GRC 5.3 | ERM | Best Practise Role Transport

Similar Messages

• When granting a user or a role access to a group of pages, it is best practise to grant that access to what type of file or component?

  My question is same while granting user or role in the application, what is the best practise? How to decide the level of applying role to pagedef's, xml files, or some other file that i have missed out.

  As for my concern I would go for page definition files.

• Best practise in SAP BW master data management and transport

  Hi sap bw gurus,
  I like to know what is the best practise in sap bw master data transport. For example, if I updated my attributes in development, what are the 'required only' bw objects should I transport?
  Appreciate advice.
  Thank you,
  Eric

  Hi Vishnu,
  Thanks for the reply but that answer may be suitable if I'm implementing a new BW system. What I'm looking for is more on daily operational maintenance and transport (a BW systems that has gone live awhile).
  Regards,
  Eric

• Transport landscape best practise

  I'm wondering if SAP has a best practise document on transport landscape planning.
  SAP Help has pretty clear description about a standard 3 system landscape. But not document is found describing complext transport landscape considerations --- multiple ABAP development/test systems, conflict resolution between project landscape and maintenance landscape.
  Any feedback is greatly appreciated.

  Hi. GO to http://help.sap.com/bp/initial/index.htm
  There you find all about BP.
  Regards, Award if helpful

• PFCG - Role Transport button inactive

  Hi All,
  We perform role transport as usual but notice that the button has been greyed out. Same goes for mass transport. Both the button are inactive.
  Does anyone have solution for this issue?
  Thank you
  jyaki

  Hi Jyaki,
  Are there any recent changes made in the system? If the issue is due to missing authorizations, it should display an authorization error when you click the button, but should not grey out the button/options.
  By the way, do you have GRC ERM configured in your landscape?
  Regards,
  Raghu
  Edited by: Raghu Boddu on Aug 24, 2011 11:05 AM

• Best practise for SAP users who leave the company

  Hi
  Could anyone reccommend a best practise document or give advice on how to deal with SAP user ID's when employee's/contractors/consultants leave? I am the basis admin just starting an SAP implementation and we have no dedicated authorisation team at the moment, so I have been asked to look into this :
  Currently we set the validity date in SU01 to the termination date.
  We chack there are no background jobs scheduled under that user id, if there are, we change the job owner to a valid user (we try to run all background jobs under an admin account).
  We do not delete the user as from an audit point of view I believe it restricts information you can report on and there are implications on change documents etc, so best to lock it with validity dates.
  Can anyone advise further?
  We are running SAP ECC 5.0 on Windows 2003 64 Bit/MS SQL 2000.
  Thanks for any help.

  Hi,
  Different people will tell you different versions of what they believe is best practice, but in my opinion you are already doing reasonably well.
  What I prefer is
  1. Lock ID & set validity date.
  2. Assign user to user group LEAVER or EXPIRED or something similar (helps with reporting) out of SUIM/S_BCE* reports.
  3. Delete role assignment (should you need it, the role assignment will be in the change history docs anyway).
  4. Check background jobs & act accordingly.
  For ease of getting info I prefer not to delete the ID though plenty of people do.

• Best practise to change new SUP on 6509

  Best practise to change new SUP on 6509, currently we have dual sup. is it we need to power down the switch and install ne sup?

  Hi,
  Below are few methods which you can choose:
  It really depends on which Sup you want to replace ( I mean the one which is currently Active or the Standby sup).
  Lets go step by step:
  1st-- Think you want to replace the Standby Sup in the working chasis:
  Answer: You need not have to worry, just remove the Standby Sup and install the new sup , Make sure the standby sup is running the same software version which Active has.
  2nd- Replacing the Active Sup:
  Answer: To avoid any distruption, failover to the Standby Sup so that the STandby Sup takes over the active role and then proceed with replacing the Active Sup.
  Few reference which  might help you:
  https://supportforums.cisco.com/discussion/11640021/replace-failed-sup-6500-sup32
  http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-virtual-switching-system-1440/109334-replace-vss-sup-proc-v1.html
  HTH

• Request for howto - error processing best practise

  Hi JDev Team. Something I would like to see in a future HOWTO would be error handling in a BC4J/JSP application. What is best practise? How do we make sure that when a database error occurs, we can trap the error and provide a friendly error message, or failing that, at least ensure the standard error is usable by a maintenance programmer. For eg. the following error occurs if a referential constraint restricts the delete:
  javax.servlet.jsp.JspException: JBO-26041: Failed to post data to database during "Delete": SQL Statement " DELETE FROM TECHTRANSFER.TTSITES Sites WHERE SITEID=:1".
  in fact the same error message is displayed for almost any database error - the programmer can't fix the problem when he has no idea what it is!! (same with update and insert)
  I wasn't going to request this until I had read all of the help available on error processing but the way this project is going I won't get time. If you think that it is adequately covered in the help, then fine, just let me know where.
  Thanks,
  Simon

  You can enclose your bc4j/jsp code with a try / catch expression. That way if a failure occurs, you can trap it, display a friendy error, and do whatever you want with the exception.
  What I have been doing for develpment purposes, is send via email a modified errorpage.jsp. Here is what gets emailed to me (*'s in potentially sensitive data) and displayed to the screen (I'm eventually going to replace all the displayed garbage with something friendly):
  An error occured in application PDC User Administration
  User Session Properties:
  Sesion ID: *********
  App ID: *********
  User Name: *********
  User ID: *********
  Priv Role: *********
  Password: *********
  Org No: *********
  First Name: skunitzer
  Last Name: ANALYST
  App Title : PDC User Administration
  Current Url: insertNewUser.jsp
  Specific error is javax.servlet.jsp.JspException: JBO-25013: Too many objects match the primary key oracle.jbo.Key[1423 ].
  Parameters:
  LastName
  Kunitzer
  EmailAddress
  [email protected]
  FirstName
  SteveLiveTest
  OrgNo
  PhoneWorkNo
  I have no phone #
  ExpireDate
  2001-04-26
  ExpireDateString
  jRQiIsFGANIbrGlihGTl[epofZmSNgEkGqbHN@iErHNPRi
  UserID
  UserPrivs
  Exception:
  javax.servlet.jsp.JspException: JBO-25013: Too many objects match the primary key oracle.jbo.Key[1423 ].
  Message:
  JBO-25013: Too many objects match the primary key oracle.jbo.Key[1423 ].
  Localized Message:
  JBO-25013: Too many objects match the primary key oracle.jbo.Key[1423 ].
  Stack Trace:
  javax.servlet.jsp.JspException: JBO-25013: Too many objects match the primary key oracle.jbo.Key[1423 ].
  at java.lang.Throwable.fillInStackTrace(Native Method)
  at java.lang.Throwable.fillInStackTrace(Compiled Code)
  at java.lang.Throwable.<init>(Compiled Code)
  at java.lang.Exception.<init>(Compiled Code)
  ...Stack Trace goes on but I won't bother with it anymore...
  While not always as specific as I would like, I have not had too much trouble hunting down the errors.
  null

• Best Practise for rebooting ISE Nodes?

  Hello Community,
  I administer an ISE installation with two nodes (I am not an ISE Specialist, my job is just to manage the user/mac-adresses... but now I have to move my ISE Nodes from one VMWare Cluster to another VMWare Cluster.
  (Both VMWare environments are connected to our enterprise network, but are different environments. vMotion not possible)
  I would shutdown ISE02, move it to our new VMWare environment and start it again.
  Than I would do this with our ISE01 Node...
  Are there any best practises for doing this? (Shutdown application first, stopl replikation etc)?
  Can I really simply reboot an ISE Node - or have I consider something bevor I doing this? After I doing this?
  Any tasks after reboot?
  Thank you for any answer!
  ISE01    
  Administration, Monitoring, Policy Service    
  PRI(A), SEC(M)
  ISE02    
  Administration, Monitoring, Policy Service    
  SEC(A), PRI(M)

  There is a lot to consider here.  If changing environments means changing IP Address and IP Scopes, then your policies, profiles, and dACLs would also have to change among other things.  If this is the case, create a new ISE VM in the new environment using the built in evaluation license and recreate the deployment from the old environment using the addressing scheme of the new environment.  Then spin-up a new Secondary node and register it on the Primary.  Once this is done, you can re-host the license from your old environment onto your new environment.  You can use this tool to re-host:
  https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=3999
  If IP Addressing is to remain the same, it gets simpler. 
  First, and always, perform a configuration and operational backup.
  If downtime is not an issue, or if you have a maintenance window of an hour or so: Simply shut down both nodes.  Transfer them to the New Environment and turn them on, Primary Node first, of course.
  If downtime is an issue, shut down the Secondary Node and transfer it to the New Environment.  Start the Secondary Node and when it is up, shut down the Primary Node.  Once services on the primary node have stopped, promote the Secondary Node to Primary Node.
  Transfer the OLD Primary Node to the New Environment and turn it on.  It should assume the role of Secondary Node.  If it does not, assign that role through the GUI.
  Remember, the correct way to shut down an ISE node is:
  application stop ise
  halt
  By using these commands, the risk of database corruption decreases by about 90% (Remember to always backup).
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• Exchange Installation Error on Mailbox role: Transport Service Step

  The error I receive occurs at 47% of the Mailbox Role: Transport Service installation.  The details of the error are as follows:
      Mailbox role: Transport service                                                                  
  FAILED
       The following error was generated when "$error.Clear();
            if ($server -eq $null)
              set-ExchangeServerRole -Identity $RoleNetBIOSName -IsProvisionedServer:$true -DomainController $RoleDomainController
          " was run: "Active Directory operation failed on DC1.xxxxxx.xxxxxx.com. This error is not retriable. Additional information: The object cannot be added because the parent is not on the list of possible superiors.
  Active directory response: 00002099: NameErr: DSID-0305109C, problem 2005 (NAMING_VIOLATION), data 0, best match of:
          'CN=EXCH-MBOX1,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=AZGT,CN=
  Microsoft Exchange,CN=Services,CN=Configuration,DC=xxxxxx,DC=xxxxxx,DC=com'
  The Exchange Server setup operation didn't complete. More details can be found in ExchangeSetup.log located in the
  <SystemDrive>:\ExchangeSetupLogs folder.
  Also, when opening the setup log I have this:
  [12/26/2012 17:51:25.0809] [1] [ERROR] A naming violation occurred.
  [12/26/2012 17:51:25.0809] [1] [ERROR-REFERENCE] Id=ProvisionServerComponent___a16cb82f909348d3a32b9046f3bfb9ba Component=EXCHANGE14:\Current\Release\Shared\Datacenter\Setup
  [12/26/2012 17:51:25.0809] [1] Setup is stopping now because of one or more critical errors.
  [12/26/2012 17:51:25.0809] [1] Finished executing component tasks.
  [12/26/2012 17:51:25.0809] [1] Ending processing Install-BridgeheadRole
  [12/26/2012 17:51:25.0825] [0] The Exchange Server setup operation didn't complete.  More details can be found in ExchangeSetup.log located in the <SystemDrive>:\ExchangeSetupLogs folder.
  [12/26/2012 17:51:25.0825] [0] End of Setup
  [12/26/2012 17:51:25.0825] [0] **********************************************
  I have done a ton of searches trying to find a resolution to this error and there are two pages with a similar issue for Exchange 2007 but after trying the solutions suggested, the installation still fails with the same error.
  http://social.technet.microsoft.com/Forums/en-US/exchangesvrdeploylegacy/thread/dfa9961a-9b20-4c17-ae4d-ebf44c66c18f/
  http://exchangetroubleshooting.blogspot.com/2011/05/unable-to-run-preparead-command.html/
  Some additional information:
  This is a clean installation of Exchange 2013 in a forest that has never had exchange.
  The domain and forest preparations run without errors and are at functional level of 2003.
  The Exchange server has all prerequisites installed for a Mailbox server role and is running on a VM with Server 2012 as the OS.
  This error occurs on other VMs as well that we are trying to implement as mailbox servers in the same forest.
  I am running the installation as an enterprise, schema, domain admin.
  Thanks for your help in advance.

  Yes.  I cleaned out Exchange with ADSIEdit so I could re-run the Prepare Schema, domain and all domains and then re-ran setup to show the output here.  But the install still failed.
  PS F:\> .\setup /IacceptExchangeServerLicenseTerms /PrepareSchema
  Welcome to Microsoft Exchange Server 2013 Unattended Setup
  Copying Files...
  File copy complete. Setup will now collect additional information needed for installation.
  Performing Microsoft Exchange Server Prerequisite Check
      Prerequisite Analysis                                                                            
  COMPLETED
  Configuring Microsoft Exchange Server
      Extending Active Directory schema                                                                
  COMPLETED
  The Exchange Server setup operation completed successfully.
  PS F:\> .\setup /IacceptExchangeServerLicenseTerms /PrepareAD /OrganizationName:AZGT
  Welcome to Microsoft Exchange Server 2013 Unattended Setup
  Copying Files...
  File copy complete. Setup will now collect additional information needed for installation.
  Performing Microsoft Exchange Server Prerequisite Check
      Prerequisite Analysis                                                                            
  COMPLETED
   Setup will prepare the organization for Exchange 2013 by using 'Setup /PrepareAD'. No Exchange 2010 server roles have b
  een detected in this topology. After this operation, you will not be able to install any Exchange 2010 servers.
   For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.NoE14ServerWarning.
  aspx
  Configuring Microsoft Exchange Server
      Organization Preparation                                                                         
  COMPLETED
  The Exchange Server setup operation completed successfully.
  PS F:\> .\setup /IacceptExchangeServerLicenseTerms /PrepareAllDomains
  Welcome to Microsoft Exchange Server 2013 Unattended Setup
  Copying Files...
  File copy complete. Setup will now collect additional information needed for installation.
  Performing Microsoft Exchange Server Prerequisite Check
      Prerequisite Analysis                                                                            
  COMPLETED
  Configuring Microsoft Exchange Server
      Prepare Domain Progress                                                                          
  COMPLETED
  The Exchange Server setup operation completed successfully.
  PS F:\>
  PS F:\> .\setup /IAcceptExchangeServerLicenseTerms /mode:install /roles:Mailbox /TargetDir:"C:\Program Files\Microsoft\Exchange Server\V15"
  Welcome to Microsoft Exchange Server 2013 Unattended Setup
  Copying Files...
  File copy complete. Setup will now collect additional information needed for installation.
  Languages
  Management tools
  Mailbox role: Transport service
  Mailbox role: Client Access service
  Mailbox role: Unified Messaging service
  Mailbox role: Mailbox service
  Performing Microsoft Exchange Server Prerequisite Check
      Configuring Prerequisites                                                                        
  COMPLETED
      Prerequisite Analysis                                                                            
  COMPLETED
  Configuring Microsoft Exchange Server
      Preparing Setup                                                                                  
  COMPLETED
      Stopping Services                                                                                
  COMPLETED
      Copying Exchange Files                                                                           
  COMPLETED
      Language Files                                                                                   
  COMPLETED
      Restoring Services                                                                               
  COMPLETED
      Language Configuration                                                                           
  COMPLETED
      Exchange Management Tools                                                                        
  COMPLETED
      Mailbox role: Transport service                                                                  
  FAILED
       The following error was generated when "$error.Clear();
            if ($server -eq $null)
              set-ExchangeServerRole -Identity $RoleNetBIOSName -IsProvisionedServer:$true -DomainController $RoleDomainCo
  ntroller
          " was run: "Active Directory operation failed on DC1.XXXX.XXXX.com. This error is not retriable. Addi
  tional information: The object cannot be added because the parent is not on the list of possible superiors.
  Active directory response: 00002099: NameErr: DSID-0305109C, problem 2005 (NAMING_VIOLATION), data 0, best match of:
          'CN=EXCHMBOX1,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=AZGT,CN=
  Microsoft Exchange,CN=Services,CN=Configuration,DC=XXXX,DC=XXXX,DC=com'
  The Exchange Server setup operation didn't complete. More details can be found in ExchangeSetup.log located in the
  <SystemDrive>:\ExchangeSetupLogs folder.
  PS F:\>

• Need input on creating archive pool in IXos. What is the best practise ..

  In my company we are using ixos as archiving content server. I will like to know what is the standard /general configuration which is used while creating Archive POOL in ixos. What is the Best practice
  DO we create one archive for each type of document we want to archive Like for FI doc we create one FI pool, for HR we create another pool and so on. How do we handle object which contains logs  like "BC_DBLOGS" . Do we create one archive to store all type of logs.
  Or we just create one or two pool and store every type of document in there ?..
  So i would like to get some feedback , idea what people are doing in there companies to archive different type of data and what the best practice .

  I think the best way known so far for transporting Roles is through PFCG by using Customizing request.
  I dont think there is any program or smthing for roles transport.
  Last question is the transport policy different between Role menu transport and Rôle on Data transport
  I am not sure what do u mean by Role on data transport.
  Rgds
  Priyanka

• Oracle Tuxedo Security Best Practises

  Hi,
  I am new in Oracle Tuxedo. I searching about Tuxedo Security best practises. I found many informations in Tuxedo Documentation but if anybody have more informations, i am very interested.
  Such as:
  - ULOG files permissions => The Tuxedo administrator must not have write acces on this files but if I remove this right, does Tuxedo can write in this files ?
  - tlisten.pw => What is the encryption type and can i add only one user password or more ? It's true that there is no user login ?
  - tpsysadm and tpsysop => What do they serve ? and where are stored their passwords ant how can i change it ?
  - Use of LLE/SSL => What is the best practise, use of LLE and SSL or just LLE, just SSL ?
  Thanks a lot !
  Best regards

  Hi,
  welcome to the wonderful (and sometimes byzantine) world of Tuxedo!
  You have a couple of interesting questions and I'll try to shed some light on some of them. Disclaimer: I'll assume that you run Tuxedo on some flavor of Linux or Unix. If you're running on Windows, some of these thoughts won't make much sense to you, sorry about that.
  When I install the Tuxedo software, I usually let a dedicated user (e g "tuxedo") be the owner of the installed software and files (include files, FML field definitions and so on).
  When I create a Tuxedo application, I have a separate user account (e g "some_application") running each application. In this way, an application running wild cannot overwrite or delete any Tuxedo system files, neither another application's files, only its own files, due to file system permissions. In this case, "some_application" will execute your Tuxedo servers and also need to be the owner of the directory where the ULOG will reside (remember that the application need to be able to create a new file every new day).
  The tlisten.pw file is not for "user" passwords, it's primary use is to authenticate the different (physical) machines working together in a bridged (clustered) Tuxedo application. It is also used in conjunction with TSAM monitoring, although I have no first-hand experience with that (yet). I've had problems trying to have more than one secret in the tlisten.pw file, your mileage may vary...
  When it comes to tpsysadm and tpsysop, you should think of them more as roles rather than actual users. These roles may perform special actions (such as starting/stopping/re-configuring) in your application. Depending on your security settings, any user may (try to) act as tpsysadm and/or tpsysop. Any user passwords you may have are connected to the actual users rather than the roles tpsysadm or tpsysop. All this depends on your settings for SECURITY and AUTHSVC in your ubbconfig. There is no simple/easy answer here, I'm afraid... it all depends on how you have set up your security (USER_AUTH is a good start, but you need to supply an AUTHSVC in that case).
  When it comes to encryption, my experience is only with LLE. It simply works. Using SSL I suspect there will be more challenges setting up certificates and such things. The way I understand it you either use LLE or SSL for a given type of communication (i e WSL or TDOMAIN), you can't use both simultaneously.
  Hope this helps and I may be able to elaborate further if there's a particular area that seems particularly foggy :-)
  /Per

• Any best practise to archive PO's which does not have corresponding invoice

  Hello,
           As part of initial implementation and conversion, We have a lot of PO's / LTA created but their corresponding invoices were never converted into SAP from legacy system.  SAP archiving program tags those as not business complete as the invoice qty does not match with po qty (there are no invoices to start with).  Just flagging 'delivery complete and final confirmation' of PO does not help.  Anybody ran into similar situation and how did they resolve it?  I am reluctant to enhance standard SAP archiving program to bypass those checks and that is my only last option. Any SAP recommended Note / best practise etc would help.
  Satyajit Deb

  Where is the invoice posted?
  was the invoice posted in the legacy system?
  Clearance of GR/IR account with MR11 will usually close such POs.

• What is the best practise to provide a text file for a Java class in a OSGi bundle in CQ?

  This is probably a very basic question so please bear with me.
  What is the best way to provide a .txt file to be read by a Java class in a OSGi bundle in CQ 5.5?
  I have been able to read a file called "test.txt" that I put in a structure like this /src/resources/<any-sub-folder>/test.txt  from my java class  at /src/main/java/com/test/mytest/Test.java using the bundle's getResource and getEntry calls but I was not able to use the context.getDataFile. How is this getDataFile method call to be used?
  And what if I want to read the file located in another bundle, is it possible? or can I add the file to some repository and then access it - but I am not clear how to do this.
  And I would also like to know what is the best practise if I need to provide a large  data set in a flat file to be read by a Java class in CQ5.
  Please provide detailed steps or point me to a how to guide or other helpful resources as I am a novice.
  Thank you in advance for your time and help.
  VS

  As you can read in the OSGi Core specification (section 4.5.2), the getDataFile() method is to read/write a file in the bundle's private persistent area. It cannot be used to read files contained in the bundle. The issue Sham mentions refers to a version of Felix which is not used in CQ.
  The methods you mentioned (getResource and getEntry) are appropriate for reading files contained in a bundle.
  Reading a file from the repository is done using the JCR API. You can see a blueprint for how to do this by looking at the readFile method in http://svn.apache.org/repos/asf/jackrabbit/tags/2.4.0/jackrabbit-jcr-commons/src/main/java /org/apache/jackrabbit/commons/JcrUtils.java. Unfortunately, this method is not currently usable as it was declared incorrectly (should be a static method, but is an instance method).
  Regards,
  Justin

• Advice or best practise information about 1 or 2 clients in SAP R/3 DEV

  I'm searching for advice or best practise information about clients in a SAP R/3 development system.
  Reason for this is that we are up to refresh our SAP R/3 development system and up to now we have two clients on it:
  -     One customizing/development client without master data, transaction data et cetera
  -     One local test client with master data, transaction data and so on
  One of our developers suggested to only have one client on development, where we could customize, program and test. So that client would be with master data, transaction data et cetera.
  What would be your advice or what would be best practise for the development system: 1 client (with data) or 2 clients (one clean customizing and one with data). And what are the most important reasons to do it so.
  Maybe there is already some good (SAP) information about this specific subject, but up to now I havenu2019t found it yet.

  Maybe I've asked my question too broad. I'll try to narrow it down.
  Up to now we always had two clients on our SAP R/3 development system:
  - Client 200 - Customizing/development only. No other data in this client
  - Client 400 - Local test client with master data and transaction data. New customizing is copied from client 200 to test
  The reason for having those two clients are:
  - It feels someway good to have a customizing-only client
  - We've always done this before
  A developer suggested to only have one client in our SAP R/3 development system for the following reason:
  - You'll never need to copy the customizing (tr.SCC1) first to be able to test it
  - You can work in one client and don't need to login in the other client to test it (for example: ABAP reports)
  - For customizing of easy setting (for example producthiërarchie, as we don't test it everytime in client 400) it is possible to forget copying it into client 400 (test client). With one client, you can not forget it
  The reasons of this developer seems very valid and up to now we haven't found a convincing/compelling reason to make a good choice for one or two clients.
  Please, try to convince us with good reasons to choose for one or two clients.