Import Roles methodology @ ERM

Similar Messages

• CUP SP12: Can no longer import roles to CUP from ERM

  Hello All,
  I can no longer import roles from ERM to CUP on SP12. What is going on with SP12? Error message: "Action failed."
  Log info:
  2010-06-14 14:13:52,933 [SAPEngine_Application_Thread[impl:3]_20] ERROR
  com.virsa.ae.dao.NoRecordsFoundException:  No Records Found ..
  com.virsa.ae.dao.NoRecordsFoundException:  No Records Found ..
          at com.virsa.ae.dao.dto.LocaleFieldContainerDTO.getRecordsList(LocaleFieldContainerDTO.java:127)
  2010-06-14 14:13:52,935 [SAPEngine_Application_Thread[impl:3]_20] ERROR com.virsa.ae.configuration.ConfigurationException:  No Records Found ..
  com.virsa.ae.configuration.ConfigurationException:  No Records Found ..
          at com.virsa.ae.configuration.bo.ImportRolesBO.upsert(ImportRolesBO.java:979)
  Is anyone else running SP12 with CUP & ERM?
  Best Regards, Dylan

  SAP came back and mentioned that I had some role descriptions missing (empty value) and this was causing the issue.
  The results vary by role type:
  1. SINGLE roles CAN be imported successfully to CUP from ERM with missing role descriptions.
  2. DERIVED roles CANNOT be import to CUP from ERM if the role description is missing.
  The solution is to update the DERIVED roles with role descriptions. It's always good practice to have role descriptions for all roles, but many customers have different views on the importance/usefulness of role descriptions.
  This didn't appear to be an issue before SP11, but oh well... Also, since the Role Description field in ERM is mandatory, the mass role import should not allow roles to be imported with missing role descriptions, but it does. I've mentioned that to SAP as well.
  I'm going to close this thread as solved, with workarounds.
  -Dylan

• Error trying to Import Role

  Hi Guys!
  I want to know if some of you have this problem and what you do. .. when I want to mass import role in ERM, I complet all fields and when I press " Import" the system show "The page cannot displayed" if I were trying to work off line ....and there`s no log system for this.
  Any ideas ???
  Thanks!
  Regards

  Guys! I really need your help .... Anybody can help me with this?? This happen when I try to import from DEC.
  I could import role from QA ( I import in background in GRC), but when I try to find the role (by search) any role appears... Any ideas????
  Thanks!!

• ERM SP13: New methodology for import roles

  Hi all,
  We have created and set as active a new process for the methodology, with only 3 steps (Definition, Testing and Approval).The problem is that when we import roles from R3, the roles are import to the system within the SAP default methodology which is inactive, with 7 steps (Definition, Authorization, Derivation, Risk Analysis, Approval, Generation and Testing).
  I have two questions:
  - How can i import the roles to the new and active methodology (3 steps)?
  - How can i select that the roles imported go to the last stage of the methodology? I mean, all the steps will be in "green option"?
  Thanks in advance. Best regards,
  Sergio

  Hi R M,
  Thanks for your quickly response,
  - About the apply to existing roles option, yes, i try that. But ERM continues apply the standard process for methodology. You think wil be resolved if i delete it?
  - About the column Set Role Methodology, youre right, now i can put all the import roles in the last stage of the methodology in "green option".
  Many thanks for your help,
  Sergio

• Import roles to the ERM without using the "Mass Role Import

  Hello,
  I want to know if there is another way to import roles to the ERM without using the "Mass Role Import.
  Im'm using SAP GRC AC 5.3
  Best Regards.
  Pablo Mortera.

  Hi.
  There is NO other way to import roles..
  We need to use only ERM for "Mass Role Import.
  Regards
  Gangadhar

• ERM role methodology configuration

  Hi
  For some reason the stages in the role methodology process in the configuration tab are not in the same order as those showen in the create role screen in the role management tab.
  Does anyone have an idea how it can be fixed?
  Thank you for your help

  Hi...
  First Role definition -> Defining Authorization ->Deriving roles -> Performing risk analysis -> approval -> Generating role*
  we can use the arrow buttons to move the step up or down.
  For creating the methodology
  Login to ERM -> Configuration -> Methodology -> Process -> Create
  Regards
  Gangadhar

• OWN_LOGICAL_SYSTEM_NOT_DEFINED error while Importing Role in CMC

  Hi all,
  I'm currently experiencing the following issue while importing SAP Roles in CMC. The error OWN_LOGICAL_SYSTEM_NOT_DEFINED appears and roles are not available every time I go to the Import Role tab within the Authentication section of CMC.
  As per Integration Kit installation and configuration guide I have created a crystal user (CRYSTALUSR) and the role with the recommended authorization objects was also created and assigned to the above user. Off course, this is the user provided in Entitlement System section.
  Could you please guide in what to check to find the root cause of this issue?
  Thanks and regards

  -

• Access Enforcer(error in approving the request) and import roles

  Dear all,
  error in approving the request at security stage(last)
  manager and role owner are successfully approved.
  and also importing roles into access enforcer was not successful.
  imortstatus : 0 roles imported of 28 records found.
  please find the system log:
  2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.messaging.MessageFormatter : parseDesc :   : INTO the method : desc :Please specify a file to import.paramNames :paramsMap :{FIELD_NAME=#_!FIELD_NAME#_!}
  2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
  2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
  2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
  2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
  2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
  2008-09-05 13:02:28,234 [Thread-47] DEBUG

  In Addition to my previous response:
  I meant to include the following:
  Some of the fields that need to be properly defined with attributes are:
         System: must have the know SAP system defined here
         Role Approver (i presently are using most of the roles without having need for approval; I created a user called NOAPPRV in AE)
         Functional Area: need to have all the areas defined that roles will be assigned to
         Company: I only have one company so that's an easy one
  Some areas I presently do not use but found they must ne coded and coded properly:
         ResponsibilityID:   N/A  (coded as is)
         CommentsMandatory: NO (coded as is)
         Parent Role Owner:   NO
         Business Process: NA  (I believe I originally coded N/A and it did not like that)
         Sub Process: NA  (again N/A I believe error on me)
         Reaffirm Period: presently I am using 0 (zero)
         LastReaffirm: presently using 12/31/9999
  Hope this helps a bit
  I wanted to include an attachment with a sample of my Role Import spreadsheet but I'm not sure exactly how to do that; if I figure that out or someone can provide me the process I will include it
  Jerry Synoga
  Ryerson Inc.
  630-758-2021

• Delete request / role in ERM GRC 5.3

  Hi All
  I have a Role in ERM that I need to delete. Buuut, Role deletion is not possible; it has sent for approval.
  In CUP we have already deleted all request (following instructions by SAP note) and there is not any request in the system.
  The problem is that I can't delete this role from ERM because has been sent for approval, but I cant find the request in CUP or ERM, what can I do? Please, help me !!
  Thanks in Advance.
  David. ..

  Hi David,
  I was the same problem when i wanted to create a new role.
  Confirm in the Approval stage what user you assign as approver. The system doesn´t check if this user exists.
  If this user doesn´t exists, the only possibility to delete the role is create a new UME user with this user, giving the necessary roles and log in to CUP to delete the role.
  I hope this help you,
  Sergio

• Exception in JSP during import roles from BO to SAP

  Good day,
  I have installed SAP Integration Kit but during Import Role action at Authentification - SAP I have error:
  Exception in JSP: /jsp/auth/sapsec_import_role.jsp:16 13: <%@ taglib prefix="b" uri="com.businessobjects.webutil.jsf.controls_1.0"%> 14: 15: 16: <jsp:useBean id="secSAPR3ImportRoleBean" 17: class="com.businessobjects.clientaction.sap.auth.importrole.SAPR3AuthImportRoleBean" 18: scope="session" /> 19: Stacktrace:
  OS - AIX 5.3 64 bit
  Java Connector 2.1.8 32 bit
  Best regards, Iurii Tiunov.

  Hi,
  BOBJ 12.0.1
  BOBJ INTGR. FOR SAP XI 3.1
  I Try to install FixPack 1.3 for BOBJ INTGR. FOR SAP XI 3.1 but error is the same:
  Exception in JSP: /jsp/auth/sapsec_import_role.jsp:16 13: <%@ taglib prefix="b" uri="com.businessobjects.webutil.jsf.controls_1.0"%> 14: 15: 16: <jsp:useBean id="secSAPR3ImportRoleBean" 17: class="com.businessobjects.clientaction.sap.auth.importrole.SAPR3AuthImportRoleBean" 18: scope="session" /> 19: Stacktrace:
  Best regards, Iurii Tiunov.

• Error on Import Roles Tab (org.apache.jasper.jasperexception)

  Hi all,
  We have installed Edge Standard with SAP IK and create systems for SAP. When I switch over to Import Roles tab, following error is fired:
  org.apache.jasper.jasperexception
  We have copied the relevant JCo sapJCo 2.1.8 files in relevant directories, still the error persist.
  Please advise.
  Regards.

  Hi Ingo,
  Yes, it's tomcat running on Oracle.
  However, the issue is now resolved after installing oracle patch. However, it took us re-installation of oracle since previous oracle installation didn't support the (x86) path, subsequently BOE was also reinstalled along with SAP IK. The issue disappeared this time.
  Regards.
  Mohammad

• Issue While Importing Roles in SAp Authentication

  Hi Experts,
  I have installed BO XI 3.1 SAP Integration Kit.
  While Configuring SAP Authentication in CMC  i have enetered all the details of SAP system under  entitlement system.
  Howevere when i click on Role Import tab , i am not able to see any roles avilable.
  I see an error messge over there -   Name or password is incorrect (repeat logon)
  Howevere i am using the correct username and password.
  Thanks
  Edited by: Ashwani Sharma on Jul 9, 2009 11:18 AM

  Hi, Thanks for reply -
  I am connecting to BI 7.0 system.
  Before entering username in CMC its working fine with BI 7.0 system and with frontends also.
  When i will enter that username and password in CMC and click on Import Roles , Suddenly it shows me error message that -
  Name or password is incorrect (repeat logon)
  And also that user id got locked in SAP System.
  I have tried this with alomost 10 ids..... and same result with all...

• Error in accessing imported roles

  Hi All,
          I am facing a problem while i am accessing roles which are imported from one portal to another.These roles are already assigned to iviews.I created a new user into a portal and assigned a imported role to that user.So while i am logging to the portal as the specified user then the iview related to that role should be visible to the user.But i couldnt find anything except a blank iview with portal desktop.
  Is there any changes which i need to do specially for the roles which are imported from a epa file?
  Please put your suggessions.
  Thanks you in advance.
  Chaitali

  I am facing a problem while i am accessing roles which are imported from one portal to another.These roles are already assigned to iviews.
  Did you tranport the iviews and roles or just the roles ? Do you already have the iviews with the same object id and object prefix on the target portal ?
  Just click on the imported role on the target portal and check if you can see those iviews attached to this role ?
  Hope this helps.
  Cheers,
  Sunil
  PS: Reward points for helpful answers.

• Error: Creation new role in ERM

  Dear all,
  When I create a role in ERM, specifically when I try to add Object, is generated the following error message:
  Unhandled error; Message Code is 077 Message Details You are not authorized to use transaction PFCG Message Type is E.
  My version is SAP GRC AC 5.3 and Support Package: 16.
  Thanks all for any suggestions!
  Liliana!

  Hi ,
  User id which is used for connector doesnu2019t have sufficient privileges .
  Kindly ask your admin to assign sufficient access to connector user and then try .
  Thanks & Regards
  Asheesh

• OIA Import roles NullPointerException

  Hi,
  I need to import roles into OIA and constantly face failed import attempts.
  The roles.rbx looks like:
  rolename<use=mandatory>,parentRoleName,roleDescription,policies,statusKey
  The import file (filename: roles12) looks like:
  "AD PROD","","Root Role for Windows","","1"
  "Domain Computers","AD PROD","All workstations and servers joined to the domain","Domain Computers","1"
  The installed OIA version is 11.1.1.5.1.
  I previously imported users, business structures and even policies without hassles. But why does it suddenly fail to import role information?
  The error message in rbacx.log is pretty much useless and doesn't help at all. You'll find it below.
  Does anybody of you know this behavior? (or even better: how to fix it?:-)
  Thanks in advance and regards
  Nicolas
  The only log information I get, is the following excerpt:
  15:51:53,099 DEBUG [CacheModel] Cache 'SchedulerExecutionLogRecord.schedulerExecutionLogRecordResultCache': flushed
  15:51:53,099 INFO [VaauSchedulerEventListenerImpl] Job executed: in roles12, IAM
  15:51:53,099 INFO [VaauSchedulerEventListenerImpl] Job run time: 0s
  15:51:53,100 INFO [VaauSchedulerEventListenerImpl] Next Run: null
  15:52:01,966 ERROR [RoleFileReader] ---> Error occured file reading file:
  java.lang.NullPointerException
  at com.vaau.rbacx.util.NameIdMap.put(NameIdMap.java:100)
  at com.vaau.rbacx.core.support.RbacxDataImporterImpl.getUserNameIdMap(RbacxDataImporterImpl.java:1791)
  at com.vaau.rbacx.core.support.RbacxDataImporterImpl.importRoles(RbacxDataImporterImpl.java:1054)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
  at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
  at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
  at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
  at $Proxy127.importRoles(Unknown Source)
  at com.vaau.rbacx.iam.file.csv.RoleFileReader.importRoles(RoleFileReader.java:278)
  at com.vaau.rbacx.iam.file.csv.RoleFileReader.readCSVFileInternal(RoleFileReader.java:203)
  at com.vaau.rbacx.iam.file.csv.AbstractCSVFileReader.readInternal(AbstractCSVFileReader.java:84)
  at com.vaau.rbacx.iam.file.support.AbstractFileReader.read(AbstractFileReader.java:160)
  at com.vaau.rbacx.iam.file.support.AbstractFileReader.run(AbstractFileReader.java:82)
  at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
  at java.lang.Thread.run(Thread.java:619)
  15:52:41,025 DEBUG [CacheModel] Cache 'IdentityAuditPolicyViolation.identityAuditPolicyViolationCache': retrieved object '0'
  15:52:41,029 DEBUG [CacheModel] Cache 'IdentityAuditPolicyViolation.identityAuditPolicyViolationCache': retrieved object '0'
  15:52:41,032 DEBUG [CacheModel] Cache 'IdentityAuditPolicyViolation.identityAuditPolicyViolationCache': retrieved object '0'
  15:52:41,036 DEBUG [CacheModel] Cache 'IdentityAuditPolicyViolation.identityAuditPolicyViolationCache': retrieved object '0'
  15:54:30,597 INFO [DefaultRemoter] Exec: dwrIAMService.getOIMIAMSolutionVersion()
  15:54:31,818 INFO [DefaultRemoter] Exec: dwrIAMService.getConnectionSpecs()
  15:54:45,290 INFO [DefaultRemoter] Exec: dwrSchedulerService.isValidCronExpression()
  15:54:45,316 WARN [BasicObjectConverter] Missing java bean property to match javascript property: null. For causes see debug level logs:
  15:54:45,316 INFO [DefaultRemoter] Exec: dwrSchedulerService.addSchedulerIAMJob()

  The error message mentions NullPointerException and something about NameIdMap. So far it didn't make any sense, because assigning users to roles during an import process was AFAIK not feasible.
  It turned out, that during the users import process there were some corrupt records, which caused two users to not have a username (in the table: username was NULL) and one user with a invalid username containing dash signs... So far the system never complained about it, when browsing thru the users or doing something else.
  SOLUTION: Deleting the users from table GLOBALUSERS and BU_GLOBALUSERS and afterwards importing the roles again.... Hooray! It works!
  Lessons learned:
  1) Make sure, absolutely sure, that import files do match the structure, e.g. number of columns even when column values are empty.
  2) Most importantly make plausibility checks whether the content of the columns appear correct.
  3) Check rbacx.log (tail -f rbacx.log) to see what the system does.
  3) Use a SQL Browser to analyze the content of the tables afterwards. The column structured view allows you to quickly find rows which do not match with the general visual impression. (e.g. username having a certain length but there are some which have much longer strings -> Suspicious!)
  4) Do not bang your head on the table... it's just not worth it ;-)
  Regards
  Nicolas