Role approver removed from role in GRC

Hello Experts,
I am a fresher to SAP GRC. Please help me on the below issue.
In SAP GRC 5.3, for some roles the role approver has been removed, and some roles were automatically uploaded to GRC. The roles that were uploaded to GRC should not have been, and on checking there is no change log for those roles. For the other roles, for which the role approver has been removed, there is also no log showing which recent approver was removed.
Can you tell me how it happened and who did this, or a way to troubleshoot?
Thanks in advance.
Biswaranjan

Hello Samiran,
Thanks for your reply.
Yes, we have already uploaded the OLD file. But my concern is how we can troubleshoot to find out how it was corrupted, as no one did the change. We can find the change log for the approver change for any role in GRC 5.3.
Or is it not possible to find out how it happened?
Regards,
Biswaranjan

Similar Messages

  • Users are not removed from role using UME API

    Hello,
    I am using this code to remove users from a batch of roles that I have.
    Everything is running OK, no exception is thrown, and at System.out I see all the actions that need to be taken correctly. The problem is that if I go later to one of the roles, the users are still assigned to it. Any idea what I'm doing wrong here?
    try {
        IRoleFactory roles = UMFactory.getRoleFactory();
        IUserFactory users = UMFactory.getUserFactory();
        IRoleSearchFilter filter = roles.getRoleSearchFilter();
        filter.setUniqueName("<My_filter>", ISearchAttribute.LIKE_OPERATOR, false);
        ISearchResult sresult = roles.searchRoles(filter);
        if (sresult.getState() == ISearchResult.SEARCH_RESULT_OK) {
            while (sresult.hasNext()) {
                String id = (String) sresult.next();
                IRole role = UMFactory.getRoleFactory().getMutableRole(id);
                Iterator i = role.getUserMembers(false);
                while (i.hasNext()) {
                    String uid = (String) i.next();
                    IUser user = users.getUser(uid);
                    // Passes the user's unique name to removeUserMember
                    role.removeUserMember(user.getUniqueName());
                    System.out.println("Removed user: " + user.getUniqueName() + " from role: " + role.getDisplayName());
                }
                role.save();
                role.commit();
            }
        }
    } catch (Exception e) {
        manager.reportException(new WDNonFatalException(e), false);
    }

    Solved it!
    It needs the FQDN User ID...

  • NW IDM Role approval based on Role

    Hi there....
    I'm looking at the document: "How to...Create Approval Tasks in SAP NetWeaver Identity Management 7.1"
    I seem to have a slightly different use case than the ones listed.
    In my use case I need the approver to be any one Member of a given IDM role.  Do I need to go through the whole PVO setup or can I just use the approval tab and designate the IDM Role? Or do I just modify one of the existing use cases?
    Thanks,
    Matt

    Kai, I had a chance to look at this over the weekend, good stuff.
    The only problem I have left now is..."philosophical"
    What happens if I need the approval just to pause the process? Here's my use case:
    User created in AD by IDM
    User assigned roles in AD by IDM
    User needs email address which is still handled manually per the business
    User gets welcome email.
    Now I can't send an email until the email address is provisioned. In 7.0 and other IDM projects I have PM'ed, we've put an approval in so that the Email Admin can approve (confirm, really) that the email address has been created.
    I don't necessarily want a role created for this as it would serve no further purpose.  I'm working on an alternative workflow to handle the approval/confirm process, but I'd rather not reinvent the wheel if I can avoid it.
    Thanks!
    Matt

  • OIM 11.1.1.5 BP2 Roles removed from users automatically

    Hi All,
    We are using OIM 11.1.1.5 BP02 and facing issues with event handlers, role membership and access policy. We have a custom post create user handler and a custom user post update event handler. We are creating users through trusted reconciliation by using the EBS Employee Recon connector and provisioning users to AD & Exchange by using the 11.1.1.5 ICF connectors.
    The issue we are seeing is with the roles of the users. The behavior we are seeing is that, on user creates through trusted recon, the users are getting roles correctly and then the resources are assigned correctly, but after some time, the roles are removed from the user. We do not have 'Revoke if no longer applies' on the access policy and thus the resources are appearing fine for the user, but we do not want roles to be removed from the user since the role membership rule criteria still hold good for the user.
    We are seeing this issue only with trusted reconciliation and not when we create users through the UI. Our custom event handlers have the same logic for both the execute methods, with the difference that the bulk execute method is working on the array of identities received from trusted recon while the normal execute method is working on just one identity through the UI.
    We are doing complex computation in the event handlers (and setting multiple fields of the user) and are forced to use the UserManager API to set the fields in the create user handler (following article: 1469286.1); this, we believe, is affecting the ordering of the custom event handler and the OOTB Role ChangeCalculator event handler.
    We have already checked the bugs (14075985 & 14221435) and wanted to confirm if we are hitting the same and/or how we can debug this more. We have already checked the UPA_USR table but that does not tell us why the role is revoked from the user.
    Has anyone faced a similar issue?
    Thanks,
    Bikash

    The patch we were given was 14226386, also called 11.1.1.5.2AK. The readme has the following overview:
    This patch addresses the concurrency issues encountered in 11g R1 PS1 as described below
    1. Unlike in OIM 11g R1 PS1, when a user's role membership changes policy evaluation doesn't
       kick off immediately. Instead the user is flagged for policy evaluation in the future.
       'Evaluate User Policies' scheduled task then triggers policy evaluation for such users.
       The scheduled task ensures that there is only one policy evaluation for a user at any
       given time. So, duplicate accounts or entitlements wouldn't be provisioned to a user.
       With this fix, access policy based provisioning events will be triggered only when
       'Evaluate User Policies' scheduled task runs. Hence, the frequency of this scheduled
       task needs to be tuned for the customer's deployment. The recommendation is to set it to
       10 minutes.
       In addition to binary changes, this fix involves data model and metadata changes as
       described below.
    2. In a custom event handler, use Platform.getServiceForEventHandler() instead of
       Platform.getService() to get a handle to a Service available in OIM before making an API
       call. This ensures that the API completes in its entirety (including any post processing)
       when it returns. Also, this brings in predictability in the order of execution of OIM
       events on the same entity created from one another.
    3. When trusted source reconciliation brings in multiple events on the same user these events
       are processed by OIM sequentially.
    But since then BP03 and BP04 have been released; I would suggest you find out from support whether BP04 has resolved this before applying anything.
    -Kevin

  • Removing a role from a user

    Hi All,
    My requirement is to remove a role from the user so that the resources assigned to that role are deleted once the role is removed from the user. But I am having some trouble removing the role in the workflow.
    I am checking out the view of type User and removing the role from waveset.roles and then checking in the view. I don't see any errors but the role is not getting removed from the user and in turn the end resource is not getting deleted.
    Can anybody post some points on what the correct way is to remove the role from the user in the workflow itself?
    Thanks in advance.

    Thanks for the reply.
    Never mind, actually I managed to solve the issue; there was a mistake in the express code.
    I have one question, can you help me? I am removing a role from a user and, for example, there are 2 resources (A and B) assigned to the role. While removing the role from the user it is deleting the account in both resources A and B, but I don't want to delete the account in resource B. Is there a way to do this?
    I am checking out and checking in the user view and I am using the following code, but it is not working. It is deleting the account from both the resources.
    <set name='delview.update.selectAll'>
      <s>false</s>
    </set>
    <set name='delview.update.accounts.selected'>
      <s>false</s>
    </set>
    <set name='delview.update.accounts[A].selected'>
      <s>true</s>
    </set>
    <remove name='delview.waveset.roles'>
      <ref>myrole</ref>
    </remove>
    Can anybody post some points regarding this issue?
    Thanks

  • Role Mapping For Portal Role Assignment and ABAP Role Assignment

    Summary:
    - Under the GRC configuration of Roles > Role Mapping, we are trying to utilize the role mapping feature in GRC for associating a dependent role to a main role.
    - We want to use this role mapping feature for the purposes of adding an Enterprise Portal role for every ABAP role that gets approved for the user in an ABAP component system (i.e. ECC, BW, CRM etc). We will have a 1:1 mapping of Enterprise Portal role to ABAP role defined in the role mapping section in GRC.
    - We want to set up the workflow in such a way that the main role (ABAP role) is the only role that needs to be approved. The dependent role (Enterprise Portal role) should be added or not added based on the approval or denial of the main role (ABAP role). In other words if the role owner for the abap role approves the abap role, then both the abap and EP role will be provisioned by GRC and if the role owner rejects/denies the role, then neither the abap or EP role will be provisioned by GRC.
    Problem Description:
    Our Scenarios we tested:
    Scenario 1:
    Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
    Dependent Role:  Attached to Initiator B & workflow B (routes to auto approval or no approval)
    *Problem with the Scenario 1 setup above: the dependent role will always get approved & provisioned regardless of the approval or denial of the main role.
    Scenario 2:
    Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
    Dependent Role:  Attached to Initiator A & workflow A (routes to single approver (same as main approver) based on role)
    *Problem with the Scenario 2 setup above: the dependent role will always also need to get approved by the same approver as the main role, and it opens the possibility that the approver may accidentally approve the main role and deny the dependent role, which is not the ideal setup as we inherit the risk of human error.
    Questions:
    1. Does the dependent role need to be defined in an initiator at all, since it will never be requested directly?
    2. If the dependent role does need to be in the initiator file, please describe how to properly set up the initiator and workflow stage & path so that we can maintain the desired relationship with the main role approval dependency (if the role owner for the main role approves the main role, then both the main role and dependent role will be provisioned by GRC, and if the role owner rejects/denies the main role, then neither the main role nor the dependent role will be provisioned by GRC).
    Edited by: Rene Griffith on Feb 26, 2010 10:22 PM

    I tested this setup.
    1. Defined ABAP role as Main role
    2. Defined Non-ABAP role as dependent role
    3. ABAP role is set up in initiator requiring business approval.
    4. Non-ABAP role is set up in initiator with no approval required.
    Results Where Business Approver approves the ABAP Role
    1. Only the ABAP role is displayed in approver view, which is desirable.
    2. ABAP role is approved and both the Non-ABAP role and ABAP role are provisioned.
    Results Where Business Approver rejects the ABAP Role
    1. Only the ABAP role is displayed in approver view, which is desirable.
    2. ABAP role is rejected but Non-ABAP role is provisioned, which is not what we want. We want the Non-ABAP role not to provision if the ABAP role is rejected by the business approval.
    Thanks again for your help.

  • I tried to remove a role from one of my 2012R2 DC's

    I tried to remove a role from one of my 2012R2 DC's and now I basically can't do anything to that DC.  Attempting pretty much anything on it tells me that it can't do it because it needs a reboot, and a reboot fixes nothing.  The role I wanted to delete is removed (print services), but I can't re-add it, or change any other role or feature.  There is a 'pending.xml' file, and it is rather large.  I can't delete, or rename the 'pending.xml' file, as it is owned by 'TrustedInstaller'.  This is the FSMO DC and there are some other services on it that I would rather not have to re-install and reconfigure. I've looked for other things that could prohibit installs and more, but there are no 'Pending Renames' in the registry.
    At least getting server manager to stop complaining would be a good start.
    Thanks in advance for any assistance.

    Hi Mike,
    Just in addition, please run the sfc /scannow command to scan all protected system files and use the Chkdsk command to check the status of the disk in the current drive. Any findings?
    "The role I wanted to delete is removed (print services), but I can't re-add it, or change any other role or feature."
    Just a confirmation, did you mean that you had uninstalled print services successfully? No error occurred? Please check the relevant log files (such as the event log and so on) to see if you find any errors. In addition, I noticed that you attempted to re-install the role. Did you get any error message when it failed to re-install?
    Did you use the Install-WindowsFeature PowerShell command to install? Any difference?
    If any update, please feel free to let us know.
    Hope this helps.
    Best regards,
    Justin Gu

  • How to copy and remove admin Role from SAP_ALL profile

    Hi SDN Experts,
    I need to copy the SAP_ALL profile to another in a CRM 5.0 system; thereafter I need to remove the admin role from the SAP_ALL profile. Can anyone help regarding this point?
    regds
    gcp

    Chandra,
    I saw your post in this forum regarding configuring SAP integration with the Genesys Gplus adapter. We are in need of the same configuration. Can you please help me in configuring SAPphone for the Gplus adapter? Reply to me on [email protected]
    Thanks in advance

  • Role Approver of Removal of Roles

    HI Everyone,
    We are coming across a situation where the management team would like to have the "removed roles" in the access request not require the role approver's approval and review.
    Is there a way that AE allows for this?  I have tested various ways and can only come up with situations where the role approver has to approve removed roles.
    Thoughts?
    Thanks,
    Jerri,

    Hello Jerri,
    For achieving the role deletion without the approver of the role owner, create a different initiator with Request type change and probably some custom attribute and have this initiator configured with a path which has no Role Owner at any of the stages.
    This will have the Request type "role deletion" with no Role Owner required to approve.
    Regards,
    Hersh.

  • Removal of tcode from role

    Hi Experts,
    I need to remove a tcode from a role menu; my requirement is as below.
    I need to go into a role, search for the tcode in the role menu, and if the tcode is present in the role n times then remove that tcode.
    For example, if tcode SU01 is present in the role menu 5 times then I need to remove all these 5 occurrences.
    As of now I have developed a script using SECATT to remove a tcode from a role, but it is a static one, meaning I already know that the tcode is present 3 times, so the script will search for the tcode three times, delete it, generate the profile and come out.
    I want this functionality to be dynamic, i.e. I need to enter the tcode only once in the data input and then the script should remove all occurrences of that tcode from the role.
    Looking forward to expert advice and comments; please let me know if my requirement is not clear.
    Thanks,
    Ashish Mistry

    Hello,
    1. Check the database by writing an ABAP Query.
    2. Get the length of the received data, e.g. the number of records present in the database for your Query.
    3. Now you know the exact number of T-Codes, so you can delete them.
    Regards,
    Bhavesh

  • Removal of T.Code from role

    Hi all,
    I have to remove the T.Code FBRA from all the plant users. There are 40 single roles with T.Code FBRA. How can I remove it at one time, without deleting it individually in each role? Is there any method? Please let me know.
    Thanks & Regards
    Syed..

    Hi Syed,
    Are you using a role which is created by using the standard role?
    Copy the role to a new role, then delete the transaction from the role and assign the user the newly created role. I think this would be one of the possible ways. After that, remove the users from the previous role.
    Please reward points if helpful.
    Regards,
    Vamshi

  • Role Approver Actions-Add, Keep, Remove

    Currently, our role approvers were not able to modify the action (ADD, KEEP, REMOVE).  This field was greyed out and it was passed in by IDM as ADD or REMOVE depending on what the user selected.  We just implemented SP12 for CUP. We noticed that under Workflow>Stage>Change Request Content, if this is set to YES then the approver has the ability to perform the functions below.  1 & 2 are OK.  We reject roles at the role level on the request.  However, we want to disable the ability for the role approver to modify ADD, REMOVE, KEEP in #3.
    1.  Approver can reject
    2.  Approver can modify the Valid State Date and Valid To Dates
    3.  Approver can modify the action and change it to KEEP or REMOVE.  We want to disable this drop-down selection.
    We noticed that if we go to Workflow>Stage>Change Request Content and change the value to No, then the role approver can no longer reject the role.
    Does anyone know how to disable this functionality so that role approvers cannot change the action on the request?

    SAP confirmed that there is no way to turn this feature off if the approver needs to reject at the role level, so this will be a process change we need to implement most likely.  However, it would appear that with the Add Role feature turned on there is a new button called Existing Roles/Groups that is displayed.  The approver can now view the roles assigned in the SAP ABAP back-end without adding new roles, which is very nice in that it is display only.  Thank you for your quick response to my question.
    New question:  Do you know if there is a web service that is used to call this new feature Existing Roles/Groups?  We would like to utilize that for our IDM system to call a web service and display this on the request form.

  • Role removal from Multiple users

    Hi All
    I have a query related to the removal of roles from a user profile.
    I want to delete a particular role from a set of users (say more than 600 users).
    Is it possible with SU10 to remove the role from the users at a stretch, or is it the right way to get it removed from the user tab in PFCG and get the user master record adjusted?
    Please suggest.

    Hi,
    Preferably, you should use PFCG for your need...
    It will be the easiest way to perform this task...
    After that, don't forget to do "user comparison"...
    Regards.
    Rajesh Narkhede

  • GRC 10 BRM - Approve Single Role assignment in Business Roles

    Hello,
    I want to set up a workflow where any Single Role assigned to a Business Role requires an approval of the Single Role Owner.
    The thing is that my customer doesn't have a Security Administrator, so what they want is that each Single Role Owner could be aware when their roles are assigned to a Business Role, especially when the Business Role Owner is another person.
    Once the Business Role is created, the provisioning would be in charge of Business Role Owners.
    Do you know any way to configure this?
    Thanks,
    Fernando

    Hi Claudio - thanks for breaking it down
    @ Fernando - for the Role Approval Methodology you need to split your approval out to be based on request type. Claudio has shown this up above already. In continuing his example, where the business role goes to path C - you would then have Path C do a line by line approval based on the single role owners
    By using this role approval methodology your single role approvers are indirectly allowing  any user who are approved the business role via an access request and that request is approved by business role owner (which is role owner).
    As mentioned - you are using two different workflow process ids
    Role Build - using BRM to approve the single roles being part of the business role
    Access Assignment - approving the user to receive the business role which includes the single roles
    Regards
    Colleen

  • Adding/Removing Authorizations from Roles

    Hi
    I need to modify some roles by removing and adding authorizations.
    Am I required to make the changes in DEV, create a change request and then import to QAS and subsequently PRD so that the roles are modified across the landscape?
    If so, how do I go about it?
    Kind Regards

    Hi,
    In your Dev box --> execute "PFCG" --> provide the role in the role name field --> click the change button --> make the necessary change --> save it --> check the authorization field --> save the role --> come back to the welcome screen of "PFCG" --> here you will find a truck button for transport --> click the transport truck button (remember, you should specify the role in role name) --> it will ask for a change request --> create the change request in the pop-up screen --> leave "PFCG"
    Next go to SE09 --> release the request created by you in PFCG
    Now import the request in the target system using STMS.
    Hope this will help you.
    Regards,
    Partha
