AC 5.3 Define role approvers based on System

Similar Messages

• AC10: Define role approvers based on system?

  Hi,
  we have a ERP landscape consisting of Dev, Test and Prod system.
  They all have the same roles, so we uploaded the roles into GRC10 to a landscape of those 3 ERP systems including role approver.
  However, we would like to provisioning to all 3 systems from GRC, but only for Prod there should be a role approver.
  Due to the same role naming:
  How can we differentiate that role A in system Dev and Test goes through without approver and in Prod has an approver. Is there a simple way to do this?
  We do not want to set up a different workflow for this.
  Thanks,
  Daniela

  Hi Anjan
  I'm very confuse with the creation of BRF+ rule and the MSMP rule.
  First, I created a BRF+ rule. With a table decision, but i dont know how to select the "result colum" as "Role Appover or role owner".  I selected the result colum with conditioning group, using the Conditing Group ID in Role owner definition in NWBC/Setup
  Then in MSMP i tried to created  a rule in the step two with error: "Select a valid rule id".
  could you help me with this dubt. Or maybe you can share with me material about role approvers and brf+ and MSMP.
  Thank you in advanced!!

• How to define role approver/owner - through condition id in ERM 10.0

  Hi All,
  We have created a BRF + rule for Role approver with Business Process & Function area by giving the Result value as Condition ID eg., Z001
  We have provided this condition ID Z001 - in Role Owners table [Under Set Up- Role Owners] and defined the role approver and assignment approver with the User details.
  Now when we are trying to create a role with the above attribute combination of Business Process & Function area - the role is not picking up the Role Owners automatically in Owners/Approver tab [In 5.3 we can maintain approval criteria where we can define the role owners/approvers based on different attributes].
  Are we missing any configuration setting here for auto pick up of Role Owners based on defined attributes from Role Owner table.
  Thanks and Best Regards,
  Srihari.K

  Hello All,
  Please help us , I am also struggling with same issue.
  Thanks in advance,
  Jagat

• Role Approval request not visible in Role Approvers ToDo tab

  Hi IDM Experts,
  We have implemented IDM 7.2 SP8 in our project. We have performed the basic configuration for Identity center and IDM UI. The initial load from CRM is also completed successfully.
  We followed the steps in guide https://scn.sap.com/docs/DOC-26322 to configure workflow such that in case role is requested to be assigned to user, the request goes to role approver(in his todo tab) for approval. The access will then be provisioned into backend CRM system on successfully
  approval. However, we are facing an issue where the Role approver does not get anything in "TODO" tab for approval. The request shows in "Pending" status and logs show that tthe request is pending approval, however, it never appears in role approvers queue.
  Kindly help on the issue. Please provide below information:
  1) We can check in logs that the request is pending approval. Is there any way we can check where is the request routed to and whoose approval is pending here if it did not goto "Role Approver" for approval.
  2) Any trouble shooting mechanism/tool available in IDM to debug issues like this.
  Thanks in advance for your help.
  Thanks and regards,
  Nitin

  Hi Nitin,
  How do you assign the role to the user? if it's trought IDM UI, you loggin with which user?
  There is a limitation on approval with SP08 : the requestor of the assignement can not be define as an approver.... but in this case the approval is automaticaly rejected by the system ...
  in which logs / table can you see that your request is "pending for approval" ?
  I also would recomand you to use the simple scenario "get approver from role/privs" of as krishna mentioned. (unless you need to do more custum actions)
  Besides, you can check approval entries and status in DB views :MXWV_ApprovalQueue ...
  Fadoua

• Business need to define credit limit based on material

  HI,
  Business need to define credit limit based on material,do we have option in SAP like this

  Hi,
  If you can consider the credit check deactivation at item category level, it is possible.  You can find a switch to deactivate credit check at VOV7.  If you can group such materials under Z item category, you can control those.
  But credit limit is not possible in standard.
  Regards,
  P Gomatheeswaran
  Edited by: Gomatheeswaran Palaniappan on Sep 22, 2011 12:21 PM

• How to define primary interaction based on hierarchy level

  I have a 3 level product dimension, such as brand, product type, and product. Now I want to define primary interaction based on the level. If click on brand or product type, it will be drill down. If click on product, it will be send master-detail. Since there is only one column for this dimension on the report when report is constructed, how can I apply different interaction based on the product level?
  Thanks

  iif you are trying to do a normal hierarchical drill down from brand down to product type down to product, and if they are defined so in your database, defining a normal hierarchy is suffice.
  iif you are trying to navigate to a different level in a hierarchy, do a pre-defined drill down.
  all the above options must be defiend in RPD.
  if your Q is not answered can you please elaborate further with the existing example.
  -bifacts
  http://www.obinotes.com

• Database design for Role/User based access to the application..

  We want to implement Role/User based access to the application.
  Can anyone tell me whats the optimized way of storing the data {User, Role, Access_Type etc} in the database.. The Roles might get added in the future so i dont want to maintain a single table to map User-Access_Type..
  Access_Type -->
  AT_1 | AT_2 |AT_N |
  ------- |------- |------- -|------|
  User_1 | | | |
  ------- |------- |--------|------ |
  User_2 | | | |
  ------- |------ -|--------|------ |
  I want to maintain a table which will map user with the Access_Type, which should be mainatained in a different table..
  Any help would be highly appreciated..
  Thanks in Advacnce,
  Shridhar..

  You find your answer here:
  http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html

• How to define roles for the reports that i have created using WAD?

  Hi all,
  Can anyone let me know how to define roles for the reports generated using WAD. And what is the procedure for creating and defining roles. Is this process take care of Bw consultant nor the basis guys.
  Can anyone let me know the entire procedure about the roles in bw 3.5
  thanxs
  haritha

  Following links might helps you
  create a role
  https://www.sdn.sap.com/irj/sdn/wiki?path=/display/bi/authorizationinSAPNWBI&

• CRM: PFCG Roles restricted based on Sales Organization

  Hi,
  I have a requirement in SAP CRM 7.0 to create roles restricted based on Sales Organization(locations). We have two Sales Organization XXX and YYY, for which users need to be restricted. I have used the following objects for this regard.
  CRM_ORD_OP,  CRM_ORD_LP, CRM_ORD_PR, CRM_ORD_OE,  CRM_BP_SA
  Every user has assigned a sales role in which the above objects are deactivated and separate roles with values to the objects, with respective Sales Org values for the objects CRM_ORD_OE,  CRM_BP_SA been provided. I have assigned these roles to respective users (User A with XXX, User B with YYY) based on their sales org locations. These users are positioned in the Organizational Model (PPOMA_CRM) under their respective Sales groups as per the requirement for the object CRM_ORD_LP, and authorization to this object is restricted to A for CHECK_LEV (Your Own Sales Organization). We use * for the objects CRM_ORD_OP and CRM_ORD_PR, as we do not control these.
  After restricting all these, we do not find that the result not appearing as we expect, that is, restricting the sales organization data. We need all accounts, all activities, all opportunities, all leads, all campaigns etc. should be restricted by Sales Org, but when we search for accounts, activities, opportunities, leads, campaigns, we get result list with all data without any restrictions. I even checked the following forum, http://forums.sdn.sap.com/thread.jspa?threadID=1579211, which talks about the same kind of issue, but as I have already using the same objects for the restriction, it didnt help me much. I tried deactivating object CRM_BP_SA as it is not discussed on the forum, also tried CHECK_LEV=A,B,C,D,E for object CRM_ORD_LP, but all results the same.
  Additional Info: When tried to create a project, with user A who is authorized for XXX, normally it would pick up the Sales Area Data for the project from the user (meaning User A from the XXX Sales Org.), but I get an error message: Enter a sales org, enter a dist. channel and enter an org unit etc. Even when I search for leads, it displays a list of data, when I click on any, it issues the error message: Enter a sales org, enter a dist. channel and enter an org unit (Sales) etc
  Is that we miss any object restriction that is not restricting these objects properly or is it any customization missing? Please advice.
  Thanks in advance.
  Regards,
  Shahul Hameed M
  BASIS Consultant

  Hi Shahul,
  I have a similar requirement as of yours.  I have maintained auth values, in role as below:
  CRM_ORD_LP
  03       ACTVT
  A        CHECK_LEV
  *         PR_TYPE
  CRM_ORD_OE
  03       ACTVT
  11       DIS_CHANNE   ( the user is assigned to this dstrbtion channel in org structure)
            SALES_GROU
            SALES_OFFI
  SO1   SALES_ORG
            SERVICE_OR   ( the user is assigned to this sales org in org structure)
  And, when I try to display the LEADs in CRM UI ...I still get the display of LEADs belonging to all sales orgs.
  And my trace record  for CRM_ORD_LP is....
  CHECK_LEV    ' blank '
  PR_TYPE          LEAD
  ACTVT               03
  that means, it is not considering the auth value ' A ' for auth field  CHECK_LEV
  Could you please let me know ...how you have achieved this restriction . Is there anything , i m missing here?
  Thank You

• Defining roles and access for OWB Designer

  Hi,
  Can i Define roles and access rights to different on 1 OWB Designer repository?
  I want to send my mappings for code review but i dont want them to log into the OWB designer with write access.
  How can i achieve this in the same OWB designer repository as the one i am using?
  I am using OWB 10.1.
  I found some table - WMP_USER_ROLES,WMP_GROUP_ROLES,WMP_GROUP_REPOSITORIES
  when i logged into the designer schema through sqlplus
  Thanks
  Sagar

  Hi Sagar,
  Yes you can do that. Basically you can create a db user, and then register the user with a repository. By default that user has all privileges, however it now is audited per user as to what he/she did. How to do this look at the doc (find SecurityHelper)
  To enable you to protect metadata there are a couple of strategies (implemented via a simple PL/SQL API). For an example (this one works with policies on the module level) take a look here (http://www.oracle.com/technology/sample_code/products/warehouse/files/Dev_Status_Policy.SQL)
  This would work as follows:
  - Create user REVIEW
  - Register user REVIEW to repos QA
  - For a module you want review for, set the status to QA
  Now the REVIEW user logs in and he can look at QA but cannot touch.
  Hope this helps,
  Jean-Pierre
  In your situation

• Error while trying to send a file through XI to SAP R/3 based OLTP system

  Hi all,
  I encountered with an error in the runtime workbench for the below mentioned scenario
  ERROR message
  <b>Unknown error: javax.ejb.CreateException: Neither messager server nor application server are defined for system IXI</b>
  SCENARIO
  The manufacturing system triggers an equipment failure. The failure message is sent through SAP Exchange Infrastructure (SAP XI) to the SAP R/3 based OLTP system,
  changing the equipment status to a failure state. This is achieved by triggering the execution of Remote Function Call (RFC) present in the OLTP system from the SAP XI integration server.
  Thanks and regards
  Jishi

  Hi Jishi,
  Please check the Receiver RFC communication channel in your integration directory.
  Check the logon parameters provided. From the error message, I guess there is no application server or message server provided, which is mandatory for XI to logon to the target backend R/3 system.

• Wireless Client PING-Based monitor system question

  Hi:
  I joined this forums because i need to recopilate info about a monitor system.
  So, i have a relative big wireless network and due to legal instances I MUST use a ping-based monitor system to see the status of my network devices and the final clients on wireless station.
  We developed a php linux-based system to make pings every 5 minutes to see if there is a host UP or DOWN. Everything works fine, the server is making the pings to the clients and MRTG generates graphic statistics.
  Reference image -> http://img103.imageshack.us/img103/9125/pingred0xq.jpg
  The problem is now I have received a notification to make a change on this system to send the pings FROM the clients TO the server and generate statistics.
  Is there any difference between making pings from the Client side to the server and viceversa? Does round-trip time is different maybe?
  What are the technicals issues on this system?
  I accept every critic, advice, suggestion, information, etc.
  PS: Sorry my poor english

  That's interesting. It sounds as if you may have a good reason for implementing this, but it would also seem to be an inefficient monitoring scheme. A polling interval of 5 minutes does not give that much granularity for statistics even if you are able to make it work from the client side. Also, you would need to centrally collect the statistics in some way. If it were me I would stick to a centrally based monitoring system. I make heavy use of the syslog capabiliy on Cisco access points since they log just about everything. You can even have a syslog monitoring system page you for something as small as dropped wireless connection if you want to go that far.
  Sorry if that's not much help, but I would definately have some people look at the big picture before implementing the proposed solution.
  Good luck with it.
  R Duke

• Connect SharePoint to SQL Server Database Then Build Rules Based Returns System

  Hello Guys,
  I work for an ecommerce business. We sell a wide range of products to customers all around the world which are ordered from our websites and then dispatched to our customers from our warehouses.
  I have been tasked with developing a computerised return system from the company because at the moment everything is done using paper forms.
  We have all our customer, order and product data within SQL Server databases.
  What I would like to know is...
  1. Can we connect sharepoint online to a local sql server database
  2. Could we then build searches within sharepoint to display data contained within these databases e.g. customer information etc
  3. How is the data presented in sharepoint - is there a way to design how the data is displayed within sharepoint etc?
  4. Can we then build a rules based return system within sharepoint? The on screen workflow would need to vary according to data contained within the database e.g. the weight if the product being returned and also on fields input by the service agent such
  as the reason for the return, what solution the customer would like etc.
  5. is it possible to build these workflows in such a way that they can be saved part way through then gone back to later
  6. Can reports be build based on the returns that are being generated e.g. list of products most commonly returned
  Sorry for all the questions, I am a bit of sharepoint novice. I think it may possible be able to do what we need but I just wondered if the answer to any of the above questions is definately a no because if it is that could mean it is not suitable
  Thanks

  You could use a BCS connection
  http://community.office365.com/en-us/b/office_365_community_blog/archive/2012/10/11/business-data-connectivity-services-in-office-365-sharepoint-online.aspx, this will allow you to edit data in your non SharePoint SQL DB, on premises, from Office 365 SharePoint.
  Search will index the web applications you point it at, and the lists from the BCS will be part of those web apps, site collections, sites at some place and will get indexed. 
  You can create views on the data, that can sort of work like a search, but when you search on the site where the lists are the query will return results based on the BCS data.
  These views can be based on criteria such as the weight of the product being returned and other fields.
  The data is presented as a list.
  You can make it read only or read-write based on SharePoint permissions on the list.  The account used to create the connection can edit.
  BCS is possible in on-premises SharePoint too
  here is a good read on it,
  http://www.dotnetcurry.com/showarticle.aspx?ID=632
  Stacy Simpkins | MCSE SharePoint | www.sharepointpapa.com

• Logon is not possible because you have not been assigned to a business role; please contact your system administrator

  Hi experts,
  I'm having a problem when our project approaching the end.
  If I assigned the business role in parameter CRM_UI_PROFILE and PFCG role in SU01.
  It works fine,and the user can logon the web ui.
  Now I created a new organization model and position,assigned the business role and user to the position.
     A PFCG role was also assigned to the business role:
  Then I removed all the roles and profiles in user master in SU01.
  The user can not login CRM WEB UI and the system raised "Logon is not possible because you have not been assigned to a business role; please contact your system administrator".
  Can anybody suggest what the problem is? Is there any other settings I should make?
  I suppose that,since the user was assigned to the position the organizational model, the system can determine the user's business role, and through the business role, the corresponding PFCG role can also be determined.
  Am I correct?
  Thanks.
  Jerry

  Jerry, yes, you're right.
  Let me point you to pretty good explanation right here: Logon is not possible because you have not been assigned to a business role; please contact your system administrator
  So business role determination is taken in three steps (you can observe them in class CL_CRM_UI_PROFILE_DETERM method LOAD_PROFILES):
  1. From user's parameter  CRM_UI_PROFILE (method LOAD_FROM_USER_PARAMETER);
       If  CRM_UI_PROFILE = * then the user needs to have S_DEVELOP authorization object with OBJTYPE = 'DEBUG' (debug authorization).
  2. If not found on previous step: From organizational management (method LOAD_FROM_ORG_MANAGEMENT)
  3. If not found on previous steps: Based on PFCG roles (method LOAD_FROM_PFCG_ROLE);

• Role Comparisons across Mutliple Systems

  Does anyone know an easy way to do a role compare across multiple systems?  Using the current SUIM reports only limits a compare between two systems.    Need to be able to look at the complete landscape from based upon a role.  Can SOLMAN help with this ?
  Any info or ideas would be great.
  Thanks

  Hi Mark,
  The best possible way is that you can schedule a job in every system which runs every 30 mins and it will do the user comparision for you in each of the systems. I have seen this working in one of my clients. For more information about this job you can search. Meanwhile let me check i can find the details for that job.
  Thanks,
  Avneesh