IDM request grouping issue

Hi All,
We have designed our landscape to provision to SAP systems via GRC. IDM is sending add/remove role request to GRC via VDS-GRC web service but request is not properly grouped and logged in GRC. Here is the example:
There are two positions named P1 and P2 which has 2 and 4 tech roles within it.
Position-1 has tech role A and B
Position-2 has tech role A,B,C,D
User already has Position-1 and tech role A and B. Now user's Position-1 is getting replaced by Position-2. In this scenario following requests are getting logged on GRC:
1. One request to remove tech role A and B
2. One request to add tech role C and D
3. One request to add tech role A
4. One request to add tech role B
Note : All tech roles are from same GRC repository.
As per my understanding, this many requests should not be there when we are using GRC repository constant MX_PRIV_GROUPING_ATTRIBUTE = P:0
I have also observed "Write RequestId and opt. Start Polling" this job is getting executed even before "AC Submit requests" on position replacement even. This job is getting executed number of times based on number of common tech roles.
Any thought why requests are getting splited like this?
Thanks,
Dhiman Paul.

Dhiman,
The aggregation of the privileges into one request is done via custom javascript that we attached to our Prepare AC Request job in the GRC 10 workflow. It was modified so that it would look up what privileges are assigned to the IdM business role(s) prior to it being submitted to GRC and subsequently approved.
The script that should be modified is: sap_grc10_prepareRiskCheckExecution
This script can be modified to look up all the privs assigned to all roles requested, aggregate them into one object/array, then pass (return) that information along with all mskeys (privs/roles/pvo)back to the pending value for the remaining GRC tasks. This customization is required in order for AC Polling to kick off (which by the way needs to have the GRC10 repository explicitly assigned):
This explicit GRC10 repository setting must also be on the Submit AC Request:
Lastly, you MUST have the Risk Validation job (that also comes with the GRC 10 Framework) in the GRC 10 WF so that when your request comes back from GRC it will provision (or not) based upon the status returned from GRC.
One more thing, the grouping should be P:4 not P:0
There are a lot of nuances and gotchas in this integration but the above should be helpful to get you on the right path.

Similar Messages

IdM DB Space Issue

Hi Experts,
    We are facing IdM DB space issue in our PRD environment. Upon observing, it was found that the below tables are taking much space in IdM DB. Could anyone tell me what impact will my PRD system have if I truncate the below tables to free space. Please do help us out in this , if this problem is not solved, this will become the show stopper.
mc_exec_stat
MC_LOGS
MC_SYSLOG
mxi_entry
mxi_link_audit
mxi_link
MXI_OLD_VALUES
MXI_VALUES
MXP_AUDIT
MXP_Audit_Variables
MXP_Ext_Audit
Kind Regards,
Mohamed Fazil

I don't know what you mean with too much diskspace? Perhaps you can post the sizes here and the number of entries in your system so we can evaluate if it's normal or not.
Most of the tables you list should not be touched and if you truncate link and entry you will delete all your assignments and entry data, and you would possibly be looking for a new job the next day.
The log tables should be maintained by the housekeeping as mentioned, but
mc_exec_stat
MC_LOGS
MC_SYSLOG
can be cleaned but neither should have that much data, but large amounts of transactions cause logs to grow. Have you checked that your backup is cleaning the transaction logs? Also reduce loglevels to ERROR to reduce the amount logged here.
MXP_Audit_Variables should not contain audits that are not in the provisioning queue, if you delete those workflows will fail.
MXP_Ext_Audit can probably be cleaned without affecting operations (reports might be affected though) but you'll loose the detailed execution history on the entries, perhaps you can do partials, delete entries older than 3 years or similar.
For future reference:
List transaction log sizes (SQL Server):
DBCC SQLPERF(LOGSPACE)
List table siszes (SQL Server):
DECLARE @SpaceUsed TABLE( TableName VARCHAR(100)
      ,No_Of_Rows BIGINT
      ,ReservedSpace VARCHAR(15)
      ,DataSpace VARCHAR(15)
      ,Index_Size VARCHAR(15)
      ,UnUsed_Space VARCHAR(15)
DECLARE @str VARCHAR(500)
SET @str = 'exec sp_spaceused ''?'''
INSERT INTO @SpaceUsed EXEC sp_msforeachtable @command1=@str
SELECT * FROM @SpaceUsed order by CAST(REPLACE(ReservedSpace,' KB','') as INT) desc
Oracle undo, user and redofiles:
select * from dba_data_files where tablespace_name LIKE 'UNDOTB%1' OR tablespace_name LIKE 'USERS%';
select l.group#,f.member,l.archived,l.bytes/1078576 bytes,l.status,f.type
from v$log l, v$logfile f
where l.group# = f.group#
C
Message was edited by: Per Krabsetsve

Request Group options - Security

Hi all, Is there any way you can configure the request group in accordance with the responsibility? Our Scenario involves 2 responsibilities sharing the same request group. But we need to have a different list of requests for both these responsibilities for security reasons. I've gone thru the security profiles, but found none that relates to this issue. Any help is highly appreciated.
Thanks,
Naveen Gagadam.

I am not sure what you are looking for,
the simple thing you can do is, you need to create as many request group you need and attach it to the responsibility.
but if you use discoverer, the discoverer data follows the security profile attached to the person

FNDLOAD: How to remove a concurrent program from a request group

Hi,
I want to remove a concurrent program from a request group using FNDLOAD utility. Since impacted environment is Production (controlled environment) I do not want to remove concurrent program manually from the request group. Is there a way to use FNDLOAD utility for this purpose or some other means?
Environment: Oracle EBS R12.1.1
OS: Linux
Thanks,
Nitin

Hi,
Unfortunately this CP cannot be disabled as it has to be removed from certain RGs but not all. Also removing it through RG forms is always an option but production gatekeepers won't allow to do that. I would have done that in a min.
If FNDLOAD is not an option then I guess only other option is pl/sql script.
Best regards,
Nitin

Report with grouping issue

I have a report which have year(2008), Category(0-1,2-3, ALL), product(0,1,2,3,4..), % sales. I group by all the category elements and called it as All, I am not getting the right percentage sales for the Category ALL other wise for 0-1,2-3 i am getting it right. Please advise where i am doing it wrong. please find the blog for a screen shot of my issue.
http://ravibiblog.blogspot.com/2012/04/report-with-grouping-issue.html
Thanks,
RC

Pl post details of OS, database and EBS versions. Pl see if these MOS Docs can help
FARXPBSH Failing With "Program was terminated by signal 11" or "Program was terminated by signal 10"          (Doc ID 742729.1)
Publishing RXAPPYAC: The FARXPBSH Ends With 'Signal 11' Error          (Doc ID 432797.1)
RXi RX Reports Failing With Program Was Terminated By Signal 10 or 11 Errors After FA Rollup Patch 6          (Doc ID 737963.1)
Program was Terminated by Signal 11 when Running Rxi Reports          (Doc ID 559425.1)
HTH
Srini

How can we assign more than one request group to a responsibility?

Hi
Can anyone tell me how we can assign more than one request group to a responsibility?
Thanks
SS

Hi SS,
Its not possible, rather you should create a combination of Requests/RequestSets and create a new Request Group.
Regards,
Kiran

Plug-in Request Group field into the external authentication plug-in

Hi all,
I'd like to know if anyone has already tried to filter who can have the permission to call the external authentication plug-in setting it into Plug-in Request Group field.
I've made some tests adding some users into groups OracleDASAdminGroup, OracleUserSecurityAdmins and groups that I've created under my DC settings. Unfortunatly, I've had no success.
Is possible to do this?
Thank you.
Message was edited by:
user571491

Hi all,
I'd like to know if anyone has already tried to filter who can have the permission to call the external authentication plug-in setting it into Plug-in Request Group field.
I've made some tests adding some users into groups OracleDASAdminGroup, OracleUserSecurityAdmins and groups that I've created under my DC settings. Unfortunatly, I've had no success.
Is possible to do this?
Thank you.
Message was edited by:
user571491

Sorting /Grouping Issue: Single Artist Compilation Album Doesn't Group

iTunes 8 Sorting / Grouping Issue
EXAMPLE
• Album: Essential Willie Nelson
• There are 22 songs on this Disc
• 19 of them are labelled "Willie Nelson" in the artist field
• 3 of them are lebelled "Willie Nelson Feat. Waylon Jennings" in the artist field
PROBLEM
• Album will not stay grouped together when in the standard "Sort by Artist" in Grid View. A very legitimate expectation to be able to have Willie's name listed along with his pals in the artist field and have them grouped together in one album within Willie's albums section. 19 songs group within one album in the Willie Nelson section and the other 3 are placed separately either in the compilation section or as separate albums within the regular artists grid view.
I've read most if not all postings that suggest solutions but no matter what... they don't work. The only way that I know to work is to strip out all other names and leave only "Willie Nelson" in the Artist field. All other sorting and grouping options don't work for this issue... I've tied every combination. My opinion is that this is just a limitation at this time and there is no solution until future updates. I don't want a cheezy work-around either, that's very "unApple like". I assume it to be fixed in future updates.
Bueller... Bueller?
Anyone?

There's a few other "goodies" I have found also but haven't had time to check out.
If you have songs not in iTunes that you want to add to iTunes in a different format than the song is in...
(This is carried over from at least 7.4)
Set the Importing prefs to what you want the new file to be.
Hold the Option key and go to menu Advanced and select *Convert selection to* AAC (or whatever is in the Import prefs}.
This will add it to iTunes in the new format.
Previously, you had to Import the file, change the prefs, go to Advanced - *Convert selection to*, convert the file, then delete the original from iTunes.
This is new...
In iTunes 8, go to to File - > *Show duplicates*. (moved from View menu).
Now hold Option and go to to File and it now displays *Show exact duplicates*.
Don't know what it means by *exact duplicate* though.

How to use FNDLOAD to add program to request group?

Is there a way to use FNDLOAD to add a program to System administrators > security > responsilibity > request.
I have try to use the following command to downlod this information to load it to other place but no record saved in ldt file:
FNDLOAD apps/apps1234 O Y DOWNLOAD $FND_TOP/patch/115/import/afcpreqg.lct PO_RESQUEST_GROUP_2.ldt REQUEST_GROUP REQUEST_GROUP_NAME="All Reports" APPLICATION_SHORT_NAME="XXPO"
OR
FNDLOAD apps/apps1234 O Y DOWNLOAD $FND_TOP/patch/115/import/afcpreqg.lct PO_RESQUEST_GROUP_3.ldt REQUEST_GROUP APPLICATION_SHORT_NAME="Purchasing" REQUEST_GROUP_NAME="All Reports" UNIT_NAME="XXPO_PUR_REQ"
if i delete APPLICATION_SHORT_NAME="Purchasing" , it downloaded many seemingly not relevant data as follow:
Downloading REQUEST_GROUP to the data file PO_RESQUEST_GROUP_3.ldt
Downloaded REQUEST_GROUP All Reports CUN
Downloaded REQUEST_GROUP All Reports IGS
Downloaded REQUEST_GROUP All Reports PSB
Downloaded REQUEST_GROUP All Reports CSE
Downloaded REQUEST_GROUP All Reports AHL
Downloaded REQUEST_GROUP All Reports ENI
Downloaded REQUEST_GROUP All Reports OFA
Downloaded REQUEST_GROUP All Reports XTR
Downloaded REQUEST_GROUP All Reports SQLAP
Downloaded REQUEST_GROUP All Reports PO
Downloaded REQUEST_GROUP All Reports CHV
Downloaded REQUEST_GROUP All Reports QA
Downloaded REQUEST_GROUP All Reports CE
Downloaded REQUEST_GROUP All Reports POA
Downloaded REQUEST_GROUP All Reports MFG
Downloaded REQUEST_GROUP All Reports CRP
Downloaded REQUEST_GROUP All Reports WIP
How can I confine "Application"? which is under the field "Group" and how can I download all application named "custom puchasing" next to "Name"?

When migrating to another instance and want to add a concurrent program to a request group, I do it in two steps. Within a shell script, I call
1 - FNDLOAD to load ldt file (concurrent program definition)
2 - SQLPLUS to run an sql file that call FND API that install concurrent program into proper request group.
ex # 1 :
FNDLOAD $apps_user/$apps_pswd@$dbsid 0 Y UPLOAD $XDO_TOP/patch/115/import/xdotmpl.lct $XX_TOP/XX_PGM.ldt - WARNING=YES CUSTOM_MODE=FORCE >> $LOG_FILE 2>&1
ex # 2 :
sqlplus -s $apps_user/$apps_pswd@$dbsid @$XX_TOP/XX_PGM_REQ_GROUP.sql >> $LOG_FILE 2>&1
XX_PGM_REQ_GROUP.sql content.
IF NOT fnd_program.program_in_group('XX_PGM','Business Online','GL Concurrent Program Group','General Ledger' ) THEN
fnd_program.add_to_group(program_short_name => 'XX_PGM',
program_application => 'Business Online',
request_group => 'GL Concurrent Program Group',
group_application => 'General Ledger');
COMMIT;
END IF;
Hope this might help.

Report/Program added to a request group

I just noticed in my environment that whenever i add a report or program to a request group i don't get to see it when i want to run/submit the report or program.
What could be the problem?

try use
CREATE OR REPLACE PACKAGE fnd_program AS
-- Procedure
--   ADD_TO_GROUP
-- Purpose
--   Add a concurrent program to a request group.
-- Arguments
--   program_short_name - Short name of the program. (e.g. FNDSCRMT)
--   program_application - Application of the program. (e.g. 'FND')
--   request_group       - Name of request group.
--   group_application   - Application of the request group.
PROCEDURE add_to_group(program_short_name            IN VARCHAR2,
                    program_application          IN VARCHAR2,
                    request_group                 IN VARCHAR2,
                 group_application             IN VARCHAR2);for example
begin
fnd_program.add_to_group(
        'XXSHORTNAME',
        'XXPROGAPPL',
        'All Reports',
        'SQLAP'
end;

Finding the Request group of a report in APPS

How do I find which request group an oracle report or a PL/SQL procedure is attached in Oracle APPS?

Please try this
SELECT FRG.REQUEST_GROUP_NAME, FE.EXECUTION_FILE_NAME, FE.EXECUTABLE_NAME
FROM FND_REQUEST_GROUP_UNITS FRGU, FND_CONCURRENT_PROGRAMS FCP , FND_REQUEST_GROUPS FRG
, FND_EXECUTABLES FE
WHERE FRGU.REQUEST_UNIT_ID = FCP.CONCURRENT_PROGRAM_ID
AND FRGU.REQUEST_GROUP_ID = FRG.REQUEST_GROUP_ID
AND FE.EXECUTABLE_ID = FCP.EXECUTABLE_ID
AND FE.EXECUTION_FILE_NAME = <REPORT NAME>

Finding the Request group of a report

How do I find which request group an oracle report or a PL/SQL procedure is attached?

Hi
Do use the below query to get the Request Group Name and Responsibility Name...
input must be Report name
SELECT
A.RESPONSIBILITY_KEY ResponsibilityName,
B.REQUEST_GROUP_CODE RequestGroupName
FROM FND_RESPONSIBILITY A,
FND_REQUEST_GROUPS B,
FND_REQUEST_GROUP_UNITS C,
FND_CONCURRENT_PROGRAMS_VL D
WHERE A.REQUEST_GROUP_ID = B.REQUEST_GROUP_ID
AND C.REQUEST_GROUP_ID = B.REQUEST_GROUP_ID
AND C.REQUEST_UNIT_ID = D.CONCURRENT_PROGRAM_ID
AND D.USER_CONCURRENT_PROGRAM_NAME LIKE <<Report name >>
Regards
Yram

Concurrent request got deleted from a request group

Hi,
Somehow a concurrent request got deleted from a request group. Is there any way so that we can determine the person from whose login it happened.
Thanks in advance

Hi,
You can try using PSA if that request it's still there.
Otherwise, you will need to regenerate that request in source system (by filling setup tables with parameters) and update BW with a full load.
Hope this helps.
Regards,
Diego

Request group set error...

I have created an request group set to upload Master Item in inventory.
I am getting the following error when submitting Request Group request set from "India Local Inventory" responsibility in vision R12 instance :
APP-FND-01564: ORACLE error -1116 in SUBMIT: others
Cause: SUBMIT: others failed due to ORA-01116: error in opening database file 85
ORA-01110: data file 11: '/d02/vis_db/VIS/db/apps_st/data/tx_idx17.dbf'
ORA-27041: unable to open file
Linux Error: 24: Too many open files
Additional information: 3.
The SQL statement being executed at the time of the error was: &SQLSTMT and was executed for the file &ERRFILE.
How can I solve this problem??

Please refer to the following notes:
[Note: 566234.1 - Error: 24: Too many open files running initial request set|https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=566234.1]
[Note: 429760.1 - Ora-01110: Data File Error Opening Datafiles File|https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=429760.1]

Group Issue

HI Gurus,
My client is following this scenario.It has make to Order scenario and so many subcontracting process is done by the client.
The scenario is like,multiple work Orders are sent to Subcontract Vendor through single Group Issue.
For Example: 5 different work orders have the same processing work and has to be carried out by SC vendor X.
What they are doing, they donot issue the materials to the same SC vendor 5 times instead they make a group of the work Orders and issue the materials to SC at a time.
How can we map this into SAP????????
Thanks & Regards
Pranaya

Hi
In MB1B , you can club all the PO's & issue the Goods to the SC vendor.
Goto MB1B, enter movemnt type 541, Click on To Purchase order & enter the PO & item details. Now adopt the details & issue the Goods to SC vendor.
Thanks & Regards
Kishore

IDM request grouping issue

Similar Messages

Maybe you are looking for