Approving Roles created in role expert

Similar Messages

• Error in Mass role import in Role Expert

  Hi,
  While configuring role expert, in mass role import ,I am able to import the bulk download file but its import is getting failed and error is "<b>File is in invalid format</b>"
  If I alter the downloaded file, another error is generated saying "<b>Cannot write to Upload Directory
  ursula\sap_temp\ROLEIMPORT or Directory does not exist.</b>
  Please help me out!
  Regards,
  Anubha

  Hi Michael,
  I am not able to import the SAP roles properly.
  I downloaded the roles from backend properly. But while importing them I am getting a list of backend roles and against each of them following message <b>Error in processing role infomation. Role not imported</b>.
  What could be the possible mistake? I have set <b>Upload Directory</b> = ursula\sap_temp.
  One more problem, while creating a new role I am able to reach successfully till the risk analysis phase. After that, as soon as I click on approval , i am getting message <b>Error in creating request</b>.
  I suppose the control should go to Access Enforcer from here.I have already set AC Workflow URL for role approval in Configuration -> miscellaneous.
  Thanks in advance!
  Anubha

• Problem with Edit option for a role created in GRC 10.0

  Hello Experts,
  I created a role in GRC 10.0 , I see my newly created role in the list of roles . If I want to Edit the role I select the row and click " OPEN" and edit the role.
  But when I click the role directly and enter the role , the "EDIT"  button is disabled and even maintain authorization button is disabled.
  Did SAP defined in such  a way that we should selct the role and click OPEN then only we can Edit or is this a Bug??
  Please let me know if any one of you faced the same problem.
  Regards,
  Jagadish Bhandaru

  Hi,
  Sabita is correct.
  Here is the link to the documentation
  SAP Access Control 10.0
  Simon

• Role created in ERM is not appearing in CUP request for assignment-GRC 10.0

  Hi,
  We are on GRC 10.0 - SP5
  We have created a role in ERM and it was succesfully created in backend system. However when we tried to assign the same role using CUP request - the role is not appearing.
  1) Do we need to upload roles for CUP  in GRC 10.0 (similar to 5.3) to populate. Will the role doesnot automatically appears in GRC database for CUP as it is created through ERM?
  2) If the roles are imported in ERM with role owner information, does the same reflects for CUP also for role owner approver assignments?
  Thanks and Best Regards,
  Srihari.K

  Hi Sri,
  Is the role status set to "production" ??
  Cheers,
  Diego.

• FM to create new role in BI

  Hi experts,
  Is there any FM to create a role exactly like in t-code PFCG?
  I get lost in PFCG abap so any suggestion would be helpful.
  Thanks in advance
  Soufiane.

  Hi experts,
  I ve found this:
  PRGN_RFC_CREATE_AGR_MULTIPLE to create role with role description
  BAPI_USER_ACTGROUPS_ASSIGN to assign user to a role
  is there any FM to assign authorisation to a role?

• Approver for the application role not working out

  Hi,
  I have created a role with type application and Approver A, then created a business role with the Approver B and included application role into the business role.
  When i assign this business role to a user the only request for approval goes to Approver B and after approval the both application and business roles are assigned. Strangely it seem to skip the Approver A. I did even remove the approver in business role, leaving only approver in application role, still same result - it skips Approver A.
  I'm using IDM 8.0.0.1, any ideas why it would skip the approver in the included role?
  Thanks!

  Thanks for the quick reply. I've tried optional with approval and here is what I found.
  It seems I need a combination of the two. My end goal is to have a second level approval, one group would be responsible for approving the business role and the system owners would be responsible for approving the nested application roles. When a user requests the business role, they must have approvals for the business role and all of the nested application roles for their request to be completed.
  If the app. roles are required, the workflow automatically incorporate the nested appl. roles in the request but does not require approval for them. If they are conditional with approval, the user would have to submit a second request to get all of the nested application roles. It looks like I need a combination of the two, required with approval.
  I need it to behave like it does when you have a role with approver that includes resources with an approver. The role and resources must all be approved before the request can be completed successfully.
  I'm trying to see if this is possible through the GUI before I customize the workflow.

• How to create authorization role for just displaying query prefix Q and X.

  Hi Expert,
  I hope someone can help me on how to create authorization role for just displaying and executing  BEX  Queries prefix Q and X. I'm currently using SAP BI 7.1.
  Actually, I already created one role called : Z_FORINDO_ONLYDISPLAY_QX
  where I only put in the Authorization Component (in the Role Maintenance - Tcode 'pfcg'):
  -->Manually Business Information Warehouse
      --> Manually Business Explorer - Components
  Activity : Display, Execute, Enter, Include, Assign
  InfoArea : *
  InfoCube : *
  Name(ID) of a reporting component : *
  Type of a reporting component : Calculated key figure, Restricted key figure, Template structure
      --> Manually Business Explorer - Components
  Activity : Display, Execute
  InfoArea : *
  InfoCube : *
  Name(ID) of a reporting component : Q* , X*
  Type of a reporting component : Query
  But, the problem is I still can make changes on that queries (Q* and X*). Even, I still can run query with prefix Z. I use S_RS_RREPU Tamplete for Query Display and execution.
  Please assist. Very much appreciate your help. Thanks.
  Edited by: nadiyah salleh on Mar 18, 2008 11:22 AM

  Question close. This issue has been resolved.

• Query regarding approval policies for custom Role

  Hi ,
  1.In OIM 11g R2 . I have created a Role named SecurityAdmin. Assigned it to a user named User1.
  Logged in as User1 and searched for another user say User2
  2.Modified its Profile and when clicked on save .Request was created and went to approval process.
  Similar thing happened when i tried to disable the user and assign roles to User2.(Note : I am logged in as User1 not xelsysadm)
  Created two auto approval policies for assign roles and Modify user profile
  Query : Do i have to create approval policy for each process like Disable User, Enable user , etc ?
  Is there any generalized way that i make a policy on high level that if Role is Security admin Request goes to Auto Approval.
  Please help.
  Thanks in advance.

  >
  Query : Do i have to create approval policy for each process like Disable User, Enable user , etc ?You have to create approval policy for each of these request types.
  Is there any generalized way that i make a policy on high level that if Role is Security admin Request goes to Auto Approval.
  Please help.In approval policies you can select Auto Approval checkbox and write a rule Requester.Role Name Equals Security admin

• Create users , roles, link roles to users

  Hi Experts,
  how do we create users , roles and link roles to users in oracle discoverer?
  If they are the users created in the oracle database, how is discoverer access given to them? EUL5_EUL_USERS has the list of the users and roles for discoverer.
  thanks.

  Hi User,
  Below is the document link step by step process how to give access to end-users here is the topic Viewer and Plus Access with E-Business Suite
  http://ascbi.com/thirdparty_documents.htm_
  Hope it helps you.promptly award points here is the link http://forums.oracle.com/forums/ann.jspa?annID=939
  By,
  KK

• Creating a Role view in a workflow

  I'm trying to create a role view in my workflow with the following code but it gives me an error: com.waveset.util.InternalError: Unable to locate ViewHandler for 'role'.
  <Action application='com.waveset.session.WorkflowServices'>
              <Argument name='op' value='createView'/>
              <Argument name='type' value='Role'/>
              <Return from='view' to='view'/>
            </Action>Has anyone created a role from a workflow, java or SPML?

  nvm figured it out.
  <Action id='0' application='com.waveset.session.WorkflowServices'>
            <Argument name='op' value='createView'/>
            <Argument name='type' value='Role'/>
            <Argument name='viewId' value='Role'/>
            <Argument name='Form' value='Empty Form'/>
            <Argument name='authorized' value='true'/>
            <Return from='view' to='role'/>
          </Action>       

• Is there a way to create a role like DBA role?

  is there a way to create a role just like DBA role?

  Karl wrote:
  thanks for the reply.
  yes, i know the command. but i still have concerns.
  DBA role come with oracle product, and it is very powerful. our client wants to have a role just like DBA role, but with the following excluded from it
  DELETE_CATALOG_ROLE
  GRANT ANY ROLEThen simply do NOT issue those two GRANT

• Is there any way to create admin role only for one resource.

  Hi all,
  I am trying to create an admin role with 'update user' capability. But I want to restrict the user(with the admin role) to be able to update a user's attribute only for one resource, The user(with the admin role) should not be able to update the attributes of the other resources which a user have.
  Is there any way to create admin role only for one resource?
  I customized the tabbed user form to show only one resource attribute (deleting the missing fields and adding my tab for the resource) and then assigned this new User Form to the user(with the admin role) in security tab.
  It works fine. But the problem is that if any user(with the admin role) is also admin of some other resource then he/she will not be able to view the other resource attributes.
  Please suggest,
  thanks

  The loop function always repeats the same region so of course the fade is also copied. So option+drag the original region to make a (non clone) copy, fade the first region and loop the second one (which you just copied).

• Creating a role

  I am trying to create some roles under one of my schemas and iwant to use OEM for that.
  The user has the create role privs bur it cant log in to OEM because it is a restricted user.
  I need to add the objcects and privs to the role but if i log in as sysdba or dba it doesn let me add the ojets because the dba is not the owner of the object.
  How do i work this out?
  Ashish

  If you want a user to be able to use OEM to do anything, you have to grant that user sufficient privileges to use OEM. In 9i, that's the SELECT ANY DICTIONARY privilege if memory serves. I believe in 8i it's the SELECT CATALOG role.
  Be sure you understand the implications of these grants before you start giving them out, though.
  Justin
  Distributed Database Consulting, Inc.
  www.ddbcinc.com

• Creating a role for t.code FBL1N

  Hi All,
  Creating a role (PFCG), I've to assign the t.code FBL1N only.
  In this role and for the t.code FBL1N, I've to exclude a certain Vendor Account Group.
  Could anyone help me?
  Thanks

  Hi ,
  For the task that you want to perform .
  First of all have a basic idea of how the authorization objects pertaining to a T code are checked , go to T code SU24 and give the input transaction as FBL1N and execute . there you will find the list of all the authorization objects that would be available for FBL1N.
  go through their documentation and understand the behaviour .
  Secondly , in case of FBL1n you cannot restrict based on account group at the granual level you can control on document type authorization group F_BKPF_BLA .
  For creating a role Go to t code PFCG create a role assing the t code , provide the auhtorization values , generate the role and assign the role to the user ID that you want to assign it to .
  Hope this helps .
  Regards ,
  Dewang T .

• Is it possible to create a role with PERM_READER_EXTENSIONS_WEB_APPLICATIONS without Service Invoke?

  I need to restrict user access to Workspace processes.  Using the adminui, service management, I gave my test group INVOKE_PERM permissions to this service.  This works good.  The users of the test group can only see this process.  However, for these users the SOAP calls do not work.  I am using a reader extended form and I am getting the error below.  If I add the Reader Extension Web Application role, the SOAP call work, but the user of the test group can see all other processes.  I created a role and gave it PERM_READER_EXTENSIONS_WEB_APPLICATIONS, Service Read, INVOKE_PERM and other combinations.  This role only works if I add Service Invoke and this give users access to all processes.  How can I get a role to provide the Reader Extension without using Service Invoke?
  An error has occurred. See error log for more details.
  User TORRES, ALEJANDRO G does not have the Service Invoke Permission on Service ReaderExtensionsService.

  I found the answer to my question.  I had to give INVOKE permission to all the services used by the process.