Business Roles Provisioning - Issue

Similar Messages

• OIM 11g Peoplesoft Roles provisioning issue

  Hi All,
  We have configured Peoplesoft Connector 9.1.1.6 to provision roles to Peoplesoft through access policy. We are not able to provision multiple roles into Peoplesoft. It just provisions first role to user in peoplesoft and errors when provisioning the other role. The role names are matching in peoplesoft and OIM, pulled into the lookup.
  Error on Server :
  Running CREATEUSER
  Target Class = oracle.iam.connectors.psft.usermgmt.integration.PSFTUMUserProvisi
  onManager
  PSProperties not loaded from file. Couldn't find file: pstools.properties
  <Dec 19, 2011 1:26:54 PM EST> <Warning> <PSFTUM> <BEA-000000> <oracle.iam.connec
  tors.psft.usermgmt.integration.PSFTUMUserProvisionManager : createUser : Exclusi
  on List Attribute lookup not initialized>
  Running MODIFYUSERROLE
  Target Class = oracle.iam.connectors.psft.usermgmt.integration.PSFTUMUserProvisi
  onManager
  PSProperties not loaded from file. Couldn't find file: pstools.properties
  Running MODIFYUSERROLE
  Target Class = oracle.iam.connectors.psft.usermgmt.integration.PSFTUMUserProvisi
  onManager
  PSProperties not loaded from file. Couldn't find file: pstools.properties
  <Dec 19, 2011 1:26:57 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
  =======================================>
  <Dec 19, 2011 1:26:57 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <oracle.iam.co
  nnectors.psft.usermgmt.integration.PSFTUMUserProxyProvisionManager : modifyUserR
  ole : Unable to Save user profile>
  <Dec 19, 2011 1:26:57 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
  =======================================
  >
  <Dec 19, 2011 1:26:57 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
  =======================================>
  <Dec 19, 2011 1:26:57 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <oracle.iam.co
  nnectors.psft.usermgmt.integration.PSFTUMUserProxyProvisionManager : errorHandle
  r : The value entered in the field does not match one of the allowable values.
  You can see the allowable values by pressing the Prompt button or hyperlink.>
  <Dec 19, 2011 1:26:57 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
  =======================================
  >
  <Dec 19, 2011 1:26:57 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
  =======================================>
  <Dec 19, 2011 1:26:57 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <oracle.iam.co
  nnectors.psft.usermgmt.integration.PSFTUMUserProxyProvisionManager : errorHandle
  r : An error occurred while changing the value of the field.>
  <Dec 19, 2011 1:26:57 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
  =======================================
  >
  <Dec 19, 2011 1:26:57 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
  =======================================>
  <Dec 19, 2011 1:26:57 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <oracle.iam.co
  nnectors.psft.usermgmt.integration.PSFTUMUserProxyProvisionManager : errorHandle
  r : An error occurred while changing the value of the field.>
  <Dec 19, 2011 1:26:57 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
  =======================================
  >
  Running MODIFYUSERROLE
  Target Class = oracle.iam.connectors.psft.usermgmt.integration.PSFTUMUserProvisi
  onManager
  PSProperties not loaded from file. Couldn't find file: pstools.properties
  <Dec 19, 2011 1:26:58 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
  =======================================>
  <Dec 19, 2011 1:26:58 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <oracle.iam.co
  nnectors.psft.usermgmt.integration.PSFTUMUserProxyProvisionManager : modifyUserR
  ole : Unable to Save user profile>
  <Dec 19, 2011 1:26:58 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
  =======================================
  >
  <Dec 19, 2011 1:26:58 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
  =======================================>
  <Dec 19, 2011 1:26:58 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <oracle.iam.co
  nnectors.psft.usermgmt.integration.PSFTUMUserProxyProvisionManager : errorHandle
  r : The value entered in the field does not match one of the allowable values.
  You can see the allowable values by pressing the Prompt button or hyperlink.>
  <Dec 19, 2011 1:26:58 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
  =======================================
  >
  <Dec 19, 2011 1:26:58 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
  =======================================>
  <Dec 19, 2011 1:26:58 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <oracle.iam.co
  nnectors.psft.usermgmt.integration.PSFTUMUserProxyProvisionManager : errorHandle
  r : An error occurred while changing the value of the field.>
  <Dec 19, 2011 1:26:58 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
  =======================================
  >
  <Dec 19, 2011 1:26:58 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
  =======================================>
  <Dec 19, 2011 1:26:58 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <oracle.iam.co
  nnectors.psft.usermgmt.integration.PSFTUMUserProxyProvisionManager : errorHandle
  r : The value entered in the field does not match one of the allowable values.
  You can see the allowable values by pressing the Prompt button or hyperlink.>
  <Dec 19, 2011 1:26:58 PM EST> <Error> <OIMCP.PSFTUM> <BEA-000000> <=============
  =======================================
  Any pointers would be appreciated.
  Regards,
  Ashok

  Hi All,
  Any pointer.
  Regards,
  Ashok

• Business Role changes not being provisioned

  Guys (and girls),
  We're having the issue that whenever we change something to a business role in IdM 7.1 SP5, like adding or removing a technical role (SAP role) the change isn't provisioned to the system authomatically resulting in users not being updated.
  The workarround now is to change a business role and then remove it from a user and add it to that user again. Works ok when you're dealing with only a few users but I'm not looking forward to the day our basic role needs updating.
  Same thing goes for changing users telephone number or SNC name or the likes.
  I'm not sure if the two issues are related but am I missing an assignment of a task somewhere?
  Cheers,
  Jonathan

  Jonathan,
  I think so, but a pretty simple one to fix.
  I would do one of two things:
  1. Put a MODIFY task on MXREF_MX_ROLE or whatever attribute you're holding roles in.  Have this task do a role reconcilation.
  2. As a part of the workflow, have a role reconciliation execute.
  On the whole, I prefer the second option.  Don't like adding baggage onto the MXREF attributes.  Just keeps things running more efficiently.
  By role reconciliation, I mean executing the functions/tasks needed to reassert the roles on the user.  I think there's a built in scripting function to do this or you can automate the add/remove functionality you described in your message, holding the role MSKEYs in a temporary attribute.
  Matt

• Use GRAC_USER_ACCES_WS to provision Business Role

  I have situation where I need to provision several hundred users across 90 business roles. I have been experimenting with FM GRAC_IDM_USR_ACCS_REQ_SERVICES (underlying FM for enterprice service GRAC_USER_ACCES_WS) to automate mass provisioning using GRC access requests. I figured out how to use the FM to provision technical roles to users but cannot get it to work for GRC Business Roles.
  If the service cannot provision business roles, that would imply that an IdM would also not be able to do so. We are currently looking at IdM (non-SAP) solutions. Now I wonder if the value of business roles we are building will be diminished if an IdM is used.
  Is it possible to provision business roles using the service and/or FM? If so, any details on the input values required would be much appreciated.

  Hi Harinam,
  Thanks for the details. I have already raised a OSS message to SAP.
  I have implemented SAP note 1930923 in GRC sandbox system and can see that the mail issue I am reporting was no longer appearing. But I have seen new one this time
  After note implementation: (Change Account Request Type with Business Role Assignment)
  Hi GRC User Demo 1 (Z_GRAC_USER1),
  The Request number : 592 , has been processed and the Request is Closed. The details are as follows:
  XX Business role assigned to Z_GRAC_USER1
  Kind regards,
  Access Control Administrator
  Before and After note implementation: (Change Account Request Type with Business Role removal)
  Hi GRC User Demo 1 (Z_GRAC_USER9),
  The Request number : 593 , has been processed and the Request is Closed. The details are as follows:
  YY Role removed from Z_GRAC_USER9 ( )
  Kind regards,
  Access Control Administrator
  Now the issue during role assignment is resolved, but during role removal mail notification says role has been removed from user and ends with empty brackets ().
  For single roles in this brackets it usually fills the system name. May be for business roles since there will not be any specific system it is coming empty, but I think SAP should fix this.
  Let me know if you are also facing the same
  Since you confirmed that you are using business roles, let me know any critical issues which you came across as part of SP13 as we are also on SP13 and could be helpful.
  Thanks once again for taking your time in replying for my issue.
  Regards,
  Sai.

• Issue regarding Business Role assignment

  Hi All,
  1.
  I have a user Agent1 which is assigned to position POS_IC_AGENT in my org structure.
  In the infotype Business Role I have assigned IC_AGENT (standard) business role.
  IC_AGENT has PFCG role SAP_CRM_UIU_IC_AGENT assigned to it.
  But, when I run the application (for my user Agent1), only telephony buttons are visible on top, navigation bar and work area is empty (nothing is visible there)
  2.
  Now, when I open my user Agent1 in SU01 and assign PFCG role SAP_CRM_UIU_IC_AGENT.
  Now when I run the application everything is visible (telephony, navigation bar and workarea).
  Why is it not visible in first case?
  I think it should work without assigning Role in SU01.. I mean it should have taken settings from Org. structure
  Regards,
  Ashish

  Hi Ashish,
  As far as work center page context is concerned , its decided by the navigation bar profile and business role customizations ( we add work center home and several related stuff etc in navigation bar profile and make them activate/deactivate, visible/invisible through business role customizing ) .
  PFCG role has nothing to do with what you see on the Work Center...it decides whether you can see or not..meaning whether you have authorization for disply of a business object and its related subobjects.
  PFCG role basically determines the authorization objects that will be grated to the particular business role ( to which this PFCG role is linked ) PFCG is about CREATE/CHANGE/DELETE authorizations.
  In first case, its business role linked authorizations. You dont see the work centers may be because USER has not granted the DISPLAY authorization for the business Object related to BP( i.e Account ) , or BO related to account search (BUPASEARCH ) as the IC agent home basically has Account identification home , or account search home...which overrides the PFCG authorizations attached to the business role.
  Remember, individual object authorizations set for a user using transaction PFCG will have more priority over the Business role linked authorizations as 1 business role can be assigned to many users however if one user is not grated to see BP related data, this will still remain enforced even though the business Role PFCG is granting him to see...There is a difference between user specific authorizations and Business Role specific authorization...
  In second case,its user linked Authorizations. When you add the PFCG role in SU01, this is being the User Specific Authorizations which will always have the priority and thus granting the display.
  This is my basic understanding. I am 100% sure that PFCG role only controls the DISPLAY/CREATE/CHANGE related authorizations and lots more in context of authorizations. However what to include & show is decided by Navigation Profile and Business Role customizations.
  If everything is intact in navigation bar profile and business role customizations, and still you dont see anything on the work center, then i am 100% sure that its related to User Authorizations
  Refer pg 56 in CR580, it will clear your doubt.
  Thanks & regards,
  Suchita

• Assigning Business Roles - No such task exists

  I am trying to create a user ID and assign a Business Role in the process.  The attribute that I am using is MXREF_MX_ROLE.  It is defined as a multivalue system attribute with a data type of entry reference and the reference type in MX_ROLE.
  From my workflow task, I can select the role from the selection window but when I click OK to save to the identity store, I get an error "You have tampered with the params".  From the Monitor UI, I see the message "Failed setting value for attribute Member of Role.  No such task exists"
  I have a Modify User task that uses the same attribute.  When I attempt to use it, I get the "Failed setting value for attribute Member of Role.  No such task exists".  But I do not get the "you have tampered with the params" message.
  I am only trying to set this in the identity store right now.  I am not yet ready to provision to my ABAP system.
  Any assistance is appreciated.

  Hi Lori,
  in case you have linked privileges to your role, SAP NW IdM searches for tasks in the related repository (as stated in the attribute MX_REPOSITORYNAME of your privileges). Type in the ID of some test tasks in the repository constants MX_DEPROVISIONTASK, MX_PROVISIONTASK and MX_MODIFYTASK and see if it works.
  Otherwise, there could be a missing relation the other way round from the role to the user. See if there is a MXMEMBER_MX_PERSON attribute in your role.
  Best regards,
  Nils

• Getting error in IC agent business role while loading components.

  The user has been allowed and access to all business role.user are using all business roles but when user click on the IC agent business role the following error arise.
  Cannot display view CRMCMP_BPIDENT/BuPaMultipleLayoutVS of UI Component CRMCMP_BPIDENT
  An exception has occurredException Class CX_CRM_GENIL_GENERAL_ERROR - Component set CRMIC_DEFAULT cannot be loaded with BP_APPL+EMPTY+IC_ACCT_ID since multiple object definitions exist for component SO2
  Method: CL_CRM_GENIL_INTERNAL_MODEL=>LOAD_COMPONENT_SET
  Source Text Row: 124
  Initialization of view CRMCMP_BPIDENT/BuPaMultipleLayoutVS of UI Component CRMCMP_BPIDENT failed
  An exception has occurredException Class CX_BSP_WD_RUNTIME_ERROR - View BPConfirmedPartners.MainWindow in component CRMCMP_BPIDENT could not be bound
  Method: CL_BSP_WD_VIEW_CONTROLLER=>BIND_VIEW
  Source Text Row: 165
  Cannot display view CRMCMP_BPIDENT/BuPaMainVS of UI Component CRMCMP_BPIDENT
  An exception has occurredException Class CX_BSP_WD_RUNTIME_ERROR - View BPConfirmedPartners.MainWindow in component CRMCMP_BPIDENT could not be bound
  Method: CL_BSP_WD_VIEW_CONTROLLER=>BIND_VIEW
  Source Text Row: 165
  Initialization of view CRMCMP_BPIDENT/BuPaMainVS of UI Component CRMCMP_BPIDENT failed
  An exception has occurredException Class CX_BSP_WD_RUNTIME_ERROR - View CRMCMP_BPIDENT/BuPaMultipleLayoutVS in component CRMCMP_BPIDENT could not be bound
  Method: CL_BSP_WD_VIEW_CONTROLLER=>BIND_VIEW
  Source Text Row: 165
  Cannot display view MainWindow of UI Component CRMCMP_BPIDENT
  An exception has occurredException Class CX_BSP_WD_RUNTIME_ERROR - View CRMCMP_BPIDENT/BuPaMultipleLayoutVS in component CRMCMP_BPIDENT could not be bound
  Method: CL_BSP_WD_VIEW_CONTROLLER=>BIND_VIEW
  Source Text Row: 165
  Initialization of view MainWindow of UI Component CRMCMP_BPIDENT failed
  An exception has occurredException Class CX_BSP_WD_RUNTIME_ERROR - View CRMCMP_BPIDENT/BuPaMainVS in component CRMCMP_BPIDENT could not be bound
  Method: CL_BSP_WD_VIEW_CONTROLLER=>BIND_VIEW
  Source Text Row: 165
  Cannot display view CRM_UI_FRAME/WorkAreaViewSet of UI Component CRM_UI_FRAME
  An exception has occurredException Class CX_BSP_WD_RUNTIME_ERROR - View BPIDENT.MainWindow in component CRM_UI_FRAME could not be bound
  Method: CL_BSP_WD_VIEW_CONTROLLER=>BIND_VIEW
  Source Text Row: 165
  Initialization of view CRM_UI_FRAME/WorkAreaViewSet of UI Component CRM_UI_FRAME failed
  An exception has occurredException Class CX_BSP_WD_RUNTIME_ERROR - View BSPWD_BASICS/WorkAreaHostViewSet in component CRM_UI_FRAME could not be bound
  Method: CL_BSP_WD_VIEW_CONTROLLER=>BIND_VIEW
  Source Text Row: 165
  Cannot display view CRM_UI_FRAME/MainWindow of UI Component CRM_UI_FRAME
  An exception has occurredException Class CX_BSP_WD_RUNTIME_ERROR - View BSPWD_BASICS/WorkAreaHostViewSet in component CRM_UI_FRAME could not be bound
  Method: CL_BSP_WD_VIEW_CONTROLLER=>BIND_VIEW
  Source Text Row: 165
  Initialization of view CRM_UI_FRAME/MainWindow of UI Component CRM_UI_FRAME failed
  An exception has occurredException Class CX_BSP_WD_RUNTIME_ERROR - View CRM_UI_FRAME/WorkAreaViewSet in component CRM_UI_FRAME could not be bound
  Method: CL_BSP_WD_VIEW_CONTROLLER=>BIND_VIEW
  Source Text Row: 165
  Cannot display view Root.htm of UI Component CRM_UI_FRAME
  An exception has occurredException Class CX_BSP_WD_RUNTIME_ERROR - View CRM_UI_FRAME/WorkAreaViewSet in component CRM_UI_FRAME could not be bound
  Method: CL_BSP_WD_VIEW_CONTROLLER=>BIND_VIEW
  Source Text Row: 165
  An error occurred during initialization of the application
  An exception has occurredException Class CX_BSP_WD_RUNTIME_ERROR - View CRM_UI_FRAME/MainWindow in component CRM_UI_FRAME could not be bound
  Method: CL_BSP_WD_VIEW_CONTROLLER=>BIND_VIEW
  Source Text Row: 165
  I could not able to diagnose the error from where it is coming and I goggled lot but did not find anything about the above cited issue .
  if any of you can help me to solve this soon it will be highly appreciated .

  Hi,
  I am not sure if this appies here. You might check
  SPRO->CRM->crm cross-application components->
    Generic interaction Layer/Object Layer ->
       component-specific settings->
         define simple objects
  For these objects 2 rules apply:
  1. 'search object name' can only be used once.
  2. 'search object name' should not have the same name as any 'object
  name'.
  Do you have any entries, which break these rules?
  If it is related to component enhancement, note 1122248 might help.
  Best Regards,
  Sigrid

• Mapping between ICProfiles in CRM 5.0 VS Business role in CRM 7.0

  We're upgrading CRM Webclient UI from CRM 5.0 to CRM 7.0. As per Upgrade Master Guide, there is listing of Migration activities. We're working on Migration Activities for IC Profiles in CRM 5.0 to Business Role in CRM 7.0.
  Please advise us how to do mapping to set up Business Profiles on the basis of IC Profiles in CRM 5.0
  Thanks,
  Saeed

  This issue has been resolved. MAy be closed.
  This is manual mapping process

• Copied SALESPRO business role in CRMC_UI_PROFILE, but odd results show.

  I have created an new role (Z_SALESPRO) using transaction CRMC_UI_PROFILE. The copied role had all objects copied and I can see that it has the Nav Bar profile of 'SLS-PRO', which is the same as the role 'SALESPRO', being the one that I copied from.
  When I log in using the WebUI I can choose the new Z role, but it does not display the 'Create' section in the Nav Bar. This is section that displays next to the 'Recent Items' section of the Nav Bar and has option like 'Appointment, Interaction log, task,E-mail. contact, Lead,Opportunity and Quotation' shown within the boxed area.
  If I use the SALESPRO role when logging into the WebUI I do get to see the 'Create' section, and yet the role and Nav Bar settings are IDENTICAL.
  Could this be some kind of authorisation issue, or is this problem down to something else?.
  Jason

  1. go to crm>ui framework>business role>efine business role
  2. select your Z business role
  3 in the left panel choose option "Adjust direct link groups"
  4. check if they are marked as visible (sometimes when coping business roles, this isnot copied)
  5. next select direct link group and click in left panel on sub node "Adjust direct links"
  6. check also for this level if they are marked as visible
  reagrds.

• Copied Business Role in Solution Manager ITSM

  Hi All
  This is eunhwa.
  I have a question regarindg copied business role in Solution Manager ITSM.
  To copy business role, I copied technical roles Navigation profile, configuration key and PFCT Role ID. And then I copied
  a business Role. And assign copied technical roles to copied business role.
  And I changed Direct link group UI. For example, in copied business role ZSOLMANPRO, There were many
  direct links, I only left ‘incident’ and ‘problem.
  However when I selected incident’ in direct link, there was no transaction ‘zmin’ assign. I couldn’t create a incident.
  Why this error happened? Is there anything which I miss?
  Thanks.
  Best Regards,
  Eunhwa Park

  Hi,
  Well, there are multiple things you can check.
  1. If you are using IE
  You have to add the page/pop-up to the compatibility mode of your Browser.
  IE -> EXTRAS -> Settings for Compatibility Mode -> Add -> Refresh the CRM WEB UI
  2. Check if you had assign SM-CREATE in the ZSOLMANPRO Navigation profile. (In Assigning the direct link groups to Nav. Bar profile.
  3. Check whether you had authorizations for ZMIN in PFCG profile.
  4. Additionally check
  1905448 - How to restrict the suggested transaction codes when creating an ITSM
  Incident using CRM Web UI - Solution Manager
  5. In define transaction types corresponding transaction types are active. (In SPRO under solman ->Capabilities->ITSM-> Transactions)
  6. Check the copy control whether they are fine. (In SPRO under solman ->Capabilities->ITSM-> Transactions)
  7. Ensure that the transaction type's channel definition in customizing is set to 'CRM Web-Client UI'
  If your issue is still not resolved yet, please paste the error/screen you are getting.
  Regards
  Rishav

• Business roles in GRC  AC

  Hello,
  Is it possible in SAP GRC AC to create so-called business roles like in SAP IdM. This roles are not assigned to any backend system but derive backend system roles. The aim is to create set of roles that consist of roles in different backend systems.
  As I understand role mapping can't fully implement this functionality, because main role is assigned to backend system.
  Thanks,
  Yakov
  Edited by: Yakov Silin on Feb 24, 2010 7:00 AM

  Hi Yakhov,
  I was wondering if this is your dilemma.  We want to use this role mapping feature for the purposes of adding an Enterprise Portal role for every ABAP role that gets approved for the user in an ABAP component system (i.e. ECC, BW, CRM etc). We will have a 1:1 mapping of Enterprise Portal role to ABAP role defined in the role mapping section in GRC.
  - We want to set up the workflow in such a way that the main role (ABAP role) is the only role that needs to be approved. The dependent role (Enterprise Portal role) should be added or not added based on the approval or denial of the main role (ABAP role). In other words if the role owner for the abap role approves the abap role, then both the abap and EP role will be provisioned by GRC and if the role owner rejects/denies the role, then neither the abap or EP role will be provisioned by GRC.
  Is this similar to the challenge you ar facing?

• SAP Technical roles and IDM Business roles mapping

  Hi Guys
  Just wondering if there is an easy way to export SAP Positions and create them automatically as Business Roles in IDM and the SAP technical roles that are related to that corresponding position into privledges assigned to that Business Role. Or am I going about this the wrong way? What do you normally do in terms of getting all your sap technical roles from the sap system and assigning them to business roles in IDM. Any help on this is much appreciated?
  Cheers
  Leo

  Thanks Matt,
  I think get I the picture now
  One thing that I am still not sure about is how the sap abap technical roles or profiles are provisioned through workflow
  Here is what Ive done so far
  1. HCM data loaded into productive identity store via vds
  2. Did an initial load of the abap system into the productive identity store (now the technical roles and profiles are loaded as privileges in the idstore)
  3. Through workflow I select a user that already has an abap account and assign that user some additional sap technical roles, for e.g. sap_all and sap_new. The corresponding privileges for these roles are namely PRIV:PROFILE:ECX:SAP_ALL and PRIV:PROFILE:ECX:SAP_NEW .
  4. For the provisioning to occur so that these new privileges are reflected in the ABAP system for this user, I have used the setABAPRole&ProfileForUser task from sap provisioning framework folder and set it as the add/mod/del  event task for the MXREF_MX_PRIVILEGE attribute. That way whenever a privilege is added to a user account the setABAPRole&ProfileForUser task will run and the sap_all and sap_new profiles will be added in the backend. This way I can avoid setting a provisioning task for each abap privilege that gets loaded.
  But it should be obvious now that there is a flaw with this kind of setup, because all non abap privileges that get added or removed will trigger the setABAPRole&ProfileForUser task anyway because the privileges use the same attribute i.e.MXREF_MX_PRIVILEGE. So it brings me to the question how do you provision abap technical roles or profiles through workflow without setting a provisioning task for each abap related privilege.
  Thanks again for all your help!
  Leo

• GRC 10 - Business role, no role owner but associated role have owner....

  Dear All,
  In GRC 5.3 we perform the following mapping:
  Business Role A mapped with (no owner)
  - Technical Role 1 (from ECC with Owner1)
  - Technical Role 2 (from CRM with Owner2)
  - Technical Role 3 (from HR with Ownwer3)
  IN GRC 5.3 we have a business role mapped with multiple child role(techinical role) from other system.
  GRC 5.3 request is able to close and provisioned as it can see owners from child role.
  Now in GRC 10, we did the same. Create a business role, then mapped the child role (technical role). Unfortunately, when manager approves the workflow reroute to "NO OWNER DETOUR PATH" because it cannot see the technical role owner.
  Seems like GRC 10 is only looking at business role owner. We are unable to add Owner1, Owner2, Owner3 to the business role because when one of the owner approves, it will provision all the technical roles. We might have owners who will reject their role.
  Please advice.
  Jacky

  Hi Mustafa,
  you can use end user personalization to avoid a role owner to approve roles for himself. Define a dedicated EUP for role owner stage and restrict via "Approve/Reject Own Requests" like shown below:
  Does this answer your question?
  Regards,
  Alessandro

• Transaction launcher not working for custom business role

  Hi Experts,
  I am facing a very weird problem where the transaction laucher define for BOR transaction is working for one business role(Z business role Customized one) but its not working for other business role (Z business role).
  to emphasize further we have the code:-
  case ls_attributes-object_type.
      when lc_z23 or lc_z25.
        lv_logical_link = lc_ZITISU.
      when lc_BUS2000115.
        lv_logical_link = lc_ZITERP1.
      when others.
        lv_logical_link = lc_ZITERP2.
    endcase.
    l_if_navigation = cl_crm_ui_navigation_service=>get_instance( me ).
    IF l_if_navigation IS BOUND .
  Navigate to transaction launcher using link id
      l_if_navigation->navigate( iv_link_id = lv_logical_link ).
    ENDIF.
  in this the logical link is is lc_ZITISU whenever this BSP application is called from both the business roles but in  one the window opens up for BOR transaction whereas when we login again using different business role the code is the same as given above. I mean the sam logical link id is used and navigated to but window is not opening for transaction launcher as it happens for the previous business role.
  Request your help to resolve this issue.
  Thanks,
  Rajwin

  Hi,
  I tried by applying the PFCG role id of business role which was working to the business role id of the one for which it wasn't working and then try testing whether the transaction launcher is triggering. But the transaction launcher screen is still not opening even after doing this.
  Probably there's something else too which is causing the problem. Request your inputs on this,
  Thanks,
  Rajwin

• Business roles for diffrent org positions

  Hi guys,
  I have an issue:
  I have an organization model:
  Org ABC-> Org A-> channel manager
                -> Org B-> partner manager
  I assigned channel manager role to channal manager in org A but when i assign partner manager role in org B , it overwrites the channel manager role for org A also. In short the organization model is taking only one business role. What could be the issue?
  I have assigned the required PFCG roles to both the business roles.
  Plz help!!
  Regards
  Shikha

  HI Shikha,
  i hope you are assigning the Role to the Position cretaed in your org model.
  That is by navigating thru
  GO TO-DETAIL OBJECT-ENHANCED DETIAL DESCRIPTION-By creating new infotype for Business Role
  here one can assign the Business Role with the position.
  In case you are not assigning by above mentioned way. Try to do so. Hope this will help.
  Vijayata