meant for Java developers, and we have a requirement where developers will not be given the system admin role, but just the Java developer role that comes with PDK (to deploy, download PAR applications).
    i was going through the weblog
    and in that it is mentioned ·
    "To ensure that you have the correct permissions to run all the applications in the business package, you must be assigned to the following portal roles:
    Role ID     Description
    pcd:portal_content/administrator/super_admin/super_admin_role     Super Administration
    pcd:portal_content/com.sap.pct/administrator/super_admin/com.sap.portal.super_admin_role     Super Administration "
    if the pdk has to have system admin role, then there is no meaning that it comes with java developer role .
    can anyone tell me if i understood it a wrong way .
    please help
    Thanks,
    Lakshmi.

    Hi Lakshmi,
    The Java developer role only comes with Component manager and Component Inspector and some plugins for IDE.
    To work just with PDK a Java Developer role is fine, but once the PAR is deployed, a developer has to log in and create the iView from that PAR. For this he needs a Content Admin role.
    I have gone through the link mentioned by you and it says you need to have the super admin role, every user, content admin role for all the iViews to work correctly, which is true this way.
    If your iView is talking to the backend system you need access to the backend, and to create a System object you need a System Admin role.
    So, along with the Java developer role, a developer has to have the Content Admin and System Admin roles.
    Hope this helps.

  • Business Partner: Maintain addresses per role

    Hi Gurus
    We have a customer in the banking sector that needs to maintain multiple addresses per BP and role. What we see in the system is managing multiple addresses per BP.
    The requirement is the following data model:
    BP ->> roles ->> addresses.
    Please advise how to meet this requirement.
    Regards,
    Benni Perzy

    Hi Benni,
    In the standard, this is not possible.
    Address is a part of the Central Business partner  data sets- and is totally independent of role.
    In fact, role and address are different datasets that have a 1:n cardinality with the BP.
    You would need to make a modification to realise this.
    Option 1 :
    Use the Address Usage concept.
    Create a new address type in TB009, e.g. correspondence address. Now, to ensure that this address type is only linked to this role, hide this address type for all other roles (using code modification).
    So only your special role can maintain and see correspondence addresses.
    Option 2 :
    Create a new relationship category. Suppose you want the BP to have multiple role-dependent addresses: maintain these addresses for a master BP, and derive these addresses for other BPs using the Assign Address function.
    E.g.: Suppose I want to see 10 addresses only in role Employee. I maintain an Employee relationship with an organization, maintain 10 addresses for the org, and then derive the addresses for the BP from the organization addresses through the Employee relationship. You can make the role a prerequisite for the relationship, so the link is like this:
    BP1> Role>Relationship->BP2-->Addresses
    You would ultimately need to do something different to realize this requirement since this is not supported in the standard!
    I hope this helps you.
    Cheers,
    Rishu.
