Deleting connectors and roles in cup

Similar Messages

• CUP 5.3 SP09 - delete connector

  Running CUP 5.3 SP09...attempting to delete connector (not used in any roles or in "User Data Source") and I get the error msg "Cannot delete since referred in User Data Source".  Both items in User Data Source are listed as UME.  Is this a SP9 error?

  Jack,
    The error messages are messed up in SP9 as well as in SP10. I think the connector is being referred somewhere in CUP. Did you check if this connector information is not beding used in any workflow settings or in any open requests.
  Archive all the requests and then try to delete the connector. If this doesn't work then open a message with SAP.
  Alpesh

• Error when deleting connector in CUP

  Hi,
  When i try to delete connector I am getting message "Cannot delete because this is referenced by risk analysis"
  I tried by disabling the risk analysis and mitigation in CUP configuration,Still getting same message.I am unable to delete it.Any solution, is appreciated.
  Thanks
  Mushu

  Agree with Srinivasan. Archive all the requests and then try to delete connector. If that doesn't work then only option is to delete via database. Open a message wtih SAP and they will provide you database structure, then you can build deletion script for the respective tables.
  Alpesh

• Deleting roles from CUP

  Gurus,
  We accidently synced CUP with our EP which points to an ABAP stack (therefore tens of thousands of roles!). There are over 6,000 pages of roles in CUP that need to be deleted. Do we have to do this page by page or is there another way?
  Thanks,
  Grace Rae

  Hi Grace,
  Role deletion in CUP can be either rolewise or pagewise. However there is an easier method where you can disable the Roles in one go. The Disabled Roles do not get displayed to Users at the time of Request creation.
  The Role Upload Template which is used for importing these Roles in CUP would be needed here. There is a 5th field for Systems in the template, which had to be modified.
  If the System for these Roles is EP then just replace it with EP(D) in the Role Upload Template. After this modification import the Template again and check the Overwrite Existing Roles option.
  Hope this will minimize your efforts in deleting Roles.
  Regards,
  Nikita.

• Announcing General Availability of PowerShell Connector and Release Candidate of Generic SQL and SAP Roles/Users

  The FIM team is pleased to announce the availability of some additional Connectors for FIM2010R2.
  General Availability of PowerShell Connector
  The PowerShell Connector can be used to communicate with a system through PowerShell scripts. This allows an easy and flexible way to communicate with other systems but also to pre-/post-process data and files before handed over to the FIM Synchronization
  Service. We believe the community will help providing scripts for this Connector for various systems and will open a place where scripts can be published for reuse.
  TechNet docs:  
  http://go.microsoft.com/fwlink/?LinkID=393057
  Download:         
  http://go.microsoft.com/fwlink/?LinkID=393056
  Release Candidate of Generic SQL Connector
  The Generic SQL Connector will allow you to connect to any database where you have an ODBC driver available. It enables new features compared to the built-in MA such as support for Stored Procedures, running SQL scripts, built-in delta import support, import
  multiple object types, connect to multiple tables, and much more. This Connector is built on ECMA2.3 which allows schema discoverability to be customized in the Sync Engine UI. A pre-release of the next Sync Engine hotfix is included with the Connector download
  and is required for the Connector to work.
  Download:         
  https://connect.microsoft.com/site433/Downloads/DownloadDetails.aspx?DownloadID=52652
  Release Candidate of SAP Users and Roles/Groups
  The updated SAP templates for Users and Roles/Groups allows you to manage Users, Roles, and Groups in SAP. This also include password sync for Users to SAP. The Connector will make sure roles are represented as groups to make it possible to manage these
  with bhold. This template will require the previously published WebService Connector:
  http://go.microsoft.com/fwlink/?LinkID=235883.
  Download:         
  https://connect.microsoft.com/site433/Downloads/DownloadDetails.aspx?DownloadID=52651
  If you have participated in any other Connector preview program you will have access to the Release Candidate downloads. If you have not participated before then to get access to the preview programs on Connect either join the program “Identity and Access
  Management”, “FIM Synchronization Service Connectors Pre-release” on
  http://connect.microsoft.com/directory or follow this link
  http://connect.microsoft.com/site433/SelfNomination.aspx?ProgramID=6709&pageType=1
  We have also published an update to the Generic LDAP Connector adding support for some additional LDAP directories, see
  http://support.microsoft.com/kb/2936070/. If you have additional LDAP directories you think we should support, please feel free to contact me.
                  On behalf of the FIM Sync team,
                  /Andreas Kjellman

  On Tue, 18 Mar 2014 08:09:43 +0000, David Burghgraeve wrote:
  We've been using the OpenLDAPXMA to be able to connect to ACF2 CA-LDAP (from Computer Associates) running on a IBM Z-OS Mainframe System. We've been using it for password synchronization since 2004 on MIIS. Today it's still used via the
  OpenLDAPXMA (64bit) on FIM 2010 R2.
  We had to tweak the password management component in the OpenLDAPXMA to support the error messages we get from the ACF2 System, as we support a multi-master password setup between Mainframe and Active Directory (one can change the password on
  MF and/or on Windows). by example  "LDP0406E ACF2 error modifying lid(ACF00155 NEW PASSWORD CANNOT BE THE SAME AS CURRENT PASSWORD)".
  Additionally, we cannot get the delta import to work with the CA-LDAP, there's no capability in it and we tried to use the time attribute to use in the query for recent changes, but it does not work. (I think we need it in a large integer format
  or unix time integer).
  Would be great to have Microsofts' support in this :)
  In a case like this where your follow-up has nothing to do with the
  original post you should create a new thread.
  Having said that, neither of the MAs to which you refer are official
  Microsoft MAs and as such there is no support from Microsoft available.
  Also, keep in mind that the ECMA1/XMA extensibility framework has been
  deprecated and replaced by the ECMA 2.0. You should plan on replacing
  existing ECMA1 management agents with ECMA2.0 connectors.
  Paul Adare - FIM CM MVP
  "It's 106 light-years to Chicago, we've got a full chamber of anti-matter,
  a half a pack of cigarettes, it's dark, and we're wearing visors."
  "Hotsync." -- Paul Tomblin & Peter da Silva

• ERM & CUP and Role Status attribute

  Hi,
  Under a strategy where roles are imported into CUP from ERM, could anyone share the use / meaning / purpose for "Role Status" attribute in EMR?
  Thanks for all. Best regards,
      Imanol

  Varun,
  We have been extensively checking the sync from ERM into CUP and I can tell you that roles into CUP can be imported eventhough they have Development status value in ERM.
  Anyone has identified the same behaviour in CUP when sync roles from ERM?
  Thanks for all. Best regards,
    Imanol

• Deletion of mass roles from GRC CUP 5.3

  Dear All,
  I have requirement to delete 1000 roles from GRC CUP 5.3.
  I can see option to delete the roles individually under "search role" option but I am not able to find option to delete mass roles.
  Please advice.
  Regards
  Trinadh Bokka

  Hello Trinadh,
  It is not possible to delete all the roles at once through the User Interface. However, you can select a lot of roles at the same time by searching for a role pattern. For example, retrieve all roles starting with Z*:
  Hope it helps,
  Fernando

• Automatic Creation of Roles and Role Mappings in GRC

  Hi,
  we are planning to use SAP Identity Management and SAP GRC Access Management.
  In SAP IDM we have defined several business roles that contain privilieges in SAP systems. When a user is requesting a role, the request will first be sent to SAP GRC for approval and risk checking.
  In order to get this to work, we need to load the business roles of SAP IDM into SAP GRC and we also need to configure the role mapping between the business roles and the technical SAP privileges.
  From what I understood, this could be implemented by loading the required information via Excel filles into SAP IDM.However, this is a quite cumbersome and error-rpone approach an we would like to automate this.
  Is there a way to use e.g. web service calls to create/delete roles and role mappings in SAP GRC?
  BTW: is a documentation of all available GRC web service calls and their parameters available?
  Thanks for your help in advance!
  Best regards
  Tom

  Hi Tom,
  as stated before, the web service description is in the config guide.
  Unfortunately there is no web service to create roles or even mappings in CUP - this is one of many I would also like to se created
  I don't think in your context you will be able to directly send Business Roles to CUP. The role mapping only happens after you send the request, so I'm not sure if that's in time for risk analysis - you will need to try that.
  Are you a customer or a consultant - anyway, feel free to contact me if you need further help integrating CUP and IdM. This is an evolving interface with many possible scenarios, so it's not easy to give you good advise without seeing the full picture.
  Frank.

• Error Provisioning the Federated roles from CUP to enterprise portal

  Hi Gurus,
  Need help. I am trying to provision the roles to enterprise portal using GRC CUP. I have created the connectors and field mapping and the connection is successful. We have a enterprise portal with producer consumer relation ship. The Enterprise portal acts as consumer for the BI portal. The BI portal Roles are federated to Enterprise portal and i get an error "noSuchIdentifier" when I try to provision the federated BI Portal role on the Enterprise portal. I can successfully provision the local portal roles and UME roles on the enterprise portal. I get the error only when trying to provision the roles which are from BI portal.
  Appreciate any help, in this regards.
  Thanks,
  Pavan

  Hi Alma,
  This is one of the security issue.We had faced it sometime back.We searched some CSN's and found a solution.
  Go to Service Market palce and download the latest Cryptographic Tool kit (Service Market place---->software downloads)
  You will get a sca/sda something like tc/iaik./security(something like this)
  Deploy this on to your instance using your SDM.
  After that,Restart the Portal patching.It will go fine.
  reward points if helpful................

• Deleting connectors within CC 5.3

  While debugging my other issue, we concluded that perhaps we should delete all our JCo settings and redo them just to be sure.
  I went into Compliance Calibrator and found that I am able to create new connectors and logical systems, but not delete existing ones.
  If I select a system (e.g. SB1) and then click on the delete button, the screen blinks but nothing gets deleted.
  I checked the UME role assigned to my ID and it's the VIRSA_CC_ADMINSTRATOR role, which provides all the actions required to use the product.
  Any ideas why I can't delete connectors?

  Hello Santosh,
  You cannot delete a Connector if there is data associated with it in CC tables like
  VIRSA_CC_ACTRULE, VIRSA_CC_GENOBJ etc.
  Which include all Management data.
  For deleting connector you need to delete data in these tables, for which Script is given by SAP.
  Please create message under component GRC and ask for SAP deletions script for CC.
  Regards,
  Surpreet

• Delete all existing roles

  Hello,
  we 're using the GRC Provisioning Framework (with IDM 7.1 SP4 and GRC 5.3 SP10_1) and want to delete all existing roles from a user bevor we set new roles to him.
  Is there a general command to do this or have the existing roles to be known?
  Thanks,
  Carsten

  Hello Christian,
  thanks for the quick answer. I'm talking about privileges.
  In the To Identity Store, is it enough to set:
  MSKEYVALUE                   -
     %MSKEYVALUE%
  MXREF_MX_PRIVILEGE     -
  Or do I have to set all existing roles behind the (like priv:grc:xxxx)?
  Thanks,
  Carsten

• Remove authorization to delete Opportunities and Activities

  Hi ,
  The requirements are that the user can create and change Opportunities and Activities , but not Delete Opportunities and Activities .
  I did generate a PFCG role from the Business role , but cannot find the correct object to deactivate/remove from the PFCG role
  Thank you.

  Hi ,
  Thank you , but the "Trash Can" in the WebUI is still accessible , the user gets an error log , but is asking from the  "Trash Can" to be grayed out . Can we do that ? I was looking at Authorization Object UIU_COMP , but could not find a related activity .
  Regard's
  Edited by: Christophe Schutz on Oct 5, 2010 10:05 PM

• Difference Between Attribute Tab and Role Attribute Option

  Hi Experts,
  What is the relation between option custom fields and sub-option attribute under option roles in CUP> config.
  I am asking this because, i have created a workflow based on functional area and now i am getting two functional area options in CAD(select attribute) and in initiator.I know, from where they are coming from....
  1.Custom field>functional area.
  2.Roles>Attributes>functional area.
  Under both options different values are maintained for functional areas,for e.g.AP and AR in first and Bank and Asset in the other one.
  The strange thing to me is that i am able to view only values maintained in Custom field>functional area while creating a test request no value is coming from Roles>Attributes>functional area.
  However, while selecting role(option selct role), initially creating request, i can see the values maintained under functional area(coming from Roles>Attributes>functional area)
  Regards,
  Mukesh

  Mukesh,
      In simple words, there is no relationship between custom fields and role attributes.
  Function area under role attribute is referred as "Functional Area of Role" in CUP. The other functional area refers to the "functional area of the user". In a company, both these functional areas can be similar or different as an user from "AP" can have roles from "AP" as well as "FI".
  When you are creating CAD, do not select functional area of role and you would not see the attribute values from role FA.
  I hope this helps you.
  Regards,
  Alpesh

• User and role permissions getting reset on managed server

            Hi..
            I am not sure whether this is really a clusteing problem. I have a clusted server
            with one admin server and one managed server. I have deployed the some of my own
            applications alongwith the Weblogic Integration application on the managed server.
            I have some users and roles defined in the BPM studio to access and execute the
            workflows.
            But every time I restart the managed server, the user and role permissions are
            reset and the workflows are not executed. I get the following error.
            ####<May 13, 2003 10:01:22 AM BST> <Error> <BPM> <hwdusa08> <managed1_eai2d2A>
            <ExecuteThread: '44' for queue: 'default'> <kernel identity> <11
            1:21ad542a0d3cc527> <000000> <<wlpirequest>
            <started>2003-05-13 10:01:22.230</started>
            <requestor>wlisystem</requestor>
            <templateid>1</templateid>
            <template-name> WLI Logging Framework V2.0 Installation test</template-name>
            <templatedefinitionid>1</templatedefinitionid>
            <instanceid>2001</instanceid>
            <actions>
            <error time="2003-05-13 10:01:22.427">WorkflowException: The server was unable
            to complete your request.
            The WebLogic Integration role "logging" is not mapped to a WebLogic
            Server security group.</error>
            </actions>
            <completed>2003-05-13 10:01:22.428</completed>
            </wlpirequest>
            >
            And the only remeady I need to do here is to delete the role and recreate it with
            specific permissions every time the managed server is bounced. The same thing
            also happens for the created user also where the user loses all the permissions.
            Can anyone please help me on this issue ?
            Thanks in advance
            Mandar
            

  are you using filerealm?
            This seems like a security related question - can you please post this
            question to the security newsgroup you may get a faster answer there.
            sree
            "Mandar Gandhe" <[email protected]> wrote in message
            news:[email protected]...
            >
            > Hi..
            >
            > I am not sure whether this is really a clusteing problem. I have a clusted
            server
            > with one admin server and one managed server. I have deployed the some of
            my own
            > applications alongwith the Weblogic Integration application on the managed
            server.
            > I have some users and roles defined in the BPM studio to access and
            execute the
            > workflows.
            >
            > But every time I restart the managed server, the user and role permissions
            are
            > reset and the workflows are not executed. I get the following error.
            >
            > ------
            > ####<May 13, 2003 10:01:22 AM BST> <Error> <BPM> <hwdusa08>
            <managed1_eai2d2A>
            > <ExecuteThread: '44' for queue: 'default'> <kernel identity> <11
            > 1:21ad542a0d3cc527> <000000> <<wlpirequest>
            > <started>2003-05-13 10:01:22.230</started>
            > <requestor>wlisystem</requestor>
            > <templateid>1</templateid>
            > <template-name> WLI Logging Framework V2.0 Installation
            test</template-name>
            > <templatedefinitionid>1</templatedefinitionid>
            > <instanceid>2001</instanceid>
            > <actions>
            > <error time="2003-05-13 10:01:22.427">WorkflowException: The server
            was unable
            > to complete your request.
            > The WebLogic Integration role "logging" is not mapped to a
            WebLogic
            > Server security group.</error>
            > </actions>
            > <completed>2003-05-13 10:01:22.428</completed>
            > </wlpirequest>
            > >
            >
            > ------
            >
            > And the only remeady I need to do here is to delete the role and recreate
            it with
            > specific permissions every time the managed server is bounced. The same
            thing
            > also happens for the created user also where the user loses all the
            permissions.
            >
            > Can anyone please help me on this issue ?
            >
            > Thanks in advance
            > Mandar
            >
            

• BDC for PFCG for deletion of user roles

  I need to create a BDC for deleting users from roles in PFCG transaction and after deletion you have to click on User comparison in User tab.
  Any idea how to compare and delete theusers from role.
  It comes in Table control.
  1)delete from table control .
  I have not been able to see delete from Table programs.
  George

  Hi
  U should consider PFCG trx is enjoy trx so it's not suitable for BDC, what doesn't mean you can't do a BDC program for that trx but it won't be easy.
  Anyway you can know the users assigned to certain profile reading table AGR_USERS. I believe PFCG shows them sorted alphabetical, so you can know the position where an user should be, after u should use PAGE UP and PAGE DOWN command to scroll the table control.
  Max