Matching ABAP Roles with UME Groups

Similar Messages

• Transport roles (with assigned group) containing folders and iviews

  Hi,
  This message was in the BI forum before and I think that it suits here better.
  I created a portal role which is contained in a folder X under Portal Content. This portal role is associated with a particular ABAP menu-role by means of Assigned Groups. When I transported the folder X with all dependent objects from Dev to QA, the portal role appeared but the Assigned Groups is empty. Another words, the association between portal role and the ABAP menu-role could not be transported. How can Associated Groups in a Portal Role be transported?
  Then I also tried to do the following steps:
  1. Export and import portal contents which include the whole structure with folders, roles and iviews under each role.
  2. Export and import the same roles as user management data
  The result from 1 was that the whole structure including the roles is imported; however none of the portal role contains the associated assigned group.
  The result from 2 was that the UME roles with assigned group are imported as separat objects.
  Now, the same role appears both as portal role without assigned group and the UME object with assigned group. But, there is no connection between 1 and 2. That means that I cannot use 2 anyway.
  Therefore, I still have to manuelly modify 1 with assigned role once again after importing step 1. Is there a way to import 1 with the associated assigned group without any manuel modification?
  Thank you in advance for any helpful advice.
  Best regards,
  Zabrina

  hi,
  check the following threads
  http://help.sap.com/saphelp_nw04/helpdata/en/6d/7c8cfd410ea040aadf92e1f78107a4/frameset.htm
  http://help.sap.com/saphelp_nw04/helpdata/en/6d/7c8cfd410ea040aadf92e1f78107a4/frameset.htm
  Re: Transport management in BW 2004s
  let me know uneed any further info
  bvr

• Associating roles with LDAP Groups

  I see in a number of places where I can define roles using a "principal-name".
  Can I use a realm group here as well as a single user? What I'm looking for is
  a method where I can set up my roles in my web appps and ejbs and then on the
  fly grant users rights by adding them to a group. Certainly seems possible but
  I must be missing something.
  Consider the following example (from the weblogic documentation) and let me know
  if I can use realm groups for the section attributed to the weblogic.xml file.
  (I marked it with ***).
  <security-constraint> <web-resource-collection> <web-resource-name>SecureOrdersEast</web-resource-name>
  <description> Security constraint for resources in the orders/east directory </description>
  <url-pattern>/orders/east/*</url-pattern> <http-method>POST</http-method> <http-method>GET</http-method>
  </web-resource-collection> <auth-constraint> <description>constraint for east
  coast sales</description> <role-name>east</role-name> <role-name>manager</role-name>
  </auth-constraint> <user-data-constraint> <description>SSL not required</description>
  <transport-guarantee>NONE</transport-guarantee> </user-data-constraint> </security-constraint>
  <security-role> <description>east coast sales</description> <role-name>east</role-name></security-role>
  <security-role> <description>managers</description> <role-name>manager</role-name></security-role>
  weblogic.xml entries *** Can these come from the realm????????***
  <security-role-assignment> <role-name>east</role-name> <principal-name>tom</principal-name>
  <principal-name>jane</principal-name> <principal-name>javier</principal-name>
  <principal-name>maria</principal-name> </security-role-assignment> <security-role-assignment>
  <role-name> manager </role-name> <principal-name>peter</principal-name> <principal-name>georgia</principal-name></security-role-assignment>

  See my answer to your question:
  Simple (dumb) role/group question
  Yong
  "Ilango Maragathavannan" <[email protected]> wrote:
  >
  I see in a number of places where I can define roles using a "principal-name".
  Can I use a realm group here as well as a single user? What I'm looking
  for is
  a method where I can set up my roles in my web appps and ejbs and then
  on the
  fly grant users rights by adding them to a group. Certainly seems possible
  but
  I must be missing something.
  Consider the following example (from the weblogic documentation) and
  let me know
  if I can use realm groups for the section attributed to the weblogic.xml
  file.
  (I marked it with ***).
  <security-constraint> <web-resource-collection> <web-resource-name>SecureOrdersEast</web-resource-name>
  <description> Security constraint for resources in the orders/east directory
  </description>
  <url-pattern>/orders/east/*</url-pattern> <http-method>POST</http-method>
  <http-method>GET</http-method>
  </web-resource-collection> <auth-constraint> <description>constraint
  for east
  coast sales</description> <role-name>east</role-name> <role-name>manager</role-name>
  </auth-constraint> <user-data-constraint> <description>SSL not required</description>
  <transport-guarantee>NONE</transport-guarantee> </user-data-constraint>
  </security-constraint>
  <security-role> <description>east coast sales</description> <role-name>east</role-name></security-role>
  <security-role> <description>managers</description> <role-name>manager</role-name></security-role>
  weblogic.xml entries *** Can these come from the realm????????***
  <security-role-assignment> <role-name>east</role-name> <principal-name>tom</principal-name>
  <principal-name>jane</principal-name> <principal-name>javier</principal-name>
  <principal-name>maria</principal-name> </security-role-assignment> <security-role-assignment>
  <role-name> manager </role-name> <principal-name>peter</principal-name>
  <principal-name>georgia</principal-name></security-role-assignment>

• Mapping ABAP roles and assignments to EP UserGroups and EP Roles

  Hello.
  I have set up my EP7 UME to upload ABAP roles as Portal Groups . Im expecting the ABAP role to user assignment to also reflect as EP Group to User assignment.
  All my roles that 'exist' in the ABAP source system are created in EP7 correctly as expected. However, only "direct" user to role assignments are uploaded. NONE of my "indirect" user to role assignments (ie: Via HR Org in ABAP system) are reflected in EP.
  Qtn: Is there a way I can encorporate indirect user-role assignments into the upload into EP as well ??
  Thanks
  Andrew
  ps: I have played with HR org active switch in vain in ABAP syst

  Hi Kumar,
  Have you tested the connection of your R3 system?
  Do you want to connect to the ABAP UME?  If so do the following:
  1.     Logon to the portal as administrator
  2.     Go to:
  1.     System Administrator
  2.     System Configuration
  3.     UME Configuration
  4.     Click Modify Configuration
  5.     From the drop down select ABAP system
  Fill in the details for your system. 
  Click on the User Mapping tab
  Click on the reference system combo box and select the relevant system
  (in this case R3)
  Click on the ‘Test Connection button’.  If the test has been successful you should get a ‘Connection test successful’. ~<b>It is important to test the connection before saving otherwise this could cause you lots of problems!</b>
  Thanks,
  Nick

• ABAPer role in upgrade project

  Hi,
  Please let me know the ABAPer role with upgrade project. When Std programs updated by support packs what are the responsibility of ABAPers?
  Thanks,
  Praneeth

  Hi,
  Automatic- It means that there will be a green icon. You will have to just click it and it is done.
  This is because the changes to the SAP Object have been done either via SNOTE for some note application or you have used the modification assistant. So SAP does not have any problem in determining the changes. So the adjustment is automatic.
  Semi-Automatic - In this case there will be a yellow icon. This means that you have to make some manual adjustments. This is because SAP considers that the adjustments are proper but still there is some discrepancy.Probably this is because you have made some note changes and additionally inserted some comments like begin of changes by xxxx on yyyyy for note zzzzz.
  So in this case SAP will give you a split screen editor in whihc your existing code and the one coming from support pack will come. So you have to adjust accordingly.
  Manual Adjustment - In this case there will be a red icon. This means that you have to make the chnages manually. This is because SAP finds a lot of discrepancy in your program and the one coming via support pack. The reason can be either the earlier note was incorrectly applied or you have added your own code for some custom requirment. So again SAP gives you the split screen editor to make the adjustments.
  Your assumptions about Reset to Original and Adopt Modifications are correct.
  I hope it solves your queries.
  Regards,
  Ankur Parab

• Identity Service LDAP with dynamic grouping

  Hi all,
  We are developing an enterprise application with oc4j and bpel.
  First we managed to handle user management with XML based JAZN tool.
  After that,we managed to connect identity service with iPlanet LDAP server and get users and roles(with static groups defined.)
  But our client wanted static and dynamic groups together in their LDAP server,because of the complexity of their current user base.
  When we try this,we cannot get the roles that are assigned with dynamic groups.But we can get the roles that are statically defined.
  We check the roles from the worklist application (integration/worklistapp... thing..) and we se the static groups where we cannot see dynamic one's.
  There is a section in is_config.xml like:
  <roleControls>
  <property name="nameattribute" value="cn"/>
  <property name="objectclass" value="groupOfUniqueNames"/>
  <property name="membershipsearchscope" value="onelevel"/>
  <property name="memberattribute" value="uniquemember"/>
  <search searchbase="ou=Groups,dc=dummy,dc=com,dc=tr" scope="onelevel" maxSizeLimit="1000" maxTimeLimit="120"/>
  </roleControls>
  I think the property uniquemember has an effect in this situation but I cannot find any sample configurations using dynamic groups in LDAP.
  Hope somebody has already done that..

  I find a solution here:
  http://download.oracle.com/docs/cd/E15523_01/integration.1111/e10226/hwf_config.htm
  I am currently using weblogic's defaultAuthentication to test BPM 11g.
  I do not know if this approach works in production environment.

• How to create Roles in UME (ABAP+JAVA stack)

  Hi,
  I have created roles earlier on JAVA stack alone. However, this time I am working on JAVA+ABAP stack. When I am trying to create role in UME, I am getting only two tabs:
  General Information
  Assigned Groups
  I am not getting Assinged Actions tab here.How do I assing actions ?
  Can any one please help me in creating roles in ABAP+JAVA stack.
  That would be  a great help!
  Regards
  Faisal

  HI Faisal,
  When ABAP is the UME, you can only edit users / groups that are J2EE only. Any group that is defined in ABAP is read-only for the Java Server to prevent conflicts (there is no synchronization) and has to be changed in ABAP.
  Please take a look at this link, which has a great graphic describing this.
  http://help.sap.com/saphelp_nw04s/helpdata/en/7c/36dcd59865b246b993c471199ba37a/content.htm
  So, if the Java group was created in ABAP, the ABAP user has to have the ABAP role assigned to him, so that he is in the group on the Java server. make sense? The graphic in the link above really explains it well I think.
  If you a new / custom Java group (not in ABAP) then you should be able to assign users to it from the Java server.

• UME problem - ABAP roles not showing up in UME

  Hello,
  I'm having a problem where the ABAP roles (UME groups)  for my PI system are not showing up as assigned to a user in the UME.  The roles assigned to the user are not reflecting the roles (UME groups) that are in the ABAP side.  But, other users are showing up fine.    The user is shown to have only the standard basic roles.
  This works fine on my development and AS system.  Any help would be greatly appreciated. Thanks.

  Hi George,
  There is a 30 minute delay before these roles/groups show up in the Java system. Could that be the problem in your case?
  See the [documentation|http://help.sap.com/saphelp_nw70ehp1/helpdata/en/45/af3ac012d32e78e10000000a155369/frameset.htm].
  -Michael

• Portal Groups vs. ABAP Roles

  Hi,
  We have the following scenario:
  SAP EP (6.0 SP19) with content from BW and HR (ESS&MSS).
  The backend systems and the portal use CUA.
  The problem is that for example when a new user(employee) is created in HR, we would like that the user automatically gets a certain role in the portal (employee or manager, depending on the role given to him in the backend system).
  At the moment we first have to give the user a role in the backendsystem + assign the user to a group in the portal. Is there a better solution for this ?
  Regards,
  Kristian Rantakoski

  You can import backend roles in portal. After importing these backend roles in portal, these roles appear as Groups in portal.  As users are automatically part of these group in portal, You can assign manager roles of portal to Manager group ( which is actually a role in the backend) in Portal.
  The above approach worked for me in case when I configured Portal UME to ECC6.0 user database. I am not sure if the same approach will work in case of CUA.
  You can give it a try.
  Best Wishes
  Prabhakar

• ABAP'ers role with MM and SD

  Hi all,
  I am new to ABAP.
  Can anyone explain what is the role of ABAP'er with SD and MM with simple examples ?
  thanks in advance
  raghul

  Actually to understand the relation you need to know what is sap modules and what is abap??
  ERP package is a collection of various integrated application areas known as modules like SD(Sales), MM (Material Management) etc/.
  Now SAP gave these modules in a generic form to all of its customer. One need to customized this generic form of SAP according to their business requirements. Now, as these generic form of modules written in ABAP language, so the customizing are done using abap language only through various reports(R), interface(I), conversion (C), Enhancements (E), Forms (F) which is known as RICEF work.
  So one abapers role will be customizing a new sap instance ( Implementation) or modifying already existing sap instance (Upgrade, production supprot) or migration from lower version to higher version ( as for example sap 4.6 to ECC 6.0) .
  Reports(R) contains: Classical report, alv report.
  Interface ( i) cvontains : Idoc, ABAP Proxy, RFC.
  Conversion ( C) contains : BDC, BAPI, LSMW, CAT Scripts
  Enhancements(E) contains: User exits, customer exits, BADI, Enhancements points and sports, Carnel BADI.
  Forms(F) Contains: Sap scripts, Smartforms, Adobe Forms etc.

• Associate automatically a partner role with a partner group

  Hi Gurus,
  I have as a requirement to associate automatically a partner role with the corresponding group (through a Ztable) when creating a Busines Partner of a determined role. Now the default group is shown on the screen, and If you forget change it, you would save this partner role within a wrong range number.
  My question is: there is a spot enhancement where I can associate it? any badi? someway to do it without leaving the standard way?
  Thanks in Advance.
  Rosa Ferrando

  Hi...
  Call area menu BUPT
  Business Partner->Control->Events
  Check the BDT Events...DSAVC...inside this you can call your own function module and put a check here...You can see the import and export parametrs for your FM from any of the above standard FMs....
  Try it
  Mithlesh

• UME ABAP PORTAL WITH MULTIPLE DB INSTANCES

  Hello xperts, there is a subject i would like to expose, we have a portal with UME ABAP, and we are integrating no-sap portals to the sap portal, in order to make single sign on we know is necessary todo a user mapping , using only one sap backend system,and several local portal users (ume java).
  I know it is not possible get back to ume java which is the default installed in a fresh portal installation, but what if we install a new instance with another system id and and using the same database instance? it is possible? (or some thing like that?)
  Thank a lot!!!
  Edited by: NWrscr on Jul 14, 2011 1:17 PM

  Hi,
  Hope you are doing good.
  I am not sure if i have understood the issue correctly, but you can give MCOD a shot.
  [http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/80d0613c-b806-2a10-2891-aae5bbcd1a79]
  This is still supported by SAP.
  Thank you and have a nice day :).
  Kind Regards,
  Hemanth
  SAP AGS

• J2EE roles vs Portal roles vs ABAP roles

  (I also posted this on portal implementation, but i hope i receive more reactions here )
  Dear all,
  I have a question about the information on the following link:
  http://help.sap.com/saphelp_nw2004s/helpdata/en/4c/6c0f40763f1e07e10000000a1550b0/content.htm
  It says the following:
  "These functions are intended to assign users and their assigned portal roles a corresponding role in the SAP System. This corresponding role (authorization role) contains the authorizations needed to execute certain functions from the portal."
  1. These "...certain functions..." they talk about, can someome give an example of these functions?
  2. Is it possible for example to create a role in the portal that gives a user authorisation for starting transaction SE80 in the backend system? Without making the role in the backend first and uploading it to the portal.
  3. It's also possible to upload ABAP roles to the portal. Is the main reason for this that users can see their SAP menu (or part of it) in the portal? Or does this have other advantages too?
  4. I'm very confused about the relation between J2EE roles, portal roles and ABAP roles. Is it possible to manage the roles for a user in one place, without having to do certain actions in the portal AND the backend system?
  From what I've read on help.sap.com, you always need to do certain actions in both places.
  A possible approach is the following (from what i know): Creation of roles in the R/3 system, without assigning to users. From a webdynpro application, a user can then be created and roles can be assigned: portal roles (via some API) and R/3 roles (via BAPIs).
  I hope someone can give a bit information on this issue. I've done alot of reading on help.sap.com, but it's still an abstract issue for me.
  Kind regards,
  Joren

  Hi Jorem
  Re: point 3. I don't build portal roles through this mechanism as I don't believe in replicating the SAP easy access menu inside the portal. If there are some specific functions (transactions) that I want to run inside the portal, then I might use this mechanism to build the iViews once. I would rather start an iView that runs transaction SMEN and let the user see their regular easy access menu.
  Please note that the speed of executing transactions in the portal isn't a function of the portal, but the fact that you are using ITS, for example, to web enable the transaction...
  Re: point 4. Groups are a UME concept. They have nothign to do with ABAP groups. They can be created directly in UME through user administration functions, or they can be created in the LDAP and then they are visible in the portal. If the UME points to an ABAP system, then the ABAP roles are autoamtcially visible as UME groups. Groups created in the UME need to have the members assigned through user admin functions of the Java engine. Groups stored in LDAP are maintained using LDAP admin tools. There are upload utilities that allow you to maintain LDAP users and groups through text files. Google LDIF for more details.
  Roles on the portal need to be built in the portal contetn directory. As Michael mentioned, this can be automated by the use of the role upload function built into the portal.

• ABAP Role Assignments stored in MSAD

  Hi all,
  unfortunately I have only found contradicting information in relation to the possibility to manage ABAP role assignments using a MS Active Directory.
  We plan to implement a WAS (ABAP) 6.40 SP14, synchronise data between the WAS and the corporate MSAD. While WAS (ABAP) is not capable of MSAD based authentication I suspect it is possible to manage the user/role assignments in MSAD. Am I right in my assumptions (see list below) that the following data entities can/cannot be managed and synchronised/stored with the WAS (ABAP) out of the box?
  WAS ABAP
  1. possible - user master data (e.g. userName, address, etc.)
  2. possible - user/role assignments
  3. not possible - user passwords (however, can be bypassed through SSO based on NTLM)
  Portal UME
  1. possible  - user master data
  2. possible - user password
  3. possible - role/group assignments
  4. possible - group/user assignments
  5. possible - user/group assignments
  6. possible - user/role assignments
  Thanks for the help!!
  Cheers Stefan

  Hi,
  Thanks for the suggestion. But ours was a different problem.
  The issue was with a faulty reconciliation job that had been fixed. But it had done its damage before the fix and this caused the inconsistent behavior.
  During the reconciliation job (to update changed and add new backend roles in IDM) various task trigger attributes get disabled and then re-enabled after the import. These disabled triggers did not get re-enabled for the privileges on some systems. And the reconciliation job was also delta enabled, so only new privileges, after the initial load, should have been impacted. But impact to many privileges -- all privileges of some target systems -- misled our investigation. The timing of the reconciliation job executions kind of added to the confusion and inconsistencies during the initial setup. But we finally tracked this down and wrote a custom job to fix the triggers for only the affected privileges. Assignments to all systems started to function successfully as expected.
  Best regards,
  Ashok

• Replacing Standard-Groups like SAP_J2EE_ADMIN with customized groups

  Hello everybody!
  I'd like to give a group of users access to our XI-Java-stack with permissions that are a bit more differenciated than the standard SAP-groups. For example, I want users to be able to view all messages, but not all of their payloads (we use different namespaces for different departments, so this might be an approach to differentiate).
  I have a bit of experience with the UME of Enterprise Portal and I've been able to assign Permissions (i.e. Roles) to users using the groups based on mapped ABAP-Roles. In XI I couldn't find any possibility to do something like this up to now. In the XI-User-Administrator I can view Roles and Groups, but all I get is a note that they are write-protected and can't be edited. I also haven't found a possibility to assign UME-Actions to my ABAP-mapped groups.
  Who can help me? Thanks in advance!

  Looks like there is no possible solution for this. I asked the teacher at my ADM200 course about this and he also didn't know anything