Migrate or Upload BI Roles to Portal Roles

Similar Messages

• J2EE roles vs Portal roles vs ABAP roles

  (I also posted this on portal implementation, but i hope i receive more reactions here )
  Dear all,
  I have a question about the information on the following link:
  http://help.sap.com/saphelp_nw2004s/helpdata/en/4c/6c0f40763f1e07e10000000a1550b0/content.htm
  It says the following:
  "These functions are intended to assign users and their assigned portal roles a corresponding role in the SAP System. This corresponding role (authorization role) contains the authorizations needed to execute certain functions from the portal."
  1. These "...certain functions..." they talk about, can someome give an example of these functions?
  2. Is it possible for example to create a role in the portal that gives a user authorisation for starting transaction SE80 in the backend system? Without making the role in the backend first and uploading it to the portal.
  3. It's also possible to upload ABAP roles to the portal. Is the main reason for this that users can see their SAP menu (or part of it) in the portal? Or does this have other advantages too?
  4. I'm very confused about the relation between J2EE roles, portal roles and ABAP roles. Is it possible to manage the roles for a user in one place, without having to do certain actions in the portal AND the backend system?
  From what I've read on help.sap.com, you always need to do certain actions in both places.
  A possible approach is the following (from what i know): Creation of roles in the R/3 system, without assigning to users. From a webdynpro application, a user can then be created and roles can be assigned: portal roles (via some API) and R/3 roles (via BAPIs).
  I hope someone can give a bit information on this issue. I've done alot of reading on help.sap.com, but it's still an abstract issue for me.
  Kind regards,
  Joren

  Hi Jorem
  Re: point 3. I don't build portal roles through this mechanism as I don't believe in replicating the SAP easy access menu inside the portal. If there are some specific functions (transactions) that I want to run inside the portal, then I might use this mechanism to build the iViews once. I would rather start an iView that runs transaction SMEN and let the user see their regular easy access menu.
  Please note that the speed of executing transactions in the portal isn't a function of the portal, but the fact that you are using ITS, for example, to web enable the transaction...
  Re: point 4. Groups are a UME concept. They have nothign to do with ABAP groups. They can be created directly in UME through user administration functions, or they can be created in the LDAP and then they are visible in the portal. If the UME points to an ABAP system, then the ABAP roles are autoamtcially visible as UME groups. Groups created in the UME need to have the members assigned through user admin functions of the Java engine. Groups stored in LDAP are maintained using LDAP admin tools. There are upload utilities that allow you to maintain LDAP users and groups through text files. Google LDIF for more details.
  Roles on the portal need to be built in the portal contetn directory. As Michael mentioned, this can be automated by the use of the role upload function built into the portal.

• Is there a way to automatically map CRM Roles to Portal Roles

  <b>Scenario:</b>
  When a new user registers on our portal he is assigned a CRM Role, however, he still needs to be assigned a Portal Role. Since we will have many users registering through our portal we do not want to assign roles to users manually. We want this to be an automated process, which requires almost no administration after the initial configuration.
  <b>Solution we are looking for:</b>
  Ideally we would like to do some configuration on the Portal side that would some how pull roles from CRM user store and map them on to appropriate Portal roles. In our case the reverse would also be ok as well, i.e. we do some configuration on the CRM side that would push the appropriate role to the Portal and do the Portal Role assignment.
  Does anyone know how to do this? I am very new to portals so a detailed explanation would be very helpful.
  Thanks for all the help!
  Muhammad Osman Yousuf

  No, the portal role will not be the same for the same CRM Role.
  So for example...
  On the CRM side we have CRM_ROLE_A, CRM_ROLE_B, and CRM_ROLE_C and on the Portal sider we have PORTAL_ROLE_A and PORTAL_ROLE_B.
  All mappings given are possible...
  CRM_ROLE_A = PORTAL_ROLE_A
  CRM_ROLE_B = PORTAL_ROLE_A and PORTAL_ROLE_B
  CRM_ROLE_C = PORTAL_ROLE_B
  The solution you mentioned, will it work with the above mappings?
  Thanks for all the help!
  Muhammad Osman Yousuf

• Link ECC roles to Portal roles (Portal is using LDAP source for UME)

  Hi all,
  If a user is assigned a certain ECC ABAP role, they should also receive a related portal role.  Our portal is using LDAP.
  If our portal ume source was an ABAP system, I think it would be easy to achieve the ECC to ABAP role linkage.
  We were thinking of developing a UME java webservice and have an ABAP proxy class consume it to allow our abap system to assign the correct portal role, and delete the portal role.
  Any other ideas?

  Rajendra,
  Thx for your reply.  Can you provide any more details as to the design of your solution with the web service?  We are thinking of running a batch job nightly with a some mapping table in ECC to determine what ABAP role should link to the portal group then call the webservice to add the user to the portal group or delete the user from the portal group. 
  A second question is...does SAP Identity Manager offer any solution for this type of requirement?
  Thanks

• Can anyone help me understanding the links between Launchpad roles, PFCG roles, and portal roles!?!

  Hi experts,
  I am looking at the newer EhP5 and EhP6 functionality for ESS and MSS, specifically the WD ABAP portal applications.  I've turned on all the business functions and services I think our team wants, however I'm confused on how to move forward in using them.  For a little tech info, we are on EhP6 for the backend, but our portal is 7.02.
  My first step was to assign the com.sap.pct.erp.ess.wda.Employee_Self_Service_WDA portal role to our test ESS user group in our sandbox environment.  The ESS user got a new ESS tab in the portal and it's linked to the Launchpad role ESS, Instance MENU.  I'm comfortable with ESS at this point, still need to learn more about customizing the menu for different employee groups without creating additional Launchpad or SAP roles.
  Question 1: Correct me if I'm wrong, but is the Launchpad roll ESS, instance menu linked to the PFCG role SAP_EMPLOYEE_ESS_WDA_2?
  Next, I was looking to see if there was a similar portal role for MSS, but it seems I can't find one.  I implemented the MSS Addon 1.0 for ABAP and the portal and got a new MSS portal addon role, but it doesn't seem to be connected to any MSS Launchpad role.
  Question 2: Is there a portal role to assign to users/groups that is linked to one of the MSS Launchpad roles? If yes, what business function or service is it a part of?
  I'd like to use of the existing MSS Launchpad role to test some of the new portal functionality, but I'm not sure how to do it.
  Question 3: How is a Launchpad role assigned to a SAP role in PFCG?  Anyone have some documentation they can point me too?
  Kind regards,
  Garrett Meredith

  Thank you Samuli, this was very helpful in connecting many of the pieces.
  For now I have a very good understanding of how the new ESS is controlled and modified.
  It appears that FPM_LAUNCHPAD_UIBB could be used to develop a similar component to call a custom launchpad role for MSS containing a customized list of WDA applications.
  Is a MSS Launchpad a good way to pursue since we use a SAP enterprise portal?
  I found a PAOC_MSS package containing other MSS embedded packages.
  Could I use one of the embedded packages in there and by creating a Component configuration in the FPM_LAUNCHPAD_UIBB for one of the MSS WD applications?
  Based on the documentation link above, PFCG roles are for NWBC HTML or Desktop versions.
  Kind regards,
  Garrett

• CRM Portal Role Copier

  Anybody used this tool?
  A portal role is linked to a backend single role.  SAP ships several standard portal roles / backend single roles specific to CRM.
  Since the CRM Portal Roles hyperlink between several portal iViews / PCUI applications within the Portal (this is setup in the backend on tables crmc_prt_role_mo & crmc_prt_role_rl).  To make things easier there is a role copied on the Portal (crm admin role)
  But I've tried using this by copying a crm backend single role and portal role that exists to a new single backend crm role and portal role.  So far hasn't work
  The documentation says make sure the single role and portal role exists - are they talking about the destination role?
  Also mentions addition to desitnation role field - what's this?

  To keep it clear ,using role copier copy CRM backend role to custom role whatever created on portal .Once portal role is generated assign that to user profile to get the object links .
  Thanks,
  Thirumala.

• Role Mapping For Portal Role Assignment and ABAP Role Assignment

  Summary:
  - Under the GRC configuration of Roles> Role Mapping we are trying to utilize the  role mapping feature in GRC for associating a dependent role to a main role.
  - We want to use this role mapping feature for the purposes of adding an Enterprise Portal role for every ABAP role that gets approved for the user in an ABAP component system (i.e. ECC, BW, CRM etc). We will have a 1:1 mapping of Enterprise Portal role to ABAP role defined in the role mapping section in GRC.
  - We want to set up the workflow in such a way that the main role (ABAP role) is the only role that needs to be approved. The dependent role (Enterprise Portal role) should be added or not added based on the approval or denial of the main role (ABAP role). In other words if the role owner for the abap role approves the abap role, then both the abap and EP role will be provisioned by GRC and if the role owner rejects/denies the role, then neither the abap or EP role will be provisioned by GRC.
  Problem Description:
  Our Scenarios we tested:
  Scenario 1:
  Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
  Dependent Role:  Attached to Initiator B & workflow B (routes to auto approval or no approval)
  *Problem with the Scenario 1setup above, the dependent role will always get approved & provisioned regardless of the approval or denial of the main role. 
  Scenario 2:
  Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
  Dependent Role:  Attached to Initiator A & workflow A(routes to single approver (same as main approver) based on role)
  *Problem with the Scenario 2 setup above, the dependent role will always also need to get approved by the same approver as main role and it opens the possibility that the approver may accidently approve the main role and deny the dependent role, which is not the ideal setup as we inherit the risk of human error.
  Questions:
  1. Does the dependent role need to be defined in an initiator at all since it will never directly be requested directly?
  2.  If the dependent role does need to be in the initiator file, please describe how to properly setup the initiator and workflow stage & path so that we can maintain the desired relationship with the main role approval dependency? (if the role owner for the main role approves the main role, then both the main role and dependent role will be provisioned by GRC and if the role owner rejects/denies the main role, then neither the main role or depedent role will be provisioned by GRC
  Edited by: Rene Griffith on Feb 26, 2010 10:22 PM

  I tested this set up.
  1.  Defined ABAP role as Manin role
  2.  Defined Non-ABAP role as dependednt role
  3. ABAP role  is set up in initiator requiring business approval.
  4.  Non-ABAP role is set up in initiator with no approval required.
  Results Where Business Approver approves the ABAP Role
  1. Only the ABAP role is displayed in approver view which is desirable.
  2.  ABAP role is approved and Non-ABAP role and ABAP role is provisioned.
  Results Where Business Approver rejects the ABAP Role
  1. Only the ABAP role is displayed in approver view which is desirable.
  2.  ABAP role is rejected but  Non-ABAP role is provisioned which is not what we want.  We want the Non-ABAP role not to provision if the ABAP role is rejected by the business approval.
  Thanks again for your help.

• ABAP roles v/s Portal Roles

  Hi All,
  Currently I was going through  EP security docs where I came across this
  "An important difference between ABAP roles and Portal roles is that in the portal,no authorizations are defined for the backend application itself. This must still be
  done within the backend applications (for example, mySAP ERP)."
  Can somebody plz explain me this..
  Would also like to know more difference  between ECC and EP security,
  Thanks,
  Ajit

  Hi Ajit,
  I have been looking into this for some time as well, but am still not sure of some things myself nor which scenarios fit best to which security aspects.
  My understanding is that it depends on how the portal is connecting to the backend.
  If the portal user is the backend user, then the portal role is just a permission to click on things in the portal. The portal roles are mapped to the backend roles in the ABAP system (so you can, and need to, define what that portal role can infact do when the portal user "clicks" in the backend, using the backend roles of the same backend user context).
  If the portal user is not the backend user (i.e. it is a system service for generic access to the backend), then you should restrict the backend access to the bare minimum of that service and control the security in the portal application (the calling application) as the backend user context is not the same.
  So it is a "design" answer as well...
  There are a few good posts about this if you use the search. If you find a good one, then please link it here so that others who use the search and follow up on their questions can use it as well.
  At the top of the forum, there is a sticky thread on FAQs and other usefull discussions. Sadly, portal security does not have any links yet, so if you find a good one then let me know.
  Cheers,
  Julius

• Portal Roles (ABAP & JAVA)

  Hi,
  We are planning to go for a portal implementation for our BW reports..
  I had a few questions with regards to the roles (BW & Portal) or (ABAP & JAVA)
  Question 1:
  I want a single place (BW) where I can assign all the roles (BI & Portal) to users, so when ever a user account has to be createu2026the support team will create it BW System and assign all the relevant roles in BI system
  If YESu2026then how can I move the Navigational Role in portal (Role in which we publish iviews) that I created in portal to BW.
  And also
  How can I create a JAVA role in BW so that that role can be assigned to user and his portal options will be updated..
  Thanks

  Hi
  Thanks for all the updates.
  Few questions
  How can i know Which user repository is my portal system connected to ? (LDAP or ABAP datasource)
  and
  If you have configured your BW system as the ume datasource for your portal - then your backend roles in BW will show up in portal as Groups. You may choose to assign your portal roles to these groups.
  In BW if i assigned a Composite role to a user ...will it show as a group in portal and
  As my requirment is to single place to create user either in portal or BW....if BW user roles are avaliable in portal as groups...
  Can i insted of create a user account in BW and come to portal and assign portal roles to the user or user group to get portal previliges
  Can i create user account in portal and assing the user to the corresponding groups in portal....will this action will create a user account in BW as well
  Thanks

• Mapping SAP R3 role to EP role for WD ABAP Application

  Hi,
  I have a WD ABAP application which uses POWL component.
  I have assigned this application to a role in SAP R3 system.
  Now, I have created an iview in portal for this WD ABAP application.
  I want to map this SAP R/3 role to Portal Role so that only people having that role can see the application on portal.
  How do I handle this?
  Thanks and regards,
  Amey

  Hi,
  Scenario 1:
  You need to maintain 2 roles one from Portal and one from R/3
  On the portal end:
  Assign the role which have the WDA application to all the users who should have access.
  On the R/3 end:
  Assign the R/3 role which you have created to access the WDA application to all the users for whom you have added the Portal Role.
  Scenario 2:
  If using CUA (Central User Administration) as UME for Portal and also R/3 then you can maintain the roles from one place that is from CUA.
  You create a role in CUA and this role is shown as group in Portal now add the Portal role to the group or the CUA role.
  And create another role which gives access to the WDA application. Now add these 2 roles to all the users who are supposed to have access to the application.
  Hope this helps.
  Cheers-
  Pramod

• Mass upload of Portal roles

  Hi,
  I need to upload ESS and MSS roles to all my uesrs at one go.
  I have created all the users but now wanna assign only roles and group.
  Please guide for template or where can i do this mass upload.
  Regards,
  Brijesh Kumar
  do not put email addresses in your posts*
  Edited by: Michael Nicholls on Mar 16, 2009 10:37 PM

  Hi,
  I want to upload Portal roles ess and mss to all my 150 user id's at one go. for that i need a way out, can it be possible through a BDC or any format so that can be impoerted directly.

• How to programmatically upload roles to Portals.

  How can we programmatically upload roles from CUA to Portal. Are there any BAPI's or any other methods that we can use to accomplish this. We currently have a program that runs as a job every night to create users and assigns them roles in R/3, EBP and WP systems and we would it to do the same thing for portals.
  Any ideas/suggestions will be greatly appreciated.
  Thanks.

  Marek,
  Thank you very much for your guidance. We are still stuck, we checked the configuration and it's set to SAP system but we don't see any R/3 roles in portals. Can you give us a little more details on:
  1). Are there any specific entries in dataSourceConfiguration_r3_roles_db.xml file that would need to be changed?
  2). Do we have to create roles in R/3 any differently in order for them to appear as groups in portal? Should these roles be created in ABAP side of Portal client or in R/3 client. Also, Where do these roles appear as groups in portal(path to get to those groups).
  Any ideas/suggestions will be greatly appreciated.
  Regards
  Aurang

• Unhandled exception for uploading BW roles into portal

  Hi experts:
  I  got the following warning in the log viewer when I uploade 2 BW roles, ZB_SAP_BW_DEVELOPER
  ZB_SAP_BW_WEB_ADMINISTRATOR, into portal (7.3). They are copies of the standard SAP roles.  I succcessfully uploaded other BI roles. These are the only ones that can not be uploaded. There is no error on the portal. Upload completed 100% but these 2 roles are not in the uploaded role list.  I checked sm12 and they are not locked. Wonder if anyone has had the same issue and solution?
  Log viewer warning:
  The following unhandled exception: [java.lang.NullPointerException: while trying to load from an object array loaded from local variable 'templateUrlArr'] was detected in [Thread[RoleUpload_1312911561066,5,Dedicated_Application_Thread]]
  Thanks

  Hi Tiberiu,
  I am also getting the same while uploading the BW 3.5 role to Portal 6.0, Role gets created but iviews throws the same error as you are getting.
  Please help if you have found the solution for the problem.
  Thanks in advance.
  Bhuvnesh Goel

• Upload BI roles into Portal

  Hi Everybody,
  Cud i know how to upload BI roles into portal?
  Thanks in advance.
  Regards,
  lina

  Hi Lina,
  Checkout the below:
  1) Upload of Roles from ABAP-Based Systems
  http://help.sap.com/saphelp_nw04/helpdata/en/41/5e4d40ecf00272e10000000a155106/frameset.htm
  2) Integration Using Role Upload (You can integrate BI content into the portal using the role upload function.)
  http://help.sap.com/saphelp_nw04s/helpdata/en/9d/8c174082fe1961e10000000a155106/frameset.htm
  Hope that helps and award points for helpful suggestions.
  Ray

• How to upload ABAP roles in Portal 6.0 N/W ABAP + Java

  Hi ,
  I have portal 6.0. How can i see the ABAP roles in portal. I know there is some backend system need to configured. please write step by step. I can create users in portal which is replicated in ABAP.
  i have gone thru some forums but did not get the answer.
  Regards
  Atul-

  Thanks for your reply... I am new to Portal. the document you sent me I did not understand where to configured backend system. please let me know where do I configured below information in portal
  When you create a system with a connection to an ABAP-based backend system, you must maintain at least the following property categories and properties:
  Property Category
  Property
  Connector
  Group;
  Logical System Name, e.g. QWACLNT100;
  Message Server;
  SAP Client;
  Message Server;
  SAP System ID
  User Management
  Logon method
  User mapping type (if you want to take advantage of user mapping)
  Internet Transaction Server (ITS)
  ITS Description, e.g. qwa_its
  ITS Host Name
  ITS Path
  ITS Protocol  
  Appreciate for your reply...
  Regards
  Atul