Trying to understand "User/Role/Profile Synchronization" and Batch Analysis

Hello,
Im trying to understand what exactly and from which tables these jobs are copying to which tables in CC. I have a understanding that these jobs are moving also deleted roles from backend. This is causing unnecessary delay to long lasting job. 
I would appreasite if some one could explain the logic behind these jobs. What the fullsync and incremental is reading ? What kind of changes are causing a role/user/profile  to be included to the full and incremental jobs?
How the incremental analysis logic is built ?
br Janne

Janne,
In my current implementation we are going for an offline risk analysis due to the heteregoneus system landscape of our client (several SAP and non SAP systems and several SAP systems under 4.6C). Eventhough within our approach we don't perfrom the backend synchronization (we use CC data extractor to pull data from backend into CC) hope the following info could hel you:
The tables such jobs you mention access to, are all the SAP backend system tables related with users, roles, profiles, action and permissions. If you check the data mapping appendix of the "user and configuration guide for 5.2" you will see all the data that CC retrieves. For instance, in order to extract user info (UserID, FName, LName, Email, Phone, Email, Department) tables USR21, USR02, ADRP, ADR6 and ADCP must be accessed.
In terms of CC tables:
VIRSA_CC_SYSUSR >> UserIDs and Systems ID relationship
VIRSA_CC_GENOBJ >> User, Role and Profile master data
VIRSA_CC_GENACT >> User-action, role-action and profile-action data
VIRSA_CC_GENPRM >> User-permission, role-permission and profile-permission
VIRSA_CC_SAPOBJ >> Action-permission
VIRSA_CC_OBJTEXT >> Objects descripcions (ACT, PRM, FLD, VAL, ORG)
Hope this helps.
Regards,
   Imanol

Similar Messages

  • User, Role, Profile Synchronization Job Fails

    Hi Gurus,
    When I am scheduling a job the User, Role, and Profile Sync. job fails giving an error
    "Cannot assign a java.lang.String object of length 53 to host variable 5 which has JDBC type VARCHAR(40)."
    This happens when the synchronization happens with a portal system. We dont have a ruleset for the portal system, So if I put in a "*", it includes this system and results in the error, If I manually select all other system, it works fine. Is there any way to remove this error so that I can schedule the jobs without having to select every system manually.
    Regards,
    Chinmaya

    Hi,
    As per my knowledge, in the Portal system, you should perform only user sync. Roles/profile sync will not work since portal will have workset roles.
    Please refer SAP Note 1168120, which may help you to understand the limitations
    Hope this helps!!
    Rgds,
    Raghu
    Edited by: Raghu Boddu on Nov 4, 2010 7:39 PM

  • RAR: Best strategy for users/roles/profiles synchronization

    Hi all,
    Assuming that:
    1) we will be never interested about profiles risk analysis (just users and roles)
    2) roles risk analysis will be run first and after sometime (threee weeks) we will run it for users.
    and we will run batch risks analysis:
    Question 1) Is it possible to synchronize just roles and do it for users just when we want to execute risk analysis for them? Or is a best practice to synchronize always for users/roles and profiles eventhough risk analysis will not be done for all three?
    Question 2) If we execute just full sync and full risk analysis, users/roles or profiles deleted in backend between executions are also deleted from DB? or removal takes place only when executing incremental sync?
    Many thanks in advance. Best regards,
      Imanol

    Hi Imanol,
    Answer Q1: Yes, you can just select user and roles for the snych and risk analysis. Go to configuration-background jobs - shedule job. If you don't run risk analysis for profiles, you shouldn't sync and select them.
    Answer Q2: Both, the Full risk analysis will alwaly update your DB. I will recommend you, to do this job in some periodic times. The incremental sync job will as well update your DB, if anything changed in the backend system. Normally your are going to run your daily or weekly jobs with this selection.
    Thanks,
    Martin

  • User, Role, Profile Synchronization - Full sync job

    I've scheduled this job and it's been running since feb 2. I understand that this job brings only the header data into CC tables. When I look at the CC log file.- It says Delete user XXXX from all tables. I checked the userid in the backend system it actually does not exist.

    Hi Partha,
    GRC RIG has created an accelerator "How to Performance Optimize SAP GRC Access Control 5.3" which provides step by step instructions to increase performance of AC 5.3.
    Please find the document at the following link on SDN.
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/90aa3190-8386-2b10-c4ba-ced67322ea6d?quicklink=index&overridelayout=true
    Hope this helps.
    Best Regards,
    Sirish Gullapalli.

  • Compliance Calibrator 5.2 user/role/profile sync

    I have run into an issue with a user.  Where the user is getting flagged as having risks associated in basis for having a combination of transactions.  Under CC it is saying that she has S_Develop Auth Obj with Activity 1 and 2.  However when we check the user in R3 all of her profiles and roles that have a Basis associated and have the auth object she has activity 3.  So the information is not synchornizing properly.
    Thanks for any help

    when was the last time you ran a user/role/profile synchronization or a batch risk analysis for this user ?
    In case you need more info, check : https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/50cd7177-5c22-2a10-8cba-8e0c64bc4ea8
    Regards.

  • Solution Manager 4.0 Solution Monitoring User -Roles-Profiles for Satellite

    Hi All,
    I have installed Solution Manager 4.0 (OS -Linux ,Database - DB2) .
    Now i need to connect solution manager to the R/3 4.6C
    Satellite Systems (DEV, QAS ,PRD) for Solution Monitoring
    and Service level Reporting .
    I have read the configuration guide , but unable to get clear idea .
    1) what users (alos type of user -Dialog , Service, Communication etc) do i need create in DEV , and Test in QAS  for solution Monitoring  .
    2) what exact roles /profiles need to be assigned to these users in satellite systems .
    3) what users/roles /profiles needs to be done in SOLMAN system
    i have applied all the required plug ins and support packs
    in satellite systems and solman 40 ..
    Please advice  . Your response will be a great help for me .
    Satish

    Hello Satish,
    Just clarify, if u have meant connecting the satellite systems for EWA reports to be precise. Early watch Reports. If its is the case, then repond so that i can putin my inputs which may be helpful for you in this config.
    Rgds,
    Sri

  • Function module to modify the user roles & profiles

    Hi All,
    I am working on user maintenance and i need a function module to modify the user roles & profiles.
    Thanks in Advance.
    Phani.

    i used the below fms
    BAPI_USER_ACTGROUPS_ASSIGN for assigning the roles.
    delete the profiles of the user qnd assign the profiles to the user:
    BAPI_USER_PROFILES_DELETE
    BAPI_USER_PROFILES_ASSIGN
    i used the above FMs for my requirement.
    Regards,
    Phani.

  • Trying to understand user load

    Hello all
    running Exchange 2013 sp1 CU8. CAS role are running on dedicated separate box from mailbox role.  To get a general understanding of user load on my CAS servers i am running perf mon using the below counter.  Is this a good counter to use that will
    give me a  general understanding on how much work the CAS servers are doing regarding user load?
    Web Service(Default Web Site)\Current Connections
    Shows the current number of connections established to the Default website which corresponds to the number of connections hitting the Front End CAS server role. Determines current user load.
    Bulls on Parade

    Hi skipster,
    Yes, this is a good counter to determine current user load, but not all. There are also some other user loads you should understand, like OWA, ActiveSync ..
    I recommend you refer to the following article, it will give you some hints about understanding user load:
    How many users are connected to Exchange per protocol?
    Best regards,
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
    Niko Cheng
    TechNet Community Support

  • Copy user roles/profiles : Su01

    Hello,
    I want to copy user roles /privileges from one user to other?
    how do we do this and which user can do this ? my pisuper does not seem to have authority to copy user profiles from one user to other?
    Thanks

    Try to Copy the user(Src user to Target user) from SU01 by logging in your user. When it displays authorization error, open a new Session  of SU53. It will tell you the missing authorization  objects. Add those authorizations to your user & you will be able to copy Users using ur userid.
    If you want to keep it simple.. Give yourselves SAP_All. You can do whatever you want.
    Copying Users
    http://help.sap.com/saphelp_nw04/helpdata/en/52/6711c5439b11d1896f0000e8322d00/content.htm
    Regards,
    Siva Maranani

  • How to create automatically users&roles in CUA and in chlid systems?

    Hi,
    i have a CUA on a 2 chlid R/3 systems (test and training) and 2 portal systems (test and training).
    i need to create a web application to create automatically users test and users training in CUA and see them in the R/3 chlid systems and at the same time to create autmatically a roles in CUA and R/3 chlid systems for those users (we sppose that the role is already stored in a table).
    are there any standard BAPI or Funcion modules that can do this job?
    is the role created automatically in CUA can be seen automaticall in the portal child system?
    any help?
    Thanks&Best regards

    You can use one of the various ways Java EE provides you, e.g. container managed authentication.
    It's also all in the Java EE tutorial: [http://java.sun.com/javaee/5/docs/tutorial/doc/bncas.html].
    You can configure it in the application server as well: [http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html].
    Here is an example how to use it in JSF: [http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/].

  • How to create automatically users&roles in CUA and child systems

    Hi,
    i have a CUA on a 2 chlid R/3 systems (test and training) and 2 portal systems (test and training).
    i need to create a web application to create automatically users test and users training in CUA and see them in the R/3 chlid systems and at the same time to create autmatically a roles in CUA and R/3 chlid systems for those users (we sppose that the role is already stored in a table).
    are there any standard BAPI or Funcion modules that can do this job?
    is the role created automatically in CUA can be seen automaticall in the portal child system?
    any help?
    Thanks&Best regards

    Thank you all. I got the solution.
    Regards
    Rajesh

  • XIUSER - Service users role/profile at R/3 system

    All,
    Currently, we have the following scenarios
    1) IDoc to XI to 3rd Party System
    2) 3rd Party System to XI to R/3 RFC
    3) R/3 RFC to XI to 3rd Party System
    These scenarios are working using service user XIUSER with SAP_ALL, SAP_NEW access at R/3.
    I would like to know the Roles needs to process the above scenarios.
    Thanks,
    Peter

    hi Peter,
    >>>>2) 3rd Party System to XI to R/3 RFC
    it depends what does your RFC do
    if you're posting MM transaction then you'll need MM roles if SD then SD, etc
    >>>>1) IDoc to XI to 3rd Party System
    SAP_XI_APPL_SERV_USER <-- user role on the XI
    http://help.sap.com/saphelp_nw04/helpdata/en/d4/d12940cbf2195de10000000a1550b0/content.htm
    Regards,
    michal

  • Error while scheduling Background Job for User/Role Full Synchronization

    Hi all,
    We have installed RAR 5.3 Component and uploaded the authorization data & established the connectors to the backend system.
    We have performed all the post installation activities and everything is complete.
    When we have scheduled User -Full Synchronization with the Back End system as  a part of Post Installation Activity we are receiving the below error message
    "Error while executing the Job:Cannot assign an empty string to host variable 2."
    Also the VIEW LOG/ Terminate Job buttons are disabled  in this screen.
    Can somebody please help us in resolving the above issue
    Thanks and Best Regards,
    Srihari.K

    Hi,
    We are copy pasting the error log (Part as it is huge) below here. We could able to do Full Synch for Roles and also for Profiles. Only for User Synch we are getting this error and none of the users are sychronized to RAR
    Jan 13, 2009 12:34:27 AM com.virsa.cscext.dao.CSCDAO populateGenObjUser
    INFO: Update user WILSONA of HL2-QAHR
    Jan 13, 2009 12:34:27 AM com.virsa.cscext.dao.CSCDAO populateGenObjUser
    INFO: Update user WINDC of HL2-QAHR
    Jan 13, 2009 12:34:27 AM com.virsa.cscext.dao.CSCDAO populateGenObjUser
    INFO: Update user WLADICHJ of HL2-QAHR
    Jan 13, 2009 12:34:27 AM com.virsa.cscext.dao.CSCDAO populateGenObjUser
    INFO: Update user WUK of HL2-QAHR
    Jan 13, 2009 12:34:27 AM com.virsa.cscext.dao.CSCDAO populateGenObjUser
    INFO: Update user ZENGS of HL2-QAHR
    Jan 13, 2009 12:34:27 AM com.virsa.cscext.dao.CSCDAO populateGenObjUser
    INFO: Update user ZHENGL of HL2-QAHR
    Jan 13, 2009 12:34:27 AM com.virsa.cscext.dao.CSCDAO populateGenObjUser
    INFO: All System Flag:false=====Last Batch Flag:true
    Jan 13, 2009 12:34:27 AM com.virsa.cc.xsys.bg.BatchRiskAnalysis loadUserData
    INFO: @@@ User sync completed for params true: Syskey List is [HL2-QAHR]
    Jan 13, 2009 12:34:27 AM com.virsa.cc.xsys.bg.BgJob run
    WARNING: *** Job Exception: Cannot assign an empty string to host variable 2.
    com.sap.sql.log.OpenSQLException: Cannot assign an empty string to host variable 2.
         at com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:85)
         at com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:124)
         at com.sap.sql.types.VarcharResultColumn.setString(VarcharResultColumn.java:57)
         at com.sap.sql.jdbc.common.CommonPreparedStatement.setString(CommonPreparedStatement.java:511)
         at com.sap.engine.services.dbpool.wrappers.PreparedStatementWrapper.setString(PreparedStatementWrapper.java:355)
         at com.virsa.cscext.dao.CSCDAO.updateIgnoredUserData(CSCDAO.java:1388)
         at com.virsa.cscext.dao.CSCDAO.populateGenObjUser(CSCDAO.java:1169)
         at com.virsa.cc.xsys.bg.BatchRiskAnalysis.populateGenObj(BatchRiskAnalysis.java:868)
         at com.virsa.cc.xsys.bg.BatchRiskAnalysis.insertBAPIUserData(BatchRiskAnalysis.java:142)
         at com.virsa.cc.xsys.bg.BatchRiskAnalysis.loadUserData(BatchRiskAnalysis.java:390)
         at com.virsa.cc.xsys.bg.BatchRiskAnalysis.performBatchSyncAndAnalysis(BatchRiskAnalysis.java:1275)
         at com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:402)
         at com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:264)
         at com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.scheduleJob(AnalysisDaemonBgJob.java:240)
         at com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob.start(AnalysisDaemonBgJob.java:80)
         at com.virsa.cc.comp.BgJobInvokerView.wdDoModifyView(BgJobInvokerView.java:436)
         at com.virsa.cc.comp.wdp.InternalBgJobInvokerView.wdDoModifyView(InternalBgJobInvokerView.java:1225)
         at com.sap.tc.webdynpro.progmodel.generation.DelegatingView.doModifyView(DelegatingView.java:78)
         at com.sap.tc.webdynpro.progmodel.view.View.modifyView(View.java:337)
         at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.doModifyView(ClientComponent.java:481)
         at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.doModifyView(WindowPhaseModel.java:551)
         at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.processRequest(WindowPhaseModel.java:148)
         at com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.processRequest(WebDynproWindow.java:335)
         at com.sap.tc.webdynpro.clientserver.cal.AbstractClient.executeTasks(AbstractClient.java:143)
         at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:319)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:713)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:666)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:250)
         at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
         at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
         at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Jan 13, 2009 12:34:27 AM com.virsa.cc.xsys.bg.BgJob setStatus
    INFO: Job ID: 13 Status: Error
    Jan 13, 2009 12:34:27 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
    FINEST: --- @@@@@@@@@@@ Updating the Job History -
    2@@Msg is Error while executing the Job:Cannot assign an empty string to host variable 2.
    Jan 13, 2009 12:34:27 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
    INFO: -
    Background Job History: job id=13, status=2, message=Error while executing the Job:Cannot assign an empty string to host variable 2.
    Jan 13, 2009 12:34:27 AM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob scheduleJob
    INFO: -
    Complted Job =>13----
    Please let us know how to resolve this error
    Thanks and Best Regards,
    Srihari.K

  • Cannot see BEx Query in user role profile in BEx query designer

    I assigned several BEx query objects into user profile menu via t-code PFCG first.
    Then expected - when I need and open them in BEx query designer I could find them after clicking "Role" button in  "Open" window. But unfortuantely I'm not able to do that.
    Do I miss anything to archive that? Is other customizing activity else neccessary?
    Thank you for any suggestion.

    Hi Brad.Ma,
    If you can open query from Area "button", after that, you publish it to roles you want assign.
    You try generate Authoriation in Role in Tcode PFCG.
    Hope help you to solve the problem.
    Dao
    Edited by: xuandao_sap on Sep 20, 2011 3:33 AM

  • Trying to understand capabilities of Flash Professional and Flash Builder 4

    I recently purchased the CS5 Master Collection and am struggling to understand the uses for Flash Professional and Flash Builder 4.  I was inspired by Jay Pavlina's Super Mario Crossover game and wish to make similar applications. 
    However, I am confused about whether I should be using Flash Professional or Flash Builder 4 or both?  I purchased the two books that Jay Pavlina recommended "ActionScript 3.0 Animation Making Things Move!" and "Essential ActionScript 3.0".  I've been trying to find resources that will help me understand exactly the purpose of each of these applications. 
    It appears to me that ActionScript 3.0 is used in both?  So which one should I be using?  Or both?  Or is one more design oriented and the other more development oriented?  Can one make flash game like Jay's using just one or the other?  Any help would be greatly appreciated.

    I thought about it a bit more. I think you should take my advice with a grain of salt. I am still standing behind what I said but there are some circumstances that we are not in control of.
    If your task is to be the beginning and the end of your code - don't bother with Flash IDE. BUT, if you plan to monetize on your Flash/ActionScript skills, you may not have choice but be familiar with as many environments as possible.
    Here is my personal experiense that illustrates this point.
    I always prayed to gods, chanted to mandalas and made offerings to spirits to avoid a single thing - not ever deal with custom Flash components. Rightly or wrongly I perceive them as one of the lamest Macromedia creations. I am not talking about SWCs but about this thing that you create with preview and all other crap. Above all, it did not (and still doesn't) make much sense to me from functionality standpoint.
    Anyway, as, I guess, a karmic retribution, I was dealt this card. I got involved in a project(s) where I was not told that my main task would be to, you are right, write and reverse engineer Flash custom components. If I did not know Flash IDE I would be totally lost. Custom components are so counter-intuitive that only people without programming background can view them as a convenience. Well, it is a convenience if they are written correctly.
    The point is that, if you want to make a career out of it, you should gradually get involved with Flash IDE for now. The truth is that there are tons of agencies out there that do not have resources to hire high level developers and they employ "drag n' drop, cut n' paste" individuals. And this is a real market segment. Even well seasoned development houses have to succumb to this reality and cater to such entities.
    It is your choice, of course, but I thought it wouldn't be fare to you to be very fascist about pushing my one-sided views.

Maybe you are looking for