CUP 5.3: Automated Provisioning for UME Roles

Hi,
Does CUP 5.3 provide automated provisioning for UME roles or just for R/3 roles?
Thanks in advance. Best regards,
   Imanol

In order to use UME provisioning though, the WebAS must have Portal components installed (not necessarily used). The Portal RTA uses the Portal's SPML interface that is installed with portal components.
And please make sure to check the PAM - I think the Portal RTA only works for 7.00, if I'm not mistaken!
Frank.

Similar Messages

  • Error Provisioning the Federated roles from CUP to enterprise portal

    Hi Gurus,
    Need help. I am trying to provision the roles to enterprise portal using GRC CUP. I have created the connectors and field mapping and the connection is successful. We have an enterprise portal with a producer-consumer relationship. The Enterprise portal acts as consumer for the BI portal. The BI portal roles are federated to Enterprise portal and I get an error "noSuchIdentifier" when I try to provision the federated BI Portal role on the Enterprise portal. I can successfully provision the local portal roles and UME roles on the enterprise portal. I get the error only when trying to provision the roles which are from BI portal.
    Appreciate any help in this regard.
    Thanks,
    Pavan

    Hi Alma,
    This is one of the security issues. We had faced it some time back. We searched some CSNs and found a solution.
    Go to Service Marketplace and download the latest Cryptographic Toolkit (Service Marketplace ----> software downloads).
    You will get a sca/sda something like tc/iaik./security (something like this).
    Deploy this on to your instance using your SDM.
    After that, restart the Portal patching. It will go fine.
    reward points if helpful................

  • GRC AC 10 CUP : Provisioning of Approved roles (Line Item)

    Hello Gurus,
    We have configured CUP in GRC AC 10, and mapped a workflow for the same.
    Now when a user requests new roles, e.g. 3 roles:
    Role 1, Role 2, Role 3, each role has a different role owner.
    When the request goes to the role owners for approval and 1 of the 3 role owners rejects the request, the whole request gets rejected.
    Is it possible to have functionality where roles which are approved will go ahead and get "Provisioned" and the whole request won't completely get rejected ??
    Looking forward for your inputs !!
    Thanks in advance.
    Regards,
    Victor

    Hello Victor,
    I guess you can work with the approval/ rejection level (stage 5 in the WF configuration).
    Have a look at here: http://forums.sdn.sap.com/thread.jspa?threadID=1637574
    Cheers,
    Diego.

  • E-Commerce for ERP role mapping to UME

    Experts,
    We have successfully configured the ECO module to use the UME in addition to SU01.  We are able to create users in both systems in ISAUSERADMIN.  However, the newly created users in UME have no roles assigned to them.  We found one SAP Note that seems to be relevant (891151, https://service.sap.com/sap/support/notes/891151).  Unfortunately, it is very vague on how to set up the user mapping.  We have tried several permutations of the role assignments to no avail.
    Has anyone done this before, and if so could you provide some examples?

    We discovered the problem.  We were updating the right file for the wrong application.  The file ume-config.xml needs to be updated from the application crm~isauseradm.  Once we discovered this, the UME role mapping worked.  We are now able to assign UME roles to a new user when they are created or updated in ISAUSERADMIN.
    - Andrew

  • OIM 11g-configure SoD so that it works for direct provisioning of the roles

    Dear All,
    page 23-3 of Developer's Guide (OIM 11g) provides information regarding configuration of the SoD for Direct provisioning of the resources. How to configure SoD so that it works for direct provisioning of the roles?
    Thank you for your time
    Maria

    Rajiv,
    I did not find the documentation regarding this. But I hoped I will.
    In my project we assign roles directly, not resources.
    I suspect the integration with Role Manager is required in this case. SoD module in OIA should be used then.
    Maria

  • UME Roles for PDF Actions

    Hello All,
    Can you please let me know which UME roles I need to add in NWA to enable PDF actions in MII workbench for my user. E.g. I want to use the Generate Documentation feature, and even after following SAP note 1325997 it's still disabled.
    Thanks,
    Kiran

    Hi Jeremy,
    Thanks for your help in answering our questions. I tried adding the PDF actions XMII_PDF* to one of our roles assigned to the user and still the Generate Documentation icon is disabled. I followed the steps provided in 1325997
    Solution
    1. Download and unzip the attached pdfactions.zip file to your local machine.
    2. Obtain version 1.4.5. of the third-party iText.jar and iTextAsian.jar, from http://www.lowagie.com/iText/download.html and save to your local machine.
    3. Rename the files iText.jar and iTextAsian.jar making sure to match the noted case.
    4. Open a browser window and navigate to the SAP xMII Administration Menu at http://<server>:<port>/XMII/Menu.jsp.
    5. On the SAP xMII Administration Menu, choose System Management -> Custom Actions. The Custom Actions screen appears.
    6. To upload the .jar files to SAP xMII, click Upload. PDFActions.jar is the assembly .jar file, and iText.jar and/or iTextAsian.jar are the dependency .jar files.
    I also restarted my server to make sure the changes will be activated but so far I have been unable to make it work.
    Thanks,
    Kiran

  • CUP Issue: Unable to see the expired roles

    Hi All,
    I am experiencing a problem which is explained below:
    A ticket was raised in CUP for deleting role(s) in the backend system which are expired. When I accessed this ticket to do the needful, I was surprised to see that the expired roles are not visible to me!
    However, I checked with another user and that user can successfully view those expired roles for the user mentioned in the request.
    Can anybody give me a tip of how to analyze and solve this?
    NOTE: My user id in CUP is having all the authorizations of administrator.  I also have access to SU01 tcode in the backend system.
    Please help.
    Regards,
    Faisal

    Hi Diego,
    Thanks for your reply.
    I copied the user who can view the expired roles in CUP to a new user via UME and checked. Still the same problem.  Basically these users are maintained in LDAP and when I copy the correct existing user to a new user, it is automatically getting created in UME. I am quite suspicious about this.
    As for the error in AE_UME, yes I have uploaded the latest copy of this after the SP upgrade. I have not seen any error while uploading it. If it has any errors, then the user who can view expired roles should also have the same problem.
    Please suggest.
    Regards,
    Faisal

  • GRC AE User provisioning for Portal giving error

    Hi,
    We are having GRC AC 5.3- SP9.
    While doing user provisioning for Portal, we are getting the following error:  DBCacheVerifier.java@58:isExpired(). Detailed error log is attached herewith. The back end system (EP Dev) is installed with GRC RTA. Connectors are testing OK. The CPIC user id in backend system EPDev is ED1GRC and has SUPER ADMIN Authorizations, with SPML read/write actions attached to the Role. EP Dev system is having UME as data source, not LDAP. The issue was existing even before the SP9 upgrade. We have restarted the Server several times lately. Pls help me in this.
    Thanks & Regards,
    Jagadish H S
    BASIS Team, BPCL, Mumbai.

    Jagadish,
    This type of error would normally be a data setup issue. Have you imported all of the initial data files (XML ones)?
    Otherwise, if it is just a cache issue, then restarting the server would normally solve the problem. I would also check the Java Netweaver Admin console to ensure that the memory settings are sufficiently configured to match the hardware that is deployed.
    Simon

  • How to have separate template for each role in OIM

    Hi,
    We have multiple roles on a multiple AS400 boxes. In OIM we need a separate template for each role that has to be popped up during provisioning. How do we achieve this in OIM?
    Pls help me with the solution.
    Edited by: user8963056 on May 23, 2010 7:47 PM
    Edited by: user8963056 on May 24, 2010 9:47 AM

    Thanks for the reply
    For the second question: we need these forms to have different information on the basis of role.
    the AS/400 guys wants the below steps to be done on OIM side
    They want to make sure below plan works with OIM plan.
    1. Per System, create templates per role.
    2. Update the AS400 User Request form to include a section for each system. Add templates for each role to each system's section.
    3. Provide ITSA with a menu option to create profiles by selecting the template they wish to copy.
    4. Create backend programs to automate additional 400 tasks required per role.
       a. Create directory entry
       b. Add to Privilege Manager
       c. Add to Menu System
       d. Add to third party software
       e. Other as required.
    If we automate the above on the 400, in OIM , we would need to create the same templates.

  • Health Report for existing role in support and upgrade documentation

    Hi Experts,
    I am looking to create a report or use an existing report/FM (if any) which will show new objects being thrown for a role with their SAP suggested values when we use the PFCG expert mode merge option. I think this will be very helpful for support persons to health check roles, and during upgrade in step 2C documentation people can save a hell of a lot of time. I do not have ABAP knowledge. Can anyone help me on this?
    Regards,
    Arpan Paik

    Hi Julius,
    I have been to that wiki before and one by you as well (regarding upgrade steps). For current upgrade I have also noticed that SU25 step2B is not only left with customer related changes only. Where USOBT_C/USOBX_C has same values as of USOBT/USOBX there update to customer table automatically happened in step2A. So 2B left with very less changes where customer prefer the standard way!!!
    What I am looking for is the actual authorization change delta. Step2C gives us only the list of roles that get affected. I am looking for what change actually can happen to a single piece of role due to upgrade.
    I have followed below method.
    1. Join table USOBT_CD and USOBT_C to see actual proposal for changed transaction and corresponding auth object. Here I had to perform some Excel work to remove data repetition
    2. Then take old data for roles from AGR_1251
    3. Put together above 2 data and after proper sorting by object manually remove the data which SAP does by expert mode merge function.
    Can this step be automated by some ABAP code? or function module?
    Otto wrote :
    If I start/ when I start and still remember this thread, I will update it
    Please do so and thanks for sharing thoughts.
    Regards,
    Arpan Paik

  • UME Role and Action

    I am developing a recursive tree in a Web Dynpro App. My tree has some nodes and subnodes. Under the subnodes I have documents. Depending on the permission of the users it should be decided what the user can do with the documents, for example, create, update, delete and so on. I need to check the authorization of users. I want to follow the concept like the Web Dynpro tutorial RentCar APP with Actions and Permissions. If a user logs on, I can get his UME role and group. My question is whether it is possible to list the permissions behind one specific role, which is assigned to the user or a group.
    In short I want to list the permissions and not only check if the user has it or not.
    Please help me.
    Regards
    Hairong Zhao

    Hi Sudhir,
    thank you very much for your quick answer. But it can't really resolve our problem. If we only use the hasPermission() method to check if the user has the right, the effort to check the user in our case is too great.
    I will try to describe our problem exactly. In our case, it is possible that a thousand documents can be attached to a node. We can't create a permission for every document. We create a role for every node, but for documents we haven't a role.  If we don't use the concept with Actions and Permissions, how can we check the permission of the users? Have you another idea?
    Regards,
    Hairong Zhao

  • Different approvers for 2 roles of the same name in 2 different systems

    Hi experts,
    in our SAP landscape we have roles of the same name in different systems. I couldn't find any possibility to select different approvers for these two roles in GRC 5.3 SP08.
    For example role XYZ exists in system P1 and P2. In P1 I want to select only person A as role approver, in system P2 only person B.
    Is there any chance to select an approver for a combination role and system?
    Thanks,
    Manuel

    Hi Manuel,
    Yes. You can create a custom approver determinator. Go to CUP>>Configuration>>Workflow>>Custom approver determinators. Choose create new.
    CAD type: Attribute
    Workflow type: Access Enforcer
    Select your attributes and save.
    Go back. Select your new approver determinator in change mode.
    Click on the Approve button.
    Create logic between the attributes and approvers.
    Modify your role approval stage. Select your new custom approver determinator.
    Regards,
    Vit

  • LDAP as data source for UME

    Trying to use a SSL enabled LDAP (Sun) for data source for UME.  It seems that I can't use SSL directly from GRC CUP 5.3. Followed the instructions in saphelp, but when I test the connection, it gives me "Connection test with user path failed". The following is the connection data in UME Config:
    Server Name:  10.56.17.20
    Server Port:     62636
    User:                cn=GMACApp_001,ou=Applications,dc=gm,dc=com
    Password:       <correct one entered>
    User path:        ou=People,dc=gm.dc=com
    Group path:      ou-Groups,dc=gm,dc=com
    Use SSL for LDAP Access is checked
    Use Unique Attribute is not checked
    I can connect to the LDAP using the same credentials with Softerra browser....Any ideas?

    Opened a message with SAP....the response was less than helpful..."we don't support SSL". When I pushed them with the responses I received from the forum, the reply was "we have never done this".  There must be a way.  I can't be the only person on the planet that has to connect to a corp LDAP with a secure port!! I have tried the trick of connecting a LDAP as a data source for UME, but with limited success.  Seems when the LDAP + db is enabled, the UME URL is not available (error 503). So that's not working so well either. 
    Any help will be appreciated.

  • Provision for Approval process

    Dear Experts,
    I have a requirement "To be able to provision for Approval process by Finance, when role of business partner upgraded from prospect to customer"
    I guess this is done through the Workflow concept, but I don't have an idea in detail.
    Looking forward for reply
    Regards
    Manu

    About your questions...
    1. According to my knowledge there is no such standard functionality. But I implemented something similar in our company in the following way:
    - prospect is created in CRM
    - when prospect needs to be transformed to customer, salesman issues task with filled questionnaire
    - finance department receives this task and if it agrees transforms prospect to customer in ERP with VA07
    2. If you mean that only certain data should be maintained by certain companies, then only via coding this could be achieved.
    3. If you mean that in relationship you define, to which organization contact person belongs, then I'm not sure. Never tried it. For employees I know it is possible so probably it could be done also for contact persons.
    4. You can store documents. But if you want to have special access to these documents, then this would not be the case.
    5. Yes. You can use account hierarchies for that.
    Regards.

  • UME Roles/Groups problem

    I have installed an ABAP +J2EE instance with the view of using it for Adobe Document Services.
    While following the Adobe Document Services configuration guide, Step 3.2.1.1:
    I'm creating a role in the ABAP engine, creating a user (ADSUser); creating and assigning the role (ADSCallers) to it.
    When I start visual admin, I expect the user to be shown under the 'group': ADSCallers.
    While I can see the user in visual admin, I'm unable to see the group (role in ABAP instance)
    I'm on SP19 NW2004. Any views???

    There is a delay before roles show up as groups on the Java side. The delay runs about 30 minutes. See http://help.sap.com/saphelp_nw04s/helpdata/en/45/af3ac012d32e78e10000000a155369/frameset.htm
    -Michael
