Business Roles & Technical Roles

Colleagues,
With the whole process of creating Business Roles for the implementation of IdM we got to thinking and started looking for a best practice when it comes to creating and managing business roles as well as technical (SAP, ABAP) roles.
Anyone have any good documentation in this regard?
Thx in advance,
Jonathan

Hey Sandeep,
It's a good document but not exactly what I was looking for.
Concerning the Business Roles I was looking for more of a functional (business) view point on the whole business role thing. Something I could use from a technical standpoint to help my customer in the business role creation process.
Concerning the Technical Roles (ABAP authorisations). We have the situation here at the moment that we're dealing with 14 years of role creation in the SAP systems with no guidelines whatsoever. So to put it gently: it's a mess. And I was wondering if there was any best practice document out there describing the "best practice" of creating technical roles, handling authorisations in SAP etc.
I realise that the second question doesn't quite fit in this forum but I'm guessing here would be the closest match for the question.
Thx.

Similar Messages

  • Technical names in Business Role selection screen

    Hello,
    When I log on to the WebUI I get the selection screen for the Business Roles (correct because I'm assigned to multiple).
    But in the selection screen the Technical Names of the Business Roles are shown too and I don't want to show these to the users.
    So does anybody know how we can disable showing the technical names in the business role selection screen?
    Can it be done in BSP crm_ui_start > Page Fragments > selectBusinessRole.htm Selection of Business Role? If so, what do I have to change?
    Thnx!
    Regards,
    Joost

    Hi Joost,
    This technical information is the tooltip that is coming from the following line.
    crm_ui_start > Page Fragments > selectBusinessRole.htm
    at line no 29
          tooltip="<%= profile_detail %>"
    If you can remove this line then technical information, that comes up when you do mouse over the role description, wouldn't come.
    Regards
    Ajay

  • SAP Technical roles and IDM Business roles mapping

    Hi Guys
    Just wondering if there is an easy way to export SAP Positions and create them automatically as Business Roles in IDM and the SAP technical roles that are related to that corresponding position into privileges assigned to that Business Role. Or am I going about this the wrong way? What do you normally do in terms of getting all your SAP technical roles from the SAP system and assigning them to business roles in IDM? Any help on this is much appreciated.
    Cheers
    Leo

    Thanks Matt,
    I think I get the picture now.
    One thing that I am still not sure about is how the SAP ABAP technical roles or profiles are provisioned through workflow.
    Here is what I've done so far:
    1. HCM data loaded into productive identity store via vds
    2. Did an initial load of the abap system into the productive identity store (now the technical roles and profiles are loaded as privileges in the idstore)
    3. Through workflow I select a user that already has an abap account and assign that user some additional sap technical roles, for e.g. sap_all and sap_new. The corresponding privileges for these roles are namely PRIV:PROFILE:ECX:SAP_ALL and PRIV:PROFILE:ECX:SAP_NEW .
    4. For the provisioning to occur so that these new privileges are reflected in the ABAP system for this user, I have used the setABAPRole&ProfileForUser task from the SAP provisioning framework folder and set it as the add/mod/del event task for the MXREF_MX_PRIVILEGE attribute. That way whenever a privilege is added to a user account the setABAPRole&ProfileForUser task will run and the sap_all and sap_new profiles will be added in the backend. This way I can avoid setting a provisioning task for each ABAP privilege that gets loaded.
    But it should be obvious now that there is a flaw with this kind of setup, because all non-ABAP privileges that get added or removed will trigger the setABAPRole&ProfileForUser task anyway because the privileges use the same attribute, i.e. MXREF_MX_PRIVILEGE. So it brings me to the question: how do you provision ABAP technical roles or profiles through workflow without setting a provisioning task for each ABAP-related privilege?
    Thanks again for all your help!
    Leo
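
The flaw described in the post above, sketched as an added example that is not part of the original post and not SAP IdM code: one handler on the shared privilege attribute parses each privilege name, skips non-ABAP ones, and batches the rest into one call per user and repository. The `ROLE` type, the event shape, and every name other than the two `ECX` profiles quoted in the post are assumptions.

```javascript
// Added example (not SAP IdM code). Privilege names follow the
// PRIV:<TYPE>:<REPOSITORY>:<NAME> form of the two names in the post.
const ABAP_TYPES = new Set(["ROLE", "PROFILE"]); // "ROLE" is an assumption
const ABAP_REPOSITORIES = new Set(["ECX"]);      // repository named in the post

// Split a privilege name into its parts; return null if it is malformed.
function parsePrivilege(name) {
  const parts = String(name).split(":");
  if (parts.length < 4 || parts[0] !== "PRIV" || parts.some((p) => p === "")) {
    return null;
  }
  const [, type, repository, ...rest] = parts;
  return { type, repository, name: rest.join(":") };
}

// Decide from the name alone whether the ABAP task should handle it.
function isAbapPrivilege(name) {
  const p = parsePrivilege(name);
  return p !== null && ABAP_TYPES.has(p.type) && ABAP_REPOSITORIES.has(p.repository);
}

// Turn a stream of add/del events on the shared privilege attribute into
// one provisioning call per user and repository; list what was skipped.
function planAbapProvisioning(events) {
  const calls = new Map();
  const skipped = [];
  for (const ev of events) {
    if (!isAbapPrivilege(ev.privilege)) {
      skipped.push(ev.privilege);
      continue;
    }
    const p = parsePrivilege(ev.privilege);
    const key = `${ev.user}@${p.repository}`;
    if (!calls.has(key)) {
      calls.set(key, { user: ev.user, repository: p.repository, add: [], remove: [] });
    }
    const bucket = ev.op === "del" ? "remove" : "add";
    calls.get(key)[bucket].push(`${p.type}:${p.name}`);
  }
  return { calls: [...calls.values()], skipped };
}

// Constructed sample events; only the two SAP_* profile names come from the post.
const SAMPLE_PRIVILEGE_EVENTS = [
  { user: "JDOE", op: "add", privilege: "PRIV:PROFILE:ECX:SAP_ALL" },
  { user: "JDOE", op: "add", privilege: "PRIV:PROFILE:ECX:SAP_NEW" },
  { user: "JDOE", op: "add", privilege: "PRIV:GROUP:AD1:Finance" },
  { user: "JDOE", op: "del", privilege: "PRIV:ROLE:ECX:Z_AP_CLERK" },
  { user: "JDOE", op: "add", privilege: "PRIV:BROKEN" },
];

console.log(JSON.stringify(planAbapProvisioning(SAMPLE_PRIVILEGE_EVENTS), null, 2));
```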

  • Business role for technical users

    Hi,
    Does SAP deliver a CRM 7.0 business role for technical/consultant users? I need to get access to the configuration mode in the webclient where I can change and add new fields. Can anybody help me?
    Thanks,
    regards Camilla

    Hi Camilla
    Check Best Practice Guide C04.
    Create the Power User role as instructed in the document.
    This will enable you to complete configuration tasks.
    Regards
    Arden

  • Business Role, Technical Profile, Application, Start Page in UI for service

    Hi CRM 2007 gurus,
    I have made all the settings in accordance with C04 to use the UI for the services role (copy of business role SERVICEPRO). Created the relevant PFCG role and a position in the org model; with a user and the business role assigned to the position. But I am getting an empty page on login.
    Then I changed the technical profile from DEFAULT to DEFAULT_IC; then it started giving an error "Permission denied".
    I then changed the start application to CRM_UI_FRAME and the start page to DEFAULT.HTM; then Internet Explorer started exiting on its own after the login.
    Can someone pls tell me what is amiss. Do I need to include some specific application and page as the "Startup Application" and "Start Page" in the technical profile (these are currently blank for the technical profile DEFAULT attached to the concerned business role).
    Points to be won; kindly help asap.
    Regards,
    DP

    Hi Deepak,
    few cents that might help:
    - Your problem is definitely not related to authorization issues. (easily derived by the nature of the error message and the point where it occurs (CL_BSP_WD_STREAM_LOADER))
    - The error message you received is being raised when CRM UI runtime tries to load a runtime repository. In case a runtime repository of a component has dynamic parts (e.g. the shell part itself), the repository is being loaded by the system via HTTP or HTTPS, depending on system settings. This results in the system sending a HTTP(S) request to itself.
    Now, there are two likely reasons for this going wrong:
    a) the system cannot "see" itself on the network (hosts problem, reverse proxy scenarios, etc.)
    b) the runtime repository doesn't exist at all (resource doesn't exist). This sometimes happens if component enhancements are active in a client (customizing settings) but the respective enhancement component (development objects) hasn't made it into the system.
    c) In your case we can rule out this one: the SICF service for the UI component is not active - in that case the response would likely have been something like "Access forbidden" and you confirmed already all SICF services being active
    To get more clarity, you might want to proceed as follows:
    - Set a breakpoint in the line mentioned in the error message. You can access the source code of the relevant method using SE38 even though the include name looks pretty scary in the message (CL_BSP_WD_STREAM_LOADER=======CM02 or so).
    - In the debugger, check the name of the URL that had been tried to access (The variable should be available some lines above the breakpoint where the request gets sent).
    - Try to access the same URL directly from your browser.
    Now, if you still don't get a valid response, b) might be the case. If you get an XML file back, a) might be the case.
    Good luck!
    Peter

  • Fix Business Role / Technical Role assignment in Pending or Failed status

    Hi,
    We are facing issues with few users where Business role assignment or technical role assignment is going into Pending or failed status.
    None of the jobs are failing or throwing any error related with the changes.
    We are running IdM 7.2 version with SP8.
    Is there a way to fix this issue other than removing and reassigning or recreating ID.
    Regards,
    Manish

    Hi Manish,
    If technical role (priv) in failed status, please check Tero's reply in the below post. You can set a periodic job to read users and privs in failed status and use uRetryPrivilegeAdd() function to retry the assignment.
    Failed AD privileges
    I was able to find a document on how to set up the periodic job.
    Retry failed assignments (Privilege)
    You should try searching the forum and wiki for answers. Most of the issues are addressed by our community experts already. Thanks.
    Kind regards,
    Jai
    Message was edited by: Jai Suryan

  • Common technical roles in different business roles in BRM & ARM

    Hi Gurus,
    Some help please.
    We have the following situation with BRM & ARM role provisioning.
    In BRM we have for example two business roles set up (B1 & B2). We have in these two business roles a common technical role.
    E.g. B1 (has roles T1, T2), while B2 (has roles T1 & T3).
    In our example a user already has role B1 (with T1 & T2) assigned. The user then needs access to role B2 as well.
    Since role T1 is common to both business roles, when a user does a request, ARM then sends them a notification saying that a duplicate role exists within the request (which they have to remove before continuing). This is confusing some users.
    My question is as follows. Is there a way for the user to process the request without having the warning displayed & without having the duplicate technical role assigned?
    So essentially, they will get access to business roles B1 & B2 (but technical role T1 will not be assigned twice)?
    Your help is greatly appreciated .
    Regards,
    AJ

    Hi AJ,
    Could you share the notification message that ARM generates? And what about the role T1 assignment?
    Is it assigned two times in the user profile?
    Thanks,
    Mamoon

  • Business Role to System/Technical Role Mapping in CUP

    All,
    In our design of CUP we are having end-users log on and choose their "business role" and having CUP select the system/technical roles. For example, we want an AP Clerk to be able to log on and choose "AP Clerk" and have roles A, B & C from ECC selected and role D from BI.
    Is this type of design possible in CUP 5.3 or are we extending into IDM functionality (which we do not have)? Has anyone had experience with this type of design? What are your recommendations?
    Thank you,
    Grace Rae

    Grace,
    I assume you are looking for Job/Position roles but for SAP systems. Fortunately, CUP provides the flexibility to implement the RBAC concept for both SAP & non-SAP systems.
    In this case, the catch would be your blueprinting, which depends on various parameters like – how sound your authorization concept is in all the managed systems (R3, BI, non-SAP etc.), approval criteria, organizational operational view etc. The concern is that we may run into other issues of violations, risk analysis, approvals etc. if we don't plan diligently.
    Alpesh's hint would be really helpful in terms of implementing this requirement.
    Thanks
    Qalid

  • CRM 7.0 How to create Business role & generate

    Hi Team,
    Can you please give me a brief idea of the CRM 7.0 security guide?
    How is a Business role created? Is this part of functional activity?
    What is the role of technical colleagues (BASIS guys) in CRM 7.0 security?
    Please help me get some documentation regarding business role creation, generation, assignment & authorization checks in CRM 7.0.
    Thanks & Regards,
    Vyash Mishra

    Hello Viyash
    I will add the most important information for generation of business roles and assignment of authorizations to users.
    You must first create the PFCG roles. PFCG role is built based on the Business Role.
    Please see documentation in : SPRO
    SAP Implementation Guide =>  Customer Relationship Management
    UI Framework  > Business roles > Define Authorization Role
    Then the PFCG role can be assigned to the business role in 
    SAP Implementation Guide =>  Customer Relationship Management
    UI Framework  > Business roles > Define Business role
    Finally you must assign business roles to Organizations or positions in organizations in
    SAP Implementation Guide =>  Customer Relationship Management
    UI Framework  > Business roles > Define Organizational Assignment
    The users that are assigned to such organizations / positions will be therefore linked to the business role.
    With the previous steps the users will have the authorizations that are assigned to the PFCG profile that is linked to their business role.
    Business roles are the main way to configure authorizations for users in CRM but you have more options that give you flexibility. Each business role has one PFCG role assigned, but the relationship between business role and PFCG role is not strict. You can even assign a dummy PFCG role to a certain business role in business role customizing and then go to transaction PFCG and assign other PFCG role(s) to the users that are assigned to that business role.
    I would say that the previous tasks must be performed by the basis team but in cooperation with the functional team
    Best Regards
    Luis Rivera

  • Copied Business Role in Solution Manager ITSM

    Hi All
    This is eunhwa.
    I have a question regarding a copied business role in Solution Manager ITSM.
    To copy the business role, I copied the technical roles: Navigation profile, configuration key and PFCG Role ID. And then I copied a business Role. And assigned the copied technical roles to the copied business role.
    And I changed the Direct link group UI. For example, in the copied business role ZSOLMANPRO, there were many direct links; I only left ‘incident’ and ‘problem’.
    However, when I selected ‘incident’ in the direct link, there was no transaction ‘zmin’ assigned. I couldn’t create an incident.
    Why did this error happen? Is there anything I missed?
    Thanks.
    Best Regards,
    Eunhwa Park

    Hi,
    Well, there are multiple things you can check.
    1. If you are using IE
    You have to add the page/pop-up to the compatibility mode of your Browser.
    IE -> EXTRAS -> Settings for Compatibility Mode -> Add -> Refresh the CRM WEB UI
    2. Check if you have assigned SM-CREATE in the ZSOLMANPRO Navigation profile. (In Assigning the direct link groups to Nav. Bar profile.)
    3. Check whether you had authorizations for ZMIN in PFCG profile.
    4. Additionally check
    1905448 - How to restrict the suggested transaction codes when creating an ITSM Incident using CRM Web UI - Solution Manager
    5. In define transaction types corresponding transaction types are active. (In SPRO under solman ->Capabilities->ITSM-> Transactions)
    6. Check the copy control whether they are fine. (In SPRO under solman ->Capabilities->ITSM-> Transactions)
    7. Ensure that the transaction type's channel definition in customizing is set to 'CRM Web-Client UI'
    If your issue is still not resolved yet, please paste the error/screen you are getting.
    Regards
    Rishav

  • GRC 10 - Business role, no role owner but associated role have owner....

    Dear All,
    In GRC 5.3 we perform the following mapping:
    Business Role A mapped with (no owner)
    - Technical Role 1 (from ECC with Owner1)
    - Technical Role 2 (from CRM with Owner2)
    - Technical Role 3 (from HR with Owner3)
    In GRC 5.3 we have a business role mapped with multiple child roles (technical roles) from other systems.
    GRC 5.3 request is able to close and provisioned as it can see owners from child role.
    Now in GRC 10, we did the same. Create a business role, then mapped the child role (technical role). Unfortunately, when manager approves the workflow reroute to "NO OWNER DETOUR PATH" because it cannot see the technical role owner.
    Seems like GRC 10 is only looking at business role owner. We are unable to add Owner1, Owner2, Owner3 to the business role because when one of the owner approves, it will provision all the technical roles. We might have owners who will reject their role.
    Please advise.
    Jacky

    Hi Mustafa,
    you can use end user personalization to avoid a role owner to approve roles for himself. Define a dedicated EUP for role owner stage and restrict via "Approve/Reject Own Requests" like shown below:
    Does this answer your question?
    Regards,
    Alessandro

  • Business Role change made password deactivated or reset in ABAP systems.

    Hi,
    We recently changed a Business role by adding a technical role, but this change has deactivated or reset the password for assigned users who had a Productive password in the connected ABAP system.
    We have two type of users, one who access SAP Portal and ABAP with Single Sign on and second who login into Portal and ABAP with password.
    This BR change has impacted second type of users who had Productive password.
    Regards,
    Manish

    Hello Manish,
    you have marked the thread as "Assumed answered". Could you please share with the community the outcome of your OSS ticket with SAP, so that others can benefit, too? Then you can mark the post as answered. Right now the thread isn't really helpful to anyone (neither you nor the community).
    Also, if you answer Jai's questions, maybe we can help in solving your problem?
    Having several irons in the fire can't be bad, right?
    Regards,
    Steffi.

  • Business Role changes not being provisioned

    Guys (and girls),
    We're having the issue that whenever we change something in a business role in IdM 7.1 SP5, like adding or removing a technical role (SAP role), the change isn't provisioned to the system automatically, resulting in users not being updated.
    The workaround now is to change a business role and then remove it from a user and add it to that user again. Works ok when you're dealing with only a few users but I'm not looking forward to the day our basic role needs updating.
    Same thing goes for changing users telephone number or SNC name or the likes.
    I'm not sure if the two issues are related but am I missing an assignment of a task somewhere?
    Cheers,
    Jonathan

    Jonathan,
    I think so, but a pretty simple one to fix.
    I would do one of two things:
    1. Put a MODIFY task on MXREF_MX_ROLE or whatever attribute you're holding roles in.  Have this task do a role reconciliation.
    2. As a part of the workflow, have a role reconciliation execute.
    On the whole, I prefer the second option.  Don't like adding baggage onto the MXREF attributes.  Just keeps things running more efficiently.
    By role reconciliation, I mean executing the functions/tasks needed to reassert the roles on the user.  I think there's a built in scripting function to do this or you can automate the add/remove functionality you described in your message, holding the role MSKEYs in a temporary attribute.
    Matt
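
What a role reconciliation has to compute, as an added example that is not part of the original replies and not SAP IdM or GRC code. It also covers the shared technical role from the BRM thread further up (B1 = T1, T2; B2 = T1, T3): the expected set is derived from the business roles, so T1 appears once and survives the removal of one of its two parents. The function names, the `T4` role and the assumption that the target holds no directly assigned roles are hypothetical.

```javascript
// Added example (not SAP IdM or GRC code). B1, B2 and T1..T3 are the
// role names used in the BRM thread; everything else is hypothetical.
const ROLE_CATALOG = new Map([
  ["B1", ["T1", "T2"]],
  ["B2", ["T1", "T3"]],
]);

// Map each technical role to the business roles that grant it, so a
// role shared by several business roles appears only once.
function expectedTechnicalRoles(businessRoles, catalog = ROLE_CATALOG) {
  const grantedBy = new Map();
  for (const br of businessRoles) {
    if (!catalog.has(br)) throw new Error(`unknown business role: ${br}`);
    for (const tr of catalog.get(br)) {
      if (!grantedBy.has(tr)) grantedBy.set(tr, []);
      grantedBy.get(tr).push(br);
    }
  }
  return grantedBy;
}

// Compare what the business roles imply with what the target system
// reports. Assumption: the target holds no directly assigned roles,
// otherwise those would have to be excluded from "remove".
function reconcileUser(businessRoles, actualInTarget, catalog = ROLE_CATALOG) {
  const expected = expectedTechnicalRoles(businessRoles, catalog);
  const actual = new Set(actualInTarget);
  return {
    add: [...expected.keys()].filter((tr) => !actual.has(tr)).sort(),
    remove: [...actual].filter((tr) => !expected.has(tr)).sort(),
    shared: [...expected]
      .filter(([, brs]) => brs.length > 1)
      .map(([tr]) => tr)
      .sort(),
  };
}

// 1. User holds B1 (T1, T2 in the target) and requests B2: only T3 is new.
const onRequest = reconcileUser(["B1", "B2"], ["T1", "T2"]);
// 2. B1 is later withdrawn: T1 must stay because B2 still grants it.
const onWithdraw = reconcileUser(["B2"], ["T1", "T2", "T3"]);
// 3. The definition of B1 changes (T4 added, constructed): existing
//    holders need T4 even though their own assignment did not change.
const changedCatalog = new Map(ROLE_CATALOG).set("B1", ["T1", "T2", "T4"]);
const onRoleChange = reconcileUser(["B1"], ["T1", "T2"], changedCatalog);

console.log(JSON.stringify({ onRequest, onWithdraw, onRoleChange }, null, 2));
```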

  • SAP CRM 2007 Business role assignment

    Hi all,
    We are using CRM 2007. and we are trying to assign Business roles to users using the PFCG ROLE ID attribute.
    1- We create a PFCG role : "pfcgrole1"
    2- We create a Business Role "Businessrole1" and put PFCG Role id = "pfcgrole1"
    3- assign the user to the PFCG role "pfcgrole1"
    We have two cases :
    CASE 1:The user is assigned to a position in Org management but the position does not have any Business roles assigned.
    RESULT : The user logs in  to CRM, the user gets error message  "Logon is not possible because you have not been assigned a business role"
    CASE 2:The user is not assigned to any  position in Org management.
    RESULT : The user logs in to CRM, everything works fine
    my interpretation : org management has precedence over business role assignment using PFCG roles and blocks Business role assignment even if the position has no Business roles assigned
    Does anyone have any idea how to assign business roles using the PFCG Role ID even if the user is assigned to a position without any business roles?
    Thanks in advance.

    Please review these old threads first:
    Re: Reg: Business Role
    Assignment pfcg-role to user and assignment pfcg-role to business role
    There is a lot of technical background on how business role to PFCG role assignment works.
    Thank you,
    Stephen
    CRM Forum Moderator

  • ICM : Unable to login into DETECTIVE Business role

    Hi ,
    When I try to log in into DETECTIVE role ,I got issue "Security settings are not maintained, contact your system administrator" .
    I have SAP_ALL access and I copied the pfcg role which is assigned to business role and provided full authorization for all auth objects.
    Can you please assist by providing the key to access detective role in web ui. 
    Thanks,
    Naveen.

    Hi ,
    Thanks for your response.
    Fixed it myself: changed the technical profile in the business role to DEFAULT.
    Thanks,
    Naveen.
