Manual CUP provisioning

Similar Messages

• CUP Provisions user to SAP successfully but gives "Auto-Provisioning" error

  Hi All,
  I'm getting an "auto-provisioning" error in CUP when a "Change Account" workflow is approved. The strange thing is, CUP does successfully provision the change to the SAP backend. Yet, the "New Account" provisions successfully without the error.
  Here is an example of the audit trail log from Change Account:
  Request submitted for approval by Dylan Hack(HACKDY) on 06/28/2010 17:14 
  Approved By Dylan Hack(HACKDY) Path AE_AUTO_APPROV_ERROR and Stage AE_AUTOPROV_ERR on 06/28/2010 17:14 
     Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
     Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
     Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
     Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
  Auto provisioned for request on 06/28/2010 17:14 
     User Provisioning failed for System(s) : DEV. Error Message :
     Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
     Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
     Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
     Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
  Request submitted for reroute by system on 06/28/2010 17:14 due to auto provisioning failure 
     Rerouted in the Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR to Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR
  Note: the role names were replaced with "xxxxxxx."
  The system log gives an error, but it is very vague:
  2010-06-28 17:14:34,682 [SAPEngine_Application_Thread[impl:3]_33] ERROR com.virsa.ae.service.ServiceException
  com.virsa.ae.service.ServiceException
       at com.virsa.ae.service.sap.SAPProvisionDAO.intializeWithChangeUserInputParameters(SAPProvisionDAO.java:762)
       at com.virsa.ae.service.sap.SAPProvisionDAO.changeUser(SAPProvisionDAO.java:3457)
       at com.virsa.ae.service.sap.SAPProvisionDAO.changeUser(SAPProvisionDAO.java:3419)
  Any ideas or suggestions?
  Current software level AC5.3 SP12.
  -Dylan

  Hello Varun,
  Thanks for the thought on this. We don't use User Defaults for Change Account, but do for New Account. You question prompted me to do more testing with very interesting results.
  Results
  New Account with User Defaults configured:
  User provisioned successfully, no Auto-Provision error, Defaults NOT provisioned.
  New Account without User Defaults configured:
  User provisioned successfully, no Auto-Provision error.
  Change Account with User Defaults configured:
  User provisioned successfully, no Auto-Provision error, Defaults NOT provisioned.
  Change Account without User Defaults configured:
  User provisioned successfully, Auto-Provision ERROR, Defaults NOT provisioned.
  In both New and Change Account, the configured User Defaults are NOT provisioned even though the user is provisioned. AC5.3 is on SP12, the RTA is VIRSANH SP12 and VIRSAHR SP10.
  For the Change Account, the user is always provisioned regardless of User Defaults; however, when no User Default is configured, the Auto-Provisioning error occurs. The User Defaults NOT provisioning is a real problem, the CUP error message, I can work around for now.
  What about on your side? Am I the only guy using SP12 here?

• GRC AC 10 CUP : Provisioning of Approved roles (Line Item)

  Hello Gurus,
  We have configured CUP in GRC AC 10, and mapped a workflow for the same.
  Now when a user request for new roles e.g.) 3 roles
  Role 1 , Role 2 , Role 3 each roles has a different role owner.
  When the request goes to the role owner for approval and 1 of the 3 role owner rejects the request the whole request gets rejected.
  Is it possible to have functionality where roles which are approved will go ahead and get "Provisioned" and the whole request wont completely get rejected ??
  Looking forward for your inputs !!
  Thanks in advance.
  Regards,
  Victor

  Hello Victor,
  I guess you can work with the approval/ rejection level (stage 5 in the WF configuration).
  Have a look at here: http://forums.sdn.sap.com/thread.jspa?threadID=1637574
  Cheers,
  Diego.

• CUP Provisioning workflows

  Hello
  We have a unique use case.
  Say we have two roles A and B in a single workflow request.
  We want to create a workflow in CUP, that will auto provision A and not auto provision B (just capture the approval).
  Is this possible in CUP workflow?
  Thanks
  Prakash Sankar

  Hi Prakash
  It sounds like you are trying to set up portal role provsioning through GRC.  We are trying to do the same thing.  Do you have the portal setup completed is that side working?

• CUP Provisioning into LDAP

  Hi Gurus,
  We are trying to figure out if we can provision a NEW user ID into LDAP (AD) through CUP? Ideally we will have a Manager enter a request into CUP that includes a user's SAP access as well as AD and have CUP autoprovision this access.
  In reading the guides it seems CUP can only write groups to existing AD users.
  Does anyone have any thoughts or experiences?
  Thanks,
  Grace Rae

  Grace,
  CUP can provision existing LDAP groups to existing IDs, but as you said, cannot create new ones.  The best method to incorporate this would be to connect CUP to an IDM system to provision the ID and access.  If this is not acceptable, the other option is to create a custom connector that would communicate with a third party application (such as a macro/script) that would create the IDs through a separate process.
  I know this isn't the news you want to hear, but I hope it helps!
  Tyler

• CUP Provisioning Steps

  Hi,
  What is the minimum steps required to configure CUP? Brief explaiation of steps would be great.
  Thanks,

  CUP has a fair amount of work involved to get off the ground. This is a RTFM moment.
  Installation and Upgrade Guide for Cisco Unified Presence Release 7.0
  http://docwiki.cisco.com/wiki/Cisco_Unified_Presence,_Release_7.x_--_Installation_and_Upgrade
  Deployment Guide for Cisco Unified Presence Release 7.0
  http://docwiki.cisco.com/wiki/Cisco_Unified_Presence,_Release_7.x_--_Deployment_of_Cisco_Unified_Presence
  Configuration and Maintenance Guide for Cisco Unified Presence Release 7.0
  http://docwiki.cisco.com/wiki/Cisco_Unified_Presence,_Release_7.x_--_Configuration_and_Maintenance_of_Cisco_Unified_Presence
  Also, if you are a partner, there are training resources available for CUPS in PEC I believe.

• Role Creation in CUP 5.3

  Hello,
  I'm trying to understand the concept of what is called "role creation" in Compliant User Provisioning.
  My understanding is that the "create role" option in CUP (configuration>Roles>Create Role) means simply adding the "attributes" such as a business process, functional area, system, or company, to the SAP roles that you imported into CUP.  
  It seems that, with CUP, once you have imported SAP roles and "adjusted" them (adding attributes), you are no longer operating PFCG and SU01 in the SAP backend system. From this point on, everything is done in CUP (provisioning) and ERM (creating additional roles).
  Please tell me if I'm wrong.
  HM

  HM,
    The create role option in CUP is mainly for legacy/non-cup supported systems. This way you can follow the standard workflow process for LDAP/Windows/legacy system. In this user provisioning and role assignment will not be done through CUP and will be manual. This is very important for some companies as they want user to go through same process if they want to get access to any system and not only ERP system.
  The below statement is wrong.
  It seems that, with CUP, once you have imported SAP roles and "adjusted" them (adding attributes), you are no longer operating PFCG and SU01 in the SAP backend system. From this point on, everything is done in CUP (provisioning) and ERM (creating additional roles).
  If you don't have ERM then you will have to use PFCG. Once you have CUP, you don't have to use SU01.
  Regards,
  Alpesh

• Is it possible to create a CUP request initiated from the ECC backend?

  Hello GRC experts,
    I am hoping to solve a problem by interrogating the HR and SAP users tables in the ECC backend, and then in some cases, creating CUP provisioning requests to delimt specific user roles.  I am not aware of any functionality that allows creation of requests other than HR triggers or manual data entry.  (HR triggers do not satisfy our need as we are doing direct provisioning, so we must explicitly specify roles in the request. ) 
  Has anyone done this before?  Any ideas.
  Thanks,
  Yvonne Davis

  Start with the test option in web service explorer to find out which items you need in the request.
  Roles must still be imported in CUP. You'll need about the exact same configuration in CUP like for manual requests, the web service will basically just fill out the request form.
  Frank.

• Withholding tax provision on Po's at year End

  Hi Experts
  TDS has been deducted at the time of making provision on Po's at the year end but actual invoice receipt after payment of TDS in the next year , how the system will take care of TDS on differential amount , and what will happened if TDS has been deducted on provision entry and period has been closed but invoice is received before TDS deposited and corrective entry for differential amount is made in additional period.
  On processing of those PO's invoices system will issue any msg that TDS on Provision is already deducted/deposited or not
  I have made below config -
  SPRO --> Financial Accounting (New) --> Financial Accounting Global Settings (New) --> Withholding Tax --> Extended Withholding Tax --> Posting --> India --> Provisions for Taxes on Services Received.
  but while doing t_code j1inpr a error msg is coming-
  Maintain Accounting configuration for W.Tax code 1000
  please help
  Regards
  Kuldeep Dubey

  Hi Kuldeep,
  For this issue we were doing the invoices in current month which is pertaining to last year and make it the manual jv provision in local books and reverse in current month first. while updaing the challans we are excluding the previous invoices and posted seperate challan. certificates are issuing manually for old invoices while taking the current year certificates we are going to excluding the challan numbers in J1INCERT.

• EAP-FAST, local Authentication and PAC provisioning

  Hi everybody,
  I have a litte understanding problem with the deployment of EAP-FAST.
  So here's the deal:
  I want to the deploy EAP-FAST with autonomous APs with an ACS as Authentication server. So far so good.
  When the ACS is not reachable, the autonomous AP should act as local Authenticator for the clients as backup. Is this possible when doing manual PAC provisioning? I guess not, because the PAC master key is not synced between ACS and the AP local Authenticator.
  Would automatic PAC provisioning resolve that issue? If the ACS server fails, the local Authenticator AP will create new PACs for the clients, right?
  But - I have doubts regarding automatic provisioning of PACs. From my understanding the Phase-0 is just performed in MS-CHAPv2, which is dictionary attackable. Furthermore a MITM attack could be possible during phase-0.
  Would server sided certificates resolve my concerns here?
  I would prefer PEAP, but the autonomous APs don't support this EAP type as local authenticator method, right?
  Btw. .... is there any good document regarding FAST on CCO? I couldn't find anything. The Q&A page is just scratching the surface. The best document I could find so far is the ACS user configuration page. But I'm not 100% happy with this. Is there some kind of EAP-FAST deployment guide out there? I need best practices regarding PAC provisioning and so on :-)
  Thanks in advance!

  From what I understand a Internet proxy PAC and a eap-fast PAC are two different purposes.
  Is that what you are trying to get clarification on.
  Basically eap fast PAC provisioning is a PAC that s provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.
  Sent from Cisco Technical Support iPad App

• Reversal on Import Duty Provision posted thru MIGO

  Hi All,
  I have a issue on reversal of Import Duty provision..when GR is done for Imports the Import Duty Provision is posted to GL..there are some old provisions in this GL which needs to be reversed because there is no requirement of these provisions in the books..
  For these GR's already MIRO has been done, payments to vendors are also been done and also materials has been consumed..therefore we are not in a position to reverse Material documents..
  Now the issue is how to reverse these provisions? Is there any T Code for reversing automatically/manually these provisions..
  Appreciate quick response on this since it is an Audit issue..
  Thanks in advance.
  Regards,
  Sree

  Hi D.K.Lakshmi Narayana,
  This will have effect on vendor (Dr. Vendor), which we cannot give becuase vendor is already paid..can we give credit to COGS Account through this transaction? or is there any other T Code?
  Appreciate your response..
  Regards,
  chakravarty

• [CUP 5.3] Error while email validation

  Hello all,
  Anyone seen this before in CUP 5.3 SP15?
  I have an access request form in which I allow user lookup. The user lookup is linked with an SAP HR system.
  When I search users on name, only the users that have an emailaddress filled in in the infotypes show up in my list. Users without an emailaddress are not shown. I can only get them in my search results when I specifically search for them on user ID.
  When I then select the user without emailaddress and insert him/her into my access request form, I always receive the "error creating request" message. The log tells me:
  2011-09-20 15:29:28,326 [SAPEngine_Application_Thread[impl:3]_24] ERROR  EUCreateRequestAction.java@224:loadHandler() : Error while email validation = E-mail address
  Users with an emailaddress are no problem.
  Even when I fill in an emailaddress manually, CUP apparently keeps using the emailaddress from the infotype.
  Anyone know how to resolve this?
  Thanks in advance,
  Edited by: Lanssens Tom on Sep 20, 2011 6:09 PM (spelling)

  Hello Srihari,
  User Email Address is a Mandatory field which cannot be changed. The only option to change is to turn off "Editable". However, if I do that I receive the warning "It is better to make the field editable, because the end user cannot submit the request, if the field value is not available in the user's data source".
  I know that the best solution/workaround is to make sure that all users in the HR list have an emailaddress, so we are going to follow up on this with a script. Still, I would like to know why I can't find nor work with users that don't have an emailaddress, and why I can't update their emailaddress myself manually via the CUP.
  Best regards,
  Tom

• Auto Update of Resource form

  In my OIM I have configured AD User resource for provisioning and I've provisioned about 100 users.
  Then I've updated AD User resource form to version 2 and made this version active.
  But when I view resource profile (for AD User) for any of users that were provisioned before form update, I can still see the old version of form. And I have to revoke and then re-provision these users before I can see 'version2' in their resource profile.
  For any user that was provisioned AFTER form 'version2' was made active, I can see the new version of resource form.
  I need that all users to have the new version of form automatically after it's made active (without manual re-provisioning them)
  Is there any other way, such as using Xellerate API to assign the new version of form to all users that have AD User resource?
  I guess first I have to retrieve the list of all AD Users and then make a loop for re-assigning the form...

  There is a utility available for changing form versions.
  http://download.oracle.com/docs/cd/B32479_01/doc.903/b32453/appc.htm#sthref389
  I haven't used it myself, but i know i've seen other posts regarding it.
  -Kevin

• USER EXIT/ BADI (The price should not be changed in the billing document)

  Hi all,
  We have given manual entry provision for pricing in Sales order level. But as per the company requirement, the price should not be changed in the billing document. Also the point to be considered is, it is a delivery based billing. 
  Kindly help me for finding USER EXIT/ BADI to achieve my requirement.
  Thanks.

  Hi,
  Please refer to OSS notes:
  105621 - Authorization check for the condition screen - you can use following user-exit includes for changing the condition tab to display only:
      USEREXIT_FIELD_MODIFICATION
      USEREXIT_PRICING_CHECK
      USEREXIT_FIELD_MODIFIC_LEER
      USEREXIT_FIELD_MODIFIC_KZWI
      USEREXIT_FIELD_MODIFIC_KOPF
  1165078 - Authorization check for conditions or subtotals - from ECC6.0 EHP4 there is a dedicated BAdI for authorization check, however if the user is not aurhorized to change the conditions, the conditions are not visible for the user as well.
  Regards,
  Marcin

• PO complete indicator at PO line item

  Hello Gurus,
  We have a requirement where business wants one indicator in PO line item itself as "PO complete" and business wanrts that this indicator needs to be flagged automatically depends on below conditions fullfillment:-
  - Indicator Delivery completed is set: EKBE- ELIKZ=X
  - Invoice exists (for example, u201CInvoice amountu201D is greater than 0).
  - Invoice(IR) amount is different from Actual delivery(GR) amount & the difference is not more than 5%.
  If business wants to set this indicator manually then provision should be there.
  Also, business wants one report which will show for which POs, this "PO complete" indicator set automatically & POs for which it has been set  manually.
  Thanks, Ravindra.

  I think you will confuse the busines with such an indicator, latest when you start archiving documents and SAP tells you that the document is not complete and cannot be archived.
  A PO is not completed just because a user puts a X into a new invented field.
  A PO is completed if the goods receipt was within delivery tolerances and invoiced quantity is equal to goods receipt quantity.
  (this is just valid for inventory managed items in a PO)
  if there was a difference between invoice and goods receipt, then business has to run GR/IR clearance with MR11, and not just put an X in an own field.
  if the GR quantity is not within the tolerances, but business is okay with the receipted quantity, then they have to put their X into delivery completed indicator, not into an own developed field.
  Such own developed field will be misleading for the process. After a while when you have the mess in your system with thousand of orders that have the Z-indicator for complete but are not really complete in SAP sense, then they will point the finger to you and say that they have set the indicator for complete but you have not taken care that SAP understood it.
  So you would need to add a lot coding to perform all the checks that are executed for data archiving to allow setting of completeness or refuse it with a certain error message. Or coding to trigger BAPIs to set delivery compete indicator and to adjust order quantity  or run MR11 clearing etc when this indicator is activated.