SAP Technical roles and IDM Business roles mapping

Hi Guys
Just wondering if there is an easy way to export SAP Positions and create them automatically as Business Roles in IDM, and to turn the SAP technical roles related to each corresponding position into privileges assigned to that Business Role. Or am I going about this the wrong way? What do you normally do in terms of getting all your SAP technical roles from the SAP system and assigning them to business roles in IDM? Any help on this is much appreciated.

Thanks Matt,
I think I get the picture now.
One thing that I am still not sure about is how the SAP ABAP technical roles or profiles are provisioned through workflow.
Here is what I've done so far:
1. HCM data loaded into productive identity store via vds
2. Did an initial load of the abap system into the productive identity store (now the technical roles and profiles are loaded as privileges in the idstore)
3. Through workflow I select a user that already has an ABAP account and assign that user some additional SAP technical roles, e.g. SAP_ALL and SAP_NEW. The corresponding privileges for these roles are PRIV:PROFILE:ECX:SAP_ALL and PRIV:PROFILE:ECX:SAP_NEW.
4. For the provisioning to occur so that these new privileges are reflected in the ABAP system for this user, I have used the setABAPRole&ProfileForUser task from the SAP provisioning framework folder and set it as the add/mod/del event task for the MXREF_MX_PRIVILEGE attribute. That way, whenever a privilege is added to a user account the setABAPRole&ProfileForUser task will run and the SAP_ALL and SAP_NEW profiles will be added in the backend. This way I can avoid setting a provisioning task for each ABAP privilege that gets loaded.
But it should be obvious now that there is a flaw with this kind of setup, because all non-ABAP privileges that get added or removed will trigger the setABAPRole&ProfileForUser task anyway, because all privileges use the same attribute, i.e. MXREF_MX_PRIVILEGE. So it brings me to the question: how do you provision ABAP technical roles or profiles through workflow without setting a provisioning task for each ABAP-related privilege?
Thanks again for all your help!
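The flaw described above (every MXREF_MX_PRIVILEGE change fires the ABAP task) can be narrowed by classifying the privilege name before the task does any work. The following is an added example, not code from the original post or from the SAP provisioning framework: it relies only on the PRIV:<TYPE>:<REPOSITORY>:<NAME> naming convention visible in PRIV:PROFILE:ECX:SAP_ALL, and the repository list, the event record shape and the `routePrivilegeEvents` dispatcher are constructed assumptions. Names that do not follow the convention are rejected rather than guessed at, so the ABAP task fails closed on unexpected input.

```javascript
// Added example (not from the original post): classify SAP IDM privilege
// names so that only ABAP role/profile privileges are handed to the ABAP
// provisioning task, and everything else is left alone.

// Constructed assumption: repositories that are ABAP systems in this landscape.
const ABAP_REPOSITORIES = new Set(["ECX", "BWX"]);

// Privilege types the ABAP role/profile task is meant to handle.
const ABAP_PRIV_TYPES = new Set(["ROLE", "PROFILE"]);

// Parse "PRIV:PROFILE:ECX:SAP_ALL" into its parts. Returns null when the
// name does not follow the convention, so callers can fail closed.
function parsePrivilegeName(name) {
  const parts = String(name).split(":");
  if (parts.length < 4 || parts[0] !== "PRIV") return null;
  return {
    type: parts[1],
    repository: parts[2],
    // A role or profile name may itself contain ':' so keep the remainder whole.
    name: parts.slice(3).join(":"),
  };
}

// True only for ROLE/PROFILE privileges that belong to a known ABAP repository.
function isAbapPrivilege(name) {
  const p = parsePrivilegeName(name);
  return p !== null && ABAP_PRIV_TYPES.has(p.type) && ABAP_REPOSITORIES.has(p.repository);
}

// Split a batch of privilege change events into the ones the ABAP task
// should act on and the ones it should ignore. Event shape (constructed):
// { user, op: "add" | "del", privilege }.
function routePrivilegeEvents(events) {
  const abap = [];
  const ignored = [];
  for (const ev of events) {
    const p = parsePrivilegeName(ev.privilege);
    if (p !== null && isAbapPrivilege(ev.privilege)) {
      abap.push({ user: ev.user, op: ev.op, repository: p.repository, type: p.type, name: p.name });
    } else {
      ignored.push(ev);
    }
  }
  return { abap, ignored };
}

// Constructed sample events: the two profiles from the post, an LDAP-style
// group privilege, an ABAP role removal and a malformed name.
const SAMPLE_EVENTS = [
  { user: "MUSER1", op: "add", privilege: "PRIV:PROFILE:ECX:SAP_ALL" },
  { user: "MUSER1", op: "add", privilege: "PRIV:PROFILE:ECX:SAP_NEW" },
  { user: "MUSER1", op: "add", privilege: "PRIV:GROUP:ADX:CN=VPN Users" },
  { user: "MUSER1", op: "del", privilege: "PRIV:ROLE:ECX:Z_SD_CLERK" },
  { user: "MUSER1", op: "add", privilege: "NOT_A_PRIVILEGE" },
];

function demo() {
  return routePrivilegeEvents(SAMPLE_EVENTS);
}

module.exports = { parsePrivilegeName, isAbapPrivilege, routePrivilegeEvents, demo };
```

With this split, the event task attached to MXREF_MX_PRIVILEGE can call the classification first and return immediately for the `ignored` entries, so the profile assignment logic only ever sees ABAP role and profile privileges for the repositories it is responsible for.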

Similar Messages

  • SAP Vendor Number and MDG Business Partner mapping table name

    Hello Expert,
    We are using MDG for Materials and Suppliers, and while using it we sometimes find errors where the vendor number and business partner are mismatched.
    Could you please tell me which table I should check where I can see the ECC vendor number together with the MDG business partner number?
    It will help us to validate the mismatched ones and correct them in one go.
    Vijay Mittal

    Hello Vijay,
    You can find the Vendors in table LFA1. Your Business Partners are in table BUT000.
    The number ranges transactions are as follows: Vendors - XKN1, Business Partners - BUCF
    You should check the NR Status and make sure your value is greater than the last created LFA1 record, so your PPO does not fail (that's in case you're going the direction BP -> Vendor and don't have the "Same flag" active in view V_TBC001). If you are trying to synch up from Vendor to BP, you'll have to check the view CVIV_VEND_TO_BP1 instead.
    Hope that helps,

  • Difference between SAP Access Control and IDM

    Hi Expert,
    I have one question: what is the difference between SAP Access Control and SAP Identity Management?

    That's a good question, but a tough one.
    While both applications can do most of what the other can do, it's a matter of specialization in my opinion.
    Access Control is all about managing and controlling access to SAP system roles and has the ability to report on role conflicts for compliance and reporting purposes. (I'm sure I'm leaving a lot out, but maybe a GRC / AC expert can fill in more details)
    SAP IDM is about managing the user life cycle with regards to landscape and enterprise systems. It will handle the creation, update and ultimately the removal (or de-provisioning) of users in SAP ABAP, SAP JAVA, LDAP, JDBC, and API based applications. It will also do Role Management through a web based UI (User management is web based as well), and as of the latest Service Pack for SAP IDM 7.2, it will do attestation (limited certification) as well. It is a definite upgrade to CUA as it will work with a greater variety of systems, and include workflows and approvals.
    GRC will do some provisioning, but it's somewhat limited, as is IDM's compliance abilities.
    The applications are designed to work together, however it does not have a great track record and the integration is typically heavily modified to work as desired.
    If you have specific questions, feel free to post / DM.  Obviously I am more knowledgeable about IDM, but I'll be happy to help you in any way possible.

  • Business Role to System/Technical Role Mapping in CUP

    In our design of CUP we are having end-users log on and choose their "business role" and having CUP select the system/technical roles. For example, we want an AP Clerk to be able to log on and choose "AP Clerk" and have roles A, B & C from ECC selected and role D from BI.
    Is this type of design possible in CUP 5.3, or are we extending into IDM functionality (which we do not have)? Has anyone had experience with this type of design? What are your recommendations?
    Thank you,
    Grace Rae

    I assume you are looking for Job/Position roles but for SAP systems. Fortunately, CUP provides the flexibility to implement the RBAC concept for both SAP & non-SAP systems.
    In this case, the catch would be your blueprinting, which depends on various parameters like: how sound your authorization concept is in all the managed systems (R3, BI, non-SAP etc.), approval criteria, organizational operational view etc. The concern is that we may run into other issues of violations, risk analysis, approvals etc. if we don't plan diligently.
    Alpesh's hint would be really helpful in terms of implementing this requirement.

  • Install SAP Technical Content

    I have heard about installation of Technical Content.
    Can anyone tell me how to install SAP Technical Content and why we use it?

    After a new install or upgrade, Technical Content will be installed automatically after you run TCODE Rsa1 (BI_TCO_ACTIVATION) for the first time. It is used for the BI Stats and authorization to mention a few.
    See OSS note 979581 for more details.

  • Business Roles & Technical Roles

    With the whole process of creating Business Roles for the implementation of IdM we got to thinking and started looking for a best practice when it comes to creating and managing business roles as well as technical (SAP, ABAP) roles.
    Anyone have any good documentation in this regard?
    Thx in advance,

    Hey Sandeep,
    It's a good document but not exactly what I was looking for.
    Concerning the Business Roles I was looking for more of a functional (business) view point on the whole business role thing. Something I could use from a technical standpoint to help my customer in the business role creation process.
    Concerning the Technical Roles (ABAP authorisations): we have the situation here at the moment that we're dealing with 14 years of role creation in the SAP systems with no guidelines whatsoever. So to put it gently: it's a mess. And I was wondering if there was any best practice document out there describing the "best practice" of creating technical roles, handling authorisations in SAP etc.
    I realise that the second question doesn't quite fit in this forum but I'm guessing here would be the closest match for the question.

  • Fix Business Role / Technical Role assignment in Pending or Failed status

    We are facing issues with a few users where the Business role assignment or technical role assignment is going into Pending or Failed status.
    None of the jobs are failing or throwing any error related with the changes.
    We are running IdM 7.2 version with SP8.
    Is there a way to fix this issue other than removing and reassigning, or recreating the ID?

    Hi Manish,
    If the technical role (priv) is in Failed status, please check Tero's reply in the post below. You can set up a periodic job to read users and privs in Failed status and use the uRetryPrivilegeAdd() function to retry the assignment.
    Failed AD privileges
    I was able to find a document on how to set up the periodic job.
    Retry failed assignments (Privilege)
    You should try searching the forum and wiki for answers. Most of the issues are addressed by our community experts already. Thanks.
    Kind regards,
    Message was edited by: Jai Suryan

  • User roles and role mapping

    I've just started as an intern in a Change Management team that is helping to implement SD. My two tasks are to "develop SAP user roles specific to the new business processes" and "manage the role to position mapping for provision of security roles." None of the real employees in my team has ever done this, and my manager is now on three weeks' leave. I'm new to SAP and I don't really know where to start. Can anyone offer any advice, or point me to some references? Thanks.

    It's a pretty cold manager who will dump a task on an inexperienced subordinate without any guidance or mentoring, and then take three weeks off.
    Anyhow, you first need to get some insights as to what the expectations of the client are:  What type of users will there be?  What tasks will each user be responsible for carrying out?
    You also will want to collect a list of names of the actual users. Your Basis people will tell you which bits of data will have to be collected in order to create users on the system
    Next, you need to talk to the SD expert on your team about the solutions that will be implemented.  Quotes? Consignment? Scheduling agreements? Pricing? Customer Service? Marketing?  Customer Master? Material Master? The SD expert should be able to tell you at a very minimum which transactions should be made available.
    There are standard roles available delivered in the system.  These are pretty much un-usable as delivered, but they make a good starting point.  Review
    Once you have all the info needed from the client and your SD experts, you then design the supporting roles at a high level. I usually use an Excel Spreadsheet with two tabs:  One tab listing roles to be developed, with all the transactions and authorization object limitations for each one;  and another tab listing Users and the supporting data needed to create a user.  If you are a Basis expert, you already know the next steps.  If not, then you typically hand your designs to the Basis team for creation of the actual Roles.
    Good luck.  Remember not to treat your interns the same way you have been treated.

  • Role Mapping For Portal Role Assignment and ABAP Role Assignment

    - Under the GRC configuration of Roles> Role Mapping we are trying to utilize the  role mapping feature in GRC for associating a dependent role to a main role.
    - We want to use this role mapping feature for the purposes of adding an Enterprise Portal role for every ABAP role that gets approved for the user in an ABAP component system (i.e. ECC, BW, CRM etc). We will have a 1:1 mapping of Enterprise Portal role to ABAP role defined in the role mapping section in GRC.
    - We want to set up the workflow in such a way that the main role (ABAP role) is the only role that needs to be approved. The dependent role (Enterprise Portal role) should be added or not added based on the approval or denial of the main role (ABAP role). In other words if the role owner for the abap role approves the abap role, then both the abap and EP role will be provisioned by GRC and if the role owner rejects/denies the role, then neither the abap or EP role will be provisioned by GRC.
    Problem Description:
    Our Scenarios we tested:
    Scenario 1:
    Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
    Dependent Role:  Attached to Initiator B & workflow B (routes to auto approval or no approval)
    *Problem with the Scenario 1 setup above: the dependent role will always get approved & provisioned regardless of the approval or denial of the main role.
    Scenario 2:
    Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
    Dependent Role:  Attached to Initiator A & workflow A(routes to single approver (same as main approver) based on role)
    *Problem with the Scenario 2 setup above: the dependent role will always also need to get approved by the same approver as the main role, and it opens the possibility that the approver may accidentally approve the main role and deny the dependent role, which is not the ideal setup as we inherit the risk of human error.
    1. Does the dependent role need to be defined in an initiator at all, since it will never be directly requested?
    2. If the dependent role does need to be in the initiator file, please describe how to properly set up the initiator and workflow stage & path so that we can maintain the desired relationship with the main role approval dependency (if the role owner for the main role approves the main role, then both the main role and dependent role will be provisioned by GRC, and if the role owner rejects/denies the main role, then neither the main role nor the dependent role will be provisioned by GRC).
    Edited by: Rene Griffith on Feb 26, 2010 10:22 PM

    I tested this set up.
    1. Defined ABAP role as Main role
    2. Defined Non-ABAP role as dependent role
    3. ABAP role is set up in initiator requiring business approval.
    4. Non-ABAP role is set up in initiator with no approval required.
    Results Where Business Approver approves the ABAP Role
    1. Only the ABAP role is displayed in approver view which is desirable.
    2. ABAP role is approved, and both the Non-ABAP role and the ABAP role are provisioned.
    Results Where Business Approver rejects the ABAP Role
    1. Only the ABAP role is displayed in approver view which is desirable.
    2. ABAP role is rejected but the Non-ABAP role is provisioned, which is not what we want. We want the Non-ABAP role not to be provisioned if the ABAP role is rejected by the business approver.
    Thanks again for your help.

  • Common technical roles in different business roles in BRM & ARM

    Hi Gurus ,
    Some help please .
    We have the following situation with BRM & ARM role provisioning .
    In BRM we have for example two business roles setup (B1 & B2). We have in these two business roles a common technical role .
    E.g. B1 (has role T1 ,T2 )  , while B2 (has roles T1 & T3) .
    In our example a user already has role B1 (with T1 & T2) assigned. The user then needs access to role B2 as well.
    Since role T1 is common to both business roles, when a user makes a request, ARM sends them a notification saying that a duplicate role exists within the request (which they have to remove before continuing). This is confusing some users.
    My question is as follows: is there a way for the user to process the request without having the warning displayed & without having the duplicate technical role assigned?
    So essentially, they will get access to business roles B1 & B2 (but technical role T1 will not be assigned twice)?
    Your help is greatly appreciated .

    Hi AJ,
    Could you share the notification message that ARM generates? And what about the role T1 assignment:
    is it assigned twice in the user profile?

  • Cannot open cmc sap authentication - role and alias update failing

    I have two business objects environments. For two of them I am failing to login to a specific part of CMC.
    I want to go to the Authentication tab, SAP authentication. The page is not opening.
    I have on both environments 500.000 + Failed jobs. (settings - view global system metrics).
    I have the feeling my CRYSTAL user account's password has expired and the 500k+ failed schedules are due to the scheduled update of roles and aliases which is failing.
    Can anybody tell me how to cleanup these 500k events, and hopefully being able to access my sap authentication again (and update the password for crystal user? They cannot be deleted from instance manager.
    Any help is appreciated. Thanks!

    Dear Seb, I tried. No result. Let me share some screenshots to describe my issue.
    what did I also try: redeploying BOE webapplication. Without success.
    My question is: how do I remove these failed instances from the system? Because I think that is a start of the solution.
    .. the admintoos entry (from upgrade management tool) was still increasing... It runs awfully long.

  • Technical systems and Business systems in SAP XI

    Can anyone briefly explain the difference between Technical Systems & Business Systems?
    What are the steps to create a Technical System and Business Systems?
    And also the steps for creating Software Components? For a Technical System we can create more than one Business System; what does that mean? Can anyone explain?

    First I'll let you know with an analogy and the actual definition, as below.
    Any module of SAP like MM, SRM, FICO etc. combined into a logical system according to business requirements is a business system, which is actually hosted on an application server like ABAP AS or Java AS, which is basically a technical system.
    Technical systems are application systems that are installed in system landscape (a CRM server, for example). Most systems (Web AS ABAP and Web AS Java systems) automatically report information to the SLD about the elements that they contain by using the SLD data supplier programs. You need to manually register the following types of system only:
    Standalone Java systems
    Third-party systems
    Business systems are logical senders or receivers that exchange messages by using SAP XI and that are entered in the System Landscape Directory.
    The business systems in the System Landscape Directory relate to a system landscape.
    The business systems of business partners are not entered in the System Landscape Directory. To be able to address such business partners logically, use services in the Integration Directory. A business system is a way of specifying a service in the Integration Directory more precisely (business system service).
    You can also refer to these blogs:
    Re: Difference between Technical systems and Business systems
    For creation of software components see link
    Reward points if it helps you understand
    Message was edited by: Ajay Kumar

  • Is it possible to modify the tag structure tree and the role map via scripting?

    We use unstructured FrameMaker to produce training materials which we distribute as tagged PDF to meet accessibility requirements.
    When FrameMaker creates a tagged PDF, it does a fairly good job of populating the structure based on the PDF setup information for the paragraph formats in the FrameMaker documents. However, there are some limitations in the support that FrameMaker provides. For example, almost all paragraphs are assigned to the P role even if they are headings and should be mapped to H1-H6.
    We want to be able to easily post-process a PDF that has been generated from FrameMaker to fix some of the tag structure issues (including tag names and the role map) so that the PDF will provide the optimum experience for a user of the JAWS screen reader.
    I spent some time reading the SDK documentation but didn't find much information about manipulating a tagged PDF via the API, especially via scripting.
    Does anyone have any examples or references which explain how to do it?

    AFAIK, it's not possible with a script. You might want to ask in the SDK forum, as it could be possible with a plugin.

  • 20 technical tips and tricks to speed SAP NetWeaver Business Intelligence

    20 technical tips and tricks to speed SAP NetWeaver Business Intelligence query, report, and dashboard performance (note: for technical people).
    Dr. Berg


  • Problem with Security Role mapping and LDAP

    In Oracle Internet Directory I've created a group called OIDGroup1. OIDGroup1 has 2 users: OIDuser1 and OIDuser2.
    OIDGroup1 is mapped to EjbRole1 (a security role defined in ejb-jar.xml; EjbRole1 can do everything in the application). Now if I log in as OIDuser1 or OIDuser2, the application says that the user does not
    have authorization to execute some method. The mapping in my orion-application.xml is:
        <security-role-mapping name="EjbRole1">
            <group name="admin/OIDGroup1"/>
        </security-role-mapping>
        <jazn provider="LDAP" location="ldap://myhost:4032">
            <jazn-web-app auth-method="SSO"/>
        </jazn>
    If I modify orion-application.xml like this:
        <security-role-mapping name="EjbRole1">
            <group name="admin/OIDGroup1"/>
            <user name="admin/OIDuser1"/>
        </security-role-mapping>
    then login as OIDuser1 works. But it does not work with OIDuser2.
    That is a problem for me because our customer cannot manage the users/groups
    easily: each time they have a new user, instead of simply adding this user
    to OIDGroup1 (with the graphic interface of OIDAS), they have to modify
    Do you have any idea?
    Thanks in advance

    I found the bug : in LDAP I've got a user also called OIDGroup1 (the same as group's name).
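The root cause in the reply above is a name collision: a user and a group both called OIDGroup1, so the group reference in the role mapping no longer resolves to a single principal. The following is an added example, not code from the original thread or from OC4J/JAZN: it takes a constructed snapshot of directory entries and a constructed representation of the <security-role-mapping> and reports any principal name that matches more than one entry, along with the users that would actually receive the role. The `admin/` realm prefix handling, the entry shape and the `auditRoleMapping` function are assumptions made for the example.

```javascript
// Added example (not from the original thread): detect user/group name
// collisions that make a security-role-mapping principal ambiguous.

// Constructed directory snapshot. Names match the post; the fourth entry is
// the colliding user the poster found.
const DIRECTORY = [
  { kind: "group", name: "OIDGroup1", members: ["OIDuser1", "OIDuser2"] },
  { kind: "user", name: "OIDuser1" },
  { kind: "user", name: "OIDuser2" },
  { kind: "user", name: "OIDGroup1" },
];

// Constructed representation of:
//   <security-role-mapping name="EjbRole1"><group name="admin/OIDGroup1"/></security-role-mapping>
const ROLE_MAPPING = { role: "EjbRole1", groups: ["admin/OIDGroup1"], users: [] };

// Assumption: principals are written as "<realm>/<name>"; only the name is
// looked up in the directory.
function stripRealm(principal) {
  const idx = principal.indexOf("/");
  return idx === -1 ? principal : principal.slice(idx + 1);
}

// Return every directory entry with this name, whatever its kind.
function lookup(directory, name) {
  return directory.filter((e) => e.name === name);
}

// Audit one role mapping against a directory. A principal is ambiguous when
// its name matches zero entries or more than one (e.g. a user and a group).
// effectiveUsers lists who would hold the role if each reference resolved to
// the kind the mapping intended.
function auditRoleMapping(mapping, directory) {
  const ambiguous = [];
  const effectiveUsers = new Set();

  for (const g of mapping.groups) {
    const hits = lookup(directory, stripRealm(g));
    if (hits.length !== 1) {
      ambiguous.push({ principal: g, matches: hits.map((h) => h.kind) });
    }
    for (const h of hits) {
      if (h.kind === "group") h.members.forEach((m) => effectiveUsers.add(m));
    }
  }

  for (const u of mapping.users) {
    const hits = lookup(directory, stripRealm(u));
    if (hits.length !== 1) {
      ambiguous.push({ principal: u, matches: hits.map((h) => h.kind) });
    }
    for (const h of hits) {
      if (h.kind === "user") effectiveUsers.add(h.name);
    }
  }

  return { role: mapping.role, ambiguous, effectiveUsers: [...effectiveUsers].sort() };
}

// Convenience: the same directory with the colliding user renamed, which is
// the state the poster needed to get to.
function withoutCollision(directory) {
  return directory.map((e) =>
    e.kind === "user" && e.name === "OIDGroup1" ? { ...e, name: "OIDGroup1_user" } : e
  );
}

module.exports = { auditRoleMapping, withoutCollision, stripRealm, DIRECTORY, ROLE_MAPPING };
```

Running the audit on the snapshot flags `admin/OIDGroup1` as matching both a group and a user, which is exactly the condition that made the group mapping behave as if only the explicitly listed user had the role; on the corrected directory the mapping resolves cleanly to OIDuser1 and OIDuser2.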
