ABAP Role Assignments stored in MSAD

Hi all,
Unfortunately I have only found contradictory information about the possibility of managing ABAP role assignments using MS Active Directory.
We plan to implement a WAS (ABAP) 6.40 SP14 and synchronise data between the WAS and the corporate MSAD. While WAS (ABAP) is not capable of MSAD-based authentication, I suspect it is possible to manage the user/role assignments in MSAD. Am I right in my assumptions (see list below) that the following data entities can/cannot be managed and synchronised/stored with the WAS (ABAP) out of the box?
WAS ABAP
1. possible - user master data (e.g. userName, address, etc.)
2. possible - user/role assignments
3. not possible - user passwords (however, can be bypassed through SSO based on NTLM)
Portal UME
1. possible - user master data
2. possible - user password
3. possible - role/group assignments
4. possible - group/user assignments
5. possible - user/group assignments
6. possible - user/role assignments
Thanks for the help!!
Cheers Stefan

Similar Messages

  • Mapping ABAP roles and assignments to EP UserGroups and EP Roles

    Hello.
    I have set up my EP7 UME to upload ABAP roles as Portal Groups. I'm expecting the ABAP role to user assignment to also reflect as EP Group to User assignment.
    All my roles that 'exist' in the ABAP source system are created in EP7 correctly as expected. However, only "direct" user to role assignments are uploaded. NONE of my "indirect" user to role assignments (i.e. via HR Org in the ABAP system) are reflected in EP.
    Qtn: Is there a way I can incorporate indirect user-role assignments into the upload into EP as well?
    Thanks
    Andrew
    ps: I have played with the HR org active switch in vain in the ABAP system

    Hi Kumar,
    Have you tested the connection of your R3 system?
    Do you want to connect to the ABAP UME? If so, do the following:
    1. Logon to the portal as administrator
    2. Go to:
       1. System Administrator
       2. System Configuration
       3. UME Configuration
       4. Click Modify Configuration
       5. From the drop down select ABAP system
    Fill in the details for your system.
    Click on the User Mapping tab
    Click on the reference system combo box and select the relevant system
    (in this case R3)
    Click on the 'Test Connection' button. If the test has been successful you should get a 'Connection test successful'. It is important to test the connection before saving otherwise this could cause you lots of problems!
    Thanks,
    Nick

  • Delete Role Assignments directly from an ABAP System

    Hi folks!
    I'm working on a synchronization job and I have a particular challenge: deleting roles assigned to a user in the ABAP system.
    Our use case is this: IDM is regarded as the authoritative source and as such if the user has a privilege in IDM, it should be in the backend. Easy enough!
    However, if the privilege is not in IDM but is in the backend, it needs to be removed. Is there a way to do this in IDM? From what I saw in the Framework, we are assuming that the role already exists in IDM.
    I suppose the workaround would be to assign and then remove the matching privilege in IDM, but I really don't like that at all, for a number of reasons.
    I looked in the Business Suite and plain ABAP portions of the framework. I'll take a more detailed look and also check the RDS, but I get the feeling this will be a toughie.
    Thanks for your help!
    Matt

    Hello Matt,
    so you want to remove locally administered roles?
    If the objective really is to undo the local administration, I would do this:
    Create a batch job; the passes would be a FromSAP, a ToGeneric and one/two ToSAP.
    At first a cleaning pass (the ToGeneric one) which fixes all incorrectly assigned privs (re-add directly or remove, depending on what you want/need). The source tab query and destination tab script have to be written though (I guess that is the most time-consuming part of the job during implementation).
    The pending privs have to be considered in the provisioning script (I would prefer our own written script over the SAP-delivered one anytime).
    Copy the Read ABAP pass for users. Remove everything but the logonuid and the role assignments (profile assignments too, only if needed). Maybe use a different table name like sap<repName>userAssignRecon. If the system is very large, this pass has to be optimized with filters.
    Copy the role provisioning pass from the in-use plugin (SAP or adjusted one) and adjust it like this:
    Source tab query: a query which selects all mskeys of users that have more assignments in the SAP table than in the link view. Use the Identity Store so everything of the identity is selected.
    Destination tab: remove the profiles as you haven't mentioned them. If needed I would do the same for profiles as for the roles in a second pass with the profileAssign table.
    Best regards
    Dominik

  • Provisioning of roles to ABAP system deletes role assignments in backend

    Hi all,
    following scenario:
    A user has role A in an ABAP system which is connected to IDM. The assignment of role A to the user is not in the identity store.
    Now you assign role B via workflow to the user and IDM provisions this new assignment to the ABAP system.
    What will happen is that the user will get role B but the assignment of role A will be deleted.
    This happens because in the job "SetABAPRole&ProfileForUser" the connector attribute "roles" will only consist of the role assignments which are in the identity store. All assignments in the ABAP system which are not yet in the IDS will be overwritten.
    This behaviour can be very critical. If you still allow role assignments directly in the backend system and you read these assignments e.g. once a day into the IDS, but in the meantime assignments have been done via workflow, you will lose data.
    My customer wants to assign roles both directly in the system and also by workflow. Every night an ABAP update job runs which writes new assignments to the IDS.
    Do you have any idea how I could solve this? Is there a way NOT to overwrite assignments with the ABAP connector field "roles"? I tried to use the multivalue operator but this didn't do the trick.
    I hope I was able to describe my problem properly and you have answers...
    Best regards
    Jörn Kaplan

    No, there is no way to avoid IdM replacing the role assignments in ABAP with the current assignments as known by IdM. IdM is the master!
    This is not directly an issue of IdM: the standard BAPIs in ABAP (up to release 7.0) offer "replace all role assignments" but not "add role assignment" or "remove role assignment".
    However, there exists an exception: role assignments in ABAP which are created indirectly by an HR-Org assignment are not touched by IdM. (These role assignments are shown in blue in transaction SU01.)
    See http://help.sap.com/saphelp_nw70/helpdata/EN/50/e9683c5de8676fe10000000a114084/frameset.htm for details.
    Kind regards
    Frank Buchholz
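Reconciliation logic for the two threads above (Matt's backend-only assignments that IdM should remove, and Jörn's assignments that a replace-all provisioning run would silently drop), as an added example that is not code from the thread or from SAP IdM. Assumptions: the link view and the sap<repName>userAssign read table are modelled as constructed arrays, privileges are named PRIV:ROLE:<repository>:<role>, and the read pass flags HR-Org (indirect) assignments with an "indirect" field.

```javascript
// Added example (not from the thread, not SAP IdM code): reconcile IdM's
// link view against the role assignments read from one ABAP repository.
// Assumptions: privileges are named PRIV:ROLE:<repository>:<role>, and the
// read pass marks HR-Org (indirect) assignments with an "indirect" flag.

// Constructed sample of the IdM link view (user -> privilege).
const idmLinkView = [
  { mskey: 101, user: "JDOE",    privilege: "PRIV:ROLE:ECC:Z_SD_CLERK" },
  { mskey: 101, user: "JDOE",    privilege: "PRIV:ROLE:ECC:Z_ROLE_B" },   // role B, assigned via workflow
  { mskey: 102, user: "ASMITH",  privilege: "PRIV:ROLE:ECC:Z_FI_VIEW" },
  { mskey: 102, user: "ASMITH",  privilege: "PRIV:ROLE:BW:Z_BW_REPORT" }, // other repository, ignored for ECC
  { mskey: 103, user: "NEWHIRE", privilege: "PRIV:ROLE:ECC:Z_BASIC" },    // not in the backend yet
];

// Constructed sample of the sap<repName>userAssign read table for ECC.
const sapUserAssign = [
  { logonuid: "JDOE",   role: "Z_SD_CLERK",    indirect: false },
  { logonuid: "JDOE",   role: "Z_ROLE_A",      indirect: false }, // role A, assigned directly in SU01 only
  { logonuid: "JDOE",   role: "Z_HR_ORG_ROLE", indirect: true },  // via HR-Org, shown in blue in SU01
  { logonuid: "ASMITH", role: "Z_FI_VIEW",     indirect: false },
  { logonuid: "ASMITH", role: "Z_FI_POST",     indirect: false }, // backend-only
];

// Map a privilege name to an ABAP role name; null if it is not a role
// privilege of the given repository.
function privilegeToRole(privilege, repName) {
  const parts = privilege.split(":");
  if (parts.length !== 4 || parts[0] !== "PRIV" || parts[1] !== "ROLE") return null;
  return parts[2] === repName ? parts[3] : null;
}

function emptyBackend() {
  return { direct: new Set(), indirect: new Set() };
}

// Per user: what a replace-all provisioning job would send (replacePayload),
// what it would silently drop (backendOnly), what IdM would add (toAdd) and
// the HR-Org assignments the ABAP BAPIs leave untouched (indirectUntouched).
function reconcile(linkView, sapAssign, repName) {
  const idm = new Map();     // logonuid -> Set of roles IdM wants
  for (const row of linkView) {
    const role = privilegeToRole(row.privilege, repName);
    if (role === null) continue;
    if (!idm.has(row.user)) idm.set(row.user, new Set());
    idm.get(row.user).add(role);
  }
  const backend = new Map(); // logonuid -> { direct: Set, indirect: Set }
  for (const row of sapAssign) {
    if (!backend.has(row.logonuid)) backend.set(row.logonuid, emptyBackend());
    const entry = backend.get(row.logonuid);
    (row.indirect ? entry.indirect : entry.direct).add(row.role);
  }
  const report = {};
  const users = [...new Set([...idm.keys(), ...backend.keys()])].sort();
  for (const u of users) {
    const want = idm.get(u) || new Set();
    const have = backend.get(u) || emptyBackend();
    report[u] = {
      toAdd: [...want].filter((r) => !have.direct.has(r)).sort(),
      backendOnly: [...have.direct].filter((r) => !want.has(r)).sort(),
      indirectUntouched: [...have.indirect].sort(),
      replacePayload: [...want].sort(),
    };
  }
  return report;
}

// The "source tab query" of the cleaning pass: users with more direct
// assignments in the SAP table than in the link view.
function usersWithExtraAssignments(report) {
  return Object.keys(report).filter((u) => report[u].backendOnly.length > 0);
}

// Audit what a replace-all run would drop, to review before the job is released.
function lossAudit(report) {
  return Object.entries(report)
    .filter(([, r]) => r.backendOnly.length > 0)
    .map(([u, r]) => `${u}: replace-all would drop ${r.backendOnly.join(", ")}`);
}

console.log(JSON.stringify(reconcile(idmLinkView, sapUserAssign, "ECC"), null, 2));
console.log(lossAudit(reconcile(idmLinkView, sapUserAssign, "ECC")).join("\n"));
```

Run the audit against the read table before the nightly ABAP update job and the provisioning pass, so that directly assigned roles (role A here) are either imported into the IDS or consciously removed rather than lost.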

  • AD LDAP for Authentication but ABAP or IDM for Role Assignments

    Hi Portal Gurus,
    Is it possible to configure the UME in such a way that it connects to the AD for authentication purposes but uses the CUA or SAP Identity Manager for role assignments?
    Thanks,
    Vibhu

  • Role assignments not set in ABAP but IdM indicates OK status

    Hi,
    We went live with IDM 7.2 SP8 last month. We have started to see issues with Business Role assignments in target systems. Generally, BR assignments are parsed to respective privileges and assigned correctly. Sometimes privileges in one target will get assigned but not in another target. Occasionally assigning privileges to one target does not get through either. In all cases the IdM assignment is marked as 'OK', but when we check the backend the assignment is not there. Log entries don't show any jobs triggered for the target that failed to update (and consequently there are no log entries in that target either). But why would IdM mark the specific privilege as 'OK' status -- it should either remain 'Pending' or 'Failed' but certainly not 'OK'.
    This effect is inconsistent -- it works correctly at times and fails at others -- with increasingly more failures. There is nothing different about the users or environment. We see this in ECC, BW, GTS, etc. We have 36 prd and non-prd linked systems. Initially we thought this only affected prd systems as BRs only have prd privileges and the PRD targets are load-balanced. For non-prd systems the assignments are direct privileges, not BRs, and they are not load-balanced. We are now seeing this behavior in all environments for BRs or direct privilege assignments, in prd and non-prd targets.
    Since BRs have approvers we cannot remove BRs and re-assign in production. So for non-prd targets we have removed the privileges, those that indicated 'OK' but did not get set in the target, and reapplied -- the privileges get deleted successfully without any corresponding job being triggered and then when we re-add them the assignment goes into 'OK' status without any job being triggered.
    When we tried assigning another user the same privileges it went through fine to the target and IDM marked 'OK' -- exactly as it is supposed to work (non-prod privileges have no approvals).
    We are not able to reproduce this in our DEV environment -- the targets are non-load-balanced. The assignments work consistently, both BRs and privileges.
    Has anyone seen such behavior by IdM?
    Thanks for your thoughts.
    Ashok

    Hi,
    Thanks for the suggestion. But ours was a different problem.
    The issue was with a faulty reconciliation job that had been fixed. But it had done its damage before the fix and this caused the inconsistent behavior.
    During the reconciliation job (to update changed and add new backend roles in IDM) various task trigger attributes get disabled and then re-enabled after the import. These disabled triggers did not get re-enabled for the privileges on some systems. And the reconciliation job was also delta enabled, so only new privileges, after the initial load, should have been impacted. But impact to many privileges -- all privileges of some target systems -- misled our investigation. The timing of the reconciliation job executions kind of added to the confusion and inconsistencies during the initial setup. But we finally tracked this down and wrote a custom job to fix the triggers for only the affected privileges. Assignments to all systems started to function successfully as expected.
    Best regards,
    Ashok

  • J2EE roles vs Portal roles vs ABAP roles

    (I also posted this on portal implementation, but I hope I receive more reactions here)
    Dear all,
    I have a question about the information on the following link:
    http://help.sap.com/saphelp_nw2004s/helpdata/en/4c/6c0f40763f1e07e10000000a1550b0/content.htm
    It says the following:
    "These functions are intended to assign users and their assigned portal roles a corresponding role in the SAP System. This corresponding role (authorization role) contains the authorizations needed to execute certain functions from the portal."
    1. These "...certain functions..." they talk about, can someone give an example of these functions?
    2. Is it possible for example to create a role in the portal that gives a user authorisation for starting transaction SE80 in the backend system? Without making the role in the backend first and uploading it to the portal.
    3. It's also possible to upload ABAP roles to the portal. Is the main reason for this that users can see their SAP menu (or part of it) in the portal? Or does this have other advantages too?
    4. I'm very confused about the relation between J2EE roles, portal roles and ABAP roles. Is it possible to manage the roles for a user in one place, without having to do certain actions in the portal AND the backend system?
    From what I've read on help.sap.com, you always need to do certain actions in both places.
    A possible approach is the following (from what I know): creation of roles in the R/3 system, without assigning them to users. From a Web Dynpro application, a user can then be created and roles can be assigned: portal roles (via some API) and R/3 roles (via BAPIs).
    I hope someone can give a bit of information on this issue. I've done a lot of reading on help.sap.com, but it's still an abstract issue for me.
    Kind regards,
    Joren

    Hi Joren
    Re: point 3. I don't build portal roles through this mechanism as I don't believe in replicating the SAP easy access menu inside the portal. If there are some specific functions (transactions) that I want to run inside the portal, then I might use this mechanism to build the iViews once. I would rather start an iView that runs transaction SMEN and let the user see their regular easy access menu.
    Please note that the speed of executing transactions in the portal isn't a function of the portal, but the fact that you are using ITS, for example, to web enable the transaction...
    Re: point 4. Groups are a UME concept. They have nothing to do with ABAP groups. They can be created directly in UME through user administration functions, or they can be created in the LDAP and then they are visible in the portal. If the UME points to an ABAP system, then the ABAP roles are automatically visible as UME groups. Groups created in the UME need to have the members assigned through user admin functions of the Java engine. Groups stored in LDAP are maintained using LDAP admin tools. There are upload utilities that allow you to maintain LDAP users and groups through text files. Google LDIF for more details.
    Roles on the portal need to be built in the portal content directory. As Michael mentioned, this can be automated by the use of the role upload function built into the portal.

  • SAP R/3 : Indirect Role assignments - Is position unique to every user?

    Hi.
    While I am exploring/learning SAP R/3 roles and authorizations, I would appreciate it if I could get clarity on the following:
    This link on SDN on indirect role assignments is very informative.
    http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/f03e6f6c-8c16-2a10-1581-ed8812e2effe
    This link is also more explanatory : http://my.affinitext.com/public/book/5442/-1/1423831
    So if my understanding is correct, it is better to assign roles indirectly by position, so that if an employee's position changes, his role can be removed, based on position again? And somewhere we are linking with infotype 105.
    My only doubt is: if we are going to assign roles by position and remove the roles by position, so that as the position of an employee changes, the previous roles become null and void and new roles can be assigned as per the new position.
    So I would like to know:
    whether this position number which we see from PA20 is unique to every user on the system?
    So that, if there is a need to remove a role based on position, we could remove the role from PO13;
    by doing that, will it not affect other users?
    Can somebody help me understand this.
    Because if I want to see the effect immediately, if I go to PFUD, put in the role name and execute, I see that the role which was removed from PO13 is gone immediately from the user.
    Many thanks
    Indu
    Edited by: Indumathy Narayanan on Nov 22, 2011 9:25 AM

    GOT IT THANKS.
    Hi Prashant.
    Good morning and wishes.
    Can you please help me understand this.
    I understand from the HR person that a position is uniquely defined (from hire to retire)
    and roles are generally given based on position.
    However, I see a person whose roles have been assigned as per position all these years.
    He had 2 roles in project A. He has now moved into a different project B.
    But when I check, I still see the roles reflected in SU01 as well as in the user tab of role X under PFCG.
    BUT when I check PO13, put in the position / relationship and say overview,
    I don't see the roles at all there.
    Why is this so? Why the discrepancy on different screens?
    Also, how can I get confirmation that these roles are actually removed and are not there for the user?
    Rather:
    How could the removal of roles based on position become completely effective on the system,
    so that all screens display the same information?
    Also I would like to know whether it is ok to remove the role expiry date directly from PFCG / Role Display / user tab / select user
    and then make the role invalid or expired, or extend the expiry.
    Many thanks.
    Indu
    Edited by: Indumathy Narayanan on Dec 7, 2011 12:09 PM
    Edited by: Indumathy Narayanan on Dec 7, 2011 1:42 PM
    Edited by: Indumathy Narayanan on Dec 7, 2011 5:17 PM

  • Abap role in the enterprise portal?

    Can anyone give me a clear picture about the enterprise portal and the ABAP role in that?

    Hi, when there is an integration between EP and R/3 and you click on the User Administration of the Portal you will find two types of users available there.
    1. UME Database - this is nothing but the Portal Roles; here you will find all the roles related to portal administration, such as eu_role, eu_corerole etc.
    We assign portal developer roles to the user from here, like Content Admin, System Admin, etc.
    2. ABAP Role: whatever roles are defined for the user in the backend will appear here...
    For instance, if you implement ESS, the user must be able to apply for Travel, so a backend R/3 travel role will be attached in SU01 for that user. This is visible on the portal.
    Hope this clarifies!
    Cheers!
    SJ.

  • How to find the user - role assignments in the database for EP6 SP9?

    L.S.,
    We have a quite specific requirement: to see which users have access to our portal environment (EP6 SP9). It does not immediately matter (though would probably still be nice to know if possible) which roles users have exactly.
    I've been looking in the database to find user-to-role assignments there, but I'm unable to find any. The closest I got is the PID field in the UME_STRINGS table, but users remain listed there even when all their portal roles are revoked afterwards. Any ideas?
    Kind Regards,
    Steven Dijkman

    hi Steven,
         Sorry but you will have to write some code. The following lines of code will work for you.
    // Imports needed by the snippet (UME API, package com.sap.security.api)
    import com.sap.security.api.IRole;
    import com.sap.security.api.IRoleSearchFilter;
    import com.sap.security.api.ISearchResult;
    import com.sap.security.api.IUser;
    import com.sap.security.api.UMFactory;
    import java.util.Iterator;
    // ... inside a portal component method that declares or catches com.sap.security.api.UMException
    IRoleSearchFilter rolefilter = UMFactory.getRoleFactory().getRoleSearchFilter(); // empty filter = all roles
    ISearchResult result = UMFactory.getRoleFactory().searchRoles(rolefilter);
    while (result.hasNext()) {
        String rolestr = (String) result.next();              // unique ID of the role
        IRole r = UMFactory.getRoleFactory().getRole(rolestr);
        response.write(r.getDisplayName());
        response.write("<br>");
        Iterator users = r.getMembers(true);                   // true: include members inherited via groups
        while (users.hasNext()) {
            String userstr = (String) users.next();           // unique ID of the user
            IUser user = UMFactory.getUserFactory().getUser(userstr);
            response.write(user.getDisplayName());
            response.write("<br>");
        }
    }

  • Error messages in ABAP program are stored in which table

    hi all,
    Can anyone tell me
    in which table the error messages of an ABAP program are stored?

    Hi Sir,
    Please have a look below. I hope it is a suitable and simpler solution for your question.
    Please do reward if useful.
    Thanks.
    Function module for storing error messages -> 'FORMAT_MESSAGE'
    for example...
    DATA: v_message(100) TYPE c,
          it_messages   TYPE TABLE OF bdcmsgcoll WITH HEADER LINE.
    " it_bdcdata (the batch-input data table) is assumed to be filled beforehand
    CALL TRANSACTION 'NNNN' USING it_bdcdata MODE 'A' UPDATE 'S' MESSAGES INTO it_messages.
    LOOP AT it_messages WHERE msgtyp = 'E'.   " the BDCMSGCOLL field is MSGTYP
      CALL FUNCTION 'FORMAT_MESSAGE'
        EXPORTING
          id   = it_messages-msgid
          lang = it_messages-msgspra
          no   = it_messages-msgnr
          v1   = it_messages-msgv1
          v2   = it_messages-msgv2
          v3   = it_messages-msgv3
          v4   = it_messages-msgv4
        IMPORTING
          msg  = v_message
        EXCEPTIONS
          OTHERS = 1.
      WRITE: / v_message.
      CLEAR v_message.
    ENDLOOP.
    Another method:
    Here is a sample of the program code for that:
    LOOP AT it_messtab.
      CALL FUNCTION 'FORMAT_MESSAGE'
        EXPORTING
          id   = it_messtab-msgid
          lang = it_messtab-msgspra
          no   = it_messtab-msgnr
          v1   = it_messtab-msgv1
          v2   = it_messtab-msgv2
        IMPORTING
          msg  = g_msg
        EXCEPTIONS
          OTHERS = 0.
      IF it_messtab-msgtyp = 'S'.
        it_sucess-sucess_rec = g_msg.
        it_sucess-lifnr = it_header-lifnr. " Based on your field
        it_sucess-tabix = v_lines.
        APPEND it_sucess.
      ELSEIF it_messtab-msgtyp = 'E'.
        it_error-error_rec = g_msg.
        it_error-lifnr = it_header-lifnr.
        it_error-tabix = v_lines.
        APPEND it_error.
      ELSE.
        it_info-info_rec = g_msg.
        it_info-lifnr = it_header-lifnr.
        it_info-tabix = v_lines.
        APPEND it_info.
      ENDIF.
    ENDLOOP.

  • How to upload ABAP roles in Portal 6.0 N/W ABAP + Java

    Hi ,
    I have portal 6.0. How can I see the ABAP roles in the portal? I know some backend system needs to be configured. Please write it step by step. I can create users in the portal which are replicated in ABAP.
    I have gone through some forums but did not get the answer.
    Regards
    Atul-

    Thanks for your reply... I am new to Portal. In the document you sent me I did not understand where to configure the backend system. Please let me know where I configure the information below in the portal:
    When you create a system with a connection to an ABAP-based backend system, you must maintain at least the following property categories and properties:
    Property Category: Connector
      - Group
      - Logical System Name, e.g. QWACLNT100
      - Message Server
      - SAP Client
      - SAP System ID
    Property Category: User Management
      - Logon method
      - User mapping type (if you want to take advantage of user mapping)
    Property Category: Internet Transaction Server (ITS)
      - ITS Description, e.g. qwa_its
      - ITS Host Name
      - ITS Path
      - ITS Protocol
    I appreciate your reply...
    Regards
    Atul

  • Participant 'userx' does not have role assignments in process '/ProcessP

    I am using Oracle BPM 10.3 MP2 Enterprise Edition
    Version: 10.3.2
    Build: #100486
    Have a process ProcessP and role RoleR.
    User 'userx' is assigned to role 'RoleR', when he tries logging into the workspace,
    getting exception message in page as below:
    "Participant 'userx' does not have role assignments in process '/ProcessP#Default-1.0'. This error usually takes place when the Process Execution Engine has not re-synchronized with the Directory Service. Try re-logging and executing the task again. If the problem persists, contact your Administrator"
    Tried deleting the user 'userx' from process admin and re-creating the user and gave role 'RoleR' but still the issue persists.
    This is working for other user 'usera', 'userb', 'userc' etc.
    Any suggestions.
    Thanks in Advance.

    Is a restart of the engine server on which ProcessP is deployed the only solution, since the error message shows up as 'Process Execution Engine has not re-synchronized with the Directory Service.'?

  • UME problem - ABAP roles not showing up in UME

    Hello,
    I'm having a problem where the ABAP roles (UME groups) for my PI system are not showing up as assigned to a user in the UME. The roles assigned to the user do not reflect the roles (UME groups) that are on the ABAP side. But other users are showing up fine. The user is shown to have only the standard basic roles.
    This works fine on my development and AS system.  Any help would be greatly appreciated. Thanks.

    Hi George,
    There is a 30 minute delay before these roles/groups show up in the Java system. Could that be the problem in your case?
    See the documentation: http://help.sap.com/saphelp_nw70ehp1/helpdata/en/45/af3ac012d32e78e10000000a155369/frameset.htm
    -Michael

  • Documentation for PI ABAP roles

    Hi all,
    is there general documentation for the PI ABAP roles? I assume something like this:
    - User should access J2EE Adapter Engines / SOAP Adapter (used for sending a web service to PI from a 3rd party application) --> necessary role abc
    - User should be able to process Alerts in Alert Inbox --> necessary role def
    - User should be able to create repository objects --> necessary role ghi
    - User should be able to create scenario objects in the integration directory --> necessary role jkl
    What I still don't know is which ABAP role is used for which purpose. We'd like to assign minimal roles to the users.
    BR
    Holger

    Hi,
    Check in this link:
    http://www.erpgenie.com/sap/netweaver/xi/xiauthorizations.htm
    For alerts refer this:
    The following predefined user roles are available for customizing and administration:
    • SAP_BC_ALM_CUST for customizing authorization.
    • SAP_BC_ALM_ADMIN for administration authorization. The administrator has the authorization for all activities. He or she can also read and confirm alerts for other users. In addition, the administrator can execute report RSALRTPROC to delete, escalate, and deliver alerts as well as to delete logs.
    • For the sending of alerts via external communication methods (e-mail, sms, fax) and for inbound processing, an RFC user has to be created on the central alert server with the role SAP_BC_ALM_ALERT_USER. The authorization objects contained in this role are S_OC_SEND and S_RFC.
    • Accessing alert inbox the userid has to have the role SAP_XI_MONITOR.
    • SAP_ALM_ADMINISTRATOR - Alert Management Administrator. Give these rights.
    Refer to the SAP_XI_ADMI topic and see the roles.
    http://www.erpgenie.com/sap/netweaver/xi/xiauthorizations.htm
    Refer link for user roles: http://help.sap.com/saphelp_nw2004s/helpdata/en/74/03b140ade49c2ae10000000a155106/content.htm
    Roles needed for IR and ID:
    Role: SAP_XI_Developer
    SAP_XI_DEVELOPER (Composite)
    SAP_SLD_DEVELOPER
    SAP_XI_DEMOAPP
    SAP_XI_DEVELOPER_ABAP
    SAP_XI_DEVELOPER_J2EE
    Role: SAP_XI_Configurator
    SAP_XI_CONFIGURATOR (Composite)
    SAP_SLD_CONFIGURATOR
    SAP_XI_BPE_CONFIGURATOR_ABAP
    SAP_XI_CONFIGURATOR_ABAP
    SAP_XI_CONFIGURATOR_J2EE
    SAP_XI_DEMOAPP
    Regards,
    Nithiyanandam
    Edited by: Nithiyanandam A.U. on Feb 18, 2008 2:31 PM
