Idm-Vaau Rbac role creations and mapping

Hi All,
I'm working on the integration between Idm and Vaau's Rbacx (role based access control) tool for role creation and provisioning...I've imported the spml.xml and SPMLGetObjectsform.xml into Idm for the SPML calls between Rbacx and Idm.
The challenge I'm facing is mapping the attributes of Rbacx roles to enable the attributes to be populated in Idm...I'm able to export roles into Idm, but they are not populating with any attributes, e.g. resource type, resource attribute etc. I'm uncertain as to where I have to map these properties and do any customization for this to work. I would appreciate it if anyone who has worked on this or knows how to do this could please give me some pointers/share your experience. I don't have any documentation to refer to and am doing everything on a trial and error basis.
Any help is greatly appreciated!
Thank you.

Hi newbie,
Were you able to solve this issue? I am facing the same problem while assigning resource attributes for a created role using a custom workflow.
This is where I set the resource attributes in my workflow:
<Action id='1'>
<expression>
     <block trace='true'>
     <set><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].valueType</s><ref>ADGroupsValueType</ref></set>
     <set><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].requirement</s><ref>ADGroupsRequirement</ref></set>
     <append><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].value</s><ref>ADGroupsValue</ref></append>
     </block>
</expression>
</Action>
where <ref>ADGroupsValue</ref> contains the attribute value.
thanks,
Lokesh

Similar Messages

  • Mass role creation and addition of tcodes to role menu

    Hi Folks,
    We've a requirement of building 1000's of single roles for an implementation. Our security matrix is ready with the role names and the list of tcodes to be embedded in each of these roles. What I would like to know is if we can automate a part of the process of role building i.e the following 3 steps only.
    1. Creation of the Role
    2. Addition of the tcodes in the role menu
    3. Save
    I'm aware of Ecatt/LSMW through which we can create the roles but i'm not sure if we can add the tcodes to the menu of the roles since the number of tcodes to be populated in each role will vary.
    Could anyone of you shed some light if it is possible to automate the addition of  tcodes to the role menu taking into consideration that each role will have different number of tcodes to be added to the menu and what's the best possible way to achieve this if there exists one.
    Thanks in advance for your time and suggestions!
    Guest...

    Whilst I agree that there are probably too many roles being built here, which is more of an issue with the role design / strategy, the issue of how to easily create a role for a given list of transactions is something that SAP supports via the import menu from text file option in PFCG.
    Yes you may need to write a script to cycle through all the possible role names, but we have recently had to build some roles based on actual usage, so exported transaction usage history to excel and then formatted the transactions into text files that could be imported to build the role menu.
    You will still then need to ensure any authorisation objects have the correct values set - i.e. not just starred in - but as one of the pains in building a role is getting the menu to look reasonable, I'd suggest having a look at this approach.
    Copy Menus -> Import from File is the function in PFCG in the menu tab for the role you are building
    OSS note 389675 has details of what the text file of transactions for the menu should look like.
    That should answer the question posed, rather than criticising the role design being followed.

  • Role creation and modification report

    Hello everybody!
    The SOX Audit requested this information:
    A list from all roles, with creation and modifications date (not when a user is added, but when the role was changed).
    How can I find this? I tried SUIM / modification docs, but could not find it.
    Thanks in advance!

    Check this table AGR_DEFINE has the details, but you may need to write some kind of coding  or use function module  /ISDFPS/GET_AGR_DETAILS to pull the data. If I come across any standard report I'll pass on.
    rgds,
    asok

  • Role creation and authorization objects in sap

    Hi
    i want to know the full relationship between  creation of roles , authorization objects ,authorizations in web as abap
    Please explain the process in detail the use of PFCG and all its options and how to create Z roles

    Although, It would be a very long document to explain the query, I have briefed you on the concept. I hope it leads you well.
    - Roles are nothing but a container for authorizations. A role represents a specific part of an employee's job.
    - The R/3 authorization concept permits the assignment of either general and/or finely detailed user authorizations. These assignments can reach down to transactions, field and field value level.
    For e.g. If a user wants to create a PO we can restrict him on:
    • Activity : Create/Change/Display
    • Org elements like Company Code, Plant, Purchase Organization etc
    • Document type etc.
    - Authorization objects are grouped in an object class such as Materials Management: Master Data (MM_G). Each Object Class may have several authorization objects and within each object we can have several authorizations (max. up to 99).
    - Fields: The permissible values for the fields constitute the authorization. For e.g. ACTVT (Activity) is a field with permissible values of 01 (Create), 02 (Change) & 03 (Display) for the object M_MATE_CHG (Material Master: Batches/Trading Units). Value * for field BEGRU signifies all possible values.
    - An authorization allows you to carry out an R/3 task based on a set of field values in an authorization object. By themselves authorizations do not exist and they only have a meaning inside a profile
    - Authorizations are contained within profiles and these profiles are assigned to users manually or automatically via role assignment. When you assign the field values for all the authorization objects and save system will auto generate a profile name.
    - Authorization checks are included in the transaction's source code in standard SAP R/3. A user may carry out an action if the authorization check is successful for each field in the object.
    Edited by: Subramaniam Iyer on Nov 27, 2008 12:08 PM
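The chain described in the answer above (role, generated profile, authorization, field values) can be modelled in a few lines. This is an added example, not code from the original post or from SAP: the role names, the profile naming and the BEGRU group values 0001/0002 are constructed, and only exact values and the `*` wildcard are modelled. It shows one point the prose leaves implicit: every checked field must be covered by the same authorization, so values from two different authorizations do not combine.

```python
from dataclasses import dataclass, field

WILDCARD = "*"  # as in the post: value * for a field means all possible values


@dataclass
class Authorization:
    """Permitted field values for one authorization object."""
    obj: str
    values: dict  # field name -> set of permitted values

    def missing_fields(self, requested):
        """Return the requested fields that this authorization does not cover."""
        missing = []
        for name, wanted in requested.items():
            allowed = self.values.get(name, set())
            if WILDCARD not in allowed and wanted not in allowed:
                missing.append(name)
        return missing


@dataclass
class Profile:
    """Authorizations only take effect once they sit inside a profile."""
    name: str
    authorizations: list


@dataclass
class Role:
    name: str
    authorizations: list = field(default_factory=list)

    def generate_profile(self):
        # Stand-in for profile generation; the "T_" prefix is a constructed name.
        return Profile("T_" + self.name, list(self.authorizations))


@dataclass
class User:
    name: str
    profiles: list = field(default_factory=list)

    def assign_role(self, role):
        # Assigning a role gives the user the profile generated from it.
        self.profiles.append(role.generate_profile())


def candidates(user, obj):
    """All (profile name, authorization) pairs the user holds for an object."""
    return [(p.name, a) for p in user.profiles
            for a in p.authorizations if a.obj == obj]


def authority_check(user, obj, **requested):
    """Pass only if ONE authorization covers EVERY requested field value."""
    return any(not a.missing_fields(requested) for _, a in candidates(user, obj))


def explain_failure(user, obj, **requested):
    """Per authorization, list the fields that made it fail the request."""
    return [(name, a.missing_fields(requested)) for name, a in candidates(user, obj)]


def build_sample_user():
    """Constructed sample: display for all groups, change for group 0001 only."""
    display = Role("Z_BATCH_DISPLAY", [
        Authorization("M_MATE_CHG", {"ACTVT": {"03"}, "BEGRU": {WILDCARD}})])
    change = Role("Z_BATCH_CHANGE_0001", [
        Authorization("M_MATE_CHG", {"ACTVT": {"02"}, "BEGRU": {"0001"}})])
    user = User("JDOE")
    user.assign_role(display)
    user.assign_role(change)
    return user


if __name__ == "__main__":
    u = build_sample_user()
    for actvt, begru in [("03", "0002"), ("02", "0001"), ("02", "0002")]:
        ok = authority_check(u, "M_MATE_CHG", ACTVT=actvt, BEGRU=begru)
        print(actvt, begru, "allowed" if ok else
              explain_failure(u, "M_MATE_CHG", ACTVT=actvt, BEGRU=begru))
```

The third request (change in group 0002) is refused even though the user holds activity 02 in one authorization and BEGRU * in another, which is why a broad wildcard in a display role does not widen a change role.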

  • BAPI with RFC enables creation and mapping required settings

    Dear Experts,
    My client is having their old legacy system in .Net .
    Now their requirement is whenever they will create Vendor in their system that created vendor entry should be created automatically in SAP.
    I dont know about BAPI and RFC and how it will work.
    I will try to go up to the creation of BAPI with RFC enabled.
    But to map their requirement what Steps and Setting need to be done in SAP as well as in their Legacy system (.Net).
    Please guide me to solve the issue.
    Regards,
    Sanket.

    closed

  • Role Creation and Copying.

    Hello All,
    I have 3 different queries.
    1) In our landscape, we have CUA and a client system (X1). I need to create some dialog users in X1 with customized profile. In which system do I need to create customized roles so as I can create users in CUA and can assign them the customized roles?
    2) When I trying to copy roles with option "copy all" in X1 system, as CUA is active in the landscape, I am getting an error saying "CUA is active, User is not copied". But on my left hand side of the screen I can see the action as Role Copied. I am trying to copy them using Copy Selectively and not selecting User assignments. Here my questions is why its saying users not copied first but still I can see Role copied..and what is the difference between user assignment and copy all in this scenario?
    3) In some different situation, I am not able to use the customized roles for Dialog users. According to my limited knowledge, it is possible to customize the roles as per our company standards. But I am not able to use dialog users with customized roles?
    Thanks in Advance.
    Regards,
    Farooq.

    Hi,
    1) coming to the first question
    The roles should always be maintained in your child system to which they belong.
    But CUA controls the way the assignments are maintained, whether they are maintained globally or locally or everywhere.
    You can see the details in SCUM Tcode.
    In short maintain the roles in X1 and then text compare in CUA and then assign the the roles to users in CUA
    2) You might be getting the error because the SCUM setting for role assignments are set to Global i.e they can be maintained only through CUA . But since the roles are created and maintained locally in ur child system the role is copied.
    The copy all is for copying a role with all its characteristics including the user assignments but user assignment is adding this role to a user for giving some access rights which are packaged in this role
    3)I am not clear as to what you meant by custom roles
    If you referred to assignment of roles created specific to ur company then make sure you are trying to assign the roles in CUA and not directly in child system X1.
    It might not be the problem of Dialog Users.
    hope this helps

  • PFCG role creation and input from users

    I know that when you create a new role and add transactions to the menu you will get some default authorization objects in the role.
    After that you will need to fill out activities for transactions;
    For ex: display, create, change
    I also know that during testing when you run /nsu53 you will need to add some additional objects in the role.
    If the user does not know which activities he/she needs or even for example for order types
    OR, ZNON, KE
    How can i help if the user does not know what he/she needs.
    The way I'm doing this currently is by giving the user the transactions he/she needs and then have them run /nsu53 and I fix the problem.
    Thanks
    jo

    Jo,
    As I have worked in situations similar to the one you describe where the user performing the testing doesn't know which activities/values they need access to contribute to productive role build/testing sessions. Some of the things I have done to help them are:
    1) Educate the user on the Authorization Object and Fields. You can typically hit (F1) for more information related to the object/field.
    2) Tie the object values back to actual SAP Tables with data to show user configuration of the system and values that are options.
    3) Find someone from the process/business side who understands the requirements or has done the configuration to support the process and have an educational/testing session together.
    Thanks.
    Matt

  • AC ERM : role creation and how to delete ungenerated roles

    Hi,
    When you work on a role from ERM, the role is created in the back end. It will be generated only at the generation phase. But what if finaly it is decided not to generate the role, is there a way to delete the role in the BE from ERM?
    It seems the only way is to go in PFCG and delete the role manualy?
    Regards

    Hello Vincent,
    There are different tables in which the roles for RE (in frontend RE, frontend tables) and where the roles in R/3 are stored. That is, it might be that even if you are generating all the roles from RE, at a particular time the list of roles in RE is greater than number of roles in R/3 Backend. This is because:
    RE roles = Generated roles (which exist at backend as well)+Ungenerated roles (which are in RE only till that particular time).
    Here ungenerated roles would mean the roles which you have not yet generated in RE.
    Thus, deleting roles from R/3 and RE are two separate things.
    1. To achieve the deletion the role from Backend (R/3) you should create a request in RE to remove this role from all the users currently attached to it as there is no way possible to delete the role from R/3 by creating a request from RE. Doing this would still have the role in R/3 but with no user assigned.
    2. To delete the role from RE tables, so that you do not see it again, you can Search for the role, select it and then click on the "Delete" TAB. This will delete the role from the RE tables.
    Now, for the cleanliness of your R/3 system, in case you do not want to see these roles in R/3 too, you can schedule a BG job to delete this or do a mass delete of all these roles say every fortnight or at whatever frequency as desired by your management.
    Regards,
    Hersh.

  • IDM roles creation / updation and deletion via workflows

    Hi,
    We are in IDM 7.1. I wanted to know if there is any way to create / update / delete IDM roles in the workflow / rules on a data driven logic rather than using the IDM admin page (Roles tab) and creating them with LDAP group attributes assigned and making them pre-defined.
    I've read in most of the postings that most of the time it has been retrieved but no other options being done.
    Anyone having ideas???
    Regards
    Krishna

    Hi,
    check these FM , i dont know it will work for u or not.
    BAPI_USER_ACTGROUPS_ASSIGN     User: Change entire activity group assignment
    BAPI_USER_ACTGROUPS_DELETE     User: Delete entire activity group assignment
    BAPI_USER_CHANGE               Change User
    BAPI_USER_CLONE                Create User with Template in Another System
    BAPI_USER_CREATE
    BAPI_USER_CREATE1              Create a User
    BAPI_USER_DELETE               BAPI to Delete a User
    BAPI_USER_DISPLAY              Display Users
    BAPI_USER_EXISTENCE_CHECK      Check a user exists
    BAPI_USER_GETLIST              Search for Users
    BAPI_USER_GET_DETAIL           Read User Details
    BAPI_USER_INTERNET_CREATE      Create a user in the Internet
    BAPI_USER_LOCACTGROUPS_ASSIGN  Change Activity Group Assignment for Dependent Systems from Central Sy
    BAPI_USER_LOCACTGROUPS_DELETE  Delete Activity Group Assignments in the Dependent Systems
    BAPI_USER_LOCACTGROUPS_READ    Change Activity Group Assignment for Dependent Systems from Central Sy
    BAPI_USER_LOCK                 Lock User
    BAPI_USER_LOCPROFILES_ASSIGN   Change Profile Assignment for Dependent Systems from Central System
    BAPI_USER_LOCPROFILES_DELETE   Delete Profile Assignments for Dependent Systems
    BAPI_USER_LOCPROFILES_READ     Change Activity Group Assignment for Dependent Systems from Central Sy
    BAPI_USER_PROFILES_ASSIGN      User: Assign profiles
    BAPI_USER_PROFILES_DELETE      User: Delete All Profile Assignments
    BAPI_USER_UNLOCK               Unlock user
    Reward points if useful..
    Regards
    Nilesh

  • Background job fails for BDC profile creation and role assignment

    Hi Experts,
    I have created a BDC Function module for Tcode 'PFCG' for profile creation and role assignment, and called this FM in my zprogram. The problem is that when I run this program in foreground it executes successfully, but if I schedule it in background it fails throwing error in job log 'Role 'Z...' does not contain any active authorizations'. But I have created one more program to create authorization objects which runs before this zprogram. I have also checked the authorization object in 'RSECADMIN', it reflects active. I don't understand what's happening exactly when it runs in background.
    Below is the process of job
       1. ZMIS_AUTH_OBJECT_CREATE
           Variant : auth-create
       2. ZMIS_AUTH_ASSIGN_TO_ROLE
           Variant : auth-assign
    The problem is in second program, runs in foreground but fails in background.
    Code which i have written in my second program
    ***BDC for Profile creation and assignment to Roles
        CALL FUNCTION 'ZROLE'
          EXPORTING
           ctu                     = 'X'
           mode                    = p_mode
           UPDATE                  = 'L'
    *   GROUP                   =
    *   USER                    =
    *   KEEP                    =
    *   HOLDDATE                =
           nodata                  = '/'
            agr_name_neu_001        = wa_role-role_name
            text_002                = wa_role-desc
            text_003                = wa_role-desc
            text_004                = wa_role-desc
           value_01_005            = 'T-ML330881'
            h_fval_low_01_006       = wa_role-auth
            profn_007               = lv_profile
            ptext_008               = lv_text1
    * IMPORTING
    *   SUBRC                   =
         TABLES
           messtab                 = temp_message.
    ***Generation of Profile created
    CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
         EXPORTING
           activity_group                      = wa_role-role_name
    *     PROFILE_NAME                        =
    *     PROFILE_TEXT                        =
          no_dialog                           = ' '
          rebuild_auth_data                   = ''
          org_levels_with_star                = ' '
          fill_empty_fields_with_star         = 'X'
          template                            = ' '
          check_profgen_tables                = 'X'
          generate_profile                    = 'X'
          authority_check_pfcg                = 'X'
       EXCEPTIONS
         activity_group_does_not_exist       = 1
         activity_group_enqueued             = 2
         profile_name_exists                 = 3
         profile_not_in_namespace            = 4
         no_auth_for_prof_creation           = 5
         no_auth_for_role_change             = 6
         no_auth_for_auth_maint              = 7
         no_auth_for_gen                     = 8
         no_auths                            = 9
         open_auths                          = 10
         too_many_auths                      = 11
         profgen_tables_not_updated          = 12
         error_when_generating_profile       = 13
         OTHERS                              = 14  .
    Experts please help me out its very urgent. your help is appreciated and rewarded. Thanking you in advance.
    Regards,
    Chetan

    Hi Praveen,
    Yeah definitely, my requirement is that I have to give access to some BI reports to certain users, so contract data will be downloaded from ECC on application server, need to read that file from application server and for each contract I should create an authorization object, role creation and assigning of role to the user and profile generation and activation.
    To achieve this i have written two programs
    1) ZMIS_AUTH_OBJECT_CREATE- This program will create the Authorization Object using BDC and Role creation Using the BAPI
    "" Creation of Authorization Object
    CALL FUNCTION 'ZAUTHOBJ'
            EXPORTING
             ctu                    = 'X'
             mode                   = p_mode
             UPDATE                 = 'L'
    *   GROUP                  =
    *   USER                   =
    *   KEEP                   =
    *   HOLDDATE               =
             nodata                 = '/'
             g_authname_001         = 'ZDUMMY_MIS'
              g_targetauth_002       = wa_tab-auth
              g_authtxt_003          = wa_tab-short_desc
              g_authtxtmd_004        = wa_tab-med_desc
             marked_04_005          = 'X'
              g_authtxt_006          = wa_tab-short_desc
              g_authtxtmd_007        = wa_tab-med_desc
             tctiobjnm_04_008       = 'ZBUS_UNIT'
              g_authtxt_009          = wa_tab-short_desc
              g_authtxtmd_010        = wa_tab-med_desc
             marked_05_011          = ''
             opt_01_012             = 'EQ'
              low_01_013             = wa_tab-bu
              g_authtxt_014          = wa_tab-short_desc
              g_authtxtmd_015        = wa_tab-med_desc
             marked_04_016          = 'X'
              g_authtxt_017          = wa_tab-short_desc
              g_authtxtmd_018        = wa_tab-med_desc
             tctiobjnm_04_019       = 'ZCONTRCT'
              g_authtxt_020          = wa_tab-short_desc
              g_authtxtmd_021        = wa_tab-med_desc
             marked_05_022          = ''
             opt_01_023             = 'EQ'
              low_01_024             = lv_contract
              g_authtxt_025          = wa_tab-short_desc
              g_authtxtmd_026        = wa_tab-med_desc
              g_authtxt_027          = wa_tab-short_desc
              g_authtxtmd_028        = wa_tab-med_desc
              g_authname_029         = wa_tab-auth
    * IMPORTING
    *   SUBRC                  =
           TABLES
             messtab                = temp_message.
    "" Creation of role
    LOOP AT it_role INTO wa_role.
          CLEAR wa_text.
          wa_text-text = wa_role-desc.
          wa_text-langu = 'E'.
          APPEND wa_text TO it_text.
          wa_jobrole-agr_name = wa_role-role_name.
          wa_parentrole-agr_name = 'ZM_CT_DUMMY_MIS'.
          wa_method-usmethod = 'CHANGE'.
          CALL FUNCTION 'ZBAPI_JOBROLE_CLONE'
            EXPORTING
              jobrole          = wa_jobrole
             parent           = wa_parentrole
             method           = wa_method
           TABLES
    *   RETURN           =
             shorttext     = it_text.   " statement ends here; the remaining parameters are commented out
    *   LONGTEXT         =
    *   MENU_NODES       =
    *   MENU_TEXTS       =.
        ENDLOOP.
    2) ZMIS_AUTH_ASSIGN_TO_ROLE - This program will generate the profile created assign it to the role.
      ""*BDC for Profile creation and assignment to Roles
        CALL FUNCTION 'ZROLE'
          EXPORTING
           ctu                     = 'X'
           mode                    = p_mode
           UPDATE                  = 'L'
    *   GROUP                   =
    *   USER                    =
    *   KEEP                    =
    *   HOLDDATE                =
           nodata                  = '/'
            agr_name_neu_001        = wa_role-role_name
            text_002                = wa_role-desc
            text_003                = wa_role-desc
            text_004                = wa_role-desc
           value_01_005            = 'T-ML330881'
            h_fval_low_01_006       = wa_role-auth
            profn_007               = lv_profile
            ptext_008               = lv_text1
    * IMPORTING
    *   SUBRC                   =
         TABLES
           messtab                 = temp_message .
       COMMIT WORK AND WAIT.
    ""*Generation of Profile created
      LOOP AT it_role INTO wa_role.
        CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
         EXPORTING
           activity_group                      = wa_role-role_name
    *     PROFILE_NAME                        =
    *     PROFILE_TEXT                        =
          no_dialog                           = ' '
          rebuild_auth_data                   = ''
          org_levels_with_star                = ' '
          fill_empty_fields_with_star         = 'X'
          template                            = ' '
          check_profgen_tables                = 'X'
          generate_profile                    = 'X'
          authority_check_pfcg                = 'X'
       EXCEPTIONS
         activity_group_does_not_exist       = 1
         activity_group_enqueued             = 2
         profile_name_exists                 = 3
         profile_not_in_namespace            = 4
         no_auth_for_prof_creation           = 5
         no_auth_for_role_change             = 6
         no_auth_for_auth_maint              = 7
         no_auth_for_gen                     = 8
         no_auths                            = 9
         open_auths                          = 10
         too_many_auths                      = 11
         profgen_tables_not_updated          = 12
         error_when_generating_profile       = 13
         OTHERS                              = 14.
        IF sy-subrc <> 0.
          MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
                  WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
        ENDIF.
      ENDLOOP.
    For creating authorization objects, role & profile i have created one dummy auth, dummy role & dummy profile respectively.
    i have created dummy objects to copy the roles from dummy object and assign the same to new Auth obj, role & profile.
    Let me know what needs to be done. because these both the programs run perfectly in foreground, but fails in background.
    Regards,
    Chetan

  • Tool/Utility/Method to retrieve roles and mapping of those roles.

    Hi friends,
    We are running SAP EP6 SP2 on WEB AS 6.20.
    I want name and description of all roles created and mapping of those roles ( Roles -> groups and Roles -> Users ) in this system. The one way to do it is using User Administration -> Roles but it'll take a lot of time. Is there any tool/utility/shortcut method available for the same?
    Regards,
    Nilz
    Message was edited by: nilz

    Hi nilz,
      I don't think there is any tool as such to do this. U need some programmatic approach for this. U can get the roles using pcd search but I am not sure if u can get the mapping details.
    Regards,
    Harini S
    [ Don't forget to reward points for helpful answers ]

  • How to raise role creation/modification request in AC 10

    We are implementing AC10. I have issue more related to the process followed than technical. Please suggest from your experience.
    We found that we can raise the request for new user account, role assignment to user, etc in Access Request (formerly CUP), but we cannot raise the request for role creation, role modification. This is directly done in Role management.  My question is, how the security admin will receive the requests for creating or maintaining the roles. Is it necessary to use ticketing tool for users to raise the request for role creation and modification.
    Thanks everyone for your valuable solutions.

    Dear Ashish,
    Whatever you have mentioned is correct to have the common platform for every request, either for user creation or role creation.
    But what we decided earlier, that the end users can raise the request in CUP directly, rather than involving security admin. But after realizing that there is no request type for role creation, I think we have to use our ticketing tool as a common platform.
    Request will come to security admin from the ticketing tool and then he will create the request in CUP, thereafter it will follow the approval workflow.  Only problem I see in this, it goes to the manager twice, once in ticketing tool and then through CUP workflow. I think we need to take out the manager stage from the workflow.

  • How to create a security role to delegate package creation and deployment?

    Hi,
    I am new to SCCM 2012 and I would like to delegate packaging and deployment based on an AD container and user. For example, I have a US-SCCM-Admin account created in the US OU in Active Directory. I also have computers in the US Computers OU in AD. I am
    not sure what settings I need so that the US-SCCM-Admin account only has rights to create and deploy packages to the US OU and no where else? I added US-SCCM-Admin security group from AD to the "Administrative Users" group in SCCM. But now I need
    to configure a role for this group but I am not sure which one to copy or import? I tried copying the "Application Deployment Manager" role and renaming it appropriately but when I login to SCCM as this user, they dont have the option to create or
    deploy packages? Does anyone have a simple step by step on this or explanation on what to do to delegate package creation and deployment based on the user in an AD group? TIA

    The Application Deployment Manager role is only allowed to deploy an already existing application. You would have to use the
    Application Administrator role instead.
    Torsten Meringer | http://www.mssccmfaq.de

  • RAP and MAPs change the channel and Radio Role

    I have a WLC 2504 with version  AIR-CT2500-K9-7-5-102-0, LAPs are AIR-CAP2602E-A-K9
    I set several LAPs for working in mesh mode, I set three Bridge Group Names, the first group has one Root AP and three MAPs working in channel 157, every MAP has a switch connected to its ethernet port.
    the second group has 2 LAPs one Root and one MAP, all working in channel 48. The MAP  is connected to a switch.
    the third group has  2 LAPs, one root and one MAP, all working in channel 149. The MAP  is connected to a switch.
    The issue is the next:
    At the beginning all LAPs were associated to their bridge group and in the channel defined but suddenly all LAPs of group 1 moved to channel 48 (second group) including the ROOT AP. This happened after the switch that connects to the RAP was disconnected from  LAN.
    In order to associate once again LAPs of the first group  to the channel I defined previously I connected RAP to the switch once again. I noticed the channel shown was 48 and in downlink role mode. I changed to channel 157, reset the LAP and waited several minutes; after the first reset the RAP remained in channel
    48 (it must be 157), I reset once again and waited several minutes. Finally the RAP was up and working in channel 157.
    After this I reset the MAPs that correspond to BGN 1, after several minutes finally just one MAP for BGN 1 was shown in the correct channel and in the correct Radio role, I had to reset several times  the other MAPs until they were shown in the channel I set previously and in the correct radio role.
    I would like to know the reason the RAP and MAP move to a different channel even though I define the Bridge Group Name in every one and the specific channel.
    regards

    Hi scott ,
    Thanks for your explanation, very clear.
    In my scenario  every RAP connects to a switch where I define VLANs and specific VLANs are allowed to pass. If RAP and MAP join to a different RAP (different BGN)
    it will allow traffic to pass or maybe not allow traffic I need to.  That's why I worry about keeping the MAPs joined to the correct RAP and the RAP kept in the BGN and channel set previously.
    Is there any option to avoid this issue?
    Thanks a lot for your time
    regards

  • OIA : Import Users, Accounts, User Role Memberships and Entitlements

    Hi,
    I have integrated OIM 11.1.1.5 with OIA 11.1.1.5. I am trying to execute scheduled job in OIA " Import Users, Accounts, User Role Memberships and Entitlements"
    which in turn invokes scheduled job some of them are :
    OIM Staging Tables Collection Status Failed with following exception
    Accounts imported from OIM staging table : Status In progress for more than 2 hours
    Please provide pointer to resolve this :
    11:06:15,915 DEBUG [RbacxDataImporterImpl] --> imported 28 metadata items StopWatch 'import Attribute Value Metadata': running time (millis) = 0
    11:06:15,917 INFO [IamDbEntitlementImportHelperImpl] Imported 28 entitlements
    11:06:15,917 DEBUG [DBIAMSolution] publishing import completed event...
    11:06:15,917 DEBUG [AuthenticationEventsListener] Listening application event
    11:06:15,917 DEBUG [DefaultIAMListener] Queuing IAM Event.com.vaau.rbacx.iam.IAMEvent[source=com.vaau.rbacx.iam.db.DBIAMSolution@133e9a5e]
    11:06:15,917 DEBUG [IamDbEntitlementImportHelperImpl] Completing import run id ---> 31
    11:06:15,917 DEBUG [DefaultJobMonitor] MonitorMap{status=3, totalCount=28, currentCount=28, iamType=ENTITLEMENTS IMPORT}
    11:06:15,917 DEBUG [DefaultJobMonitor] MergedMap{status=3, totalCount=28, currentCount=28, iamType=ENTITLEMENTS IMPORT}
    11:06:15,917 DEBUG [DBIAMSolution] Importing Users
    11:06:15,918 DEBUG [DefaultJobMonitor] MonitorMap{status=6, totalCount=0, currentCount=0, iamType=DATA IMPORT}
    11:06:15,918 DEBUG [DefaultJobMonitor] MergedMap{status=6, totalCount=0, currentCount=0, iamType=DATA IMPORT}
    11:06:15,918 DEBUG [IamDbUserImporterImpl] DBUsers Import Start ...
    11:06:15,918 DEBUG [DBIAMSolution] publishing import starting event...
    11:06:15,918 DEBUG [AuthenticationEventsListener] Listening application event
    11:06:15,918 DEBUG [DefaultIAMListener] storing new ImportRun
    11:06:15,918 DEBUG [SequenceGeneratorServiceImpl] Getting MemorySequence for sequence name com.vaau.rbacx.iam.domain.ImportRun
    11:06:15,918 DEBUG [SequenceGeneratorServiceImpl] Returning count for sequence name com.vaau.rbacx.iam.domain.ImportRun, count = 32
    11:06:15,920 DEBUG [SequenceGeneratorServiceImpl] Getting MemorySequence for sequence name ImportRunStepId
    11:06:15,920 DEBUG [SequenceGeneratorServiceImpl] Returning count for sequence name ImportRunStepId, count = 32
    11:06:15,924 DEBUG [IamDbUserImporterImpl] Starting import run id ---> 32
    11:06:15,987 ERROR [IamDbUserManagerImpl] Problem retrieving IAM userIds from db
    *org.springframework.jdbc.UncategorizedSQLException: SqlMapClient operation; uncategorized SQLException for SQL []; SQL state [null]; error code [0];*
    --- The error occurred in com/vaau/rbacx/iam/db/dao/ibatis/maps/IamDbUser.xml.
    --- The error occurred while executing query.
    --- Check the select id from oia_staging_users .
    --- Check the SQL Statement (preparation failed).
    --- Cause: java.sql.SQLException: Unable to start the Universal Connection Pool: oracle.ucp.UniversalConnectionPoolException: Cannot get Connection from Datasource; nested exception is com.ibatis.common.jdbc.exception.NestedSQLException:
    --- The error occurred in com/vaau/rbacx/iam/db/dao/ibatis/maps/IamDbUser.xml.
    --- The error occurred while executing query.
    --- Check the select id from oia_staging_users .
    --- Check the SQL Statement (preparation failed).
    --- Cause: java.sql.SQLException: Unable to start the Universal Connection Pool: oracle.ucp.UniversalConnectionPoolException: Cannot get Connection from Datasource
         at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:83)
         at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:80)
         at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:80)
         at org.springframework.orm.ibatis.SqlMapClientTemplate.execute(SqlMapClientTemplate.java:212)
         at org.springframework.orm.ibatis.SqlMapClientTemplate.executeWithListResult(SqlMapClientTemplate.java:249)
         at org.springframework.orm.ibatis.SqlMapClientTemplate.queryForList(SqlMapClientTemplate.java:296)
         at org.springframework.orm.ibatis.SqlMapClientTemplate.queryForList(SqlMapClientTemplate.java:290)
         at com.vaau.rbacx.iam.db.dao.ibatis.SqlMapIamDbUserDao.findAllUserIds(SqlMapIamDbUserDao.java:48)
         at com.vaau.rbacx.iam.db.manager.IamDbUserManagerImpl.getUserIds(IamDbUserManagerImpl.java:48)
         at com.vaau.rbacx.iam.db.helpers.IamDbUserImporterImpl.readUsers(IamDbUserImporterImpl.java:78)
         at com.vaau.rbacx.iam.db.DBIAMSolution.doDataLoad(DBIAMSolution.java:547)
         at com.vaau.rbacx.iam.db.DBIAMSolution.loadData(DBIAMSolution.java:284)
         at com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl.dataLoad(RbacxIAMServiceImpl.java:510)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
         at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
         at $Proxy132.dataLoad(Unknown Source)
         at com.vaau.rbacx.scheduling.executor.iam.DbIamJobExecutor.execute(DbIamJobExecutor.java:83)
         at com.vaau.rbacx.scheduling.manager.providers.quartz.jobs.AbstractJob.execute(AbstractJob.java:72)
         at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
         at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:534)
    Caused by: com.ibatis.common.jdbc.exception.NestedSQLException:
    --- The error occurred in com/vaau/rbacx/iam/db/dao/ibatis/maps/IamDbUser.xml.
    --- The error occurred while executing query.
    --- Check the select id from oia_staging_users .
    --- Check the SQL Statement (preparation failed).
    --- Cause: java.sql.SQLException: Unable to start the Universal Connection Pool: oracle.ucp.UniversalConnectionPoolException: Cannot get Connection from Datasource
         at com.ibatis.sqlmap.engine.mapping.statement.MappedStatement.executeQueryWithCallback(MappedStatement.java:201)
         at com.ibatis.sqlmap.engine.mapping.statement.MappedStatement.executeQueryForList(MappedStatement.java:139)
         at com.ibatis.sqlmap.engine.impl.SqlMapExecutorDelegate.queryForList(SqlMapExecutorDelegate.java:578)
         at com.ibatis.sqlmap.engine.impl.SqlMapExecutorDelegate.queryForList(SqlMapExecutorDelegate.java:552)
         at com.ibatis.sqlmap.engine.impl.SqlMapSessionImpl.queryForList(SqlMapSessionImpl.java:118)
         at org.springframework.orm.ibatis.SqlMapClientTemplate$3.doInSqlMapClient(SqlMapClientTemplate.java:298)
         at org.springframework.orm.ibatis.SqlMapClientTemplate.execute(SqlMapClientTemplate.java:209)
         at org.springframework.orm.ibatis.SqlMapClientTemplate.executeWithListResult(SqlMapClientTemplate.java:249)
         at org.springframework.orm.ibatis.SqlMapClientTemplate.queryForList(SqlMapClientTemplate.java:296)
         at org.springframework.orm.ibatis.SqlMapClientTemplate.queryForList(SqlMapClientTemplate.java:290)
         at com.vaau.rbacx.iam.db.dao.ibatis.SqlMapIamDbUserDao.findAllUserIds(SqlMapIamDbUserDao.java:48)
         at com.vaau.rbacx.iam.db.manager.IamDbUserManagerImpl.getUserIds(IamDbUserManagerImpl.java:48)
         at com.vaau.rbacx.iam.db.helpers.IamDbUserImporterImpl.readUsers(IamDbUserImporterImpl.java:78)
         at com.vaau.rbacx.iam.db.DBIAMSolution.doDataLoad(DBIAMSolution.java:547)
         at com.vaau.rbacx.iam.db.DBIAMSolution.loadData(DBIAMSolution.java:284)
         at com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl.dataLoad(RbacxIAMServiceImpl.java:510)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
         at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
         at $Proxy132.dataLoad(Unknown Source)
         at com.vaau.rbacx.scheduling.executor.iam.DbIamJobExecutor.execute(DbIamJobExecutor.java:83)
         at com.vaau.rbacx.scheduling.manager.providers.quartz.jobs.AbstractJob.execute(AbstractJob.java:72)
         at org.quartz.core.JobRunShell.run(JobRunShell.java:203)
         ... 1 more
    Caused by: java.sql.SQLException: Unable to start the Universal Connection Pool: oracle.ucp.UniversalConnectionPoolException: Cannot get Connection from Datasource
         at oracle.ucp.util.UCPErrorHandler.newSQLException(UCPErrorHandler.java:541)
         at oracle.ucp.jdbc.PoolDataSourceImpl.throwSQLException(PoolDataSourceImpl.java:588)
         at oracle.ucp.jdbc.PoolDataSourceImpl.startPool(PoolDataSourceImpl.java:277)
         at oracle.ucp.jdbc.PoolDataSourceImpl.getConnection(PoolDataSourceImpl.java:647)
         at oracle.ucp.jdbc.PoolDataSourceImpl.getConnection(PoolDataSourceImpl.java:614)
         at oracle.ucp.jdbc.PoolDataSourceImpl.getConnection(PoolDataSourceImpl.java:608)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
         at com.vaau.commons.springframework.aop.interceptor.DataSourceInterceptor.invoke(DataSourceInterceptor.java:65)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
         at $Proxy131.getConnection(Unknown Source)
         at org.springframework.jdbc.datasource.DataSourceUtils.doGetConnection(DataSourceUtils.java:113)
         at org.springframework.jdbc.datasource.TransactionAwareDataSourceProxy$TransactionAwareInvocationHandler.invoke(TransactionAwareDataSourceProxy.java:210)
         at $Proxy118.prepareStatement(Unknown Source)
         at com.ibatis.sqlmap.engine.execution.DefaultSqlExecutor.prepareStatement(DefaultSqlExecutor.java:519)
         at com.ibatis.sqlmap.engine.execution.DefaultSqlExecutor.executeQuery(DefaultSqlExecutor.java:173)
         at com.ibatis.sqlmap.engine.mapping.statement.MappedStatement.sqlExecuteQuery(MappedStatement.java:221)
         at com.ibatis.sqlmap.engine.mapping.statement.MappedStatement.executeQueryWithCallback(MappedStatement.java:189)
         at com.ibatis.sqlmap.engine.mapping.statement.MappedStatement.executeQueryForList(MappedStatement.java:139)
         at com.ibatis.sqlmap.engine.impl.SqlMapExecutorDelegate.queryForList(SqlMapExecutorDelegate.java:578)
         at com.ibatis.sqlmap.engine.impl.SqlMapExecutorDelegate.queryForList(SqlMapExecutorDelegate.java:552)
         at com.ibatis.sqlmap.engine.impl.SqlMapSessionImpl.queryForList(SqlMapSessionImpl.java:118)
         at org.springframework.orm.ibatis.SqlMapClientTemplate$3.doInSqlMapClient(SqlMapClientTemplate.java:298)
         at org.springframework.orm.ibatis.SqlMapClientTemplate.execute(SqlMapClientTemplate.java:209)
         at org.springframework.orm.ibatis.SqlMapClientTemplate.executeWithListResult(SqlMapClientTemplate.java:249)
         at org.springframework.orm.ibatis.SqlMapClientTemplate.queryForList(SqlMapClientTemplate.java:296)
         at org.springframework.orm.ibatis.SqlMapClientTemplate.queryForList(SqlMapClientTemplate.java:290)
         at com.vaau.rbacx.iam.db.dao.ibatis.SqlMapIamDbUserDao.findAllUserIds(SqlMapIamDbUserDao.java:48)
         at com.vaau.rbacx.iam.db.manager.IamDbUserManagerImpl.getUserIds(IamDbUserManagerImpl.java:48)
         at com.vaau.rbacx.iam.db.helpers.IamDbUserImporterImpl.readUsers(IamDbUserImporterImpl.java:78)
         at com.vaau.rbacx.iam.db.DBIAMSolution.doDataLoad(DBIAMSolution.java:547)
         at com.vaau.rbacx.iam.db.DBIAMSolution.loadData(DBIAMSolution.java:284)
         at com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl.dataLoad(RbacxIAMServiceImpl.java:510)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
         at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
         at $Proxy132.dataLoad(Unknown Source)
         at com.vaau.rbacx.scheduling.executor.iam.DbIamJobExecutor.execute(DbIamJobExecutor.java:83)
         at com.vaau.rbacx.scheduling.manager.providers.quartz.jobs.AbstractJob.execute(AbstractJob.java:72)
         at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
         ... 1 more
    Caused by: oracle.ucp.UniversalConnectionPoolException: Cannot get Connection from Datasource
         at oracle.ucp.util.UCPErrorHandler.newUniversalConnectionPoolException(UCPErrorHandler.java:421)
         at oracle.ucp.util.UCPErrorHandler.newUniversalConnectionPoolException(UCPErrorHandler.java:389)
         at oracle.ucp.jdbc.DriverConnectionFactoryAdapter.createConnection(DriverConnectionFactoryAdapter.java:134)
         at oracle.ucp.common.UniversalConnectionPoolImpl$UniversalConnectionPoolInternal.createOnePooledConnectionInternal(UniversalConnectionPoolImpl.java:1613)
         at oracle.ucp.common.UniversalConnectionPoolImpl$UniversalConnectionPoolInternal.access$600(UniversalConnectionPoolImpl.java:1421)
         at oracle.ucp.common.UniversalConnectionPoolImpl.createOnePooledConnection(UniversalConnectionPoolImpl.java:488)
         at oracle.ucp.common.UniversalConnectionPoolImpl.addNewConnections(UniversalConnectionPoolImpl.java:988)
         at oracle.ucp.common.UniversalConnectionPoolBase.getInitialConnections(UniversalConnectionPoolBase.java:541)
         at oracle.ucp.common.UniversalConnectionPoolBase.start(UniversalConnectionPoolBase.java:655)
         at oracle.ucp.jdbc.PoolDataSourceImpl.startPool(PoolDataSourceImpl.java:271)
         ... 51 more
    Caused by: java.sql.SQLRecoverableException: IO Error: Invalid number format for port number
         at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:419)
         at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:538)
         at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:228)
         at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:32)
         at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:521)
         at oracle.ucp.jdbc.DriverConnectionFactoryAdapter.createConnection(DriverConnectionFactoryAdapter.java:130)
         ... 58 more

    Hi Pallavi,
    I have the same problem, can you provide me more specific details?
    - Exactly where is oimjdbc.properties located, please?
    - What is it that I have to modify?
    Thanks in advance!
