Default Role configuration in CUP
Hi Experts,
We are on GRC 5.3 SP9 and I am trying to assign default roles based on the request type
I want default roles to be assigned only for certain request type
these are the parameters I have configured
Consider default roles: YES
Request Type: NEW Hire
Default roles level: request
user attributes: Company
So I am forced to choose default role user Attribute Company.
I was expecting that whenever a request is created for a new hire I wanted such and such role to be assigned by default!
but now whenever a company( for which i mapped the default roles) is selected its putting default roles in all the request types
I would expect its only puts default roles for my request type NEW HIRE
for the respective company !
Any thought? I am missing something?
Regards
MK
Hello Alpesh,
SAP has come back saying that the application is designed that way always works with the comibation of user attributes
to me its clearly user attributes are taking over the request type ( clearly ingorning ) i dont see a point why they have field in default role configuration for request type ( Request type might as well be simply CUP)
they have asked me try with user attribute as system instead of company , looks like it works !
I will give you more info
Best Regards
MK
Similar Messages
-
RE: Default role config in CUP
Dear Experts,
I got a problem with default role configuration. Please help me in resolving the issue.
I want to configure defaults for all request types like new account and change account as well. Also I what the option "Create if user does not exist" to YES.
This means when ever change account workflow is executed for the existing users, default roles are getting assigned redundantly. is there any way to fix this problem.
My solution is to schedule "PRGN_COMPRESS_TIMES" job so that system will delete all redundant roles. Please advise if there is any other alternative. Client is insisting to have the option "Create if user does not exist"in Auto provisioning enabled.
I appreciate your help.
Thanks,
RajHi
Set the below parameters it never assign the role for change request.
it is working in our system.
CUP---->Configuration->Roles>Default Roles-->Request type = New Hire -
Hello,
I would like to configure CUP to add default roles for one specific system when Request Type is Create User but for another system when Request Type is Assign Role. Is that possible?
I am using GRC 5.3 SP 16.3.
Vanervcrilho,
I´ll give you an option. Maybe someone figures out a different one.
You can create two new request types under configuration->request configuration->request type:
Change_account_system1
Change_account_system2
You´ll be able to configure default roles independent for each one of this request types.
Regards,
Diego. -
Hi,
We are on AC5.3, SP11. I have configured default roles in CUP. Configuration is as follows:
u2022 Consider default roles: Yes
u2022 Request Type: New Account
u2022 Default role level: Request
u2022 User attributes: System
u2022 I have also linked the system to the role
When I create a request (attributes: new account and relevant system) I would expect the role that I have configured to pull through to my request under u201Cselect rolesu201D. This does not seem to be the case.
Any idea what I am doing wrong? Or how the system is expected to behave?
Any help will be appreciated.
Thanks
MoHi Mo,
The scenario can be achieved by
--In the request form customization make Role as non mandatory
--In the Configuration ->stage -> additional configuration -> make Add Role =Yes
--Create a custom Text field where the end user who doesnt not know the exact role name can enter some text description.
Based on this description the 1st approver can add the required role to the request.
And users who know the role can add the same during request creation also.
Regards
-Ranjiv -
GRC AC 10.0: Info about rejected roles in the CUP Email
Hello all,
the GRC componetent CUP seems to be technically mature in comparison to Role Management component, but there is one thing where I am not sure, is it an error or did I miss some config parameters:
When the CUP Request ist closed, the user gets an email (Template ID: GRAC_AR_CLOSE). Not all of the roles were approved, some of the roles were rejected. But the user gets an email where only the approved roles are listed:
We would like to inform the user about the status of all roles in the CUP requests: which roles were approved and which roles were rejected. Is it possible to configure in MSMP Workflow?
Right now we have the following setting:
Thanks,
regards SabrinaHi Sabrina,
To notify the requester for the roles which got rejected, you can try with Email notification template: GRAC_MSMP_ERM_REJECTED for the for the message class.
You can create custom version of this template. For more understanding on how to customize the Email notification template, you can refer to: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/605077fc-3577-2e10-e1a6-a743514d4eb3?QuickLink=index&…
Hope this helps, Let us know if you face any issues.
Regards,
Ameet -
ARQ: Default Role Provisioning Problem in Access Request???
Hi,
This Business Scenario is very common to have default role(s) assigned to a User at the back end system. So I have the same requirement. In achieving this, I followed below thread here:
MSMP Issue - GRC 10
I have also followed the note#1616092 for configuring the Default Roles.
I have performed below activities:
1. Param#2009 = YES
2. Param#2010 = 001
3. Param#2011 = REQUEST
4. Param#2013 = SYSTEM
5. Param#2038 = YES
6. Imported a test role and NO ROLE OWNER is maintained.
7.In NWBC->-AM->RM, I maintained a test role as a default.
Now when I raise a request, application is successfully adding the default role to the request. However, the problem I am facing is that, one Manager approves the request, it is getting failed.
The Audit Log says that, the STAGE is "Completed" but I could also see "No Agent Found, Cancelling path XYZ (in stage no. 002- GRAC_ROLEOWNER)
May I know what I am missing here? Why I am getting error and how can I resolve it?
Please advise.
Regards,
FaisalHi Faisal,
sorry for late resposne I was away traveling.
default roles are being added by default to access request
Yes, these roles are added to the access request.
FN: OK
and this roles are following your normal paths which I guess assumes manager and role owner.
How such roles (not having role owner) will follow the normal path Manager->Role Owner if we are enabling routing (Rule ID: GRAC_MSMP_ROUTE_NO_ROLEOWNER) at manager stage level? Can you please help me understand this?
FN: OK If you enable routing it will go to routing path. I have understood your post as you put in question the behavior of default roles and my point was - they act exacly the same like regular roles.
- request is going to detour path
Does it answer my question?
FN: My point was default roles like all other will go to detur path (assuming you setup it globaly)
Deafault roles can have separate path (in my case) where only supervisor is approving it.
Instead of "GRAC_MSMP_ROUTE_NO_ROLEOWNER" I believe we can have our own rule to have a separate path for such default roles based upon business requirement. Correct me, if required.
FN; correct
It was design in way that initiator rule based on role crtivality is sending this rule to separate path without role owner.
Again, I believe you have enabled your custom rule here to achieve your business requirement instead standard rule id.
correct
If you do not have separate path - this role like any other will follow standard path you have.
Here, I had used a stage called "ZNO_STAGE_PATH" for routing the system line item, which does not have any owner. I used the same path ID for "GRAC_MSMP_ROUTE_NO_ROLEOWNER"Rule ID and it is working fine as of now.
FN: good
My question is that, do you think if I don't use "ZNO_STAGE_PATH" as Path ID for "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID, should it follow the standard Manager->Role Owner path and these default roles get approved and assigned automatically?
FN: You should use the path ZNO_STAGE_PATH as path ID for routing rule.
If the role does not have role owner it will not allow you the even get to Role Onwer stage - request will be detured.
My point from the begining was - instead of using the routing rule - in our case we used separate path for default roles without role owner:) only consisted with manager stage. Again your approach is different but also will work.
Then which Path ID should I use for "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID, as it is mandatory?
Should I use my current path for New/Change Account where at Manager level this was routed due to non availability of role owner?
Are you asking for default roles?
Please advise.
Regards,
Faisal -
Reg:Howq to set Default role on SSO Authentication
We have a scenario where Default roles should be set to Contributor on SSO Authentication(not using LDAP). I have the below configuration
SSO_DefaultRoles=contributor
SSO_ModifyExtraParams=true
SSO_SetAuthInfo=true
SSO_IsSimpleAuth=false
in oraclessopluginfilter_environment.cfg. But on SSO login, I see that users are assigned only guest role because of which they don't have check in option. Can you please help me out with how to set up default roles on SSO authentication.
Thanks in advance for your time and effort
PraveenHi Jon,
For any code changes in bsp components we need it's z-instance and that we get after enhancing the respective entity for eg views, context nodes etc..
In case you are not familiar with the enhancement, please refer to some thread which explain about the component enhancement concept.
Coming to this requirement..
You need to enhance bp_roles component, then enhance rolelist view and roles context node.. redefine the GET_V_PARTNERROLE method.. copy the parent class code and do the necessary changes to manipulate the entries in gt_ddlb_add
Check the statement at line no 107..
gr_ddlb_roles->set_selection_table( it_selection_table = gt_ddlb_add ).
Just before above statment call, manipulate gt_ddlb_add to keep the required role value at index 1..
Another thing in my test system i can't see any role as "Account" under SPRO customizing "Business Partner Roles" instead "Business Partner (Gen.)" is available, don't know if you are able to see Account Role in the Roles DDLB..
i would suggest debug the get_v_partnerrole method once at line no 107 see the entries in gt table you will get an idea what you need to change.
Hope this helps..
Cheers,
Sumit Mittal -
Hello,
I'm trying to understand the concept of what is called "role creation" in Compliant User Provisioning.
My understanding is that the "create role" option in CUP (configuration>Roles>Create Role) means simply adding the "attributes" such as a business process, functional area, system, or company, to the SAP roles that you imported into CUP.
It seems that, with CUP, once you have imported SAP roles and "adjusted" them (adding attributes), you are no longer operating PFCG and SU01 in the SAP backend system. From this point on, everything is done in CUP (provisioning) and ERM (creating additional roles).
Please tell me if I'm wrong.
HMHM,
The create role option in CUP is mainly for legacy/non-cup supported systems. This way you can follow the standard workflow process for LDAP/Windows/legacy system. In this user provisioning and role assignment will not be done through CUP and will be manual. This is very important for some companies as they want user to go through same process if they want to get access to any system and not only ERP system.
The below statement is wrong.
It seems that, with CUP, once you have imported SAP roles and "adjusted" them (adding attributes), you are no longer operating PFCG and SU01 in the SAP backend system. From this point on, everything is done in CUP (provisioning) and ERM (creating additional roles).
If you don't have ERM then you will have to use PFCG. Once you have CUP, you don't have to use SU01.
Regards,
Alpesh -
HI,
I would like to know the use of Create Role option in CUP.
We have this option Configuration -> Roles -> Create Role.
As we know we import roles form either SAP back-end system or ERM.
In this case what is the use of Create Role option.
Thanks in advanceHi ammu,
This is just an option in case you need it. Roles created in CUP are just in CUP, not in the back-end. Remember that CUP can be used for non-SAP systems also, in this case the option to create roles in CUP is important. If you just use CUP with "ABAP-based" back-end systems you shouldn't create roles in CUP directly, you usually perform a sync or import form back-end or ERM.
Cheers,
Diego. -
Hi
There are two options of choosing the source system for role import in CUP
1. Back end system
2. ERM
I am facing problems in importing roles in CUP from ERM. The system shows a successful import but the number of roles imported are Zero. However if I choose the Backend system as source system, the roles get imported in CUP.
can someone help me with this issue. I want to import roles from ERM because roles imported from ERM will have all the role attributes like Business process, Sub business process, functional area etc which are not available if we import roles from backend.
Regards,
NitinHi Sahad,
Did you look at CUP logs? Is ERM and CUP installed on same server? Have you configured Business process and sub process exactly same as in ERM?
There are 2 ways to upload roles into CUP using spreadsheet:
1) Cumbersome method, if you don't have roles maintained in Excel: You can get R/3 roles via SUIM or some other method and manipulate them to match the role import template of CUP
2) Easy method : Import all the necessary roles into CUP via Backend. Once you have all the roles in CUP, go to 'Search Roles'. Click on 'Search' button without providing any search criteria. This will return all the roles available in CUP. Now, click on Export button. CUP will export all the roles into Excel spreadsheet in the format which CUP understands. Now, delete all the roles from CUP and play with the spreadsheet to manipulate other parameters like role approvers, systems, business process etc and upload that spreadsheet into CUP.
Both these methods require some manual work.
Regards,
Alpesh -
ESS Guided procedure Default role assignment
We are implementing ESS in EP7 with ECC 6.0
After setting up Life and Work events it seems that there are default roles Administrator and Overseer that need to be assigned to portal roles, I am just not sure what portal roles to assign. Are these supposed to be assigned to Guided procedure type roles or to MSS type roles?
Any insight would be helpfulHi Gail,
These roles are for the GP processes.
The Default Roles should be configured for each process
This is an important step as this will ensure that the process is started without the user having to assign users who have will administer and oversee the execution of the process. Typically the users who are assigned to the processes as Administrators are the HR administrators and overseers could be managers. However this is not a hard-and-fast rule and this has to be decided at the time of implementation.
hope this helps!!
Regards,
Sharadha -
Can anyone help us in configuring the default role in GRC 10?
We are on SP15.
Default role attribute is Company.Default role gets added to the request but the role needs an approver.If there is no approver, the request goes to the escape route.
Regards,
VinayalaxmiHi Vijaylaxmi,
As stated by other people, you need to configure MSMP workflow path for approvals. You can configure agent to read the approver from a BRF+ table or a function module also. It depends on your business environment. If approvers don't change often, you can use BRF+ decision table also else you can put your logic inside the function module to find the approver.
Regards,
Ravi -
Hi,
I have just installed arch and my problem might be completely trivial. I apologize if that is the case.
I am trying to configure my cups client as follows. At work I am connecting to a remote cups server and at home I have a local(host) cups server. My home printer is HP Deskjet 3520.
When setting the remote cups server in /etc/cups/client.conf I am able to print to the network printers. I was also able to install my printer using the web interface and then install hplip (as described here: https://wiki.archlinux.org/index.php/CUPS#HP_Printer). The problem is that it doesnt recognize the cups server and $ lpstat -t returns
scheduler is not running
no system default destination
lpstat: Bad file descriptor
lpstat: Bad file descriptor
lpstat: Bad file descriptor
lpstat: Bad file descriptor
lpstat: Bad file descriptor
By replacing the remote cups server with ServerName /var/run/cups/cups.sock in etc/cups/client.conf (as is suggested here: https://bbs.archlinux.org/viewtopic.php?id=185298) I have no problem printing to the installed printer.
My question is if there is a way to configure both my local printer and to connect to the cups server.
Thank you in advance and best regards,
TomerHi
I use networkmanager and have created a file owned by root in /etc/NetworkManager/dispatcher.d to do this.
This method works if the ip address numeric ranges are different between the two sites.
I called the file /etc/NetworkManager/dispatcher.d/02cupsclient (I already had a file starting with "01") with this content...
#!/bin/sh -e
if [ -z "$1" ]; then
echo "$0: called with no interface" 1>&2
exit 1;
fi
case "$2" in
up)
rm -f /etc/cups/client.conf
if [ "`ip addr | grep 192.168.`" ]; then
ln -sf /etc/cups/client.conf_work /etc/cups/client.conf
fi
down)
rm -f /etc/cups/client.conf
echo "$0: called with unknown action \`$2'" 1>&2
exit 1
esac
change "192.168." in the above to the starting ip address range of your work network and also
chmod 755 /etc/NetworkManager/dispatcher.d/02cupsclient
Also create /etc/cups/client.conf_work with this content...
ServerName {ip address of work cups server}
When network manager detects you are on your work IP address range, then it symbolic links to your custom client.conf file to use your work cups server, otherwise it doesn't link the client.conf leaving you running your own cups system.
Hope this helps.
Cheers
Paul.
Last edited by paulkerry (2015-02-11 10:01:03) -
Explanation of Process Default Roles: Administrator and Owner
HI experts,
I am having some trouble understanding the reason of the existence of the process default roles:
Administrator and Owner.
In the CAF-GP Security guide, it says that the Standard Process Role Administrator can "Maintain process instances using the GP administration tools"; what this means ?
My user has de GP Administration role and it DOESN`T have the Standard Process Role Administrator from ANY process, and I can maintain ALL the process instances from the Administration workset, I don´t need to have the Standard Process Role Administrator assigned to me.
The same happens with the Standard Process Role Owner ; the Security Guide says the person who is assigned that role can "Maintain process instances"; my question is: If i assign the "Owner" role to a user that doesn´t have the GP Administrator role and this user wants to "Maintain Process instances" where he has to go? because he won´t have the administration workset !.
Best regards,
Marco.Hi Marco,
First, check this link: http://help.sap.com/saphelp_nw2004s/helpdata/en/d9/273a4209a6ae04e10000000a1550b0/content.htm
That will explain better the role of each role.
Itu2019s important to you understand that each process may have a responsible person (admin or overseer) that will monitor the progress of the process.
And you will have a u201CBASISu201D person that will have the GP Administrator role. This role allow to maintain process (with other kind of operations like terminate, complete step, etc.), maintain background queues, archiving, transport of objects, configurations, schedule and other admin tasks for all GP infrastructure.
Regards,
Reward points if itu2019s helpful. -
Hi,
Below configuration settings have been maintained in our system.
13 Access Request Default Roles
2010
001
Request type for default roles
13 Access Request Default Roles
2011
REQUEST
Default Role Level
13 Access Request Default Roles
2013
SYSTEM
Request Attributes
In Access Management > Role Management > Default Roles, I maintained the default role based on below settings:
Attribute: System
Attribute Value: ECDCLNT100
System: ECD
Role Name: ZTEST
After processing the New User Account request, it does not assign the default role.
Is there any configuration that I am missing?
Thanks,
JayDear Jay,
as far as I see the configuration seems to be OK. There are some notes in this regard and based on your SP level it solves the problem. Can you please check or let us know what's your SP level.
http://service.sap.com/sap/support/notes/2002324
http://service.sap.com/sap/support/notes/1527211
http://service.sap.com/sap/support/notes/1616092
http://service.sap.com/sap/support/notes/2007192
etc..
Regards,
Alessandro
Maybe you are looking for
-
In the document attached the vi on the right is sub to the vi on the left. On the subvi on the right the variable "Field Reading" is continuously updated on the front panel of the subvi as the "for" loop is executed, but only the last value of the va
-
Can't upload TV Shows to new 30g iPod Video
We just purchased the new iPod Video (30g) and in Windows XP, iTunes 7 all of the songs and music videos uploaded. However, none of the TV Shows uploaded. Any ideas?
-
CJI3 is not reflecting all the accounts affected by settlement. For example; if settlement posts to 3 assets in different natural accounts CJI3 will reflect the AUC Cost Elem and the Offst. acct for only the first asset created. However, the value
-
I CAN NOT BELIEVE APPLE OFFERS NO PHONE CUSTOMER SERVICE FOR ITUNES USERS!
I have been unable to access my purchased music on my new computer (the old one crashed before I could back up my purchased itunes music). I clicked "check for purchases," and received one of several television shows I purchased and NONE of the dozon
-
I am performing patching. The patching is going fine and there is nothing wrong in that. Actually we are patching the rac environment so all the environment has got min four nodes. Actually in the instructions we are asked to patch in each and every