Role assignments not set in ABAP but IdM indicates OK status

Hi,
We went live with IDM 7.2 SP8 last month. We have started to see issues with Business Role assignments in target systems. Generally, BR assignments are parsed to respective privileges and assigned correctly. Sometimes privileges in one target will get assigned but not in another target. Occasionally assigning privileges to one target does not get through either. In all cases the IdM assignment is marked as 'OK', but when we check the backend the assignment is not there. Log entries don't show any jobs triggered for the target that failed to update (and consequently there are no log entries in that target either). But why would IdM mark the specific privilege as 'OK' status -- it should either remain 'Pending' or 'Failed' but certainly not 'OK'.
This effect is inconsistent -- it works correctly at times and fails at others -- increasingly more failures. There is nothing different about the users or environment. We see this in ECC, BW, GTS, etc. We have 36 prd and non-prd linked systems. Initially we thought this only affected prd systems as BR's only have prd privileges and the PRD targets are load-balanced. For non-prd systems the assignments are direct privileges, not BRs, and they are not load-balanced. We are now seeing this behavior in all environments for BR's or direct privilege assignments, in prd and non-prd targets.
Since BR's have approvers we cannot remove BR's and re-assign in production. So for non-prd targets we have removed the privileges, those that indicated 'OK' but did not get set in the target, and reapplied -- the privileges get deleted successfully without any corresponding job being triggered and then when we re-add it the assignment goes into 'OK' status without any job being triggered.
When we tried assigning another user the same privileges it went through fine to the target and IDM marked 'OK' -- exactly as it is supposed to work (non-prod privileges have no approvals).
We are not able to re-produce this in our DEV environment -- the targets are non-load balanced. The assignments work consistently, both BR's and privileges.
Has anyone seen such behavior by IdM?
Thanks for your thoughts.
Ashok

Hi,
Thanks for the suggestion. But ours was a different problem.
The issue was with a faulty reconciliation job that had been fixed. But it had done its damage before the fix and this caused the inconsistent behavior.
During the reconciliation job (to update changed and add new backend roles in IDM) various task trigger attributes get disabled and then re-enabled after the import. These disabled triggers did not get re-enabled for the privileges on some systems. And the reconciliation job was also delta enabled, so only new privileges, after the initial load, should have been impacted. But impact to many privileges -- all privileges of some target systems -- misled our investigation. The timing of the reconciliation job executions kind of added to the confusion and inconsistencies during the initial setup. But we finally tracked this down and wrote a custom job to fix the triggers for only the affected privileges. Assignments to all systems started to function successfully as expected.
Best regards,
Ashok

Similar Messages

  • Delete Role Assignments directly from an ABAP System

    Hi folks!
    I'm working on a synchronization job and I have a particular challenge, delete Roles assigned to a user in the ABAP System.
    Our use case is this: IDM is regarded as the authoritative source and as such if the user has a privilege in IDM, it should be in the backend.  Easy enough!
    However if the privilege is not in IDM but is in the back-end, it needs to be removed.  Is there a way to do this in IDM? From what I saw in the Framework, we are assuming that the role already exists in IDM.
    I suppose the work around would be to assign and then remove the matching privilege in IDM, but I really don't like that at all, for a number of reasons.
    I looked in the business suite and plain ABAP portions of the framework.  I'll take a more detailed look and also check the RDS, but I get the feeling this will be a toughie.
    Thanks for your help!
    Matt

    Hello Matt,
    so you want to remove local administrated role?
    If the object really is to undo the local administration, I would do this:
    Create a batch job, the passes would be a FromSAP, a ToGeneric and one/two ToSAP
    At first a cleaning pass (the ToGeneric one) which fixes all incorrect assigned privs (re-add directly or remove, depends on what you want/need). The source tab query and destination tab script have to be written though (I guess that is the most time consuming part of the job during implementation)
    The pending privs have to be considered in the provisioning script (I would prefer our own written script over the SAP delivered anytime)
    Copy the Read ABAP pass for users. Remove everything but the logonuid and the role assignments (profile assignments only if needed, too). Maybe use a different table name like sap<repName>userAssignRecon. If the system is very large, this pass has to be optimized filters
    Copy the role provisioning pass from the in-use plugin (SAP or adjusted one) and adjust it like this:
    Source tab query: A query which selects all mskeys of users that have more assigned in the sap table as in the link view. Using the Identity Store so everything of the identity is selected
    Destination tab: Remove the profiles as you haven't mentioned them. If needed I would do the same for profiles as for the roles in a second pass with the profileAssign table.
    Best regards
    Dominik

  • SAP IdM 7.2 SP6- Future dated role assignments not showing in the UI

    Hi All
    After assigning a role to an identity with a valid from date in the future it is not visible in the UI.
    I've tried to configure this in the MX_ASSIGNMENT attribute and also in task level (same attribute) but still no good.
    It only shows the current assignments. The Advanced option does not do anything.
    Is this due to SP6. Do we have to move to SP8 for this to work?
    Please advise.
    Ranjit

    Hi Steffi
    I've had success with this. I retested with the same settings (that I provided earlier) for the "change identity" task and it works fine. Then I tried the same with the "Display identity" task and it worked as well. However what I noticed with the "Display identity" task is that I actually had to choose the task rather than just look for the pending values in the initial screen - hope I'm making sense here. See below screenshots
    When I choose the task "Display identity" I get the below which is what I wanted to see in the above screen as well.
    Any ideas why I'm not able to see the pending values in the first screen (above). I have the same display task defined in MX_PERSON.
    Your thoughts please.

  • AD LDAP for Authentication but ABAP or IDM for Role Assignments

    Hi Portal Gurus,
    Is it possible to configure the UME in such as way so that it connects to the AD for authentication purposes but uses the CUA or SAP Identity Manager for role assignments?
    Thanks,
    Vibhu

  • ABAP Role Assignments stored in MSAD

    Hi all,
    unfortunately I have only found contradicting information in relation to the possibility to manage ABAP role assignments using a MS Active Directory.
    We plan to implement a WAS (ABAP) 6.40 SP14, synchronise data between the WAS and the corporate MSAD. While WAS (ABAP) is not capable of MSAD based authentication I suspect it is possible to manage the user/role assignments in MSAD. Am I right in my assumptions (see list below) that the following data entities can/cannot be managed and synchronised/stored with the WAS (ABAP) out of the box?
    WAS ABAP
    1. possible - user master data (e.g. userName, address, etc.)
    2. possible - user/role assignments
    3. not possible - user passwords (however, can be bypassed through SSO based on NTLM)
    Portal UME
    1. possible  - user master data
    2. possible - user password
    3. possible - role/group assignments
    4. possible - group/user assignments
    5. possible - user/group assignments
    6. possible - user/role assignments
    Thanks for the help!!
    Cheers Stefan

  • Provisioning of roles to ABAP system deletes role assignments in backend

    Hi all,
    following scenario:
    user has role A in an ABAP system which is connected to IDM. Assignment of role A to the user is not in the identity store.
    Now you assign role B via workflow to the user and IDM provisions this new assignment to the ABAP system.
    What will happen is that the user will get role B but assignment of role A will be deleted.
    This happens because in the job "SetABAPRole&ProfileForUser" the connector attribute "roles" will only consist of the role assignments which are in the identity store. All assignments in the ABAP system which are not yet in the IDS will be overwritten.
    This behaviour can be very critical. If you still allow role assignments directly in the backend system and you read these assignments e.g. once a day to the IDS - but in the meantime assignments have been done via workflow - you will lose data.
    My customer wants to assign roles both directly in the system and also by workflow. Every night an ABAP update job runs which writes new assignments to the IDS.
    Do you have any idea how I could solve this? Is there a way NOT to overwrite assignments with the ABAP connector field "roles"? I tried to use multivalue operator but this didn't do the trick.
    I hope I was able to describe my problem properly and you have answers...
    Best regards
    Jörn Kaplan

    No, there is not a way to avoid that IdM replaces the role assignment in ABAP with the current assignments as known by IdM. IdM is the master!
    This is not directly an issue of IdM: The standard BAPIs in ABAP (up to release 7.0) offer "replace all role assignments" but not "add role assignment" or "remove role assignment".
    However, there exists an exception: Role assignments in ABAP which are created indirectly by an HR-ORG assignment are not touched by IdM. (These role assignments are viewed in blue in transaction SU01.)
    See http://help.sap.com/saphelp_nw70/helpdata/EN/50/e9683c5de8676fe10000000a114084/frameset.htm for details.
    Kind regards
    Frank Buchholz
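An added example, not code from any of the posts or from the SAP framework: a two-way comparison of IdM assignments against backend role assignments. It flags assignments that IdM reports as 'OK' but that are absent in the target (the symptom in the main thread), groups them by repository to show when a whole system is affected rather than single users, and lists direct backend assignments unknown to IdM, which a "replace all role assignments" write would remove. The CSV layouts, column names, sample rows and the 0.8 threshold are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample exports. Column names and layout are assumptions,
# not an SAP IdM or ABAP table format.
IDM_CSV = """user,repository,role,status
JDOE,ECCPRD,Z_FI_DISPLAY,OK
ASMITH,ECCPRD,Z_FI_DISPLAY,OK
BLEE,ECCPRD,Z_FI_DISPLAY,OK
JDOE,BWPRD,Z_BW_REPORT,OK
ASMITH,BWPRD,Z_BW_REPORT,OK
ASMITH,BWPRD,Z_BW_ADMIN,OK
ASMITH,GTSPRD,Z_GTS_USER,Pending
"""

# "indirect" marks assignments inherited through HR-ORG, which the thread
# says IdM does not touch.
BACKEND_CSV = """user,repository,role,indirect
JDOE,ECCPRD,Z_FI_DISPLAY,no
ASMITH,ECCPRD,Z_FI_DISPLAY,no
ASMITH,ECCPRD,Z_MM_LOCAL,no
ASMITH,ECCPRD,Z_HR_ORG_ROLE,yes
"""


def read_rows(text):
    """Parse a CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def key(row):
    """Normalised (user, repository, role) identity of one assignment."""
    return (row["user"].strip().upper(),
            row["repository"].strip().upper(),
            row["role"].strip().upper())


def reconcile(idm_rows, backend_rows):
    """Return (idm_ok, phantom_ok, backend_only) as sets of assignment keys."""
    idm_all = {key(r) for r in idm_rows}
    idm_ok = {key(r) for r in idm_rows
              if r["status"].strip().upper() == "OK"}
    backend_all = {key(r) for r in backend_rows}
    backend_direct = {key(r) for r in backend_rows
                      if r["indirect"].strip().lower() != "yes"}
    # IdM says OK, target has nothing: provisioning never ran or failed silently.
    phantom_ok = idm_ok - backend_all
    # Direct backend assignments IdM has no record of in any status:
    # these are what a replace-all provisioning write would drop.
    backend_only = backend_direct - idm_all
    return idm_ok, phantom_ok, backend_only


def failure_rate_by_repository(idm_ok, phantom_ok):
    """Fraction of 'OK' assignments per repository that are missing in the target."""
    total = Counter(k[1] for k in idm_ok)
    missing = Counter(k[1] for k in phantom_ok)
    return {repo: missing[repo] / total[repo] for repo in total}


def systemic_repositories(rates, threshold=0.8):
    """Repositories where nearly every 'OK' assignment is missing, which points
    at a repository-wide cause (such as disabled task triggers) rather than
    individual users."""
    return sorted(repo for repo, rate in rates.items() if rate >= threshold)


if __name__ == "__main__":
    ok, phantom, extra = reconcile(read_rows(IDM_CSV), read_rows(BACKEND_CSV))
    rates = failure_rate_by_repository(ok, phantom)
    for item in sorted(phantom):
        print("OK in IdM, missing in target:", item)
    for item in sorted(extra):
        print("In target only, at risk on next write:", item)
    print("Repository-wide failures:", systemic_repositories(rates))
```

Running the comparison per repository after every reconciliation job gives an independent check on the 'OK' status, since in the main thread no job or log entry existed for the failed targets.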

  • Not able to work with customized Java roles which were edited in ABAP stack

    Hello All,
    I am trying to copy standard roles into customized roles (i.e. Z roles) using PFCG in XI system. All ABAP based roles are working fine, but all JAVA based roles are not working. I generated profiles as well. And I check all the authorization objects in both standard and customized roles. Everything looks the same but customized roles are not working.
    And when I check the logs on JAVA stack I found the error which says " User XXXXXXXXXX IP address HTTP request processing failed. HTTP error [403] will be returned. The error is [You are not authorized to view the requested resource.No details available]."
    I thought there might be any Jco RFC connections missing between the stacks and I tried to check in Visual Admin, but I was not able to find much info regarding these roles.
    Am I missing anything or is there any other way for these roles to make customized roles.
    And can anyone tell me how to run a trace for JAVA stack activities as we do in ABAP using ST01. Any help will be rewarded. Thanks in advance.
    Regards,
    Farooq.

    Java roles work with influence of permissions in Application Server which we call actions in UME. As you are aware in PI user master record will be in ABAP stack. So the roles in ABAP stack will be having only RFC connections to JAVA stack for the specific JAVA based role. So you need to edit the permission on Java App Server. For that you need to log on to server through visual admin and then go to services and you will find the standard groups assigned to actions. But I don’t remember that under which service you will find them
    Under that service you will find some 200 actions. And you have to add the name of the custom created JAVA roles on ABAP to all those actions where you find the standard roles. And it's a very very lengthy procedure. So SAP advises to go for customized ABAP roles and Standard JAVA roles.
    Hope this answer clears your query.
    Farooq.

  • Participant 'userx' does not have role assignments in process '/ProcessP

    I am using Oracle BPM 10.3 MP2 Enterprise Edition
    Version: 10.3.2
    Build: #100486
    Have a process ProcessP and role RoleR.
    User 'userx' is assigned to role 'RoleR', when he tries logging into the workspace,
    getting exception message in page as below:
    "Participant 'userx' does not have role assignments in process '/ProcessP#Default-1.0'. This error usually takes place when the Process Execution Engine has not re-synchronized with the Directory Service. Try re-logging and executing the task again. If the problem persists, contact your Administrator"
    Tried deleting the user 'userx' from process admin and re-creating the user and gave role 'RoleR' but still the issue persists.
    This is working for other user 'usera', 'userb', 'userc' etc.
    Any suggestions.
    Thanks in Advance.

    Is restart of the engine server on which ProcessP deployed is the only solution since the error messages shows up as 'Process Execution Engine has not re-synchronized with the Directory Service. '

  • Users are created but Roles are not Provisioned in the Target System

    Hi,
    It would be great if somebody would provide a solution to my problem. The problem is when I try to create the Users in Identity Management UI then the Users are created in the Target systems but the Roles are not provisioned to the Users.
    In the provisioning job SetABAPRole&ProfileForUser,
    it says in the error: putNextEntry failed storing
    Exception from Modify operation:com.sap.idm.ic.ToPassException: User does not exist
    MSKEY 58437
    Please note that when we create the User, the user is created; however, the Roles are not provisioned to the user.
    Regards,
    Hakim

    Hello Nits,
    since this thread is from 2010 and the OP was logged on last in 2012 (as you can see in the profile), I don't think you'll get an answer here.
    Please create a new thread to explain your problem (with version and SP numbers, logs etc). You can add a link to this thread to show, that the problem is similar.
    Regards,
    Steffi.

  • Change the pwd of the WBEM client:SLDAccess set to true but not available

    Hello,
    I checked on ABAP side with transaction SLDCHECK, everything fine.
    Then checked http://server:port/sld/ListServlet?bsview=true
    Please find the log content below:
    WARNING com.sap.lcr.cimsrv.ChangePasswordServlet: Password Change that service client users don't have initial passwords.Alternatively, logon to the SLD user interface with the corresponding user and assign a new password client settings must be updated accordingly.
    So suggestion was to change the WBEM client password.
    Due to the above scenario, the error in SXMBMONI is:
    com.sap.aii.af.ra.ms.api.ConfigException: SLDAccess set to true, but not available
    Can anyone let me know how to resolve this issue.
    Thanks in advance.
    Ganesh Karicharla

    HI ganesh
    check this thread for reference
    Unable to find an associated SLD element
    regards
    kummari

  • Roles In SAP Web AS ABAP would not appear automatically in J2EE Engine

    I have an ABAP+Java Addin Instance Installed.
    When I create a user, it shows up in the Java Engine when I go to Services->Security Provider.
    But the ABAP roles would not show up in the Java Engine.
    Please advise..

    HI,
    It depends on the UME chosen,
    You need to ensure your ume config allows groups to be created. check the xml you have chosen,
    also permission for sapjsf.
    Cheers,
    Chetan

  • Risks when locking Prod in SCC4, but not setting Company Code to productive

    Hi,
    I am trying to figure out the risks related to not setting Company Codes to productive... even though the Production system is locked in SCC4. Will the lock in SCC4 mitigate the risk of not setting Company Codes to productive?
    To my understanding, setting Company Codes to non-productive in the Production system would result in a risk for deleting financial data. I therefore wonder if defining the lock in SCC4 would compensate for this risk.
    Regards
    IT-auditor

    I asked myself the same question.
    The F1-help in SCC4 says the following:
    "This field should be maintained by the customer for documentary purposes."
    But also:
    "- Production clients and SAP reference clients are protected from the client copy tools, including "Copy by Transport Request" (transaction SCC1).
    - There is corresponding protection from the automatic Customizing Distribution and other tools.
    - In a production client, customizing settings that can be maintained as "current settings" are excluded from a client lock or transport connection; this means current settings (e.g. exchange rates, posting periods) can always be maintained in a productive client without recording changes. Other clients usually require a transport request."
    So, I think that the client role option is more a documentation thing. But also disables some client copy and automatic transport functionality. In my opinion it should be "production" on a production system because if not there are several functions activated that shouldn't be for security reasons.
    That's what I think. Maybe someone can correct me or give more information to this thread.
    regards
    Tobias
