Inconsistent behavior of user-role assignment

Similar Messages

• LDAP user role Assignment

  Hello All,
  I have integrated the Corporate LDAP with EP 7.0 ,and then assigned portal roles to the LDAP users. The users still exist in the LDAP and we are not importing them , but then how's the role assignment done on the portal and where is the information for each user's assigned roles stored int he UME Database, is there any specific table for that ,some profile or what?
  Any help would be really appreciated
  Thanks

  Hi,
  I have not tried this, but there are logical attributes with which you can also store
  User-->Role assignment into LDAP.
  PRINCIPAL_RELATION_MEMBER_ATTRIBUTE
  PRINCIPAL_RELATION_PARENT_ATTRIBUTE
  Check this:
  http://help.sap.com/saphelp_nw2004s/helpdata/en/e6/d75d3760735b41be930f2dddae3126/frameset.htm
  <nameSpace name="com.sap.security.core.usermanagement.relation">
                <attributes>
                  <attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE"/>
                </attributes>
  </nameSpace>
  So it depends on your UME datasource configuration, where this assignment information is saved.
  Greetings,
  Praveen Gudapati

• Urgent: User Roles assigned to Sales Orgs and document types

  Dear Guru's :
  I have job user roles one side and sales orgs on otherside. We are trying to find out which sales orgs are using what sales document types.
  All i am trying to achieve is connect those two and make a report. it needs to be done by SE16
  First step is :
  PFCG- Enter Role u2013Click glasses-Authorizations-Display Authorization data
  you need to identify the authorization objects for each T-code and then assign the appropriate values for each authorization object. these authorization objects assigned to a Role and then, allowed T-codes are assigned to Role and
  My Basis Person to Create one AUTHORIZATION OBJECT      V_VBAK_AAT  Sales Document: Authorization for Sales Document Types  and assign your required transaction codes to that authorization and assign them to the users.
  User IDs which can use this Role (set of authorizations) can be assigned to this role.
  Second step is achieved through SE16 ;
  Execute this two table :
  There is no one-shot for this However there is a way out for this outside SAP.
  You can download AGR_1251 and AGR_1252 for the selected roles and use MS Excel or Access to do this compare for you. Its a bit more tricky than said, however once you get a hang of it, I think its a good way of reducing the efforts of making use of individual compare reports.
  Any one knows how to do this i am kind of lost here.  Could you help me to organize this process / steps.
  Full points will be given to who helps me answer my question.
  Thank you in advance.

  Dear Raghu and all:
  I am very much thankful to you for your answer Raghu. This is exactley what i was looking for. Could you throw more light on this topic. Or do you know where can i get more info.or  more tcodes related to this topic. I am using SUIM and PFCG. I dont know much about this transactions. Could you please help me to understand this topic.
  I have Authorization object through which i found out which sales documents are attached to users. I dont know next step in this process. Or does any one know any thing about this subject.  Any help will be grateful.
  Van bills.

• Role assignment API

  Hi,
  Does anyone know the API for user - role assignment ?
  Thanks,
  Elad.

  Hi,
  Run thru,
  https://media.sdn.sap.com/javadocs/NW04/SPS15/um/index.html
  and the blog,
  User management API in WebDynpro
  and the thread,
  Re: Getting Portal Runtime information from webdynpro
  Regards
  Srinivasan T

• ESS- User Roles

  Hi Experts
  I am using ECC 6.0 and ESS 7, for SAP Gui (R/3) also we are using Portal, means as per the user roles assigned in R/3, user is able to view different services of R/3 in portal with ESS.
  For ESS I am using all the three standard roles of ESS i.e.
  SAP_ESSUSER
  SAP_ESSUSER_ERP05
  SAP_ESSUSER_ERP
  but when I had assigned all these roles to a user and accessing the ESS I am facing the following error:
  com.sap.tc.webdynpro.services.exceptions.WDRuntimeException: ComponentUsage(FPMConfigurationUsage): Active component must exist when getting interface controller. (Hint: Have you forgotten to create it with createComponent()? Should the lifecycle control of the component usage be "createOnDemand"?
  Plz help me in this regard
  Thanks in advance
  Sheetal Gupta

  Hi Sheetal,
  try to give....only one role..i.e SAP_EMPLOYEE_ERP or SAP_ALL  and check it..
  it could also may be poss thatt user is locked in backend....
  u also need to assign ESSUSER group to user..
  regards
  Jigar Oza

• AD user with no role assignment cannot login

  We have created AD users that are being authenticated through OBIEE 11g. In the AD we currently have the user, password and group information associated with all the users created.
  As per system behavior if an user's group is not mapped to a role within the EM, it should automatically be tagged with the authenticated-role which being a part of the 'BIConsumer' role will give the corresponding privileges to that user. This does not seem to be happening. Any insights on why this would be the case?
  Additionally - If there is a group associated with a AD user within the active directory itself, is it mandatory that the AD groups be associated with a role? What I mean by this is, if we have RPD level init block to map authenticated users to custom database roles imported within the RPD and EM, would they not work unless there is a direct AD group to role assignment?

  The RPD had no access set for "Authenticated Users" and "BI Consumer Role" for all subject areas as part of the presentation layer permissions, hence unless a user was assigned to a role that could access either one of the subject areas the default authentication would not work.

• Making users available for OpenSSO realm group and role assignment?? Help.

  Here is the situation. We have 3 Open SSO realms set up. One we have called OpenSSO-Admin, a second called OpenSSO-Provider and a third OpenSSO-Internal. We are having issues provisioning and managing the OpenSSO-Internal OpenSSO-Provider realms, but OpenSSO-Admin seems to be fine.
  Here is the behavior that is manifest.
  In the 2 'broken' realms, when we create users and assign them to the appropriate Open SSO realm, they appear to be provisioned correctly in IDM as well as the realm (We have validated user creation in LDAP and everything about the user appears to be fine). When we view the groups and roles in the specific resources, we are presented with a list of users that are in Brackets and appear to be provisioned. The brackets indicate that the users are not found as available users. The bracketed users can not be unassigned, nor can any others. note, our bracketed users in the list of assigned users are created from a workflow which assigns them directly to the appropriate group and role based on their business role.
  The third realm, OpenSSO-Admin works fine and we can add, and manage users in the groups and roles within the realm.
  We have ruled out the workflow as a source as the problem persists when we use the tool to manage users. We can create a user from scratch and add them to the realms. In the 'Broken' relms, the users do not appear in thelist of available users to be assigned to the groups or roles. Yet in the 'good realm, everything appears fine. We can move users from one realm to another and the problem persists in the broken realms, but when a user is added to the 'good' realm, everything is fine.
  I have tried reconciling and get no different results.
  Question is, We have isolated that the issue seems to be in the generation / management of the left hand "Available Users" list. How and where is this generated from and how can we check/fix or regenerate this list?
  Thanks.
  Joe

  I should clarify. We are using Sun IDM 8.1

• Report to see user type and roles assigned to users in EP?

  Hi,
  a) Is there any reporting mechanism in EP? Any specific report which throws up user types and roles assigned to the users? There is an option of 'Export' in the user management role but unfortunately it does not give information on User Type.
  b) If  the group is assigned a role, How can we see ( in any report) the roles assigned to a group? In the 'export' option of the 'User Management' this information does not come.

  By default Portal UME comes along with the installation of portal.
  Sometimes we may integrate external users using LDAP. At that time users come from ABAP stack or some active directories.  But you can also create users in the portal UME.  The purpose of using LDAP is to maintain the users centrally rather than creating again in portal.
  You can check them in user administration->identity management and search for the users.
  THere you can see some users will be from UME and some from LDAP.
  User Admin tool is nothing but User Administration only.
  Raghu

• How to get the list of roles assigned to a user in all the child systems

  how to get the list of roles assigned to a user in all the child systems from CUA SYSTEM

  Try transaction SUIM in your CUA system. Go to user, cross-system information, users by roles. If you run it wide open, you'll get all users and all roles assigned for all systems managed in your CUA.
  Krysta

• Problem assigning internet user Role through portal

  Hi All,
  Please could someone help me with the following:
  I am creating a registration process that creates a new CRM Business partner with contact person and internet user roles. When i run the Bapi from with in CRM everything works fine however when i run my jsp dynpage application and call the same bapi, the internet user that i create does not have any of the logon details or roles. Does anyone know why this is? i am using the same user when running in crm and the portal.
  Many thanks in advance
  Calvin

  Hi Sunil,
  Thanks for your reply. answers to your questions:
  1. Yes, all portal users are maintained and have the same roles as CUA users. Portal authenticates against CUA.
  2. Yes the user is created correctly on the backend. i have created a BAPI that creates users, BP's and assigns roles. This Bapi works perfectly when run in CRM but as soon as it is accessed via the portal the internet user role does not have all the required information.
  Many thanks
  Calvin

• How to Disply the List of Roles assigned to a  selected user ?

  Hi all,
  I have a specific requirement to develope using Webdynpro. I want to programically display the list of roles assigned to a selected user. Could some one help me . I promise to award points for the solution.
  Thank you in advance
  Regards
  Maruti

  Hi Maruti,
     Iterator rit = null;
  try
  IWDClientUser clientUser = WDClientUser.getCurrentUser();
  IUser user = clientUser.getSAPUser();
  rit = user.getRoles(true);
  IRoleFactory rfact = UMFactory.getRoleFactory();
  while (rit.hasNext()) {
  String roleName = (String) rit.next();
  IRole role = rfact.getRole(roleName);
  }catch(Exception e)
  e.getLocalizedMessage();
  check this thread too
  /message/1565111#1565111 [original link is broken]
  Regards, Suresh KB

• OBPM 10gR3 Dynamic Role Assignment at user login

  Hi,
  For all the great integration with LDAP in 10gR3, unfortunately, the system is unable to deal with dynamically-defined LDAP groups.
  Our goal is to apply a BPM Role to ALL humans defined in our LDAP.
  All humans happen to already be defined by a dynamically-defined LDAP group called 'AllPeople'.
  It would have been perfect if we could simply assign our BPM Role, 'Employee', to the LDAP group, 'AllPeople'. Sadly you can't (one for the next release pls).
  So as a workaround, what we want to do instead is assign the BPM Role 'Employee' to each individual user dynamically when they first login.
  Since the FDI library is useless outside of a BPM context (you'll find that some of the familiar methods of RoleAssignment are missing), We opted to create an actual BPM process to conduct role assignments, and we would then trigger it via PAPI.
  The question then was, where/when do we invoke the process such that it does the role assignment quickly and soon enough for the appropriate views and applications to appear in their workspace straight after login?
  We opted for a customised implementation of the SSOWorkspaceLoginInterface class.
  However, we tried making the invocation in the setupAuthenticatedSession() and the processRequest() methods but, although the role assignment was successfully done in either case, sadly the user's session was loaded without the new changes - perhaps loaded quicker than the role assignment could be fed back through the directory.
  Therefore, we dumped the invocation in the actual constuctor - and this seems to work for the most part. Yet on the odd ocassion, the role assignment is not quick enough to be realised in the user's workspace session - the user has to logout and back in before the changes are realised.
  We've even tried to get the execution to sleep for a second or two, while the PAPI thread goes about doing the role assignment - again not much success.
  So I really have 2 questions:
  1. Where during login can we make a PAPI call to do a role assignment so that it should be picked up by the time the session is created? perhaps we already are doing it in the right place.
  2. How could we refresh/request a new session cookie without explicitly logging out and back in again? Note, page refresh is not enough.
  Thanks for reading.

  Sorry for the belated response - I don't get notified of replies.
  The code for my custom SSOLoginModule class is:-
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  import java.io.FileInputStream;
  import java.io.IOException;
  import java.util.Properties;
  import fuego.workspace.security.SSOWorkspaceLoginInterface;
  import fuego.papi.Arguments;
  import fuego.papi.CommunicationException;
  import fuego.papi.InstanceInfo;
  import fuego.papi.OperationException;
  import fuego.papi.ProcessService;
  import fuego.papi.ProcessServiceSession;
  import fuego.sso.SSOLoginException;
  import fuego.sso.SSOUserLogin;
  import fuego.jsfcomponents.Util;
  import fuego.workspace.model.common.WorkspaceApplicationBean;
  public class CustomSSOWorkspaceLogin extends SSOUserLogin implements SSOWorkspaceLoginInterface {
  private ProcessService pService;
  private ProcessServiceSession pServiceSession;
  private Properties properties;
  public SSOWorkspaceDBLogin() {
  //Do the role assignment here because it works, and does not work in the ideal location of setupAuthenticatedSession method
  pService = createProcessService();
  pServiceSession = createProcessServiceSession();
  assignDefaultRole(Util.getHttpServletRequest().getRemoteUser());
  private ProcessService createProcessService() {
  return WorkspaceApplicationBean.getCurrent().getProcessService();
  private ProcessServiceSession createProcessServiceSession() {
  return pService.createSession("yourdirectoryusername","yourdirectorypassword",null);
  //This method is used to remotely invoke a BPM process to do the role assignment - no external API to do this directly!
  private void assignDefaultRole(String email) {
  try {
  String processId = "myRoleAssignmentProcessId";
  String argumentName = "argumentName"; //the name of the input argument to feed in the participant
  String argumentValue = email;
  Arguments arguments = Arguments.create();
  arguments.putArgument(argumentName, argumentValue);
  InstanceInfo instance = pServiceSession.processCreateInstance(processId, arguments);
  Long waitTime = new Long(1000);
  Long timeLimit = new Long(5000);
  boolean roleAssigned = false;
  boolean timeLimitExceeded = false;
  Long startTime = System.currentTimeMillis();
  //Allow role assignment thread to complete
  while (!roleAssigned && !timeLimitExceeded) {
  try {
  Thread.sleep(waitTime);
  if (pServiceSession.processGetInstance(instance.getId()).isCompleted()) {
  roleAssigned = true;
  if (System.currentTimeMillis() - startTime > timeLimit) {
  timeLimitExceeded = true;
  } catch (InterruptedException e) {
  e.printStackTrace();
  //close process service session
  pServiceSession.close();
  //Do not close the service itself as it is shared with the Workspace itself!
  //pService.close();
  } catch (Exception e) {
  e.printStackTrace();
  public void setupAuthenticatedSession(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse) throws SSOLoginException {
  //Unfortunately, the below does not work here because the role assignment is not fast enough
  //The result is that the user logs in but cannot see any applications because the role assignment has not been made in time.
  //Therefore, we run the below statements from the constructor - ugly but functions.
  //pService = createProcessService();
  //pServiceSession = createProcessServiceSession();
  //assignDefaultRole(httpservletrequest.getRemoteUser());
  public void processRequest(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse) throws SSOLoginException {
  }

• How to create SR Queue and Custom User Role for technician only see which SR assigned Him/Her and Resolve

  Hi 
  I have created workitem SR advance and Criteria with ID [Assigned To ME] and created user role in Advance operators.
  But in technician Console showing which SR he/she created not service desk assigned to him/her.
  Please suggest...
  Regards
  Sheetla Maurya

  I have find out Solution .......Create Queue with Service Request Advance and we not need to create any criteria option, After that create custom User role on Advance
  operators with View "Assigned To ME"
  Regards
  Sheetla Maurya

• User details in respect of roles assigned to them

  Hi Experts,
  Sorry if i am posting thread on wrong category.
  Can you tell me any table that contains the list of users against roles assigned to them?
  Or just guide me to post the thread to correct category if I am wrong.
  Thanks and regards,
  Shikha Gupta.

  I think a download of table AGR_USERS will provide you with the desired information or at least with enough info to filter on in Excel..

• Function module to Delimit the roles assigned to the user

  Hi All,
  I am working on security role automation process abap report.My requirement is to delimit the roles assigned to the user on account of employee termination or retirement. I have used the function module "BAPI_USER_ACTGROUPS_ASSIGN"  to delimit the role assigned to the user.
  Passing the importing parameter "username" and in the Tables parameter"ACTIVITYGROUPS"  passing the respective parameters AGR_NAME(Role), FROM_DAT(Start Date),TO_DAT(termination date - 1). When I passing the parameters as mentioned above,the role assigned to the user is getting deleted,instead of delimitation of the role assigned to the user.
  Is there any other function module we can use to delmit the roles assigned to the user?  Please help.
  Regards,
  Krishnan

  hai,
  please try this.
  /VIRSA/RE_BAPI_CREATE_ROLE- Create Roles
  /VIRSA/ROLE_ASSIGN_CUA_NH
  /VIRSA/RE_BAPI_ROLE_TO_USERS
  ASSIGN_USERS_HIERARCHY - User Assignment to Role - this is a Normal FM
  try this bapis this may work
  BAPI_USER_LOCK
  - BAPI_USER_PROFILES_ASSIGN
  - BAPI_USER_LOCPROFILES_ASSIGN
  - BAPI_USER_LOCACTGROUPS_ASSIGN
  - BAPI_USER_CHANGE
  - BAPI_USER_UNLOCK