Assign WB to existing role always require role regeneration

Similar Messages

• Assigning and un-assigning the existing role to the existing participant

  Hi,
  My requirement is to assign the existing role to a participant and after doing some particular things un-assign that role from that participant
  I am using oracle bpm 10g .
  Any idea ?
  Thanks

  session as DirectorySession = DirectorySession.currentEngineSession
  theRole as RoleAssignment = RoleAssignment.create(role : DirOrganizationalRole.fetch(session : session, id : "MyRoleName"), permissions : 95)
       dirHum as Fuego.Fdi.DirHumanParticipant = DirHumanParticipant.fetch(session : session, id : "MyUserId")
       curRoles as RoleAssignment[]
       curRoles = dirHum.rolesAssignment
            curRoles[] = theRole
            dirHum.rolesAssignment = curRoles
            update dirHumTo unassign the role, just remove the role from the 'curRoles' array.
  HTH,
  -Kevin

• Need to delet or assign individual roles without changing all existing role

  Hi
  I am looking for a way in order to delete or add single roles without touching all other roles a user has.
  I found various BAPI_USER_* , however they always change the entire role assignment.
  Does anybody got an idea or an associated BAPI`?
  Thanks a lot,
  Kind regards,
  Mingolo

  Hello Minima
  The corresponding BAPI is BAPI_USER_ACTGROUPS_ASSIGN. In to delete only specific roles you first have to read the assigned roles of the user using BAPI BAPI_USER_GET_DETAIL.
  Now here the procedure:
  (1) Read the assigned roles for a given user using BAPI_USER_GET_DETAIL. The roles are returned in TABLES parameter  ACTIVITYGROUPS.
  (2) Delete the role you want to unassigned from ACTIVITYGROUPS.
  (3) Change the user using BAPI_USER_ACTGROUPS_ASSIGN with the modified list of roles (in ACTIVITYGROUPS).
  The logic behind this is as follows:
  - the BAPI BAPI_USER_ACTGROUPS_ASSIGN compared the imported list of roles with the currently assigned roles.
  - If one is missing, it is unassigned.
  - If one is new, it is assigned.
  - All others role assignements remain.
  Regards
     Uwe

• Making existing roles watertight for HR data

  Hello,
  I hope to get nudged in the right direction in here. I already descended pretty much to the end of my rope and ... well ... I need some more rope
  The situation is like this - I inherited everything that has to do with maintenance of authorizations on our system half a year ago, the guy that did that before me is no longer in the company (so there's no use in asking what he was thinking (if anything) when he was putting the roles together). Documentation is scarce/non-existing. When it exists it's usually not up to date. I'm not exactly a newbie in authorizations field, but at the same time I'm not really that far away from being a newbie yet, so I'm not beyond listening to basics being pointed out to me.
  <u>The Utopia</u>:
  There are five single roles built for all users of our system (say R1, R2, ... , R5). They're supposed to build on one another, R1 being the basic role, R2 having a couple more authorizations than R1, and so on until R5 which is the role that also has all HR authorizations.
  <u>The Reality</u>:
  The roles have been designed in a hurry and from the top down starting with the sap_all profile and removing some (or most of the) CA, BC and HR authorizations. They were not properly tested. They do not derive from one another in any way ... R2 for example is a complete copy of R1 with some additional objects and values, same for all the others. Every problem needed to be fixed five times, once for every role. That of course resulted in chaos, things got changed just in one place and the basic role suddenly got more powerful than all the rest. These roles are in use in the production system and there are no plans to substitute them with something better in the very near future.
  <u>The Problem</u>:
  Suddenly (yeah, right ) the need arose to have these roles watertight with regard to HR data. I did some rudimentary testing and sure enough they're nowhere near watertight even for the most common HR transactions. There are ranges defined in S_TCODE for which I have no idea why they are as they are, there was access to SA38 given where SAP HR programs with no authorization group (and no transaction code) assigned could be run by everyone ... there's god knows how many other security holes. The only help I got from the HR consultants was the list of all 2000 or so HR transactions (taken from the SAP menu tree) which shouldn't be accessible to a normal user. I suspect I might be in need of a typing monkey to check them all five times
  <u>Question</u>:
  How do I close as many security holes in these roles as possible? What's the strategy when dealing with such tasks? I've made it clear to the management that we probably won't have watertight roles if we don't create new ones, but making a set of new roles created properly from the bottom up is out of the question at this moment.
  I'd be extremely grateful for any advice or if anyone could point me to any kind of documentation about making roles like ours more secure for protecting HR data (and also keeping the users away from any BC stuff).
  In the meantime, I'm off to searching through the archives of the forum.
  ursa

  Mopping the floor with the water running is a spot on description
  Actually we're in the process of setting up new and improved authorizations but (of course!) the testing phase turned out to be much more time consuming than anticipated. No surprise to me, however someone obviously thought authorizations are a matter of defining roles and their menus and the system does everything else by itself. Riiight.
  What I did so far - first I educated myself on the specifics of HR authorizations. I never had to deal with those before, so (for example) it was a surprise to me that there's actually a separate SAP course dealing with HR authorizations Then I compared the existing roles to each other like you suggested and figured out a way that allowed me to do all the modifications with least amount of work. I cleaned most of the infotypes out of P_ORGIN and (to cover my behind), adjusted the ranges in S_TCODE to exclude the 2000 HR transactions our HR consultant listed for me.
  Most importantly - I made it clear to the guys above me, that with the roles we use I can't guarantee HR data to be inaccessible for people who should stay away from it. So ... back to the testing of the new authorizations
  Thanks for your help! It always makes a huge difference to get something like a second opinion when one can't decide if left is better than right or if it's the other way around.
  ursa

• New Org Level impact in existing roles

  Hi,
  I would like to set/create 2 fields as organizational levels. For example KLART and DOKAR. Checking these I realized there is a big amount of roles "affected" by this change.
  Because I plan to use the organizational level only for new roles , I would like to know which impact could have  this change for existing roles, should one modify the existing roles after creating the Org Levels ? or in contrast they still work as always an no changes / adjustments is needed?
  Thanks and regards
  FedeX

  Thanks Bernhard,
  I have a question
  As I mentioned before my goal is that the existing roles keep working after running that program... and do not want to perform any adaptation....only if there is a real error that avoid work correctly.
  In these 2 cases the role will keep working properly ( I mean restricting in the way that it uses to do).
  1) In case field is copied to the Orglevel area after running the program and the value(s) will stay in both places (OrgLevel and Original place)
  2)  In case field is NOT copied to the Orglevel area after running the program but the value still in the original place .
  right?
  Thanks
  FedeX

• Report to fetch assigned transactions for multiple role.

  Hi,
  I am looking for some report or the way, i can get the list of transaction assigned to multiple roles in one go.
  Actually i tried SUIM, but here i have to specify one role at a time and have the list of transactions assigned to it.
  My scenario is, i have around 100 composite roles. Now there is a requirment for a report, which gives information of transactions assigned to each role. If i do it one by one, i have to do it for 100 times.
  Please suggest the best and quickest way.
  Thanks & Regards,
  Pravin

  > Another way could be to look into the AGR_1251 table for object S_TCODE values. But, this will populate transactions that could possibly not have included intentionally (in the menu). For eg there are many transactions which need authroization for another tcode in the background which have to be inserted as an authroization value.
  Which is good, because those are the actual tcode rights, not only the intended ones......
  To do this for composites I disagree with Julius on using Excel or Acces
  Try the SAP query tools, they're there for you. If you go to the quickviewer (SQVI) you can easily join tables AGR_AGRS and AGR_1251 by AGRNAME. Now if you look for object S_TCODE you can see the relation between a tcode assignment and a composite role.

• Programmatically assigning Authorization Objects to roles

  Hi there,
  I have created an authorisation object with eight fields. The fields control which parts of my application are accessible to the user. (Each field is one category, each category has several subcategories).
  What I want to do is the following:
  There shall be a custom authorization dialog, wherein the system administrator can configure the access of the application for a specific user.
  In plain text: I want to develop an interface which makes it possible to assign authorisation objects with specific values to a user or to an already existing role.
  Is there any functionality, that allows me to perform this assignment and regenerate the users profile?
  I already discovered, that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values. Anyhow, just to write new values to that table has no affect to the authorization when calling "authority-check object" in an ABAP report.
  Does anyone know, whether there are standard functions in the ERP System, that support the changing of authorization objects and the regeneration of roles?
  Thank you very much,
  Gregor
  Edited by: Gregor Bender on Mar 11, 2008 8:41 AM

  >
  Gregor Bender wrote:
  > I already discovered, that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values.
  Nope, sorry, it's not the connection but only one of the many.... Roles and profiles are stored in quite a lot of different tables so manipulating one table directly will hardly ever get you the desired situation. It may even lead to problems due to inconsistencies.
  For mass regenerating profiles there's transaction SUPC.
  For manipulating the contents of roles/profiles have a look at scripting with SECATT or LSMW in combination with PFCG.
  If you want to write code to add objects to roles you have to look at least in tables AGR_1250, AG_1251 and AGR_1252. The UST* tables are updated when generating profiles and/or comparing users.

• Track new roles / change in existing roles

  Hi,
  I have a requirement to track the creation of new role OR changes to existing role in the system. In either case I have to send an email to the group of people.
  I tried to find the enhancements but found nothing useful.
  Basically, I need to find how can I track the even for creation / change of a role...
  Please help me out to find the solution for this...
  Thanks,
  Gagan Chodhry

  Hi Atish,
  Thanks for the reply...
  No, I tried to find the enhancements, but could not get the one I need...
  I found couple of things more like transaction PFAC_CHG / PFAC_INS for change or create role, but not sure how  exactly to use these... if these are the correct one to be used....
  Thanks,
  Gagan Chodhry

• View sites without assigning "Web Page Composer" role

  I have created a site in web page composer, created a "Test" role in portal and connected it with the site.
  Now the requirement is to assign the "Test" role to users so that users can see the output of the sites as a visitor but they should not be assigned the "Web Page Composer" role.
  I removed the role "Web Page Composer" from users and assigned them the "Test" role to view the output. As a result, they are able to open the site but do not see any content.

  Hello Arpita,
  You should check the initial configuration steps from the online documentation
  http://help.sap.com/saphelp_nw70/helpdata/EN/45/3fea9ff34d4a18e10000000a114a6b/frameset.htm
  Do you have the Everyone group assigned to the Standard User role (eu_role), and have you assigned your test user to the Everyone group? 
  Check the following documentation:
  http://help.sap.com/saphelp_nw70/helpdata/EN/47/f0f7415e639c39e10000000a155106/frameset.htm                          
  Regards,
  Lorcan.

• Access Enforcer - REMOVE roles/existing roles inoperant

  Hello
  After some time using the capability to ADD and REMOVE roles when creating a request on Access Enforcer (using the option 'Existing Roles' to REMOVE), now Access back to the screen to ADD always that we try to access 'Existing Roles'.
  So, the function to REMOVE roles are inoperant.
  Any ideas what It cold be?

  Hi,
  When you open a changing access request it's possible to add new roles and remove existing roles from the user, right?
  However, the option to remove roles (which is accessed through the 'existing roles' button) is not working longer.
  When that option is accessed, it's not showed anymore the current user's access: the screen returns to the add roles option.
  I haven't found any setting for the feature to remove roles and still don't know how that option, previously used in other requests, is not working for anyone else.
  Regards
  Heverton Kesseler

• Error :Authorization check for caller assignment to J2EE security role whil

  Hi Experts,
               i m working as a portal resource .
  after the deployment of standered Sap e-rec package .
  i m getting some error. i have assigned the recruiter role to one test user.
  Now i m getting two issue:
  1)All the services are appearing in Detailed Navigation Pannel but not in Portal content area..
  2) I m able to see few iview for the test user but those are also in detailed navigation view.
     And few ivews are giving following error :
    i)Internal error
  ii)error 2011-12-19 07:59:57:315 ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
  /System/Security/Audit/J2EE com.sap.engine.services.security.roles.audit n/a EP-DEV-KRT Server 0 0_97989
  Full Message Text
  ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
  please suggest what can be  done or what is pending from my side.

  Prajakta2602 wrote:
  Hi Experts,
  >
  > the previous issue got solved..
  > it was due to servies pack miss match and applying notes
  > the Basis guy  checked the SLD logs and accordingly found that the base components J2EECORE and JTECHS required paching as per
  > notes 1445294 and 1175239 were applied.
  > now the issue is:
  >
  >
  >  After implemetation and  i assigning the standerd sap roles
  > 1)Recruiter Administrator
  > 2)Recruiter
  > to the test user .
  > but for few iview it is showing error as in
  > 1) you are not a authorized user
  > 2) internal error
  >
  > please help experts.
  >
  >  i m working on portal side have i to assign any role to that test user..
  >
  >
  > Thnaks & Regards,
  > Prajakta
  You can run a quick check using the below steps:
  1. Check in backend whether there is any authorisation errors... you may use transactions SU53 or ST22 for any ABAP errors
  2. Also check in NWA -> log viewer -> last 24 hours log for the particular user to see any java related issues.
  Regards,
  Mahesh

• Error assigning users to application Role in Obiee 11.1.1.7.0

  Hello
  I installed Obiee 11.1.1.7.0 both on Windows and Linux platform and after that, I successfully set Active Directory integration. I have a problem assigning users to Application Role in EM. When I'm trying to search a user on Display name, the Principal userName returned is blank and the error is : Java Null Pointer Exception
  After that I install a fresh copy of 11.1.6.0. After AD Integration, I was able to assign users to Application Role. I made 11.1.1.7.0 upgrade and same error has come. I think this is a bug because same AD settings on 11.1.1.6.0 works.
  The error:
  ava.lang.NullPointerException
  #{viewScope.emas_pagemodel_security_EditAppRole.searchPrincipal}: java.lang.NullPointerException
       Hide Additional Trace Information
  javax.faces.FacesException: #{viewScope.emas_pagemodel_security_EditAppRole.searchPrincipal}: java.lang.NullPointerException at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:118) at org.apache.myfaces.trinidad.component.UIXCommand.broadcast(UIXCommand.java:190) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:92) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:361) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:96) at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:103) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:92) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:361) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:96) at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:97) at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.broadcastEvents(LifecycleImpl.java:1086) at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:434) at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:207) at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265) at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227) at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125) at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300) at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.emSDK.license.LicenseFilter.doFilter(LicenseFilter.java:101) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:128) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446) at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:271) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:177) at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.help.web.rich.OHWFilter.doFilter(Unknown Source) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.emas.fwk.MASConnectionFilter.doFilter(MASConnectionFilter.java:41) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:180) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.eml.app.AuditServletFilter.doFilter(AuditServletFilter.java:179) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.eml.app.EMRepLoginFilter.doFilter(EMRepLoginFilter.java:203) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.core.model.targetauth.EMLangPrefFilter.doFilter(EMLangPrefFilter.java:158) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.core.app.perf.PerfFilter.doFilter(PerfFilter.java:141) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.eml.app.ContextInitFilter.doFilter(ContextInitFilter.java:542) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119) at java.security.AccessController.doPrivileged(Native Method) at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:324) at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:460) at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103) at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171) at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:163) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321) at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120) at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277) at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183) at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454) at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209) at weblogic.work.ExecuteThread.run(ExecuteThread.java:178) Caused by: javax.faces.el.EvaluationException: java.lang.NullPointerException at org.apache.myfaces.trinidad.component.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:51) at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102) ... 67 more Caused by: java.lang.NullPointerException at oracle.sysman.emas.model.security.DialogAdminBean$1.compare(DialogAdminBean.java:567) at java.util.Arrays.mergeSort(Arrays.java:1270) at java.util.Arrays.mergeSort(Arrays.java:1281) at java.util.Arrays.sort(Arrays.java:1210) at java.util.Collections.sort(Collections.java:157) at oracle.sysman.emas.model.security.DialogAdminBean.fetchPrincipals(DialogAdminBean.java:563) at oracle.sysman.emas.pagemodel.security.identity.EditAppRolePageModel.searchPrincipal(EditAppRolePageModel.java:496) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at com.sun.el.parser.AstValue.invoke(Unknown Source) at com.sun.el.MethodExpressionImpl.invoke(Unknown Source) at org.apache.myfaces.trinidad.component.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:46) ... 68 more
  Any suggestion?
  Thx
  Gabriel
  Edited by: Gabbriel on Apr 23, 2013 10:46 PM

  We received from Oracle a work-around of this problem.
  It seems to be related to the virtualize flag set to true. I f you set it to false the problem disappear (it works for me).
  (rif. http://docs.oracle.com/cd/E28280_01/bi.1111/e10543/privileges.htm#BABDCJBH)
  There's an open BUG on this problem: Bug 16808088 - 11G JAVA.LANG.NULLPOINTEREXCEPTION ADDING USER TO ROLE AFTER UPGRADE TO 11.1.1.7.
  Hope this works.
  S.

• Participant Assignment to BPM Process Role

  Hi everyone ;
  I need to custom application for participant assignment to BPM process role. You know, this operation has been made under Business Process Workspace > Administration Areas > Organization > Roles But this page is not useful for Administrator user. I want to develop an application that it makes set Participant to BPM App Role. But, i haven't any API.
  Firstly, is this possible? And than, how can i implement it?
  Thanks.

  Is restart of the engine server on which ProcessP deployed is the only solution since the error messages shows up as 'Process Execution Engine has not re-synchronized with the Directory Service. '

• How to assign Users to process roles?

  Hi All,
  I have designed a process and I have consolidated all the roles,
  when I intiate the process from the runtime workset it asks to assign users to these roles(I have consolidated all the roles to three mail roles). The problem that I am facing is that the user should not see this screen, depending upon the user login id the approvers should be automatically assigned to the respective roles.
  Is this possible...
  Kindly guide me
  Thanks in Advance
  Sivaprasath

  Hi Sivaprasath,
  assuming that I've got you wright you could try to model the following using the callable object "business logic" and the callable object "assign user to process role".
  With the help of the first CO you can implement the logic to assign the respective approvers to the users (initiator) and let the processflow go on directing it to the appropriate step where the above mentioned second CO assigns the user to the process role (using the result states of the bussiness logic CO)
  At least you are supposed to need an appropriate Parameter that you can consolidate with the User ID.
  Just a quick idea, hope this will work with you.
  Greetings
  Berndt

• Add a base permission to an existing role definition in sharepoint using CSOM

  I have to add a base permission to an existing role definition in sharepoint using CSOM Managed API in SP2013, to update base permission of a permission level. I did use below code . But Role definition is not getting updated. What could be the reason? I
  have updated RoleDefinition and Web as well but it did not help.
    RoleDefinition rd = oClientContext.Web.RoleDefinitions.GetByName("My Permission");
                        if (!rd.BasePermissions.Has(PermissionKind.ManagePermissions))
                            rd.RoleTypeKind.ToString();
                            rd.BasePermissions.Set(PermissionKind.ManagePermissions);
                            rd.Update();
  oClientContext.Web.Update();
                            oClientContext.ExecuteQuery();
  Ashish Baranwal To know what you know and what you do not know, that is true knowledge

  Hi Ashish,
  I tested the same scenario per your post in my environment, and I got the same results as you got.                                                                                                                                                                  
  As a workaround, I recommend to delete the permission level and then recreate the permission level with the needed permissions:
  ClientContext ctx=new ClientContext("http://sp");
  RoleDefinition rd=ctx.Web.RoleDefinitions.GetByName("My Permission");
  ctx.Load(rd);
  ctx.ExecuteQuery();
  if(!rd.BasePermissions.Has(PermissionKind.ManagePermissions))
  rd.DeleteObject();
  BasePermissions permissions = new BasePermissions();
  //add the permissions needed
  permissions.Set(PermissionKind.ManagePermissions);
  RoleDefinitionCreationInformation roleDefinitionCreationInfo = new RoleDefinitionCreationInformation();
  roleDefinitionCreationInfo.BasePermissions = permissions;
  roleDefinitionCreationInfo.Name = "My Permission";
  roleDefinitionCreationInfo.Description = "My Custom Permission Level";
  RoleDefinition roleDefinition = context.Web.RoleDefinitions.Add(roleDefinitionCreationInfo);
  context.ExecuteQuery();
  Best regards.
  Thanks
  Victoria Xia
  TechNet Community Support