Common technical roles in different business roles in BRM & ARM

Hi Gurus,
Some help please.
We have the following situation with BRM & ARM role provisioning.
In BRM we have, for example, two business roles set up (B1 & B2). We have in these two business roles a common technical role.
E.g. B1 (has roles T1, T2), while B2 (has roles T1 & T3).
In our example a user already has role B1 (with T1 & T2) assigned. The user then needs access to role B2 as well.
Since role T1 is common in both business roles, when a user does a request, ARM then sends them a notification saying that a duplicate role exists within the request (which they have to remove before continuing). This is confusing some users.
My question is as follows. Is there a way for the user to process the request without having the warning displayed & without having the duplicate technical role assigned?
So essentially, they will get access to business roles B1 & B2 (but technical role T1 will not be assigned twice)?
Your help is greatly appreciated.
Regards,
AJ

Hi AJ,
Could you share the notification message that ARM generates? And what about the role T1 assignment?
Is it assigned two times in the user profile?
Thanks,
Mamoon
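
An added sketch of the outcome AJ asks for, not code from the thread and not how SAP GRC ARM or BRM is implemented: business roles are modelled as sets of technical roles, so a request for B2 provisions only T3, and a later removal of B1 leaves T1 in place because B2 still grants it. The function names are hypothetical; B1, B2 and T1 to T3 are the thread's own labels.

```python
# Illustrative model only (assumption): a business role is a set of technical roles.
# B1/B2/T1..T3 come from the thread; the function names are hypothetical.
BUSINESS_ROLES = {
    "B1": {"T1", "T2"},
    "B2": {"T1", "T3"},
}


def effective_roles(assigned, catalog=BUSINESS_ROLES):
    """Union of the technical roles granted by the assigned business roles."""
    roles = set()
    for name in assigned:
        if name not in catalog:
            raise KeyError(f"unknown business role: {name}")
        roles |= catalog[name]
    return roles


def plan_grant(assigned, requested, catalog=BUSINESS_ROLES):
    """Split the requested business role into net-new and already-held technical roles."""
    current = effective_roles(assigned, catalog)
    wanted = effective_roles({requested}, catalog)
    return {
        "provision": sorted(wanted - current),      # only these reach the backend
        "already_held": sorted(wanted & current),   # shared roles, nothing to add
    }


def plan_revoke(assigned, revoked, catalog=BUSINESS_ROLES):
    """Remove a business role without stripping technical roles another one still grants."""
    remaining = effective_roles(set(assigned) - {revoked}, catalog)
    granted = effective_roles({revoked}, catalog)
    return {
        "deprovision": sorted(granted - remaining),
        "retain": sorted(granted & remaining),      # still justified by another role
    }


if __name__ == "__main__":
    # The user holds B1 and requests B2: T1 is shared, only T3 is new.
    print(plan_grant({"B1"}, "B2"))
    # Later B1 is removed: T2 goes, T1 stays because B2 still includes it.
    print(plan_revoke({"B1", "B2"}, "B1"))
```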

Similar Messages

  • SAP Technical roles and IDM Business roles mapping

    Hi Guys
    Just wondering if there is an easy way to export SAP Positions and create them automatically as Business Roles in IDM and the SAP technical roles that are related to that corresponding position into privileges assigned to that Business Role. Or am I going about this the wrong way? What do you normally do in terms of getting all your SAP technical roles from the SAP system and assigning them to business roles in IDM? Any help on this is much appreciated.
    Cheers
    Leo

    Thanks Matt,
    I think I get the picture now.
    One thing that I am still not sure about is how the SAP ABAP technical roles or profiles are provisioned through workflow.
    Here is what I've done so far:
    1. HCM data loaded into productive identity store via vds
    2. Did an initial load of the abap system into the productive identity store (now the technical roles and profiles are loaded as privileges in the idstore)
    3. Through workflow I select a user that already has an abap account and assign that user some additional sap technical roles, for e.g. sap_all and sap_new. The corresponding privileges for these roles are namely PRIV:PROFILE:ECX:SAP_ALL and PRIV:PROFILE:ECX:SAP_NEW .
    4. For the provisioning to occur so that these new privileges are reflected in the ABAP system for this user, I have used the setABAPRole&ProfileForUser task from sap provisioning framework folder and set it as the add/mod/del  event task for the MXREF_MX_PRIVILEGE attribute. That way whenever a privilege is added to a user account the setABAPRole&ProfileForUser task will run and the sap_all and sap_new profiles will be added in the backend. This way I can avoid setting a provisioning task for each abap privilege that gets loaded.
    But it should be obvious now that there is a flaw with this kind of setup, because all non-ABAP privileges that get added or removed will trigger the setABAPRole&ProfileForUser task anyway, because the privileges use the same attribute, i.e. MXREF_MX_PRIVILEGE. So it brings me to the question: how do you provision ABAP technical roles or profiles through workflow without setting a provisioning task for each ABAP-related privilege?
    Thanks again for all your help!
    Leo

  • Fix Business Role / Technical Role assignment in Pending or Failed status

    Hi,
    We are facing issues with a few users where business role assignment or technical role assignment is going into Pending or Failed status.
    None of the jobs are failing or throwing any error related with the changes.
    We are running IdM 7.2 version with SP8.
    Is there a way to fix this issue other than removing and reassigning or recreating ID.
    Regards,
    Manish

    Hi Manish,
    If the technical role (priv) is in failed status, please check Tero's reply in the post below. You can set up a periodic job to read users and privs in failed status and use the uRetryPrivilegeAdd() function to retry the assignment.
    Failed AD privileges
    I was able to find a document on how to set up the periodic job.
    Retry failed assignments (Privilege)
    You should try searching the forum and wiki for answers. Most of the issues are addressed by our community experts already. Thanks.
    Kind regards,
    Jai
    Message was edited by: Jai Suryan

  • Business Roles & Technical Roles

    Colleagues,
    With the whole process of creating Business Roles for the implementation of IdM we've gotten to thinking and started looking for a best practice when it comes to creating and managing business roles as well as technical (SAP, ABAP) roles.
    Anyone have any good documentation in this regard?
    Thx in advance,
    Jonathan

    Hey Sandeep,
    It's a good document but not exactly what I was looking for.
    Concerning the Business Roles I was looking for more of a functional (business) view point on the whole business role thing. Something I could use from a technical standpoint to help my customer in the business role creation process.
    Concerning the Technical Roles (ABAP authorisations): we have the situation here at the moment that we're dealing with 14 years of role creation in the SAP systems with no guidelines whatsoever. So to put it gently: it's a mess. And I was wondering if there was any best practice document out there describing the "best practice" of creating technical roles, handling authorisations in SAP etc.
    I realise that the second question doesn't quite fit in this forum but I'm guessing here would be the closest match for the question.
    Thx.

  • How can we copy an enhancement set to a different Business Role?

    Experts,
    How can we copy an enhancement set to a different Business Role?
    Currently we have an enhancement to a Business Role "SALES PRO." How can I make the same enhancement set active for a different Business Role, i.e. MARKETINGPRO?
    Thanks,

    Hi,
    It is recommended to have only one active enhancement set per client.
    For your business role you could use the role configuration key.
    In our system each business role has its own role configuration key. But we also implemented a BADI: if no configuration is found, use our company default role configuration key, and only if there is also no configuration, use SAP.
    Kind regards
    Manfred

  • Business Roles configuration for ARM

    Hi Gurus,
    We have implemented ARM piece of AC but now we have a requirement to map our security technical roles to business roles. Can we create and use business roles without using BRM ?
    Example: Create/maintain single roles in backend (ECC/BW etc) and import in GRC then map single roles to Business roles for requestors to select.
    Regards,
    Salman

    Yes Salman,
    You can use BRM to create business roles to group roles as per your requirement. You need to confirm the check box for connection group as Business, as below:
    As you mentioned, I assume you have defined the Methodology Processes and Steps for role maintenance then under NWBC, you would be able to see role type as Business.
    Hope you completed the action for: Deactivate Role Types
    Let us know if you need more info on this or for any issues.
    Regards,
    Ameet

  • Authorization object for a technical role

    Hi all,
    I have a technical role "SM_ORDERAPPROV_00", to which I need to find out the authorization object.  Could anybody help me in finding this.  I searched this in SUIM also, but I didn't find any.
    Thanks,
    bsv.

    Hi,
    Please check in transaction PFCG.
    Regards,
    Renjith Michael.

  • Need to build the security roles (actual technical roles) with HRCON object

    I need to build the security roles (actual technical roles) with HRCON object for date driven security.
    Please help me with how I could learn and what the approach should be.
    I.e. what is the requirement for learning to build the security roles (actual technical roles) with HRCON object for date driven security?

    Hi marco,
    It is related to Context solution and I need to implement HR Security in terms of context solution.
    So could you please describe the following points:
    1. What is context solution?
    2. How can I implement this context solution and HR Basic security as well?
    3. What is the prerequisite to learn about HR security?
    4. I am new to HR Security, so what would be the approach to implement HR Security?
    Thanks

  • Error Sending proxy from 2 different business system to PI

    Hi All,
    We are trying to send the proxy to the XI system from 2 different business systems. One is ECC and the other is POSDM. It is successfully sent from ECC, but when sending the same from POSDM we are getting the following error:
    "An error occurred when determining the business system (LD_ERROR)"
    We checked the RFCs SAPSLDAPI and LCRSAPRFC; they are in place. We have also created the type H connection from POSDM pointing to PI and from PI pointing to POSDM.
    And in sxmb_adm of the POSDM system the role is maintained as Application System and the IS_URL parameter is pointing to PI, but still we are getting the same error.
    Could all you experts please provide your valuable input on why this error is coming and how to resolve it?
    Thanks
    Ankit

    Hi Soni,
    Check your config in sxmb_adm > Integration Engine Configuration. Also run S_BCE_68001402 and check for locked users.
    Try refreshing the cache in SXI_CACHE in that system.
    Check if you are executing the report in the same client in which you have done all the settings.
    Also make sure that you have included the commit work statement after the Execute Asynchronous method call.
    regards,
    ganesh.

  • Mapping in interconnect between different Business Objects

    I want to know how to do transformation and mapping between different business objects in interconnects.
    We always have very complex SQL when we do integration with Oracle InterConnect. We use the DB Adapter or JDBC Adapter, but the complex SQL has to be executed in the resource DB or the destination DB, which may put big pressure on them. I think, can we use different Business Objects and do the mappings in InterConnect, so the big pressure will be on the InterConnect server, just like the ETL tools? But I just find that InterConnect can do transformation and mapping in one Business Object. How can I do this? Has anyone met this problem like me? Thanks for the discussion.

    For me, Business Objects are logical groupings of business processes. For example, we have a Business Object called "Maintain_Employees". Under this we have 1 Procedure (Create_Employee) and 2 Events (Update_Employee and Delete_Employee).
    We have 1 Oracle system interfacing with 23 other legacy systems. Some of these legacy systems will be using this "Maintain_Employees" Business Object (Common View), and our main transformations will be between the Common View and the legacy Application Views.
    We are using a number of techniques to assist in "validating" data in the InterConnect. The main ones are using 'Cross Reference Tables (XREF)' and 'DatabaseOperation' transformations. By using 'Content Based Routing' we are able to send the right message to the right legacy system, and therefore do the right transformation/validation on the message payload. However, this is only a small part of a complex puzzle.
    I also have the "problem" of having "very complex SQL" on our Oracle system too. This is not unusual when using the InterConnect.
    To my mind, the InterConnect does 2 main operations. Firstly, it performs some message transformation (mapping), and secondly, it acts as a transportation engine (routing) using the adapters.
    The remainder of the effort required to create or consume the message resides with the Applications themselves. Whether it is parsing an XML CLOB payload, inserting data into staging tables, writing to log files, pre-processing data, calling API's or something else, your Application side programming and processing overhead can get large.
    The trade-off is to ask the question: do I want to be able to track and manage messages from start to finish in high detail? Or can I trust that all message payload data will be consumed with no additional processing on the Application side?
    My experience has shown that the bottleneck is always at the Application side, and almost never in the InterConnect.
    The short answer to your first question is "You are right. Mappings can take place only between Application Views and Common Views only - not between Business Objects.".
    To answer your second question "Probably everyone reading this forum has this problem. The intelligence that is able to really interpret message data, validate it and process it is only found in the Application, not the InterConnect. You could, however, use the Workflow engine within OAI in order to provide additional pre-validation, human interaction and logic, but this too could be complex."
    At my current client, we are architecting an Application OAI Message handling schema. This will contain staging tables, pre-processing tables, "OAI" wrapper PL/SQL scripts, "APPS" wrapper PL/SQL scripts and Message Logging and Exception tables. Ours will be a complex set of PL/SQL processes too.
    I hope this helps, just in letting you know that you are not alone with this problem.
    I wonder if anyone else would like to share how they have architected their InterConnect and Application side mapping and transformation solutions.

  • Multiple integration flows for different business operations

    Hi - I have the following business requirement & need your advice.
    There are different business operations (read as INSERT/DELETE/QUERY) to be performed on the same business object (read as CUSTOMER). In order to develop these integration use cases I can have the following three approaches.
    *1. Single Requestor ABCS & Single Provider ABCS -* Develop single integration flow & implement logic for the business operations in them. That means, Develop single Requestor ABCS for all business operations, which will call the EBS and again EBS would call same Provider ABCS. Both Requestor & Provider ABCS would implement business logic for all business operations required.
    *2. Single Requestor ABCS & Multiple Provider ABCS -* In this case the flows for all business operations starts with single point service. That means, Develop single Requestor ABCS for all business operations, which will call the EBS and again EBS would call different Provider ABCS based on the business operations. The Requestor ABCS would implement business logic for all business operations required. There would be different ABCS service for different business operations.
    *3. Multiple Requestor ABCS & Multiple Provider ABCS -* In this case completely independent flows are to be developed for all business operations: independent Requestor ABCS and independent Provider ABCS. Of course, if there is some common business logic for all or some business operations, it can be implemented as a common service & can be used across all independent flows for different business operations.
    Please do suggest which approach would be the best one to pick. Or is it on a case-by-case basis? In case yes, please suggest the criteria on which the decision can be taken.
    Thanks In Advance
    Priyadarshi

    Hi Priyadarshi,
    AIA recommends having an ABCS for each Verb and Noun combination for a specific Business Process, i.e. CreateCustomerABCS and UpdateCustomerABCS. Therefore, #3 would be the preferred approach. This is to allow for maximum flexibility. However, you may have a process that demands to model the integration as #2.
    The decision would depend on how the participating application services are modeled and the granularity of individual service call. For example, a ProcessCustomer invocation at the source end may call CreateCustomer provider service.
    Regards
    Rohit

  • Common Technical Questions ( Discovery/Analysis Phase )

    Hi All,
    Could someone please post the Common Technical Questions which need to be asked to the Customer at the Discovery/Analysis Phase.
    I mean common questions like Different types of Clients in SAP R/3, Procedure of Transports to be released to Production, Approvals/Authorizations for Testing, Testing Clients etc.
    Thanks in advance.
    Best regards,
    Prashant

  • GR/IR Automatic Clearing for Different Business areas items

    Hello All,
    We have different business areas, and sometimes we create a PO for all business areas and invoice it in a specific business area.
    in F.13 automatic clearing:
    for GR/IR account
    Documents with different business area cannot be cleared.
    any idea to solve this issue is appreciated,

    Thanks for your reply,
    I've tried such a solution with more parameters (EBELN, XREF3 and EBELP),
    but in F.13:
    - the document cannot be cleared when selecting the GR/IR account special process.
    If we treat the GR account as a normal GL account, I mean without selecting the GR/IR account special process,
    the document can be cleared.
    I want to be able to clear the document with the GR/IR field selected (is it possible?),
    and if it is not allowed, will we face a problem by clearing the GR account without selecting the GR/IR parameter?
    Many Thanks

  • Different Business Area in Customer line item while Billing

    Dear Friends,
    We are on Ecc 6.0 and We have a requirement of Different Business Area in Customer line while billing. Since we had defined Business area location wise and requirement is Sundry Debtors should always book to Location as maintained in delivery plant field of sales area data in customer master.
    Requirement:- Our material is assigned to Plant 115.In customer master, sales area data -> shipping tab  -> Delivery Plant (KNVV- VWERKS), we are maintaining "112", Now while billing and while generating Accounting document account entry is
    Customer 1000.00 (Business area=115)
    sales    1000.00 (Business area=115)
    But our requirement while accounting document after billing is
    Customer 1000.00 (Business area=112), system should check and derive the same from TABLE KNVV - VWERKS(DEL PLANT)
    sales    1000.00 (Business area=115).
    Please revert.
    Regards,
    Sandeep

    Dear Friends,
    One can do the same via using a userexit.
    Regards,
    Sandeep

  • Same Logical System Name, different Business System

    Hi all,
    I have a problem regarding SLD and Integration Directory. The client is requiring me to use the same logical system name for two different business systems. It seems that this is not possible in XI. When I tried activating the business system in ID, I'm getting the error, 'Logical system XXX already exists in communication component YYY'. Please help. Thanks!
    IX

    Hi,
    You cannot have the same logical name for two business systems....
    Why do you need it?? How will the SAP system understand which system the message was sent for?? Some workaround like
    1. Create a business system with this logical system
    2. Overwrite sender/receiver business system in the receiver agreement for messages sent to 2nd business system..
    This may lead to discrepancies....
    Regards
    Suraj
