HR Indirect Role Provisioning Error

A request was created for an employee who would be joining the company on a future date. This request failed during provisioning. The error message stated "Error Message : 418: HR Object 00000000 doesn't exist in SAP Database." We are currently using indirect role assignment. The only difference between this request and all of the other requests is that this was for a user who would be joining on a future date. The HR record with Subtype 105 for this employee was maintained before the AE request was created.
Has anyone else seen this error?
Thanks

Hi Michael,
The error is telling you the system cannot find the employee, which is correct as the employee does not exist in the system today - only as of the future dated start date.  Thus, your role assignment may start only as of the employee start date.  Change your effective start date to match the employee's start date.

Similar Messages

  • Role Provisioning failed for System(s) : Connector Name . Error Message : malformedRequest

    Hi Everyone, we are facing the following issue in GRC-SAC-SAE 5.3_16.3. So far our CUP was connected to Enterprise Portal (7.01) and auto provisioning for group to users worked. However, now it is not working, with the error below.
    Role Provisioning failed for System(s) : <Connector Name>. Error Message :
    malformedRequest
    Failed request now
    Successful request used to provision
    Regards,
    Arpan Paik

    Arpan,
    We used to get those "malformed request" errors. We dealt with them by requesting the portal to be re-booted during the weekend maintenance window, making the portal security changes manually, cancelling the CUP request and notifying the requester. It's not a great solution, I know, but it was all we could come up with at the time. Then they upgraded the portal to NW 7.31, which is incompatible with GRC 5.3, and we have to do everything manually, so our situation went from bad to worse. Good luck!
    Cheers,
    Gretchen

  • CUP Provisions user to SAP successfully but gives "Auto-Provisioning" error

    Hi All,
    I'm getting an "auto-provisioning" error in CUP when a "Change Account" workflow is approved. The strange thing is, CUP does successfully provision the change to the SAP backend. Yet, the "New Account" provisions successfully without the error.
    Here is an example of the audit trail log from Change Account:
    Request submitted for approval by Dylan Hack(HACKDY) on 06/28/2010 17:14 
    Approved By Dylan Hack(HACKDY) Path AE_AUTO_APPROV_ERROR and Stage AE_AUTOPROV_ERR on 06/28/2010 17:14 
       Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
       Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
       Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
       Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
    Auto provisioned for request on 06/28/2010 17:14 
       User Provisioning failed for System(s) : DEV. Error Message :
       Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
       Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
       Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
       Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
    Request submitted for reroute by system on 06/28/2010 17:14 due to auto provisioning failure 
       Rerouted in the Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR to Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR
    Note: the role names were replaced with "xxxxxxx."
    The system log gives an error, but it is very vague:
    2010-06-28 17:14:34,682 [SAPEngine_Application_Thread[impl:3]_33] ERROR com.virsa.ae.service.ServiceException
    com.virsa.ae.service.ServiceException
         at com.virsa.ae.service.sap.SAPProvisionDAO.intializeWithChangeUserInputParameters(SAPProvisionDAO.java:762)
         at com.virsa.ae.service.sap.SAPProvisionDAO.changeUser(SAPProvisionDAO.java:3457)
         at com.virsa.ae.service.sap.SAPProvisionDAO.changeUser(SAPProvisionDAO.java:3419)
    Any ideas or suggestions?
    Current software level AC5.3 SP12.
    -Dylan

    Hello Varun,
    Thanks for the thought on this. We don't use User Defaults for Change Account, but do for New Account. Your question prompted me to do more testing with very interesting results.
    Results
    New Account with User Defaults configured:
    User provisioned successfully, no Auto-Provision error, Defaults NOT provisioned.
    New Account without User Defaults configured:
    User provisioned successfully, no Auto-Provision error.
    Change Account with User Defaults configured:
    User provisioned successfully, no Auto-Provision error, Defaults NOT provisioned.
    Change Account without User Defaults configured:
    User provisioned successfully, Auto-Provision ERROR, Defaults NOT provisioned.
    In both New and Change Account, the configured User Defaults are NOT provisioned even though the user is provisioned. AC5.3 is on SP12, the RTA is VIRSANH SP12 and VIRSAHR SP10.
    For the Change Account, the user is always provisioned regardless of User Defaults; however, when no User Default is configured, the Auto-Provisioning error occurs. The User Defaults NOT provisioning is a real problem, the CUP error message, I can work around for now.
    What about on your side? Am I the only guy using SP12 here?
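The audit trail quoted in this thread reports "User Provisioning failed" for DEV while also listing roles as assigned in DEV, and then reroutes the request to the path and stage it is already in. As an added example (not part of the original posts, and not SAP code), the following parser flags both conditions so the request can be reconciled against the backend instead of being re-approved blindly; the function name and result keys are hypothetical, and the sample is shortened from the trail above.

```python
import re

# Sample shortened from the audit trail quoted in the thread (role names are masked there too).
AUDIT_TRAIL = """\
Request submitted for approval by Dylan Hack(HACKDY) on 06/28/2010 17:14
Approved By Dylan Hack(HACKDY) Path AE_AUTO_APPROV_ERROR and Stage AE_AUTOPROV_ERR on 06/28/2010 17:14
   Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
Auto provisioned for request on 06/28/2010 17:14
   User Provisioning failed for System(s) : DEV. Error Message :
   Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
   Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
Request submitted for reroute by system on 06/28/2010 17:14 due to auto provisioning failure
   Rerouted in the Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR to Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR
"""

# Line shapes as they appear in the trails quoted on this page.
FAILED = re.compile(
    r"(?:User|Role) Provisioning failed for System\(s\) : (?P<sys>[^.]+)\."
    r" Error Message :\s*(?P<msg>.*)$"
)
ASSIGNED = re.compile(
    r"Role: (?P<role>\S+) assigned to user: (?P<user>\S+)"
    r" in System\(s\): (?P<sys>[^.\s]+)\."
)
REROUTED = re.compile(
    r"Rerouted in the Path : (?P<fp>\S+) and Stage : (?P<fs>\S+)"
    r" to Path : (?P<tp>\S+) and Stage : (?P<ts>\S+)"
)


def review_audit_trail(text):
    """Return provisioning failures, role grants that were applied in a
    system reported as failed, and whether the request was rerouted to
    the same path/stage it was already in."""
    failures = {}          # system -> list of error messages (may be empty strings)
    assigned = set()       # (system, user, role) reported as assigned
    self_reroute = False

    for raw in text.splitlines():
        line = raw.strip()
        m = FAILED.search(line)
        if m:
            failures.setdefault(m["sys"].strip(), []).append(m["msg"].strip())
            continue
        m = ASSIGNED.search(line)
        if m:
            assigned.add((m["sys"], m["user"], m["role"]))
            continue
        m = REROUTED.search(line)
        if m and (m["fp"], m["fs"]) == (m["tp"], m["ts"]):
            self_reroute = True

    # Access that exists in the backend although the request is marked failed.
    applied = sorted(a for a in assigned if a[0] in failures)
    return {
        "failures": failures,
        "applied_despite_failure": applied,
        "self_reroute": self_reroute,
    }


if __name__ == "__main__":
    result = review_audit_trail(AUDIT_TRAIL)
    for system, user, role in result["applied_despite_failure"]:
        print(f"reconcile: {role} already assigned to {user} in {system}")
    if result["self_reroute"]:
        print("request rerouted to its current path/stage; it will not close on its own")
```

An entry under `applied_despite_failure` means the access already exists while the workflow still shows an open, failed request, so the user master in the target system is the record to check before anyone approves again.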

  • CUA sync with child client issue for indirect role assignment.

    Hello Security experts,
    We have an indirect role assignment set up in our ECC environment. There is a synchronization issue from the parent CUA to the child client. The role assignments have been made to role although they are not always reaching target system without having to sync up either the role or the ID's position # manually.   This has been an ongoing issue CUA has on any role or user from time to time.   Any hint on fixing this issue? Please help.

    Whole idea of CUA is to manage your roles and users centrally, on the contrary you can manage the roles/profiles by setting up the attributes for the CUA through Central User Management console - SCUM Transaction.
    CUA has its own pros -
    Central rep, Users Sync, Role Provisioning strategy - Global composites (consists of individual child roles), Distributed model - Provisioning at individual child systems for roles, etc. Central user store, easy maintenance.
    on the contrary - change documents is always a concern (because CUA uses interface IDs or the RFC IDs to push the IDocs from CUA to child system), CUA maintenance while system refresh - copied distribution models have to be deleted and re-created, system backups have to be defined per your distribution model, password maintenance if defined global then child systems act as inactive nodes, reading the roles into CUA which are created in childs so as to establish a pointer to that system.
    It also depends on the number of systems you have in your landscape so that you can calculate the overhead and then have a Go/No-Go decision on CUA.
    Overall, I consider CUA as a good approach provided we streamline the process of provisioning, de-provisioning per the CUA standards.
    Rakesh

  • CUP Auto Provisioning Error 260: User Comparison

    I am in the process of configuring the CUP 5.3 module within our ECC and SRM environments.  I believe the path and associated stages are established properly.  I have tested the auto provisioning functionality within both SRM and ECC.  As it relates to SRM, the auto provisioning functionality works without a hitch.  However, when I attempt to auto provision a user into our ECC environment, I receive the following error:
    Auto provisioned for request on 04/07/2010 13:41 
       New User: T00522 created on 04/07/2010 13:42 in System(s): DR4-300.
       User attributes changed for User : T00522 in System(s) :DR4-300.
       Role Provisioning failed for System(s) : DR4-300. Error Message : 260:User master comparison incomplete; see long text
    Speaking with our security team, the only time they have seen this issue was when they attempted to map a user, using PFCG, to a role.  However, I informed them that CUP uses SU01.  They have not experienced such an issue using SU01 and clicking on the user comparison button. 
    Interesting point:  The user record is created and roles assigned to user but have a red light indicator by the role within SU01.  However, when the next day rolls around the role has been changed to a Green light, profile assigned and everything is looking good.  Unfortunately, CUP can't seem to register this, and when the Role Owner attempts to approve the role / user request again, the same error occurs. Until I can get around this error, the workflow is not closed out nor is the requester notified.
    Questions:
    (1)  How can I fix this issue, I assume it will require a security change to be made within the ECC environment?
    (2)  If this issue can't be fixed, can I get around this issue with a detour or other CUP error processing step?

    Denoted below is the log that corresponds to the 260 comparison error.  Does anyone know what access I am missing within the UME.  I have tested this provisioning process, manually, and do not run into a Comparison error within the SU01 screens:
    2010-04-27 13:44:54,748 [SAPEngine_Application_Thread[impl:3]_31] ERROR com.virsa.ae.service.ServiceException: 260:User master comparison incomplete; see long text
    com.virsa.ae.service.ServiceException: 260:User master comparison incomplete; see long text
         at com.virsa.ae.service.sap.SAPProvisionDAO.executeRoleOperation(SAPProvisionDAO.java:1706)
         at com.virsa.ae.service.sap.SAPProvisionDAO.assignRoles(SAPProvisionDAO.java:1458)
         at com.virsa.ae.service.sap.ProvisionSAPUserDAO.provisionInNonCUA(ProvisionSAPUserDAO.java:1232)
         at com.virsa.ae.service.sap.ProvisionSAPUserDAO.provisionRole(ProvisionSAPUserDAO.java:932)
         at com.virsa.ae.service.sap.ProvisionSAPUserDAO.provisionUser(ProvisionSAPUserDAO.java:118)
         at com.virsa.ae.accessrequests.bo.ProvisioningBO.autoProvision(ProvisioningBO.java:216)
         at com.virsa.ae.accessrequests.bo.RequestBO.autoProvisioningForApprove(RequestBO.java:4572)
         at com.virsa.ae.accessrequests.bo.RequestBO.callAEExitService(RequestBO.java:5565)
         at com.virsa.ae.accessrequests.bo.RequestBO.callExitService(RequestBO.java:5339)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5191)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:4984)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:941)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:103)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:271)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(AccessController.java:219)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    2010-04-27 13:44:54,927 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.accessrequests.bo.RequestAuditHelper : logMajorAction() :   : intHstId : 3068
    2010-04-27 13:44:54,972 [SAPEngine_Application_Thread[impl:3]_31] ERROR no dtos exist which are in the same state as the passing dto
    com.virsa.ae.core.ObjectNotFoundException: no dtos exist which are in the same state as the passing dto
         at com.virsa.ae.workflow.bo.WorkFlowBOHelper.getIfUnapprovedPathExists(WorkFlowBOHelper.java:2662)
         at com.virsa.ae.workflow.bo.WorkFlowBOHelper.handleWFForNewPathStage(WorkFlowBOHelper.java:2516)
         at com.virsa.ae.workflow.bo.WorkFlowRequestRerouteHelper.rerouteRequest(WorkFlowRequestRerouteHelper.java:68)
         at com.virsa.ae.workflow.bo.WorkFlowBO.rerouteRequest(WorkFlowBO.java:614)
         at com.virsa.ae.accessrequests.bo.RequestBO.rerouteRequestForAutoProvisioningFailure(RequestBO.java:6897)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5239)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:4984)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:941)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:103)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:271)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(AccessController.java:219)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    2010-04-27 13:44:55,394 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.accessrequests.actions.RequestViewAction : confirmRequestApproval() :   : setting context to true, ending context
    2010-04-27 13:44:55,414 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.RequestDataForwardDAO : findTransactions() :   : sbQuery : SELECT REQNO, REQPATHID, STAGE_NAME, FWDED_BY, APRVRID, ITERATION, FORWARD_TYPE, STATUS FROM VIRSA_AE_RQD_WPFWD WHERE REQNO = ?
    2010-04-27 13:44:55,486 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.SAPConnectorDAO : findAllActiveSAPConnectors :   :  going to return no of records= 3
    2010-04-27 13:44:55,495 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.OracleAppsConnectorDAO : findAllActiveORACLEConnectors :   :  going to return ImmutableList(empty)
    2010-04-27 13:44:55,498 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.PACSConnectorDAO : findAllActivePACSConnectors :   :  going to return ImmutableList(empty)
    2010-04-27 13:44:55,502 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.WSConnectorDAO : findAllActive :   :  going to return ImmutableList(empty)
    2010-04-27 13:44:55,505 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.ApplicationDAO : findAllForContext :   :  going to return ImmutableList(empty)
    2010-04-27 13:44:55,532 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.RequestDataSODConflictDAO : findAllForContext(SqljContext ctx)  :   :  going to return ImmutableList(empty)
    2010-04-27 13:44:55,535 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.RequestDataSODConflictDAO : findAllForContext(SqljContext ctx)  :   :  going to return ImmutableList(empty)
    2010-04-27 13:44:55,540 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.RequestDataMitigationDAO : findAllForContext(SqljContext ctx)  :   :  going to return ImmutableList(empty)
    2010-04-27 13:44:55,579 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.accessrequests.actions.RequestViewAction : pageLoad() :   : INTO the method
    2010-04-27 13:44:55,580 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.accessrequests.actions.RequestViewAction : pageLoad() :   : request number : 154
    2010-04-27 13:45:14,055 [SAPEngine_Application_Thread[impl:3]_18] INFO  com.virsa.ae.dao.sqlj.RequestTypeDAO : findAll :   :  going to return no of records= 20

  • SAP R/3 : Indirect Role assignments - Is position unique to every user?

    Hi.
    While I am exploring/learning SAP R/3 roles and auth, I would appreciate it if I could get clarity on the following:
    This  link on SDN on Indirect role assignments are very informative.
    http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/f03e6f6c-8c16-2a10-1581-ed8812e2effe
    This link is also more explanatory : http://my.affinitext.com/public/book/5442/-1/1423831
    So if my understanding is correct, it is better to assign roles - indirectly by position, so that if an employee's position changes, his role can be removed, based on position again ??? And somewhere we are linking with infotype 105.
    My only doubt is : if we are going to assign roles by position and remove the roles by position, so that as the position of an employee changes, the previous roles become null and void and new roles can be assigned as per new position.
    So would like to know :
    as to whether this position number which we see from PA20, is unique to every user on the system ?
    So that, if there is a need to remove a role based on position, we could remove the role from PO13;
    BY doing that, then will it not affect other users ?
    Can somebody help me understand this.
    Because if i want to see the effect immediately, if i go to PFUD and put the role name and say execute, i see that the role which was removed from PO13 is gone immediately from the user.
    Many thanks
    Indu
    Edited by: Indumathy Narayanan on Nov 22, 2011 9:25 AM

    GOT IT THANKS.
    Hi Prashant.
    Good morning and wishes.
    Can you please help me understand this.
    I understand from HR person that position is uniquely defined (from hire to retire)
    and roles are generally given based on position.
    However, I see a person : whose roles have been assigned as per position all these years.
    He had 2 roles in project A. He now moved into a different project B.
    But. when i check, i still see the roles - reflecting on SU01  & well as in the tab of user of the role X under pfcg.
    BUT when i check PO13 - and put the position / relationship and say overview.
    I don't see the roles at all there.
    Why this is so.  Why the discrepancy on different screens.
    Also How can I get a confirmation that - these roles are actually removed and is not there for the user.
    Rather.
    How could the removal of roles based on position become completely effective on the system.
    So that all screens display the same information.
    Also would like to know - whether it is ok to remove the role expiry date directly from PFCG/ROLE Display/user tab/select user/
    and then make the role invalid or expired / or extend the expiry.
    Many thanks.
    Indu
    Edited by: Indumathy Narayanan on Dec 7, 2011 12:09 PM
    Edited by: Indumathy Narayanan on Dec 7, 2011 1:42 PM
    Edited by: Indumathy Narayanan on Dec 7, 2011 5:17 PM

  • Invalid Security role-name error in Web Project

    Hi All,
    I have imported a J2EE application project built in JBOSS into NWDS 7.1.
    While building the project i get the following error
    CHKJ3020E:Invalid Security role-name error: PEHNTAHO_ADMIN
    This error directs me to the following code in web.xml
    <security-constraint>
              <display-name>Default JSP Security Constraints</display-name>
              <web-resource-collection>
                   <web-resource-name>Portlet Directory</web-resource-name>
                   <url-pattern>/jsp/*</url-pattern>
                   <http-method>GET</http-method>
                   <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
                   <role-name>PEHNTAHO_ADMIN</role-name>
              </auth-constraint>
              <user-data-constraint>
                   <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
    I have tried out the following things to resolve this issue:
    1) Remove the role manually (as suggested by various people in other J2EE forums), but then some other error came into the picture
    2) Then I added the following code in web.xml
    <security-role>
              <role-name>PEHNTAHO_ADMIN</role-name>
         </security-role>
    Then the above mentioned build error gets resolved, but then I get the following error while deploying the application.
    Dec 3, 2007 12:59:21 AM /userOut/daView_category (eclipse.UserOutLocation) [Thread[Deploy Thread,5,main]] ERROR: Deploy Exception.An error occurred while deploying the deployment item 'sap.com_AnalyticsApp2EAR'.; nested exception is:
         java.rmi.RemoteException:  class com.sap.engine.services.dc.gd.DeliveryException: An error occurred during deployment of sdu id: sap.com_AnalyticsApp2EAR
    sdu file path: D:\usr\sap\CE1\J01\j2ee\cluster\server0\temp\tcbldeploy_controller\archives\191\AnalyticsApp2EAR.ear
    version status: HIGHER
    deployment status: Admitted
    description:
              1. Error:
    Cannot update application sap.com/AnalyticsApp2EAR. Reason: The application sap.com/AnalyticsApp2EAR will not be update, because its validation failed. Reason:
    ERRORS:
    Web Model Builder: com.sap.engine.frame.core.configuration.NameNotFoundException: The parameter/s in String "<?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
         <!-- whole web.xml-->
    </web-app>
    " is/are not defined and could not be substituted., file: AnalyticsApp2.war#WEB-INF/web.xml, column 0, line 0, severity: error
    WARNINGS:
    Web Model Builder: Following tests could not be executed because of failed precondition test "Web Model Builder" : Implicit Constraints Test, JSF Application Test, Mapping Test, Web File Existence Test, Web Class Existence Test, Security Role Test, file: AnalyticsApp2.war, column -1, line -1, severity: warning
    3) I had also added the following code in web-j2ee-engine.xml
    <security-role-map>
              <role-name>PEHNTAHO_ADMIN</role-name>
              <server-role-name>all</server-role-name>
         </security-role-map>
    but still i get the same deployment error.
    Please help me in resolving this problem.
    Can anybody tell me the use of role "PEHNTAHO_ADMIN"?
    Thanks and Regards,
    Sruti
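The CHKJ3020E build error in this post comes from a `<role-name>` used in an `<auth-constraint>` with no matching `<security-role>` declaration in web.xml. As an added example (not from the original post, and not part of NWDS), the following check reports that condition; it goes slightly beyond the build error by also reporting two things visible in the quoted constraint: it names specific HTTP methods, so it covers only those, and its transport guarantee is NONE. The function name, finding codes and constants are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint quoted in the post, wrapped in a minimal <web-app>.
WEB_XML_BEFORE = """<web-app>
  <security-constraint>
    <display-name>Default JSP Security Constraints</display-name>
    <web-resource-collection>
      <web-resource-name>Portlet Directory</web-resource-name>
      <url-pattern>/jsp/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>PEHNTAHO_ADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Same descriptor with the <security-role> declaration from step 2 of the post.
WEB_XML_AFTER = WEB_XML_BEFORE.replace(
    "</web-app>",
    "  <security-role>\n"
    "    <role-name>PEHNTAHO_ADMIN</role-name>\n"
    "  </security-role>\n"
    "</web-app>",
)

# "*" (all declared roles) and, from Servlet 3.1, "**" (any authenticated user)
# are reserved names and need no <security-role> declaration.
WILDCARDS = {"*", "**"}


def _local(tag):
    """Element name without an XML namespace, so newer descriptors work too."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem):
    return (elem.text or "").strip()


def audit_web_xml(xml_text):
    """Return a list of (code, url_patterns, detail) findings for a web.xml."""
    root = ET.fromstring(xml_text)
    declared = {
        _text(r)
        for sr in _children(root, "security-role")
        for r in _children(sr, "role-name")
    }
    findings = []
    for sc in _children(root, "security-constraint"):
        urls, methods = [], []
        for wrc in _children(sc, "web-resource-collection"):
            urls += [_text(u) for u in _children(wrc, "url-pattern")]
            methods += [_text(m) for m in _children(wrc, "http-method")]
        where = ",".join(urls) or "(no url-pattern)"

        auth = _children(sc, "auth-constraint")
        for a in auth:
            for r in _children(a, "role-name"):
                role = _text(r)
                if role not in declared and role not in WILDCARDS:
                    findings.append(("UNDECLARED_ROLE", where, role))

        # A constraint that lists methods applies to those methods only.
        if auth and methods:
            findings.append(("METHOD_LIMITED", where, ",".join(methods)))

        guarantees = [
            _text(t)
            for udc in _children(sc, "user-data-constraint")
            for t in _children(udc, "transport-guarantee")
        ]
        if auth and not any(g in ("INTEGRAL", "CONFIDENTIAL") for g in guarantees):
            findings.append(
                ("NO_TRANSPORT_GUARANTEE", where, ",".join(guarantees) or "absent")
            )
    return findings


if __name__ == "__main__":
    for label, doc in (("before", WEB_XML_BEFORE), ("after", WEB_XML_AFTER)):
        for finding in audit_web_xml(doc):
            print(label, *finding)
```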

    Hi Malathy,
    Once the users are created in Authentication Provider, and once the roles are created in Weblogic Server, You just have to map users to roles in Jazn-data.xml.
    Could you please let us know you created a roles named users in WLS ?
    Thanks & Regards,
    Murali.

  • Indirect Role Assignment with HR-ORG in a system landscape with CUA

    Hi all,
    we have 2 SAP systems:
    1) SAP ECC6 (with composite roles)
    2) SAP HR with PA and OM
    We would like to assign SAP ECC6 roles through HR-OM.
    Since HR-OM is not on the same ECC6 system, we would like to try the logic: HR-OM -> CUA -> ECC6
    There are several documents that describe this situation (ex. SCUR351).
    From PFCG point of view, we should create a composite role in CUA system which include simple roles of child system.
    If we try to create a composite role in CUA central system, we can insert only simple roles available in central system (and not in child).
    Any experience on this scenario ?
    Pros vs cons ?
    Are there different possible scenarios?
    Many thanks...
    Andrea

    Whole idea of CUA is to manage your roles and users centrally, on the contrary you can manage the roles/profiles by setting up the attributes for the CUA through Central User Management console - SCUM Transaction.
    CUA has its own pros -
    Central rep, Users Sync, Role Provisioning strategy - Global composites (consists of individual child roles), Distributed model - Provisioning at individual child systems for roles, etc. Central user store, easy maintenance.
    on the contrary - change documents is always a concern (because CUA uses interface IDs or the RFC IDs to push the IDocs from CUA to child system), CUA maintenance while system refresh - copied distribution models have to be deleted and re-created, system backups have to be defined per your distribution model, password maintenance if defined global then child systems act as inactive nodes, reading the roles into CUA which are created in childs so as to establish a pointer to that system.
    It also depends on the number of systems you have in your landscape so that you can calculate the overhead and then have a Go/No-Go decision on CUA.
    Overall, I consider CUA as a good approach provided we streamline the process of provisioning, de-provisioning per the CUA standards.
    Rakesh

  • Mass Change for Indirect Role Assignment

    Hi all,
    I am in the process of changing the company’s authorisations from a standard SU01 role assignment to a position based indirect role assignment.
    At the moment I am using PFCG going to the Org Mg button under the User tab then attaching the position that way.  Is there a way of assigning more than one role to a position at the same time?
    Is there a Mass Assignment option in PFCG or is there a separate transaction available to make this process quicker??
    Thanks for your help
    Ian

    you can mass-assign people and roles if you go to transaction PPOME instead of PFCG. to make role assignments from PPOME please apply note 578271 first. be careful whilst implementing this <insert nasty word here> note because some of those view-clusters tend to refuse to load your changes = you can see them, but they don't work - might be you will have to flush table buffers for the changes to take effect.

  • Structural Authorisation & Position Based Role Mapping ( Indirect Roles)

    Hi
    I have few queries on Structural Authorization & Position Based Role Mapping (Indirect Role Assignment).
    This is a public sector implementation. We are migrating from the traditional based (assigning roles to users) to Indirect role assignment.
    1. Can we integrate both structural authorizations and position based role mapping in one system?
    2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
    3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
    4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
    Any help or suggestions on the above would be appreciated.
    Thanks and Regards
    Arun R

    Hi
    1. Can we integrate both structural authorizations and position based role mapping in one system?
    Yes you can.  Structural authorisations and position based role mapping can be assigned to the same org plan in SAP.
    2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
    No, the SAP role is unique to the position it is assigned to. But remember not all employees will be assigned to a position - in this case you have to assign the SAP role directly to the user in SU01/SU01.
    3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
    Create user in SU01/SU10 first before creating infotype 105 in PA30.
    4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
    When a user's assignment in the org structure changes then you must run RHRPROFL0 to update the user assignment to the new position.
    Also the number of days an employee can have access to their previous data is controlled by the parameter called ADAYS - tx OOAC.  SAP currently defaults this to 15 days and this is used to control the number of days that the employee can still access the data they created even though they are assigned to a different organisation with different authorisations.
    Hope this helps.
    Charmaine

  • Is OID role provisioning possible with OIM?

    Hi experts,
    I'm installing and configuring the OIM connector for OID. However I've found on the installation guide the next 'warnings':
    - Reconciliation of roles is supported only for ODSEE and Novell eDirectory target systems.
    - Provisioning of roles is supported only for ODSEE and Novell eDirectory target systems.
    Then my question is: how can I provision OID roles to any user using OIM? If I can't do role provisioning to OID, I can't see much utility in this connector.
    My request is to provision roles that I've created on OID, using the OIM interface.
    Has anyone done this?
    Thanks for your time.
    regards.
    Edited by: Daniel Cermeño on Sep 10, 2012 4:39 PM

    Hi Leoncio and Gyanprakash,
    Thanks for your response, that makes me feel calmer.
    I have still one question about this. In the installation and configuration guide says:
    - If you are using the default connector configuration, for every group in the target system, create a corresponding organizational unit (with the same group name) in Oracle Identity Manager. This ensures that all groups from the target system are reconciled into their newly created organizational units, respectively.
    - You can also configure the connector to reconcile the groups under one organization.
    Then, when I run the reconciliation of OID groups in OIM. I obtain one organization with one resource representing my OID group. Or, if I prefer, I obtaion one organization with many resource that represents all my OID groups. However, I dont find how to provision this resources to my OIM users, cause I need that one user be part of one o more groups. If I put the user in the organization that represent my OID group, how I can provision more groups?
    Furthermore, the reconciliations of OID groups creates resources/organizations, but in my understending this no create OIM roles isn't?
    I'm sorry for my ignorance. This maybe is a trivial question, but I hope you can clarify this concepts to me.
    Thanks for your time.
    regards.
    Edited by: Daniel Cermeño on Sep 11, 2012 8:08 AM

  • Indirect role assignment restricted only to Positions?

    Hello All,
    I have this doubt:
    While using indirect role assignment, can we assign roles to Work Center, Job, Org unit, Person also?
    (My understanding was that we could assign this only to positions...)
    Can anybody who has worked on HR security answer my doubt?
    Many thanks for your help.
    Warm Regards,
    Pradeep

    Hi Pradeep:
    Indirect role assignments are not restricted to only positions. You can make role assignments to other objects such as Job or Org. Just as you can assign roles to a position via PO13, a role-to-Job assignment can be made through PO03 and a role-to-Org-unit assignment can be made via PO10.
    That's the beauty of position-based security. By assigning roles to higher levels, this would reduce the load on Security folks doing role assignments. For example, if you know a role is to be assigned to everyone in a particular org unit, you might as well assign the role there. Therefore, everyone under that org would automatically inherit the role. Of course, this approach depends heavily on accurate HR data.
    Let me know if you need more clarification.
    Thanks.

  • Indirect Role Assignment

    I am adding roles to positions using indirect role assignment. When adding the role to the position I am prompted to carry out a reconciliation of indirect user assignments and receive the message 'Indirect user assignments ok', so then I've run PFUD. When I check both the role and the user I cannot see the role attached to the user, but the role is listed in the 'Relationships' in PP01.
    A new organisation structure has been created. When I click on the drop down at the 'change agent assignment' the old organisation structure is displayed. Any suggestions please how I can select the new organisation structure?
    Thanks

    Hello Anthea,
    to pass on a role from a position to a SAP user id I would suggest the following.
    Go to transaction SA38 and run report RHPROFL0.
    Some notes on the report and report selections.
    The report can be used to evaluate and assign roles from HR objects to SAP users. The report starts reading at a given HR object along an evaluation path. It then updates the SAP user found with authorisation roles.
    Selections:
    You have assigned the roles to a position therefore you should select object type S.
    Then put the position number in the Object ID.
    The key date is hopefully self-explanatory.
    The evaluation path might have defaulted to PROFL0. That would be the correct one.
    The program has a test mode. I suggest you run the test mode first. It will tell you what the program would change in an actual run.
    In the next selection box - "Generate authorization profiles"
    You might leave the ticks in the boxes:
    - Standard authorizations
    - PD authorizations
    That will generate profiles if they aren't generated yet.
    Next selection box - "Delete manually maintained authorisation profiles"
    Leave the tick boxes blank if you have any direct assigned roles.
    If you tick the boxes all roles and profiles directly assigned to SAP user ids will be deleted.
    In section "New Users"
    There is a tick box "Generate".
    If that box is ticked the report will create new SAP user IDs for all occupied positions with roles but without SAP user ID on the Employee record.
    You might leave that box unticked for the moment.
    I suggest to create the application log --> Last tick box on the selection screen.
    Some general comments at the end.
    The report RHPROFL0 might be scheduled in production systems if indirect role assignments are used. Depending on your needs make sure that the deletion of manually assigned profiles is activated or deactivated.
    If you do not enter an object id, the report will run for all object ids.
    A further note on the indirect setup.
    If roles should be passed on from a Position to a SAP user id, it is important that the following conditions are fulfilled.
    The Position is valid/active as of the report key date.
    The position has a holder at key date.
    The holder has an assignment of a valid SAP user ID at key date. Infotype 0105 subtype 0001 for object type P.
    The Roles on the position are valid at the key date.
    I hope that helps solve your issue.
    Best regards
    Karsten
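
The key-date conditions listed in the answer above, as an added example that is not part of the original post and not SAP code: a Python check over constructed validity records that reports which condition fails for a position at a given key date. The record layout, the function names and all sample values (position, personnel number, user ID, role name) are assumptions made for illustration.

```python
from datetime import date

HIGH = date(9999, 12, 31)  # open-ended validity end

# Constructed sample records (not from a real system): a position whose
# holder, and the holder's user link, only start on a future hire date.
SAMPLE = {
    "positions": [{"objid": "50000001", "begda": date(2012, 1, 1), "endda": HIGH}],
    "holders": [{"position": "50000001", "pernr": "00001001",
                 "begda": date(2012, 10, 1), "endda": HIGH}],
    "it0105": [{"pernr": "00001001", "subtype": "0001", "userid": "JDOE",
                "begda": date(2012, 10, 1), "endda": HIGH}],
    "role_links": [{"position": "50000001", "role": "Z_SAMPLE_ROLE",
                    "begda": date(2012, 1, 1), "endda": HIGH}],
}

def valid_on(rec, key_date):
    """A record counts only if the key date lies inside its validity period."""
    return rec["begda"] <= key_date <= rec["endda"]

def check_position(position_id, key_date, data):
    """Return (user_ids, roles, problems) for one position at one key date."""
    problems = []
    if not any(p["objid"] == position_id and valid_on(p, key_date)
               for p in data["positions"]):
        problems.append("position not valid at key date")
    holders = {h["pernr"] for h in data["holders"]
               if h["position"] == position_id and valid_on(h, key_date)}
    if not holders:
        problems.append("position has no holder at key date")
    users = sorted(u["userid"] for u in data["it0105"]
                   if u["pernr"] in holders and u["subtype"] == "0001"
                   and valid_on(u, key_date))
    if holders and not users:
        problems.append("holder has no valid infotype 0105 subtype 0001")
    roles = sorted(r["role"] for r in data["role_links"]
                   if r["position"] == position_id and valid_on(r, key_date))
    if not roles:
        problems.append("no role on the position is valid at key date")
    if problems:
        return [], [], problems
    return users, roles, []

if __name__ == "__main__":
    for day in (date(2012, 9, 10), date(2012, 10, 1)):
        print(day, check_position("50000001", day, SAMPLE))
```

With the sample data, a key date before the holder's start date yields no user and names the missing holder, while the start date itself resolves the user and the role.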

  • Indirect Role Assignment Within CUA

    Hi Experts,
    We're implementing indirect role assignment in SAP HR and exploring the feasibility of including this client as part of CUA. Has anyone implemented this before? Appreciate if you could share.
    I understand that CUA is able to distribute DIRECT role assignments made from the central client to the child client(s), but I am not so sure if it is possible for the INDIRECT role assignment approach. My previous project excluded the client with indirect role assignment from the CUA distribution landscape and I wonder why.
    Appreciate your input in this matter and looking forward to further discussion.
    Best regards and million thanks in advance.

    Hi,
    So I worked on a CUA managed landscape that had systems that featured indirect org assignment hooked in. The association between the User ID and the HR org based position was still maintained locally as the local system contained the HR Org structure, but direct access was still blocked by CUA. The roles assigned indirectly were visible from CUA in a different colour. You can still maintain users directly from CUA on top of this. This may be an alternative to consider.
    If the local system does not contain the HR Org structure you are probably going to have to export the structure, so if that is the case you might as well import it to CUA if all org relevant users are maintained there and manage it centrally via the advised link anyway.
    Cheers
    Steve

  • HR indirect role assignment

    If personnel no. is not the same as the infotype 0105 assigned user, how do you check your indirect role assignment if you are using Solution Manager? We don't have the PA20, PA30, PA48 t-codes in Solution Manager. Our CUA is in Solution Manager. Help is greatly appreciated. Thanks

    I created the HR_ORG structure (HRMD_ABA) in dev (HR system - sending system) and added filters according to the help.sap document, then generated the partner profile using we20. After that I transferred the org structure to CUA (SolMan - non-HR system - receiving system) using an ALE run (run SA38 - RHALEINI); I think it's working.
    Composite roles reside in Dev (HR system). For indirect role assignment (position-level security) I created the composite role with just the role name and description, without tcodes and auth objects, in CUA (SolMan - non-HR system).
    For the test position assignment, I ran pfcg in CUA (SolMan), clicked on organization management, selected the position and clicked indirect role assignment. After that I did a user comparison but I cannot see the user ID in user assignment. Please let me know any helpful suggestions. Thanks for your quick response.
