Error in auto role assignment based on membership rule

Hi All,
Now this is a strange behavior I am finding. I had created an auto-membership rule in OIM and had assigned it to a role in my OIM. Now whenever I created a user, the role was assigned based on a custom attribute that I was setting in the create user page. This was working totally fine. After that I did LDAP Sync and all, and I am sure it was working even then. Now suddenly the auto assignment of the role has stopped working and the user doesn't seem to get the role automatically at all.
And what is more strange is that when I modify any attribute in the user profile, the membership rule gets triggered just like it should during user creation.
Can someone suggest anything for this if they have faced the same?
Thanks,
$id

I had been struggling with Role membership and access policies myself on 11.1.1.5.2.
Look at the following articles and see if they help:
Auto Role Membership Not Getting Evaluated On Create Event With Custom Post-Process Event Handler [ID 1469286.1]
Role Memberships Given, But Access Policies Not Triggered For Enabled Users [ID 1473348.1]
As for the limited-release 11.1.1.5.2AK patch, it changes the way event handlers are triggered and the way access policy is re-evaluated. Also in that patch Oracle has provided a new API for getting the service in an event handler, which is supposed to bring order and synchronization to the event handlers. As far as confirmation from support goes, the event handlers are the same from B2 to B3 and B4. Oracle is waiting to hear from customers about the results of the 11.1.1.5.2AK patch before it is made available in GA.
-Bikash
Ref: {thread:id=2421106}

Similar Messages

  • Federation, remote role assignment based on ABAP roles on producer

    Hi all,
    We have implemented the federated portal solution for our ESS users. We use the ABAP stack of the producer portal as the user store for the consumer and have no problems assigning portal roles on our consumer based on ABAP roles in the backend (displayed as groups in the portal).
    Now we want to add some extra functionality (e.g. SRM and eRec) and we encounter some problems. These systems all have their own ABAP stack as user store. We have maintained the functional authorization model in the ABAP roles, for instance in SRM. So an example:
    System I: ABAP + JAVA --> ECC 6.0
    Here we have the standard R/3 functionality and the producer portal (A) installed. Roles created on producer portal and assigned based on ABAP roles.
    System II: JAVA --> NW 7.0 Portal
    Our consumer portal (B) where we use roles created on the producer portal (A) on System I.
    System III: ABAP + JAVA --> SRM
    Our SRM system with SRM producer portal (C). In the ABAP stack of this system the functional SRM roles have been assigned to the users. We have created functional SRM Portal roles in order to use remote role assignment on the consumer portal (B).
    +PROBLEM+
    We want to remotely assign portal roles created on the SRM Producer (C) to users on the consumer portal (B), based on the ABAP role assignment in the backend of system III. How can we achieve this in a fast and efficient way?
    Looking forward to your ideas. Anything helpful will be gladly awarded with SDN points.
    Best regards,
    Jan Laros

    Jan,
    Interesting question. Let me share my experience and hope that it is of some use to you.
    We started off federating the corporate NetWeaver Portal (let's say B, parallel to your convention) as a consumer to BI Portals (let's say A).
    - B's UME points to Active Directory
    - A's UME points to the BI ABAP user store
    - User ids are identical in both systems
    We ran into the problem of dual administration ((de)assigning a portal role on both portals instead of just one) for a long time. The issue was due to different reasons at different times as we patched B and A. At one point we were on SP15 on both portals and we were told by SAP that RRA can be done on B for remote roles and the assignment propagates to A automatically if the following configuration is set up on both A and B:
    - A's permissions are relaxed, allowing the "Everyone" group to be checked for "End User" access, as per http://help.sap.com/saphelp_nw04s/helpdata/en/43/2236fc0b413fe1e10000000a11466f/content.htm
    However, we chose not to do the permission relaxation, as enabling the "Everyone" group with "End User" access can allow anyone to launch an iView (if the URL is known somehow) and the user would be able to see the layout of the iView, which can include text, etc. The user won't be able to access any data, though; however, there is a certain compromise on security which we decided is not okay. So we digressed from SAP's suggested practice for security reasons.
    Today we manage security on B using Active Directory groups and on A using Java groups (ABAP roles).
    In your case, I suggest investigating the option of relaxing the security on the producer portal as in the above link. If you think it's okay, all you have to do is provision users on B by assigning remote roles from C and A.
    Either my story is applicable or I have got you totally wrong,
    Kiran

  • When Role is assigned to User through membership rule then it's membership is not added to OID ?

    Hi All,
    I have OIM 11gR2 installed with LDAPSync enabled.
    When I tried to assign a Role to a User through a membership rule, the Role was successfully assigned to the User in OIM, but it was not added in OID.
    Role membership is added in OID when the User requests the Role through Catalog search. Also, Role membership is added in OID after running the job 'LDAPSync Post Enable Provision Role Memberships to LDAP'.
    How can I add the Role membership in OID as soon as a Role is assigned to a User through a membership rule in OIM?

    Hi
    It sounds like you have not selected anything on the Presentation & Data tab of the Workspace Startpoint/User Service.
    You need to specify:
    Your Asset (the form you want to present to the user)
    An associated Action Profile (tells the server how you want the form rendered...typically it is set to Default which uses the Render PDF Form process)
    The variable to hold your data (typically an XML variable)
    Make sure these are set.
    Diana

  • Error in Role assignment

    Hi All,
    I had created an access policy in OIM 11g to work for a role EndUser. I also created a membership rule in the design console to check that a custom attribute on the Create User page called UserRole had the value EndUser. I applied this rule as the membership rule of the EndUser role so that the role would be auto-assigned if I selected EndUser in the UserRole attribute during the create user phase. I also assigned the access policy I had created to this role in the Access Policies tab. After this, whenever I created a user with the UserRole attribute set to EndUser, the role was auto-assigned to the user, the access policy was invoked, and it was working fine.
    Then I enabled LDAP Sync today and, to check that it worked, I disabled the access policy by temporarily changing its role assignment to some other role so that it wouldn't get invoked. After some time I reverted back to the old role in the access policy so that it would work as before. However, now the access policy has stopped working. Also the user role is not getting auto-assigned. And to top this, I am not even able to assign a role manually to any user I create later on. The error I get is:
    An error occurred. The corresponding error code is IAM-0080062
    Can someone please guide me to the solution for this unacceptable error? I don't understand how I am unable to assign roles as well. If at all there was a problem with the access policy, then only that should have stopped working. But not being able to assign roles manually is simply amazing. Please help.
    Thanks,
    $id

    Hey, you are right. The role I am trying to assign doesn't exist in the LDAP server. Actually this role exists in a new category I had created specifically for my case. I see that the Administrators and other default roles that come packaged with OIM are synced to the LDAP server automatically, but these are not. Can you guide me as to how to achieve that? The server diagnostic logs also show the same error:
    [2012-07-30T15:15:07.651+05:30] [oim_server1] [ERROR] [IAM-3010070] [oracle.iam.ldapsync.impl.eventhandlers.membership] [tid: [ACTIVE].ExecuteThread: '9' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [APP: oim#11.1.1.3.0] Adding user membership failed because role EndUser is not synchronized to the LDAP directory
    [2012-07-30T15:15:07.651+05:30] [oim_server1] [ERROR] [IAM-3010003] [oracle.iam.ldapsync.impl.eventhandlers.membership] [tid: [ACTIVE].ExecuteThread: '9' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [APP: oim#11.1.1.3.0] Failed to execute the handler.[[
    oracle.iam.platform.kernel.EventFailedException: Adding user membership failed because role EndUser is not synchronized to the LDAP directory
         at oracle.iam.ldapsync.impl.eventhandlers.membership.UserMembershipCreateLDAPHandler.grantRoleMembership(UserMembershipCreateLDAPHandler.java:216)
         at oracle.iam.ldapsync.impl.eventhandlers.membership.UserMembershipCreateLDAPHandler.execute(UserMembershipCreateLDAPHandler.java:107)
         at oracle.iam.platform.kernel.impl.OrchProcessData.runPreProcessEvents(OrchProcessData.java:898)
         at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:634)
         at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
         at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:670)
         at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeChildProcess(OrchestrationEngineImpl.java:751)
         at oracle.iam.platform.kernel.impl.OrchProcessData.handleAdditionalChanges(OrchProcessData.java:540)
         at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:802)
         at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
         at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:675)
         at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:705)
         at oracle.iam.platform.kernel.impl.OrhestrationAsyncTask.execute(OrhestrationAsyncTask.java:108)
         at oracle.iam.platform.async.impl.TaskExecutor.executeUnmanagedTask(TaskExecutor.java:100)
         at oracle.iam.platform.async.impl.TaskExecutor.execute(TaskExecutor.java:70)
         at oracle.iam.platform.async.messaging.MessageReceiver.onMessage(MessageReceiver.java:68)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
         at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
         at $Proxy348.onMessage(Unknown Source)
         at weblogic.ejb.container.internal.MDListener.execute(MDListener.java:574)
         at weblogic.ejb.container.internal.MDListener.transactionalOnMessage(MDListener.java:477)
         at weblogic.ejb.container.internal.MDListener.onMessage(MDListener.java:380)
         at weblogic.jms.client.JMSSession.onMessage(JMSSession.java:4659)
         at weblogic.jms.client.JMSSession.execute(JMSSession.java:4345)
         at weblogic.jms.client.JMSSession.executeMessage(JMSSession.java:3822)
         at weblogic.jms.client.JMSSession.access$000(JMSSession.java:115)
         at weblogic.jms.client.JMSSession$UseForRunnable.run(JMSSession.java:5170)
         at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
    [2012-07-30T15:15:07.651+05:30] [oim_server1] [ERROR] [IAM-3010003] [oracle.iam.ldapsync.impl.eventhandlers.membership] [tid: [ACTIVE].ExecuteThread: '9' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [APP: oim#11.1.1.3.0] Failed to execute the handler.[[
    oracle.iam.platform.kernel.EventFailedException: Adding user membership failed because role EndUser is not synchronized to the LDAP directory
         at oracle.iam.ldapsync.impl.eventhandlers.membership.UserMembershipCreateLDAPHandler.grantRoleMembership(UserMembershipCreateLDAPHandler.java:276)
         at oracle.iam.ldapsync.impl.eventhandlers.membership.UserMembershipCreateLDAPHandler.execute(UserMembershipCreateLDAPHandler.java:105)
         at oracle.iam.platform.kernel.impl.OrchProcessData.runPreProcessEvents(OrchProcessData.java:898)
         at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:634)
         at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
         at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:670)
         at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeChildProcess(OrchestrationEngineImpl.java:751)
         at oracle.iam.platform.kernel.impl.OrchProcessData.handleAdditionalChanges(OrchProcessData.java:540)
         at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:802)
         at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
         at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:675)
         at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:705)
         at oracle.iam.platform.kernel.impl.OrhestrationAsyncTask.execute(OrhestrationAsyncTask.java:108)
         at oracle.iam.platform.async.impl.TaskExecutor.executeUnmanagedTask(TaskExecutor.java:100)
         at oracle.iam.platform.async.impl.TaskExecutor.execute(TaskExecutor.java:70)
         at oracle.iam.platform.async.messaging.MessageReceiver.onMessage(MessageReceiver.java:68)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
         at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
         at $Proxy348.onMessage(Unknown Source)
         at weblogic.ejb.container.internal.MDListener.execute(MDListener.java:574)
         at weblogic.ejb.container.internal.MDListener.transactionalOnMessage(MDListener.java:477)
         at weblogic.ejb.container.internal.MDListener.onMessage(MDListener.java:380)
         at weblogic.jms.client.JMSSession.onMessage(JMSSession.java:4659)
         at weblogic.jms.client.JMSSession.execute(JMSSession.java:4345)
         at weblogic.jms.client.JMSSession.executeMessage(JMSSession.java:3822)
         at weblogic.jms.client.JMSSession.access$000(JMSSession.java:115)
         at weblogic.jms.client.JMSSession$UseForRunnable.run(JMSSession.java:5170)
         at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
    Caused by: oracle.iam.platform.kernel.EventFailedException: Adding user membership failed because role EndUser is not synchronized to the LDAP directory
         at oracle.iam.ldapsync.impl.eventhandlers.membership.UserMembershipCreateLDAPHandler.grantRoleMembership(UserMembershipCreateLDAPHandler.java:216)
         at oracle.iam.ldapsync.impl.eventhandlers.membership.UserMembershipCreateLDAPHandler.execute(UserMembershipCreateLDAPHandler.java:107)
         ... 38 more
    Thanks,
    $id
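    The diagnostic log quoted above is the kind of thing a defender wants to triage in bulk: every IAM-3010070 record names a role that OIM granted but could not write to the directory, so OIM and OID silently disagree about who is in which group until the role is synced. The parser below is an added example, not code from the thread or from Oracle. It assumes the bracketed ODL record layout shown in the post; the first two sample lines copy that layout, the remaining lines are constructed to exercise the parser (a stack-trace continuation, a second role, an informational record).

```python
"""Triage an OIM diagnostic log for role memberships that failed LDAP sync."""
import re
from collections import Counter

# Constructed sample: lines 1-2 mirror the oim_server1 records quoted in the
# thread; the rest are made up (stack-trace continuation, extra failures,
# one non-error record) so the parser's edge cases are exercised offline.
SAMPLE_LOG = """\
[2012-07-30T15:15:07.651+05:30] [oim_server1] [ERROR] [IAM-3010070] [oracle.iam.ldapsync.impl.eventhandlers.membership] [tid: [ACTIVE].ExecuteThread: '9' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [APP: oim#11.1.1.3.0] Adding user membership failed because role EndUser is not synchronized to the LDAP directory
[2012-07-30T15:15:07.651+05:30] [oim_server1] [ERROR] [IAM-3010003] [oracle.iam.ldapsync.impl.eventhandlers.membership] [tid: [ACTIVE].ExecuteThread: '9' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [APP: oim#11.1.1.3.0] Failed to execute the handler.[[
oracle.iam.platform.kernel.EventFailedException: Adding user membership failed because role EndUser is not synchronized to the LDAP directory
     at oracle.iam.ldapsync.impl.eventhandlers.membership.UserMembershipCreateLDAPHandler.grantRoleMembership(UserMembershipCreateLDAPHandler.java:216)
[2012-07-30T15:20:41.002+05:30] [oim_server1] [ERROR] [IAM-3010070] [oracle.iam.ldapsync.impl.eventhandlers.membership] [tid: [ACTIVE].ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [APP: oim#11.1.1.3.0] Adding user membership failed because role EndUser is not synchronized to the LDAP directory
[2012-07-30T15:22:13.118+05:30] [oim_server1] [ERROR] [IAM-3010070] [oracle.iam.ldapsync.impl.eventhandlers.membership] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [APP: oim#11.1.1.3.0] Adding user membership failed because role Auditors is not synchronized to the LDAP directory
[2012-07-30T15:23:00.000+05:30] [oim_server1] [NOTIFICATION] [] [oracle.iam.ldapsync] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [APP: oim#11.1.1.3.0] LDAP sync job finished
"""

# The five fixed leading fields of an ODL record; everything after them
# (thread, userId, APP, free-text message) is captured as "rest".
HEADER = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<server>[^\]]+)\] \[(?P<level>[^\]]+)\] "
    r"\[(?P<code>[^\]]*)\] \[(?P<component>[^\]]+)\] (?P<rest>.*)$"
)
UNSYNCED = re.compile(r"role (?P<role>\S+) is not synchronized to the LDAP directory")


def parse_line(line):
    """Return a dict for a record header line, or None for continuation lines
    (exception text, 'at ...' frames, 'Caused by')."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    # The message follows the last "[key: value]" field. Nested brackets in
    # "[tid: [ACTIVE].ExecuteThread ...]" make rsplit safer than a regex here.
    # ODL opens a multi-line payload with "[[", which is not part of the text.
    rec["message"] = rest.rsplit("] ", 1)[-1].rstrip("[")
    return rec


def unsynced_failures(log_text):
    """List every IAM-3010070 event as (timestamp, role). The IAM-3010003
    wrapper record and the 'Caused by' line repeat the same text, so only the
    handler's own code is counted and each event appears once."""
    found = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["code"] != "IAM-3010070":
            continue
        m = UNSYNCED.search(rec["message"])
        if m:
            found.append((rec["ts"], m.group("role")))
    return found


def unsynced_roles(log_text):
    """Failure count per role: the list of roles that still need syncing."""
    return dict(Counter(role for _, role in unsynced_failures(log_text)))


if __name__ == "__main__":
    for role, n in sorted(unsynced_roles(SAMPLE_LOG).items()):
        print(f"{role}: {n} membership grant(s) not written to LDAP")
```

    Run against a real oim_server1-diagnostic.log, the role list is the input to the fix the reply below points at: those roles have to be synced to the directory (or the job that provisions role memberships to LDAP run) before membership grants will land in OID, and until then OIM's view of group membership is the only one that changed.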

  • FPN - error trying to lookup object - remote role assignment not working

    Hello everyone,
    We have implemented a Federated Portal Network connection in our landscape between our portals.
    We use only remote role assignment functionality.
    Everything was working fine, but since 2 days we encounter the following error in the Default trace.
    Error trying to lookup object: alias: <role name>
    It is possible to open the producer portal in the Portal Content Administration and also searching for the Producer portal roles is possible in User administration. But when we assign the remote role the tab is not displayed in the portal only the above mentioned error is shown in the default trace. Our portals run SP 12 and BI Java SP14.
    Is there a solution or workaround for this issue?
    Martin

    Hi,
    I have the same issue as you, I cannot see role tabs in Consumer portal and I get the same error in the defaulttrace as you.
    What did you do to resolve this issue?
    Many thanks
    Gordon

  • Srm User interface - change settings : Error in role assignment

    Hi Gurus,
    Users are facing an issue when they change settings in the SRM user interface site.
    Go to SRM user interface site --> Change my settings --> change date format or decimal format.
    When they save it --> they get an error: error in role assignment.
    What can be the issue? It's the same in Dev and QA.
    Waiting for your reply.
    Points will be rewarded.
    Thanks
    Munish Kumar

    Hello Munish,
    Laurent Burtaire wrote:
    If you do a where-used for the message number I gave you, you will find two message calls in methods of the /SAPSRM/CL_PDO_MO_USER_ACCOUNT class.
    Put a break-point to check if one of them is done. Problem cannot be due to missing authorization as there is no data in SU53 for concerned user.
    Regards.
    Laurent.

  • Role Assignment Discovery Issue for Files and Folders through Sharepoint REST services

    To preface, I am a decided Sharepoint newbie in every sense. I am trying to use the Sharepoint REST services (Sharepoint 2013) to walk the folder and file structure of my Sharepoint server and determine, as I go, the Role Assignments (and subsequently Permissions) on those folders and files. I'm using Administrator credentials and I'm actually able to do it successfully, but I've run into some caveats. All the caveats begin with this: when I'm examining a folder, for example:
    /_api/Web/GetFolderByServerRelativeUrl('/sites/cmisdev/Development')/ListItemAllFields
    I receive either an empty list or an error response doc when following the link supplied for ListItemAllFields. When following that kind of link for folders, I either get:
    <d:ListItemAllFields
    m:null="true"
    />
    or an error response document that says "The object specified does not belong to a list." When I hit the /ListItemAllFields endpoint for files, I receive a response with a link for Role Assignments which subsequently also works, and I get the info I need. So, is this a bug? Why does the link returned from Sharepoint work for files and not folders? So, google, google, google, and I discover that there is another possible way to get at the Role Assignments (and that the object does, indeed, belong to a list!).
    If I know the Title (or the guid) of the folder in question, I can use the following endpoint:
    /_api/Web/Lists/GetByTitle('Development')
    If I use that endpoint, I get the information I would have expected to get from following /ListItemAllFields, and the subsequent Role Assignments links all work and I get what I need. If there's a bug and this is how I have to work around it, that's fine, but I have yet to discover how to dynamically determine the Title of a given folder, nor am I sure if all Titles are supposed to be unique within a given Sharepoint server. I'm assuming that the folder name as represented in the server relative URL and the Title may be different, and this is where my newbishness may start to shine if I'm misunderstanding what a "List" is supposed to be in Sharepoint. Anyway, I did find that I could use the Properties endpoint to perhaps get the Title, for example:
    /_api/Web/GetFolderByServerRelativeUrl('/sites/cmisdev/Development')/Properties
    gives me:
    <d:vti_x005f_listtitle>Development</d:vti_x005f_listtitle>
    whose value I assume I could then supply to the /GetByTitle endpoint and be golden. However, "vti_x005f_listtitle" just sounds a little too deep to be something I should be relying on, but maybe that's kosher. That's part of what I'm trying to find out. Also, if there is a way to use the Sharepoint REST API to discover the guid of a given object, then I could look it up in that way.
    So, in summary:
    1. Am I going about getting folder Role Assignment information in the wrong way? Based on the CSOM examples I've seen, I believe I'm doing it correctly and that the answer to #2 below is a resounding "Yes!" :)
    2. Is it a bug if I'm not able to use /ListItemAllFields on folders using the server relative url?
    3. If I'm supposed to use GetByTitle as a workaround, am I discovering that Title correctly through /Properties? Seems quite circuitous and awkward. Are Titles required to be unique throughout a given Sharepoint server?
    4. If I'm supposed to use the guid, how can I use the REST interface to discover an object's guid? Once we get down to the Role Assignments and other links, the guid appears in those links, but I don't know how to discover it independently if that's the path I should use to get the data I described above.

    Upon further research, I'll answer my own question for the benefit of some other potential future newbie. The answer to question number 1 above is "Not exactly." The server relative URLs I was using corresponded to lists (which are returned as a collection through /_api/web/lists). I was treating them mentally like regular folders. That, coupled with the fact that accessing their data as I showed above returns a ListItemAllFields link, made me think that was the way to get the Role Assignments just as I would for files and, as it turns out, "real" folders and sub-folders created under these lists. That was the other problem with thinking of these lists as regular folders. So, ListItemAllFields works on all files and folders in a list. However, if you want Role Assignments for the lists themselves, you can keep track of the Titles and/or Guids from /_api/web/lists that you're interested in (in my case, all non-hidden "document library" type lists) and then access those Role Assignments as I discussed in questions 3 and 4 above. For example, from the /_api/web/lists collection on my test server, the "Development" document library Role Assignments are accessible via /_api/Web/Lists(guid'cd242eeb-aafa-4efa-aecc-9bbdf8e3d459')/RoleAssignments
    or /_api/Web/Lists/GetByTitle('Development')/RoleAssignments.
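    The procedure the poster arrived at (enumerate non-hidden document libraries from /_api/web/lists, then read each one's RoleAssignments by guid or title) is a permissions inventory, which is useful on the defensive side for spotting libraries that are open to everyone or hand Full Control to a group. The script below is an added example, not code from the thread or from Microsoft. It assumes a SharePoint 2013 site at a placeholder URL, the odata=verbose response shape ({"d": {"results": [...]}}), and the $select/$filter/$expand query options those endpoints accept; the HTTP call is injected as a function, and the constructed responses (the Development guid is the one from the post, everything else is made up) let the walk run offline. Replace fake_get_json with a function that performs an authenticated GET with `Accept: application/json;odata=verbose` (a client such as requests percent-encodes the spaces in $filter for you).

```python
"""Inventory role assignments on SharePoint document libraries via the REST API."""
import json

SITE = "https://sharepoint.example.invalid/sites/cmisdev"  # placeholder site URL
DEV_GUID = "cd242eeb-aafa-4efa-aecc-9bbdf8e3d459"          # guid from the post above
DOCS_GUID = "11111111-2222-3333-4444-555555555555"         # constructed
PRINCIPAL_TYPES = {1: "user", 4: "security group", 8: "sharepoint group"}
EVERYONE_CLAIM = "c:0(.s|true"   # login name SharePoint uses for the Everyone principal


def lists_url(site):
    """Non-hidden document libraries (BaseTemplate 101), Id and Title only."""
    return f"{site}/_api/web/lists?$select=Id,Title&$filter=Hidden eq false and BaseTemplate eq 101"


def list_url(site, guid=None, title=None):
    """Address a list by guid, or by title with OData single-quote escaping."""
    if guid:
        return f"{site}/_api/Web/Lists(guid'{guid}')"
    return f"{site}/_api/Web/Lists/GetByTitle('{title.replace(chr(39), chr(39) * 2)}')"


def role_assignments_url(site, guid):
    # $expand pulls the principal and its role definitions in one request
    return f"{list_url(site, guid=guid)}/RoleAssignments?$expand=Member,RoleDefinitionBindings"


def _ra(title, ptype, login, *roles):
    """Build one constructed RoleAssignment entry in odata=verbose shape."""
    return {"Member": {"Title": title, "PrincipalType": ptype, "LoginName": login},
            "RoleDefinitionBindings": {"results": [{"Name": r} for r in roles]}}


# Constructed sample responses keyed by request URL.
FAKE_RESPONSES = {
    lists_url(SITE): {"d": {"results": [
        {"Id": DEV_GUID, "Title": "Development"},
        {"Id": DOCS_GUID, "Title": "Shared Documents"}]}},
    role_assignments_url(SITE, DEV_GUID): {"d": {"results": [
        _ra("Development Owners", 8, "Development Owners", "Full Control"),
        _ra("jdoe", 1, "i:0#.w|corp\\jdoe", "Contribute")]}},
    role_assignments_url(SITE, DOCS_GUID): {"d": {"results": [
        _ra("Everyone", 4, EVERYONE_CLAIM, "Read"),
        _ra("Shared Documents Members", 8, "Shared Documents Members", "Edit")]}},
}


def fake_get_json(url):
    """Stand-in for an authenticated GET; raises KeyError for unknown URLs."""
    return json.loads(json.dumps(FAKE_RESPONSES[url]))


def _items(payload):
    """Unwrap both odata=verbose ({"d":{"results":[..]}} / {"results":[..]})
    and odata=nometadata ({"value":[..]}) collection shapes."""
    if isinstance(payload, list):
        return payload
    if "d" in payload:
        return _items(payload["d"])
    return payload.get("results") or payload.get("value") or []


def document_libraries(site, get_json=fake_get_json):
    return [(lst["Id"], lst["Title"]) for lst in _items(get_json(lists_url(site)))]


def role_assignments(site, guid, get_json=fake_get_json):
    out = []
    for ra in _items(get_json(role_assignments_url(site, guid))):
        member = ra["Member"]
        out.append({
            "principal": member["Title"],
            "login": member["LoginName"],
            "type": PRINCIPAL_TYPES.get(member["PrincipalType"], "other"),
            "roles": sorted(b["Name"] for b in _items(ra["RoleDefinitionBindings"])),
        })
    return out


def inventory(site, get_json=fake_get_json):
    """{library title: [assignment, ...]} for every visible document library."""
    return {title: role_assignments(site, guid, get_json)
            for guid, title in document_libraries(site, get_json)}


def broad_grants(inv):
    """Assignments worth review: anything granted to Everyone, and Full Control
    held by a group rather than a named user. Returns (library, principal, roles)."""
    flagged = []
    for library, entries in inv.items():
        for e in entries:
            if e["login"] == EVERYONE_CLAIM or (e["type"] != "user" and "Full Control" in e["roles"]):
                flagged.append((library, e["principal"], e["roles"]))
    return flagged


if __name__ == "__main__":
    for library, principal, roles in broad_grants(inventory(SITE)):
        print(f"{library}: {principal} -> {', '.join(roles)}")
```

    The guid route is preferred over GetByTitle for the walk itself because list titles are only unique within one web, not across a server, which answers question 3 above; the title form is kept for ad-hoc lookups and shows the quote escaping a title such as O'Brien needs.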

  • Role Assignment does not get distributed from CUA

    Hi all.
    I create users and roles in the CUA client.
    There is no error in role generation.
    When I try to find my role in SU01 by pressing F4 on my role (Y*), the system gives me the message "role not found". But that's not my biggest problem.
    I can assign my role by typing it manually.
    My biggest problem is that only the SAP ID gets distributed into the target system, not the role assignment.
    So in the target system I can see my user ID without any role assigned to it.
    I checked my user ID in SCUL. User and profile do not contain any error message in the target client.
    I tried with transaction RSCCUSND; still my user ID does not contain the role.
    I checked my SCUM transaction; profiles and roles have Global settings.
    Can someone give me a clue why this happens and how to solve this issue?
    Many thanks

    Let's try to simplify the thing in layman's language.
    CUA is for managing user IDs of different SAP systems (at client level) centrally from one system without logging into each of those child systems. To do so, the Central system stores the information about the Roles (their Text and Generated Profile Name ONLY) and Profiles (standard or non-generated profiles) in a few of its tables, like USLA04, USRSYSACT, USRSYSACTT, USRSYSPRF, USRSYSPRFT, etc.
    It doesn't mean that the Roles for the corresponding child system are present in the central system and that there is no need to create (or make available) such roles in the Child systems. The physical Role for each system doesn't get transferred to the Central system when you do the Text comparison; only its identity against the corresponding system does.
    So the Roles have to be there in the corresponding Child systems, and the Assignment of them to the user IDs (not a physical assignment, only linking the name for that child system) can be done from the Central system.
    Also you have got the idea of Text comparison and the requirement of keeping or creating roles in each system based on its nature from the other posts.
    Let us know any more questions you have.
    regards,
    Dipanjan

  • CRM: PFCG Roles restricted based on Sales Organization

    Hi,
    I have a requirement in SAP CRM 7.0 to create roles restricted based on Sales Organization (locations). We have two Sales Organizations, XXX and YYY, to which users need to be restricted. I have used the following objects for this purpose:
    CRM_ORD_OP, CRM_ORD_LP, CRM_ORD_PR, CRM_ORD_OE, CRM_BP_SA
    Every user has been assigned a sales role in which the above objects are deactivated, and separate roles with values for the objects, with the respective Sales Org values for the objects CRM_ORD_OE and CRM_BP_SA, have been provided. I have assigned these roles to the respective users (User A with XXX, User B with YYY) based on their sales org locations. These users are positioned in the Organizational Model (PPOMA_CRM) under their respective Sales groups, as required for the object CRM_ORD_LP, and authorization to this object is restricted to A for CHECK_LEV (Your Own Sales Organization). We use * for the objects CRM_ORD_OP and CRM_ORD_PR, as we do not control these.
    After restricting all these, we do not find the result appearing as we expect, that is, restricting the sales organization data. We need all accounts, activities, opportunities, leads, campaigns, etc. to be restricted by Sales Org, but when we search for accounts, activities, opportunities, leads or campaigns, we get a result list with all data without any restrictions. I even checked the following forum thread, http://forums.sdn.sap.com/thread.jspa?threadID=1579211, which talks about the same kind of issue, but as I am already using the same objects for the restriction, it didn't help me much. I tried deactivating object CRM_BP_SA, as it is not discussed in that thread, and also tried CHECK_LEV=A,B,C,D,E for object CRM_ORD_LP, but all give the same result.
    Additional Info: When I try to create a project with user A, who is authorized for XXX, normally it would pick up the Sales Area Data for the project from the user (meaning User A from the XXX Sales Org.), but I get an error message: Enter a sales org, enter a dist. channel, enter an org unit, etc. Even when I search for leads, it displays a list of data, and when I click on any, it issues the error message: Enter a sales org, enter a dist. channel and enter an org unit (Sales), etc.
    Are we missing any object restriction that would restrict these objects properly, or is there any customization missing? Please advise.
    Thanks in advance.
    Regards,
    Shahul Hameed M
    BASIS Consultant

    Hi Shahul,
    I have a similar requirement to yours. I have maintained the auth values in the role as below:
    CRM_ORD_LP
    03       ACTVT
    A        CHECK_LEV
    *         PR_TYPE
    CRM_ORD_OE
    03       ACTVT
    11       DIS_CHANNE   ( the user is assigned to this dstrbtion channel in org structure)
              SALES_GROU
              SALES_OFFI
    SO1   SALES_ORG
              SERVICE_OR   ( the user is assigned to this sales org in org structure)
    And when I try to display the LEADs in the CRM UI, I still get the display of LEADs belonging to all sales orgs.
    And my trace record for CRM_ORD_LP is:
    CHECK_LEV    ' blank '
    PR_TYPE          LEAD
    ACTVT               03
    That means it is not considering the auth value 'A' for auth field CHECK_LEV.
    Could you please let me know how you have achieved this restriction. Is there anything I'm missing here?
    Thank You

  • Background job fails for BDC profile creation and role assignment

    Hi Experts,
    I have created a BDC function module for Tcode 'PFCG' for profile creation and role assignment, and called this FM in my Z program. The problem is that when I run this program in the foreground it executes successfully, but if I schedule it in the background it fails, throwing the error 'Role 'Z...' does not contain any active authorizations' in the job log. But I have created one more program to create authorization objects, which runs before this Z program. I have also checked the authorization object in 'RSECADMIN'; it shows as active. I don't understand what exactly is happening when it runs in the background.
    Below is the process of job
       1. ZMIS_AUTH_OBJECT_CREATE
           Variant : auth-create
       2. ZMIS_AUTH_ASSIGN_TO_ROLE
           Variant : auth-assign
    The problem is in the second program: it runs in the foreground but fails in the background.
    Code which I have written in my second program:
    * BDC for profile creation and assignment to roles
    CALL FUNCTION 'ZROLE'
      EXPORTING
        ctu                     = 'X'
        mode                    = p_mode
        update                  = 'L'
    *   GROUP                   =
    *   USER                    =
    *   KEEP                    =
    *   HOLDDATE                =
        nodata                  = '/'
        agr_name_neu_001        = wa_role-role_name
        text_002                = wa_role-desc
        text_003                = wa_role-desc
        text_004                = wa_role-desc
        value_01_005            = 'T-ML330881'
        h_fval_low_01_006       = wa_role-auth
        profn_007               = lv_profile
        ptext_008               = lv_text1
    * IMPORTING
    *   SUBRC                   =
      TABLES
        messtab                 = temp_message.
    * Generation of the profile created
    CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
      EXPORTING
        activity_group                = wa_role-role_name
    *   PROFILE_NAME                  =
    *   PROFILE_TEXT                  =
        no_dialog                     = ' '
        rebuild_auth_data             = ''
        org_levels_with_star          = ' '
        fill_empty_fields_with_star   = 'X'
        template                      = ' '
        check_profgen_tables          = 'X'
        generate_profile              = 'X'
        authority_check_pfcg          = 'X'
      EXCEPTIONS
        activity_group_does_not_exist = 1
        activity_group_enqueued       = 2
        profile_name_exists           = 3
        profile_not_in_namespace      = 4
        no_auth_for_prof_creation     = 5
        no_auth_for_role_change       = 6
        no_auth_for_auth_maint        = 7
        no_auth_for_gen               = 8
        no_auths                      = 9
        open_auths                    = 10
        too_many_auths                = 11
        profgen_tables_not_updated    = 12
        error_when_generating_profile = 13
        OTHERS                        = 14.
    Experts, please help me out; it's very urgent. Your help is appreciated and will be rewarded. Thanking you in advance.
    Regards,
    Chetan

    Hi Praveen,
    Yes, definitely. My requirement is that I have to give certain users access to some BI reports, so the contract data will be downloaded from ECC onto the application server; I need to read that file from the application server and, for each contract, create an authorization object, create a role, assign the role to the user, and generate and activate the profile.
    To achieve this I have written two programs:
    1) ZMIS_AUTH_OBJECT_CREATE - This program will create the authorization object using BDC and the role using the BAPI.
    " Creation of the authorization object (BDC recording of the auth object maintenance)
    CALL FUNCTION 'ZAUTHOBJ'
      EXPORTING
        ctu                    = 'X'
        mode                   = p_mode
        update                 = 'L'
    *   GROUP                  =
    *   USER                   =
    *   KEEP                   =
    *   HOLDDATE               =
        nodata                 = '/'
        g_authname_001         = 'ZDUMMY_MIS'
        g_targetauth_002       = wa_tab-auth
        g_authtxt_003          = wa_tab-short_desc
        g_authtxtmd_004        = wa_tab-med_desc
        marked_04_005          = 'X'
        g_authtxt_006          = wa_tab-short_desc
        g_authtxtmd_007        = wa_tab-med_desc
        tctiobjnm_04_008       = 'ZBUS_UNIT'
        g_authtxt_009          = wa_tab-short_desc
        g_authtxtmd_010        = wa_tab-med_desc
        marked_05_011          = ''
        opt_01_012             = 'EQ'
        low_01_013             = wa_tab-bu
        g_authtxt_014          = wa_tab-short_desc
        g_authtxtmd_015        = wa_tab-med_desc
        marked_04_016          = 'X'
        g_authtxt_017          = wa_tab-short_desc
        g_authtxtmd_018        = wa_tab-med_desc
        tctiobjnm_04_019       = 'ZCONTRCT'
        g_authtxt_020          = wa_tab-short_desc
        g_authtxtmd_021        = wa_tab-med_desc
        marked_05_022          = ''
        opt_01_023             = 'EQ'
        low_01_024             = lv_contract
        g_authtxt_025          = wa_tab-short_desc
        g_authtxtmd_026        = wa_tab-med_desc
        g_authtxt_027          = wa_tab-short_desc
        g_authtxtmd_028        = wa_tab-med_desc
        g_authname_029         = wa_tab-auth
    * IMPORTING
    *   SUBRC                  =
      TABLES
        messtab                = temp_message.
    " Creation of the role, cloned from the dummy parent role
    LOOP AT it_role INTO wa_role.
      CLEAR wa_text.
      wa_text-text  = wa_role-desc.
      wa_text-langu = 'E'.
      APPEND wa_text TO it_text.
      wa_jobrole-agr_name    = wa_role-role_name.
      wa_parentrole-agr_name = 'ZM_CT_DUMMY_MIS'.
      wa_method-usmethod     = 'CHANGE'.
      " The statement must end after the last active parameter; a period inside a
      " commented-out line does not terminate it.
      CALL FUNCTION 'ZBAPI_JOBROLE_CLONE'
        EXPORTING
          jobrole    = wa_jobrole
          parent     = wa_parentrole
          method     = wa_method
        TABLES
    *     RETURN     =
          shorttext  = it_text.
    *     LONGTEXT   =
    *     MENU_NODES =
    *     MENU_TEXTS =
    ENDLOOP.
    2) ZMIS_AUTH_ASSIGN_TO_ROLE - This program will generate the profile created and assign it to the role.
    " BDC for profile creation and assignment to roles
    CALL FUNCTION 'ZROLE'
      EXPORTING
        ctu                     = 'X'
        mode                    = p_mode
        update                  = 'L'
    *   GROUP                   =
    *   USER                    =
    *   KEEP                    =
    *   HOLDDATE                =
        nodata                  = '/'
        agr_name_neu_001        = wa_role-role_name
        text_002                = wa_role-desc
        text_003                = wa_role-desc
        text_004                = wa_role-desc
        value_01_005            = 'T-ML330881'
        h_fval_low_01_006       = wa_role-auth
        profn_007               = lv_profile
        ptext_008               = lv_text1
    * IMPORTING
    *   SUBRC                   =
      TABLES
        messtab                 = temp_message.
    COMMIT WORK AND WAIT.
    " Generation of the profile created
    LOOP AT it_role INTO wa_role.
      CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
        EXPORTING
          activity_group                = wa_role-role_name
    *     PROFILE_NAME                  =
    *     PROFILE_TEXT                  =
          no_dialog                     = ' '
          rebuild_auth_data             = ''
          org_levels_with_star          = ' '
          fill_empty_fields_with_star   = 'X'
          template                      = ' '
          check_profgen_tables          = 'X'
          generate_profile              = 'X'
          authority_check_pfcg          = 'X'
        EXCEPTIONS
          activity_group_does_not_exist = 1
          activity_group_enqueued       = 2
          profile_name_exists           = 3
          profile_not_in_namespace      = 4
          no_auth_for_prof_creation     = 5
          no_auth_for_role_change       = 6
          no_auth_for_auth_maint        = 7
          no_auth_for_gen               = 8
          no_auths                      = 9
          open_auths                    = 10
          too_many_auths                = 11
          profgen_tables_not_updated    = 12
          error_when_generating_profile = 13
          OTHERS                        = 14.
      " The CALL FUNCTION statement needs its terminating period before the sy-subrc check.
      IF sy-subrc <> 0.
        MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
                WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
      ENDIF.
    ENDLOOP.
    For creating the authorization objects, roles and profiles I have created one dummy auth object, dummy role and dummy profile respectively.
    I have created the dummy objects so that the roles are copied from the dummy object and assigned to the new auth object, role and profile.
    Let me know what needs to be done, because both of these programs run perfectly in the foreground but fail in the background.
    Regards,
    Chetan

  • Error when running "role usage synchronization" job in ERM

    I get an error in my job log when I run "role usage synchronization". Has anyone seen this before:
    179 12/8/09 5:02:47 PM Ready Job created
    179 12/8/09 5:03:31 PM Running Include users for user access review: A,L
    179 12/8/09 5:03:31 PM Running Exclude locked users with lock codes: 32,64
    179 12/8/09 5:03:31 PM Running Exclude Expired Users : Yes"
    179 12/8/09 5:03:31 PM Running Job running
    179 12/8/09 5:03:31 PM Running Role usage synchronzation for connector WBS is started
    179 12/8/09 5:03:33 PM Running Updated records for 21 users in database
    179 12/8/09 5:03:34 PM Running For 5 users there was no role assignment
    179 12/8/09 5:03:34 PM Running WBS : Total number of users 21, Total number of role assignments: 71
    179 12/8/09 5:03:34 PM Running Error in backend system/Web service; Input data length not a multiple of blocksize.
    179 12/8/09 5:03:34 PM Completed Job completed
    Thanks,
    Peggy
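    An added example, not code from this thread: a small Python parser for job-log lines in the shape quoted above (job id, date, time, status, message; the format is inferred from the posted lines), which pulls out the counters the job reports and flags the backend/web-service error. The point worth noticing in the log is that the job still ends with status Completed after the error, so monitoring that only looks at the final job status would miss this failure. The sample log is constructed from the lines in the post.

```python
"""Parser and checker for the ERM job-log format quoted in the post above.
Added example, not from the thread; the line format (job id, date, time, status,
message) is inferred from the posted lines, and SAMPLE_LOG is constructed from them."""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the job log lines from the post, verbatim.
SAMPLE_LOG = """\
179 12/8/09 5:02:47 PM Ready Job created
179 12/8/09 5:03:31 PM Running Include users for user access review: A,L
179 12/8/09 5:03:31 PM Running Exclude locked users with lock codes: 32,64
179 12/8/09 5:03:31 PM Running Exclude Expired Users : Yes"
179 12/8/09 5:03:31 PM Running Job running
179 12/8/09 5:03:31 PM Running Role usage synchronzation for connector WBS is started
179 12/8/09 5:03:33 PM Running Updated records for 21 users in database
179 12/8/09 5:03:34 PM Running For 5 users there was no role assignment
179 12/8/09 5:03:34 PM Running WBS : Total number of users 21, Total number of role assignments: 71
179 12/8/09 5:03:34 PM Running Error in backend system/Web service; Input data length not a multiple of blocksize.
179 12/8/09 5:03:34 PM Completed Job completed
"""

LINE_RE = re.compile(
    r"^(?P<job>\d+)\s+(?P<date>\d{1,2}/\d{1,2}/\d{2,4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?P<status>Ready|Running|Completed|Error)\s+(?P<msg>.*)$"
)


@dataclass
class JobLogEntry:
    job: str
    date: str
    time: str
    status: str
    message: str


def parse_line(line: str) -> Optional[JobLogEntry]:
    """Parse one log line; returns None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return JobLogEntry(m["job"], m["date"], m["time"], m["status"], m["msg"].strip())


def parse_log(text: str) -> List[JobLogEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def find_errors(entries: List[JobLogEntry]) -> List[JobLogEntry]:
    """Entries whose message reports an error, regardless of the status column."""
    return [e for e in entries if e.message.lower().startswith("error")]


def summarize(entries: List[JobLogEntry]) -> Dict[str, object]:
    """Pull out the counters the log reports: users updated, users without any role
    assignment, and the per-connector totals."""
    summary: Dict[str, object] = {}
    for e in entries:
        m = re.match(r"Updated records for (\d+) users", e.message)
        if m:
            summary["users_updated"] = int(m.group(1))
        m = re.match(r"For (\d+) users there was no role assignment", e.message)
        if m:
            summary["users_without_roles"] = int(m.group(1))
        m = re.match(r"(\w+) : Total number of users (\d+), Total number of role assignments: (\d+)", e.message)
        if m:
            summary["connector"] = m.group(1)
            summary["total_users"] = int(m.group(2))
            summary["total_assignments"] = int(m.group(3))
    return summary


def completed_despite_errors(entries: List[JobLogEntry]) -> bool:
    """True when the job reports Completed although an error line occurred earlier:
    the case a status-only monitor would miss."""
    return bool(entries) and entries[-1].status == "Completed" and bool(find_errors(entries))


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(summarize(entries))
    for err in find_errors(entries):
        print("error at", err.time, "->", err.message)
    print("completed despite errors:", completed_despite_errors(entries))
```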

    Peggy,
       I have seen this kind of error more than a year back. Maybe the role name contains a special character, or somewhere in the role table there is a space or something. I would recommend you open a message with SAP.
    Alpesh

  • Error while accessing role of a user

    Hi,
    We received an error while scrolling through a role assigned to the user. Kindly see the error message and details displayed at that time. Kindly assist. Also, how do I take a thread dump of the server node to find the blocking thread that causes the problem?
    Failed to process request. Please contact your system administrator.
    [Hide]
    Error Summary
    While processing the current request, an exception occured which could not be handled by the application or the framework.
    If the information contained on this page doesn't help you to find and correct the cause of the problem, please contact your system administrator. To facilitate analysis of the problem, keep a copy of this error page. Hint: Most browsers allow to select all content, copy it and then paste it into an empty document (e.g. email or simple text file).
    Root Cause
    The initial exception that caused the request to fail, was:
    com.sap.tc.webdynpro.services.session.LockException:
    Thread SAPEngine_Application_Thread[impl:3]_110 failed to acquire exclusive lock on client session ClientSession(id=(J2EE327495900)ID1757261750DB10453944603964077704End_1184973858).
    Existing locks: LockingManager(ThreadName:SAPEngine_Application_Thread[impl:3]_110, exclusive client session lock: ClientSessionLock(SAPEngine_Application_Thread[impl:3]_197), shared client session locks: ClientSessionSharedLockManager([]), app session locks: ApplicationSessionLockManager([]), current request: sap.com/pb/PageBuilder).
    Hint: Take a thread dump of the server node to find the blocking thread that causes the problem.
        at com.sap.tc.webdynpro.clientserver.session.ClientSession$LockingManager.lock(ClientSession.java:1511)
        at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:233)
        at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
        at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
        at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doPost(DispatcherServlet.java:53)
        ... 16 more
    See full exception chain for details.
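    An added example (not from the post) for reading the lock message above: the exception names both the thread that could not get the session lock and, inside ClientSessionLock(...), the thread that currently holds it, which is the thread to look for in the thread dump the hint recommends. The Python below extracts those two thread names, the session id and the current request from the message text; the sample is the exception from the post, trimmed to the message lines the parser needs.

```python
"""Extract the requesting and blocking thread names from a Web Dynpro
LockException message. Added example, not from the thread; SAMPLE_EXCEPTION is the
exception text quoted in the post, trimmed to the message lines."""

import re
from typing import Dict, List, Optional

# Constructed sample: the LockException from the post, without the stack frames.
SAMPLE_EXCEPTION = (
    "com.sap.tc.webdynpro.services.session.LockException:\n"
    "Thread SAPEngine_Application_Thread[impl:3]_110 failed to acquire exclusive lock on client session "
    "ClientSession(id=(J2EE327495900)ID1757261750DB10453944603964077704End_1184973858).\n"
    "Existing locks: LockingManager(ThreadName:SAPEngine_Application_Thread[impl:3]_110, "
    "exclusive client session lock: ClientSessionLock(SAPEngine_Application_Thread[impl:3]_197), "
    "shared client session locks: ClientSessionSharedLockManager([]), "
    "app session locks: ApplicationSessionLockManager([]), current request: sap.com/pb/PageBuilder).\n"
    "Hint: Take a thread dump of the server node to find the blocking thread that causes the problem.\n"
)

# The thread that failed, and the session id it wanted (the id itself contains one
# parenthesised prefix, so it is matched as "(...)" followed by the rest up to ")").
REQUESTER_RE = re.compile(
    r"Thread (?P<requester>\S+) failed to acquire exclusive lock on client session "
    r"ClientSession\(id=(?P<session>\([^)]*\)[^)]*)\)"
)
# The thread that holds the exclusive client-session lock: the blocking thread.
HOLDER_RE = re.compile(r"exclusive client session lock: ClientSessionLock\((?P<holder>[^)]+)\)")
# The request being processed when the lock attempt failed.
REQUEST_RE = re.compile(r"current request: (?P<request>[^)\s]+)\)")


def analyze_lock_exception(text: str) -> Optional[Dict[str, object]]:
    """Return the requester, the blocking thread, the session id and the current request,
    or None if the text is not a LockException message of this shape."""
    req = REQUESTER_RE.search(text)
    holder = HOLDER_RE.search(text)
    if not (req and holder):
        return None
    cur = REQUEST_RE.search(text)
    requester = req["requester"]
    blocking = holder["holder"]
    return {
        "requester": requester,
        "blocking_thread": blocking,
        "session_id": req["session"],
        "current_request": cur["request"] if cur else None,
        # If the holder were the requester itself, the same thread re-entered the session;
        # otherwise a second concurrent request on the same client session holds the lock.
        "same_thread": requester == blocking,
    }


def threads_to_inspect(result: Dict[str, object]) -> List[str]:
    """Thread names to search for in the server node's thread dump, blocking thread first."""
    names = [str(result["blocking_thread"]), str(result["requester"])]
    return names if not result["same_thread"] else names[:1]


if __name__ == "__main__":
    info = analyze_lock_exception(SAMPLE_EXCEPTION)
    print(info)
    print("look for in thread dump:", threads_to_inspect(info))
```

    On the posted message this yields thread _197 as the holder of the session lock and _110 as the thread that failed, so the dump should be searched for _197 first.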

    Have you gone through this note? It might be helpful:
    Note 1113811 - Web Dynpro error page, known error situations, error codes

  • Mass Change for Indirect Role Assignment

    Hi all,
    I am in the process of changing the company’s authorisations from a standard SU01 role assignment to a position based indirect role assignment.
    At the moment I am using PFCG, going to the Org Mg button under the User tab, then attaching the position that way. Is there a way of assigning more than one role to a position at the same time?
    Is there a Mass Assignment option in PFCG, or is there a separate transaction available to make this process quicker?
    Thanks for your help
    Ian

    You can mass-assign people and roles if you go to transaction PPOME instead of PFCG. To make role assignments from PPOME, please apply note 578271 first. Be careful whilst implementing this <insert nasty word here> note, because some of those view clusters tend to refuse to load your changes: you can see them, but they don't work. It might be that you will have to flush the table buffers for the changes to take effect.

  • Event Handler not Triggered when user is assigned by Membership Rule

    I have defined a post-process event handler for the RoleUser entity.
    The handler is triggered normally when a user is manually assigned a role.
    However, it is not triggered if users are assigned through a membership rule.
    I have tried both the single execute method and the bulk execute method.
    OIM version: 11gR2

    Hi,
    Check the list of orchestration handlers triggered for this operation in the Diagnostic Dashboard, and check whether your custom event handler is present in the list. If it isn't, then there must be something wrong with your plugin.
    Thanks,
    RK.

  • Role info not appearing once role assignment request is submitted from UI

    Hi Everyone,
    We have a strange problem in our project in IDM 7.2 SP8, where the IDM role concept is used: an IDM role contains the privileges (which could be a role or profile) of the backend systems.
    Usually, whenever a role (i.e. IDM role) assignment request is submitted from the UI, the activity with the associated info (user details, role details, audit ID) should be stored in the MXI_LINK table, from where the info is fetched and used in the next stages of processing.
    The information is available in most cases for all users, but sometimes, for a few users, once the role assignment request is initiated from the UI there is no info available in the MXI_LINK table corresponding to this activity, which is strange.
    Because of this problem, even though the user submits a role assignment request, no role info gets passed to IDM and nothing is set to pending state for the user, which effectively means the user never submitted any role assignment request at all.
    Can anyone suggest what is involved between these two steps? Any troubleshooting hints are highly appreciated.
    Regards,
    Venkata Bavirisetty

    Is this a situation you can recreate at will? In other words, is it always happening on the same users? If so, you could put a trace on that user's account, then try to add the role and see what that trace log shows. Additionally, you could just follow the links in the chain of the various tasks that kick off when you do a role assignment and check each task's or job's log and see what that tells you. There's got to be an error somewhere along the way that's preventing this from executing properly.
