Assign role request through code not going to Operational level

Hi All
We are trying to assign roles through code using the OIM APIs as suggested in the documentation
"http://docs.oracle.com/cd/E27559_01/doc.1112/e28183/oim_up.htm#autoId40".
We have 2 approval policies: one is at Request level (i.e. Auto Approval) and the other is at Operational level (Scope=ALL Scope) with a workflow. Once the request is raised successfully through the code, it gets completed. The expected behavior is that it should go to the approval workflow attached at Operational level.
When we tried to attach a workflow at the Request level, the request goes through the approval workflow attached at Request level, and once we approve at Request level it gets completed and does not go to Operational level.
But we will have Request level as auto-approved and Operational level with two levels of workflow.
Thanks in Advance

Check whether you have configured the Request Type in your approval policy properly for operational level approval. In the Rule Components section, check whether you have configured everything correctly. Also, don't raise the request from the system admin login, as it will be treated as a direct provisioning request and your approval policies will not be invoked. Log in as an end user and test it.

Similar Messages

  • OIM 11g - Modify Assign Roles request

    Hi everyone,
    I would like to know if it's possible to modify the Assign Roles request in order to restrict the available assignees. I mean, for example, if a manager wants to create a new Assign Roles request, he will be able to select only users that he is the manager of.
    If someone knows how to do that, it will be really helpful!
    Thanks in advance,
    Thibault

    Thanks to both of you!!
    Indeed it's OOTB, and it didn't work for me because there was another authorization policy configured for REQUEST_ADMINISTRATOR which allowed them to search for all users. And because all of my requesters had this role, they could search for all users. So I configured a new request template which allows a role, that I had already created before, to create requests, and now it works fine.
    Thanks!!
    Thibault

  • Assigning roles dynamically through an application

    We have an application being written in PowerBuilder 7.0.3 which accesses an Oracle 8.0.5 database running on OpenVMS. Is there a way to dynamically assign roles through the application to ensure that no modifications are made outside of the application?
    Thanks

    The use of dynamic roles for security is a very bad idea! Even if you set a password on the role, determining the name and the password for the role is trivial. Just open the binary using notepad, and search for "set role" and the password is right there.
    The only way to securely design your application is to place the controls in the database where they cannot be manipulated. Use stored procedures, functions, and views!
    HTH,
    Aaron C. Newman
    AppProtect, Inc.
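
The database-side design this answer recommends, next to the role-password pattern it warns about, as an added example that is not part of the original post. Schema, login, role, table, view and procedure names are constructed, and the syntax is Oracle SQL and PL/SQL.

```sql
-- Constructed names: schema APP_OWNER, client login APP_USER, role APP_WRITE.
CREATE TABLE app_owner.orders (
  order_id   NUMBER       PRIMARY KEY,
  owner_name VARCHAR2(30) NOT NULL,
  status     VARCHAR2(10) NOT NULL,
  changed_by VARCHAR2(30),
  changed_at DATE
);

-- BEFORE: table privileges hang off a password-protected role that the client
-- enables at run time, so the SET ROLE text and its password ship in the binary.
CREATE ROLE app_write IDENTIFIED BY "placeholder-password";
GRANT SELECT, INSERT, UPDATE, DELETE ON app_owner.orders TO app_write;
GRANT app_write TO app_user;
ALTER USER app_user DEFAULT ROLE NONE;
-- Statement the client would issue after connecting:
--   SET ROLE app_write IDENTIFIED BY "placeholder-password";

-- AFTER: remove the role. APP_USER keeps no privilege on the table itself,
-- so a connection made outside the application has nothing more to use.
REVOKE app_write FROM app_user;
DROP ROLE app_write;

-- Read path: a view that exposes only the caller's own rows and columns.
CREATE OR REPLACE VIEW app_owner.my_orders AS
  SELECT order_id, status, changed_at
    FROM app_owner.orders
   WHERE owner_name = USER;

-- Write path: a procedure owned by APP_OWNER. It runs with the owner's
-- privileges and enforces the business rule inside the database.
CREATE OR REPLACE PROCEDURE app_owner.set_order_status (
  p_order_id IN NUMBER,
  p_status   IN VARCHAR2
) AS
BEGIN
  IF p_status NOT IN ('OPEN', 'SHIPPED', 'CANCELLED') THEN
    RAISE_APPLICATION_ERROR(-20001, 'status not allowed');
  END IF;

  UPDATE app_owner.orders
     SET status     = p_status,
         changed_by = USER,
         changed_at = SYSDATE
   WHERE order_id   = p_order_id
     AND owner_name = USER;

  IF SQL%ROWCOUNT = 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'no such order for this user');
  END IF;
END set_order_status;
/

GRANT SELECT  ON app_owner.my_orders        TO app_user;
GRANT EXECUTE ON app_owner.set_order_status TO app_user;

-- Check: APP_USER should hold only the two grants above and no roles
-- that carry table privileges.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'APP_USER';

SELECT granted_role
  FROM dba_role_privs
 WHERE grantee = 'APP_USER';
```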

  • Controlling role visibility through code

    Hi All,
    I need to be able to hide worksets and roles depending upon the user that logs in. I have managed to control iviews and pages using the following code:
    Hashtable env = new Hashtable();
    env.put(
        Context.INITIAL_CONTEXT_FACTORY,
        IPcdContext.PCD_INITIAL_CONTEXT_FACTORY);
    env.put(Context.SECURITY_PRINCIPAL, request.getUser());
    env.put(Constants.REQUESTED_ASPECT, PcmConstants.ASPECT_SEMANTICS);
    InitialContext iCtx = null;
    try {
        iCtx = new InitialContext(env);
        IiView result = null;
        Object currentObject = iCtx.lookup(iViewID);
        if (currentObject instanceof IiView) {
            result = (IiView) currentObject;
            // Set the attribute only when the lookup returned an iView;
            // otherwise result stays null and must not be dereferenced.
            result.putAttribute("com.sap.portal.navigation.Invisible", invisibleValue);
            result.save();
        }
    } catch (UnsupportedOperationException e) {
        e.printStackTrace();
    } catch (NamingException e) {
        e.printStackTrace();
    } catch (ValidationException e) {
        e.printStackTrace();
    } catch (IOException e) {
        e.printStackTrace();
    }
    After looking around some more, I thought there must be something similar for worksets and roles as well.
    I found the use of IRoleService and IRoleDescriptor. But it's only given how to create new roles using these. Can someone help me out on how to access existing roles so that I can set the property dynamically for them?

    Hi Malita,
    The approach you have followed is not scalable. You should use PCD filter.
    Refer to
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/5021a57d-0601-0010-6097-ec94a09c626d?QuickLink=index&overridelayout=true
    Please note that you should use PCD filter only when there is no other option. Most of the time you can achieve the same result by tweaking your design.
    Also refer to
    Be Careful When Combining Navigation Cache, PCD Filter
    to understand when you shouldn't be using PCD filter.
    Let the community know your exact requirement and the community should be able to suggest the best approach.
    Thanks
    Prashant

  • Activate project in Appropriation request through code

    I have created a WBS element for an appropriation request using FM CN2W_WBSELEMENT_CREATE_STRU.
    This project also needs to be activated. For this I have used the FM CJDW_PROJ_ACTIVATE_IM. But this is not activating the project.
    Also, when this is done manually, the click of the activate button does not activate it. The proj is activated only during save of the Appropriation request.
    Please let me know your suggestions on how to activate the project using code.

    Hi All,
    In order to meet the need of my customer, we made a program (with BAPI) in order to automatically create the Appropriation request and the project definition and WBS by downloading a file. The first steps work fine until the creation of the WBS.
    We receive the message "MESSAGE E011 WITH  PSPID_IMP RAISING PROJ_NOT_EXIST." but when I check the project definition via cj03, I find my project!!! I checked also that the field INACT is empty in table PROJ. During the debugging, I find in the function module "CJDW_PROJ_ACTIVATE_IM" that it keeps somewhere in memory the value X in field INACT, thus the database is not updated.
    FUNCTION CJDW_PROJ_ACTIVATE_IM.
    *"  Local interface:
    *"       IMPORTING
    *"             VALUE(PSPNR_IMP) LIKE  PROJ-PSPNR OPTIONAL
    *"             VALUE(PSPID_IMP) LIKE  PROJ-PSPID
    *"       EXCEPTIONS
    *"              PROJ_NOT_EXIST
    *"              NOT_POSSIBLE
      DATA: PROJ_IMP LIKE PROJ,
            LOC_TABIX LIKE SY-TABIX.
    * Read table PRJTAB
      PERFORM READ_PRJTAB USING PSPNR_IMP
                                PSPID_IMP.
      READ TABLE PRJTAB WITH KEY PSPNR = PSPNR_IMP.
      LOC_TABIX = SY-TABIX.
      IF NOT SY-SUBRC IS INITIAL.
        MESSAGE E011 WITH  PSPID_IMP RAISING PROJ_NOT_EXIST.
      ENDIF.
      MOVE-CORRESPONDING PRJTAB TO PROJ_IMP.
    * Minimal check on activation -> organizational data consistent?
      CALL FUNCTION 'CJCK_CHECK_BUKRS_GSBER_KOKRS'
           EXPORTING
                I_BUKRS       = PROJ_IMP-VBUKR
                I_GSBER       = PROJ_IMP-VGSBR
                I_KOKRS       = PROJ_IMP-VKOKR
                I_WAERS       = PROJ_IMP-PWHIE
           EXCEPTIONS
                ERROR_MESSAGE = 99.
      IF NOT SY-SUBRC IS INITIAL.
        MESSAGE ID SY-MSGID     TYPE 'E'
                NUMBER SY-MSGNO WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4
                RAISING NOT_POSSIBLE.
      ENDIF.
       *PROJ = PROJ_IMP.
      CLEAR proj_imp-inACT.                                      "QRK260599
      CALL FUNCTION 'CJDW_PROJ_MODIFY'
           EXPORTING
                BEAKZ         = CON_CHANGE
                I_PROJ        = PROJ_IMP
                X_CHECK_INPUT = CON_NO
           IMPORTING
                E_PROJ        = PROJ_IMP
           EXCEPTIONS
                BEAKZ         = 1
                PSPNR         = 2.
      IF NOT SY-SUBRC IS INITIAL.
        MESSAGE ID SY-MSGID  TYPE 'E'
                NUMBER SY-MSGNO WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4
                RAISING NOT_POSSIBLE.
      ENDIF.
      MOVE-CORRESPONDING PROJ_IMP TO PRJTAB.
      CLEAR PRJTAB-INACT.
      IF PRJTAB-VBKZ IS INITIAL.
        PRJTAB-VBKZ = CON_CHANGE.
      ENDIF.
      MODIFY PRJTAB INDEX LOC_TABIX.
      MOVE PRJTAB TO *PROJ.
      PERFORM UPDATE_PROJ_IM ON COMMIT.
    ENDFUNCTION.
    I need help!!!
    Thanks in advance
    Said Ben Ajiba
    Edited by: Said Ben Ajiba Abdelwarit on Jun 9, 2011 11:20 AM

  • Invoice not going for second level approval

    I have an issue, gurus.
    There is an invoice which should go through two levels of approvals. We have built a customised workflow for that. At the first level there are, say, 5 approvers who can approve, then at the second level there are again 3. Any one among them can approve the invoice at any level, and thereafter the work item gets deleted from the remaining agents' inboxes. Now the issue is that after one among the first level approvers approves, it again comes back to him for approval without going to the next level.
    What can be the problem and what is the solution? If anyone can help me...

    Hi,
    It is related to a workflow issue. Please check in SWIA.
    Please contact your ABAP (technical team).
    There is a problem in BADI.
    G.Ganesh Kumar

  • Requests that are forwarded to another approver are not going to next stage

    We are having an issue with AE 5.2 with Forwarded requests. When requests are forwarded to another approver and this person then approves the requests, they are not going on to the next stage in our workflow. We have the Forward Type option set to 'Any one Approver' for the workflow stage. Have also tried forwarding the requests with both the Forward With No Return and Forward With Return options.
    The approver that is receiving these Forwards is not listed as one of the approvers for the role in the request. Is this the issue, are we not using the Forward process correctly, or is this a bug in AE 5.2? (I think we are currently on SP 9 of GRC 5.2.)
    Thanks.

    Hi Bob,
    I am running AE 5.2 but do not use the "forward" feature. For requests that require "role approvers" I have set up a separate initiator that includes the additional Stage for Role approval.
    I have initiators for 1) New User w/ no role approval 2) New User w/ role approval 3) Change User w/ no role approval 4) Change User w/ no role approval
    My "no role approvals" go through three stages 1) security initial review 2) Internal Control review 3) Final security provisioning; my "role approvals" go through four stages 1) security initial review 2) Role Approval Stage 3) Internal Control review 3) Final security provisioning
    If a request has roles that require approval and some that do not, the request will take the two separate paths based on the roles defined for each; the provisioning will complete once both paths have completed all stages.
    This allows us to treat the role approval just like any stage with assigned approvers and, if there are multiple approvers, allow for any one approver to complete the stage.
    This is different from your approach of forwarding for role approval; I define the roles to the initiators that require role approval, but it gives you another perspective of doing it.
    Jerry Synoga
    Ryerson,Inc.
    630-758-2021

  • Requests are not forwarded to next level after approval

    Hi all,
    Apps version 11.5.10, Solaris 10
    We have modified a user name in apps. After that, whatever that particular user has approved is not going to the next level. Is it not recommended to update a user name?
    Hope someone can help me fix the issue.
    Thanks in advance
    uns


  • Request Key for Role Requests in OIM 11.1.1.5.0

    Hi,
    We are currently working on an enhancement in which, after the role request is approved in the workflow process (SOA), it needs to be assigned to a group. A notification has to be sent to this group with the request details and the task needs to be assigned to them. This functionality is implemented using the process task and providing the group name in the assignment tab of the task.
    The problem we are facing here is, we are not able to get the request key (of the role request) dynamically, which can be used in the adapter to get the request details/ role details.
    We have implemented the same process while requesting for RO, i.e. after the RO request is approved in the SOA workflow it gets assigned to a group.
    In that case we could get the request key by using the below SQL query:
    "select usr.USR_LOGIN,req.request_key,usr.usr_first_name,usr.usr_last_name from usr usr,request req,oiu oiu where req.request_key=oiu.request_key and req.requester_key=usr.usr_key and oiu.orc_key=" + processInstanceKey;
    However, for the role requests, we are not able to figure out the query or any other process using which we can get the request key dynamically that can be used in the process task adapter.
    Please suggest the DB query or any other method to get the request key for the role request.
    Thanks in advance.
    Shakti.

    Hi Kevin,
    The complete steps that we are following are as below:
    1. The requester raises a request for assigning role xyz to user abc by using a request template. Once the SOA workflow is completed the user gets the role.
    2. After the evaluate user policy scheduler is run and the record is inserted into the child table, a task "ADD Role To User" is triggered.
    3. Have created an adapter to set Response= "SUCCESS" and associated it with the task "ADD Role To User".
    4. On Response= "SUCCESS" we are triggering two tasks.
       i. Assigning task to a team
       ii. Sending notification to the team about the role request.
    5. While writing the task for sending notification, we have created an adapter. We need to get the request key (of step no 1) and role details to be displayed in this mail.
    As you have mentioned, "There should be no process instance key for a Role Request because there is no object.", I am not able to figure out a way to get the request key
    which I can use in the adapter to send notification.
    Please suggest how I can get it and let me know if you need any other details.
    Thanks in advance.
    Shakti.

  • What is the purpose of assign roles to portal please describe

    What is the purpose of assign roles to portal? Please describe.

    Hi,
    You assign Roles to Users and not to portals.
    Check this to know about Role:
    http://help.sap.com/saphelp_nw70/helpdata/EN/45/c0d8e962336000e10000000a1553f6/frameset.htm
    So a role has contents that a user can see and also privileges that the user can have (UME Actions).
    http://help.sap.com/saphelp_nw70/helpdata/EN/fb/33f520d15f8f4092a60381365620b2/frameset.htm
    When a user is assigned certain roles which have contents and also UME Actions, this user sees them when he logs on to the portal and also has this set of privileges.
    Regards,
    Praveen Gudapati

  • User decision activity not going to the agents(Position Maintained).

    Hi All,
    I assigned a specific Position in the agent field of the user decision activity. But after assigning, the decision step is not going to the expected agent but it is getting executed by the WF-BATCH user.
    I have checked the same in the Tcode PO13 and the corresponding user is the only one maintained for that position.
    Kindly guide what can be the possible reasons. Is there anything I am missing?
    Thanks,
    Neslin.

    Thanks. Yes. Latest start and latest end are already maintained and there is a Rule when the latest start is missed also. Kindly let me know how I can avoid this also.
    How to check whether the position is maintained to the SAP user id? I have seen the user maintained under the position in Tcode PO13.
    The deadline is calculated 4 days after sydatum.
    One more thing: the workitem got reserved by the WF-batch and executed by WF-batch.
    Edited by: neslin on Jul 28, 2009 7:49 AM

  • When Role is assigned to User through membership rule then it's membership is not added to OID ?

    Hi All,
    I have OIM 11gR2 installed with LDAPSync enabled.
    When I tried to assign a Role to a User through a membership rule, the Role is successfully assigned to the User in OIM, but it is not added in OID.
    Role membership is added in OID when the User requests the Role through Catalog search. Also, Role membership is added in OID after running the job 'LDAPSync Post Enable Provision Role Memberships to LDAP'.
    How can I add Role membership in OID as soon as the Role is assigned to the User through a membership rule in OIM?

    Hi
    It sounds like you have not selected anything on the Presentation & Data tab of the Workspace Startpoint/User Service.
    You need to specify:
    Your Asset (the form you want to present to the user)
    An associated Action Profile (tells the server how you want the form rendered...typically it is set to Default which uses the Render PDF Form process)
    The variable to hold your data (typically an xml variable)
    Make sure these are set.
    Diana

  • Request Number is not generated for BRM "new" role creation

    Hello Gurus,
    I have configured BRM in SAP GRC AC 10, along with the workflow.
    I have selected the following methodology:
    Define Role --> Maintain Auth --> Analyze & Access Risk --> Request Approval --> Generate Roles --> Maintain Test Cases
    Role name: Y_TEST_BRM_FUNCTIONALITY
    So I do the following steps and assign
    1) Role approver as Mr. ABC & Alternate approver as Mr. QRS
    2) Assign the required transactions and do the RAR, i.e. I am done till step 3 of the methodology
    When I click "Initiate Approval request"
    the approval triggers, and goes to the 1st stage as configured in MSMP
    1) Power User Approval.
    Here the Power User, EFG, opens his workflow and sees the request as
    Role approval required for role Y_TEST_BRM_FUNCTIONALITY
    The approver approves the request and then the request altogether vanishes.
    Unfortunately I am not able to search the request for that role from NWBC --> Search request by
    Process Id: Role Approver Workflow
    It gives blank!!
    Hence I am neither able to find the request nor able to do any debugging of it using
    GRFNMW_DBGMONITOR_WD
    Please note that the Request Id is created for any request in CUP.
    Is it that I have to create a number range for BRM request??
    If so, will you please let me know the object?

    Hello All,
    I was wrong in posting the cause of the problem.
    Please note no "Request number" is generated for Role creation Request.
    The problem was I was unable to search the Role Request approval status from "Search Request" via Process Id.
    It got resolved via SAP note 1643539: UAM: Search Request not returning result for some Process Id.
    My issue is resolved.
    Thank You.
    Regards,
    Victor

  • One CUP request for assigning role to multiple users

    Hi,
    We assign roles to users in production only through CUP requests. We use GRC 5.3.
    Here we have a case where we need to assign one role to 60 users in production (each user may have different roles assigned in the back end). I can raise one CUP request for all users using the "multi-user" option in Copy request. But when we want to make a risk analysis, it will not show risks at user level, as each user had different roles and may get different risks by adding the new role.
    Instead it will give risks, if any, for only that new role which we want to assign. Our manager is not accepting this, as it is not giving a complete picture of risks for each user when we add the new role.
    Please suggest if there is any other way where I can make a risk analysis for each user when I create a CUP request for multiple users.
    Or is the only solution to create 60 CUP requests?? This would be too manual.
    Regards,
    jaags

    Raghu,
    Thanks for the reply, you are right as per the audit. But suppose it is for 200 users, creating 200 CUP requests will be impractical, right?
    There should be some solution for this, because there will be many situations practically where we have to assign roles to N number of users.
    Is this possible in GRC 10? Any idea?
    Regards,
    Jaags

  • How to trigger approval request for resources after assigning role

    Hi,
    We have a use case where we need to assign resources to a user via assigning roles.
    In order to achieve this use case:
    1. We have created a role and assigned the access policy to it, which contains the resources to be provisioned once the role is assigned to the user.
    2. Created a SOA composite having manager approval and assigned this composite to an approval policy of type 'Assign Role'.
    3. I already have the approval policy for the resources which are present in roles. The approval policy of resources is of type "Provision Resource".
    4. Also the SOA composite for resource approval is deployed in OIM and assigned to the approval policy.
    5. Now when I am raising the request from OIM of type "Assign Role", the approval defined in the SOA composite for Role approval gets triggered. After approving the role request, the role is assigned to the user and also the resources defined in the access policy get provisioned to the user account.
    Now I want to trigger the resource approval process after the role approval instead of directly provisioning the resources, so that once the role is approved the individual Approval Process of the resources that are part of roles should also get invoked. Based on the approval or rejection of the resource approval, the resource gets assigned to the user.
    Please let me know how to achieve the above use case.
    Thanks in advance

    Access policy is saying whoever gets xyz role will get this abc resource. Now once a user gets xyz role, you are stopping him from getting abc resource? Both are contradictory. Don't go through access policy. User is anyway going to request for roles. Modify your flow and make the user request for the resource. Have your composite and approval policy attached. User will get the resource once it is approved.
    Regards,
    GP
