Generation of Role in Role Expert

Similar Messages

• Add Role to Role Category

  Hello Experts,
  my scenario:
  1) AD Group Reconciliation Task
  2) Auto creation Role category "AD Roles" if it doesnt exists
  3) Auto creation Roles based on AD groups in "AD Roles" Role category
  Ive already done auto creation role category and roles in default category, but i still cant create roles in my category.
  I think it could be done like this in role creation:
  mapAttrs.put(RoleManagerConstants.ROLE_CATEGORY_KEY, key)
  but how can i get Role category key of my category to var "key"?
  Are there more links between role and role category?
  Pls help.
  Thanks.

  public static String getRoleCategoryKey(String categoryName)
  String roleCategoryKey = null;
  RoleManager rmgr2;
  Set retAttrs = new HashSet();
  rmgr2 = oimClient.getService(RoleManager.class);
  System.out.println("Creating....");
  String ctxFactory = "weblogic.jndi.WLInitialContextFactory";
  String serverURL = "t3://10.111.6.101:14000";
  String username = "xelsysadm";
  String password = "xelsysadm";
  Hashtable env = new Hashtable();
  env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL,ctxFactory);
  env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, serverURL);
  oimClient = new OIMClient(env);
  System.out.println("Logging...");
  try {
  oimClient.login(username, password);
  } catch (LoginException e) {
  System.out.println("Log in");
  rmgr2 = oimClient.getService(RoleManager.class);
  retAttrs.add(RoleManagerConstants.ROLE_CATEGORY_KEY);
  retAttrs.add(RoleManagerConstants.ROLE_CATEGORY_NAME);
  SearchCriteria criteriaM = new SearchCriteria(RoleManagerConstants.ROLE_CATEGORY_NAME, categoryName, SearchCriteria.Operator.EQUAL);
  try
  List roleCategories = rmgr2.search(criteriaM, retAttrs, null);
  System.out.println(roleCategories.size());
  boolean found = false;
  Iterator i$ = roleCategories.iterator();
  do
  if(!i$.hasNext())
  break;
  RoleCategory roleCat = (RoleCategory)i$.next();
  roleCategoryKey = roleCat.getEntityId();
  System.out.println("FOUND!!!");found = true;
  } while(!found);
  catch(Exception e) { }
  return roleCategoryKey;
  - I just find interesting code, but it doesnt work, when i use it to my map:
  mapAttrs = new HashMap<String, Object>();
  mapAttrs.put(RoleManagerConstants.ROLE_NAME, "testrole");
  mapAttrs.put(RoleManagerConstants.ROLE_DISPLAY_NAME, "testrole");
  mapAttrs.put(RoleManagerConstants.ROLE_DESCRIPTION, "desc for test");
  mapAttrs.put(RoleManagerConstants.ROLE_CATEGORY_KEY, getRoleCategoryKey("testcat"));
  And with .browse() I even know my category key, but when i use it:
  mapAttrs = new HashMap<String, Object>();
  mapAttrs.put(RoleManagerConstants.ROLE_NAME, "testrole");
  mapAttrs.put(RoleManagerConstants.ROLE_DISPLAY_NAME, "testrole");
  mapAttrs.put(RoleManagerConstants.ROLE_DESCRIPTION, "desc for test");
  mapAttrs.put(RoleManagerConstants.ROLE_CATEGORY_KEY, "21"));
  - errors.
  Whats wrong?

• Automatic Creation of Roles and Role Mappings in GRC

  Hi,
  we are planning to use SAP Identity Management and SAP GRC Access Management.
  In SAP IDM we have defined several business roles that contain privilieges in SAP systems. When a user is requesting a role, the request will first be sent to SAP GRC for approval and risk checking.
  In order to get this to work, we need to load the business roles of SAP IDM into SAP GRC and we also need to configure the role mapping between the business roles and the technical SAP privileges.
  From what I understood, this could be implemented by loading the required information via Excel filles into SAP IDM.However, this is a quite cumbersome and error-rpone approach an we would like to automate this.
  Is there a way to use e.g. web service calls to create/delete roles and role mappings in SAP GRC?
  BTW: is a documentation of all available GRC web service calls and their parameters available?
  Thanks for your help in advance!
  Best regards
  Tom

  Hi Tom,
  as stated before, the web service description is in the config guide.
  Unfortunately there is no web service to create roles or even mappings in CUP - this is one of many I would also like to se created
  I don't think in your context you will be able to directly send Business Roles to CUP. The role mapping only happens after you send the request, so I'm not sure if that's in time for risk analysis - you will need to try that.
  Are you a customer or a consultant - anyway, feel free to contact me if you need further help integrating CUP and IdM. This is an evolving interface with many possible scenarios, so it's not easy to give you good advise without seeing the full picture.
  Frank.

• How to track the transport request number for the Role/Composit Role

  Hi,
  How to track the transport request number for the Role/Composit Role.
  Thanks,
  Ravi

  Use transaction SE03 Transport Organizer Tools
  Execute "Search for Objects in Requests/Tasks" with objects of types:
  R3TR     ACGR     Role
  R3TR     ACGT     Role - User assignment
  Regards

• GRC 10 - Business role, no role owner but associated role have owner....

  Dear All,
  In GRC 5.3 we perform the following mapping:
  Business Role A mapped with (no owner)
  - Technical Role 1 (from ECC with Owner1)
  - Technical Role 2 (from CRM with Owner2)
  - Technical Role 3 (from HR with Ownwer3)
  IN GRC 5.3 we have a business role mapped with multiple child role(techinical role) from other system.
  GRC 5.3 request is able to close and provisioned as it can see owners from child role.
  Now in GRC 10, we did the same. Create a business role, then mapped the child role (technical role). Unfortunately, when manager approves the workflow reroute to "NO OWNER DETOUR PATH" because it cannot see the technical role owner.
  Seems like GRC 10 is only looking at business role owner. We are unable to add Owner1, Owner2, Owner3 to the business role because when one of the owner approves, it will provision all the technical roles. We might have owners who will reject their role.
  Please advice.
  Jacky

  Hi Mustafa,
  you can use end user personalization to avoid a role owner to approve roles for himself. Define a dedicated EUP for role owner stage and restrict via "Approve/Reject Own Requests" like shown below:
  Does this answer your question?
  Regards,
  Alessandro

• Migrate 8.1 Global roles include Role Conditions

  Hi all,
  have one question. I want migrate Global Role conditions from one WebLogic 8.1 server to another. When I export DefaultRoleMapper provider, I can see in exported file list of Global Roles only. I cannot see any mapping item in this file. Please, know someone how migrate Global Roles including mapping ?
  TY very much,
  Lada

  Hi,
  I export DefaultRoleMapper through Security-Realms-myrealm-Providers-Role Mapping-DefaultRoleMapper/Migration-Export in WL console.
  In exported file I can see only list of defined Global Roles, for example:
  dn: cn=::AbortTaskRole,ou=ERole,ou=@realm@,dc=@domain@
  objectclass: top
  objectclass: ERole
  cn: ::AbortTaskRole
  createTimestamp: 201000261052Z
  creatorsName: cn=admin
  EExpr:: fALDp01DQWRtaW5Hcm91cArDp01DU3BBZG1pbkdyb3VwCg==
  wlsCreatorInfo: mbean
  modifyTimeStamp: 201000261147Z
  modifiersName: cn=admin
  dn: cn=::CancelTaskRole,ou=ERole,ou=@realm@,dc=@domain@
  objectclass: top
  objectclass: ERole
  cn: ::CancelTaskRole
  createTimestamp: 201000261053Z
  creatorsName: cn=admin
  EExpr:: fALDp01DQWRtaW5Hcm91cArDp01DU3BBZG1pbkdyb3VwCg==
  wlsCreatorInfo: mbean
  modifyTimeStamp: 201000261148Z
  modifiersName: cn=admin
  But in this file I dont see any conditions which are bound to these Roles (myrealm-Global Roles-<concrete role>-Conditions). I cannot find these conditions in any other files generated through export wholes security realm.
  TY for your help,
  Lada

• Clustered role 'Availability Role' has exceeded its failover threshold

  I am getting this alert on SQL 2012 R2 SP1. So please kindly tell me the solution of the below given alert on windows failover clustering .
  Clustered role 'Availability Role' has exceeded its failover threshold. It has exhausted the configured number of failover attempts within the failover period of time allotted to it and will be left in a failed state. No additional attempts will
  be made to bring the role online or fail it over to another node in the cluster.Please check the events associated with the failure. After the issues causing the failure are resolved the role can be brought online manually or the cluster may attempt to bring
  it online again after the restart delay period.

  Hi Syed Tauseef Ahmed,
  Please offer more information such as under what circumstances this issue occurs, what event id you have got. The failover threshold is the number of times the group can fail
  over within the number of hours specified by the failover period.
  The related KB:
  Tuning Failover Cluster Network Thresholds
  http://blogs.msdn.com/b/clustering/archive/2012/11/21/10370765.aspx
  You can refer the following similar thread for the first step troubleshooting:
  Clustered role 'Cluster Group' has exceeded its failover threshold.
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/4eb44f05-eb9b-448a-821b-359879141608/clustered-role-cluster-group-has-exceeded-its-failover-threshold
  I’m glad to be help to you!
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Publish reports to a role and roles to user

  Hi,
  What does it mean ..
  Publish reports to a role and roles to user
  can anybody give a detail what exactly it mean ? In implementation which stage it comes into picture ?/
  Thanks,
  Debasish

  Hi,
  This publishing option is available to you when you open the query in Query designer as 8th button in top panel. To publish in a role , you should have that role to be assigned to you.
  With rgds,
  Anil Kumar Sharma .P
  Message was edited by:
          Anil Kumar Sharma

• Default role + session role

  Hi,
  How do I enable a session role in addition to keeping the default role enabled. Eg. If user scott has a default role of scott_dflt, I want to enable role scott_session without affecting scott_dflt. Using dbms_session.set_role to enable scott_session semms to disable scott_dflt.
  Thank you.

  when you call DBMS_SESSION.SET_ROLE, give a comma separated list of roles that you want to set as
  parameter:
  SQL> exec DBMS_SESSION.SET_ROLE('<role#1>,<role#2>,<role#3>.....') ;

• Roles and Role List

  Hi all,
  Please explain me about the Roles and Role List used in Projects...
  Thanks
  Dinesh

  Hi
  Roles are using in Projects for two goals -
  A) a basis for project-based security. You might create roles as project roles and assign people to the role in a project. For example, project manger, project admin, project billing person, etc. You then might configure the security access to forms and functions of specific roles.
  B) when implementing Proejct Resource Management, the project roles may be scheduled on a project and serve as a template for resource demand. In that case you might configure the team member role on a project, such as competencies, job information, and security.
  You might want to review Oracle Projects Fundamentals and Projects Implementation Guide for more details.
  Dina

• How to find the T-codes that's in a Single Role & Composite Role??

  Hi all,
  Some of the user have authorization to particular t-codes. However single roles are not created for them.
  Now I need to assign authorization to that particular t-code to a new employee.
  Since the single role is not there, I do not know how to find if it is inside a composite role.
  Which table should I find all the t-codes that are assigned to a single role / composite role?
  pls help.
  Regards,
  Pri

  Rakesh Kulkarni wrote:>
  > Table AGRS_TCODES give the roles with their tcode assignment.
  Beware of AGR_TCODES, it only reports transactions entered into the role menu. If you query table AGR_1251 filtered on object S_TCODE you get the actual transaction authorizations.
  Besides that, authorizations are always in single roles, so if you cannot find them there there's no point in searching through the composites.

• Mass Generation of standard SAP roles

  IS there a way to generate & Activate SAP standard roles in mass.  We want to generate and activate following standard SAP roles so that we do not have to go through them manually for authorization changes.
  SAP_PP_BD_RTG_DISPLAY
  SAP_PP_BD_RTG_MAINTAIN
  SAP_PP_BD_WKC_DISPLAY
  SAP_PP_BD_WKC_MAINTAIN
  SAP_PP_CAPA_PLAN
  SAP_PP_CAPA_PLAN_EVAL
  SAP_PP_KAB_CONTROL
  SAP_PP_KAB_REPORTING
  SAP_PP_MATERIAL_MANAGEMENT
  SAP_PP_MP_FORECAST
  SAP_PP_MP_LONG_TERM_PLANNING
  SAP_PP_MP_MPS_PLANNING
  SAP_PP_MRP_COORDINATION
  SAP_PP_MRP_EVALUATIONS
  SAP_PP_MRP_MASTER_DATA
  SAP_PP_MRP_PLANNED_ORDER
  SAP_PP_MRP_PLANNING
  SAP_PP_PI_ALERT_MGMT_STD
  SAP_PP_PI_BATCH_RECORD_EXP
  SAP_PP_PI_BATCH_RECORD_SUPER
  SAP_PP_PI_CAPA_EVAL_STD
  SAP_PP_PI_CAPACITY_EXP

  Dev,
  It is possible to generate roles using PFCG or PFUD up to a extent of choosing 8 per a time and it won't accept more than that. So please check with it before proceeding in this issue.
  It is advisable not to use SAP predefined roles, rather than using customized roles.
  Regards,
  VeerendraKumar.

• Authorization in APO: org level concept (parent role -- derived role) ?

  Hello experts,
  we want to introduce some authorization / roles in APO using the typical R3 concept of having a "parent role" and derive "single roles" from such a parent role and change the "org levels" inside the single role. Testing this with master data objects like C_APO_LOC (location in APO) it seems to me that APO doesn't know about "org levels".
  Whenever I create a parent role (lets say "Z_PAR_ROLE_LOC_MASTER") to access /SAPAPO/LOC3 (Location master data) and create a single role out of it (derive it into Z_SINGLE_ROLE_LOCMASTER_1234") and enter the location ID 1234 ... regenerating and populating a change from the parent role "Z_PAR_ROLE_LOC_MASTER" does immediately wipe out the location ID 1234 maintained before in the single/derived role "Z_SINGLE_ROLE_LOCMASTER_1234".
  My question: is this by design that APO does not know about "org levels" or is there something special I have to consider using PFCG correctly in SCM (I can see the "Org Level" button but it says there are no org levels) ?
  Regards
  Thomas

  I got the solution - the profile generation was missing !

• BW authorizations based on assigned PPM users/roles + inherited roles

  Dear experts,
  We using PPM 5.0 SP7, and we are having trouble defining authorizations for BW reports.
  We would like to use the same authorizations as in PPM business client, so that BI would use/check the authorization from business client.
  This check would include:
  - users or roles gain access from direct assignment to an item
  - users or roles gain access that is inherited in the bucket structure, both structure and classification buckets.
  Users would have access to BW reports, but they could see data only from the same structures/classifications or direct assignments that are given to them in PPM business client.
  Can we utilize the same authorization methods, or do we need to create and maintain this in another place (BW)?
  If needed, how to create similar authorization model to BW?
  Kind regards,
  Antti Forsell

  Hello,
  Please see these docs,
  [Field Based Authorizations in BW BEx Queries|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/4753ed83-0e01-0010-e186-f98413f868cb]
  [An Expert Guide to new SAP BI Security Features|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/659fa0a2-0a01-0010-b39c-8f92b19fbfea]
  [Advanced Features of SAP BW Reporting Authorizations|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06]
  Thanks
  Chandran

• Master role-derive role concept and FICO role in dev system!!!

  Hi all,
  I have created a master role with t-codes
  AWUW
  BAPI
  BD10
  BD100
  BD101
  BD102
  BD103
  BD104
  BD105
  BD11
  BD12
  BD13
  BD14
  BD15
  also included object PLOG where maintained org data
  and created a derived role from that master role and generated from the master role.
  After that I wanted to change the org level but the system is not allowing me to change, although I selected the values from the F4 screen.
  Now I want to maintain seperate org value of each of the derived role...and when adjusted from the master role..these maitained value should not vanished.
  How should I proceed???
  I have another issue....I am now in Dev system....I need to create a role with FICO module with SPRO....
  Should I go ahead and cread a role and assign FICO block and assign SPRO...will that be sufficient??
  Thanks in Advance
  Regards,
  Souren

  Yes, It seems that you have broken the org level by directly making changes in the org level field inside pfcg.
  One way to correct this is to regenerate the role in expert mode by selecting the option 'Delete and recreate profile and authorizations' (in case you want to correct it for all the org level fields.).
  If you want only for PLOG, then delete this object and add again. Then go to organization level tab at the top and give the required value. Do this in the master role and generate and push the changes to derived role. Now, goto derived role and make the org level change the same way you did for parent role..
  For your second question, you will have to see what all auth objects are being checked by SPRO for a FICO module assosciate. You can create a test role with SPRO in it and then do authorization trace through ST01 to see what all objects are checked when they work.