Automatic Role Provision tool in ECC
Hi All - In my company we have very tedious procedure for role provisioning, users sometimes get totally lost when requesting roles.
We have no budget to implement SAP Access Enforcer, is there any tool within SAP which provides role provisioning.
Or can you guys suggest me any ideas with which I can make things easy to users in role provision.
As for now our process is user have to manully find roles which they want from couple of 100 roles, than it goes to role owner for approval after approval Sec Admin assigns requested role to user.......
Can you guys suggest me some ideas on how to make this process not complex to users.
Thanks All!
Thanks Auke for quick response!
I should have been more clear, my bad! When I say users I mean my IS users (BA's, functional Architects, PM's). Actually they request roles for end users or for business.
I was thinking to create standard roles (composite) per module/business specific. I dont know weather this idea will be any easy. When user request access to ECC per there responsibilities/business we can assign standard composite role to kick start user......
And also question with your previous post :
"_secondly make a download of AGR_1251 select on object S_TCODE and ONLY your ENDUSER roles_."
Could you explain me a little bit more...sorry!
Thanks Again.
Similar Messages
-
Role of Developers in ECC 6.0
Hi Gurus,
Our company have recently moved from 4.7 to 6.0.
1. What are the steps/points to be taken into considerations after the implementation, taking developer view into consideration...
2. In terms of tools, what 6.0 has offered us, apart from traditional abap programing...
3. Heard the thing that developers have more restricted use/value now in comarison to 4.7, are v , programmers in a danger of extinction, literally..
Thanx,Role of Developers in ECC 6.0
With every new version release SAP releases Version / Release note. You should check the changes made from release to release.
You can find the difference in release notes of each SAP version.
Here are the links.
http://help.sap.com/saphelp_47x200/helpdata/en/fc/e3003deddfae4de10000000a114084/frameset.htm
http://help.sap.com/saphelp_scm50/helpdata/en/28/b34c40cc538437e10000000a155106/frameset.htm
http://help.sap.com/saphelp_erp2005/helpdata/en/43/68805bb88f297ee10000000a422035/frameset.htm
Follow the life cycle of upgradation project:
Hi , plz find the high level design of the upgrade life cycle.
Activity
Description
SPDD adjustments (Adjustments in Data Dictionary objects)
Adjustment of data dictionary objects
Identify SPAU objects and Custom objects
Prepare the list of SPAU objects and Custom objects
Reassessment of effort for modification and adjustment activity
Reassessment of effort required for modification and adjustment activity
Object Tracking Sheet
Prepare the object tracking sheet
Modification and adjustments of
SPAU and Custom objects
Modification and adjustment activity
Object Testing (typically for custom objects)
Primary testing of object to avoid any short dump
QA Objects and documents
Quality Control of modification and adjustment
Release Request
Transport the request from DEV to QA system
Delivery of Objects to Client
Completed objects are delivered to the client
Integration Testing
Integration testing
Rework Objects
Objects requiring rework after integration testing by the client and receipt of feedback
There are two types of Upgradation:
1) Technical
2) Functional.
Technical: It is puerly relevant for ABAP development.
First they will prepare Business Process Master List.(BPML).
It contains what are the business process, transaction codes, programs etc.
They will cross check whether the business process, transaction codes, programs etc are functioning properly in the existing system. If not, they will go for
ABAP development in that System.
Then they will go for user document preparation and user training documentation & Scripts.(Nothing but templates).
While doing Upgrade You have to aware of all related program like BDC's , Screens related errors and all dictionary related problems.
Some function modules may become obsolete, and some screens will change
and some new fields will be added in the new versions etc.
Also take care of SPAU and SPDD tcodes.
You should be able to know about Unicode concept in sap.
check this
http://www.thespot4sap.com/upgrade_guide_v2.pdf#search=%22upGRADE%20STEPS%20-%20SAP%22
also chk these 2 notes in service.sap.com
Technical Upgrade is only a version upgrade without any functionality changes.
The objects that are needed to be upgraded are:
Includes
Function Groups / Function Modules
Programs / Reports
OSS Notes
SAP Repository Objects
SAP Data Dictionary Objects
Domains, Data Elements
Tables, Structures and Views
Module Pools, Sub Routine pools
BDC Programs
Print Programs
SAP Scripts, Screens
User Exits
Reward Points if useful. -
I have an original Apple ID from my personal iPhone and iPad. I bought a MacBook Pro for business and the Apple Store clerk told me to use the old Apple ID to make setup faster and that I could change to a new one later. So... I did all that and changed the Apple ID everywhere I can find a place to do so. And everything seems okay, except the Automatic Updates download tool defaults back to my original Apple ID. That old Apple ID is grayed out in the login, so I cannot seem to change it to download and update under my new, business-related Apple ID for my MacBook Pro. What to do?
Yes, absolutely, you can still use the old ID to update, etc., but I understood the OP to want to simply discard the old one and use only the new one. Maybe I misunderstood...
And, actually just now re-reading the first post, it could be that the ID had only been associated with the iDevices, so if he established a new ID and associated that with the new MBP, I frankly have no idea if he can still use the old ID on that machine (based on him saying that the old ID is greyed out) - have not come up with this type of situation before. -
I am want to keep AdminCredential as a parameter in VM Role Authoring Tool but I do not want user to be able to able to provide the password. As an Enterprise, we have a password policy that we use for Admin Password. The reason i want to keep it as an parameter
is because if we ever decide to change the policy, i do not have to go back and change it at 100 places it was used. I just change the parameter value and it gets applied everywhere.
This is what i have tried so far:
I added the AdminCredential parameter in the separate category. I made
Configurable to No and provided DefaultValue
in the format Administrator:Password1 in the parameter and imported the definition in the Admin Portal. Now Administrator:Password1 shows up in the username field and password is still editable.
In short, if possible, i do not want users to see the AdminCredential parameter. If i cannot hide the parameter, i want to disable username and password fields and provide hard coded value for it.
Is there a way to achieve what i am trying to do?The assumption with Azure Pack is that the OS is Server and the OS has been generalized.
Now, in the Azure Pack world this local admin credential is actually a special credential. You cannot take it away, but you can set a default value in the designer.
If a default value is set, you may be able to hide it from the view definition (I am not sure, since this is a special parameter), but you cannot remove the parameter from the resource itself.
And a credential in Azure Pack gets interpreted to a username plus password string.
I have added secondary accounts that capture a password string and a username (as strings, not credentials). But again, I am not positive that this is allowed.
Sorry for not having a straight answer, maybe someone will jump in with a better one.
Brian Ehlert
http://ITProctology.blogspot.com
Learn. Apply. Repeat. -
It's posible the OID role Provisioning With OIM?
Hi experts,
I'm installing and configuring the OIM connector for OID. However I've found on the installation guide the next 'warnings':
- Reconciliation of roles is supported only for ODSEE and Novell eDirecotory target systems.
- Provisioning of roles is supported only for ODSEE and Novell eDirecotory target systems.
then my question is: how can I provision OID roles to any user using OIM??? If I can't do role provisioning to OID, I cant see so much utility for this connector.
My request its to provisioning roles that I've created on OID, using OIM interface.
Has anyone done this?
Thanks for you time.
regards.
Edited by: Daniel Cermeño on Sep 10, 2012 4:39 PMHi Leoncio and Gyanprakash,
Tanks for your response, thats make me feel more quiet.
I have still one question about this. In the installation and configuration guide says:
- If you are using the default connector configuration, for every group in the target system, create a corresponding organizational unit (with the same group name) in Oracle Identity Manager. This ensures that all groups from the target system are reconciled into their newly created organizational units, respectively.
- You can also configure the connector to reconcile the groups under one organization.
Then, when I run the reconciliation of OID groups in OIM. I obtain one organization with one resource representing my OID group. Or, if I prefer, I obtaion one organization with many resource that represents all my OID groups. However, I dont find how to provision this resources to my OIM users, cause I need that one user be part of one o more groups. If I put the user in the organization that represent my OID group, how I can provision more groups?
Furthermore, the reconciliations of OID groups creates resources/organizations, but in my understending this no create OIM roles isn't?
I'm sorry for my ignorance. This maybe is a trivial question, but I hope you can clarify this concepts to me.
Thanks for your time.
regards.
Edited by: Daniel Cermeño on Sep 11, 2012 8:08 AM -
Data Transfer Tool for ECC 6.0
Hi All,
Good Morning. I would like to know if anybody has had the opportunity to use this tool in ECC 6.0. If so, where did you obtain the software related to this tool?
Please Advise.
Kind Regards,
Daniel A. La MendolaI am actually looking for where the program resides and if it exists for ECC 6.0. I have found tons of documentation, but nothing on how to obtain the tool itself.
If anybody can assist me in the endeavor it would be greatly appreciated.
Thanks again for you help -
VPT (Voice Provisioning tool 1.0.2) issue- Can't see device
Hi,
Just wondering if anyone has seen this issue with VPT 1.0(2). When the customer tries to add a new phone via Voice Provisioning Tool he can't select a device type as there isn't anything in the drop down section. I have attached screen snapshot. It iss talking to CCM 4.1(3)SR5d.
I have seen the bug CSCsb40475 but the IIS restart didn't help. Any help would be appreciated.
Cheers
AtiVPT 1.0(2) does not support the CCM 4.1(3) version 2. Please remove the CCM 4.1(3) version 2 plug-in via the procedure described here:
http://www.cisco.com/en/US/docs/voice_ip_comm/vpt/1xrelnotes/mig/vptrnote.html
Make sure you are following the install procedure here when installing Unity 4.1(1) plug-in:
http://www.cisco.com/en/US/docs/voice_ip_comm/vpt/1xrelnotes/mig/vptrnote.html -
SAP GRC AC 5.3 Roles provisioning
Dear all,
Anyone knows if SAP BW, SAP XI, SAP WF and SAP SP are standard sopported by SAP GRC AC for the roles provisioning?
Thanks for your help!
Kind regards,
SergioHi Sergio,
let's put the answer the other way round to make it easy.
AC 5.3 CUP can provision ABAP roles and UME/Portal roles. Not more not less.
This means if you have a solution which needs additonal provisioning to be done (e.g. CRM business partner assignment) then CUP won't be able to do that.
Best,
Frank -
Need Resource planning tool in ECC 6.0
Hi
i need to findout Resource Planning Tool in ECC 6.0,Can anybody help me how to findout RPT tool in ECC6.0.
Thanks & regards
Vikram GopalHello,
Resource Planning
Use
Resource planning is a planning aid. If you only know the quantities of consumed resources (see also: Resources) you can use resource planning to plan activity-dependent or activity-independent primary costs or revenues by quantity. You can carry out detailed planning of a cost element by subdividing the cost element on the basis of the resources. The system valuates the given resource consumption with a price, which you can store separately in the system.
You can also link resources to a material or to a base planning object. This means that a resource or a base planning object has been entered in the resource master record. For the valuation of resource consumption during planning, the system uses the price of the material, regardless of whether you have defined a price for the resource during pricing (see also: Pricing).
http://help.sap.com/erp2005_ehp_02/helpdata/en/17/316cc3b43011d19296c8d204c10000/frameset.htm
Regards,
Sourabh -
Automatically role up reporting when manager leaves
Hi,
How do we automatically role employees up to the next level of reporting relations when a manager is terminated & they are not moved?
For eg: if my manager leaves, my reporting should automatically role up to my manager's manager.
Please advise if there is some configuration or standard report to perform this activity.
Thank you,
ManishThis is actually standard SAP behaviour. When a manager position is empty, SAP considers the manager to be the next manager up the hierarchy. This is how eg. MSS and reports for managers work. Also I believe the FM that finds managers work this way.
Note that for workflows, the switch WFLOW/VAPOS needs to be set for the system to skip the vacant manager positions and go one level up.
Kirsten -
Succesful commands for Provisioning Tool(CS6/PC)
Hi,
Have any of you guys had any luck using the Provisioning Tool to unserialize a CS6-installation?
If so - what was the command line you used?
We've tested various commands but none of them have been succesful.
Some gives the return code 1 and a single one gives the return code 0.
The one giving the return code 0 should work, but sadly it doesn't actually unserialize.
Our CS6-package is made using AAMEE and packed as a serialized install.
After the install we plan on unserializing the install, but have no luck doing so.
The reason for this procedure is bad experiences trying to serialize a trial install of CS5.5.
KennethHi,
First of all some basics about our procedure.
We deploy a serialized version of Master Collection packaged using AAMEE3.0.
Once successfully installed we run this command:
adobe_prtk --tool=UnSerialize --leid=MasterCollection-CS6-Win-GM
to unserialize Master Collection. This gives the return code 0 and leaves us with a trial version.
We then want to serialize to eg. Design & Web Premium - using the Provisioning Tool - and the Master Collection CS6 Install using this command:
adobe_prtk --tool=Serialize --leid=DesignWebSuitePremium-CS6-Win-GM --serial=xxxx-xxxx-xxxx-xxxx-xxxx-xxxx --adobeid=[email protected]
This gives the return code 0.
If we then use the Provisioning Tool to unserialize Design & Web Premium using this command:
adobe_prtk --tool=UnSerialize --leid=DesignWebSuitePremium-CS6-Win-GM
this gives the return code 6.
According to the oobelib.log this should be due to the LEID not being valid.
I don't have a clean oobelig.log and amt3.log at the moment, but could prepare one if you want to take a look at it.
Is it no longer possible to serialize to a different package using the Master Collection-install?
This procedure worked in CS5.5 where we use it today. -
Hi Everyone we are facing following issue in GRC-SAC-SAE 5.3_16.3. So far our CUP was connected to Enterprize portal (7.01) and auto provisioning for group to users worked. However now it is not working with below error.
Role Provisioning failed for System(s) : <Connector Name>. Error Message :
malformedRequest
Failed request now
Successful request used to provision
Regards,
Arpan PaikArpan,
We used to get those "malformed request" errors. We dealt with them by requesting the portal to be re-booted during the weekend maintenance window, making the portal security changes manually, cancelling the CUP request and notifying the requester. It's not a great solution, I know, but it was all we could come up with at the time. Then they upgraded the portal to NW 7.31, which is incompatible with GRC 5.3, and we have to do everything manually, so our situation went from bad to worse. Good luck!
Cheers,
Gretchen -
TR History Data Migration Tool in ECC 6.0
Hi,
Is there any tool is ECC 6.0 to migrate old 4.6C transaction data in to ECC 6.0?
We want to configure a new ECC 6.0 system with TR-TM and migrate all transaction data from old system 4.6C to ECC 6.0. All configuration of 4.6C in TR-TM and FI-CO will be maintained in ECC 6.0
Please advise if you know any such tool in ECC 6.0
Thank you.
With Kind Regards,
Naresh B. PandyaHi,
Got it. I have done a similar project from 4.0B to 4.6C a few years back and it was painful, as there were no tools available.
In ECC6, SAP provides an elaborate set of tools, however the process will still be painful, as you would first need to customise your ECC6 box as per 46C customisation, but there will be a difference in customisation due to the fact that FSCM is now used for Treasury, where position management and business parters are handled very differently.
The 46C data will now need to be treated as legacy, the only benefit will be that data availability in the form you want will be easy.
After you activate the extension EA-FS as suggested earlier, you will see the node for Financial Supply Chain Management in the IMG. Navigate as below for the data transfer process:
Financial Supply Chain Management ->Treasury and Risk Management->Transaction Manager->General Settings->Tools->Legacy Data Transfer
You will need to refer to the IMG help and the link below for help.
[Legacy Data Transfer|http://help.sap.com/saphelp_erp2005/helpdata/en/56/d880392c58ab54e10000000a114084/frameset.htm]
Cheers. -
Hi,
I have done provisioning manually from OIM to AD sucessfully.
Now i wants it to automate. For example if i create a user in OIM in abc org, then it should automatically provision to AD in the abc org.
To achive this i did the below steps
1. Create a rule abcRule in Rule designer - organization name=abc
2. Create a org name abc in the OIM and AD.
3. Create a Role in OIM abcUserRole assign the Rule abcRule to this Role
4. Create a access policy abcPolicy
assign the AD user to this policy
Now create a user in OIM, user is created in OIM and a member of abcUserRole, user is not provision to AD. Geeting the error
javax.servlet.jsp.JspException: Can't insert page '/layouts/tjspClassicLayout.jsp' : Connection reset by peer: socket write error
at org.apache.struts.tiles.taglib.InsertTag$InsertHandler.doEndTag(InsertTag.java:902)
at org.apache.struts.tiles.taglib.InsertTag.doEndTag(InsertTag.java:465)
Can you please suggest me.These errors can be ignored. But your issue is that resource not get provisioned to user.
role is assigned to user or not after creation? if yes then check provisioning process is initiated or not I mean resource available under resource tab or not even in provisioning status.
Let me know the answer for above query so that I can help you for further proceeding
share console log with us
--nayan -
OIM 11g Peoplesoft Roles provisioning issue
Hi All,
We have configured Peoplesoft Connector 9.1.1.6 to provision roles to Peoplesoft through access policy. We are not able to provision multiple roles into Peoplesoft. It just provisions first role to user in peoplesoft and errors when provisioning the other role. The role names are matching in peoplesoft and OIM, pulled into the lookup.
Error on Server :
Running CREATEUSER
Target Class = oracle.iam.connectors.psft.usermgmt.integration.PSFTUMUserProvisi
onManager
PSProperties not loaded from file. Couldn't find file: pstools.properties
<Dec 19, 2011 1:26:54 PM EST> <Warning> <PSFTUM> <BEA-000000> <oracle.iam.connec
tors.psft.usermgmt.integration.PSFTUMUserProvisionManager : createUser : Exclusi
on List Attribute lookup not initialized>
Running MODIFYUSERROLE
Target Class = oracle.iam.connectors.psft.usermgmt.integration.PSFTUMUserProvisi
onManager
PSProperties not loaded from file. Couldn't find file: pstools.properties
Running MODIFYUSERROLE
Target Class = oracle.iam.connectors.psft.usermgmt.integration.PSFTUMUserProvisi
onManager
PSProperties not loaded from file. Couldn't find file: pstools.properties
<Dec 19, 2011 1:26:57 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
=======================================>
<Dec 19, 2011 1:26:57 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <oracle.iam.co
nnectors.psft.usermgmt.integration.PSFTUMUserProxyProvisionManager : modifyUserR
ole : Unable to Save user profile>
<Dec 19, 2011 1:26:57 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
=======================================
>
<Dec 19, 2011 1:26:57 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
=======================================>
<Dec 19, 2011 1:26:57 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <oracle.iam.co
nnectors.psft.usermgmt.integration.PSFTUMUserProxyProvisionManager : errorHandle
r : The value entered in the field does not match one of the allowable values.
You can see the allowable values by pressing the Prompt button or hyperlink.>
<Dec 19, 2011 1:26:57 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
=======================================
>
<Dec 19, 2011 1:26:57 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
=======================================>
<Dec 19, 2011 1:26:57 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <oracle.iam.co
nnectors.psft.usermgmt.integration.PSFTUMUserProxyProvisionManager : errorHandle
r : An error occurred while changing the value of the field.>
<Dec 19, 2011 1:26:57 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
=======================================
>
<Dec 19, 2011 1:26:57 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
=======================================>
<Dec 19, 2011 1:26:57 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <oracle.iam.co
nnectors.psft.usermgmt.integration.PSFTUMUserProxyProvisionManager : errorHandle
r : An error occurred while changing the value of the field.>
<Dec 19, 2011 1:26:57 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
=======================================
>
Running MODIFYUSERROLE
Target Class = oracle.iam.connectors.psft.usermgmt.integration.PSFTUMUserProvisi
onManager
PSProperties not loaded from file. Couldn't find file: pstools.properties
<Dec 19, 2011 1:26:58 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
=======================================>
<Dec 19, 2011 1:26:58 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <oracle.iam.co
nnectors.psft.usermgmt.integration.PSFTUMUserProxyProvisionManager : modifyUserR
ole : Unable to Save user profile>
<Dec 19, 2011 1:26:58 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
=======================================
>
<Dec 19, 2011 1:26:58 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
=======================================>
<Dec 19, 2011 1:26:58 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <oracle.iam.co
nnectors.psft.usermgmt.integration.PSFTUMUserProxyProvisionManager : errorHandle
r : The value entered in the field does not match one of the allowable values.
You can see the allowable values by pressing the Prompt button or hyperlink.>
<Dec 19, 2011 1:26:58 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
=======================================
>
<Dec 19, 2011 1:26:58 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
=======================================>
<Dec 19, 2011 1:26:58 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <oracle.iam.co
nnectors.psft.usermgmt.integration.PSFTUMUserProxyProvisionManager : errorHandle
r : An error occurred while changing the value of the field.>
<Dec 19, 2011 1:26:58 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
=======================================
>
<Dec 19, 2011 1:26:58 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
=======================================>
<Dec 19, 2011 1:26:58 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <oracle.iam.co
nnectors.psft.usermgmt.integration.PSFTUMUserProxyProvisionManager : errorHandle
r : The value entered in the field does not match one of the allowable values.
You can see the allowable values by pressing the Prompt button or hyperlink.>
<Dec 19, 2011 1:26:58 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
=======================================
Any pointers would be appreciated.
Regards,
AshokHi All,
Any pointer.
Regards,
Ashok
Maybe you are looking for
-
Error while Creating Flat file Source System
Hi Friends, The message "No entry for BW_USER in table RSADMIN available" is shown when I try to create a Source System for File System(Manual Metadata, Data using File Interface). Could somebody help me please. Thanks in advance. Hanuma Reddy
-
How to hear the 5.1 sound when watching some TV chanels that are transmited with A
Hi all, I've got some question that i haven't found an answer to on goole, finnaly i've decided to try to search at source - at Creative site. I've read many post on this forum but it seems there isn't answer for my problem. I have got:? TV satellite
-
Photoshop elements 13 organiser I want to import the photos into folders by shot name in the following format: yyyy mm dd, NOT yyyy dd mm. This used to be possible.. I have nearly 100 folders organised already as yyyy mm dd (actually half are yyyy-mm
-
ZFS options for Solaris 10 5/08 install?
In the next couple weeks I'll be installing Solaris 10 on a new Intel box that will be my new workstation. For various reasons, I won't be installing OpenSolaris or Solaris Express, I'll be going with plain vanilla Solaris 10. I can find a lot of lin
-
Unsupported image format after merging aperture libraries
I've experienced a large number of files with 'unsupported image format' after merging aperture libraries from separate external hard drives. I did not have this problem in either library prior to merging them. Can anyone advise how to rectify this