Portal Roles (ABAP & JAVA)

Similar Messages

• Portal in ABAP+Java Add-in WAS

  <b>Hi There,</b>
  I'm evaluating a possibility of a implementation of SAP EP 6.0 SP 11 in an WAS 6.40 ABAP+Java Add-in some peoples have spoken for me that still have problems with this implementation. Do you can help me with your experiences!?
  <i>Regards;</i>
  Carlos Motta

  Hi
  Which kinds of problems?
  We have installed an EP 6.0 SP12 in a java add-in without any installation problems at all...  so again: Which kinds of problems have you heard of?
  We are not using the portal yet, som of cause problems can arise that we haven't seen yet.
  I can think of one issue, namely that when installing on a java add-in the the uset store configuration is set to R3 (abap stack) and it it not supportet to change this to i.e. LDAP after the installation (installing EP on a Java standalone uses "database", which can be change for LDAP)
  BR
  Tom Bo

• Abap+java stack, users not mapping to portal role.

  We have the ABAP+java add-on install.
  The UME is by default ABAP engine.
  From Portal:
  1 I create a portal user, it ALWAYS creates ABAP user in ABAP stack of WAS.
  2. I create a portal role, it creates a role in the Portal.
  3. When I assign the user this portal role,
  having worksets and pages,
  I get no pages or worksets shown in the portal page as soon
  user logs in.
  Can you help configure this so that I could see the pages and iviews inside this workset when user logs in.
  Thanks  a lot.
  PS:  posted this in webdynpro-ABAP.  no reply came.  Sorry to double post.

  Hi Mike,
  can you check into your WorkSet (or Pages) if you have setting up the <b>Entry Point</b> flag?
  PS: Award points for good answers.
  Best regards,
  Gianluca Barile

• Abap+java abap-user and portal-role PROBLEM?? help

  We have the ABAP+java add-on install.
  The UME is by default ABAP engine.
  From Portal:
  1 I create a portal user, it ALWAYS creates ABAP user in ABAP engine.
  2. I create a portal role, it creates a role in the Portal.
  3. When I assign the user this portal role,
  having worksets and pages,
  I get no pages or worksets shown in the portal page as soon
  user logs in.
  Can you help configure this so that I could see the pages and iviews inside this workset when user logs in.
  Thanks  a lot.

  Hi Mike,
  You did right,
  Just check the Entry Point Property of your iView, page and workset to YES
  there are two radio buttons yes and no select the yes one,
  you can see your pages afte rlogin with the new user.
  Regards
  Abhimanyu L

• J2EE roles vs Portal roles vs ABAP roles

  (I also posted this on portal implementation, but i hope i receive more reactions here )
  Dear all,
  I have a question about the information on the following link:
  http://help.sap.com/saphelp_nw2004s/helpdata/en/4c/6c0f40763f1e07e10000000a1550b0/content.htm
  It says the following:
  "These functions are intended to assign users and their assigned portal roles a corresponding role in the SAP System. This corresponding role (authorization role) contains the authorizations needed to execute certain functions from the portal."
  1. These "...certain functions..." they talk about, can someome give an example of these functions?
  2. Is it possible for example to create a role in the portal that gives a user authorisation for starting transaction SE80 in the backend system? Without making the role in the backend first and uploading it to the portal.
  3. It's also possible to upload ABAP roles to the portal. Is the main reason for this that users can see their SAP menu (or part of it) in the portal? Or does this have other advantages too?
  4. I'm very confused about the relation between J2EE roles, portal roles and ABAP roles. Is it possible to manage the roles for a user in one place, without having to do certain actions in the portal AND the backend system?
  From what I've read on help.sap.com, you always need to do certain actions in both places.
  A possible approach is the following (from what i know): Creation of roles in the R/3 system, without assigning to users. From a webdynpro application, a user can then be created and roles can be assigned: portal roles (via some API) and R/3 roles (via BAPIs).
  I hope someone can give a bit information on this issue. I've done alot of reading on help.sap.com, but it's still an abstract issue for me.
  Kind regards,
  Joren

  Hi Jorem
  Re: point 3. I don't build portal roles through this mechanism as I don't believe in replicating the SAP easy access menu inside the portal. If there are some specific functions (transactions) that I want to run inside the portal, then I might use this mechanism to build the iViews once. I would rather start an iView that runs transaction SMEN and let the user see their regular easy access menu.
  Please note that the speed of executing transactions in the portal isn't a function of the portal, but the fact that you are using ITS, for example, to web enable the transaction...
  Re: point 4. Groups are a UME concept. They have nothign to do with ABAP groups. They can be created directly in UME through user administration functions, or they can be created in the LDAP and then they are visible in the portal. If the UME points to an ABAP system, then the ABAP roles are autoamtcially visible as UME groups. Groups created in the UME need to have the members assigned through user admin functions of the Java engine. Groups stored in LDAP are maintained using LDAP admin tools. There are upload utilities that allow you to maintain LDAP users and groups through text files. Google LDIF for more details.
  Roles on the portal need to be built in the portal contetn directory. As Michael mentioned, this can be automated by the use of the role upload function built into the portal.

• J2EE_ADMIN has no Port Role in ABAP+JAVA stacks system

  I installed 2004s BI IDES SR2 with ABAP+JAVA on Win 2003 + Oracle, default client 800.
  I find the J2EE runs fine, I can log into SDM, configtools. And I can launch
  http://host:50000/index and http://host:50000/irj/portal, which mean the portal is up.
  But with http:host:50000/index.html, I can't goto http://host:50000/useradmin, nor http://host:50000/nwa
  The error message is:
  Application cannot be started.
  Details:        com.sap.engine.services.deploy.container.ExceptionInfo: Naming error.
  with http://host:50000/irj/portal, both j2ee_admin and sap* can log in, but without any portal role. Thus
  only logoff link available, and I can't do anything else.
  I read through all the related post and can't figure out a way to assign the portal role to j2ee_admin or create additional portal user, anyone can help my situation.
  I also can not log into Visual Admin with j2ee_admin, connect error:
  Error while connecting
  com.sap.engine.services.jmx.exception.JmxSecurityException: Caller J2EE_ADMIN not authorized, only role administrators is allowed to access JMX
  (which I checked sap_j2ee_admin role is green on su01 role tab with correct valid period.)
  what should I do?
  Thanks

  Thanks for prompt reply, Debasis.
  Could you please elaborate the steps I need to take? Thanks.
  eg. how do I "Assign a user a role that has the permission for the UME action JMX.JmxManageAll"
  I don't have any portal tools working properly yet, I don't have useradmin, and I don't have nwa. I don't even have visual admin. Everything I do in ABAP, pfcg, su01, seems have no effect to those portal functionalities.
  The fact that I enable emergency sap* from configtool also doesn't make useradmin / nwa work...
  Any idea? Thank you.

• How to create Roles in UME (ABAP+JAVA stack)

  Hi,
  I have created roles earlier on JAVA stack alone. However, this time I am working on JAVA+ABAP stack. When I am trying to create role in UME, I am getting only two tabs:
  General Information
  Assigned Groups
  I am not getting Assinged Actions tab here.How do I assing actions ?
  Can any one please help me in creating roles in ABAP+JAVA stack.
  That would be  a great help!
  Regards
  Faisal

  HI Faisal,
  When ABAP is the UME, you can only edit users / groups that are J2EE only. Any group that is defined in ABAP is read-only for the Java Server to prevent conflicts (there is no synchronization) and has to be changed in ABAP.
  Please take a look at this link, which has a great graphic describing this.
  http://help.sap.com/saphelp_nw04s/helpdata/en/7c/36dcd59865b246b993c471199ba37a/content.htm
  So, if the Java group was created in ABAP, the ABAP user has to have the ABAP role assigned to him, so that he is in the group on the Java server. make sense? The graphic in the link above really explains it well I think.
  If you a new / custom Java group (not in ABAP) then you should be able to assign users to it from the Java server.

• Abap+java stack for Portal 7.0 and MI - User Data Source

  The SAP pre-requisites for Portal and MI (Mobile Infrastructure) 7.0 is an ABAP and Java Stack. If you install an AS ABAP + Java, the UME is automatically set up to use the ABAP user management of the same AS installation. What does this mean? The user store will be created in ABAP, for both the Portal and MI.
  The impact of this is portal users management is in ABAP. This configuration by design cannot be connected to LDAP Active directory for user authentication.
  Please let me know , if some body had already face similar issue and come up with the solution.  Thanks in advance.

  Hi Surya ,
  When you install portal or any NW component with ABAP stack , ABAP stack hold precidence over the JAVA Stack , refer to this link to have more idea on this .
  http://help.sap.com/saphelp_nw2004s/helpdata/en/2b/306bb5bc98f24f8a85d489449af456/frameset.htm--
  http://help.sap.com/saphelp_nw04s/helpdata/en/12/7678123c96814bada2c8632d825443/frameset.htm
  Thanx
  Pankaj

• ABAP+JAVA Portal needs to authenticaticate to LDAP MS active directory

  Hello all,
  i am working on moving a portal from a NW04 (java standalone) to a NW 7.0 EHP1 sp3 ABAP+JAVA.
  in the source system i have UME setup to authenticate against an LDAP MS AD. In the target system this option does not seem to be available due to the fact that when the xml file is changed to "dataSourceConfiguration_ads_readonly_db.xml" for the LDAP the system cannot find the users in ABAP. i understand that i will have to setup this connection through ABAP but i could only find sync instructions with AD Link: [http://help.sap.com/saphelp_nw04s/helpdata/en/e6/0bfa3823e5d841e10000000a11402f/frameset.htm]
  i only require a one way authentication from my portal to AD.
  is there a way to get this working through ABAP or have the JAVA side UME be able to authenticate and add users from AD so they may gain access?
  your help is appreciated.
  Regards,
  Joe

  Hi all!
  the issue is that i am ussing the dataSourceConfiguration_abap.xml. when this is picked in the configtool it will not give you the option to change dataSourceConfiguration to anything else and the LDAP tab is not displayed in portal.my end result would probably be a way to use mixed authentication where ABAP and LDAP will be used as authentications sources. in my current portal system i am ussing the ADS readonly dataSourceConfiguration which lets me read from the java DB users and LDAP.

• Accessing portal roles in webdynpro for java

  Hi,
  Please let me know how to access portal roles in webdynpro for java.
  Rgds,
  Patana

  Hi ,
  Please use this API to access the portal roles:
  IRoleFactory fact=UMFactory.getRoleFactory();
  Also see this code to get more information of role using code:
  IRoleFactory rolef=UMFactory.getRoleFactory();
  IRoleSearchFilter searchfilterrole= rolef.getRoleSearchFilter();
  ISearchResult searchResult = rolef.searchRoles(searchfilterrole);
  while(searchResult.hasNext())
  String unq=(String) searchResult.next();
  IRole role1=rolef.getRole(unq);
  String roleName = role1.getDisplayName();
  String roleID = role1.getUniqueID();
  // Once you get the informationof role you can use it in your application as per your requirement.
  Also please note that:
  You should add "com.sap.security.api.jar" to your project`s java build path for getting the Portal Security API's.
  I hope this solves the problem. Please revert back incase you need any further informationon this.
  Thanks and Regards,
  Pravesh

• Role Mapping For Portal Role Assignment and ABAP Role Assignment

  Summary:
  - Under the GRC configuration of Roles> Role Mapping we are trying to utilize the  role mapping feature in GRC for associating a dependent role to a main role.
  - We want to use this role mapping feature for the purposes of adding an Enterprise Portal role for every ABAP role that gets approved for the user in an ABAP component system (i.e. ECC, BW, CRM etc). We will have a 1:1 mapping of Enterprise Portal role to ABAP role defined in the role mapping section in GRC.
  - We want to set up the workflow in such a way that the main role (ABAP role) is the only role that needs to be approved. The dependent role (Enterprise Portal role) should be added or not added based on the approval or denial of the main role (ABAP role). In other words if the role owner for the abap role approves the abap role, then both the abap and EP role will be provisioned by GRC and if the role owner rejects/denies the role, then neither the abap or EP role will be provisioned by GRC.
  Problem Description:
  Our Scenarios we tested:
  Scenario 1:
  Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
  Dependent Role:  Attached to Initiator B & workflow B (routes to auto approval or no approval)
  *Problem with the Scenario 1setup above, the dependent role will always get approved & provisioned regardless of the approval or denial of the main role. 
  Scenario 2:
  Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
  Dependent Role:  Attached to Initiator A & workflow A(routes to single approver (same as main approver) based on role)
  *Problem with the Scenario 2 setup above, the dependent role will always also need to get approved by the same approver as main role and it opens the possibility that the approver may accidently approve the main role and deny the dependent role, which is not the ideal setup as we inherit the risk of human error.
  Questions:
  1. Does the dependent role need to be defined in an initiator at all since it will never directly be requested directly?
  2.  If the dependent role does need to be in the initiator file, please describe how to properly setup the initiator and workflow stage & path so that we can maintain the desired relationship with the main role approval dependency? (if the role owner for the main role approves the main role, then both the main role and dependent role will be provisioned by GRC and if the role owner rejects/denies the main role, then neither the main role or depedent role will be provisioned by GRC
  Edited by: Rene Griffith on Feb 26, 2010 10:22 PM

  I tested this set up.
  1.  Defined ABAP role as Manin role
  2.  Defined Non-ABAP role as dependednt role
  3. ABAP role  is set up in initiator requiring business approval.
  4.  Non-ABAP role is set up in initiator with no approval required.
  Results Where Business Approver approves the ABAP Role
  1. Only the ABAP role is displayed in approver view which is desirable.
  2.  ABAP role is approved and Non-ABAP role and ABAP role is provisioned.
  Results Where Business Approver rejects the ABAP Role
  1. Only the ABAP role is displayed in approver view which is desirable.
  2.  ABAP role is rejected but  Non-ABAP role is provisioned which is not what we want.  We want the Non-ABAP role not to provision if the ABAP role is rejected by the business approval.
  Thanks again for your help.

• ABAP roles v/s Portal Roles

  Hi All,
  Currently I was going through  EP security docs where I came across this
  "An important difference between ABAP roles and Portal roles is that in the portal,no authorizations are defined for the backend application itself. This must still be
  done within the backend applications (for example, mySAP ERP)."
  Can somebody plz explain me this..
  Would also like to know more difference  between ECC and EP security,
  Thanks,
  Ajit

  Hi Ajit,
  I have been looking into this for some time as well, but am still not sure of some things myself nor which scenarios fit best to which security aspects.
  My understanding is that it depends on how the portal is connecting to the backend.
  If the portal user is the backend user, then the portal role is just a permission to click on things in the portal. The portal roles are mapped to the backend roles in the ABAP system (so you can, and need to, define what that portal role can infact do when the portal user "clicks" in the backend, using the backend roles of the same backend user context).
  If the portal user is not the backend user (i.e. it is a system service for generic access to the backend), then you should restrict the backend access to the bare minimum of that service and control the security in the portal application (the calling application) as the backend user context is not the same.
  So it is a "design" answer as well...
  There are a few good posts about this if you use the search. If you find a good one, then please link it here so that others who use the search and follow up on their questions can use it as well.
  At the top of the forum, there is a sticky thread on FAQs and other usefull discussions. Sadly, portal security does not have any links yet, so if you find a good one then let me know.
  Cheers,
  Julius

• Find user SAP Portal role in an abap program

  Dear all,
  We would like to check the SAP Portal role of a Portal user in a R/3 abap program.
  do you know if there is a bapi or a RFC module function to do that ?
  For example : the user CCDEMO (exists in EP and in R/3 backend) has a Buyer Portal role. In an abap program, I would like to have this information.
  Thanks
  kind regards
  Véronique

  Dear all,
  We would like to check the SAP Portal role of a Portal user in a R/3 abap program.
  do you know if there is a bapi or a RFC module function to do that ?
  For example : the user CCDEMO (exists in EP and in R/3 backend) has a Buyer Portal role. In an abap program, I would like to have this information.
  Thanks
  kind regards
  Véronique

• Web Dispatcher configuration (ABAP+Java vs. ABAP+Portal)

  We are using an internal Web Dispatcher to allow the connections from different networks.
  This Webdispatcher entry we add to WAS configuration within Portal system object
  By defintion of ABAP+Java double stack we do not have any problems and the test
  http://webpispatcher:port/sap/bc/ping is successful.
  When we have a ABAP system + Portal (Java) we only can test the connection
  http://webpispatcher:port/
  When we execute the test
  http://webpispatcher:port/sap/bc/ping we get an error, because the url goes to Java stack.
  We also detected that on Web Dispatcher configuration for ABAP+Java we have ABAP and J2EE server groups and  application servers.
  For ABAP+Portal we have only J2EE groups on Web Dispatcher configuration.
  Question:
  Which SAP parameter (e.g. ms/server_port_0, icm/HTTP/j2ee_0) or Web Dispatcher parameter (ms/http_port) is responsible for generation of ABAP groups (e.g. PUBLIC) within Web Dispatcher?

  Which SAP parameter (e.g. ms/server_port_0, icm/HTTP/j2ee_0) or Web Dispatcher parameter (ms/http_port) is responsible for generation of ABAP groups (e.g. PUBLIC) within Web Dispatcher?
  In ABAP the logon group is handled by the ICF. In SICF you specify within the actual services(properties) which logon group that service should use for load balancing. As far as I remember though there is an exception if you are using an "end-to-end" ssl configuration where you can specify the destination logon group using wdisp/HTTPS/dest_logon_group parameter.
  rdisp/mshost is the parameter on your web dispatcher that points to your message server to get a list of available logon groups.
  Nelis

• LSO CP installed on a non Enterprise Portal or ECC (ABAP+JAVA) server

  Hello,
  Has anyone installed the LSO CP on anything besides SAP Enterprise Portal or ECC (ABAP +JAVA)? If so what are the requirements for determining an approprate server for installation. How was this deployed without the use of the JAVA deployment tool? What issues if any did you encounter when performing this installation and deployment?
  Cheers
  Alan

  Hi
  CP needs to be installed on the J2EE engine.
  The URL of the Content Player needs to be specified in the IMG.
  Hope this helps
  Best Regards
  Reddy