ERM / composite role gener. / Function parameter "Authority_check" unknown
Dear All GRC AC Women and Men,
I have a problem to generate a composite role with sap grc ac erm. My GRC version is a 5.3 sp5
For single roles, it s ok.
For composite roles, I to a first generation in GRC AC ERM . The error message is: "Function parameter "AUTHORITY_CHECK" is unknown."
The role is generated in the back-end and the status in GRC AC ERM is "in progress" (Yellow colour).
I do a second generation in GRC AC ERM, and the status is "done" (green colour); the role is generated one more time in the back-end.
The message error in ERM logs is:
"2010-03-18 15:48:48,393 [Thread-140] ERROR com.sap.mw.jco.JCO$Exception: (104) RFC_ERROR_SYSTEM_FAILURE: Function parameter "AUTHORITY_CHECK" is unknown.
java.lang.Throwable: Function parameter "AUTHORITY_CHECK" is unknown.
at com.sap.mw.jco.MiddlewareJRfc.generateJCoException(MiddlewareJRfc.java:516)
at com.sap.mw.jco.MiddlewareJRfc$Client.execute(MiddlewareJRfc.java:1514)
at com.sap.mw.jco.JCO$Client.execute(JCO.java:3980)
at com.sap.mw.jco.JCO$Client.execute(JCO.java:3417)
at com.virsa.re.service.sap.dao.GenerateRoleDAO.generateRole(GenerateRoleDAO.java:564)
at com.virsa.re.bo.impl.GenerateRoleBO.generateRoleAsBackGroundOnMultipleSystems(GenerateRoleBO.java:484)
at com.virsa.re.backgroundjobs.RiskAnalysisAndRoleGeneration.execute(RiskAnalysisAndRoleGeneration.java:238)
at com.virsa.service.backgroundjobs.BackgroundTask.run(BackgroundTask.java:53)
at java.util.TimerThread.mainLoop(Timer.java:432)
at java.util.TimerThread.run(Timer.java:382)"
Do you know the origine of this problem? I am "quite" sure that it is not a back-end problem like authorisations missing for the user rfc (used in Jco).
Best Regards,
Ronan.
Hi Ronan,
This is an issue identified and resolved in SP07.
Please refere to Note # 1290039 if you don't want to upgrade to SP07.
Best Regards,
Sirish Gullapalli.
Similar Messages
-
ERM - composite role is requiring profile name
I am configuring ERM (AC 5.3 SP8) and have imported all single and composite roles. I have naming standards set up for all Single roles, composite roles, derived roles, and profile names. However, when I try to create or change a composite role, it thinks a profile needs to be there (I blank it out on the create). Composite roles don't require profile names.
If I delete the naming standard for profile, it doesn't require a profile for composite. But then when I create a single role, it isn't there either. I really want to maintain a naming standard for profiles for single and derived roles. How can I do this without needing it for my composite roles?
Thanks!It is a bug with SAP.
You can have naming standards for profiles as long as you have ENFORCED=disabled. So, basically, as long as you don't enforce your (profile) naming standards you can delete the profile name when you are creating a composite role. It sort of defeats the purpose of enforcing naming standards but at least it's a work around. SAP has this in development right now and it is being looked at.
Regards,
Peggy -
Error while calling FM : Function parameter "PE_LFA1" is unknown
Dear Experts,
I am trying to call a FM in my code, but somehow I am getting the following error .Please help !
My code is :
DATA : VENDOR_NO TYPE WSRS_SHVDST_RES-VENDOR_NO,
PE_LFA2 TYPE LFA1,
PE_ADDR2 TYPE BAPIADDR1,
PE_ADRPRT2 TYPE WISO_ADRPRT,
PE_RETURN2 TYPE WSRS_RETURN,
PE_LFM2 TYPE LFM1,
PE_LFB2 TYPE LFB1.
DATA:
node_vendor TYPE REF TO if_wd_context_node,
elem_vendor TYPE REF TO if_wd_context_element,
stru_vendor TYPE if_vendor_view=>element_vendor ,
item_vendorinp LIKE stru_vendor-vendorinp.
navigate from <CONTEXT> to <VENDOR> via lead selection
node_vendor = wd_context->get_child_node( name = if_vendor_view=>wdctx_vendor ).
get element via lead selection
elem_vendor = node_vendor->get_element( ).
get single attribute
elem_vendor->get_attribute(
EXPORTING
name = `VENDORINP`
IMPORTING
value = item_vendorinp ).
VENDOR_NO = item_vendorinp.
CALL FUNCTION 'WSRS_O_VENDOR_GET_DETAIL'
EXPORTING
PE_LFA1 = PE_LFA2
PE_ADDR1 = PE_ADDR2
PE_ADRPRT = PE_ADRPRT2
PE_RETURN =PE_RETURN2
PE_LFM1 = PE_LFM2
PE_LFB1 = PE_LFB2
IMPORTING
PI_VENDOR_NO = VENDOR_NO.
My Error is :
Note
The following error text was processed in the system HE6 : Function parameter "PE_LFA1" is unknown.
The error occurred on the application server hsdnt24s11_HE6_00 and in the work process 5 .
The termination type was: RABAX_STATE
The ABAP call stack was:
Method: ONACTIONFETCH_VENDOR_DETAILS of program /1BCWDY/A8XPPCRFM5I0CTSGLFDT==CP
Method: IF_WDR_VIEW_DELEGATE~WD_INVOKE_EVENT_HANDLER of program /1BCWDY/A8XPPCRFM5I0CTSGLFDT==CP
Method: INVOKE_EVENTHANDLER of program CL_WDR_DELEGATING_VIEW========CP
Method: IF_WDR_ACTION~FIRE of program CL_WDR_ACTION=================CP
Method: DO_HANDLE_ACTION_EVENT of program CL_WDR_WINDOW_PHASE_MODEL=====CP
Method: PROCESS_REQUEST of program CL_WDR_WINDOW_PHASE_MODEL=====CP
Method: PROCESS_REQUEST of program CL_WDR_WINDOW=================CP
Method: EXECUTE of program CL_WDR_MAIN_TASK==============CP
Method: IF_HTTP_EXTENSION~HANDLE_REQUEST of program CL_WDR_MAIN_TASK==============CP
Method: EXECUTE_REQUEST_FROM_MEMORY of program CL_HTTP_SERVER================CP
Please help.Hi,
I will ask this way, from where did you get list of parameters for this FM? Try using pattern to call this FM, than you will be proposed with correct interface.
EDIT:
After checking it in system you should switch IMPORTING and EXPORTING
CALL FUNCTION 'WSRS_O_VENDOR_GET_DETAIL'
EXPORTING
PI_VENDOR_NO = '99'
* PI_ACCEPT_NOTFOUND =
* PI_PURCH_ORG =
* PI_COMP_CODE =
IMPORTING
PE_LFA1 = lv
* PE_ADDR1 =
* PE_ADRPRT =
* PE_RETURN =
* PE_LFM1 =
* PE_LFB1 =
Best regards
Marcin Cholewczuk
Edited by: Marcin Cholewczuk on Apr 12, 2011 1:20 PM -
PFCG composite role copy issue
'morning!
A colleague of mine is facing a strange problem at her customer site:
On copying composite roles with PFCG you should receive a dialog box with the question "Should the Single Roles Be Copied and Reentered?". This gives you the opportunity to just enter the original singles or to copy them and enter the copies.
Unfortunately this pop-up is missing on their ECC 6.0 system and the singles are always copied as well. This is not the required way.
Is there any system setting/parameter that steers this popup? We would really like it back....Hmm... I am not logged on so I confess that this is guessing.
Next option is that the message is displayed using a popup function which is obsolete in ECC 6.0 but still using in the coding - which now simply defaults what the function module would have returned.
Activate the ABAP debugger immediately ahead of where the popup should have appeared and look at the call stack to see what the name of the function is?
Particularly keep an eye out
a) CALL FUNCTION 'POPUP_TO_CONFIRM_WITH_MESSAGE'
b) CALL FUNCTION 'POPUP_TO_CONFIRM_STEP'
c) CALL FUNCTION 'POPUP_TO_DECIDE'
d) CALL FUNCTION 'POPUP_TO_CONFIRM' -
Get child users of composite role
Hello
There is FM (ESS_USERS_OF_ROLE_GET ) which bring all user of roles but what i want it's more complicated
IF there is composite role i want to get all the user that in the roles under the composite role .
Let say i have composite role with two roles inside (in the role tree ) .
Composite role
user1"this is the users of the composite role
user2
user3
Role number 1
user4
user7
user9
Role number 2
user 8
user 5
user7
user6
What i want is to get all the users of the composite role and the child role (which is parent ) .
which is .
users 1 - 9.
I read some previous post on this issue in the forum but what I need is to use just this FM without access to the DB
table such as T_AGR_AGRS and COLL_ACTGROUPS_GET_ACTGROUPS ,
What i need to do is recursive call on the FM ESS_USERS_OF_ROLE_GET .
Regards
Joy
Edited by: Joy Stpr on Aug 23, 2009 8:50 AMHello Joy,
How is it possible to use just function module ESS_USERS_OF_ROLE_GET to get data without DB access?
I mean this function module takes input as Simple/Composite ROLE so you have to have some list maintained
which will be input for this function module.
I think you can load composite and simple role in table and loop at it to make calls to function module ESS_USERS_OF_ROLE_GET to get users for compsite/simple roles.
Some input has to be there, That's what I feel.
Check if this helps!
Thanks,
Augustin. -
Static function parameter help
Hi,
I have two functions in the same file, how can I use the first function as default value in the second function.
public static function get decimalFormatter1():NumberFormatter{
I try this:
public static function secondFunction(param1:String, param2:Int=0, param3:Function=decimalFormatter1):Array{
Getting error: -1047: Parameter initializer unknown or is not a compile-time constant.
Any ideas?
Thanks!Thanks for you reply and help Gordon.
I am getting this error at the decimalFormatter1 line:
-1067: Implicit coercion of a value of type mx.formatters:NumberFormatter to an unrelated type Function.
Here is my simple get function:
public static function get decimalFormatter1():NumberFormatter{
var decimalFormatter:NumberFormatter = new NumberFormatter();
decimalFormatter.rounding = "nearest";
decimalFormatter.precision=1;
decimalFormatter.useNegativeSign = false;
return decimalFormatter;
Any other way? -
CUP 5.3, Risk test of all roles in a Composite Role - possible?
We want to use a Function (Dummy) Role in CUP, that shall have Composite Roles connected in CUP.
But when I do this - I only see the composite role when I make a SoD / Risk check in my cup WF.
Can I somehow also check the single roles in the composite roles?
Thank you
KristianHi Kristen,
It should definitely be possible to analyse the composite role via GRC.
Either through simulation of the assignment of the additional single role into the composite or by the assignment of the composite role into the user's authorisations.
The composite role itself will not have any authorisations but it should read through the single roles contained within it as it is those authorisations which end up with the user.
Have you tried analysing the composite role directly in RAR to isolate it away form the CUP functionality as a unit test? If that works, you should then be able to prove that the risk analysis is indeed working. Then you can concentrate on the configuration of the workflow processes through CUP without being distracted from primary objective.
Simon -
Hi Experts,
I have been trying to modify the Composite role SAP_EMPLOYEE_ERP for some functionality on portal. In tx OOAC, P_PERNR switch is activated (changed to 1) before this. First of all, I do not know whether the switch should be activated for ESS. But activation worked for me, and was able to get rid of one error. I followed this document for activating <a href="http://help.sap.com/saphelp_erp2005/helpdata/en/94/b8b83b5b831f3be10000000a114084/frameset.htm">P-PERNR</a>.
I followed the guide lines in the help link, and made some changes in the
<b>HR Master Data Personal number Check</b> in the role Z_SAP_ESSUSER_ERP. I added the following profile:
<b>Authorization Level: W (write access)
INFOTYPE: 167 (Health plans)
Interpretation of Assigned Authorization: E (excludes the right access)
Subtype: BMER</b>
I feel that should do trick: the user should not edit the Health Plan BMER on portal. Is it the right approach? It should overwrite the standard profile
<b>Authorization Level: *
INFOTYPE: 0002, 0005, .............., <b><i>0167</i></b>, 0168, 0169, ......
Interpretation of Assigned Authorization: I
Subtype: *</b>
Any suggestions will be greatly appreciated.
Thanks!Christopher,
Ok.
I managed to achieve the requirement. I am keeping the thread here as I do not know how to move threads.
This is what I did.
1. Authorization Level: W (write access)
INFOTYPE: 167 (Health plans)
Interpretation of Assigned Authorization: E (excludes the right access)
Subtype: BMER
2. Authorization Level: *
INFOTYPE: 0002, 0005, .............., 0167, 0168, 0169, ......
Interpretation of Assigned Authorization: I
Subtype: *
Profile 2 is overwriting the profile 1. What i did was in profile 2
I removed the 0167 under INFOTYPE. made the profile 1 as follows.
<b>Final </b>
<b>1. Authorization Level:R (read access)
INFOTYPE: 167 (Health plans)
Interpretation of Assigned Authorization: I (incldue )
Subtype: BMER
</b>
I did the trick. The user is able to view the benefit plan not edit. the system throws a message "you are not authorized to do this" if he tries to edit. However it is one way of restricting the user. might be not elegant. but quick.<i></i> -
Role of functional consultants in GRC Process Control
Can anybody provide his/her thoughts on the role played by functional consultants (especially FI, MM) in GRC Process Control assignments/projects?
Hi Abhijeet,
Process Control means controls to be implemented in a given Process.
Now what is the Process?
Flow of activities which can be tracked one end to other. Best example:: Procure- to- Pay or Order- to- Cash.
Procure to Pay is one process which starts with Procurement and involves MM-Purchase, and FI-AP mainly. Similarly , Order to Cash cycle starts from SD and stops at FI-AR.
Controls in these processes has to be built at several stages,i.e., at sub-process levels. For Instance, in Procur-to-Pay , more controls are required for Vendor related Transactions.- Person allowed to create vendor should not be allowed to process the Vendor. Internal control on Duplicate Invoices . Payment maintenace of vendor like Bank details changes in Vendor Master should be cross checked by two tier Authorisation or Composite Role method via Basis.
Henceforth the functinal consultants has more role to identify/design/implement the controls.
There is no readymade tool so far to guide us as to what are the Processes where we need the Controls in SAP. It calls for pure expertise in the domain and vast exposure in building the controls.
Most of the people are embedding controls today to Comply with various Regulations (SOX/J-SOX/COSO guidelines, etc.). Few are exercising it to avoid Frauds.
Let me know what is <i>your</i> actual concern and where exactly you are looking for the GRC Process Controls? Is it for Audit or for Implentation ? May be then this forum can be more helpful.
Regards,
Sudhanshu
My points....
Message was edited by:
Sudhanshu Shekhar Tiwary -
FM Assigning of Single Roles to Composite Roles
Hello everybody,
I spend the whole day to a find a solution using any source I know and I couldn't find an solution. So sorry if this question has been asked before.
My Question is:
Can you tell me a Function Module which assigns/removes a Single PFCG Role to a Composite PFCG Role.
Regards MaxHi,
You can add the as many single roles but you cannot add the Composite Roles in Composite Role. -
Add a single role to different composite roles in one step
Hello everybody,
I am working on SAP authorizations, and we often have the situation that a new Tcode is developed and a new role for this Tcode needs to be created.
Than this new role needs to be added to many different composite roles (sometimes more than 100). At the moment I enter the single role to the composite role and regenerate the menu and this one by one. After that I add them with PFCG_MASS_TRANSPORT to my transport request.
I don't want to believe that there is no easier way. Any ideas?
Thank you
FloHi Soma,
great to find a place to be welcome..Thanks
What you wrote definitely makes sense, but we agreed that every user only gets one composite role assigned and this composite role contains all single roles needed for his job. We do not assign single roles to users.
The requirement is that every finance guy should get access to it (by the way, it is a report) unfortunately we have many different sites and may different composite roles for the different positions in the finance area.
And I did not identify a role which is part of every composite role in the finance area, so I would either have to add it to the most common role present in these composite roles and additionally create a new role which gets assigned to the composite roles where I add the T-Code to is not present.
-> In this example I would add one T-Code to two roles. Which our security manager disallowed me...
or make this role available in all finance composite roles, which will give these employees access to other T-Codes which are part of the role but which they should not receive.
-> Which again... our security manager disallowed me...
So the only solution I imagined was to create a new role which contains this T-Code and to add this role one by one to every composite role.
And at the end, your concept is also taken into account because the design of this role is open and if we get a new reporting T-Codes which again need to be added to all Finance guys, I definitely add it to this role
Comments?
Cheers
Florian -
Post EhP4 Upgrade - SUIM does not show Composite Role report
Hi
I'm having trouble in SUIM after we upgraded to EhP4. Specifically in the Roles by complex criteria selection.
When a list of single roles is displayed, I select a role and click on Contained in Composite roles (3-arrow button)
Instead of showing me the list of comp role that selected single role is found in, I get a collective list of all the single roles that are located in the same composite roles as the selected single role is found in.
Any help out there?
Regards,
YergatHi,
Refer the below SAP Notes:
SAP Note 1393940 - SUIM| Incorrect results when searching for profile and roles.
SAP Note 1543140 - SUIM|RSUSR070 long text, USER_COMMAND_AGR
Regards,
Raghu
Added a new SAP note, which is also relevant -
Can I pass a table function parameter like this?
This works. Notice I am passing the required table function parameter using the declared variable.
DECLARE @Date DATE = '2014-02-21'
SELECT
h.*, i.SomeColumn
FROM SomeTable h
LEFT OUTER JOIN SomeTableFunction(@Date) I ON i.ID = h.ID
WHERE h.SomeDate = @Date
But I guess you can't do this?... because I'm getting an error saying h.SomeDate cannot be bound. Notice in this one, I am attempting to pass in the table function parameter from the SomeTable it is joined to by ID.
DECLARE @Date DATE = '2014-02-21'
SELECT
h.*, i.SomeColumn
FROM SomeTable h
LEFT OUTER JOIN SomeTableFunction(h.SomeDate) I ON i.ID = h.ID
WHERE h.SomeDate = @DateHi
NO you cant pass a table function parameter like this?
As When you declare @date assign value to it and pass as a parameter it will return table which you can use for join as you did it in first code
But when you pass date from some other table for generating table from your funtion it doesnt have date as it is not available there
Ref :
http://www.codeproject.com/Articles/167399/Using-Table-Valued-Functions-in-SQL-Server
http://technet.microsoft.com/en-us/library/aa214485(v=sql.80).aspx
http://msdn.microsoft.com/en-us/library/ms186755.aspx
https://www.simple-talk.com/sql/t-sql-programming/sql-server-functions-the-basics/
http://www.sqlteam.com/article/intro-to-user-defined-functions-updated
Mark
as answer if you find it useful
Shridhar J Joshi Thanks a lot -
Hi,
Can anyone please tell me whats the role of functional area in projects.
This is defined in the project profile and flows down to the project objects.
Thanks
N.SomeshHi,
In my opinion, functional are has nothing to do with which costs are to be picked but once there is some cost, functional area is recorded in FICO documents. On the basis of the functional division, cost of sales accounting displays where costs occur in the organization.
In your case, functional area in project will be considered for postings. Refer this:
[Link 1|http://help.sap.com/saphelp_47x200/helpdata/en/5f/b77616a0f811d39755006094b969cf/frameset.htm]
[Link 2|http://help.sap.com/saphelp_47x200/helpdata/en/b4/afd3b2353e11d496c50000e835339d/content.htm]
Regards -
How to pass "EnterpriseManagementObject" Type as Function parameter?
Hello, dear Colleagues.
I'm trying to pass "EnterpriseManagementObject" as Function parameter.
Here is the piece of code:
$SCSM = 'SERVER_NAME'
function Add-Comment {
param (
[parameter(Mandatory=$true,Position=0)][Alias('Id')][String]$pSRId,
[parameter(Mandatory=$true,Position=1)][Alias('Comment')][String]$pComment,
[parameter(Mandatory=$true,Position=2)][Alias('EnteredBy')][String]$pEnteredBy,
[parameter(Mandatory=$true,Position=3)][Alias('IsAnalyst')][Bool]$AnalystComment,
[parameter(Mandatory=$true,Position=4)][Alias('IRObject')][EnterpriseManagementObject]$IRObject
if ($IRObject) {
$NewGUID = ([guid]::NewGuid()).ToString()
if ($AnalystComment)
$Projection = @{__CLASS = "System.WorkItem.Incident";
__SEED = $IRObject;
AnalystComments = @{__CLASS = "System.WorkItem.TroubleTicket.AnalystCommentLog";
__OBJECT = @{"Id" = $NewGUID;
Comment = $pComment;
DisplayName = $NewGUID;
EnteredBy = $pEnteredBy;
EnteredDate = (Get-Date).ToUniversalTime();
IsPrivate = $false
New-SCSMObjectProjection -Type System.WorkItem.IncidentPortalProjection -Projection $Projection -ComputerName $SCSM -ErrorAction stop
} else {
Write-Host $pSRId "could not be found"
$IncidentClass = Get-SCSMClass -name System.WorkItem.Incident$ -ComputerName $SCSM
$Incident = Get-SCSMObject -Class $IncidentClass -Filter "name -eq $c" -ComputerName $SCSM
Add-Comment -Id $c -Comment $text -EnteredBy $name -IsAnalyst $False -IRObject $Incident -ErrorAction stop
With GetType() I watched $Incident is "EnterpriseManagementObject":
IsPublic IsSerial Name BaseType
True True EnterpriseManagementObject Microsoft.EnterpriseManagement.Common.EnterpriseManagementObjectBaseWithProperties
But PS script returns error TypeNotFound:
Add-Comment : Unable to find type [EnterpriseManagementObject]. Make sure that the assembly that contains this type is loaded.
At C:\script.ps1:146 char:13
+ Add-Comment -Id $c -Comment $text -EnteredBy $name -IsAnalyst $True ...
+ ~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (EnterpriseManagementObject:TypeName) [], RuntimeException
+ FullyQualifiedErrorId : TypeNotFound
Is there a way to pass "EnterpriseManagementObject" as Function parameter?
Thanks.First of all the error indicates that you haven't loaded the assembly which contains the class you're trying to load.
Try loading the assembly by running:
[Reflection.Assembly]::LoadWithPartialName("Microsoft.EnterpriseManagement.Core") | Out-Null
Secondly if you want to use type based parameters restrictions you should use full type name, which can be found with the command:
$SomeObject.GetType().FullName
You should end up with: Microsoft.EnterpriseManagement.Common.EnterpriseManagementObject
Maybe you are looking for
-
Since I updated my itunes I can no longer burn a playlist to disc using MP3 format. I clicked on converting the songs to mp3 format but they still won't burn to disc. The computer says it is checking media and then stops.
-
Mouse over labels similar to IE toolbar
I'd like to have a couple of labels, say B(bold), I(italic) and U(underline), when you put mouse over, it will raise and when you press or click, it will sink, but the label position should remain SAME all the time. I have my sample codes below which
-
Bursting - OUTPUT sends one big report, instead of multiple individual ones
Bursting - OUTPUT sends one big report, instead of multiple individual ones: Data File below - shows report has the proper tags for the PP_NUMBER; which should split the job into individula files to be email, instead it creates one large file and ema
-
I have been asked to test a user id in BW D , which will the same profile to be used later on in BW Q. I know I have to make sure that there is no change / delete / create authorization . What are the other things I need to make sure of for this prof
-
Removing Stats improves query performance
Hi, Today i have got a rare question regarding Stats collection, In some cases removing existing stats will improve the query performance... What is the reason behind this? After a rigorous search i have landed here to here from you all. Thanks in-ad