Access Request "Model User" - Role Type "Role" disabled in "Select Model Access" screen.
Hi All,
I am implementing GRC AC 10.0 - ARM for provisioning in SAP R/3 and Enterprise Portal systems.
While using "Model User" access request, I find that UME portal groups are coming as disabled and are not available for selection in tab 'Select Model Access'.
Also only Type "Single Roles" appear for assignment or selection in the "Model User" form. Type "Role" appears disabled.
Request help, thanks.
Regards,
Piyush.
Thanks all for the suggestions but issue persists.
I ran repository object sync in full sync mode for the portal system.
I re-imported the portal groups.
Still as earlier while using "Model User" request, I can see the groups with the reference user but it is grayed out and not available for selection.
The other three scenarios (Access request, Copy Request & Template) work fine. In those request I can select the portal groups as well.
Similar Messages
-
GRC10 Access Request give dump when slecting role
Note
The following error text was processed in system ACS : Unable to interpret YES as a number.
The error occurred on the application server ch01erp9001_ACS_06 and in the work process 9 .
The termination type was: RABAX_STATE
The ABAP call stack was:
Method: ON_BROWSE_COLLECT_SELECT of program /1BCWDY/KHXHSW01UB84G8JOLL8O==CP
Method: ON_BROWSE_COLLECT_SELECT of program /1BCWDY/KHXHSW01UB84G8JOLL8O==CP
Method: IF_WDR_COMPONENT_DELEGATE~WD_INVOKE_EVENT_HANDLER of program /1BCWDY/KHXHSW01UB84G8JOLL8O==CP
Method: INVOKE_EVENTHANDLER of program CL_WDR_DELEGATING_COMPONENT===CP
Method: FIRE_EVENT of program CL_WDR_COMPONENT==============CP
Method: IFWDR_INTERNAL_API~RAISE_EVENT of program SAPLWDR_RG_PROXY_FACTORY
Method: IF_COMPONENTCONTROLLER~FIRE_GRAC_BROWSE_COLLECT_EVT of program /1BCWDY/KHXHSW01UB84G91MXG7Q==CP
Method: RETURN_SELECTION of program /1BCWDY/KHXHSW01UB84G91MXG7Q==CP
Method: IF_COMPONENTCONTROLLER~RETURN_SELECTION of program /1BCWDY/KHXHSW01UB84G91MXG7Q==CP
Method: ONACTIONOK of program /1BCWDY/KHXHSW01UB84G91MXG7Q==CPHi there,
If it is type RABAX_STATE, then you will probably find further information in transaction ST22 since it is an ABAP error.
I would check this and then look at the underlying code. It might be a system bug which is fixed through an SAP note or might benefit from an ABAP'ers eyes.
Simon -
No Roles In Access Request - GRC 10 SP06
Hello Experts ,
With GRC 10 SP 06 ,I am facing strange issue .In Access request when I search for roles to be assigned I am not getting any result .
I have performed all post installation system and same working with SP 05 in other landscape .
Important steps like running back ground jobs for user.role.profile synch role import all is done .
Thanks & Regards
AshishHi,
You have hit a similar problem I faced after moving to SP06.
What is the value assigned to the "Role Status"? If it is not "Production/PRD", then Access request doesn't allow it to be displayed as a selectable option for assignment. Prior to SP06, this was not checked, but SP06 got updated to ensure roles that are not in Productive use status can not be assigned for usage.
Once you change this status over in the roles you wish to make available for assignment via Access Request, you should be able to search and select them.
Hope that helps. -
How to notify the selected user of a role.
Hi,
Currently I have GP Role Approving Officer link to the EP Group : ApprovingOfficer and GP Role Applicant link to EP Group: Applicant. I have also tag a list of EP user to the EP Group accordingly.
Whenever the Applicant submit a request via Web Dynpro, the Applicant can select a list of person who of the ApprovingOfficer Group from a dropdown list in WD UI. Once the Applicant submits the request, there will be a task pending in the ApprovingOfficer GP Runtime.
I want only the task to be pending only for that selected person of the ApprovingOfficer instead of all the person which is the current case.
For example,
Role - ApprovingOfficer consisting user A, user B and user C
If I am from dept A, the WD UI will displayed user A and user C for selection. Whenever, I select user A, I would like the pending request entry to be reflected in user A GP Runtime only.
how to I do that? can advise?
thank you.Hi cocomo,
This is possible. In GP design time, now I think you are assigning the EP Groups at the block level (for each action). That is the reason the request is send to all the users (approvers) in that group and they all will see it as pending task in their inbox.
You have to pick the users dynamically at runtime. For this you can follow these steps.
1. When the Initiator selects his approver from the dropdown list of webdynpro UI (It should be a portal ID), capture it from the current context element and expose it into GP Context as an attribute say DynApprover (in complete method.... before this you have to define an attribute DynApprover in getDescription also).
2. In GP Design time at the block level, instead of assigning the roles directly, make it dynamic -
>
-- Select the Process and click on Roles Tab.
-- Select the Administrator, Overseer, Owner roles manually and leve it as "Initiation Defined" as Role Type
--Change the Approver's Role Type to "Runtime Defined" (Select this option from the drop down in RoleType column).
-- Select the Approver's Block and click on Roles Tab.
-- In the Processor of Approver's Action Choose the GP Attribute (that you have filled with dropdown value and exposed already) from the dropdown list of the "Filled from context Parameter" Column.
Let me know if you need any clarifications and I am sure it can be made to work....
Regards
Ramesh -
Hi,
I have a requirement in which I have to assign couple of email ids to the "Manage Access Request" field to process site access requests. And, this is possible using server object model but I have to achieve this on SharePoint Online with the help
of CSOM.
There are two properties which control the access request configuration, first is "RequestAccessEnabled", a Boolean flag which turns on or off the access request feature for the site. The second property defines one or more email addresses where
requests will be sent to. It is named "RequestAccessEmail".
The above both properties are available for server object model but not for CSOM.
So, is there any other workaround or way to achieve the sane in CSOM?
Thanks,I don't think there is a programmatic workaround for SharePoint Online. But the email address is just used for Notification. Anyone with Manage Permissions can approve Access Requests. If you create an email distribution list for the multiple
addresses that should be notified you should be able to add the email address for the distribution list into the Access request email field using the user interface.
Paul Stork SharePoint Server MVP
Principal Architect: Blue Chip Consulting Group
Blog: http://dontpapanic.com/blog
Twitter: Follow @pstork
Please remember to mark your question as "answered" if this solves your problem. -
Assigning Users to a Role in a BPM Task
Hi,
Is it necessary to have User Admin access to add Users to a Role in a BPM Task ?
Is there any work around to it ?
Regards,
UtsavHi Utsav,
Yes you require User Admin role to search and add UME Users.
A workaround can be using the 'Use an Expression' :
User: getPrincipalByUniqueName(string uniqeName,"user")
Role: getPrincipalByUniqueName(string uniqeName,"role")
Regards,
Unni -
Create users , roles, link roles to users
Hi Experts,
how do we create users , roles and link roles to users in oracle discoverer?
If they are the users created in the oracle database, how is discoverer access given to them? EUL5_EUL_USERS has the list of the users and roles for discoverer.
thanks.Hi User,
Below is the document link step by step process how to give access to end-users here is the topic Viewer and Plus Access with E-Business Suite
http://ascbi.com/thirdparty_documents.htm_
Hope it helps you.promptly award points here is the link http://forums.oracle.com/forums/ann.jspa?annID=939
By,
KK -
Email content in GRC access request
Dear Experts,
Can any one let me know from where GRC access request email content is picked up which creating creating throught access request.?
I.e when ever the requestor creating request, the manager will get an email( and in my scenario the email document is maintained in document maintenance(se61 tcode) ). Now i need to prefix user full name in email content(which the manager receives) with Mr./Ms.
Thanks
KatriceHi,
My issue is resolved my enhancing the method GET_NOT_VARS_AND_ATTACHMNTS( ) of class CL_GRFN_MSMP_NOTIFICATION
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""$"$\SE:(1) Class CL_GRFN_MSMP_NOTIFICATION, Method GET_NOT_VARS_AND_ATTACHMNTS, End A
*$*$-Start: (1)---------------------------------------------------------------------------------$*$*
ENHANCEMENT 1 ZGRC_EMAIL_TITLE. "active version
DATA: lw_fullname TYPE string,
lw_variables TYPE grfn_s_msg_variable,
lw_logsys TYPE logsys,
lw_system_id_temp TYPE string,
lw_user TYPE grac_user,
lw_return TYPE int4,
lW_user_details TYPE grac_s_user_detail.
SELECT SINGLE logsys INTO lw_logsys FROM t000 WHERE mandt = sy-mandt.
IF sy-subrc = 0.
lw_system_id_temp = lw_logsys.
ENDIF.
READ TABLE et_variables INTO lw_variables WITH KEY name = 'USER_ID'.
IF sy-subrc EQ 0.
lw_user = lw_variables-value.
TRY.
CALL METHOD cl_grac_ad_access_mgmt=>get_user_detail
EXPORTING
iv_system_id = lw_system_id_temp
iv_user = lw_user
IMPORTING
ev_return_code = lw_return
es_user_details = lw_user_details.
CATCH cx_grfn_exception . "#EC NO_HANDLER
ENDTRY.
ENDIF.
READ TABLE et_variables INTO lw_variables WITH KEY name = 'USER_FULL_NAME'.
IF sy-subrc EQ 0.
CONCATENATE lw_user_details-address-title_p lw_variables-value INTO lw_variables-value SEPARATED BY space.
MODIFY et_variables FROM lw_variables index sy-tabix.
ENDIF.
ENDENHANCEMENT.
*$*$-End: (1)---------------------------------------------------------------------------------$*$*
Thanks
KH -
Is it possible (and if so, how) to automatically approve Access Requests
SharePoint 2013 (we are using SP 2013 On-Prem.) provides the ability for users to "request" access to a site, or for Site Members to "share" content with users outside of the current site users. In both cases, however, the request
for access/sharing is added to the hidden list Access Requests, and a notification sent to the Site Collection Owner/Administrator, who must then "approve" the request before access is actually granted to the outside user.
We have a use case where we would like to have any access requests (specifically those initiated by Member users to share content with non-site users) automatically approved. We still want the Access Request list to track all the requests, but we want
to somehow set all requests to Approved as soon as they come in, so that the Site Owners/Admins do not become a bottleneck where it takes time for access to be granted.
Is there any way to accomplish this without the need for custom code?
I tried leveraging a SPD-based workflow, but there are not properties on Access Request that seem to represent the Approved/Declined selections available in the Request user interface, so there does not appear to be a way (at least via workflows) to set
a request to approved.
Any ideas/thoughts on how to maybe accomplish this?Don't think there is a way to do this OOB.
--Cheers -
Access sequence of the output type ?
HI All
where can i set the routine in access sequence of the billing document output type?
rewards will be given
regards
pinalhi,
<b>assigning access seq to o/p type</b>
tcode: NACE-> select V3 -billing> click output types.>now select RD00->click the bino ikon whick in the top, this is take u inside RD000-> here u will find access sequence-->here u can assign
<b>assigning processing routines</b>
In the same procedure-> click processing routines on the left hand side->here u will find the form routine column
hope this helpd u
regards,
Arun prasad -
Access Request Creation - Role or System Required at Creation
Hi - We are installing GRC 10.1 SP6. When I create a request it is forcing me to include at least one system or role. Is there a system setting that I'm missing to not enforce the requirmenet to add either a system or a role at the time you create a request?
This is not a huge deal to me as I created templates that include the systems we provision to by default. However, if I don't need to include a system or role at time of request creation I would prefer that this requirement be turned off.
Thanks,
RichHi Richard,
additionally to what Colleen has already mentioned you can set up the provisioning configuration in the way that you don't have to select a system in the access request. So basically a requests requires either a system or a role. Most of the time (best practice) users select a role without a system. Personally I also recommend that way as the system comes with the role automatically.
In the global provisioning configuration (SPRO > AC > User Provisioning > Maintain Provisioning Settings) you have to define that the user gets created when the role gets assigned.
Alternatively, as you would like to remove both, you can check if it is workable via the request type settings. I don't have a system to test, but you might be lucky. Remove the "Assign object" action from the request type and check if it is still mandatory to add at least one assignment.
SPRO > GRC > AC > User Provisionign > Define Request Type
Please let me know if this helps.
Regards,
Alessandro -
GRC 10.0 SP 14 access request form displays unassigned roles
Dear experts, when I open the Access Request form and I select a user, and then I click on existing assignments, I am shown a list of roles and systems assigned to this user. However, when I go to those corresponding backend systems to see if the roles are actually assigned, it turns out that they are not. I have rerun all the sync jobs and they all completed successfully. Auto provisioning works on all these systems and there are no issues in terms of the RFC. However, as indicated by the attachments, it continues to show rules that were unassigned from this user some time ago. where might these assignments be coming from?
Hi Santosh,
did you run the repository object sync job in full mode for this connector? This has mostly to do with outdated sync information as you can also see in the following note:
http://service.sap.com/sap/support/notes/1667112
Please check again.
Regards,
Alessandro -
ARQ: Default Role Provisioning Problem in Access Request???
Hi,
This Business Scenario is very common to have default role(s) assigned to a User at the back end system. So I have the same requirement. In achieving this, I followed below thread here:
MSMP Issue - GRC 10
I have also followed the note#1616092 for configuring the Default Roles.
I have performed below activities:
1. Param#2009 = YES
2. Param#2010 = 001
3. Param#2011 = REQUEST
4. Param#2013 = SYSTEM
5. Param#2038 = YES
6. Imported a test role and NO ROLE OWNER is maintained.
7.In NWBC->-AM->RM, I maintained a test role as a default.
Now when I raise a request, application is successfully adding the default role to the request. However, the problem I am facing is that, one Manager approves the request, it is getting failed.
The Audit Log says that, the STAGE is "Completed" but I could also see "No Agent Found, Cancelling path XYZ (in stage no. 002- GRAC_ROLEOWNER)
May I know what I am missing here? Why I am getting error and how can I resolve it?
Please advise.
Regards,
FaisalHi Faisal,
sorry for late resposne I was away traveling.
default roles are being added by default to access request
Yes, these roles are added to the access request.
FN: OK
and this roles are following your normal paths which I guess assumes manager and role owner.
How such roles (not having role owner) will follow the normal path Manager->Role Owner if we are enabling routing (Rule ID: GRAC_MSMP_ROUTE_NO_ROLEOWNER) at manager stage level? Can you please help me understand this?
FN: OK If you enable routing it will go to routing path. I have understood your post as you put in question the behavior of default roles and my point was - they act exacly the same like regular roles.
- request is going to detour path
Does it answer my question?
FN: My point was default roles like all other will go to detur path (assuming you setup it globaly)
Deafault roles can have separate path (in my case) where only supervisor is approving it.
Instead of "GRAC_MSMP_ROUTE_NO_ROLEOWNER" I believe we can have our own rule to have a separate path for such default roles based upon business requirement. Correct me, if required.
FN; correct
It was design in way that initiator rule based on role crtivality is sending this rule to separate path without role owner.
Again, I believe you have enabled your custom rule here to achieve your business requirement instead standard rule id.
correct
If you do not have separate path - this role like any other will follow standard path you have.
Here, I had used a stage called "ZNO_STAGE_PATH" for routing the system line item, which does not have any owner. I used the same path ID for "GRAC_MSMP_ROUTE_NO_ROLEOWNER"Rule ID and it is working fine as of now.
FN: good
My question is that, do you think if I don't use "ZNO_STAGE_PATH" as Path ID for "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID, should it follow the standard Manager->Role Owner path and these default roles get approved and assigned automatically?
FN: You should use the path ZNO_STAGE_PATH as path ID for routing rule.
If the role does not have role owner it will not allow you the even get to Role Onwer stage - request will be detured.
My point from the begining was - instead of using the routing rule - in our case we used separate path for default roles without role owner:) only consisted with manager stage. Again your approach is different but also will work.
Then which Path ID should I use for "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID, as it is mandatory?
Should I use my current path for New/Change Account where at Manager level this was routed due to non availability of role owner?
Are you asking for default roles?
Please advise.
Regards,
Faisal -
Cannot select role in AC10 Access Request: VVV urgent
Hello,
when i try to create request i cannot select role
it says no record found. Did sync job and imported role as well.
I f i selct existing assigment for any user it shows role assigned but disable since its not maintained in ERM
Please help,
Prasantwow , our mistake, since it a sandbox we have teste lot of thing, unfortunately the connector entries and connector group was changed as per naiming convention and we have not made integrated with scenario..
Thanks,
prasant -
Composite role not showing in Access request screen. (BRM not used)
Dear All
I have created a composite role in backend system with 2 single roles.
a. I have imported the single roles using the NWBC screen.
b. run the auth sync job.
c. imported the composite role as a techincal role using the NWBC import screen.
the import procedure was successfully completed.
But when i try to search for the role in Access request screen for a user - i can only see the single roles & not the composite roles?
Pls advise
RajuHi Raju,
In addition to Alessandro's valuable inputs, you need to be sure whether or not you were able to generate the composite roles (in NWBC).
The final stage of the composite role has to be in complete status.
Regards,
Ameet
Maybe you are looking for
-
Can my boyfriend have a different account on the same ipad
How can me and my boyfriend use but have our own separate accounts on the same ipad ?
-
IMac or MacBook Pro with retina?
I am having a crisis. I purchased both an iMac (2.7GHz/1TB/8GB) and a base 13" MacBook Pro with retina display. I purchased both with the intention of weighing out which one is best for me and returning the other. Both have great things about them in
-
Priority on Destinations in a Broker?
Hey, I've a bit of a problem with the JMS queue, it goes like .. I've 1 broker with 4queues/destinations in queue 1, 2 and 3 .. the consumer will possibly create a message to be put onto queue 4 If 1 + 2 + 3 are getting alot of traffic, I'm seeing th
-
Why can't I hear the talking sometimes on videos on my ipad
Sometimes I can't hear videos on my iPad. Does anybody else have this problem? My volume is up as far as it will go
-
Why is the earpiece volume so low
for some reason, I can barely head on my iphone ear piece. I have to use the speaker to hear anyone