Examples Of HSS User & Group Provisioning

Similar Messages

• Reconcile user groups to OIM (11g)

  I would appreciate it if someone may let me know how to reconcile the organization and leadership structure information from an Oracle DB based identity vault into OIM (11g) to create organizational roles, for example, into the user group and user group membership tables, i.e. the UGP and USG table series. Many thanks.

  yesy, I have defines correct search value but its again and again throwing error. I change the search values too. But its not working.

• EPM 11.1.2.1 add a MSAD user to a HSS native group via MaxL command

  Hi there
  I want to take over MSAD user as EPM (Essbase) user in a HSS native group via MaxL command:
  This works fine as long as the user is already in at least one other group (with at least server access).
  If I want to do same for a "new" user it fails.
  Is there any trick to also make it work for this case?
  see here:
  alter user 'mynewuser' add to group 'ALL_SERVER_ACCESS_ ESS1';
  ERROR - 1051012 - User mynewuser does not exist.
  or even
  alter user 'mynewuser@domain' add to group 'ALL_SERVER_ACCESS_ ESS1';
  ERROR - 1051012 - User mynewuser@domain does not exist.
  Thanks in advance!
  Regards
  Andre

  You will probably need issue a create first for example
  create or replace user 'essuser' type external;
  alter user 'essuser' add to group essgroup;
  or
  create or replace user 'essuser@LDAPNAME' type external;
  alter user 'essuser@LDAPNAME' add to group essgroup;
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Users not provisioned from OIM to OID groups

  I've created an Access policy such that when i create a user with role as consultant he is automatically provisioned to OID resource and OID group( cn=group1,cn=groups,dc=ad,dc=company,dc=com ).
  The user is provisioned to OID users(cn=users) but not to cn=group1,cn=group....
  What could be wrong?
  i have run the OID group lookup tasks to generate freshly added group lookups. Theses lookups are populated in process form when i create an access policy.
  For ex the lookup generated is cn=group1,cn=group,dc=ad,dc=company,dc=com and the decode value is group1
  The user profile and process form are not linked. That means changes in process form are not reflected to user profile. Can this be possible reason for the hassle defined above
  please help me resolve this issue.
  Edited by: Chhavi Saluja on Feb 15, 2010 1:30 AM

  Hi,
  Today I have also done the same thing of auto provisioning of OID through access policy. Only difference is that for selecting "Container DN" and "User group" we have created two user defined fields(lookup)in the user form which will refer to the lookups "Lookup.OID.Organization" and "Lookup.OID.Group" for inputs.These lookups are already reconciled once from OID.
  As far as "container DN" iam successful but while selecting "user group" iam able to select and when i click on "create user" user is getting provisioned to OID into Container DN i specified.But user is not going into that particular group i specified.Iam assuming the reason is that as User Group is a mutivalued attribute and if we observe the process form of group selection we will see the add button. But on user form we dont have the option of child form to ADD/REMOVE the groups.
  Someone pls suggest how to proceed further on this.How do i push the user into particular group/groups from the create user form itself?

• Planner provisioning for user groups lost in Shared services

  Hi All,
  Everything was fine. All of a sudden, no users were able to login in to planning.
  On investigation it was found that all the planner/planning provision to the groups is lost in the shared services.
  Digged into log for a while and couldnt find out any issues.
  What could be the reason we lost user group security provisioning only to planning?
  Could anyone please help on this?
  Regards,
  GG

  I used to have same experience every time migration happens from dev to UAT or prod etc.
  After migration, registering with shared service will be successful. When i try to sync, migrate user identities (provisionusers.cmd) from shared service all user group info vanishes in planning (Add/Edit access page). i.e hsp_access_control table is truncated or all rows are dropped.
  Then i have to set it up correctly. Guess this happens because usergroups have different id between different environments. When sync'g planning at target, it will not be able to recognize the wrong usergroup id of source system.
  My assumption:
  When provisionusers.cmd is run, planning fetches the usergroup provisioning information from shared services in to hsp_access_control planning repository table. could someone confirm the same?
  Is there any other way to overcome this issue recurring on every time migration happens?
  But the problem today was different: the provisioning is lost in the shared services itself which i havent witnessed so far. We didnt migrate recently, everything was file till 8 AM, but screwed around 8.10 AM. everything was up and running.
  Cheers,
  GG

• No provisioning of User Group for authorization field in user master

  We are implementing CUP 5.3 workflows. Both in manual proviosing and automated provisioning based on User Defaults the user group gets only provisioned to the Groups tab in SU01. The field User Group for authorization on the Logon data tab remains empty (field CLASS from system table USLOGOND, filling CLASS field in table USR02).
  In User defaults both under user default as on the user group tab the user groups have been defined. In manual provisioning the correct list of user groups get displayed for selection.
  Under field mapping in the Application field I only find User Group in user master maintenance, but not User group for authorization. However I would assume I do not need to use field mapping, as I want to automate this provisioning based on user defaults.
  Am I missing a configuration setting here? If so, where can I set it?
  I would assume the provisioning of this field is possible. RAR reports the user group also based on the User group for auhtorization and not from the Groups tab.

  S.Pados,
  I can assure you that what I said in my last response does provision the User Group For Authorization Check on the Logon Data tab; in fact, I was having the opposite issue where the Group tab was not being provisioned; however, I am ruunning AE 5.2 and you said you are running 5.3; maybe something did change or got lost in the releases; it probably is good to see what SAP has to say about this; I would hate to lose this capapbility when I upgrade to AE 5.3
  As far as using the custom field for multiple applications, would that field not be usable for any of the applications you would select in the request form?; if you are using the same table names in the different SAP systems (selectable by the application field on the request) would the drop down selections be whatever the table has defined for that system? I may not be understanding something here so I am just asking;
  It would be great to have a Group field automatically filled in by another selection to avoid the user involvement; I agree with you there; because of our concerns on users entering the AE request, our shop has decided to continue with the users submitting the request through normal email and the security administrators perform the AE entering; this way we have a better idea on something like the GROUP field; we have an option to include the original email as an attachment for justification of the request
  Sorry I could not be of more help
  Jerry
  Ryerson,Inc.

• Provisioning of User Group to BI systems

  Hello there,
  I am struggling a bit to find any documentation of how the User Group (BAPILOGOND-CLASS) can be provisioned to a BI system. We are already provisioning Valid From (BAPILOGOND-GLTGV) and Valid To (BAPILOGOND-GLTGB) so was imagining that it would be straight forward to provision the User Group as well. Any ideas?
  Best regards,
  Anders

  Can't have any more open questions

• Can I import the assginment of Essbase Filter to Users/Groups in HSS?

  Hi, I want to assign some Essbase filters to the users/groups in Shared Services. Can I do it in a batch? (Import Utility of Shared Services?)
  Thanks.

  Hi,
  I don't believe you can use the CSSImportExport utility to assign filters to users, this is because even though you assign the filters in Shared Services this information is still stored on the essbase side.
  You should still be able to use maxl to grant the access to the filters even in Shared Services mode.
  e.g. grant filter Sample.basic.exampleFilter to essUser;
  Cheers
  John
  http://john-goodwin.blogspot.com/

• To sync individual users/groups- apart from MAXL

  Hi,
  kindly provide info on the below
  1.to sync native users after creating and deleting in Essbase with HSS without using MAXL command or full sync
  2.to sync individual groups after modifying users in the group(without using MAXL or full sync)
  regards,
  Vinee

  Per John's post, you are always going to get that NONE row in the filter as that indicates the user is provisioned to that Planning application.
  Users (other than the one that want to remove) will continue to have that NONE row and then get other rows that open up access as they receive read/write rights.
  The fix here is to get that user out of your Planning application. Once gone, Planning should get rid of the filter.
  Failing Planning removing the filter, you can delete the filter manually.
  If you have deleted it, and you think you have deprovisioned the user from Planning, and the filter still comes back -- well, now you have a problem that can only be addressed by going into the HSP_USERS table and deleting the username.
  I would still quadruple check to make sure that the username is well and truly deprovisioned.
  The Planning admin guide details CubeRefresh, and for a different approach, have a look at my blog re CubeRefresh.cmd (I can't remember if you are 9x or 11x, but they're awfully close) here.
  Regards,
  Cameron Lackpour

• Is there a way to pull  User, Group , Other permissions of a file

  I wanted to know whether Java provides any API to pull up each and every permission associated with a file.
  For example: In Unix, a file has 3 sets of permissions as shown below:
  <UserPermissions><GroupPermissions><Others'Permissions>
  Example: -rwxrwxrwx
  r - for read
  w - for write
  x - for execute
  There are some methods provided in java.io.File, such as canRead() and canWrite(), which help in telling whether a file is readable or writable. But I did not find any API which tells whether a perticular user has read/write/execute permission or not. Also, I presume the canRead(),canWrite() methods pull up the permissions pertaining to the owner of the file, but not for the group and others part of a Unix File's permissions.
  Is there a way to pull up the read/write/executable permissions for all the 3 catergories namely, UserPermissions, GroupPermissions and Others'Permissions.
  I appreciate your note on this and appreciate your time too.

  In the java.io.File class, there's methods canRead() and canWrite().
  They will test the read/write permissions of the Unix user you are running your Java program with.
  They will not return a list of user names, user groups etc though.
  You'd have to get the permissions through some platform specific method, eg. via JNI.
  regards,
  Owen

• Unable to assign the user in user group through SQ03

  Hi All,
  When I tried to assign a  user to one user group from SQ03 the tick mark is disables can't assign the user.
  This is happening only to one of the employee only. Others i can mark tick.
  Please advice.
  Imran

  Hi
  Please check if the user has authorization to that query....
  For example if the user is a PA administrator & you are trying to assign this user to a user group which is Time Management ( Time Infosets), then the tick will be disabled.
  This case was encountered in our firm too.
  Please check & revert.
  Regards,
  Megha

• How to only synchronize one specific LDAP user group with SAP?

  Hi,
  Hopefully this is the correct forum to post this in. I want to have continuous one-way synchronization of users from my LDAP server to my SAP central system. I've started configure in SAP using transaction SM59 and LDAP. Can I somewhere set that only one specific LDAP user group shall be transferred to SAP (they do not need to be assigned to any specific group, profile, role in SAP) - or should this be done on the LDAP server side (or is it at all possible)?
  Correct me if I'm wrong, but the User Group field in the report RSLDAPSYNC_USER only concerns SAP user groups right? This would therefore not be sufficient since I want to select the users to synchronize based on user groups in the directory.
  Thanks, Oscar

  We've used a repository constant to specify the LDAP filter for reading users / groups from the LDAP target.
  E.g. LDAP_FILTER_USERS (&(objectCategory=person)(objectClass=user))
  Then we also have a constant for the LDAP_STARTING_POINT
  For our AD Group Initial Load we filter according to these settings:
  LDAP_FILTER_GROUPS = (objectclass=group)
  LDAP_STARTING_POINT_GROUPS = ou=IDMManagedGroups,ou=Groups,dc=cfstest,dc=le,dc=ac,dc=uk
  The above example only reads AD groups starting at the specified OU
  Then in a Job From LDAP Pass the LDAP URL looks like this:
  LDAP://%$rep.LDAP_HOST%:%$rep.LDAP_PORT%/%$rep.LDAP_STARTING_POINT_GROUPS%?*?SUB?%$rep.LDAP_FILTER_GROUPS%
  I hope this helps
  Paul

• Restricting certain users groups to read only for certain folders

  Hi
  I'm not sure if this is the correct forum, but hey, hopefully someone might now the answer or direct me to the correct one.
  I'm writing a VB program to amend ACLs for specific user groups.
  Effectively, I make all prior year folders read only, whereas the default for the group is Modify, Delete etc.  This means they can continue to work in the "new year folders", but historic years is List/read only.
  I've got to the point the program does everything I want, i.e. stops folder creation7deletion, file & folder name changes, copying for the historic years, but does not prevent deletion of files in the folder.  Effectively I set Deny access on the
  historic folders.
  Testing using the Windows GUI would appear to resolve the problem is I change the Deny Special Permission (for the group) from "This folder only" to "This folder & files".
  Question then is how to I set this in VB, the default appearing to be "This folder only"
  Here's extract of my code
  Thanks
  IfvarDirectoryName.IndexOf("\"&
  Date.Now.Year) = -1
  Then
              FileAcl3.AddAccessRule(
  NewFileSystemAccessRule(GroupAdmin(0),
  FileSystemRights.Modify,
  AccessControlType.Deny))
              FileAcl3.AddAccessRule(
  NewFileSystemAccessRule(GroupAdmin(0),
  FileSystemRights.DeleteSubdirectoriesAndFiles,
  AccessControlType.Deny))
              FileAcl3.RemoveAccessRule(
  NewFileSystemAccessRule(GroupAdmin(0),
  FileSystemRights.ReadAndExecute,
  AccessControlType.Deny))
              FileAcl3.RemoveAccessRule(
  NewFileSystemAccessRule(GroupAdmin(0),
  FileSystemRights.ListDirectory,
  AccessControlType.Deny))
  Dim FileInfo3 As IO.FileInfo = New IO.FileInfo(varDirectoryName)
  Dim FileAcl3 As New FileSecurity
  If varDirectoryName.IndexOf("\" & Date.Now.Year) = -1 Then
  FileAcl3.AddAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.Modify, AccessControlType.Deny))
  FileAcl3.AddAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.DeleteSubdirectoriesAndFiles, AccessControlType.Deny))
  FileAcl3.RemoveAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.ReadAndExecute, AccessControlType.Deny))
  FileAcl3.RemoveAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.ListDirectory, AccessControlType.Deny))
  FileInfo3.SetAccessControl(FileAcl3)
  End If

  Ho Rohn
  Your right, when I added the flags I got the following error at execution
  {"No flags can be set. Parameter name: inheritanceFlags"}
  I've developed a work around, which gives me exactly - subject to further testing - what I want.  I simply mark each file in the relevant folders with a Deny Delete option.
  I will however explore the DirectorySecurity class option, but initial review of the www seems a little shy on VB examples.
  Thanks
  Perry
  You should be able to use FileSecurity and DirectorySecurity the same way (they have identical methods). Since this is a scripting forum, I'll provide a PowerShell example (which is fairly close to C# and VB; they all use the exact same classes):
  $varDirectoryName = "c:\folder"
  $GroupAdmin = "Admin Group"
  $FileInfo3 = New-Object System.IO.DirectoryInfo $varDirectoryName
  $FileAcl3 = $FileInfo3.GetAccessControl()
  $FileAcl3.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule (
  $GroupAdmin,
  [System.Security.AccessControl.FileSystemRights]::Modify,
  ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
  [System.Security.AccessControl.PropagationFlags]::None,
  [System.Security.AccessControl.AccessControlType]::Allow
  $FileInfo3.SetAccessControl($FileAcl3)
  I could have taken a lot of shortcuts when using the enumerations, but I think keeping it verbose helps show how similar the code can be.
  Does that make sense?

• What is the Advantage of creation of user group through SUGR?

  Hello Masters,
  As per audit requirement I have maintained user groups for different sets of users through SUGR, but I am not getting except differenciating users (based on group), is there any other advantage? Can we assign role to a user group instead of assigning to list of users  or can we do any mass changes to an user group by giving only user group name.
  Regards,
  Nilutpal.

  Dear Neels,
  Apart from maintaining user group for Differnciation purpose you can also take the advantage on the following sectors:
  1. Follow the http://help.sap.com/saphelp_nw04/helpdata/en/ce/17533e5ff4d064e10000000a114084/content.htm link . From this you will come to know the use of user group in the authorisation area.
  2. User Groups also allow segregation of user maintenance, this is especially useful in a large organisation as you can control who your user admin team can maintain - an example would be giving a team leader the authority to change passwords for users in their team. 
  3. The authorization user group is used in conjunction with S_USER_GROUP authorization object. It allows to create security management authorization by user group. e.g. you can have a local security administrator only able to manage users in his groups, Help-Desk to reset password for all users except users in group SUPER, etc... 
  In case any issue, please feel free to reply.
  Regards,
  Nilutpal.

• Server App not seeing external LDAP users & groups

  I have a clean 10.8.2 + Server install set up with our standard external LDAP directory (Novell's eDirectory in our case) configuration that is known to support Lion & Mountain Lion client LDAP authentication. With this same configuration on OS X 10.8.2 Server both Directory Utility and WGM can see all the LDAP users and groups as expected.
  When I look for the external users & groups in the LDAP domain under the Server App "Accounts" heading I cannot see any entries in either users or groups lists. Should I be able to or is this a Server App quirk?
  I can add individual LDAP users to a local group and enable access to individual services. How can I give access to services to all LDAP users without having to build & maintain a massive "All LDAP Users" local group?
  Is there a published list of required LDAP attributes for users & groups for Mountain Lion Server? I suspect there are new requirements over and above those for 10.6 server but I have failed to find a good reference. I've noticed I get different behaviours for LDAP templates that includes a mapping for GeneratedUID to one which does not for example.
  This is all so much more opaque than our superbly reliable Snow Leopard servers!
  TIA

  Ok, and again:
  You want to see Users and Groups , which are stored in an third Party directory service like OpenLDAP, in your Server.app? This is what you have to do:
  Connect the third party ldap to your server
  Have all your external LDAP entries made so you can see them in the Workgroup Manager and are able to Login with them
  When you see your LDAP-entry in the Directory Manager, change it from "From Server" to "RFC2307"
  Edit the entry, add the following mapping to it:GeneratedUUID maps to apple-generateduuid
  To your group and user entries in the external LDAP add the follwing attribute:apple-generateduuid gets the value taken from the output of "uuidgen"
  Feel lucky
  And there ist ist; now you are able to use The accounts taken from an external LDAP.