Role Mapping For Portal Role Assignment and ABAP Role Assignment

Summary:
- Under the GRC configuration of Roles > Role Mapping we are trying to utilize the role mapping feature in GRC for associating a dependent role to a main role.
- We want to use this role mapping feature for the purposes of adding an Enterprise Portal role for every ABAP role that gets approved for the user in an ABAP component system (i.e. ECC, BW, CRM etc). We will have a 1:1 mapping of Enterprise Portal role to ABAP role defined in the role mapping section in GRC.
- We want to set up the workflow in such a way that the main role (ABAP role) is the only role that needs to be approved. The dependent role (Enterprise Portal role) should be added or not added based on the approval or denial of the main role (ABAP role). In other words, if the role owner for the ABAP role approves the ABAP role, then both the ABAP and EP role will be provisioned by GRC, and if the role owner rejects/denies the role, then neither the ABAP nor the EP role will be provisioned by GRC.
Problem Description:
Scenarios we tested:
Scenario 1:
Main Role: Attached to Initiator A & workflow A (routes to single approver based on role)
Dependent Role: Attached to Initiator B & workflow B (routes to auto approval or no approval)
*Problem with the Scenario 1 setup above: the dependent role will always get approved & provisioned regardless of the approval or denial of the main role.
Scenario 2:
Main Role: Attached to Initiator A & workflow A (routes to single approver based on role)
Dependent Role: Attached to Initiator A & workflow A (routes to single approver (same as main approver) based on role)
*Problem with the Scenario 2 setup above: the dependent role will always also need to get approved by the same approver as the main role, and it opens the possibility that the approver may accidentally approve the main role and deny the dependent role, which is not the ideal setup as we inherit the risk of human error.
Questions:
1. Does the dependent role need to be defined in an initiator at all, since it will never be requested directly?
2. If the dependent role does need to be in the initiator file, please describe how to properly set up the initiator and workflow stage & path so that we can maintain the desired relationship with the main role approval dependency (if the role owner for the main role approves the main role, then both the main role and dependent role will be provisioned by GRC, and if the role owner rejects/denies the main role, then neither the main role nor the dependent role will be provisioned by GRC).
Edited by: Rene Griffith on Feb 26, 2010 10:22 PM

I tested this set up.
1. Defined ABAP role as Main role
2. Defined Non-ABAP role as dependent role
3. ABAP role is set up in initiator requiring business approval.
4. Non-ABAP role is set up in initiator with no approval required.
Results Where Business Approver approves the ABAP Role
1. Only the ABAP role is displayed in approver view which is desirable.
2. ABAP role is approved and Non-ABAP role and ABAP role are provisioned.
Results Where Business Approver rejects the ABAP Role
1. Only the ABAP role is displayed in approver view which is desirable.
2. ABAP role is rejected but Non-ABAP role is provisioned, which is not what we want. We want the Non-ABAP role not to provision if the ABAP role is rejected by the business approval.
Thanks again for your help.
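
An added example, not part of the original posts and not SAP code: a per-request audit that flags both failure modes described in this thread, a dependent role provisioned although its main role was not (Scenario 1) and a main role provisioned without its dependent role (Scenario 2). The role names, the `LineItem` record layout and the decision values are constructed assumptions, not a GRC export format.

```python
from dataclasses import dataclass

# Constructed 1:1 mapping: main ABAP role -> dependent Enterprise Portal role.
ROLE_MAPPING = {
    "Z_FI_AP_CLERK": "EP_FI_AP_CLERK",
    "Z_BW_REPORTING": "EP_BW_REPORTING",
    "Z_CRM_SALES": "EP_CRM_SALES",
}

@dataclass(frozen=True)
class LineItem:
    request_id: int
    user: str
    role: str
    decision: str      # assumed values: "APPROVED", "REJECTED", "AUTO"
    provisioned: bool

# Constructed request line items (hypothetical export of provisioning results).
SAMPLE_ITEMS = [
    LineItem(101, "JDOE", "Z_FI_AP_CLERK", "APPROVED", True),
    LineItem(101, "JDOE", "EP_FI_AP_CLERK", "AUTO", True),
    LineItem(102, "ASMITH", "Z_BW_REPORTING", "REJECTED", False),
    LineItem(102, "ASMITH", "EP_BW_REPORTING", "AUTO", True),      # Scenario 1
    LineItem(103, "BLEE", "Z_CRM_SALES", "APPROVED", True),
    LineItem(103, "BLEE", "EP_CRM_SALES", "REJECTED", False),      # Scenario 2
]

def audit_role_mapping(mapping, items):
    """Return sorted (request, user, finding, role, counterpart_decision) tuples.

    The check is per request: a role provisioned in one request is compared
    only with its mapped counterpart in the same request.
    """
    dependent_to_main = {dep: main for main, dep in mapping.items()}
    provisioned = {}   # (request, user) -> roles actually provisioned
    decisions = {}     # (request, user, role) -> approval decision
    for it in items:
        key = (it.request_id, it.user)
        provisioned.setdefault(key, set())
        decisions[key + (it.role,)] = it.decision
        if it.provisioned:
            provisioned[key].add(it.role)

    findings = []
    for (req, user), roles in provisioned.items():
        for role in roles:
            main = dependent_to_main.get(role)
            if main is not None and main not in roles:
                why = decisions.get((req, user, main), "NOT_IN_REQUEST")
                findings.append((req, user, "DEPENDENT_WITHOUT_MAIN", role, why))
            dep = mapping.get(role)
            if dep is not None and dep not in roles:
                why = decisions.get((req, user, dep), "NOT_IN_REQUEST")
                findings.append((req, user, "MAIN_WITHOUT_DEPENDENT", role, why))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_role_mapping(ROLE_MAPPING, SAMPLE_ITEMS):
        print(finding)
```
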

Similar Messages

  • CUP - Unable to assign and delete role at the same time

    Hello everybody,
    I have an issue with CUP.
    Regarding a change account request, if I assign roles, it works. On the other hand, if I delete roles (also with a change account request) it works too. But if I mix both of them in the same request (assigning and deleting roles) it doesn't work. Only the deletion works. Sometimes we have no error message and sometimes we have:
    Error provisioning your request. Request no: 94. Error occurred in the system(s) : n/a, error details :
    DR1CLNT200-ZTEST01-USER CREATE-Function template /VIRSA/BAPI_USER_CHANGE could not be retrieved from DR1CLNT200
    Do you have please an idea to solve this issue?
    For information the CUP used is a 5.3 SP 5.0 version.
    Thanks in advance for any help.
    BMW

    Hi Ben,
    There may be a possibility of such behaviour in SP05, as many changes in the code have been done till now which may result in such an issue, and we can't confirm your findings by re-creating it. However, you can check a few things functionally which may resolve this issue:
    1) This error usually comes when the role selected is already assigned to the user or the user doesn't exist in the system for which the change request is created.
    2) When the system encounters this error, please take the system logs for that time from the 'Monitoring' tab under configuration in 'English'; the error cause can be found there, or please paste the logs so that we can analyse them.
    3) Also, you can refer to SAP Note 1168508, where many of the role related issues have been resolved after SP05; therefore, for smooth functioning of GRC-CUP 5.3, it's better to upgrade to the latest SP, i.e. SP18.11 (available at SMP).
    Best Regards,
    Akhil Chopra

  • Mapping between the query/report and the role with technical names - BI Sec

    Hi,
    How to find the mapping between the query/report and the role with technical names ?
    Like in R/3 we can find the mapping using table AGR_TCODES or through SUIM. However, in BI all reports have tcode RRMX.
    So, how to find the role for a given query/report like sales report with technical names?

    I looked into this quite a while ago and cannot remember the exact details, but I think there were 3 tables needed together with a structure to explore with a function module, and you need to use the program ID to link them.
    If you look in SQ01 then I am sure you will find one of the tables, and then search from there onward.
    Alternately, while searching you might find a nice report which does this for you.
    Hope that helps and let us know whether you find it.
    Cheers,
    Julius

  • Mapping between the query/report and the role with technical names

    Hi,
    How to find the mapping between the query/report and the role with technical names ?
    Like in R/3 we can find the mapping using table AGR_TCODES or through SUIM. However, in BI all reports have tcode RRMX.
    So, how to find the role for a given query/report like sales report with technical names?
    Edited by: Phoenix on Jul 26, 2008 4:15 PM

    Posted in wrong forum

  • Role mapping between Portal and Back end systems

    I am new to SAP EP.
    I just want to know how the mapping between portal and back end system happens.
    Scenario : There is a role in ECC system...say FI India. Now there is a request by the FI team that they want to access this role from Portal. In this case, please tell me how the security team will do it. Because I guess, it has to be done by the security team.

    Hi,
    Usually the role from the backend is uploaded to the portal, then it will be seen as a Group and we need to assign our portal roles to this group. Please refer to this: http://help.sap.com/saphelp_nw73/helpdata/en/d6/7859ec80df46738e23ccb4f4c8c502/content.htm
    Regards,
    Samir

  • Portal Groups vs. ABAP Roles

    Hi,
    We have the following scenario:
    SAP EP (6.0 SP19) with content from BW and HR (ESS&MSS).
    The backend systems and the portal use CUA.
    The problem is that for example when a new user(employee) is created in HR, we would like that the user automatically gets a certain role in the portal (employee or manager, depending on the role given to him in the backend system).
    At the moment we first have to give the user a role in the backend system + assign the user to a group in the portal. Is there a better solution for this?
    Regards,
    Kristian Rantakoski

    You can import backend roles in portal. After importing these backend roles in portal, these roles appear as Groups in portal. As users are automatically part of these groups in portal, you can assign manager roles of portal to the Manager group (which is actually a role in the backend) in Portal.
    The above approach worked for me in case when I configured Portal UME to ECC6.0 user database. I am not sure if the same approach will work in case of CUA.
    You can give it a try.
    Best Wishes
    Prabhakar

  • Changing the sequence of roles/groups for Portal users after Login

    Hi
    We are at EP 7.0 SP11.
    We have developed custom role for ESS, MSS, EIC and Reports etc.
    Now when all the 3 roles are assigned to any user, the sequence of the display is generally
    Employee Self Service, Manager Self Service and then EIC.
    We need to change this sequence in Dev, QA and production environment for some users preferably (or for all portal users), so that the 1st page which loads in portal after the user logs in is not necessarily ESS.
    The requirement can also be considered as, we need to change the default page which displays after user logs in.
    Does someone have any idea how can we achieve this ?
    Looking forward to your response.
    Thanks
    Neha

    Hi Neha,
    Add custom Welcome page/Home page(eu_role) and Sort Priority property as per  Koti Reddy.
    Hope it helps
    Regards
    Arun

  • Abap+java stack for Portal 7.0 and MI - User Data Source

    The SAP pre-requisites for Portal and MI (Mobile Infrastructure) 7.0 is an ABAP and Java Stack. If you install an AS ABAP + Java, the UME is automatically set up to use the ABAP user management of the same AS installation. What does this mean? The user store will be created in ABAP, for both the Portal and MI.
    The impact of this is that portal user management is in ABAP. This configuration by design cannot be connected to LDAP Active Directory for user authentication.
    Please let me know if somebody has already faced a similar issue and come up with a solution. Thanks in advance.

    Hi Surya ,
    When you install portal or any NW component with ABAP stack, the ABAP stack holds precedence over the JAVA stack; refer to these links to get more of an idea on this.
    http://help.sap.com/saphelp_nw2004s/helpdata/en/2b/306bb5bc98f24f8a85d489449af456/frameset.htm
    http://help.sap.com/saphelp_nw04s/helpdata/en/12/7678123c96814bada2c8632d825443/frameset.htm
    Thanx
    Pankaj

  • Ovi map for other country downloaded and installed...

    I've used the Ovi Suite 2.2.0.245 and connected with N900 but selected PC suite mode instead of Mass storage. I read a lot that you have to select Mass storage for N900, but Ovi Suite won't then be connected with my phone, but works with PC suite.
    I wanted to transfer country maps to the phone so I can use it offline. Selected the Map and downloaded and it said transferred to phone...so everything seems good. But when I go to open those maps on the phone...I can't find them anywhere at all! I'm not sure where they are.....I've checked the 'ovi map', then the 'cities' folder but nothing. There are other files there but not titled with the cities I've downloaded. I tried to open those files anyways (having a "?" as their icon) and then selected I think 'Application' or something as ways to open the file.....then needed to download but 0kb...??? It then said unable to download, the file could be corrupted. So now..I'm stuck.
    I don't know where the maps were transferred to. Oh and I check on the Ovi suite Map tab and selected my device, and it should alllll the cities and countries listed in my device (phone) already....but I can't find/open them on the phone. Much help and guidance would be appreciated!
    Thanks in advance.

    Thanks for reply. I did check the cities folder and it's not there...I've downloaded New York and cannot find it. Also, the folders I saw were all a few kb and not the appropriate size.
    I went to ovi maps on the n900 and only showed me where I am, I wanted to open new york map but don't know where and how. I clicked on search and entered new york but then ask me to connect to the internet. It did and it worked but then that means I have to connect.
    It said I can be offline for N900:
    http://www.nokia.com.au/get-support-and-software/download-software/maps-support/how-to/maps-for-n900
    I thought it can be viewed offline, so how can I? I wanted to open the map when overseas but if there's no internet connection and I have transferred the map on the phone previously, I won't be able? =(

  • Ant tasks for portal's dpadmin and par commands

    Has anyone written ant tasks for the dpadmin and par commands? If you look at the shell scripts for dpadmin and par, they are just setting up environment for java method invocation and command-line parsing.

    I created some simple targets to deploy my portlets (copy jsp files and classes to appropriate directories) and then declare them with a target that invoked the dpadmin tool on my desktop xml file. I had experimented around with changing the directory privileges in order to run my build script as a user other than root but had little success. I am sure building a custom ant task wrapped around dpadmin and par commands would be trivial to implement.

  • Pass through scenario in SAP PI with no mapping for File to IDoc and Idoc to file scenarios

    Hi Experts,
    Can I have a step-by-step process in SAP PI for a pass-through scenario with no mapping, in both the file to IDoc and IDoc to file cases, please?
    What objects can I skip?
    My PI system is 7.3 dual stack.
    I have seen the blogs below; still it's confusing to me.
    When and how to create an scenario in SAP PI without mapping objects.
    Pass Through Scenario with no Mapping in PI 7.1
    Appreciate your help on this.
    Regards,
    Mohan.

    Hi Mohan
    In pass thru interface you don't need to create any ESR objects, only ID objects are required.
    Just Create a Receiver Determination and Receiver Agreement for your scenario (no need for Interface Det. and Sender Agreement).
    Specify the IDOC in the Sender Interface and namespace as urn:sap-com:document:sap:idoc:messages
    Or instead of creating objects manually, Run the wizard with Idoc name/namespace in sender/receiver interface
    Regards
    Osman

  • SAProuter for Jco between Java and ABAP stack

    When configuring Jco at Java only, there is an option to use SAProuter.
    This is not for SMP download or OSS support.
    So is there any document for this kind of SAProuter usage?
    Thanks!

    I don't quite understand why you need SAProuter between 2 SAP instances, which means they are located in 2 different network segments and cannot communicate with each other directly. But let's assume this scenario:
    1. ECC in network A, IP 10.10.10.1;
    2. Portal in network B, IP 192.168.1.1;
    3. SAProuter has 2 adapters, IP 10.10.10.2 and 192.168.1.2.
    Make sure all message server and dispatch info is maintained correctly in the service file (or the corresponding file on other platforms) on all 3 hosts, and then when you configure the Portal Jco connection, the route string you need is /H/<SAProuter IP>/S/3299 to enable them to communicate with each other. Usually this is for security purposes, against potential network attacks on SAP hosts from user IPs, for instance:
    4. All public users in network C, IP 172...*, then you need a SAProuter which has 3 adapters.
    Regards,
    Effan

  • Abap+java stack, users not mapping to portal role.

    We have the ABAP+java add-on install.
    The UME is by default ABAP engine.
    From Portal:
    1 I create a portal user, it ALWAYS creates ABAP user in ABAP stack of WAS.
    2. I create a portal role, it creates a role in the Portal.
    3. When I assign the user this portal role, having worksets and pages, I get no pages or worksets shown in the portal page as soon as the user logs in.
    Can you help configure this so that I could see the pages and iviews inside this workset when user logs in.
    Thanks  a lot.
    PS:  posted this in webdynpro-ABAP.  no reply came.  Sorry to double post.

    Hi Mike,
    can you check in your WorkSet (or Pages) if you have set up the Entry Point flag?
    PS: Award points for good answers.
    Best regards,
    Gianluca Barile

  • Abap role in the enterprise portal?

    Can anyone give me a clear picture about the enterprise portal and the ABAP role in that?

    Hi, when there is an integration between EP and R/3 and you click on the User Administration of the Portal, you will find two types of users available there.
    1. UME Database - this is nothing but the Portal Roles; here you will find all the roles related to portal administration, such as eu_role, eu_corerole etc.
    We assign portal developer roles to the user from here, like Content Admin, System Admin, etc.
    2. ABAP Role: whatever roles are defined for the user in the backend will appear here...
    For instance, if you implement ESS, the user must be able to apply for Travel, so a backend R/3 travel role will be attached in SU01 for that user. This is visible on the portal.
    Hope this clarifies!
    Cheers!
    SJ.

  • J2EE roles vs Portal roles vs ABAP roles

    (I also posted this on portal implementation, but i hope i receive more reactions here )
    Dear all,
    I have a question about the information on the following link:
    http://help.sap.com/saphelp_nw2004s/helpdata/en/4c/6c0f40763f1e07e10000000a1550b0/content.htm
    It says the following:
    "These functions are intended to assign users and their assigned portal roles a corresponding role in the SAP System. This corresponding role (authorization role) contains the authorizations needed to execute certain functions from the portal."
    1. These "...certain functions..." they talk about, can someone give an example of these functions?
    2. Is it possible for example to create a role in the portal that gives a user authorisation for starting transaction SE80 in the backend system? Without making the role in the backend first and uploading it to the portal.
    3. It's also possible to upload ABAP roles to the portal. Is the main reason for this that users can see their SAP menu (or part of it) in the portal? Or does this have other advantages too?
    4. I'm very confused about the relation between J2EE roles, portal roles and ABAP roles. Is it possible to manage the roles for a user in one place, without having to do certain actions in the portal AND the backend system?
    From what I've read on help.sap.com, you always need to do certain actions in both places.
    A possible approach is the following (from what i know): Creation of roles in the R/3 system, without assigning to users. From a webdynpro application, a user can then be created and roles can be assigned: portal roles (via some API) and R/3 roles (via BAPIs).
    I hope someone can give a bit of information on this issue. I've done a lot of reading on help.sap.com, but it's still an abstract issue for me.
    Kind regards,
    Joren

    Hi Joren
    Re: point 3. I don't build portal roles through this mechanism as I don't believe in replicating the SAP easy access menu inside the portal. If there are some specific functions (transactions) that I want to run inside the portal, then I might use this mechanism to build the iViews once. I would rather start an iView that runs transaction SMEN and let the user see their regular easy access menu.
    Please note that the speed of executing transactions in the portal isn't a function of the portal, but the fact that you are using ITS, for example, to web enable the transaction...
    Re: point 4. Groups are a UME concept. They have nothing to do with ABAP groups. They can be created directly in UME through user administration functions, or they can be created in the LDAP and then they are visible in the portal. If the UME points to an ABAP system, then the ABAP roles are automatically visible as UME groups. Groups created in the UME need to have the members assigned through user admin functions of the Java engine. Groups stored in LDAP are maintained using LDAP admin tools. There are upload utilities that allow you to maintain LDAP users and groups through text files. Google LDIF for more details.
    Roles on the portal need to be built in the portal content directory. As Michael mentioned, this can be automated by the use of the role upload function built into the portal.
