Create Role Option in CUP 5.3

Similar Messages

• Role Creation in CUP 5.3

  Hello,
  I'm trying to understand the concept of what is called "role creation" in Compliant User Provisioning.
  My understanding is that the "create role" option in CUP (configuration>Roles>Create Role) means simply adding the "attributes" such as a business process, functional area, system, or company, to the SAP roles that you imported into CUP.  
  It seems that, with CUP, once you have imported SAP roles and "adjusted" them (adding attributes), you are no longer operating PFCG and SU01 in the SAP backend system. From this point on, everything is done in CUP (provisioning) and ERM (creating additional roles).
  Please tell me if I'm wrong.
  HM

  HM,
    The create role option in CUP is mainly for legacy/non-cup supported systems. This way you can follow the standard workflow process for LDAP/Windows/legacy system. In this user provisioning and role assignment will not be done through CUP and will be manual. This is very important for some companies as they want user to go through same process if they want to get access to any system and not only ERP system.
  The below statement is wrong.
  It seems that, with CUP, once you have imported SAP roles and "adjusted" them (adding attributes), you are no longer operating PFCG and SU01 in the SAP backend system. From this point on, everything is done in CUP (provisioning) and ERM (creating additional roles).
  If you don't have ERM then you will have to use PFCG. Once you have CUP, you don't have to use SU01.
  Regards,
  Alpesh

• How to do Enhancements in Reporting & What is Role and How to create Roles

  Hi All,
  Can any one tell How to do Enhancements in Reporting, and also What is Role and How to create Roles in Reporting?
  Plz reply back me on [email protected]
  Regards,
  Kiran

  Reporting Enhancement - RSR00001 - BW: Enhancements for global variables in reporting
  And using the SAP Exit - EXIT_SAPLRRS0_001
  RSR00001- With this enhancement to global variables in reporting you have the option of determining your default values for variables. You can use this enhancement for variables, for which 'Processing by Customer-Exit' has been selected in the variable maintenance. This is valid for all variable types (characteristic value, node, hierarchy, formula and text variables). You use the Exit EXIT_SAPLRRS0_001 for this.
  The Enhancement component (RSR00001) must be assigned to a Project Created using the Transaction CMOD. On activating the Project, the Exit would become active and in turn the logic written inside the Exit.
  To ensure that the data warehousing soultion reflects your company's structure and business needs it is critical that you establish who is authorized to access the data.With SAP BW, Authorizations can be defined and maintained by object and can also be applied to hierarchies and these authorizations can be inserted into roles that are used to determine what type of content is available to specific users or user groups.
  T-code for Role maintainence -PFCG.
  Please assign points if it is useful.
  Regards
  Pavan Prakhya

• GRC AC 10.0: Info about rejected roles in the CUP Email

  Hello all,
  the GRC componetent CUP seems to be technically mature in comparison to Role Management component, but there is one thing where I am not sure, is it an error or did I miss some config parameters:
  When the CUP Request ist closed, the user gets an email (Template ID: GRAC_AR_CLOSE). Not all of the roles were approved, some of the roles were rejected. But the user gets an email where only the approved roles are listed:
  We would like to inform the user about the status of all roles in the CUP requests: which roles were approved and which roles were rejected. Is it possible to configure in MSMP Workflow?
  Right now we have the following setting:
  Thanks,
  regards Sabrina

  Hi Sabrina,
  To notify the requester for the roles which got rejected, you can try with Email notification template: GRAC_MSMP_ERM_REJECTED for the for the message class.
  You can create custom version of this template. For more understanding on how to customize the Email notification template, you can refer to: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/605077fc-3577-2e10-e1a6-a743514d4eb3?QuickLink=index&…
  Hope this helps, Let us know if you face any issues.
  Regards,
  Ameet

• Creating Roles for Purchase Req. release strategy with classification

  Hi friends,
  Since I have created Purchase req rel strategy where I have four release strategy
  1. For Plant 1 When value <= 5000 (Officer) will release , release code 01 release release strategy r1 and rel code L1
  2 For Plant 1 When value >= 5000 (Manager) will release , release code 01 release release strategy r2and rel code L2
  Now the manager will have 2 release code,if  officer is absent he could release the requisition.
  Same has to be done for plant 2
  The release Group and code needs to be assigned to the Roles , could anybody tell  me  where i could know about roles and will be able to create roles and assign authorisation objects to the Roles , and release group and code to the enduser.
  though its a basis job , since I have no idea , I mean I have never worked with Roles ,as now I have created the Release strategy with classification I need to assign authorisation objects to the Roles as I have four release strategy
  1. For Plant 1 lower value of requisition 1 codeL1(Officer)
  2  For higher value of requisition 2 code say Li and L2(Manager)
  Manager should have 2 codes if  officer is absent he could release
  Same has to be done for Plant 2
  Thanks N Regards
  Siddhartha

  Hii,
  Steps:
  1) Create a Role
  2) Add the authorization Object  M_EINK_FRG by taking the manual option
  3) Assign Release Code and Release Grp
  4) Assign the Role to the User ID which has the authorization of the Release Code and Grp.
  Regards,
  Kumar

• HOW TO CREATE ROLE AND ASSIGN TO USER

  Dear all
  1- Create ROLE data_entry
  2- Now open the Form Builder --> open Mennu.mmb --> F4,it open the property pallete --> Set use secturity option
  YES and in Module Role option set Roles --> form_entry
  5- Press F3 (Come back in Navigator Pane) then double click on Mennu, it open Mennu which is attached Forms then
  double click on that one Form which attach Role with it --> click on Item Role --> and attach the Role
  6- Go start Mennu --> Oracle Form6i-Admin --> Build after this it will ask
  ‘Enter System Passwors’ then Give the Local Password.
  'Enter database connection ( e.g. t:node:SID) [LOCAL] ' Give ORCL ( but me confused what should i give over
  here)
  7- Create User DEO Identified By DEO
  8- Grant DBA to DEO
  9- Grant data_entry to DEO
  When i run my application and get login by DEO user then i receive this Error:
  FRM-10247: No activate items in root menu of application.
  please let me know where i am making mistake
  Thanks in advance
  Regards,

  Hi,
  Just check your second point.
  - Now open the Form Builder --> open Mennu.mmb --> F4,it open the property pallete --> Set use secturity option
  YES and in Module Role option set Roles --> form_entryHere, you are using "form_entry" role to the menu but you've granted data_entry role to the user.
  Hence, at run time forms is expecting user with form_entry role, which it's not getting.
  Hope it helps.
  Please mark answer as helpful / correct, if it helps you
  Navnit

• What is a Role option in Bex and what is its primary purpose?

  What is a Role option in Bex and what is its primary purpose? My understanding is that the role option in bex is used so that everybody can able to access queries and workbooks is it right?
  Please don't ditch me I already searched forum to find exact answer about it.
  Thanks
  York

  Hi Les ,
  With SAP NetWeaver 7.0 SP Stack 6 a new dialog is available for publishing queries, Web applications and reports.
  You can call this dialog from the corresponding menu bar in the BEx Query Designer, BEx Web Application Designer and BEx Report Designer. The queries, Web applications and reports are created as iViews and stored in the selected directory of the Portal Content Directory (PCD).In Bex there are three optins by which u can publish and one amongst them is roles according to which u can publish the result set of the query to roles which have authorized users assigned to them . So u can be more specific that each user can see data relevant to his cost center or his region.
  The My Portfolio, CM Repository View and Collaboration Room views that you called from the dialog in the Query Designer and Web Application Designer in SAP BW 3.5 are no longer available in the same form. Now you can use the BEX Broadcaster to store the queries and Web applications as links in your personal portfolio, a folder or collaboration room.
  Regards,
  Supriya

• How to create role(s) in Web As Java?

  Hi there,
  Can you please tell me how to create roles and assign to a user in Web AS Java Standalone system? I know How to do it if it is Dual Stack...but not with Standalone java System?
  Thanks In Advance
  Kumar

  Hello Kumar,
                      I guess by by dual stack you mean an ABAP+JAVA environment right?
  Anyways, in a JAVA only schema, if you are using your user store as UME, you can create the roles in UME through the browser by logging in as J2EE_ADMIIN or a suer with equivalent authorizations.
  on the other hand you can create J2ee roles in Visual administrator(VA). For that you need to login to VA and go to the service Security provider. There you will find the option to create roles. But please be advised that the actions (equivalent of authorizations in ABAP stack) should already have been defined by your programmers before you can go ahead with the task of creating roles.
  One morething, each J2EE role can contain only one action.
  Where as in UME roles you can group them together.
  Regards,
  Prashant

• How to raise create role request in OIM 11gR2?

  How can I let a user to raise a create role request in OIM 11gR2?
  If I assigned the Role Viewer or Role Authorizer admin role to the user, the create button for role is disabled.
  If I assign the user as Role Administrator, the role will be directly created without raising any request.
  If I assign the user as SPML Admin, the create button is enabled, but after filling the form and clicking the "save" button, an exception will be thrown saying "IAM-3054100 : The logged-in user AA10127 does not have createRole permission on Role entity."

  Hi,
  i have changed identity page logo by using customize option, But in sysadmin page there no such option, is it possible to change image same as identity console.

• Role Import in CUP

  Hi
  There are two options of choosing the source system for role import in CUP
  1. Back end system
  2. ERM
  I am facing problems in importing roles in CUP from ERM. The system shows a successful import but the number of roles imported are Zero. However if I choose the Backend system as source system, the roles get imported in CUP.
  can someone help me with this issue. I want to import roles from ERM because roles imported from ERM will have all the role attributes like Business process, Sub business process, functional area etc which are not available if we import roles from backend.
  Regards,
  Nitin

  Hi Sahad,
     Did you look at CUP logs? Is ERM and CUP installed on same server? Have you configured Business process and sub process exactly same as in ERM?
  There are 2 ways to upload roles into CUP using spreadsheet:
  1) Cumbersome method, if you don't have roles maintained in Excel: You can get R/3 roles via SUIM or some other method and manipulate them to match the role import template of CUP
  2) Easy method : Import all the necessary roles into CUP via Backend. Once you have all the roles in CUP, go to 'Search Roles'. Click on 'Search' button without providing any search criteria. This will return all the roles available in CUP. Now, click on Export button. CUP will export all the roles into Excel spreadsheet in the format which CUP understands. Now, delete all the roles from CUP and play with the spreadsheet to manipulate other parameters like role approvers, systems, business process etc and upload that spreadsheet into CUP.
  Both these methods require some manual work.
  Regards,
  Alpesh

• Creating Roles

  Hi ,
             What are the steps involved in creating Roles In EP inorder to assign a Webdynpro Application.
  Thanks& Regards,
  Kumar

  Follow the below steps
  1) First deploy your webdynpro application in porta using SDM password. Hope you alreadsy done this.
  2) Create an WEbdynpro iview based on your application. for this
  Go to Content administration -> portal content
  3) After that create a role  and assgin your webdynpro iview to that role. (you can also create a page and then assign your iview to that page and page to workset  and workset to role. This is the standard way and also optional. Search in SDN about these basic topics). Make the role 'entry point' property as yes.
  3) then go to User Administration-> Identity management.  There you can selct role in the drip down and search for your role and assign this role to the end users.
  It is very simple and there lof of helpful documents in help.sap.com. Just go and search.
  Raghu

• Deletion of mass roles from GRC CUP 5.3

  Dear All,
  I have requirement to delete 1000 roles from GRC CUP 5.3.
  I can see option to delete the roles individually under "search role" option but I am not able to find option to delete mass roles.
  Please advice.
  Regards
  Trinadh Bokka

  Hello Trinadh,
  It is not possible to delete all the roles at once through the User Interface. However, you can select a lot of roles at the same time by searching for a role pattern. For example, retrieve all roles starting with Z*:
  Hope it helps,
  Fernando

• ORA-00439 error while Creating Roles

  Hi All,
  I am using Oracle 10.2.0.3. When I am trying to create role for ex: :"create role rolename identied globally" I am getting ORA-00439 Error. When I search in v$option view, almost all the values are disabled. Can anybody pls. let me know how to enable the features in v$option or the solution for the above error code.
  Appreciate your earlier response.
  Bhanu.

  I don't have much exposure to the feature,
  you can check Oracle document Configuring Enterprise User Security for Password Authentication
  Are you sure you want to use this feature? or you could just create the role identified externally instead of globally.

• TIPS(42) : SCRIPT FOR CREATING ROLES

  제품 : SQL*PLUS
  작성날짜 : 1997-02-10
  TIPS(42) : SCRIPT FOR CREATING ROLES
  ====================================
  REM
  REM SCRIPT FOR CREATING ROLES
  REM
  REM This script must be run by a user with the DBA role.
  REM
  REM This script is intended to run with Oracle7.
  REM
  REM Running this script will in turn create a script to build all the roles
  REM in the database. This created file, create_roles.sql, can be run
  REM by any user with the DBA role or with the 'CREATE ROLE' system privilege.
  REM
  REM Since it is not possible to create a role under a specific schema, it is
  REM essential that the original creator be granted 'ADMIN' option to the role.
  REM Therefore, such grants will be made at the end of the create_roles.sql
  REM script. Since it is not possible to distinguish the creator from someone
  REM who was simply granted 'WITH ADMIN OPTION', all grants will be spooled.
  REM In addition, the user who creates the role is automatically granted
  REM 'ADMIN' option on the role, therefore, if this script is run a second
  REM time, this user will also be granted 'ADMIN' on all the roles. You must
  REM explicitly revoke 'ADMIN OPTION' from this user to prevent this from
  REM happening.
  REM
  REM NOTE: This script will not capture the create or grant on the Oracle
  REM predefined roles, CONNECT, RESOURCE, DBA, EXP_FULL_DATABASE, or
  REM IMP_FULL_DATABASE.
  REM
  REM Only preliminary testing of this script was performed. Be sure to test
  REM it completely before relying on it.
  REM
  set verify off
  set feedback off
  set termout off
  set echo off
  set pagesize 0
  set termout on
  select 'Creating role build script...' from dual;
  set termout off
  spool create_roles.sql
  select 'CREATE ROLE ' || lower(role) || ' NOT IDENTIFIED;'
  from sys.dba_roles
  where role not in ('CONNECT','RESOURCE','DBA', 'EXP_FULL_DATABASE',
  'IMP_FULL_DATABASE')
  and password_required='NO'
  select 'CREATE ROLE ' || lower(role) || ' IDENTIFIED BY VALUES ' ||
  '''' || password || '''' || ';'
  from sys.dba_roles, sys.user$
  where role not in ('CONNECT','RESOURCE','DBA', 'EXP_FULL_DATABASE',
  'IMP_FULL_DATABASE')
  and password_required='YES' and
  dba_roles.role=user$.name
  and user$.type=0
  select 'GRANT ' || lower(granted_role) || ' TO ' || lower(grantee) ||
  ' WITH ADMIN OPTION;'
  from sys.dba_role_privs
  where admin_option='YES'
  and granted_role not in ('CONNECT','RESOURCE','DBA', 'EXP_FULL_DATABASE',
  'IMP_FULL_DATABASE')
  order by grantee
  spool off
  exit
  REM ---------------------------------------------------------------------------

  One thing that stands out as being undesirable as far as best practices go is that you are placing code on objects (using the on() approach).  The proper approach is to assign instance names to your interactive objects and use them to place all of your code on the timeline where it is readily visible.  In doing so you may just find that alot of the code you show can be modularized into functions that can be shared by different objects rather than having each one carrying a full load on its back. You may find you can pass arguments to shared functions that make the same functions capable of supporting interactions with different objects
  Your on(press) call performs an unnecessary conditional test.  If you change the condition to be   if (project._currentframe != 25) you can avoid this.
  In your on(rollOver) call's set of conditionals, you have some lines that repeat in each condition, so they can be moved to the end outside the conditionals.
  Your on(release) call has the same issue as your on(press) call.  Also the overrun use of the _parent target is an indication that most of the code in this call would likely serve you better sitting in the _parent timeline, and your button could just call that function

• Unable to create a request in CUP

  Hi All,
  We are unable to create a request in CUP 5.3.We have created the "Number Range" and it is activated. Workflow path is looking fine.
  The strange thing is I am not getting any error message after submitting the request.
  Please let me know the possible causes of this.
  Regards,
  Rakesh Narne

  Rakesh,
     What message do you get? There has to be some message. If you are not receiving any message then you might not have uploaded the .xml files into CUP. CUP comes with some initial data in the form of xml files and you need to import these files into CUP before using the tool.
  Without error message or some kind of long information, we won't be able to help you.
  Regards,
  Alpesh