Mass Role Creation

Hi All,
We have an requirement to create large number of roles in BW, is there any existing tool that we can use to create mass roles or should it be done through BDC on PFCG?
Thanks for your answers in advance.
Regards
SS

Deepu,
Thanks for your reply. Could you give more details as to, how do we do it through PFCG?
Regards
SS

Similar Messages

  • Mass roles creation

    Hi all,
    I am supposed to create 2000 roles in our system.
    Is there any way to create roles in mass.
    If there please provide me the details to do the mass roles creation.
    Thanks in advance.
    Regards,
    Suganya

    > I am supposed to create 2000 roles in our system.
    > Is there any way to create roles in mass.
    How do you mean 'in mass'? Do you want 2000 identical copies of one role, are you talking about derived roles or do you need to create 2000 completely different roles?
    Please give us some more information. (And prepare for the fact that some tasks do not have shortcuts...)
    Jurjen

  • Mass role creation and addition of tcodes to role menu

    Hi Folks,
    We've a requirement of building 1000's of single roles for an implementation. Our security matrix is ready with the role names and the list of tcodes to be embedded in each of these roles. What I would like to know is if we can automate a part of the process of role building i.e the following 3 steps only.
    1. Creation of the Role
    2. Addition of the tcodes in the role menu
    3. Save
    I'm aware of Ecatt/LSMW through which we can create the roles but i'm not sure if we can add the tcodes to the menu of the roles since the number of tcodes to be populated in each role will vary.
    Could anyone of you shed some light if it is possible to automate the addition of  tcodes to the role menu taking into consideration that each role will have different number of tcodes to be added to the menu and what's the best possible way to achieve this if there exists one.
    Thanks in advance for your time and suggestions!
    Guest...

    Whilst I agree that there are probably too many roles being built here, which is more of an issue with the role design / strategy, the issue of how to easily create a role for a given list of transactions is something that SAP supports via the import menu from text file option in PFCG.
    Yes you may need to write a script to cycle through all the possible role names, but we have recently had to build some roles based on actual usage, so exported transaction usage history to excel and then formatted the transactions into text files that could be imported to build the role menu.
    You will still then need to ensure any object authorisation object have the correct values set - i.e. not just starred in - but as one of the pains in build a role is getting the menu to look reasonable, I'd suggest having a look at this approach.
    Copy Menus -> Import from File is the function in PFCG in the menu tab for the role you are building
    OSS note 389675 has details of what the text file of transactions for the menu should look like.
    That should answer the question posed, rather than criticising the role design being followed.

  • Mass role & authorization creation

    Hi all,
    I have been assigned a task to create some 400+ authorizations. Using PFCG and creating one by one would take much time, so I wonder if there is a different approach.
    Every role has a different number of transactions, but most of them have the same values for authorization objects (company code, purchasing group etc).
    Anyone have an idea on how to do this?
    Thank you,
    Igor

    What about ECATT or even BAPI usage? There are ECATT procedures for mass users creation. Can that be used for roles as well?
    Not as far as I know.
    In any case, I will never relay in mass creation of roles as this will represent a security issue, and In my personal opinion is why SAP does not offer mass creation of roles as a standard
    Regards
    Juan

  • Mass role risk analysis issue

    Hello GRC Community,
    I have a following issue:
    When I use mass risk analysis the deactivated authorization objects in the role are displayed as result. At the same time, when I use Role Level Risk Analysis the role with deactivated critical authorization objects doesnt appear.
    Does anybody know how to solve this issue? Is there any configuration parameter to be adjusted?
    thanks
    best regards
    Sabrina

    Prasant,
    here are the screenshots of the Job result:
    1. Mass role Risk Analysis
    2. Risk Analysis on the (Single) Role Level
    Im Backend you can see that the role contains lots of deactivated autorization objects.
    I have run all sync Jobs, but seemingly it doesnt help.
    Thanks,
    Sabrina

  • Request Number is not generated for BRM "new" role creation

    Hello Gurus,
    I have configured BRM in SAP GRC AC 10, along with the workflow .
    I have selected the following methodology
    Define Role --> Maintain Auth >Analyze & Access Risk>Request Approval>Generate Roles>Maintain Test Cases
    Role name : Y_TEST_BRM_FUNCTIONALITY
    So i do the following steps and assign
    1) Role approver as Mr. ABC & Alternate approver as Mr. QRS
    2) Assign the Required transactions and do the RAR i.e i am done till step 3 of methodology
    When i click "Initiate Approval request"
    The approval triggers , and goes to the 1st stage as configured in MSMP
    1) Power User Approval .
    Here the Power User : EFG , open his workflow and see the request as
    Role approval required for role Y_TEST_BRM_FUNCTIONALITY
    The approver approves the request and then the request all together vanishes.
    Unfortunately i am not able to search the request for that role from NWBC -->Search request by
    Process Id : Role Approver Workflow
    It gives blank !!
    Hence neither i am able to find the request no able to do any debugging of it using
    GRFNMW_DBGMONITOR_WD
    Please note that the Request Id is created for any request in CUP.
    Is it that i have to create a number range for BRM request ??
    If so will you please let me know the object

    Hello All,
    I was wrong in posting the cause of problem.
    Please note no "Request number" is generated for Role creation Request.
    The problem was i was unable to search the Role Request approval status from "Search Request" via  Process Id
    It got resolved via SAP note 1643539 : UAM: Search Request not returning result for some Process Id.
    My Issues is Resolved.
    Thank You.
    Regards,
    Victor

  • BRM-No Role Creation

    Hi gurus,
    I have just upgraded my GRC 10.0 to SP18 and when I access to create a new role in the NWBC, the button is in grey, I mean, I can not start the creation of it. However, I can modify the roles without problems.
    Any idea of what can be happening?
    Thanks,
    Regards,

    Hello All,
    I was wrong in posting the cause of problem.
    Please note no "Request number" is generated for Role creation Request.
    The problem was i was unable to search the Role Request approval status from "Search Request" via  Process Id
    It got resolved via SAP note 1643539 : UAM: Search Request not returning result for some Process Id.
    My Issues is Resolved.
    Thank You.
    Regards,
    Victor

  • ERM - Mass Role Import Error

    I just upgraded to SP11 and am trying to mass import a few roles.  It doesn't give me an error on the mass input screen, but it doesn't import the role, so I put DEBUG on and looked at the system logs.  I created the download file as both ANSI and UTF-8 and neither is working.  Here is the system log output:
    2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG
    -- Request dump for Action Path is cnvMassRlImport.scrMassRlImport.loadMassRoleImport
    2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG recordHistory:0::true#
    2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG -- End Request dump for Action Path is cnvMassRlImport.scrMassRlImport.loadMassRoleImport
    2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG Current Module: |CFG| Conversation: |cnvSysLog| Screen: |scrSysLog|
    2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG  Module#CFG#Conversation#cnvMassRlImport#Screen#scrMassRlImport#Action#loadMassRoleImport#
    2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG Changing Conversation: FROM: cnvSysLog TO cnvMassRlImport
    2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG com.virsa.framework.Context : clearConversationRep :   : 0 entries cleared from conversation repositiory
    2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG com.virsa.framework.Context : clearScreenRep :   : 0 entries cleared from screen repositiory
    2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG Handler found:class com.virsa.re.configuration.action.MassRoleImportAction
    2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG forwarding to:/cfg_mass_role_import.jsp
    2010-03-23 11:27:09,316 [SAPEngine_Application_Thread[impl:3]_28] DEBUG
    -- Request dump for Action Path is scrMassRlImport.importRoles
    2010-03-23 11:27:09,316 [SAPEngine_Application_Thread[impl:3]_28] DEBUG -- End Request dump for Action Path is scrMassRlImport.importRoles
    2010-03-23 11:27:09,316 [SAPEngine_Application_Thread[impl:3]_28] DEBUG Current Module: |CFG| Conversation: |cnvMassRlImport| Screen: |scrMassRlImport|
    2010-03-23 11:27:09,316 [SAPEngine_Application_Thread[impl:3]_28] DEBUG  Module#CFG#Conversation#cnvMassRlImport#Screen#scrMassRlImport#Action#importRoles#
    2010-03-23 11:27:09,316 [SAPEngine_Application_Thread[impl:3]_28] DEBUG Handler found:class com.virsa.re.configuration.action.MassRoleImportAction
    2010-03-23 11:27:09,332 [SAPEngine_Application_Thread[impl:3]_28] DEBUG dirName-->E:\usr\sap\WMS\GRC\ROLEIMPORT\1269358029332
    2010-03-23 11:27:09,347 [SAPEngine_Application_Thread[impl:3]_28] DEBUG returnStatus###success
    2010-03-23 11:27:09,347 [SAPEngine_Application_Thread[impl:3]_28] DEBUG forwarding to:/cfg_mass_role_import_status.jsp
    2010-03-23 11:27:10,769 [SAPEngine_Application_Thread[impl:3]_31] DEBUG
    -- Request dump for Action Path is scrMassRlImport.generateRolesForeGround
    2010-03-23 11:27:10,769 [SAPEngine_Application_Thread[impl:3]_31] DEBUG -- End Request dump for Action Path is scrMassRlImport.generateRolesForeGround
    2010-03-23 11:27:10,769 [SAPEngine_Application_Thread[impl:3]_31] DEBUG Current Module: |CFG| Conversation: |cnvMassRlImport| Screen: |scrMassRlImport|
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG  Module#CFG#Conversation#cnvMassRlImport#Screen#scrMassRlImport#Action#generateRolesForeGround#
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG Handler found:class com.virsa.re.configuration.action.MassRoleImportAction
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG In LockedObjBO.getLockedObjListByType(String objType) starts.....
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG In LockedObjBO.getLockedObjListByType(String objType) ends.....
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG GET_BUS_PROC =====  SELECT BP.BPROCID, BP.BPROCNAM, BL.BPROCDES FROM VT_RE_BPROC BP LEFT OUTER JOIN VT_RE_BPROCLNG BL ON(BP.BPROCID = BL.BPROCID AND BL.LNGID=?), VT_RE_BPSPASSOC BSP WHERE BP.BPROCID = BSP.BPROCID AND BSP.SUBPROCID =?
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG bprocName ===== HR00
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG keys.size():- 42
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 1 cache statusid = 1 value = DEVELOPMENT Desc = Kehitys
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 2 cache statusid = 2 value = PRODUCTION Desc = Produksjon
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 3 cache statusid = 1 value = DEVELOPMENT Desc = ??
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 4 cache statusid = 1 value = DEVELOPMENT Desc = Development
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 5 cache statusid = 2 value = PRODUCTION Desc = �retim
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 6 cache statusid = 1 value = DEVELOPMENT Desc = Projektowanie
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 7 cache statusid = 2 value = PRODUCTION Desc = Production
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 8 cache statusid = 2 value = PRODUCTION Desc = Produ��o
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 9 cache statusid = 1 value = DEVELOPMENT Desc = Desarrollo
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 10 cache statusid = 2 value = PRODUCTION Desc = Production
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 11 cache statusid = 2 value = PRODUCTION Desc = Produzione
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 12 cache statusid = 1 value = DEVELOPMENT Desc = ??
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 13 cache statusid = 1 value = DEVELOPMENT Desc = ??
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 14 cache statusid = 2 value = PRODUCTION Desc = ??
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 15 cache statusid = 1 value = DEVELOPMENT Desc = Udvikling
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 16 cache statusid = 2 value = PRODUCTION Desc = Produkt�v
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 17 cache statusid = 1 value = DEVELOPMENT Desc = ??????????
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 18 cache statusid = 2 value = PRODUCTION Desc = V�roba
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 19 cache statusid = 2 value = PRODUCTION Desc = Productie
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 20 cache statusid = 1 value = DEVELOPMENT Desc = Fejleszt�s
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 21 cache statusid = 2 value = PRODUCTION Desc = Produktion
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 22 cache statusid = 1 value = DEVELOPMENT Desc = Desenvolvimento
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 23 cache statusid = 2 value = PRODUCTION Desc = ???
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 24 cache statusid = 1 value = DEVELOPMENT Desc = Ontwikkeling
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 25 cache statusid = 2 value = PRODUCTION Desc = V�roba
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 26 cache statusid = 2 value = PRODUCTION Desc = ????????????
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 27 cache statusid = 1 value = DEVELOPMENT Desc = Sviluppo
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 28 cache statusid = 1 value = DEVELOPMENT Desc = Utveckling
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 29 cache statusid = 2 value = PRODUCTION Desc = Tuotanto
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 30 cache statusid = 2 value = PRODUCTION Desc = Produkcja
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 31 cache statusid = 1 value = DEVELOPMENT Desc = Utvikling
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 32 cache statusid = 1 value = DEVELOPMENT Desc = V�voj
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 33 cache statusid = 2 value = PRODUCTION Desc = Produktion
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 34 cache statusid = 1 value = DEVELOPMENT Desc = V�voj
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 35 cache statusid = 2 value = PRODUCTION Desc = ??
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 36 cache statusid = 2 value = PRODUCTION Desc = Produktion
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 37 cache statusid = 2 value = PRODUCTION Desc = Proizvodnja
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 38 cache statusid = 1 value = DEVELOPMENT Desc = Entwicklung
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 39 cache statusid = 1 value = DEVELOPMENT Desc = Geli?tirme
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 40 cache statusid = 1 value = DEVELOPMENT Desc = Razvoj
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 41 cache statusid = 2 value = PRODUCTION Desc = Producci�n
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 42 cache statusid = 1 value = DEVELOPMENT Desc = D�veloppement
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 1RoleStatusName:- DEVELOPMENT
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 2RoleStatusName:- PRODUCTION
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG MissingDescriptionHelperDAO.java@37:com.virsa.re.dao.MissingDescriptionHelperDAO.getMissingRoleDesc()missingLst.size(): 1
    2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG startIndex: 0; endIdex: 1
    2010-03-23 11:27:10,800 [SAPEngine_Application_Thread[impl:3]_31] DEBUG RoleImportBO.java@1393:com.virsa.re.bo.impl.RoleImportBO.createRole()Creating Role:ZM:HR_PY_DEPT_SUPP_COMP profile:'Z:DEPTSUPP'
    2010-03-23 11:27:10,800 [SAPEngine_Application_Thread[impl:3]_31] DEBUG  InsIde getLastGenerateDate(3572,11)
    2010-03-23 11:27:10,800 [SAPEngine_Application_Thread[impl:3]_31] DEBUG  InsIde getLastGenerateDate(3572,11) ResultSet and got an entry
    2010-03-23 11:27:10,800 [SAPEngine_Application_Thread[impl:3]_31] ERROR Cannot assign a java.lang.String object of length 389 to host variable 7 which has JDBC type VARCHAR(100).
    java.lang.Throwable: Cannot assign a java.lang.String object of length 389 to host variable 7 which has JDBC type VARCHAR(100).
         at com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:85)
         at com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:124)
         at com.sap.sql.types.GenericResultColumn.checkLength(GenericResultColumn.java:212)
         at com.sap.sql.types.VarcharResultColumn.setString(VarcharResultColumn.java:63)
         at com.sap.sql.jdbc.common.CommonPreparedStatement.setString(CommonPreparedStatement.java:511)
         at com.sap.engine.services.dbpool.wrappers.PreparedStatementWrapper.setString(PreparedStatementWrapper.java:355)
         at com.virsa.re.dao.jdbc.ChangeHistoryDAO.saveChangeHistory(ChangeHistoryDAO.java:318)
         at com.virsa.re.bo.impl.ChangeHistoryBO.saveChangeHistory(ChangeHistoryBO.java:77)
         at com.virsa.re.bo.impl.RoleBO.updateRoleWithChngeHist(RoleBO.java:469)
         at com.virsa.re.bo.impl.RoleImportBO.createRole(RoleImportBO.java:1437)
         at com.virsa.re.bo.impl.RoleImportBO.importRoles(RoleImportBO.java:639)
         at com.virsa.re.bo.impl.RoleImportBO.importRoles(RoleImportBO.java:333)
         at com.virsa.re.configuration.action.MassRoleImportAction.generateRole(MassRoleImportAction.java:597)
         at com.virsa.re.configuration.action.MassRoleImportAction.execute(MassRoleImportAction.java:78)
         at com.virsa.framework.NavigationEngine.execute(NavigationEngine.java:273)
         at com.virsa.framework.servlet.VFrameworkServlet.service(VFrameworkServlet.java:230)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:117)
         at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:62)
         at com.virsa.comp.history.filter.HistoryFilter.doFilter(HistoryFilter.java:43)
         at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:58)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:384)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)

    Hi All,
    Two weeks ago, I have trying to load roles in ERM. The result hasn´t been than expected. I use SAP GRC AC (5.3). I need to load 6375 single roles, but only I have loaded 914 single role. Next I described to you a general context of my situation:
    1.  I divided the file VIRSA_RE_DNLDROLES.txt into 16 files (UTF - 8) with single roles per module (AM, PO, PS, GL, SD...)
    2. Each file contains segmented roles associated to a business process and multiples sub - business process.
    3. When I checked roles in ERM, I notice that just load any roles. Not all roles in template was loaded.
    4. Files size varies between 18 kb y 145 kb.
    5.  Files concerned "Mass Role Import" have the following extensions: Bulk Download File* (.txt), Enterprise Role Management Information File (.xls) and Primary Org. Level File (.xls).
    5. A error generated was "Unknown error occurred while performing operation (No space left on device (errno:28))."
    Honestly, I don´t know the reason for not loading all roles from template. Any suggestions? or ideas?
    Thanks in advance

  • Import roles to the ERM without using the "Mass Role Import

    Hello,
    I want to know if there is another way to import roles to the ERM without using the "Mass Role Import.
    Im'm using SAP GRC AC 5.3
    Best Regards.
    Pablo Mortera.

    Hi.
    There is NO other way to import roles..
    We need to use only ERM for "Mass Role Import.
    Regards
    Gangadhar

  • Role Creation in CUP 5.3

    Hello,
    I'm trying to understand the concept of what is called "role creation" in Compliant User Provisioning.
    My understanding is that the "create role" option in CUP (configuration>Roles>Create Role) means simply adding the "attributes" such as a business process, functional area, system, or company, to the SAP roles that you imported into CUP.  
    It seems that, with CUP, once you have imported SAP roles and "adjusted" them (adding attributes), you are no longer operating PFCG and SU01 in the SAP backend system. From this point on, everything is done in CUP (provisioning) and ERM (creating additional roles).
    Please tell me if I'm wrong.
    HM

    HM,
      The create role option in CUP is mainly for legacy/non-cup supported systems. This way you can follow the standard workflow process for LDAP/Windows/legacy system. In this user provisioning and role assignment will not be done through CUP and will be manual. This is very important for some companies as they want user to go through same process if they want to get access to any system and not only ERP system.
    The below statement is wrong.
    It seems that, with CUP, once you have imported SAP roles and "adjusted" them (adding attributes), you are no longer operating PFCG and SU01 in the SAP backend system. From this point on, everything is done in CUP (provisioning) and ERM (creating additional roles).
    If you don't have ERM then you will have to use PFCG. Once you have CUP, you don't have to use SU01.
    Regards,
    Alpesh

  • How to raise role creation/modification request in AC 10

    We are implementing AC10. I have issue more related to the process followed than technical. Please suggest from your experience.
    We found that we can raise the request for new user account, role assignment to user, etc in Acess Request(formerly CUP), but we cannot raise the request for role creation, role modification. This is directly done in Role management.  My question is, how the security admin will recieve the requests for creating or maintaining the roles. Is it necessary to use ticketing tool for users to raise the request for role creation and modification.
    Thanks everyone for your valuable solutions.

    Dear Ashish,
    Whatever you have mentioned is correct to have the common platform for every request, either for user creation or role creation.
    But what we decided earlier, that the end users can raise the request in CUP directly, rather than involving security admin. But after realizing that there is no request type for role creation, I think we have to use our ticketing tool as a common platform.
    Request will come to security admin from the ticketing tool and than he will create the request in CUP, thereafter it will follow the approval workflow.  Only problem I see in this, it goes to the manager twice, once in ticketing tool and than through CUP workflow. i think we need to take out the manager stage from the workflow.

  • Idm-Vaau Rbac role creations and mapping

    Hi All,
    I'm working on the integration between Idm and Vaau's Rbacx (role based access control) tool for role creation and provisioning...I've imported the spml.xml and SPMLGetObjectsform.xml into Idm for the SPML calls between Rbacx and Idm.
    The challenge I'm facing is mapping the attributes of Rbacx roles to enable the attributes to be populated in Idm...I'm able to export roles into Idm, but they are not populating with any attributes eg. resource type, resource attribute etc. I'm uncertain as to where I have to map these properties and do any customization for this to work. I would appreciate if anyone who has worked on this or know how to do this, to pls give me some pointers/share your experience. I don't have any documentation to refer to and am doing everything on trial and error basis.
    Any help is greatly appreciated!
    Thank you.

    Hi newbie,
    Were you able to solve this issue? I am facing the same problem while assigning resource attributes for a created role using a custom workflow.
    This is where I set the resource attributes in my workflow:
    <Action id='1'>
    <expression>
         <block trace='true'>
         <set><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].valueType</s><ref>ADGroupsValueType</ref></set>
         <set><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].requirement</s><ref>ADGroupsRequirement</ref></set>
         <append><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].value</s><ref>ADGroupsValue</ref></append>
         </block>
    </expression>
    </Action>
    where <ref>ADGroupsValue</ref> contains the attribute value.
    thanks,
    Lokesh

  • How to generate mass roles in SUPC

    Hi All,
    I have to generate mass roles at one time. There are 3000 roles to be generated. I am using tcode SUPC to do this but when give the list of roles and click on generate button it is taking only one role.
    I am generating derived roles.
    Please advise..
    Thanks,
    Masood

    > I am generating derived roles.
    Perhaps Salman123 wrote a CATT to hit the "Adjust derived roles" function once, or dug deeper?
    If you have less than 50 roles and all standard and maintained authorizations you are better off using the delete menu and import from role option in my opinion. (make sure the root node is small and use redundancy compression).
    If you have more than 50 roles, then (shame on me...) try to keep them very small with only selected objects and use the option to delete their profiles completely and upload them on mass. Such roles are anyway usually best suited for BW systems and an entirely different concept (Analysis Authorizations).
    You can avoid derived roles completely this way.
    Cheers,
    Julius

  • Approval of role creation

    Hi All
    I need to create a WET for role creation, this is simple But I need to incorporate approval of the creation of the new MX_ROLE entry. I can only find documentation/guides on how to implement approval of role and privilege assignment. Does anyone know if it is possible to setup approval on creation on a new entry?
    Kind regards,
    Heidi

    I have tried to implement the MX_INACTIVE solution. Now it is not possible to see the role on the "Adminstrate"-tab, and there is an approval task on the "To do"-tab. When I click this task, details on the role are displayed properly, but when I try to process the request by clicking the "Show request"-button (button name translated from Danish, it might be translated differently...) I get an error: "Access denied".
    I have set correct approver on the approval task, and I was able to process approval requests, before I set the role to inactive.
    On the approval task, I have checked the "Use inactive entries" checkbox.
    Does anyone have an idea what could be wrong?
    Kind regards,
    Heidi Kronvold

  • Role Creation using CAT Scripts

    Hi,
    Step by step procedure needed.
    I need role creation using scripts(SECATT),org values that needs to maintain
    is full authorization.
    pls help me.
    ram

    Hi Ram,
    There is a SECATT tutorial here: http://www.*********************/tutorials/secatt_user_create.html
    If you learn that & the principles associated with SECATT then you can apply that to creating and populating roles.
    In my opinion SCAT is much easier to use, though less flexible,

Maybe you are looking for