Access Enforcer - REMOVE roles/existing roles inoperant

Hello
After some time using the capability to ADD and REMOVE roles when creating a request on Access Enforcer (using the option 'Existing Roles' to REMOVE), now Access back to the screen to ADD always that we try to access 'Existing Roles'.
So, the function to REMOVE roles are inoperant.
Any ideas what It cold be?

Hi,
When you open a changing access request it's possible to add new roles and remove existing roles from the user, right?
However, the option to remove roles (which is accessed through the 'existing roles' button) is not working longer.
When that option is accessed, it's not showed anymore the current user's access: the screen returns to the add roles option.
I haven't found any setting for the feature to remove roles and still don't know how that option, previously used in other requests, is not working for anyone else.
Regards
Heverton Kesseler

Similar Messages

Upload of role in Access Enforcer 5.2.

Hi All,
I need to upload roles in Access Enforcer from SAP ECC system. Actually i have uploaded the roles in Access Enforcer, but all unwanted roles have also got uploaded.
Now i need some way, first to clean entire uploaded roles & then upload selected roles.
Please suggest.
Thanks & Regards,
Pravin

Hi Pravin,
Here are the steps:
1) Download all the roles into an excel spreadsheet:
Go to configuration -> Roles- Search roles -> Click on 'Export' button. This CUP, go to 'Search Roles'. Click on 'Search' button without providing any search criteria. This will return all the roles available in CUP. Now, click on Export button. CUP will export all the roles into Excel spreadsheet in the format which CUP understands.
2) Delete all the roles from CUP: Now, in the same screen as above, select all the roles and delete them.
3) Delete not needed roles from spreadsheet and upload it into CUP:
Now, delete all the unwanted roles from CUP and play with the spreadsheet to manipulate other parameters like role approvers, systems, business process etc and upload that spreadsheet into CUP.
Regards,
Alpesh
SAP GRC Manager (PwC)

CC 5.2 - Risk Analysis on existing roles

Hello,
When I submit a change request via AE 5.2 in order to add a role to an existing user,
does CC 5.2 perform the risk analysis to the user corresponding roles (existing roles + new one) or only for the role to be added?
Thank you for your answer.
Abderrahim

Hi Abderrahim,
Yes. It will perform a risk analysis with the existing roles + newly added role. You should enable this in the CUP.
Go to Configuration --> Risk Analysis -> Set the default risk analysis level.
Regards,
Raghu

Access Enforcer Role Import - Reaffirm period

Hello
What does the following terms mean;
last reaffirm
reaffirmperiod
We current upload roles into AE, with last reaffirm as current date, and reaffirmperiod of 60 which means 5 years.
Can someone please explain what these terms mean, because many roles have reaffirm periods that end in 2010.
Thanks

Hi Prakas,
Reaffirm period ( in months ) is the duration after which you would like the Approver of the Role ( Role Owner /Role Approver ) to get notified on which all user in SAP has access to that Role and Does he want to continue giving that role to them or wants to remove that Role from all of them or any one of them .
He would get the details on which Role requires Reaffrim at following location :
In AE 5.2 ; login with Role approver id ( eg ABC ) into AE .
In tab Access Enforcer > Reaffirm .
A list of All the roles of which ABC is apporver and which require re-affrim would display here.
ABC can now take approriate action by selecting the role name.
*Last reaffrim * is the date when the Role was Reaffrim /revisited/reassgined last.
In your scenario you have given Reaffrim period = 60 which means your Role Owner would get the Role in his Reaffrim inbox after 5 years .
This is not best practise . For security reason , SAP advices to keep the Reaffrim period to a maximum of 2 months.
I hope this answers your query .
Thanks
Jasmine

Access Enforcer - Role Reaffirmation

Hi,
Access Enforcer offers a role <-> user assignment reaffirmation after a defined period.
My question is, what happens if using the Remove or Hold button in the Role Reaffirm menu entry.
I tried removing the access, but all that happens is the user entry is marked as "Remove".
Should an automatic Request for the role removal be triggered or what's the purpose of these two options?
Thanks,
Daniela

I answered the question myself.
Hold will keep the role in the queue to reaffirm.
Remove will automatically remove the role from the user once all user-role assignments have either been affirmed or removed.

Access Enforcer(error in approving the request) and import roles

Dear all,
error in approving the request at security stage(last)
manager and role owner are successfully approved.
and also importing roles into access enforcer was not successful.
imortstatus : 0 roles imported of 28 records found.
please find the system log:
2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.messaging.MessageFormatter : parseDesc :   : INTO the method : desc :Please specify a file to import.paramNames :paramsMap :{FIELD_NAME=#_!FIELD_NAME#_!}
2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
2008-09-05 13:02:28,234 [Thread-47] DEBUG

In Addition to my previous response:
I meant to include the following:
Some of the fields that need to be properly defined with attributes are:
       System: must have the know SAP system defined here
       Role Approver (i presently are using most of the roles without having need for approval; I created a user called NOAPPRV in AE)
       Functional Area: need to have all the areas defined that roles will be assigned to
       Company: I only have one company so that's an easy one
Some areas I presently do not use but found they must ne coded and coded properly:
       ResponsibilityID:   N/A (coded as is)
       CommentsMandatory: NO (coded as is)
       Parent Role Owner:   NO
       Business Process: NA (I believe I originally coded N/A and it did not like that)
       Sub Process: NA (again N/A I believe error on me)
       Reaffirm Period: presently I am using 0 (zero)
       LastReaffirm: presently using 12/31/9999
Hope this helps a bit
I wanted to include an attachment with a sample of my Role Import spreadsheet but I'm not sure exactly how to do that; if I figure that out or someone can provide me the process I will include it
Jerry Synoga
Ryerson Inc.
630-758-2021

Access Enforcer Import Role Automation

We would like to automatically import roles from SAP.
We do know that you can use Role Expert which in itself can be used to automate the import. However, we still have to manually import into AE - even if RE is used as the role source.
Is there a way to periodically automate the import from either SAP or RE because it does not make sense to have to manuall import roles every time a new role is created in SAP.
Thanks

Actually, it does make sense.
One of the prime features of Access Enforcer is that you don't import all the roles, but just the ones you want users to be able to request.
For each of the roles, it's useful to put them into some kind of category (functional area, business process, sub-process), which makes handling for users a lot easier, and you have to assign approvers.
One way to do that is to use an Excel spreadsheet and manage the data there. Easy to use and update, and quick to upload into AE.
Kind regards,
Frank.

Access Enforcer and Import Roles

Hi All,
I am having issues importing roles that have the exact same name across different systems. This makes it almost impossible to implement Access enforcer across Dev/QA and Production environments at once. I would have thought that AE uses the (System ID, role name) as the key for that particular table used.
Has anyone managed to find a workaround for this?
Cheers,
Cuneyt

Nevermind i have solved the problem.

Making existing roles watertight for HR data

Hello,
I hope to get nudged in the right direction in here. I already descended pretty much to the end of my rope and ... well ... I need some more rope
The situation is like this - I inherited everything that has to do with maintenance of authorizations on our system half a year ago, the guy that did that before me is no longer in the company (so there's no use in asking what he was thinking (if anything) when he was putting the roles together). Documentation is scarce/non-existing. When it exists it's usually not up to date. I'm not exactly a newbie in authorizations field, but at the same time I'm not really that far away from being a newbie yet, so I'm not beyond listening to basics being pointed out to me.
The Utopia:
There are five single roles built for all users of our system (say R1, R2, ... , R5). They're supposed to build on one another, R1 being the basic role, R2 having a couple more authorizations than R1, and so on until R5 which is the role that also has all HR authorizations.
The Reality:
The roles have been designed in a hurry and from the top down starting with the sap_all profile and removing some (or most of the) CA, BC and HR authorizations. They were not properly tested. They do not derive from one another in any way ... R2 for example is a complete copy of R1 with some additional objects and values, same for all the others. Every problem needed to be fixed five times, once for every role. That of course resulted in chaos, things got changed just in one place and the basic role suddenly got more powerful than all the rest. These roles are in use in the production system and there are no plans to substitute them with something better in the very near future.
The Problem:
Suddenly (yeah, right ) the need arose to have these roles watertight with regard to HR data. I did some rudimentary testing and sure enough they're nowhere near watertight even for the most common HR transactions. There are ranges defined in S_TCODE for which I have no idea why they are as they are, there was access to SA38 given where SAP HR programs with no authorization group (and no transaction code) assigned could be run by everyone ... there's god knows how many other security holes. The only help I got from the HR consultants was the list of all 2000 or so HR transactions (taken from the SAP menu tree) which shouldn't be accessible to a normal user. I suspect I might be in need of a typing monkey to check them all five times
Question:
How do I close as many security holes in these roles as possible? What's the strategy when dealing with such tasks? I've made it clear to the management that we probably won't have watertight roles if we don't create new ones, but making a set of new roles created properly from the bottom up is out of the question at this moment.
I'd be extremely grateful for any advice or if anyone could point me to any kind of documentation about making roles like ours more secure for protecting HR data (and also keeping the users away from any BC stuff).
In the meantime, I'm off to searching through the archives of the forum.
ursa

Mopping the floor with the water running is a spot on description
Actually we're in the process of setting up new and improved authorizations but (of course!) the testing phase turned out to be much more time consuming than anticipated. No surprise to me, however someone obviously thought authorizations are a matter of defining roles and their menus and the system does everything else by itself. Riiight.
What I did so far - first I educated myself on the specifics of HR authorizations. I never had to deal with those before, so (for example) it was a surprise to me that there's actually a separate SAP course dealing with HR authorizations Then I compared the existing roles to each other like you suggested and figured out a way that allowed me to do all the modifications with least amount of work. I cleaned most of the infotypes out of P_ORGIN and (to cover my behind), adjusted the ranges in S_TCODE to exclude the 2000 HR transactions our HR consultant listed for me.
Most importantly - I made it clear to the guys above me, that with the roles we use I can't guarantee HR data to be inaccessible for people who should stay away from it. So ... back to the testing of the new authorizations
Thanks for your help! It always makes a huge difference to get something like a second opinion when one can't decide if left is better than right or if it's the other way around.
ursa

Receiving an error when trying to remove P00 Security role from the user

Hi All,
I am receiving an error when trying to remove P00 Security role from the user.
After logging on to GRC CUP, clicking on u201CCreate requestu201D, and filling out required information,
I click on Select Roles/Groups
On the next screen,
I click on Existing Roles/Groups
ERROR MESSAGE appears X Action failed and no roles appear in the box to select for removal.
Regards,
Vineet

Hi Vineet,
My be your selection is incorrect
Try this
in Applicaiton Area -- Select ALL
Functional Area -
Select ALL
Company -
Select ALL
Role/Profile/Group Names --- Give p00* and execute the report
if you give only p00 it wont give any result
Hope this helps
Thank you,
Kishore

Provisioning Allowed and Allow Auto-provisioning YES Role exists No

Hello,
I am unable to select the roles while submitting the user provisioning request.
The role additional details are set Yes for Provisioning Allowed and Allow Auto-provisioning
But Role exists is showing No; i have tried updating the roles in many ways, everything is getting updated except this paricular field.
Could you pls help me ...
Regards,
Sumanth

Hello Sumanth,
Can you successfully generate roles using the role generation option?
I have the same issue but I presently have issues with generating single roles ONLY as posted on this thread - "Illegal tcodes" error during the role generation phase of ERM in AC10
...so I am thinking it is becuase I can't generate single roles that is why the roles are not displaying. However, I can view the roles in other environments like risk analysis but not at the point of access request provisioning. It tells me no roles are available.
I sure hope someone will be able to help us out.
Thanks

Error when clicked on "Existing roles/groups" button in CUP

Can you guys please help in resolving the following issues I am facing currently.
CUP reports an error saying " Action failed" when clicked on "Existing Roles/Groups" button in CUP request form.
Below is the log
2010-03-25 10:21:16,762 [SAPEngine_Application_Thread[impl:3]_2] ERROR com.sap.mw.jco.JCO$Exception: (127) JCO_ERROR_FIELD_NOT_FOUND: Field EXP_ROLES_FLAG not a member of INPUT
com.sap.mw.jco.JCO$Exception: (127) JCO_ERROR_FIELD_NOT_FOUND: Field EXP_ROLES_FLAG not a member of INPUT
     at com.sap.mw.jco.JCO$MetaData.indexOf(JCO.java:9566)
     at com.sap.mw.jco.JCO$Record.setValue(JCO.java:14956)
     at com.virsa.ae.service.sap.RoleProfileDAO.findRoleProfByUser(RoleProfileDAO.java:110)
     at com.virsa.ae.search.bo.SearchRolesBO.searchExistingRoles(SearchRolesBO.java:580)
     at com.virsa.ae.search.actions.SearchRolesAction.loadExistingRolesHandler(SearchRolesAction.java:1610)
     at com.virsa.ae.search.actions.SearchRolesAction.execute(SearchRolesAction.java:372)
     at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
     at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
     at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
     at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
     at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
     at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
     at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
     at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
     at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
     at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
     at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
     at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)

Hi Anand,
"Action Failed" error for "Exisitng Roles/Groups" comes up when Support Pack level of frontend(JAVA) and backend(ABAP) RTA are not synchronized. It happens mostly with HR RTA.
Please follow the SAP Note below to make sure your SP's are in Sync.
Note 1352498 - Support Pack Numbering - GRC Access Control
Best Regards,
Sirish Gullapalli.

Assigning and un-assigning the existing role to the existing participant

Hi,
My requirement is to assign the existing role to a participant and after doing some particular things un-assign that role from that participant
I am using oracle bpm 10g .
Any idea ?
Thanks

session as DirectorySession = DirectorySession.currentEngineSession
theRole as RoleAssignment = RoleAssignment.create(role : DirOrganizationalRole.fetch(session : session, id : "MyRoleName"), permissions : 95)
     dirHum as Fuego.Fdi.DirHumanParticipant = DirHumanParticipant.fetch(session : session, id : "MyUserId")
     curRoles as RoleAssignment[]
     curRoles = dirHum.rolesAssignment
          curRoles[] = theRole
          dirHum.rolesAssignment = curRoles
          update dirHumTo unassign the role, just remove the role from the 'curRoles' array.
HTH,
-Kevin

New Org Level impact in existing roles

Hi,
I would like to set/create 2 fields as organizational levels. For example KLART and DOKAR. Checking these I realized there is a big amount of roles "affected" by this change.
Because I plan to use the organizational level only for new roles , I would like to know which impact could have this change for existing roles, should one modify the existing roles after creating the Org Levels ? or in contrast they still work as always an no changes / adjustments is needed?
Thanks and regards
FedeX

Thanks Bernhard,
I have a question
As I mentioned before my goal is that the existing roles keep working after running that program... and do not want to perform any adaptation....only if there is a real error that avoid work correctly.
In these 2 cases the role will keep working properly ( I mean restricting in the way that it uses to do).
1) In case field is copied to the Orglevel area after running the program and the value(s) will stay in both places (OrgLevel and Original place)
2) In case field is NOT copied to the Orglevel area after running the program but the value still in the original place .
right?
Thanks
FedeX

Discoverer 4i error msg "A database role exists which confilcts with this username"

When I try to open workbooks -> from database, I get a Discoverer 4i error msg "A database role exists which confilcts with this username" with only an "OK" button in the window. The database works fine for Discoverer 3.1. After clicking on the OK button, I get an empty list of workbooks to open. If I create a new workbook & try to save it, I see the list of dozens of workbooks in the database.
Which role is it complaining about? How can I fix this?
null

What you will have to do is log into the database as a user with DBA priveleges, query the DBA_ROLES table (SELECT * FROM DBA_ROLES) and see what role exists that has the same name as the user you are logging in as... that should give you a direction to either rename the role, or the drop the user and recreate with a unique name... Good Luck!
<BLOCKQUOTE>quote:<HR>Originally posted by William Sheridan ([email protected]):
When I try to open workbooks -> from database, I get a Discoverer 4i error msg "A database role exists which confilcts with this username" with only an "OK" button in the window. The database works fine for Discoverer 3.1. After clicking on the OK button, I get an empty list of workbooks to open. If I create a new workbook & try to save it, I see the list of dozens of workbooks in the database.
Which role is it complaining about? How can I fix this?
<HR></BLOCKQUOTE>
null

Access Enforcer - REMOVE roles/existing roles inoperant

Similar Messages

Maybe you are looking for