Assign role request through code not going to Operational level
Hi All
We are trying to assign roles through code using the OIM APIs as suggested in the documentation
"http://docs.oracle.com/cd/E27559_01/doc.1112/e28183/oim_up.htm#autoId40".
We have 2 approval policies: one is at Request level (i.e. Auto Approval) and the other is at Operational level (Scope=ALL Scope) with a workflow. Once the request is raised successfully through the code, it is getting completed. The expected behavior is that it should go to the approval workflow attached at operational level.
When we tried to attach a workflow at the request level, the request went through the approval workflow attached at request level, and once we approved at request level it was completed without going to operational level.
But we will have Request level as auto approved and Operational level with two levels of workflow.
Thanks in Advance
Check whether you have configured Request Type in your approval policy properly for operational level approval. In the Rule Components section, check whether you have configured everything correctly. Also, don't raise the request from a system admin login, as it will be treated as a direct provisioning request and your approval policies will not be invoked. Log in as an end user and test it.
Similar Messages
-
OIM 11g - Modify Assign Roles request
Hi everyone,
I would like to know if it's possible to modify the Assign Roles request in order to restrict the available assignees. I mean, for example, if a manager wants to create a new Assign Roles request, he will be able to select only users he is the manager of.
If someone knows how to do that he will be really helpful!
Thanks in advance,
Thibault
Thanks to both of you!!
Indeed it's OOTB and it didn't work for me because there was another authorization policy configured for REQUEST_ADMINISTRATOR which allowed them to search for all users. And because all of my requesters had this role, they could search for all users. So I configured a new request template which allows a role, that I had already created before, to create requests, and now it works fine.
Thanks !!
Thibault -
Assigning roles dynamically through an application
We have an application being written in PowerBuilder 7.0.3 which accesses an Oracle 8.0.5 database running on OpenVMS. Is there a way to dynamically assign roles through the application to ensure that no modifications are made outside of the application?
Thanks
The use of dynamic roles for security is a very bad idea! Even if you set a password on the role, determining the name and the password for the role is trivial. Just open the binary using notepad, and search for "set role" and the password is right there.
The only way to securely design your application is to place the controls in the database where they can not be manipulated. Use stored procedures, functions, and views!
HTH,
Aaron C. Newman
AppProtect, Inc. -
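The design contrast from the answer above, written out as an added example that is not part of the original thread. All object names (app_owner, app_user, orders, order_entry_role, open_orders_v, set_order_status) and the placeholder password are hypothetical; the syntax is standard Oracle SQL and PL/SQL.

```sql
-- Weak pattern: a password-protected role that the client program enables
-- itself. The role password has to ship inside the application binary.
CREATE ROLE order_entry_role IDENTIFIED BY "placeholder_pw";
GRANT SELECT, INSERT, UPDATE, DELETE ON app_owner.orders TO order_entry_role;
GRANT order_entry_role TO app_user;
ALTER USER app_user DEFAULT ROLE NONE;
-- The client then sends: SET ROLE order_entry_role IDENTIFIED BY placeholder_pw;
-- Any other SQL tool logged in as app_user can send the same statement and
-- gets full DML on the table, outside the application's checks.

-- Hardened pattern: remove the role and move the control into the database.
REVOKE order_entry_role FROM app_user;
DROP ROLE order_entry_role;

-- Read access only through a view that exposes the permitted rows and columns.
CREATE OR REPLACE VIEW app_owner.open_orders_v AS
  SELECT order_id, customer_id, status, amount
    FROM app_owner.orders
   WHERE status <> 'CLOSED';
GRANT SELECT ON app_owner.open_orders_v TO app_user;

-- Write access only through a procedure that enforces the business rule.
-- It runs with the privileges of app_owner, so app_user needs no privilege
-- on the base table at all.
CREATE OR REPLACE PROCEDURE app_owner.set_order_status (
  p_order_id IN NUMBER,
  p_status   IN VARCHAR2
) AS
BEGIN
  IF p_status NOT IN ('NEW', 'SHIPPED', 'CANCELLED') THEN
    RAISE_APPLICATION_ERROR(-20001, 'status value not allowed');
  END IF;

  UPDATE app_owner.orders
     SET status = p_status
   WHERE order_id = p_order_id
     AND status <> 'CLOSED';

  IF SQL%ROWCOUNT = 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'order not found or already closed');
  END IF;
END;
/
GRANT EXECUTE ON app_owner.set_order_status TO app_user;

-- Verification (run as a DBA): app_user should hold only SELECT on the view
-- and EXECUTE on the procedure, and nothing on APP_OWNER.ORDERS itself.
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'APP_OWNER'
   AND grantee = 'APP_USER';
```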
Controlling role visibility through code
Hi All,
I need to be able to hide worksets and roles depending upon the user that logs in. I have managed to control iviews and pages using the following code
Hashtable env = new Hashtable();
env.put(
    Context.INITIAL_CONTEXT_FACTORY,
    IPcdContext.PCD_INITIAL_CONTEXT_FACTORY);
// Run the PCD lookup in the security context of the logged-in user.
env.put(Context.SECURITY_PRINCIPAL, request.getUser());
env.put(Constants.REQUESTED_ASPECT, PcmConstants.ASPECT_SEMANTICS);
InitialContext iCtx = null;
try {
    iCtx = new InitialContext(env);
    Object currentObject = iCtx.lookup(iViewID);
    // Only change the attribute when the lookup really returned an iView;
    // otherwise there is no object to update.
    if (currentObject instanceof IiView) {
        IiView result = (IiView) currentObject;
        result.putAttribute("com.sap.portal.navigation.Invisible", invisibleValue);
        result.save();
    }
} catch (UnsupportedOperationException e) {
    e.printStackTrace();
} catch (NamingException e) {
    e.printStackTrace();
} catch (ValidationException e) {
    e.printStackTrace();
} catch (IOException e) {
    e.printStackTrace();
}
After looking around some more, I thought there must be something similar for worksets and roles as well.
I found the use of IRoleService and IRoleDescriptor. But it's only given how to create new roles using these. Can someone help me out on how to access existing roles so that I can set the property dynamically for them?
Hi Malita,
The approach you have followed is not scalable. You should use PCD filter.
Refer to
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/5021a57d-0601-0010-6097-ec94a09c626d?QuickLink=index&overridelayout=true
Please note that you should use PCD filter only when there is no other option. Most of the times you can achieve the same result by tweaking your design.
Also refer to
Be Careful When Combining Navigation Cache, PCD Filter
to understand when you shouldn't be using PCD filter.
Let the community know your exact requirement and the community should be able to suggest the best approach.
Thanks
Prashant -
Activate project in Appropriation request through code
I have created a WBS element for an appropriation request using FM CN2W_WBSELEMENT_CREATE_STRU.
This project also needs to be activated. For this I have used the FM CJDW_PROJ_ACTIVATE_IM. But this is not activating the project.
Also, when this is done manually, the click of the activate button does not activate it. The project is activated only during save of the appropriation request.
Please let me know your suggestions on how to activate the project using code.
Hi All,
In order to meet the need of my customer, we made a program (with BAPI) in order to automatically create the appropriation request, the project definition and the WBS by downloading a file. The first steps work fine until the creation of the WBS.
We receive the message "MESSAGE E011 WITH PSPID_IMP RAISING PROJ_NOT_EXIST." but when I check the project definition via CJ03, I find my project!!! I also checked that the field INACT is empty in the table PROJ. During debugging, I found in the function module "CJDW_PROJ_ACTIVATE_IM" that it keeps the value X in field INACT somewhere in memory, thus the database is not updated....
FUNCTION CJDW_PROJ_ACTIVATE_IM.
*"*"Local interface:
*"  IMPORTING
*"     VALUE(PSPNR_IMP) LIKE PROJ-PSPNR OPTIONAL
*"     VALUE(PSPID_IMP) LIKE PROJ-PSPID
*"  EXCEPTIONS
*"      PROJ_NOT_EXIST
*"      NOT_POSSIBLE
  DATA: PROJ_IMP LIKE PROJ,
        LOC_TABIX LIKE SY-TABIX.
* Read table PRJTAB
  PERFORM READ_PRJTAB USING PSPNR_IMP
                            PSPID_IMP.
  READ TABLE PRJTAB WITH KEY PSPNR = PSPNR_IMP.
  LOC_TABIX = SY-TABIX.
  IF NOT SY-SUBRC IS INITIAL.
    MESSAGE E011 WITH PSPID_IMP RAISING PROJ_NOT_EXIST.
  ENDIF.
  MOVE-CORRESPONDING PRJTAB TO PROJ_IMP.
* Minimal check on activation -> organizational data consistent?
  CALL FUNCTION 'CJCK_CHECK_BUKRS_GSBER_KOKRS'
    EXPORTING
      I_BUKRS = PROJ_IMP-VBUKR
      I_GSBER = PROJ_IMP-VGSBR
      I_KOKRS = PROJ_IMP-VKOKR
      I_WAERS = PROJ_IMP-PWHIE
    EXCEPTIONS
      ERROR_MESSAGE = 99.
  IF NOT SY-SUBRC IS INITIAL.
    MESSAGE ID SY-MSGID TYPE 'E'
            NUMBER SY-MSGNO WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4
            RAISING NOT_POSSIBLE.
  ENDIF.
*PROJ = PROJ_IMP.
  CLEAR proj_imp-inACT. "QRK260599
  CALL FUNCTION 'CJDW_PROJ_MODIFY'
    EXPORTING
      BEAKZ = CON_CHANGE
      I_PROJ = PROJ_IMP
      X_CHECK_INPUT = CON_NO
    IMPORTING
      E_PROJ = PROJ_IMP
    EXCEPTIONS
      BEAKZ = 1
      PSPNR = 2.
  IF NOT SY-SUBRC IS INITIAL.
    MESSAGE ID SY-MSGID TYPE 'E'
            NUMBER SY-MSGNO WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4
            RAISING NOT_POSSIBLE.
  ENDIF.
  MOVE-CORRESPONDING PROJ_IMP TO PRJTAB.
  CLEAR PRJTAB-INACT.
  IF PRJTAB-VBKZ IS INITIAL.
    PRJTAB-VBKZ = CON_CHANGE.
  ENDIF.
  MODIFY PRJTAB INDEX LOC_TABIX.
  MOVE PRJTAB TO *PROJ.
  PERFORM UPDATE_PROJ_IM ON COMMIT.
ENDFUNCTION.
I need help ,!!!
Thanks in advance
Said Ben Ajiba
Edited by: Said Ben Ajiba Abdelwarit on Jun 9, 2011 11:20 AM -
Invoice not going for second level approval
I have an issue, gurus.
There is an invoice which should go through two levels of approval; we have built a customised workflow for that. At the first level there are, say, 5 approvers who can approve, then at the second level there are again 3. Any one among them can approve the invoice at any level, and thereafter the work item gets deleted from the remaining agents' inboxes. Now the issue is that after one among the first-level approvers approves, it again comes back to him for approval without going to the next level.
What can be the problem and what is the solution? If anyone can help me...
Hi,
It is related to a workflow issue. Please check in SWIA.
Please contact your ABAP (technical team).
There is a problem in the BADI.
G.Ganesh Kumar -
Requests that are forwarded to another approver are not going to next stage
We are having an issue with AE 5.2 with Forwarded requests. When requests are forwarded to another approver and this person then approves the requests, they are not going on to the next stage in our workflow. We have the Forward Type option set to 'Any one Approver' for the workflow stage. Have also tried forwarding the requests with both the Forward With No Return and Forward With Return options.
The approver that is receiving these Forwards is not listed as one of the approvers for the role in the request. Is this the issue, are we not using the Forward process correctly, or is this a bug in AE 5.2. (I think we are currently on SP 9 of GRC 5.2.)
Thanks.
Hi Bob,
I am running AE 5.2 but do not use the "forward" feature. For requests that require "role approvers" I have set up a separate initiator that includes the additional stage for role approval.
I have initiators for 1) New User w/ no role approval 2) New User w/ role approval 3) Change User w/ no role approval 4) Change User w/ no role approval
My "no role approvals" go through three stages 1) security initial review 2) Internal Control review 3) Final security provisioning; my "role approvals" go through four stages 1) security initial review 2) Role Approval Stage 3) Internal Control review 3) Final security provisioning
If a request has roles that require approval and some that do not, the request will take the two separate paths based on the roles defined for each; the provisioning will complete once both paths have completed all stages.
This allows us to treat the role approval just like any stage with assigned approvers and, if there are multiple approvers, allow for any one approver to complete the stage.
This is different from your approach of forwarding for role approval; I define the roles to the initiators that require role approval, but it gives you another perspective of doing it.
Jerry Synoga
Ryerson,Inc.
630-758-2021 -
Requests are not forwarded to next level after approval
Hi all,
Apps version 11.5.10, Solaris 10
We have modified a user name in apps; after that, whatever that particular user has approved is not going to the next level. Is it not recommended to update a user name?
Hope someone can help me fix the issue.
Thanks in advance
uns -
Request Key for Role Requests in OIM 11.1.1.5.0
Hi,
We are currently working on an enhancement in which, after the role request is approved in the workflow process (SOA), it needs to be assigned to a group. A notification has to be sent to this group with the request details and the task needs to be assigned to them. This functionality is implemented using the process task and providing the group name in the assignment tab of the task.
The problem we are facing here is, we are not able to get the request key (of the role request) dynamically, which can be used in the adapter to get the request details/ role details.
We have implemented the same process while requesting for RO. i.e. after the RO request is approved in the SOA work flow it gets assigned to a group.
In that case we could get the request key by using the below sql query:
"select usr.USR_LOGIN,req.request_key,usr.usr_first_name,usr.usr_last_name from usr usr,request req,oiu oiu where req.request_key=oiu.request_key and req.requester_key=usr.usr_key and oiu.orc_key=" + processInstanceKey;
However, for the role requests, we are not able to figure out the query or any other process with which we can get the request key dynamically so that it can be used in the process task adapter.
Please suggest the db query or any other method to get the request key for the role request.
Thanks in advance.
Shakti.
Hi Kevin,
The complete steps that we are following are as below:
1. The requester raises a request for assigning role xyz to user abc by using a request template. Once the SOA workflow is completed the user gets the role.
2. After the evaluate user policy scheduler is run and the record is inserted into the child table, a task "ADD Role To User" is triggered.
3. We have created an adapter to set Response= "SUCCESS" and associated it with the task "ADD Role To User".
4. On Response= "SUCCESS" we are triggering two tasks:
i. Assigning the task to a team
ii. Sending a notification to the team about the role request.
5. While writing the task for sending the notification, we have created an adapter. We need to get the request key (of step no. 1) and role details to be displayed in this mail.
As you have mentioned, "There should be no process instance key for a Role Request because there is no object.", I am not able to figure out a way to get the request key which I can use in the adapter to send the notification.
Please suggest how I can get it and let me know if you need any other details.
Thanks in advance.
Shakti. -
What is the purpose of assign roles to portal please describe
what is the purpose of assign roles to portal please describe
Hi,
You assign Roles to Users and not to portals.
Check this to know about Role:
http://help.sap.com/saphelp_nw70/helpdata/EN/45/c0d8e962336000e10000000a1553f6/frameset.htm
So a role has contents that a user can see and also privileges that the user can have (UME Actions).
http://help.sap.com/saphelp_nw70/helpdata/EN/fb/33f520d15f8f4092a60381365620b2/frameset.htm
When a user is assigned certain roles which have contents and also UME Actions, this user sees them when he logs on to the portal and also has this set of privileges.
Regards,
Praveen Gudapati -
User decision activity not going to the agents(Position Maintained).
Hi All,
I assigned a specific Position in the agent field of the user decision activity. But after assigning, the decision step is not going to the expected agent; instead it is getting executed by the WF-BATCH user.
I have checked the same in the Tcode PO13 and the corresponding user is the only one maintained for that position.
Kindly guide me on what the possible reasons can be. Is there anything I am missing?
Thanks,
Neslin.
Thanks. Yes. Latest start and latest end are already maintained and there is also a rule for when the latest start is missed. Kindly let me know how I can avoid this also.
How to check whether the position is maintained to the SAP user id? I have seen the user maintained under the position in Tcode PO13.
The deadline is calculated 4 days after sydatum.
One more thing: the work item got reserved by WF-BATCH and executed by WF-BATCH.
Edited by: neslin on Jul 28, 2009 7:49 AM -
Hi All,
I have OIM 11gR2 installed with LDAPSync enabled.
When tried to assign Role to User through membership rule, Role is successfully assigned to User in OIM, but it is not added in OID.
Role membership is added in OID when User requests Role through Catalog search. Also, Role membership is added in OID after running job 'LDAPSync Post Enable Provision Role Memberships to LDAP '.
How can I add Role membership in OID as soon as Role is assigned to User through membership rule in OIM?
Hi
It sounds like you have not selected anything on the Presentation & Data tab of the Workspace Startpoint/User Service.
You need to specify:
Your Asset (the form you want to present to the user)
An associated Action Profile (tells the server how you want the form rendered...typically it is set to Default which uses the Render PDF Form process)
The variable to hold your data(typically an xml variable)
Make sure these are set.
Diana -
Request Number is not generated for BRM "new" role creation
Hello Gurus,
I have configured BRM in SAP GRC AC 10, along with the workflow .
I have selected the following methodology
Define Role --> Maintain Auth --> Analyze & Access Risk --> Request Approval --> Generate Roles --> Maintain Test Cases
Role name : Y_TEST_BRM_FUNCTIONALITY
So i do the following steps and assign
1) Role approver as Mr. ABC & Alternate approver as Mr. QRS
2) Assign the Required transactions and do the RAR i.e i am done till step 3 of methodology
When i click "Initiate Approval request"
The approval triggers , and goes to the 1st stage as configured in MSMP
1) Power User Approval .
Here the Power User : EFG , open his workflow and see the request as
Role approval required for role Y_TEST_BRM_FUNCTIONALITY
The approver approves the request and then the request all together vanishes.
Unfortunately I am not able to search the request for that role from NWBC --> Search request by
Process Id : Role Approver Workflow
It gives blank!!
Hence I am neither able to find the request nor able to do any debugging of it using
GRFNMW_DBGMONITOR_WD
Please note that the Request Id is created for any request in CUP.
Is it that I have to create a number range for BRM requests??
If so, will you please let me know the object
Hello All,
I was wrong in posting the cause of problem.
Please note no "Request number" is generated for Role creation Request.
The problem was that I was unable to search the Role Request approval status from "Search Request" via Process Id.
It got resolved via SAP note 1643539 : UAM: Search Request not returning result for some Process Id.
My issue is resolved.
Thank You.
Regards,
Victor -
One CUP request for assigning role to multiple users
Hi,
We assign roles to users in production only through CUP requests. We use GRC 5.3.
Here we have a case where we need to assign one role to 60 users in production (each user may have different roles assigned in the back end). I can raise one CUP request for all users using the "multi-user" option in Copy request. But when we want to make a risk analysis, it will not show risks at user level, as each user has different roles and may get different risks by adding the new role.
Instead it will give risks, if any, for only that new role which we want to assign. Our manager is not accepting this, as it does not give the complete picture of risks for each user when we add the new role.
Please suggest if there is any other way where I can make a risk analysis for each user when I create a CUP request for multiple users.
Or is the only solution to create 60 CUP requests?? This would be too manual.
Regards,
jaags
Raghu,
Thanks for the reply, you are right as per the audit. But suppose it is for 200 users; creating 200 CUP requests will be impractical, right?
There should be some solution for this, because there will be many situations practically where we have to assign roles to N number of users.
Regards,
Jaags -
How to trigger approval request for resources after assigning role
Hi,
We have a use case where we need to assign resources to a user via assigning roles.
In order to achieve this use case:
1. We have created a role and assigned the access policy to it, which contains the resources to be provisioned once the role is assigned to the user.
2. Created a SOA composite having manager approval and assigned this composite to an approval policy of type 'Assign Role'.
3. I already have the approval policy for the resources which are present in roles. The approval policy of resources is of type "Provision Resource".
4. Also the SOA composite for resource approval is deployed in OIM and assigned to the approval policy.
5. Now when I am raising the request from OIM of type "Assign Role", the approval defined in the SOA composite for Role approval gets triggered. After approving the role request, the role is assigned to the user and also the resources defined in the access policy get provisioned to the user account.
Now I want to trigger the resource approval process after the role approval instead of directly provisioning the resources, so that once the role is approved the individual approval process of the resources that are part of the role also gets invoked. Based on the approval or rejection of the resource approval, the resource gets assigned to the user.
Please let me know how to achieve the above use case.
Thanks in advance
Access policy is saying whoever gets xyz role will get this abc resource. Now once a user gets xyz role, you are stopping them from getting abc resource? Both are contradictory. Don't go through access policy. User is anyway going to request roles. Modify your flow and make the user request the resource. Have your composite and approval policy attached. User will get the resource once it is approved.
regards,
GP