CUP Provisioning workflows

Hello
We have a unique use case.
Say we have two roles A and B in a single workflow request.
We want to create a workflow in CUP, that will auto provision A and not auto provision B (just capture the approval).
Is this possible in CUP workflow?
Thanks
Prakash Sankar

Hi Prakash
It sounds like you are trying to set up portal role provisioning through GRC. We are trying to do the same thing. Do you have the portal setup completed? Is that side working?

Similar Messages

  • Post-provisioning workflow in UCS Director

    Hi
    I created a service request in UCS director (v4.1) to provision a VM.
    Additionally I created/added a post-provisioning workflow to that service request with the purpose of sending the custom report upon completing the provisioning process.
    The question here: How can I access the provisioned VM details from my custom workflow task's Cloupia script without asking the user to enter them manually? I am interested in getting details like the assigned IP address of the VM and its hostname at least, and then building some logic around them.
    Thanks in advance

    Hello Sandeep,
    Following are key high points of UCSD or are better than what other vendors are providing.
    1) Enable Automation & Self Service through Workflows, Triggers, & Tasks.
    2) Lifecycle Management Controls.
    3) Automated adaptive provisioning.
    4) Multi-tenant Security.
    5) Single pane of glass for continuous capacity monitoring.
    6) Chargeback.
    7) Orchestrator & workflow designer.
    8) CloudSense Analytics.
    9) Multi-hypervisor support.
    10) Multi-cloud support.
    Regards,
    Shahzad

  • OIM approval / provisioning workflows

    Hi All
    I have a query about OIM approval / provisioning workflows.
    Application X (e.g. Active Directory) has an OOTB connector which can provision the user and manage his role in the application. The user can raise request for role change via OIM Admin console.
    My query - Can I configure access policy/user group for creation of a base user identity in the application X. This will create user identities for all users in application X without any roles. Later user should be able to request for roles and upon approval, his role should be updated in application X.
    Can this scenario be implemented with any OOTB connector with provisioning and role approval workflows in place? Do you see any complexity in this? Please provide your comments.

    The base provisioning can be done using access policies.
    If you want request based role management in pre OIM 11g you would have to do it over custom ROs. There are a couple of ways to do this.
    The easiest way to do is to combine the approaches in these two postings and create a custom RO that moves the user into an OIM group that has an attached access policy that manipulates the child table on the base target system RO.
    http://iamreflections.blogspot.com/2010/09/oim-howto-one-resource-object-per.html
    http://iamreflections.blogspot.com/2010/09/oim-howto-target-system-group.html
    Please take a look and see if this is understandable. I probably should write another entry that addresses this specific use case.
    /Martin

  • CUP Provisions user to SAP successfully but gives "Auto-Provisioning" error

    Hi All,
    I'm getting an "auto-provisioning" error in CUP when a "Change Account" workflow is approved. The strange thing is, CUP does successfully provision the change to the SAP backend. Yet, the "New Account" provisions successfully without the error.
    Here is an example of the audit trail log from Change Account:
    Request submitted for approval by Dylan Hack(HACKDY) on 06/28/2010 17:14 
    Approved By Dylan Hack(HACKDY) Path AE_AUTO_APPROV_ERROR and Stage AE_AUTOPROV_ERR on 06/28/2010 17:14 
       Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
       Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
       Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
       Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
    Auto provisioned for request on 06/28/2010 17:14 
       User Provisioning failed for System(s) : DEV. Error Message :
       Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
       Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
       Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
       Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
    Request submitted for reroute by system on 06/28/2010 17:14 due to auto provisioning failure 
       Rerouted in the Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR to Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR
    Note: the role names were replaced with "xxxxxxx."
    The system log gives an error, but it is very vague:
    2010-06-28 17:14:34,682 [SAPEngine_Application_Thread[impl:3]_33] ERROR com.virsa.ae.service.ServiceException
    com.virsa.ae.service.ServiceException
         at com.virsa.ae.service.sap.SAPProvisionDAO.intializeWithChangeUserInputParameters(SAPProvisionDAO.java:762)
         at com.virsa.ae.service.sap.SAPProvisionDAO.changeUser(SAPProvisionDAO.java:3457)
         at com.virsa.ae.service.sap.SAPProvisionDAO.changeUser(SAPProvisionDAO.java:3419)
    Any ideas or suggestions?
    Current software level AC5.3 SP12.
    -Dylan

    Hello Varun,
    Thanks for the thought on this. We don't use User Defaults for Change Account, but do for New Account. Your question prompted me to do more testing with very interesting results.
    Results
    New Account with User Defaults configured:
    User provisioned successfully, no Auto-Provision error, Defaults NOT provisioned.
    New Account without User Defaults configured:
    User provisioned successfully, no Auto-Provision error.
    Change Account with User Defaults configured:
    User provisioned successfully, no Auto-Provision error, Defaults NOT provisioned.
    Change Account without User Defaults configured:
    User provisioned successfully, Auto-Provision ERROR, Defaults NOT provisioned.
    In both New and Change Account, the configured User Defaults are NOT provisioned even though the user is provisioned. AC5.3 is on SP12, the RTA is VIRSANH SP12 and VIRSAHR SP10.
    For the Change Account, the user is always provisioned regardless of User Defaults; however, when no User Default is configured, the Auto-Provisioning error occurs. The User Defaults NOT provisioning is a real problem, the CUP error message, I can work around for now.
    What about on your side? Am I the only guy using SP12 here?

  • GRC AC 10 CUP : Provisioning of Approved roles (Line Item)

    Hello Gurus,
    We have configured CUP in GRC AC 10, and mapped a workflow for the same.
    Now when a user requests new roles, e.g. 3 roles
    (Role 1, Role 2, Role 3), each role has a different role owner.
    When the request goes to the role owners for approval and 1 of the 3 role owners rejects the request, the whole request gets rejected.
    Is it possible to have functionality where roles which are approved will go ahead and get "Provisioned" and the whole request won't completely get rejected?
    Looking forward for your inputs !!
    Thanks in advance.
    Regards,
    Victor

    Hello Victor,
    I guess you can work with the approval/ rejection level (stage 5 in the WF configuration).
    Have a look at here: http://forums.sdn.sap.com/thread.jspa?threadID=1637574
    Cheers,
    Diego.

  • Manual CUP provisioning

    We are using CUP (BO AC 5.3 SP14) with role provisioning via SAP CUA. Whenever there is a system upgrade etc on our CUA systems, we would prefer if any role requests could be "put on hold" in CUP, ie keep all workflow functionality but just not provision the role to the user in the last step. There are also other reasons why we during certain periods would like to control when roles are provisioned from CUP to SAP
    When turning off "Auto provision at end of each path" the system completes all workflow steps without problems, but the request is closed and the role not assigned in SAP
    Just turning off "Role auto provisioning" does not fulfill our requirements, as this assigns the role to the user in SAP but does not run the last user compare step
    So, is there any way to manually trigger/import the role assignment from CUP request database that have been approved in e.g the last 12h, or since the last manual import (delta)?
    Many thanks
    Mikael

    Hello Frank, and thanks for your reply - interesting alternative solution, though you also confirm this cannot easily be "imported" from the CUP database. I think we need to test this scenario in order to find the best option.
    I assume we need to set up a specific user for the CUA connector, so that all other connectors are still available when the CUA user is disabled. We already have a Manager and Role owner approval in our CUP workflow. The SAP role is assigned following role owner approval. If possible, we could perhaps redirect all requests that fail due to technical connector issues in the last approval/role assignment step to a Basis admin. That might mean we would automatically manage all technical scenarios without changing workflows
    Indeed this is not a very common scenario, but due to upgrades we will have several periods with downtime on our central CUA in the coming months. We also have regular "freeze periods" in our environment, meaning no roles are allowed to be assigned. If we can still manage to run the workflow seamlessly for an end-user, then that would be very useful
    Thanks for your input
    Mikael

  • Process rule and provisioning workflow problem

    Hi,
    We have designed a workflow to provision groups from a database resource to LDAP and AD resources. We use the process rule in the ActiveSync process. The group creation works without problems now, but the update/creation of users from the database doesn't work. In my workflow I try to use the workflow services provision and reprovision; the result is OK, but nothing is updated in my AD and LDAP.
    I have read in an old post that, in the process rule, ActiveSync offers a user view variable, but I don't receive anything, so I need to do a getview and then pass this view to the reprovision rule. This doesn't work.
    What is the correct process to reprovision from a process rule, and when we need to create a new user, where can I get a user view for the provision process?
    Thanks

    Why does your supervisor start giving you such work before giving you some training on IDM?
    Need Approval process workflow?
    Re: Approval Process
    Forum is for Freshers too but people are using it for just completing their project not for learning/sharing.

  • ERM - CUP Approval Workflow E-mails

    Hello gurus,
    We are experiencing an issue with Role Expert (ERM) to Access Enforcer (CUP) role approval workflow. When a role reaches the approval stage in ERM, an e-mail notification with a link to CUP approval is sent to the designated approver's LDAP e-mail address.  This functions properly.  Following approval or rejection of the role, another e-mail should be sent to the requester's e-mail address to inform him/her that the role has been approved/rejected.  This e-mail is not functioning.  We have the same e-mail address configured in the LDAP, UME, and back-end SAP system, but this e-mail address is not receiving any notification of approval/rejection.
    This functionality is appropriately configured in CUP with the following:
    Name: RE_APPROVAL
    Workflow Type: Role Expert
    Approval Determinator: RE_APPROVAL
    Request Wait Time (Days): 0
    Request Wait Time (Hours): 0
    Escalation Configuration: None
    Approval Type: Any One Approver
    [No e-mail group]
    Request Rejection: Yes
    Re-Route: No
    Confirm Approval: Yes
    Confirm Rejection: Yes
    Reject By Email: No
    Approve By Email: No
    Forward Allowed: No
    No additional security.
    Has anyone seen this issue before?  Any advice for troubleshooting will be greatly appreciated.
    Thanks,
    Joy

    Hi everyone,
    We are experiencing something similar to what Joy related.
    We have configured in CUP 5.3 a workflow for ERM role approval with two stages.
    In both stages, the e-mail notification with a link to CUP approval is sent to the designated approver's e-mail address, but following approval or rejection of the role, the e-mail informing the role has been approved/rejected is not sent to the requester's e-mail address.
    In the first stage, the CAD is configured to send the request to the approver defined in the role in ERM (web service). In this stage, the requester's e-mail address is not receiving any notification of rejection but does receive all notifications of approval.
    The second stage is configured with a fixed approver, and in this case the requester's e-mail address is not receiving any notification of approval nor rejection.
    Any suggestions of what we can do to make this work? We would like both (approval and rejection) notifications to be sent to the requester's e-mail address.
    Or, if it is possible, can CUP be configured to send e-mail notifications of approval and rejection ONLY in the LAST stage of the workflow??
    Regards,
    Pablo

  • CUP Provisioning into LDAP

    Hi Gurus,
    We are trying to figure out if we can provision a NEW user ID into LDAP (AD) through CUP? Ideally we will have a Manager enter a request into CUP that includes a user's SAP access as well as AD and have CUP autoprovision this access.
    In reading the guides it seems CUP can only write groups to existing AD users.
    Does anyone have any thoughts or experiences?
    Thanks,
    Grace Rae

    Grace,
    CUP can provision existing LDAP groups to existing IDs, but as you said, cannot create new ones.  The best method to incorporate this would be to connect CUP to an IDM system to provision the ID and access.  If this is not acceptable, the other option is to create a custom connector that would communicate with a third party application (such as a macro/script) that would create the IDs through a separate process.
    I know this isn't the news you want to hear, but I hope it helps!
    Tyler

  • CUP Provisioning Steps

    Hi,
    What are the minimum steps required to configure CUP? A brief explanation of the steps would be great.
    Thanks,

    CUP has a fair amount of work involved to get off the ground. This is a RTFM moment.
    Installation and Upgrade Guide for Cisco Unified Presence Release 7.0
    http://docwiki.cisco.com/wiki/Cisco_Unified_Presence,_Release_7.x_--_Installation_and_Upgrade
    Deployment Guide for Cisco Unified Presence Release 7.0
    http://docwiki.cisco.com/wiki/Cisco_Unified_Presence,_Release_7.x_--_Deployment_of_Cisco_Unified_Presence
    Configuration and Maintenance Guide for Cisco Unified Presence Release 7.0
    http://docwiki.cisco.com/wiki/Cisco_Unified_Presence,_Release_7.x_--_Configuration_and_Maintenance_of_Cisco_Unified_Presence
    Also, if you are a partner, there are training resources available for CUPS in PEC I believe.

  • ERM - Workflow Approval Configuration in ERM and CUP

    Hi Experts,
    I'm in the midst of configuring the workflow approval for ERM and have some queries.
    I followed the post-installation guide part 1 for ERM on the workflow configuration and have successfully done the following:
    1. Verified that the "AE_init_append_data_RE.xml" has been uploaded in CUP with Append option
    2. Verified that request type "RE_ROLE_APPROVAL" with workflow type "RE" exists
    3. Verified that priority "RE_HIGH" with workflow type "RE" exists
    4. Created a workflow initiator for ERM called "ROLE_APPROVAL" in CUP -> Configuration -> Workflow -> Initiator (with the said details as per the post-installation guide)
    5. Created a CAD called "ERM_ROLE_APPROVER" for ERM in CUP -> Configuration -> Workflow -> Custom Approver Determinator (with the said details as per the post installation guide, filling in the necessary URI, uname/pw for admin with UME roles)
    6. Created TWO stages , one stage for the role owner called "ERM_ROLE_APPROV", and one stage for the internal control owner called "ERM_ROLE_APPRO2", both with workflow type "RE" and Approver Determinator "ERM_ROLE_APPROVER" which was created in step 5 earlier.
    7. Created a path for ERM Role Approval Workflow in CUP -> Configuration -> Workflow -> Path, with workflow type "RE", Number of Stages "2", Initiator "ROLE_APPROVER", Active "checked" and I put Stage 1 as "ERM_ROLE_APPROV" and stage 2 as "ERM_ROLE_APPRO2".
    8. Configured the Exit Web Service (followed the details as per the post-installation guide for ERM)
    As my role approval is pretty straight forward (i.e. based on business process attribute defined, with each role owner being responsible for their business process), I did the following:
    1. Create approval criteria "Role Approver for Business Process FI"
    2. For that criteria, I based it on attribute "Business Process"
    3. I clicked on "Assign Approvers" to define who is the approver (i.e. the respective role owner responsible for Process FI)
    4. I defined the condition for this criteria, Condition = AND, Attribute = Business Process, Value = FI
    My queries:
    1. Is the approval criteria which I created in ERM, referring to 1st stage or 2nd stage of the path in CUP?
    2. I'm assuming that for query 1, the approval criteria which I created is for 1st stage (i.e. ERM_ROLE_APPROV), where can I configure the 2nd level approval for the internal control owner (i.e. ERM_ROLE_APPRO2, in the path which I defined in CUP)?
    Thanks!

    Hi Baldwin,
    All workflow paths in CUP are triggered by an Initiator.  Once the request from ERM meets "Initiator" ("ROLE_APPROVAL") requirements in CUP, the request will go to the first stage defined in the respective path. Approvers defined in each stage of the path can approve request. Once the request is approved in CUP, approval information will be sent to ERM and then the role in ERM will be moved to the next stage.
    Best Regards,
    Sirish Gullapalli.

  • Can approval workflow in GRC be avoided

    Hi All
    I have the following query.
    Following are the steps:
    1) I am using Oracle's Identity Management.
    2) I am fetching user data from OIM.
    3) I am using SAP GRC 5.3 (CUP).
    4) I am using the SAPGRC_AC_IDM_SUBMITREQUEST web service for a request type, e.g. New ACCOUNT.
    5) A request ID is generated.
    6) Now can I provision the user into the SAP backend system without the approval process?
    7) If yes, then let us know how it is done.
    In short, can we bypass the approval workflow in GRC (as approval has to be done at Oracle's Identity Management) and directly provision the user into the SAP backend system?
    Thanks
    Jagan

    That's an easy one:
    - go to the stage configuration of your provisioning workflow
    - choose "No Stage" as the approver determinator
    Done.
    Frank.

  • Role Creation in CUP 5.3

    Hello,
    I'm trying to understand the concept of what is called "role creation" in Compliant User Provisioning.
    My understanding is that the "create role" option in CUP (configuration>Roles>Create Role) means simply adding the "attributes" such as a business process, functional area, system, or company, to the SAP roles that you imported into CUP.  
    It seems that, with CUP, once you have imported SAP roles and "adjusted" them (adding attributes), you are no longer operating PFCG and SU01 in the SAP backend system. From this point on, everything is done in CUP (provisioning) and ERM (creating additional roles).
    Please tell me if I'm wrong.
    HM

    HM,
    The create role option in CUP is mainly for legacy/non-CUP supported systems. This way you can follow the standard workflow process for LDAP/Windows/legacy systems. In this, user provisioning and role assignment will not be done through CUP and will be manual. This is very important for some companies as they want users to go through the same process if they want to get access to any system and not only the ERP system.
    The below statement is wrong.
    It seems that, with CUP, once you have imported SAP roles and "adjusted" them (adding attributes), you are no longer operating PFCG and SU01 in the SAP backend system. From this point on, everything is done in CUP (provisioning) and ERM (creating additional roles).
    If you don't have ERM then you will have to use PFCG. Once you have CUP, you don't have to use SU01.
    Regards,
    Alpesh

  • Duplicate Resource Objects  are displayed while provisioning the resource

    Duplicate Resource Objects are displayed while provisioning the resource to organization after creating a new workflow through export and import process.
    A workflow already exists in the environment and I am trying to replicate the workflow with a different name. So I import all the components related to the provisioning workflow, rename the components, make the necessary changes and import it back. After this I am getting duplicate Resource Objects displayed while provisioning the resource to the organization. Please help, it's urgent.

    I have tried this process thrice and am not able to solve this problem. Unchecking allow multiple: I don't think it matters, as this is provisioning to an org. And what I am saying is that the list from which you select the resources to be provisioned shows duplicate resource object names at a time. Each time I import an XML, the number of same resource object names being displayed in the list increases. So if I have imported three workflows then (say Resource Object AD) appears thrice in the list. I have not given the resource objects the same name in all the workflows for this to happen.
    Sahana

  • OIM-OID Provisioning - OID Group PrePopulate Approach :

    Hi,
    I am working on OID Connector 9.0.1.14 with OIM 11.1.1.5.
    I have reconciled all the Roles and Groups from OID to OIM and can successfully provision users to the OID along with membership to these specific Roles and Groups.
    I want to prepopulate the OID Group based on certain attribute from the OIM User form. My Approach so far is :
    1) Created an Entity Adapter with a variable : say Org and GroupName.
    2) Set the Logic as if Org = XYZ (+XYZ does exist on OIM+) set GroupName as = "OID Group 1" else set GroupName as = "OID Group 2"
    3) Attached this adapter to the "OID User Group" form on the "Data Object Manager" at the pre-insert stage.
    4) Mapped the Adapter variable as :
    a) Org Maps to "Organization Definition" with the qualifier "Organization Name"
    b) GroupName maps to the "Entity Field" with the qualifier "UD_OID_GRP_GROUP_NAME"
    However nothing seems to happen when I create/modify a user with Organization Name as XYZ and manually provision the OID Resource. I can see the form but nothing is populated in the Group Field. Upon completing the request, I get the user provisioned to OID but without any Group information.
    Is my approach right ? Am I missing something ?

    Here is what I have done for a client. My requirement was that, for a given department, a user must have a list of groups provisioned to them. So here is what I've done:
    1. Create a lookup that has Code Key = Department, Decode = CN of the groups in a delimited format.
    2. Create a provisioning task that will look at the department code from the user form, reference the lookup and find the decode values. Split them based on a delimiter. Then using each value, look up the code key value from the real lookup that contains the full distinguished name of the group in the OID Group lookup. I even appended the IT Resource Key and ~ so that my search would be Decode or Code = "IT Resource Name~CN=<CN VALUE>%". This would return only the single group code key value. And then I add it to the child table. Repeat this for all the values in the delimited field.
    3. Create a provisioning task that removes the values from the child table based on the delimited value. You'll need to search through the existing child table values.
    Once you have the 2 tasks, you'll want to add a value to your Lookup.USR_PROCESS_TRIGGERS that is your group determining field. Create your task name in this lookup. On your provisioning workflow, for the Adding of the groups task, make this unconditional, and have a preceding task of the Create User. Give it the name from your Lookup.USR_PROCESS_TRIGGERS and append " - Add Groups" to the task name. Create another task called the same, but append " - Delete Groups" to the task name. On the Add Groups task, make the preceding task the Delete Groups task. When you map your inputs to the adapters, on the delete, select the old value check box from the User Form so that you get the old value. Now, when the value changes on the user form, it will first remove the old groups, then add the new ones. All this will be done using the child table APIs, so that the existing Insert and Delete task triggers for your child table will run.
    -Kevin
