Business Roles & Technical Roles
Colleagues,
With the whole process of creating Business Roles for the implementation of IdM, we've gotten to thinking and started looking for a best practice when it comes to creating and managing business roles as well as technical (SAP, ABAP) roles.
Anyone have any good documentation in this regard?
Thx in advance,
Jonathan
Hey Sandeep,
It's a good document but not exactly what I was looking for.
Concerning the Business Roles I was looking for more of a functional (business) view point on the whole business role thing. Something I could use from a technical standpoint to help my customer in the business role creation process.
Concerning the Technical Roles (ABAP authorisations). We have the situation here at the moment that we're dealing with 14 years of role creation in the SAP systems with no guidelines whatsoever. So to put it gently: it's a mess. And I was wondering if there was any best practice document out there describing the "best practice" of creating technical roles, handling authorisations in SAP etc.
I realise that the second question doesn't quite fit in this forum but I'm guessing here would be the closest match for the question.
Thx.
Similar Messages
-
Technical names in Business Role selection screen
Hello,
When I log on to the WebUI I get the selection screen for the Business Roles (correct because I'm assigned to multiple).
But in the selection screen the Technical Names of the Business Roles are shown too and I don't want to show these to the users.
So does anybody know how we can disable showing the technical names in the business role selection screen?
Can it be done in BSP crm_ui_start > Page Fragments > selectBusinessRole.htm Selection of Business Role? If so, what do I have to change?
Thnx!
Regards,
Joost
Hi Joost,
This technical information is the tooltip that is coming from the following line.
crm_ui_start > Page Fragments > selectBusinessRole.htm
at line no 29
tooltip="<%= profile_detail %>"
If you can remove this line then technical information, that comes up when you do mouse over the role description, wouldn't come.
Regards
Ajay -
SAP Technical roles and IDM Business roles mapping
Hi Guys
Just wondering if there is an easy way to export SAP Positions and create them automatically as Business Roles in IDM and the SAP technical roles that are related to that corresponding position into privileges assigned to that Business Role. Or am I going about this the wrong way? What do you normally do in terms of getting all your sap technical roles from the sap system and assigning them to business roles in IDM. Any help on this is much appreciated?
Cheers
Leo
Thanks Matt,
I think I get the picture now
One thing that I am still not sure about is how the sap abap technical roles or profiles are provisioned through workflow
Here is what I've done so far
1. HCM data loaded into productive identity store via vds
2. Did an initial load of the abap system into the productive identity store (now the technical roles and profiles are loaded as privileges in the idstore)
3. Through workflow I select a user that already has an abap account and assign that user some additional sap technical roles, for e.g. sap_all and sap_new. The corresponding privileges for these roles are namely PRIV:PROFILE:ECX:SAP_ALL and PRIV:PROFILE:ECX:SAP_NEW .
4. For the provisioning to occur so that these new privileges are reflected in the ABAP system for this user, I have used the setABAPRole&ProfileForUser task from sap provisioning framework folder and set it as the add/mod/del event task for the MXREF_MX_PRIVILEGE attribute. That way whenever a privilege is added to a user account the setABAPRole&ProfileForUser task will run and the sap_all and sap_new profiles will be added in the backend. This way I can avoid setting a provisioning task for each abap privilege that gets loaded.
But it should be obvious now that there is a flaw with this kind of setup, because all non abap privileges that get added or removed will trigger the setABAPRole&ProfileForUser task anyway because the privileges use the same attribute i.e. MXREF_MX_PRIVILEGE. So it brings me to the question how do you provision abap technical roles or profiles through workflow without setting a provisioning task for each abap related privilege.
Thanks again for all your help!
Leo -
Business role for technical users
Hi,
Does SAP deliver a crm 7.0 business role for technical/consultant users? I need to get access to the configuration mode in the webclient where I can change and add new fields. Can anybody help me?
Thanks,
regards Camilla
Hi Camilla
Check Best Practice Guide C04.
Create the Power User role as instructed in the document.
This will enable you to complete configuration tasks.
Regards
Arden -
Business Role, Technical Profile, Application, Start Page in UI for service
Hi CRM 2007 gurus,
I have made all the settings in accordance with C04 to use the UI for the services role (copy of business role SERVICEPRO). Created the relevant PFCG role and a position in the org model; with a user and the business role assigned to the position. But I am getting an empty page on login.
Then I changed the technical profile from DEFAULT to DEFAULT_IC; then it started giving an error "Permission denied".
I then changed the start application to CRM_UI_FRAME and the start page to DEFAULT.HTM; then Internet Explorer started exiting on its own after the login.
Can someone pls tell me what is amiss. Do I need to include some specific application and page as the "Startup Application" and "Start Page" in the technical profile (these are currently blank for the technical profile DEFAULT attached to the concerned business role).
Points to be won; kindly help asap.
Regards,
DP
Hi Deepak,
few cents that might help:
- Your problem is definitely not related to authorization issues. (easily derived by the nature of the error message and the point where it occurs (CL_BSP_WD_STREAM_LOADER))
- The error message you received is being raised when CRM UI runtime tries to load a runtime repository. In case a runtime repository of a component has dynamic parts (e.g. the shell part itself), the repository is being loaded by the system via HTTP or HTTPS, depending on system settings. This results in the system sending a HTTP(S) request to itself.
Now, there are two likely reasons for this going wrong:
a) the system cannot "see" itself on the network (hosts problem, reverse proxy scenarios, etc.)
b) the runtime repository doesn't exist at all (resource doesn't exist). This sometimes happens if component enhancements are active in a client (customizing settings) but the respective enhancement component (development objects) haven't made it into the system.
c) In your case we can rule out this one: the SICF service for the UI component is not active - in that case the response would likely have been something like "Access forbidden" and you confirmed already all SICF services being active
To get more clarity, you might want to proceed as follows:
- Set a breakpoint in the line mentioned in the error message. You can access the source code of the relevant method using SE38 even though the include name looks pretty scary in the message (CL_BSP_WD_STREAM_LOADER=======CM02 or so).
- In the debugger, check the name of the URL that had been tried to access (The variable should be available some lines above the breakpoint where the request gets sent).
- try to access the same URL directly from your browser.
Now, if you still don't get a valid response, b) might be the case. If you get an XML file back, a) might be the case.
Good luck!
Peter -
Fix Business Role / Technical Role assignment in Pending or Failed status
Hi,
We are facing issues with few users where Business role assignment or technical role assignment is going into Pending or failed status.
None of the jobs are failing or throwing any error related with the changes.
We are running IdM 7.2 version with SP8.
Is there a way to fix this issue other than removing and reassigning or recreating ID.
Regards,
Manish
Hi Manish,
If a technical role (priv) is in failed status, please check Tero's reply in the below post. You can set a periodic job to read users and privs in failed status and use uRetryPrivilegeAdd() function to retry the assignment.
Failed AD privileges
I was able to find a document on how to set up the periodic job.
Retry failed assignments (Privilege)
You should try searching the forum and wiki for answers. Most of the issues are addressed by our community experts already. Thanks.
Kind regards,
Jai
Message was edited by: Jai Suryan -
Common technical roles in different business roles in BRM & ARM
Hi Gurus ,
Some help please .
We have the following situation with BRM & ARM role provisioning .
In BRM we have for example two business roles setup (B1 & B2). We have in these two business roles a common technical role .
E.g. B1 (has role T1 ,T2 ) , while B2 (has roles T1 & T3) .
in our example an user already has role B1 (with T1 & T2) assigned. The user then needs access to role B2 as well .
Since role T1 is common in both business roles, when a user does a request, ARM then sends them a notification saying that a duplicate role exists within the request (which they have to remove before continuing). This is confusing some users.
My question is as follows. Is there a way to for the user to process the request without having the warning displayed & without having the duplicate technical role assigned ?
So essentially , they will get access to business role B1 & B2 (but technical role T1 will not be assigned twice) ?
Your help is greatly appreciated .
Regards,
AJ
Hi AJ,
Could you share the notification message that ARM generates? And what about role T1 assignment?
Is it assigned two times in the user profile?
Thanks,
Mamoon -
Business Role to System/Technical Role Mapping in CUP
All,
In our design of CUP we are having end-users logon and choose their "business role" and having CUP select the system/technical roles. For example, we want an AP Clerk to be able to logon and choose "AP Clerk" and have role A, B & C from ECC selected and role D from BI.
Is this type of design possible in CUP 5.3 or are we extending into IDM functionality (which we do not have). Has anyone had experience in type of design? What are your recommendations?
Thank you,
Grace Rae
Grace,
I assume you are looking for Job/Position roles but for SAP systems. Fortunately, CUP provides the flexibility to implement RBAC concept for both SAP & Non SAP systems.
In this case, catch would be your blueprinting which depends on various parameters like – How sound your authorization concept is placed in all the managed systems (R3, BI, non sap etc), Approval criteria, organizational operational view etc. Concern is that we may run into other issues of violations, risk analysis, approvals etc if we don't plan diligently
Alpesh's hint would be really helpful in terms of implementing this requirement.
Thanks
Qalid -
CRM 7.0 How to create Business role & generate
Hi Team,
Can you please let me know some brief idea about CRM 7.0 security guide.
How to create Business role, is this part of functional activity?
What's the role of Technical colleagues BASIS guys in CRM 7.0 security.
Please help me to get some document regarding business role creation , generation , assignment & authorization checks in CRM 7.0.
Thanks & Regards,
Vyash Mishra
Hello Viyash
I will add the most important information for generation of business roles and assignment of authorizations to users.
You must first create the PFCG roles. PFCG role is built based on the Business Role.
Please see documentation in : SPRO
SAP Implementation Guide => Customer Relationship Management
UI Framework > Business roles > Define Authorization Role
Then the PFCG role can be assigned to the business role in
SAP Implementation Guide => Customer Relationship Management
UI Framework > Business roles > Define Business role
Finally you must assign business roles to Organizations or positions in organizations in
SAP Implementation Guide => Customer Relationship Management
UI Framework > Business roles > Define Organizational Assignment
The users that are assigned to such organizations / positions will be therefore linked to the business role.
With the previous steps the users will have the authorizations that are assigned to the PFCG profile that is linked to their business role.
Business roles are the main way to configure authorizations for users in CRM but you have more options that give you flexibility. Each business role has assigned one PFCG role, but the relationship between business role and PFCG role is not strict. You can even assign a dummy PFCG role to a certain business role in business role customizing and then go to transaction PFCG and assign other PFCG role(s) to the users that are assigned to that business role.
I would say that the previous tasks must be performed by the basis team but in cooperation with the functional team
Best Regards
Luis Rivera -
Copied Business Role in Solution Manager ITSM
Hi All
This is eunhwa.
I have a question regarding copied business role in Solution Manager ITSM.
To copy business role, I copied technical roles Navigation profile, configuration key and PFCT Role ID. And then I copied a business Role. And assign copied technical roles to copied business role.
And I changed Direct link group UI. For example, in copied business role ZSOLMANPRO, there were many direct links, I only left 'incident' and 'problem'.
However when I selected 'incident' in direct link, there was no transaction 'zmin' assigned. I couldn't create an incident.
Why this error happened? Is there anything which I miss?
Thanks.
Best Regards,
Eunhwa Park
Hi,
Well, there are multiple things you can check.
1. If you are using IE
You have to add the page/pop-up to the compatibility mode of your Browser.
IE -> EXTRAS -> Settings for Compatibility Mode -> Add -> Refresh the CRM WEB UI
2. Check if you have assigned SM-CREATE in the ZSOLMANPRO Navigation profile. (In Assigning the direct link groups to Nav. Bar profile.)
3. Check whether you had authorizations for ZMIN in PFCG profile.
4. Additionally check
1905448 - How to restrict the suggested transaction codes when creating an ITSM Incident using CRM Web UI - Solution Manager
5. In define transaction types corresponding transaction types are active. (In SPRO under solman ->Capabilities->ITSM-> Transactions)
6. Check the copy control whether they are fine. (In SPRO under solman ->Capabilities->ITSM-> Transactions)
7. Ensure that the transaction type's channel definition in customizing is set to 'CRM Web-Client UI'
If your issue is still not resolved yet, please paste the error/screen you are getting.
Regards
Rishav -
Dear All,
In GRC 5.3 we perform the following mapping:
Business Role A mapped with (no owner)
- Technical Role 1 (from ECC with Owner1)
- Technical Role 2 (from CRM with Owner2)
- Technical Role 3 (from HR with Owner3)
In GRC 5.3 we have a business role mapped with multiple child roles (technical roles) from other systems.
GRC 5.3 request is able to close and provisioned as it can see owners from child role.
Now in GRC 10, we did the same. Create a business role, then mapped the child role (technical role). Unfortunately, when manager approves the workflow reroute to "NO OWNER DETOUR PATH" because it cannot see the technical role owner.
Seems like GRC 10 is only looking at business role owner. We are unable to add Owner1, Owner2, Owner3 to the business role because when one of the owner approves, it will provision all the technical roles. We might have owners who will reject their role.
Please advise.
Jacky
Hi Mustafa,
you can use end user personalization to avoid a role owner to approve roles for himself. Define a dedicated EUP for role owner stage and restrict via "Approve/Reject Own Requests" like shown below:
Does this answer your question?
Regards,
Alessandro -
Business Role change made password deactivated or reset in ABAP systems.
Hi,
We recently made changes to a Business role by adding a technical role, but this change has deactivated or reset the password for assigned users who had a Productive password in the connected ABAP system.
We have two type of users, one who access SAP Portal and ABAP with Single Sign on and second who login into Portal and ABAP with password.
This BR change has impacted second type of users who had Productive password.
Regards,
Manish
Hello Manish,
you have marked the thread as "Assumed answered". Could you please share with the community the outcome of your OSS ticket with SAP, so that others can benefit, too? Then you can mark the post as answered. Right now the thread isn't really helpful to anyone (neither you nor the community).
Also, if you answer Jai's questions, maybe we can help in solving your problem?
Having several irons in the fire can't be bad, right?
Regards,
Steffi. -
Business Role changes not being provisioned
Guys (and girls),
We're having the issue that whenever we change something to a business role in IdM 7.1 SP5, like adding or removing a technical role (SAP role) the change isn't provisioned to the system automatically resulting in users not being updated.
The workaround now is to change a business role and then remove it from a user and add it to that user again. Works ok when you're dealing with only a few users but I'm not looking forward to the day our basic role needs updating.
Same thing goes for changing users telephone number or SNC name or the likes.
I'm not sure if the two issues are related but am I missing an assignment of a task somewhere?
Cheers,
Jonathan
Jonathan,
I think so, but a pretty simple one to fix.
I would do one of two things:
1. Put a MODIFY task on MXREF_MX_ROLE or whatever attribute you're holding roles in. Have this task do a role reconciliation.
2. As a part of the workflow, have a role reconciliation execute.
On the whole, I prefer the second option. Don't like adding baggage onto the MXREF attributes. Just keeps things running more efficiently.
By role reconciliation, I mean executing the functions/tasks needed to reassert the roles on the user. I think there's a built in scripting function to do this or you can automate the add/remove functionality you described in your message, holding the role MSKEYs in a temporary attribute.
Matt -
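The role reconciliation Matt describes, combined with the shared technical role case from the BRM thread (B1 and B2 both containing T1), as an added example; it is not code from SAP IdM or from any poster, it calls no IdM API, and all role names, users and data are constructed. It assumes every technical role a user holds comes from a business role, so a directly assigned role would show up as a removal.

```javascript
// Added example: plain JavaScript, no SAP IdM API. All data is constructed.

// Business role -> technical roles AFTER the change (B1 lost T1, gained T4).
const ROLE_MAP = {
  B1: ["T2", "T4"],
  B2: ["T1", "T3"],
};

// User -> assigned business roles.
const USERS = {
  alice: ["B1", "B2"],
  bob: ["B1"],
  carol: ["B2"],
};

// What the target system currently holds (still reflects the old B1 = T1, T2).
const PROVISIONED = {
  alice: ["T1", "T2", "T3"],
  bob: ["T1", "T2"],
  carol: ["T1", "T3"],
};

// Union of technical roles over all of a user's business roles.
// Using a Set means a role shared by two business roles appears once.
function effectiveTechnicalRoles(businessRoles, roleMap) {
  const out = new Set();
  for (const br of businessRoles) {
    const techRoles = roleMap[br];
    if (!techRoles) throw new Error(`Unknown business role: ${br}`);
    for (const t of techRoles) out.add(t);
  }
  return out;
}

// Compare the target state (from the role model) with the provisioned state
// and return only the per-user differences that need to be pushed.
function reconcile(users, roleMap, provisioned) {
  const plan = [];
  for (const [user, businessRoles] of Object.entries(users)) {
    const target = effectiveTechnicalRoles(businessRoles, roleMap);
    const current = new Set(provisioned[user] || []);
    const add = [...target].filter((r) => !current.has(r)).sort();
    // A role is removed only if NO remaining business role still grants it.
    const remove = [...current].filter((r) => !target.has(r)).sort();
    if (add.length || remove.length) plan.push({ user, add, remove });
  }
  return plan;
}

console.log(JSON.stringify(reconcile(USERS, ROLE_MAP, PROVISIONED), null, 2));
```

alice keeps T1 because B2 still grants it, while bob loses it; carol is untouched and produces no work item.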
SAP CRM 2007 Business role assignment
Hi all,
We are using CRM 2007. and we are trying to assign Business roles to users using the PFCG ROLE ID attribute.
1- We create a PFCG role : "pfcgrole1"
2- We create a Business Role "Businessrole1" and put PFCG Role id = "pfcgrole1"
3- assign the user to the PFCG role "pfcgrole1"
We have two cases :
CASE 1: The user is assigned to a position in Org management but the position does not have any Business roles assigned.
RESULT : The user logs in to CRM, the user gets error message "Logon is not possible because you have not been assigned a business role"
CASE 2: The user is not assigned to any position in Org management.
RESULT : The user logs in to CRM, everything works fine
my interpretation : org management has precedence over business role assignment using PFCG roles and blocks Business role assignment even if the position has no Business roles assigned
Anyone has any idea how to assign business roles using PFCG ROle ID even if the user is assigned to a position without any business roles
Thanks in advance.
Please review these old threads first:
Re: Reg: Business Role
Assignment pfcg-role to user and assignment pfcg-role to business role
There is a lot of technical background on how business role to PFCG role assignment works.
Thank you,
Stephen
CRM Forum Moderator -
ICM : Unable to login into DETECTIVE Business role
Hi ,
When I try to log in into DETECTIVE role ,I got issue "Security settings are not maintained, contact your system administrator" .
I have SAP_ALL access and I copied the pfcg role which is assigned to business role and provided full authorization for all auth objects.
Can you please assist by providing the key to access detective role in web ui.
Thanks,
Naveen.
Hi,
Thanks for your response.
Fixed by self, changed the technical profile in business role to DEFAULT.
Thanks,
Naveen.