CUP assignment - Role Validity

Hi,
I have a question about role validity periods in CUP when the request gets approved. Currently the valid-from period is selected based on the request creation date and the end date is always set to 12/31/9999. Is there any way the 'from date' can be set to the date the request gets its final approval without asking the approvers to change the dates, as the request can have multiple approvers?
Request approval is set at role level and auto provisioning is in place.
Thank you.
R R

Srinivasan, Frank
Thanks for the replies. A custom program looks at these periods and sends emails, among other actions, to users with role information. This program cannot send emails if the validity period is beyond certain days.
Can this FM /VIRSA/ROLE_ASSIGN_CUA be customized to accomplish this?
As an option, we can ask approvers to change the from date to the current day.
Thanks
R R

Similar Messages

  • Issue while changing validity date for assigned roles: SAP IDM 7.2 SP8

    Hello Experts
    I assigned the Task on repository for validity modification for Roles as in below screenshot:
    When I modify the role validity, the task defined for validity modification doesn't get triggered and IDM executes the tasks defined as Modify Task and fails with the errors below:
    1. Could not obtain repository name from Pending object.
    2. Error ! Audit id , Variable doesnt exist in MXPT_GET_ENTRYTYPE.
    I tried checking the provisioning audit logs but couldn't find any Audit ID created for validity modification, and I guess due to this the tasks are getting cancelled.
    Why doesn't the task defined in Modify Validity tasks get triggered when I modify the role assignment validity?
    Am I doing anything wrong with the SAP standard way of working?
    Regards
    Deepak Gupta

    Hi Deepak/Chris,
    We are also facing a similar issue in our project where modifying the validity of the role does not trigger any task. We then changed the Modify attribute (in the task tab) on the privileges to "inhereted".
    The modify task is now triggered and completes successfully. However, no changes occur in the backend.
    We need to understand where we maintain the setting that defines which attributes (if changed) will trigger an event task in the provisioning framework. The "check attributes modification" task within the provisioning framework executes the query below:
    select COUNT(VarName) from mxpv_audit_variables where AuditID=%AUDITID% and VarValue='%MSKEY%' and VarName='MARK_EXEC_MODIFY_ATTR%MSKEY%'
    The query gives the result as "False" in case we only modify the validity of the role assigned to user. Thus no event tasks are executed for the same.
    Can anyone please share where do we define the attributes for this query to give "True" as result for role validity modification.
    regards,
    Nits

  • One CUP request for assigning role to multiple users

    Hi,
    We assign roles to users in production only through CUP requests. We use GRC 5.3.
    Here we have a case where we need to assign one role to 60 users in production (each user may have different roles assigned in the back end). I can raise one CUP request for all users using the "multi-user" option in Copy request. But when we want to run a risk analysis, it will not show risks at user level, as each user has different roles and may get different risks by adding the new role.
    Instead it will give risks, if any, for only the new role which we want to assign. Our manager is not accepting this, as it does not give a complete picture of risks for each user when we add the new role.
    Please suggest if there is any other way I can run a risk analysis for each user when I create a CUP request for multiple users.
    Or is the only solution to create 60 CUP requests? This would be too manual.
    Regards ,
    jaags

    Raghu,
    Thanks for the reply, you are right as per the audit. But suppose it is for 200 users; creating 200 CUP requests will be impractical, right?
    There should be some solution for this, because there will be many situations in practice where we have to assign roles to N number of users.
    Is this possible in GRC 10? Any idea?
    Regards,
    Jaags

  • Can we assign roles with validity

    Hi
    Can we assign the validity of roles assigned to users? I know we can set the validity of a user, but can we set the validity of a particular role assigned, and if yes, then how?
    Thanks
    Rajesh

    Hi
    You have two options. Either set the validity for the particular user ID in SU01 -> Logon data,
    which makes the user valid until the dates mentioned, through which all the roles assigned to that user won't work, as the user itself has the validity set.
    Secondly, for the role's validity: after creating the role and assigning it to the user, set the validity date by going to SU01 -> Roles. There are columns named Valid From and Valid To; there you can set the validity.
    Thx
    Shilpa

  • A question about users assigned roles extraction

    Dear all,
    I have a question about users assigned roles list extraction. I need the list of the users who have already been created along with their assigned roles. According to what I found on Google, there is a table named AGR_USERS which provides the roles assigned to each user. Yet, this table provides only the SAP ID of each user along with the assigned roles. What I need more is to have also the first name and second name of each user.
    So, do you know any table providing at least the following information:
    1) First name of each user
    2) Second name of each user
    3) SAP ID of each user
    4) All assigned roles to each user.
    NOTE: I really need to have first name and second name in separate columns
    Thanks in advance,
    Dariyoosh

    >
    Shekar.J wrote:
    > Agr_users for the user ID and role assignments
    > USR02 to check the validity of the User ID
    > and USER_ADDR for the first name and last name
    >
    > You can create a Table join of the above 3 tables to retrieve the data you require
    Thanks to you and others for your attention to my problem
    I don't know anything about ABAP programming, is there any transaction allowing to create this join? As it seems to me the column "UNAME" in the table "AGR_USERS" and the column "BNAME" in the table "USER_ADDR", both refer to the SAP ID of the user. As a result the condition of the join would be "WHERE (UNAME = BNAME)", is there  any transaction/programme allowing to create this join?
    Thanks in advance,
    Dariyoosh

  • Role Validity date

    Hi Guys,
    I have a role assigned to a user with a validity date (say 01/20/10 to 04/20/10). However after the expiry date the user is able to perform actions related to that role. I do have PFUD scheduled which runs every day. I understand that prgn_compress_time removes the expired roles but ideally the validity date should serve in restricting the access after the expired date.
    Please advise if something needs to be corrected in our system
    System SAP BW 3.5

    Hi Sindu,
    The automatic adjustments of roles validity can be done through running the report PFCG_TIME_DEPENDENCY.
    This report can be run on a daily basis in background.
    This compares the user master records for all roles and updates the authorizations for the user master records.
    You can run this report via SA38 if you want to use it on a daily basis or through SE38 if you wanna execute it once .
    For more details on this ,
    Goto Tcode PFCG
    click on Tab  "user"
    Next to user comparison button you will have the "i" information button. Click on it ...
    Hope it will be helpful,
    Cheers!
    Veena BJ
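
The table join suggested in the users/roles extraction thread, combined with the validity-date check from the thread above, as an added example (not code from any poster). It runs over exported table contents loaded into SQLite rather than against an SAP system; the rows are constructed, the status labels are hypothetical, and column names other than UNAME and BNAME do not appear on the page.

```python
import sqlite3

# Constructed sample rows. SAP DATS values are YYYYMMDD strings,
# so plain string comparison orders them correctly.
AGR_USERS = [  # (UNAME, AGR_NAME, FROM_DAT, TO_DAT)
    ("JDOE", "Z_FI_DISPLAY", "20100120", "20100420"),
    ("JDOE", "Z_MM_BUYER", "20100101", "99991231"),
    ("ASMITH", "Z_FI_DISPLAY", "20100601", "99991231"),
    ("GHOST", "Z_BASIS_ADMIN", "20090101", "99991231"),
]
USR02 = [  # (BNAME, GLTGV, GLTGB); "00000000" = no limit set
    ("JDOE", "00000000", "00000000"),
    ("ASMITH", "20100101", "20100331"),
]
USER_ADDR = [  # (BNAME, NAME_FIRST, NAME_LAST)
    ("JDOE", "John", "Doe"),
    ("ASMITH", "Anna", "Smith"),
]

JOIN = """
SELECT a.UNAME, d.NAME_FIRST, d.NAME_LAST, a.AGR_NAME,
       a.FROM_DAT, a.TO_DAT, u.BNAME, u.GLTGV, u.GLTGB
FROM AGR_USERS a
LEFT JOIN USR02 u     ON u.BNAME = a.UNAME
LEFT JOIN USER_ADDR d ON d.BNAME = a.UNAME
ORDER BY a.UNAME, a.AGR_NAME
"""

def load(conn):
    conn.execute("CREATE TABLE AGR_USERS (UNAME, AGR_NAME, FROM_DAT, TO_DAT)")
    conn.execute("CREATE TABLE USR02 (BNAME, GLTGV, GLTGB)")
    conn.execute("CREATE TABLE USER_ADDR (BNAME, NAME_FIRST, NAME_LAST)")
    conn.executemany("INSERT INTO AGR_USERS VALUES (?,?,?,?)", AGR_USERS)
    conn.executemany("INSERT INTO USR02 VALUES (?,?,?)", USR02)
    conn.executemany("INSERT INTO USER_ADDR VALUES (?,?,?)", USER_ADDR)

def status(today, from_dat, to_dat, bname, gltgv, gltgb):
    """Classify one assignment; labels are hypothetical, not SAP terms."""
    if bname is None:
        return "no_user_record"          # role row without a USR02 entry
    started = gltgv == "00000000" or gltgv <= today
    not_ended = gltgb == "00000000" or gltgb >= today
    if not (started and not_ended):
        return "user_not_valid"
    if to_dat < today:
        return "role_expired"            # candidate for user comparison
    if from_dat > today:
        return "role_not_yet_valid"
    return "active"

def access_review(today):
    """Return one dict per role assignment, names in separate columns."""
    conn = sqlite3.connect(":memory:")
    load(conn)
    report = []
    for uname, first, last, role, frm, to, bname, gv, gb in conn.execute(JOIN):
        report.append({"user": uname, "first": first, "last": last,
                       "role": role, "from": frm, "to": to,
                       "status": status(today, frm, to, bname, gv, gb)})
    conn.close()
    return report

if __name__ == "__main__":
    for row in access_review("20100501"):
        print(row)
```

The LEFT JOINs keep role rows whose user has no master or address record, so those assignments show up in the review instead of silently dropping out.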

  • Error in CUP assigning Firefighter id

    Dear All,
    I am receiving an error "Assign a valid flag I, U OR X".
    I was able to assign the firefighter before and now all of a sudden it's throwing me this error.
    I am on SAP GRC SP 12

    Hi Dylan,
    When this error occurred we were on VIRSANH 12 and VIRSAHR 10 in the backend. But we eventually upgraded the system to SP 13 because there were lots of issues in RAR.
    For your information, another interesting thing which happened was that initially, when we configured firefighter IDs on SP12, it worked fine for a few weeks. Then all of a sudden the IDs started giving errors, for which we have two SAP notes:
    1143955
    1319031
    I understand that these notes have to be applied from SP7 onwards for all support packs. But the reason why we are still scratching our heads is why this error did not occur in the first place.
    Also, another question: is it advisable to have the individual components on different support packs, e.g. RAR SP13, CUP SP12? SAP says it's not advisable.
    What's your opinion?

  • Assigning roles to Queries

    I have created a query which is a look alike of a similar query. I need to assign it the same roles as the original one.
    My questions:
    1. How do I see that to what roles the original queries are assigned?
    2. How do I assign the same roles to my query now?
    3. I have created the query and right now it is in Favorites folder. I want to know whether I need to remove it from there ?
    4. Also, I have not placed the query in a workbook. Is it mandatory to place it in a workbook before assigning it the concerned roles ? If yes, then how do I place it in a workbook ?
    Please guide me stepwise. I will be very thankful to you all.
    Sufficient points will be assigned.
    Regards,
    Srinivas

    Dear Srinivas D Rao  ,
    1)Go to Metadata Repository and select "Query". Find your query with CTRL+F and click on it. Assigned roles are displayed at the bottom of the page.
    If you cannot find it that way, or you need to know this for more than one query in one go, you can try
    table RSRREPDIR: type the query's technical name into field COMPID (use the arrow icon 'multiple selection') to get COMPUID, then go to table AGR_HIER where SAP_GUID = COMPUID; AGR_NAME is the role name.
    2) To assign the roles to queries you will have to go to Query Designer, open query -> select the query which you want to assign, and at the top there is an option for the roles... it's the third or second from the left.
    Once you click it, it will take you to the roles already existing in your system.
    Just choose the role to which you want to assign and click OK.
    Before that... if you have no roles in your system, then you will have to create them through t-code PFCG.
    3) The Favourites folder is your own place and it will be shown only to your groups, so I think it's not necessary to remove it from the Favourites folder.
    4) If you place the query in a workbook, then it will be easy to assign roles and authorization to it.
    Note:
    Suppose you have to test and validate the queries that are created then , for example you can have a role named test and validation and you can assign the queries to that role and you can add the users who can access these queries in that role.
    Broadcast roles
    We can broadcast to the roles. When you do that, all the users who are in that role will receive it. In the information broadcasting screen, under recipients, you have to select the value USER IN ROLE.
    [Data Protection guide|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/4b1f472a-0a01-0010-76a3-8f7b81d95c59]

  • Assigning roles to LDAP users through BIP API

    Hi.
    My customer has BIP 11g and OIM 9.1.0.2 running on the same weblogic server (11g). Both authenticate against the same LDAP server.
    One of our desired next steps is to provision from OIM the BIP roles to each LDAP user so every user gets the correct roles (and access to the correct reports) according to the groups he has on OIM.
    I've been searching for info regarding this without success. The BIP API doc does not show any info about assigning roles to users.
    We don't need to manage LDAP users, BIP roles, etc... through OIM. We only need to assign BIP roles to LDAP users.
    Is it possible to make that assignments through BIP API?
    If not, any other ideas? New ideas or different approaches are welcome.
    Thanks in advance.

    In OBIEE 11g which includes BIP the application roles are applied to LDAP users and groups using the Enterprise Manager Fusion Control.
    During the upgrade process from OBIEE 10g to OBIEE 11g the groups do get assigned to these roles transparently so there must be some API to leverage this functionality.
    I would start there, http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10541/admin_api.htm
    There are no specific instructions on accomplishing what you seek but if you have some WLST or Java Skills you should be able to get something prototyped.
    Let me know if that helps.

  • Error in assigning role to multiple task

    Hi,
    We are using BAPI BAPI_BUS2175_ROLE_ASSIGN_ADD to assign role to task. It is working fine if we are assigning different role to different tasks. But if we assign the same role to different tasks in a project, it is giving dump while saving the data.
    We are using following sequence in the code:
    1. BAPI_BUS2172_LOAD to load the project
    2. BAPI_BUS2175_ROLE_ASSIGN_ADD to assign role to task
    3. BAPI_CPROJECTS_COMMIT_WORK to save the changes.
    So when BAPI_CPROJECTS_COMMIT_WORK is executing, it is giving dump as follows.
      The exception 'CX_DPR_FATAL_ERROR' was raised, but it was not caught anywhere
      along
    the call hierarchy.
    Since exceptions represent error situations and this error was not
    adequately responded to, the running ABAP program
      'CL_DPR_AUTHORIZATION_SERVICES=CP' has to be
    terminated.
    Could you please let me know what may be the reason for getting dump.
    Regards,
    Anil Salekar

    I can tell you the table where the the role assignments get stored . It is
    DPR_ENTITY_LINK.

  • Assigning roles to users programmatically

    Hi,
    I want to programmatically create roles, assign roles to users etc.
    I saw at this thread
    ADF Security Policy Store
    the following scriptlet by Frank Nimphius
    try {
        // Look up the identity store behind the named JPS provider
        IdentityStore idstore = JpsCommonUtil.getValidIdStore("idstore.xml.provider").getIdmStore();
        try {
            UserManager userManager = idstore.getUserManager();
            RoleManager roleManager = idstore.getRoleManager();
            Role adminRole = idstore.searchRole(Role.SCOPE_APPLICATION,"admin");
            // create user
            //TODO check for empty username and password
            User newUser = userManager.createUser(this.username,this.password.toCharArray());
            // grant the application "admin" role to the new user's principal
            roleManager.grantRole(adminRole,newUser.getPrincipal());
        } catch (IMException e) {
            // TODO
        }
    } catch (JpsException e) {
        // TODO
    }
    return null;
    This is a TP3 scriptlet; is it still working on the 11g production?
    I tried it and I get a JpsException
    oracle.security.jps.JpsException
         at oracle.security.jps.internal.common.util.JpsCommonUtil.getValidIdStore(JpsCommonUtil.java:1004)
    Do I have to replace "idstore.xml.provider" with something else depending on my configuration?
    thanks
    Tilemahos

    Hi Frank thanks for the answer,
    I checked this functionality with the WLS embedded LDAP and I saw your "How-to configure OID for authentication in WebLogic Server" post.
    I managed to add users and assign them roles that I created in my application.
    But what if I want to have a super user that can create new roles and assign them member roles?
    e.g.
    Developer created roles (policy store):
    accessPage1 ( granted all the necessary principals to access page1 )
    accessPage2 ( granted all the necessary principals to access page2 )
    Super user created roles
    Role1 member roles: accessPage1, accessPage2
    If I want my application to have that functionality I must create roles programmatically, won't I?
    Is there another way?
    By the way I followed the advices at the following useful links
    Chris Muir: http://one-size-doesnt-fit-all.blogspot.com/2008/12/configuring-wls-with-ms-active.html
    Frank Nimphius's How-to configure OID for authentication in WebLogic Server
    Edwin Biemond's Using OpenLDAP as security provider in WebLogic
    Andrejus Baranovskis: Practical ADF Security Deployment on WebLogic Server
    And I managed to add users of the Microsoft LDAP to the WLS
    but I couldn't make them group members of my application groups (roles).
    Is this possible?
    Thanks

  • SECATT for assigning roles to users

    Hi All,
    How do we make the ECATT to work for the below scenario:
    Users already have roles assigned to them. We need to add a new roles to the users which can vary in number based on the users job.
    A simple ECATT script that was developed to add a single role to a new user does not work in the above case and gives an error of invalid batch input. How do I create a ECATT to assign role to user who already has a set of roles assigned (number of roles assigned to users differ, so I cannot assume to train the ECATT to assign a role on line X). Is there something I am missing while the ECATT script creation?
    We are doing this from a CUA and its very difficult to assume how many roles a user could have.
    Thanks,
    Jay

    Thanks Alex for the insight. For some reason SU10 is slow in the CUA environment and I wanted to avoid it, but yes, I finally had to use SU10. Talking to one of our ABAPers I came to know that even in their BDC recordings they get the error which I received, but he changes his program to skip all the lines with data and then fill the empty line.
    In CUA environment, how do we create ECATT to delete a role from many users?
    Thanks,
    Jay

  • What is  the purpose of assign roles to portal please describe

    what is  the purpose of assign roles to portal please describe

    Hi,
    You assign Roles to Users and not to portals.
    Check this to know about Role:
    http://help.sap.com/saphelp_nw70/helpdata/EN/45/c0d8e962336000e10000000a1553f6/frameset.htm
    So a role has contents that a user can see and also privileges that the user can have (UME Actions).
    http://help.sap.com/saphelp_nw70/helpdata/EN/fb/33f520d15f8f4092a60381365620b2/frameset.htm
    When a user is assigned certain roles which have contents and also UME Actions, this user sees them when he logs on to the portal and also has this set of privileges.
    Regards,
    Praveen Gudapati

  • Assigning role to role doesn't work when applying Database security model

    I applied the Oracle Database security model for BI Publisher.
    Then I created some roles and users and assigned roles to users in Oracle Database.
    I also assigned appropriate folders to each role in BI Publisher.
    The users with direct roles worked successfully, but I got a problem when I assigned roles to a super role and assigned this role to a super user.
    The super user could only access the guest folder.
    Please help me.
    Thanks.
    Daniel
    Edited by: user13344498 on Jul 5, 2010 11:13 PM

    Add a Role to a Role:
    1. From the Security Center, select Roles and Permissions; this will invoke the
    Security Center page. Here you can see the list of existing roles and permissions.
    2. Select the Add Roles icon for the Role.
    3. Select the desired role from the Available Roles list and use the Move shuttle
    button to move it to the Included Roles.
    this is from "Oracle® Business Intelligence Publisher User's Guide Release 10.1.3.2 Part No. B40017-01" book, but the security model is BI Publisher Security.

  • Need to assign Role into step type mail in recipent type

    Hi Experts,
    I need to assign a role to the recipient type for step type send mail, but in the drop-down there is no role option to assign. To achieve this I created an organization, then a position, and assigned a job to that position, then assigned the role under that job. After all that, in the recipient type I assigned the job, but when I execute the workflow I am getting an error. Even if I directly assign the role to the position and then assign that position to the recipient type, I am getting an error when executing my workflow.
    But if I assign a user to the position or job, my workflow works properly. Is there any problem with assigning a role to a job or position?
    Please let me know if there is any extra thing I need to take care of when I assign a role to a position or job.
    Points will be rewarded for the right answer.

    Hello,
    Get the users assigned to the role into a container element in the previous step of 'SendMail' step and use the same as the recipient of the Sendmail step.
    This would be a better and easy option as Arghadip said.
    Hope this will help.
    Regards,
    Samson
