Dynamic calculation of privileges into business role

Hi,
I have a requirement to create business roles containing a dynamic list of privileges. In addition, a costcenter attribute determines the right privileges, within a business role, to assign.
I thought of using dynamic groups so that each time I assign a business role, a calculation of privileges based on costcenter is performed.
For example:
BR1;FR10;Z_technical_privileges
BR1;FR30;Z_technical_privileges2
This list is often updated, which is why I need it to be dynamic.
In the filter tab of the dyn group, I set a request to retrieve the mskeys of privileges (here it is the mskey of PRIV:ROLE:<sys>:Z_technical privileges & PRIV:ROLE:<sys>:Z_technical_privileges2).
Then I attach the dyn groups to the role (BR1) by setting up the autoassign field in the membership tab of the role.
When I assign the BR to a user, no privilege is provisioned (the user already has an account in that system).
Am I forgetting something or doing something wrong?
How can I include the "check" on costcenter attributes?
Thanks
Guillaume

Hello Guillaume,
Dynamic roles find you the pool of people that can be used in a business role. If you attach a dynamic role to a BR, those users will become members of the BR.
You are trying the same with privileges and that's why nothing happens, because privileges can't become members of the BR.
Are the different lists of privileges that need to be assigned to users via the costcenter attribute really changing so much?
You could use the dynamic groups to look for the members of a costcenter and assign those to the BR specific for that costcenter with the privileges added to the BR. That means one BR per costcenter, and the privileges need to be changed manually or maybe via a job.
Hmm... where do the new privileges come from? How would you find them dynamically anyway? If you have a SQL statement for that, it should be possible to create a job that adds the new privileges to the BR and deletes old ones.
I don't see a fast and easy way to do this, but I haven't come across a request like this yet, so maybe there is one and I just don't know it (yet ^^).
Regards,
Steffi.
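
The reconciliation step of the job suggested above, as an added example that is not part of the original thread and not SAP IdM code: it parses the BR;costcenter;privilege list from the question and works out, per user, which privileges to add and which stale ones to revoke after a cost center or role change. The user records, the function names and the third mapping row are hypothetical; applying the result in IdM is left to the job.

```python
from collections import defaultdict

# Constructed sample in the BR;costcenter;privilege layout shown in the question.
MAPPING_TEXT = """\
BR1;FR10;Z_technical_privileges
BR1;FR30;Z_technical_privileges2
BR2;FR10;Z_reporting
"""

# Constructed users (hypothetical structure, not the IdM data model).
USERS = {
    "alice": {"costcenter": "FR10", "roles": ["BR1"], "privileges": []},
    # bob moved from FR10 to FR30 and also holds a directly assigned privilege
    "bob": {"costcenter": "FR30", "roles": ["BR1"],
            "privileges": ["Z_technical_privileges", "Z_manual"]},
    # carol lost BR1 but still holds the privilege it once gave her
    "carol": {"costcenter": "FR10", "roles": [],
              "privileges": ["Z_technical_privileges"]},
}


def parse_mapping(text):
    """Return {(business_role, costcenter): {privilege, ...}}; reject bad rows."""
    mapping = defaultdict(set)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(";")]
        if len(parts) != 3 or not all(parts):
            raise ValueError(
                f"line {lineno}: expected BR;costcenter;privilege, got {raw!r}")
        role, costcenter, privilege = parts
        mapping[(role, costcenter)].add(privilege)
    return dict(mapping)


def expected_privileges(mapping, roles, costcenter):
    """Privileges the user should hold for their roles and cost center."""
    expected = set()
    for role in roles:
        expected |= mapping.get((role, costcenter), set())
    return expected


def reconcile(mapping, user):
    """Return (to_add, to_remove) as sorted lists.

    Only privileges that appear somewhere in the mapping are ever removed,
    so privileges assigned outside this mechanism are left untouched.
    """
    expected = expected_privileges(mapping, user["roles"], user["costcenter"])
    current = set(user["privileges"])
    managed = set().union(*mapping.values())
    to_add = expected - current
    to_remove = (current & managed) - expected
    return sorted(to_add), sorted(to_remove)


if __name__ == "__main__":
    mapping = parse_mapping(MAPPING_TEXT)
    for name, user in USERS.items():
        add, remove = reconcile(mapping, user)
        print(f"{name}: add={add} remove={remove}")
```

The removal list is what keeps a cost center move from leaving the old privileges in place.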

Similar Messages

  • Increase transaction types in a Business role

    Hi Folks,
    I am currently logged into business role SALES-PRO. When I want to create a quotation I can see two transaction types (say ZEQT, ZEQ1). If I want to include two more transaction types, for example credit memo request etc., in create quotation itself, can I do it functionally?
    Pls tell me what settings need to be done.
    Regards
    Jaya

    Hi Jaya,
    The transaction types you see are based on the authorizations set for your ID. What you can do is:
    1. Run tcode STAUTHTRACE and set it for your user.
    2. Click on create quotation.
    3. Deactivate the trace.
    4. Display trace and see what authorization you are missing.
    5. Take the authorization object in the trace.
    6. Go to SUIM tcode->Roles->By authorization object.
    7. You will get a list of PFCG roles that have this authorization object.
    8. Now you can tell your basis team to assign this role to your SU01 or you can assign it yourself if you have auth.
    Now you will see more transaction types.
    Thanks,
    Faisal

  • ICM : Unable to login into DETECTIVE Business role

    Hi,
    When I try to log into the DETECTIVE role, I get the issue "Security settings are not maintained, contact your system administrator".
    I have SAP_ALL access and I copied the PFCG role which is assigned to the business role and provided full authorization for all auth objects.
    Can you please assist by providing the key to access the DETECTIVE role in the web UI?
    Thanks,
    Naveen.

    Hi,
    Thanks for your response.
    Fixed it myself: change the technical profile in the business role to DEFAULT.
    Thanks,
    Naveen.

  • Problem when we log into the Webclient with IC_AGENT business role

    Hello,
    We are facing a problem when we log into the interaction center (with the IC_AGENT business role). After the login screen (we fill in the correct user and password) the system starts the application, but an error appears.
    We don't know why, but it is happening only with the IC_AGENT role. We have checked the SICF and it is OK.
    Cannot display view ICCMP_HEADER/HeaderViewSet of UI Component ICCMP_HEADER
    An exception occurred during the internal HTTP communicationException Class CX_BSP_WD_HTTP_RESPONSE_ERROR
    Text:
    Additional Info: Business Server Page (BSP) Error
    Program: CL_BSP_WD_STREAM_LOADER=======CP
    Include: CL_BSP_WD_STREAM_LOADER=======CM002
    Source Text Row: 159
    Cannot display view CRM_UI_FRAME/WorkAreaViewSet of UI Component CRM_UI_FRAME
    An exception has occurredException Class CX_BSP_WD_RUNTIME_ERROR - View BPIDENT.MainWindow in component CRM_UI_FRAME could not be bound
    Method: CL_BSP_WD_VIEW_CONTROLLER=>BIND_VIEW
    Source Text Row: 165
    Initialization of view CRM_UI_FRAME/WorkAreaViewSet of UI Component CRM_UI_FRAME failed
    An exception has occurredException Class CX_BSP_WD_RUNTIME_ERROR - View BSPWD_BASICS/WorkAreaHostViewSet in component CRM_UI_FRAME could not be bound
    Method: CL_BSP_WD_VIEW_CONTROLLER=>BIND_VIEW
    Source Text Row: 165
    Cannot display view CRM_UI_FRAME/MainWindow of UI Component CRM_UI_FRAME
    An exception has occurredException Class CX_BSP_WD_RUNTIME_ERROR - View BSPWD_BASICS/WorkAreaHostViewSet in component CRM_UI_FRAME could not be bound
    Method: CL_BSP_WD_VIEW_CONTROLLER=>BIND_VIEW
    Source Text Row: 165
    Initialization of view CRM_UI_FRAME/MainWindow of UI Component CRM_UI_FRAME failed
    An exception has occurredException Class CX_BSP_WD_RUNTIME_ERROR - View CRM_UI_FRAME/WorkAreaViewSet in component CRM_UI_FRAME could not be bound
    Method: CL_BSP_WD_VIEW_CONTROLLER=>BIND_VIEW
    Source Text Row: 165
    Cannot display view Root.htm of UI Component CRM_UI_FRAME
    An exception has occurredException Class CX_BSP_WD_RUNTIME_ERROR - View CRM_UI_FRAME/WorkAreaViewSet in component CRM_UI_FRAME could not be bound
    Method: CL_BSP_WD_VIEW_CONTROLLER=>BIND_VIEW
    Source Text Row: 165
    An error occurred during initialization of the application
    An exception has occurredException Class CX_BSP_WD_RUNTIME_ERROR - View CRM_UI_FRAME/MainWindow in component CRM_UI_FRAME could not be bound
    Method: CL_BSP_WD_VIEW_CONTROLLER=>BIND_VIEW
    Source Text Row: 165  
    Any help thanks in advance.

    Hi Luis,
    Your error description reminds me of an inactive SICF, but you wrote that you checked this before.
    On this forum there is an excellent entry with lots of hints and tips for the IC WebUI:
    Documentation for Interaction Center (IC) WebClient
    maybe this will help.
    best wishes,
    hakan

  • Is it possible to get into the IC using the SALESPRO business role?

    Is it possible to get into the Interaction Center when using the SALESPRO business role?
    If so, how is this done?
    I know using specific IC* business roles, like IC_AGENT, you are thrown straight into the IC, but I can't see how you can get into it via the SALESPRO business role, which I assume you should be able to do.
    Jason

    Please check
    Using Kerberos Authentication on SAP NetWeaver AS Java - User Authentication and Single Sign-On - SAP Library (NW7.3)
    Using Kerberos Authentication for Single Sign-On - User Authentication and Single Sign-On - SAP Library (NW7.0)

  • SAP Technical roles and IDM Business roles mapping

    Hi Guys
    Just wondering if there is an easy way to export SAP Positions and create them automatically as Business Roles in IDM, and the SAP technical roles that are related to that corresponding position into privileges assigned to that Business Role. Or am I going about this the wrong way? What do you normally do in terms of getting all your SAP technical roles from the SAP system and assigning them to business roles in IDM? Any help on this is much appreciated.
    Cheers
    Leo

    Thanks Matt,
    I think I get the picture now.
    One thing that I am still not sure about is how the SAP ABAP technical roles or profiles are provisioned through workflow.
    Here is what I've done so far:
    1. HCM data loaded into productive identity store via vds
    2. Did an initial load of the abap system into the productive identity store (now the technical roles and profiles are loaded as privileges in the idstore)
    3. Through workflow I select a user that already has an ABAP account and assign that user some additional SAP technical roles, e.g. sap_all and sap_new. The corresponding privileges for these roles are PRIV:PROFILE:ECX:SAP_ALL and PRIV:PROFILE:ECX:SAP_NEW.
    4. For the provisioning to occur so that these new privileges are reflected in the ABAP system for this user, I have used the setABAPRole&ProfileForUser task from the SAP provisioning framework folder and set it as the add/mod/del event task for the MXREF_MX_PRIVILEGE attribute. That way, whenever a privilege is added to a user account, the setABAPRole&ProfileForUser task will run and the sap_all and sap_new profiles will be added in the backend. This way I can avoid setting a provisioning task for each ABAP privilege that gets loaded.
    But it should be obvious now that there is a flaw with this kind of setup, because all non-ABAP privileges that get added or removed will trigger the setABAPRole&ProfileForUser task anyway, because the privileges use the same attribute, i.e. MXREF_MX_PRIVILEGE. So it brings me to the question: how do you provision ABAP technical roles or profiles through workflow without setting a provisioning task for each ABAP-related privilege?
    Thanks again for all your help!
    Leo

  • Business Role, Technical Profile, Application, Start Page in UI for service

    Hi CRM 2007 gurus,
    I have made all the settings in accordance with C04 to use the UI for the services role (copy of business role SERVICEPRO). Created the relevant PFCG role and a position in the org model; with a user and the business role assigned to the position. But I am getting an empty page on login.
    Then I changed the technical profile from DEFAULT to DEFAULT_IC; then it started giving an error "Permission denied".
    I then changed the start application to CRM_UI_FRAME and the start page to DEFAULT.HTM; then Internet Explorer started exiting on its own after the login.
    Can someone pls tell me what is amiss? Do I need to include some specific application and page as the "Startup Application" and "Start Page" in the technical profile (these are currently blank for the technical profile DEFAULT attached to the concerned business role)?
    Points to be won; kindly help asap.
    Regards,
    DP

    Hi Deepak,
    A few cents that might help:
    - Your problem is definitely not related to authorization issues (easily derived from the nature of the error message and the point where it occurs (CL_BSP_WD_STREAM_LOADER)).
    - The error message you received is raised when the CRM UI runtime tries to load a runtime repository. In case a runtime repository of a component has dynamic parts (e.g. the shell part itself), the repository is loaded by the system via HTTP or HTTPS, depending on system settings. This results in the system sending an HTTP(S) request to itself.
    Now, there are two likely reasons for this going wrong:
    a) the system cannot "see" itself on the network (hosts problem, reverse proxy scenarios, etc.)
    b) the runtime repository doesn't exist at all (resource doesn't exist). This sometimes happens if component enhancements are active in a client (customizing settings) but the respective enhancement component (development objects) hasn't made it into the system.
    c) In your case we can rule out this one: the SICF service for the UI component is not active. In that case the response would likely have been something like "Access forbidden", and you confirmed already that all SICF services are active.
    To get more clarity, you might want to proceed as follows:
    - Set a breakpoint in the line mentioned in the error message. You can access the source code of the relevant method using SE38 even though the include name looks pretty scary in the message (CL_BSP_WD_STREAM_LOADER=======CM02 or so).
    - In the debugger, check the name of the URL that the system tried to access (the variable should be available some lines above the breakpoint where the request gets sent).
    - Try to access the same URL directly from your browser.
    Now, if you still don't get a valid response, b) might be the case. If you get an XML file back, a) might be the case.
    Good luck!
    Peter

  • Fix Business Role / Technical Role assignment in Pending or Failed status

    Hi,
    We are facing issues with a few users where business role assignment or technical role assignment is going into Pending or Failed status.
    None of the jobs are failing or throwing any error related to the changes.
    We are running IdM version 7.2 with SP8.
    Is there a way to fix this issue other than removing and reassigning or recreating the ID?
    Regards,
    Manish

    Hi Manish,
    If a technical role (priv) is in failed status, please check Tero's reply in the post below. You can set a periodic job to read users and privs in failed status and use the uRetryPrivilegeAdd() function to retry the assignment.
    Failed AD privileges
    I was able to find a document on how to set up the periodic job.
    Retry failed assignments (Privilege)
    You should try searching the forum and wiki for answers. Most of the issues are addressed by our community experts already. Thanks.
    Kind regards,
    Jai

  • Business Roles - Risk analysis

    Hi All,
    We are on GRC SP13.
    We are using business roles for provisioning to end users.
    When the role owner is performing risk analysis for business roles, results are proper according to the defined ruleset only if the "SYSTEM" field is empty.
    If a system is selected, then the results show "NO VIOLATIONS".
    Is this the standard behaviour for risk analysis of business roles or am I missing anything?
    Looking for your advice on this.
    Regards,
    Sai.

  • SAP Business Roles

    Hi,
    Has anyone ever worked with business roles? I am new to the OCM side, having worked on the security side for many years. I am working on a project developing business roles and need more details on how business roles link to security roles.

  • IDM GRC Business Role managment

    Hi experts,
    We integrated SAP IDM with GRC,
    Now our requirement is creating a business in IDM/GRC, request for business role is raised for IDM and approved by role owner in GRC after risk analysis.
    But SAP said business roles and portal groups are not supported between the systems.
    Kindly suggest how to accomplish this.
    Regards,
    Jaya

    Hi Jaya,
    Yes, I remember this is possible. You can set up a customized attribute in GRC privileges and put the business role name into this attribute.
    Try this URL, but perhaps your GRC consultant should read it instead of you.
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0e2c628-2690-2e10-0d82-dbf1931db2cd?QuickLink=index&overridelayout=true&51565377381172
    After creating the attribute, you need to revise the GRC framework to include this attribute (business role name) in your request.
    I don't have a working IDM system (with GRC integration) with me. I could not provide you more details.
    Cheers,
    Chenyang Xiong

  • Unknown calculation type [0] during the dynamic calculation

    Dear Experts,
    I've received the following error when I try to run a business rule (Run on save) attached to a data form:
    "Unknown calculation type [0] during the dynamic calculation. Only default agg/formula/time balance operations are handled"
    Thanks in advance..

    Log into Oracle Support and have a read of
    "Error "1012703 Unknown calculation type [0] during the dynamic calculation. Only default agg/formula/time balance operations are handled" During Calculation [ID 744529.1]"
    "Error: "Unknown calculation type [0] during the dynamic calculation. Only default agg/formula/time balance operations are handled." [ID 593227.1]"
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • Assigning Business Roles - No such task exists

    I am trying to create a user ID and assign a Business Role in the process.  The attribute that I am using is MXREF_MX_ROLE.  It is defined as a multivalue system attribute with a data type of entry reference and the reference type in MX_ROLE.
    From my workflow task, I can select the role from the selection window but when I click OK to save to the identity store, I get an error "You have tampered with the params".  From the Monitor UI, I see the message "Failed setting value for attribute Member of Role.  No such task exists"
    I have a Modify User task that uses the same attribute.  When I attempt to use it, I get the "Failed setting value for attribute Member of Role.  No such task exists".  But I do not get the "you have tampered with the params" message.
    I am only trying to set this in the identity store right now.  I am not yet ready to provision to my ABAP system.
    Any assistance is appreciated.

    Hi Lori,
    in case you have linked privileges to your role, SAP NW IdM searches for tasks in the related repository (as stated in the attribute MX_REPOSITORYNAME of your privileges). Type in the ID of some test tasks in the repository constants MX_DEPROVISIONTASK, MX_PROVISIONTASK and MX_MODIFYTASK and see if it works.
    Otherwise, there could be a missing relation the other way round from the role to the user. See if there is a MXMEMBER_MX_PERSON attribute in your role.
    Best regards,
    Nils

  • Individual Account Creation in IC_AGENT business role.

    Hi,
    After the system got upgraded from 6.0 to EHP1, marketing attributes are not working as expected.
    When I create an Individual Account type in the ZIC_AGENT business role, it gets created successfully but its marketing attributes are not getting set when I check in the Account overview.
    There is a BADI implementation of "BUPA_GENERAL_UPDATE". I debugged and found that in FM "CRM_MKTBP_READ_KSSK_AUSP", the system is trying to get the attributes from table "ausp":
          select * from ausp into table et_ausp
              where partner_guid = lv_guid
              and klart = 'BUP'.
    I think somewhere configurations are not done correctly. But I am aware where I check all these configurations for marketing attributes corresponding to BP. If you know then please let me know.
    Thanks
    Raman.

    Hi,
    You can check it in:
    MARKETINGPRO (business role) -> Marketing (work center) -> Attribute Sets
    Search for the specific attribute/attribute set. Go to the OV page; there will be a check box for person and organization.
    Regards
    Sandeep Kumar B

  • Copied SALESPRO business role in CRMC_UI_PROFILE, but odd results show.

    I have created a new role (Z_SALESPRO) using transaction CRMC_UI_PROFILE. The copied role had all objects copied and I can see that it has the Nav Bar profile of 'SLS-PRO', which is the same as the role 'SALESPRO', being the one that I copied from.
    When I log in using the WebUI I can choose the new Z role, but it does not display the 'Create' section in the Nav Bar. This is the section that displays next to the 'Recent Items' section of the Nav Bar and has options like 'Appointment, Interaction log, Task, E-mail, Contact, Lead, Opportunity and Quotation' shown within the boxed area.
    If I use the SALESPRO role when logging into the WebUI I do get to see the 'Create' section, and yet the role and Nav Bar settings are IDENTICAL.
    Could this be some kind of authorisation issue, or is this problem down to something else?
    Jason

    1. Go to crm>ui framework>business role>define business role
    2. Select your Z business role
    3. In the left panel choose the option "Adjust direct link groups"
    4. Check if they are marked as visible (sometimes when copying business roles, this is not copied)
    5. Next select the direct link group and click in the left panel on the sub node "Adjust direct links"
    6. Check also for this level if they are marked as visible
    Regards.
