Mass Role Creation
Hi All,
We have a requirement to create a large number of roles in BW. Is there any existing tool that we can use to create mass roles, or should it be done through BDC on PFCG?
Thanks for your answers in advance.
Regards
SS
Deepu,
Thanks for your reply. Could you give more details as to how we do it through PFCG?
Regards
SS
Similar Messages
-
Hi all,
I am supposed to create 2000 roles in our system.
Is there any way to create roles in mass?
If there is, please provide me the details to do the mass role creation.
Thanks in advance.
Regards,
Suganya
> I am supposed to create 2000 roles in our system.
> Is there any way to create roles in mass?
How do you mean 'in mass'? Do you want 2000 identical copies of one role, are you talking about derived roles or do you need to create 2000 completely different roles?
Please give us some more information. (And prepare for the fact that some tasks do not have shortcuts...)
Jurjen
-
Mass role creation and addition of tcodes to role menu
Hi Folks,
We've a requirement of building 1000s of single roles for an implementation. Our security matrix is ready with the role names and the list of tcodes to be embedded in each of these roles. What I would like to know is if we can automate a part of the process of role building, i.e. the following 3 steps only.
1. Creation of the Role
2. Addition of the tcodes in the role menu
3. Save
I'm aware of Ecatt/LSMW through which we can create the roles, but I'm not sure if we can add the tcodes to the menu of the roles, since the number of tcodes to be populated in each role will vary.
Could anyone of you shed some light on whether it is possible to automate the addition of tcodes to the role menu, taking into consideration that each role will have a different number of tcodes to be added to the menu, and what's the best possible way to achieve this if there exists one?
Thanks in advance for your time and suggestions!
Guest
...Whilst I agree that there are probably too many roles being built here, which is more of an issue with the role design / strategy, the issue of how to easily create a role for a given list of transactions is something that SAP supports via the import menu from text file option in PFCG.
Yes you may need to write a script to cycle through all the possible role names, but we have recently had to build some roles based on actual usage, so exported transaction usage history to excel and then formatted the transactions into text files that could be imported to build the role menu.
You will still then need to ensure any authorisation objects have the correct values set - i.e. not just starred in - but as one of the pains in building a role is getting the menu to look reasonable, I'd suggest having a look at this approach.
Copy Menus -> Import from File is the function in PFCG in the menu tab for the role you are building.
OSS note 389675 has details of what the text file of transactions for the menu should look like.
That should answer the question posed, rather than criticising the role design being followed.
-
Mass role & authorization creation
Hi all,
I have been assigned a task to create some 400+ authorizations. Using PFCG and creating one by one would take much time, so I wonder if there is a different approach.
Every role has a different number of transactions, but most of them have the same values for authorization objects (company code, purchasing group etc).
Anyone have an idea on how to do this?
Thank you,
Igor
What about ECATT or even BAPI usage? There are ECATT procedures for mass users creation. Can that be used for roles as well?
Not as far as I know.
In any case, I will never rely on mass creation of roles as this will represent a security issue, and in my personal opinion this is why SAP does not offer mass creation of roles as a standard.
Regards
Juan
-
Hello GRC Community,
I have a following issue:
When I use mass risk analysis, the deactivated authorization objects in the role are displayed as a result. At the same time, when I use Role Level Risk Analysis, the role with deactivated critical authorization objects doesn't appear.
Does anybody know how to solve this issue? Is there any configuration parameter to be adjusted?
thanks
best regards
Sabrina
Prasant,
here are the screenshots of the Job result:
1. Mass role Risk Analysis
2. Risk Analysis on the (Single) Role Level
In the backend you can see that the role contains lots of deactivated authorization objects.
I have run all sync jobs, but seemingly it doesn't help.
Thanks,
Sabrina
-
Request Number is not generated for BRM "new" role creation
Hello Gurus,
I have configured BRM in SAP GRC AC 10, along with the workflow.
I have selected the following methodology:
Define Role --> Maintain Auth --> Analyze & Access Risk --> Request Approval --> Generate Roles --> Maintain Test Cases
Role name : Y_TEST_BRM_FUNCTIONALITY
So I do the following steps and assign
1) Role approver as Mr. ABC & Alternate approver as Mr. QRS
2) Assign the required transactions and do the RAR, i.e. I am done till step 3 of the methodology
When I click "Initiate Approval request"
the approval triggers, and goes to the 1st stage as configured in MSMP
1) Power User Approval.
Here the Power User: EFG, opens his workflow and sees the request as
Role approval required for role Y_TEST_BRM_FUNCTIONALITY
The approver approves the request and then the request all together vanishes.
Unfortunately I am not able to search the request for that role from NWBC --> Search request by
Process Id : Role Approver Workflow
It gives blank !!
Hence I am neither able to find the request nor able to do any debugging of it using
GRFNMW_DBGMONITOR_WD
Please note that the Request Id is created for any request in CUP.
Is it that I have to create a number range for BRM request?
If so will you please let me know the object
Hello All,
I was wrong in posting the cause of problem.
Please note no "Request number" is generated for Role creation Request.
The problem was I was unable to search the Role Request approval status from "Search Request" via Process Id.
It got resolved via SAP note 1643539 : UAM: Search Request not returning result for some Process Id.
My issue is resolved.
Thank You.
Regards,
Victor
-
Hi gurus,
I have just upgraded my GRC 10.0 to SP18 and when I access to create a new role in the NWBC, the button is in grey, I mean, I can not start the creation of it. However, I can modify the roles without problems.
Any idea of what can be happening?
Thanks,
Regards,
-
I just upgraded to SP11 and am trying to mass import a few roles. It doesn't give me an error on the mass input screen, but it doesn't import the role, so I put DEBUG on and looked at the system logs. I created the download file as both ANSI and UTF-8 and neither is working. Here is the system log output:
2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG
-- Request dump for Action Path is cnvMassRlImport.scrMassRlImport.loadMassRoleImport
2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG recordHistory:0::true#
2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG -- End Request dump for Action Path is cnvMassRlImport.scrMassRlImport.loadMassRoleImport
2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG Current Module: |CFG| Conversation: |cnvSysLog| Screen: |scrSysLog|
2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG Module#CFG#Conversation#cnvMassRlImport#Screen#scrMassRlImport#Action#loadMassRoleImport#
2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG Changing Conversation: FROM: cnvSysLog TO cnvMassRlImport
2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG com.virsa.framework.Context : clearConversationRep : : 0 entries cleared from conversation repositiory
2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG com.virsa.framework.Context : clearScreenRep : : 0 entries cleared from screen repositiory
2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG Handler found:class com.virsa.re.configuration.action.MassRoleImportAction
2010-03-23 11:26:51,160 [SAPEngine_Application_Thread[impl:3]_39] DEBUG forwarding to:/cfg_mass_role_import.jsp
2010-03-23 11:27:09,316 [SAPEngine_Application_Thread[impl:3]_28] DEBUG
-- Request dump for Action Path is scrMassRlImport.importRoles
2010-03-23 11:27:09,316 [SAPEngine_Application_Thread[impl:3]_28] DEBUG -- End Request dump for Action Path is scrMassRlImport.importRoles
2010-03-23 11:27:09,316 [SAPEngine_Application_Thread[impl:3]_28] DEBUG Current Module: |CFG| Conversation: |cnvMassRlImport| Screen: |scrMassRlImport|
2010-03-23 11:27:09,316 [SAPEngine_Application_Thread[impl:3]_28] DEBUG Module#CFG#Conversation#cnvMassRlImport#Screen#scrMassRlImport#Action#importRoles#
2010-03-23 11:27:09,316 [SAPEngine_Application_Thread[impl:3]_28] DEBUG Handler found:class com.virsa.re.configuration.action.MassRoleImportAction
2010-03-23 11:27:09,332 [SAPEngine_Application_Thread[impl:3]_28] DEBUG dirName-->E:\usr\sap\WMS\GRC\ROLEIMPORT\1269358029332
2010-03-23 11:27:09,347 [SAPEngine_Application_Thread[impl:3]_28] DEBUG returnStatus###success
2010-03-23 11:27:09,347 [SAPEngine_Application_Thread[impl:3]_28] DEBUG forwarding to:/cfg_mass_role_import_status.jsp
2010-03-23 11:27:10,769 [SAPEngine_Application_Thread[impl:3]_31] DEBUG
-- Request dump for Action Path is scrMassRlImport.generateRolesForeGround
2010-03-23 11:27:10,769 [SAPEngine_Application_Thread[impl:3]_31] DEBUG -- End Request dump for Action Path is scrMassRlImport.generateRolesForeGround
2010-03-23 11:27:10,769 [SAPEngine_Application_Thread[impl:3]_31] DEBUG Current Module: |CFG| Conversation: |cnvMassRlImport| Screen: |scrMassRlImport|
2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG Module#CFG#Conversation#cnvMassRlImport#Screen#scrMassRlImport#Action#generateRolesForeGround#
2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG Handler found:class com.virsa.re.configuration.action.MassRoleImportAction
2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG In LockedObjBO.getLockedObjListByType(String objType) starts.....
2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG In LockedObjBO.getLockedObjListByType(String objType) ends.....
2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG GET_BUS_PROC ===== SELECT BP.BPROCID, BP.BPROCNAM, BL.BPROCDES FROM VT_RE_BPROC BP LEFT OUTER JOIN VT_RE_BPROCLNG BL ON(BP.BPROCID = BL.BPROCID AND BL.LNGID=?), VT_RE_BPSPASSOC BSP WHERE BP.BPROCID = BSP.BPROCID AND BSP.SUBPROCID =?
2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG bprocName ===== HR00
2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG keys.size():- 42
2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 1RoleStatusName:- DEVELOPMENT
2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG 2RoleStatusName:- PRODUCTION
2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG MissingDescriptionHelperDAO.java@37:com.virsa.re.dao.MissingDescriptionHelperDAO.getMissingRoleDesc()missingLst.size(): 1
2010-03-23 11:27:10,785 [SAPEngine_Application_Thread[impl:3]_31] DEBUG startIndex: 0; endIdex: 1
2010-03-23 11:27:10,800 [SAPEngine_Application_Thread[impl:3]_31] DEBUG RoleImportBO.java@1393:com.virsa.re.bo.impl.RoleImportBO.createRole()Creating Role:ZM:HR_PY_DEPT_SUPP_COMP profile:'Z:DEPTSUPP'
2010-03-23 11:27:10,800 [SAPEngine_Application_Thread[impl:3]_31] DEBUG InsIde getLastGenerateDate(3572,11)
2010-03-23 11:27:10,800 [SAPEngine_Application_Thread[impl:3]_31] DEBUG InsIde getLastGenerateDate(3572,11) ResultSet and got an entry
2010-03-23 11:27:10,800 [SAPEngine_Application_Thread[impl:3]_31] ERROR Cannot assign a java.lang.String object of length 389 to host variable 7 which has JDBC type VARCHAR(100).
java.lang.Throwable: Cannot assign a java.lang.String object of length 389 to host variable 7 which has JDBC type VARCHAR(100).
at com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:85)
at com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:124)
at com.sap.sql.types.GenericResultColumn.checkLength(GenericResultColumn.java:212)
at com.sap.sql.types.VarcharResultColumn.setString(VarcharResultColumn.java:63)
at com.sap.sql.jdbc.common.CommonPreparedStatement.setString(CommonPreparedStatement.java:511)
at com.sap.engine.services.dbpool.wrappers.PreparedStatementWrapper.setString(PreparedStatementWrapper.java:355)
at com.virsa.re.dao.jdbc.ChangeHistoryDAO.saveChangeHistory(ChangeHistoryDAO.java:318)
at com.virsa.re.bo.impl.ChangeHistoryBO.saveChangeHistory(ChangeHistoryBO.java:77)
at com.virsa.re.bo.impl.RoleBO.updateRoleWithChngeHist(RoleBO.java:469)
at com.virsa.re.bo.impl.RoleImportBO.createRole(RoleImportBO.java:1437)
at com.virsa.re.bo.impl.RoleImportBO.importRoles(RoleImportBO.java:639)
at com.virsa.re.bo.impl.RoleImportBO.importRoles(RoleImportBO.java:333)
at com.virsa.re.configuration.action.MassRoleImportAction.generateRole(MassRoleImportAction.java:597)
at com.virsa.re.configuration.action.MassRoleImportAction.execute(MassRoleImportAction.java:78)
at com.virsa.framework.NavigationEngine.execute(NavigationEngine.java:273)
at com.virsa.framework.servlet.VFrameworkServlet.service(VFrameworkServlet.java:230)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:117)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:62)
at com.virsa.comp.history.filter.HistoryFilter.doFilter(HistoryFilter.java:43)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:58)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:384)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
Hi All,
Two weeks ago, I was trying to load roles in ERM. The result hasn't been as expected. I use SAP GRC AC (5.3). I need to load 6375 single roles, but I have only loaded 914 single roles. Next I describe the general context of my situation:
1. I divided the file VIRSA_RE_DNLDROLES.txt into 16 files (UTF-8) with single roles per module (AM, PO, PS, GL, SD...)
2. Each file contains segmented roles associated to a business process and multiple sub-business processes.
3. When I checked roles in ERM, I noticed that it just loaded some roles. Not all roles in the template were loaded.
4. File sizes vary between 18 kb and 145 kb.
5. Files concerned with "Mass Role Import" have the following extensions: Bulk Download File* (.txt), Enterprise Role Management Information File (.xls) and Primary Org. Level File (.xls).
6. An error generated was "Unknown error occurred while performing operation (No space left on device (errno:28))."
Honestly, I don't know the reason for not loading all roles from the template. Any suggestions? Or ideas?
Thanks in advance
-
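Because the import screen in the post above reported no error while the system log did, one way to audit a mass import run is to pair each `Creating Role:` line with any ERROR logged afterwards on the same application thread. This is an added example, not code from the posters or from SAP; the same-thread pairing rule is an assumption, and in the sample the last log line (role `Z:EXAMPLE_ROLE_OK`) is constructed while the others are copied from the post.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Timestamped line as shown in the post. The thread name itself contains
# brackets, so match lazily up to "] LEVEL".
LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(.+?)\] "
    r"(DEBUG|INFO|WARN|ERROR)\s*(.*)$"
)
CREATE = re.compile(r"Creating Role:(\S+) profile:'([^']*)'")
TRUNC = re.compile(
    r"object of length (\d+) to host variable (\d+) "
    r"which has JDBC type (\w+)\((\d+)\)"
)
# First application (com.virsa.*) frame of a stack trace continuation line.
FRAME = re.compile(r"^\s*at (com\.virsa\.[\w.$]+)\(")


@dataclass
class RoleResult:
    role: str
    profile: str
    errors: list = field(default_factory=list)
    app_frame: Optional[str] = None  # where in the application the write failed


def triage(log_text):
    """Return one RoleResult per 'Creating Role:' line, with attached errors."""
    current = {}       # thread name -> role currently being created (assumed)
    results = []
    open_error = None  # role whose stack trace we are currently reading
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m is None:
            # Untimestamped line: part of a stack trace, if one is open.
            frame = FRAME.match(raw)
            if frame and open_error is not None and open_error.app_frame is None:
                open_error.app_frame = frame.group(1)
            continue
        _, thread, level, msg = m.groups()
        open_error = None
        created = CREATE.search(msg)
        if created:
            result = RoleResult(created.group(1), created.group(2))
            current[thread] = result
            results.append(result)
        elif level == "ERROR" and thread in current:
            result = current[thread]
            t = TRUNC.search(msg)
            if t:
                length, hostvar, jdbc_type, size = t.groups()
                result.errors.append({
                    "kind": "value_too_long",
                    "length": int(length),
                    "host_variable": int(hostvar),
                    "column_type": jdbc_type,
                    "column_size": int(size),
                })
            else:
                result.errors.append({"kind": "other", "message": msg})
            open_error = result
    return results


def failed_roles(results):
    return [r for r in results if r.errors]


# Sample input: lines from the post, plus one constructed final line.
SAMPLE_LOG = """\
2010-03-23 11:27:09,347 [SAPEngine_Application_Thread[impl:3]_28] DEBUG returnStatus###success
2010-03-23 11:27:10,800 [SAPEngine_Application_Thread[impl:3]_31] DEBUG RoleImportBO.java@1393:com.virsa.re.bo.impl.RoleImportBO.createRole()Creating Role:ZM:HR_PY_DEPT_SUPP_COMP profile:'Z:DEPTSUPP'
2010-03-23 11:27:10,800 [SAPEngine_Application_Thread[impl:3]_31] ERROR Cannot assign a java.lang.String object of length 389 to host variable 7 which has JDBC type VARCHAR(100).
java.lang.Throwable: Cannot assign a java.lang.String object of length 389 to host variable 7 which has JDBC type VARCHAR(100).
at com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:85)
at com.virsa.re.dao.jdbc.ChangeHistoryDAO.saveChangeHistory(ChangeHistoryDAO.java:318)
at com.virsa.re.bo.impl.ChangeHistoryBO.saveChangeHistory(ChangeHistoryBO.java:77)
2010-03-23 11:27:11,100 [SAPEngine_Application_Thread[impl:3]_31] DEBUG RoleImportBO.java@1393:com.virsa.re.bo.impl.RoleImportBO.createRole()Creating Role:Z:EXAMPLE_ROLE_OK profile:'Z:EXAMPLEOK'
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        status = "FAILED" if r.errors else "no error logged"
        print(f"{r.role:30} {status:16} {r.app_frame or ''} {r.errors}")
```

Comparing the list of roles with no logged error against the roles in the upload file gives the set that still has to be re-imported and re-checked.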
Import roles to the ERM without using the "Mass Role Import"
Hello,
I want to know if there is another way to import roles to the ERM without using the "Mass Role Import".
I'm using SAP GRC AC 5.3
Best Regards.
Pablo Mortera.
Hi.
There is NO other way to import roles.
We need to use only ERM for "Mass Role Import".
Regards
Gangadhar
-
Role Creation in CUP 5.3
Hello,
I'm trying to understand the concept of what is called "role creation" in Compliant User Provisioning.
My understanding is that the "create role" option in CUP (configuration>Roles>Create Role) means simply adding the "attributes" such as a business process, functional area, system, or company, to the SAP roles that you imported into CUP.
It seems that, with CUP, once you have imported SAP roles and "adjusted" them (adding attributes), you are no longer operating PFCG and SU01 in the SAP backend system. From this point on, everything is done in CUP (provisioning) and ERM (creating additional roles).
Please tell me if I'm wrong.
HM
HM,
The create role option in CUP is mainly for legacy/non-CUP supported systems. This way you can follow the standard workflow process for LDAP/Windows/legacy systems. In this case, user provisioning and role assignment will not be done through CUP and will be manual. This is very important for some companies as they want users to go through the same process if they want to get access to any system and not only the ERP system.
The below statement is wrong.
> It seems that, with CUP, once you have imported SAP roles and "adjusted" them (adding attributes), you are no longer operating PFCG and SU01 in the SAP backend system. From this point on, everything is done in CUP (provisioning) and ERM (creating additional roles).
If you don't have ERM then you will have to use PFCG. Once you have CUP, you don't have to use SU01.
Regards,
Alpesh
-
How to raise role creation/modification request in AC 10
We are implementing AC10. I have issue more related to the process followed than technical. Please suggest from your experience.
We found that we can raise the request for new user account, role assignment to user, etc. in Access Request (formerly CUP), but we cannot raise the request for role creation or role modification. This is directly done in Role Management. My question is, how will the security admin receive the requests for creating or maintaining the roles? Is it necessary to use a ticketing tool for users to raise the request for role creation and modification?
Thanks everyone for your valuable solutions.
Dear Ashish,
Whatever you have mentioned is correct to have the common platform for every request, either for user creation or role creation.
But what we decided earlier was that the end users can raise the request in CUP directly, rather than involving the security admin. But after realizing that there is no request type for role creation, I think we have to use our ticketing tool as a common platform.
The request will come to the security admin from the ticketing tool and then he will create the request in CUP; thereafter it will follow the approval workflow. The only problem I see in this is that it goes to the manager twice, once in the ticketing tool and then through the CUP workflow. I think we need to take out the manager stage from the workflow.
-
Idm-Vaau Rbac role creations and mapping
Hi All,
I'm working on the integration between Idm and Vaau's Rbacx (role based access control) tool for role creation and provisioning...I've imported the spml.xml and SPMLGetObjectsform.xml into Idm for the SPML calls between Rbacx and Idm.
The challenge I'm facing is mapping the attributes of Rbacx roles to enable the attributes to be populated in Idm...I'm able to export roles into Idm, but they are not populating with any attributes eg. resource type, resource attribute etc. I'm uncertain as to where I have to map these properties and do any customization for this to work. I would appreciate if anyone who has worked on this or know how to do this, to pls give me some pointers/share your experience. I don't have any documentation to refer to and am doing everything on trial and error basis.
Any help is greatly appreciated!
Thank you.
Hi newbie,
Were you able to solve this issue? I am facing the same problem while assigning resource attributes for a created role using a custom workflow.
This is where I set the resource attributes in my workflow:
<Action id='1'>
<expression>
<block trace='true'>
<set><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].valueType</s><ref>ADGroupsValueType</ref></set>
<set><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].requirement</s><ref>ADGroupsRequirement</ref></set>
<append><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].value</s><ref>ADGroupsValue</ref></append>
</block>
</expression>
</Action>
where <ref>ADGroupsValue</ref> contains the attribute value.
thanks,
Lokesh
-
How to generate mass roles in SUPC
Hi All,
I have to generate mass roles at one time. There are 3000 roles to be generated. I am using tcode SUPC to do this, but when I give the list of roles and click on the generate button it is taking only one role.
I am generating derived roles.
Please advise.
Thanks,
Masood
> I am generating derived roles.
Perhaps Salman123 wrote a CATT to hit the "Adjust derived roles" function once, or dug deeper?
If you have less than 50 roles and all standard and maintained authorizations you are better off using the delete menu and import from role option in my opinion. (make sure the root node is small and use redundancy compression).
If you have more than 50 roles, then (shame on me...) try to keep them very small with only selected objects and use the option to delete their profiles completely and upload them on mass. Such roles are anyway usually best suited for BW systems and an entirely different concept (Analysis Authorizations).
You can avoid derived roles completely this way.
Cheers,
Julius
-
Hi All
I need to create a WET for role creation, this is simple But I need to incorporate approval of the creation of the new MX_ROLE entry. I can only find documentation/guides on how to implement approval of role and privilege assignment. Does anyone know if it is possible to setup approval on creation on a new entry?
Kind regards,
Heidi
I have tried to implement the MX_INACTIVE solution. Now it is not possible to see the role on the "Adminstrate"-tab, and there is an approval task on the "To do"-tab. When I click this task, details on the role are displayed properly, but when I try to process the request by clicking the "Show request"-button (button name translated from Danish, it might be translated differently...) I get an error: "Access denied".
I have set correct approver on the approval task, and I was able to process approval requests, before I set the role to inactive.
On the approval task, I have checked the "Use inactive entries" checkbox.
Does anyone have an idea what could be wrong?
Kind regards,
Heidi Kronvold
-
Role Creation using CAT Scripts
Hi,
Step by step procedure needed.
I need role creation using scripts (SECATT); the org values that need to be maintained are full authorization.
Please help me.
ram
Hi Ram,
There is a SECATT tutorial here: http://www.*********************/tutorials/secatt_user_create.html
If you learn that & the principles associated with SECATT then you can apply that to creating and populating roles.
In my opinion SCAT is much easier to use, though less flexible.