Migrating Role Assignments

Hi Everyone,
I would like to migrate the role assignments from an SP7 Portal to an SP17 Portal but when exporting the users from the SP7 Portal, i only get the users that have company numbers.  As well, the roles are not migrated if the roles are attached to groups (only roles that are directly attached to the user are exported)
Any ideas how to get all the users/role assignment migrated?
Thanks

Hi Amit,
As your new Portal is SP 17 and you need move your roles from SP 7 so for that u need to first transport Portal Content(Roles).
For which below wiki which is written by me will be helpful to you:
https://www.sdn.sap.com/irj/scn/wiki?path=/display/ep/process%252bof%252bmigrating%252bportal%252bcontent%252bfrom%252bportal%252bto%252banother%252bportal
Regards
Pooja
Edited by: Pooja Gehani on Dec 10, 2008 7:43 AM

Similar Messages

  • SAP R/3 : Indirect Role assignments - Is position unique to every user?

    Hi.
    While am exploring /learning SAP R/3 roles and auth, I would appreciate if I could get clarity on the following :
    This  link on SDN on Indirect role assignments are very informative.
    http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/f03e6f6c-8c16-2a10-1581-ed8812e2effe
    This link is also more explanatory : http://my.affinitext.com/public/book/5442/-1/1423831
    So if my understanding is correct, it is better to assign roles - indirectly by position, so that if an employee's position changes, his role can be removed, based on position again ??? And somewhere we are linking with infotype 105.
    My only doubt is : if we are going to assign roles by position and remove the roles by position, so that as the position of an employee changes, the previous roles become null and void and new roles can be assigned as per new position.
    So would like to know :
    as to whether this position number which we see from PA20, is unique to every user on the system ?
    So that, if there is a need to remove a role based on postion, we could remove the role from PO13;
    BY doing that, then will it not affect other users ?
    Can somebody help me understand this.
    Because if i want to see the effect immediately, if i go to PFUD and put the role name and say execute, i see that the role which was removed from PO13 is gone immediately from the user.
    Many thanks
    Indu
    Edited by: Indumathy Narayanan on Nov 22, 2011 9:25 AM

    GOT IT THANKS.
    Hi Prashant.
    Good morning and wishes.
    Can you please help me understand this.
    I understand from HR person that position is uniquely defined (from hire to retire)
    and roles are generally given based on position.
    However, I see a person : whose roles have been assigned as per position all these years.
    He had 2 roles in project A. He now moved into a different project B.
    But. when i check, i still see the roles - reflecting on SU01  & well as in the tab of user of the role X under pfcg.
    BUT when i check PO13 - and put the position / relationship and say overview.
    I dont see the roles at all there.
    Why this is so.  Why the discrepancy on different screens.
    Also How can I get a confirmation that - these roles are actually removed and is not there for the user.
    Rather.
    How could the removal of roles based on position become completely effective on the system.
    So that all screens display the same information.
    Also would like to know - whether it is ok to remove the role expiry date directly from PFCG/ROLE Display/user tab/select user/
    and then make the role invalid or expired / or extend the expiry.
    Many thanks.
    Indu
    Edited by: Indumathy Narayanan on Dec 7, 2011 12:09 PM
    Edited by: Indumathy Narayanan on Dec 7, 2011 1:42 PM
    Edited by: Indumathy Narayanan on Dec 7, 2011 5:17 PM

  • Migrate Roles failes when migrating VMs with legacy network adapters (2008R2 - 2012)

    I'm working on a upgrade of Hyper-V 2008R2 cluster to Hyper-V 2012 cluster. I am using the "migrate roles" feature of failover clustering to migrate the CSV's and VM's. The wizard ask to which switch the VMs need to be connected on the target cluster.
    All VMs with network adapters can be started in the new cluster without any issues. If you look at the XML file of the migrated VMs with normal network adapters, a new XML has been generated in the proper 2012 format. However, all VM's with a legacy
    network adapter fail to start. Also there is no migrated XML file in the VM directory. It is impossible to check or adjust the settings of the migrated VMs with legacy network adapters using the failover clustering console.
    I have reproduced the issue in my lab several times, and it seems like a bug.
    There are several workarounds, but I am looking for a real solution.

    Hi,
    We recommend that you use the legacy network adapter only to perform a network-based installation or when the guest operating system does not support the network adapter.
    If the virtual machine continues to use the legacy network adapter it will not be able to leverage many of the features available in the Hyper-V virtual switch. You may want
    to replace the legacy network adapter after the operating system is installed.
    The related KB:
    Building Your Cloud Infrastructure: Converged Data Center without Dedicated Storage Nodes
    http://technet.microsoft.com/en-us/library/hh831829.aspx
    Configure Networking
    http://technet.microsoft.com/en-us/library/cc770380.aspx
    Hope this helps.
    We
    are trying to better understand customer views on social support experience, so your participation in this
    interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • How to find the user - role assignments in the database for EP6 SP9?

    L.S.,
    We have a quite specific requirement: to see which users have access to our portal environment (EP6 SP9). It does not immediately matter (though would probably still be nice to know if possible) which roles users have exactly.
    I've been looking in the database to find user-to-role assignments there, but I'm unable to find any. The closest I got is the PID filed in the UME_STRINGS table, but users remain listed there even when all their portal roles are revoked afterwards. Any ideas?
    Kind Regards,
    Steven Dijkman

    hi Steven,
         Sorry but you will have to write some code. the following lines of code will work for you.
    IRoleSearchFilter rolefilter = UMFactory.getRoleFactory().getRoleSearchFilter();
              ISearchResult result = UMFactory.getRoleFactory().searchRoles(rolefilter);
              while (result.hasNext()) {
                   String rolestr = (String) result.next();
                   IRole r = UMFactory.getRoleFactory().getRole(rolestr);
                   response.write(r.getDisplayName());
                   response.write("<br>");
                   Iterator users = r.getMembers(true);
                   while (users.hasNext()){
                        String userstr = (String)users.next();
                        IUser user = UMFactory.getUserFactory().getUser(userstr);
                        response.write(user.getDisplayName());

  • ABAP Role Assignments stored in MSAD

    Hi all,
    unfortunately I have only found contradicting information in relation to the possibility to manage ABAP role assignments using a MS Active Directory.
    We plan to implement a WAS (ABAP) 6.40 SP14, synchronise data between the WAS and the corporate MSAD. While WAS (ABAP) is not capable of MSAD based authentication I suspect it is possible to manage the user/role assignments in MSAD. Am I right in my assumptions (see list below) that the following data entities can/cannot be managed and synchronised/stored with the WAS (ABAP) out of the box?
    WAS ABAP
    1. possible - user master data (e.g. userName, address, etc.)
    2. possible - user/role assignments
    3. not possible - user passwords (however, can be bypassed through SSO based on NTLM)
    Portal UME
    1. possible  - user master data
    2. possible - user password
    3. possible - role/group assignments
    4. possible - group/user assignments
    5. possible - user/group assignments
    6. possible - user/role assignments
    Thanks for the help!!
    Cheers Stefan

    Hi,
    Thanks for the suggestion. But ours was a different problem.
    The issue was with a faulty reconciliation job that had been fixed. But it had done its damage before the fix and this caused the inconsistent behavior.
    During the reconciliation job (to update changed and add new backend roles in IDM) various task trigger attributes get disabled and then re-enabled after the import. These disabled triggers did not get re-enabled for the privileges on some systems. And the reconciliation job was also delta enabled, so only new privileges, after the initial load, should have been impacted. But impact to many privileges -- all privileges of some target systems -- misled our investigation. The timing of the reconciliation job executions kind of added to the confusion and inconsistencies during the initial setup. But we finally tracked this down and wrote a custom job to fix the triggers for only the affected privileges. Assignments to all systems started to function successfully as expected.
    Best regards,
    Ashok

  • Participant 'userx' does not have role assignments in process '/ProcessP

    I am using Oracle BPM 10.3 MP2 Enterprise Edition
    Version: 10.3.2
    Build: #100486
    Have a process ProcessP and role RoleR.
    User 'userx' is assigned to role 'RoleR', when he tries logging into the workspace,
    getting exception message in page as below:
    "Participant 'userx' does not have role assignments in process '/ProcessP#Default-1.0'. This error usually takes place when the Process Execution Engine has not re-synchronized with the Directory Service. Try re-logging and executing the task again. If the problem persists, contact your Administrator"
    Tried deleting the user 'userx' from process admin and re-creating the user and gave role 'RoleR' but still the issue persists.
    This is working for other user 'usera', 'userb', 'userc' etc.
    Any suggestions.
    Thanks in Advance.

    Is restart of the engine server on which ProcessP deployed is the only solution since the error messages shows up as 'Process Execution Engine has not re-synchronized with the Directory Service. '

  • Delete Role Assignments directly from an ABAP System

    Hi folks!
    I'm working on a synchronization job and I have a particular challenge, delete Roles assigned to a user in the ABAP System.
    Our use case is this: IDM is regarded as the authoritative source and as such if the user has a privilege in IDM, it should be in the backend.  Easy enough!
    However if the privilege is not in IDM but is in the back-end, it needs to be removed.  Is there a way to do this in IDM? From what I saw in the Framework, we are assuming that the role already exists in IDM.
    I suppose the work around would be to assign and then remove the matching privilege in IDM, but I really don't like that at all, for a number of reasons.
    I looked in the business suite and plain ABAP portions of the framework.  I'll take a more detailed look and also check the RDS, but I get the feeling this will be a toughie.
    Thanks for your help!
    Matt

    Hello Matt,
    so you want to remove local administrated role?
    If the object really is to undo the local administration, I would do this:
    Create a batch job, the passes would be a FromSAP, a ToGeneric and one/two ToSAP
    At first a cleaning pass (the ToGeneric one) which fixes all incorrect assigned privs (re-add directly or remove, depends on what you want/need). The source tab query and destination tab script have to be written though (I guess that is the most time consuming part of the job during implementation)
    The pending privs have to be considered in the provisioning script (I would prefer our own written script over the SAP delivered anytime)
    Copy the Read ABAP pass for users. Remove everything but the logonuid and the role assignments (profile assignments only if needed, too). Maybe use a different table name like sap<repName>userAssignRecon. If the system is very large, this pass has to be optimized filters
    Copy the role provisioning pass from the in-use plugin (SAP or adjusted one) and adjust it like this:
    Source tab query: A query which selects all mskeys of users that have more assigned in the sap table as in the link view. Using the Identity Store so everything of the identity is selected
    Destination tab: Remove the profiles as you haven't mentioned them. If needed I would do the same for profiles as for the roles in a second pass with the profileAssign table.
    Best regards
    Dominik

  • AD LDAP for Authentication but ABAP or IDM for Role Assignments

    Hi Portal Gurus,
    Is it possible to configure the UME in such as way so that it connects to the AD for authentication purposes but uses the CUA or SAP Identity Manager for role assignments?
    Thanks,
    Vibhu

    Hi,
    Thanks for the suggestion. But ours was a different problem.
    The issue was with a faulty reconciliation job that had been fixed. But it had done its damage before the fix and this caused the inconsistent behavior.
    During the reconciliation job (to update changed and add new backend roles in IDM) various task trigger attributes get disabled and then re-enabled after the import. These disabled triggers did not get re-enabled for the privileges on some systems. And the reconciliation job was also delta enabled, so only new privileges, after the initial load, should have been impacted. But impact to many privileges -- all privileges of some target systems -- misled our investigation. The timing of the reconciliation job executions kind of added to the confusion and inconsistencies during the initial setup. But we finally tracked this down and wrote a custom job to fix the triggers for only the affected privileges. Assignments to all systems started to function successfully as expected.
    Best regards,
    Ashok

  • Provisioning of roles to ABAP system deletes role assignments in backend

    Hi all,
    following scenario:
    user has role A in an ABAP system which is connected to IDM. Assignment of role A to the user is not in the identity store.
    Now you assign role B via workflow to the user and IDM provisions this new assignment to the ABAP system.
    What will happen is that the user will get role B but assignment of role A will be deleted.
    This happens because in the job "SetABAPRole&ProfileForUser" the connector attribute "roles" will only consist the role assignments which are in the identity store. All assignments in the ABAP system which are not yet in the IDS will be overwritten.
    This behaviour can be very critical. If you still allow role assignments directly in the backend system and you read these assignments e.g. once a day to the IDS - but in the meantime assignments have been done via workflow - you will lose data.
    My customer wants to assign roles both directly in the system and also by workflow. Every night an ABAP update job runs which writes new assignments to the IDS.
    Do you have any idea how I could solve this? Is there a way NOT to overwrite assignments with the ABAP connector field "roles"? I tried to use multivalue operator but this didn't do the trick.
    I hope I was able to describe my problem properly and you have answers...
    Best regards
    Jörn Kaplan

    No, there is not a way to avoid that IdM replaces the role assignment in ABAP with the current assignments as know by IdM. IdM is the master!
    This is not directly an issue of IdM: The standard BAPIs in ABAP (up to release 7.0) offer "replace all role assignments" but not "add role assignment" or "remove role role assignment".
    However, there exist an exception: Role assignments in ABAP which are created indirectly by an HR-ORG assignment are not touched by IdM. (There role assignment are viewed in blue in transaction SU01.)
    See  http://help.sap.com/saphelp_nw70/helpdata/EN/50/e9683c5de8676fe10000000a114084/frameset.htm for details.
    Kind regards
    Frank Buchholz

  • Role assignments not set in ABAP but IdM indicates OK status

    Hi,
    We went live with IDM 7.2 SP8 last month. We have started to see issues with Business Role assignments in target systems. Generally, BR assignments are parsed to respective privileges and assigned correctly. Sometimes privileges in one target will get assigned but not in another target. Occassionally assigning privileges to one target does not get through either. In all cases the IdM assignment is marked as 'OK', but when we check the backend the assignment is not there. Log entries don't show any jobs triggered for the target that failed to update (and consequently there is no log entries in that target either). But why would IdM mark the specific privilege as 'OK' status -- it should either remain 'Pending' or 'Failed' but certainly not 'OK'.
    This effect is inconsistent -- it works correctly at times and fails at others -- increasingly more failures. There is nothing different about the users or environment. We see this in ECC, BW, GTS, etc. We have 36 prd and non-prd systems linked systems. Initially we thought this only affected prd systems as BR's only have prd privileges and the PRD targets are load-balanced. For non-prd systems the assignments are direct privileges, not BRs, and they are not load-balaced. We are now seeing this in behavior in all environments for BR's or direct privilege assignments, in prd and non-prd targets.
    Since BR's have appovers we cannot remove BR's and re-assign in production. So for non-prd targets we have removed the privileges, those that indicated 'OK' but did not get set in the target, and reapplied -- the privileges get deleted successfully without any corresponding job being triggered and then when we re-add it the assignment goes into 'OK' status without any job being triggered.
    When we tried assigning another user the same privileges it went through fine to the target and IDM marked 'OK' -- exactly as it is supposed to work (non-prod privileges have no approvals).
    We are not able to re-produce this in our DEV environment -- the targets are non-load balanced. The assignments work consistently, both BR's and privileges.
    Has anyone seen such behavior by IdM?
    Thanks for your thoughts.
    Ashok

    Hi,
    Thanks for the suggestion. But ours was a different problem.
    The issue was with a faulty reconciliation job that had been fixed. But it had done its damage before the fix and this caused the inconsistent behavior.
    During the reconciliation job (to update changed and add new backend roles in IDM) various task trigger attributes get disabled and then re-enabled after the import. These disabled triggers did not get re-enabled for the privileges on some systems. And the reconciliation job was also delta enabled, so only new privileges, after the initial load, should have been impacted. But impact to many privileges -- all privileges of some target systems -- misled our investigation. The timing of the reconciliation job executions kind of added to the confusion and inconsistencies during the initial setup. But we finally tracked this down and wrote a custom job to fix the triggers for only the affected privileges. Assignments to all systems started to function successfully as expected.
    Best regards,
    Ashok

  • Finding out role assignments with CUA per system

    Hello experts,
    For user administration we use the CUA.
    can anybody tell me were the role assignemts per user and per system are saved in the central system.
    I have to find out which roles are assigned to an user in which system for reporting reasons and I cannot find this information in database tables.
    Table AGR_USERS doesn't help me because it contains only the role assignments of the local system.
    Thanks in advance
    Johannes

    Hi,
    you can get this information in the transaction SUIM in your CUA system. Simply start this transaction an go to User -> Cross-System Information -> Users by Roles. Than you can make selections of usernames und roles in recieving systems.
    The table, which has this information is USLA04.
    Kind regards
    Andrei
    Message was edited by:
            Andrei Borissov
    null

  • What roles assignments for Rights Management?

    System: Adobe LiveCycle Server ES3 system.
    Question and Issue: I need to create a user that is able to manage the settings via the web administrator (adminui) for:
    1. Policies
    2. Documents
    3. Events
    4. Watermarks
    However this user must not have the abiltiy to change the server configuration, key management, etc that is most of the stuff in the "LiveCycle Rights Management->Configuration" page except for "Watermarks".
    I had assigned this user the following Role Assignments:
    1. Rights Management Policy Set Administrator
    2. Rights Management Invite User
    3. Rights Management End User
    4. Rights Management Manage Invited and Local Users
    The above lists works for most part except this user is unable to configure/manage the Watermarks.  The ability to configure/manage Watermarks is critical in our scenario.
    I found that by assigning this user the "Rights Management Super Administrator" role, it would allow this user the "Watermark" capability; however it also allows the user other capabilities that we do not want the user to manage/configure.  I believe the "Rights Manage Configuration" permission gives this role the ability to configure all aspects of the Rights Management. 
    So is there a permission that just allows the user the ability to configure just the "Watermark"?  Is this configuration even possible?
    Regards,
    TS

    Watermark is in the Configuration part of RM UI so as per current implementation there is no such role defined by which an user can configure the Watermark only.
    It is designed as such because only an administrator can change such configuration and create or modify Watermark.

  • Exporting groups including role assignments

    Hello experts,
    we are using EP 7.0 and CRM 5.0.....
    I facing the following problem in the portal regarding the export / import of groups:
    1) I go to USER ADMINISTRATION > IDENTITY MANAGEMENT
    2) I search for GROUPs by typing in "Z_*" in order to find all our relevant groups.
    3) I get the search result list of our groups and I press SELECT ALL
    4) Now I press export and a little window appears .... just like the process of exporting of groups is described in the SAP Netweaver library.... I can ex-/import the group and the user-assignments...
    But what we would like to do is export and later on import the groups inluding the role-assignments belonging to the group.
    Perequisite: The roles and groups already exist in both the target system and in the source system. Only the content of the groups is different.  So we actually want to make a refresh of the groups from one to the another System so that the groups will have the same content in both systems again...
    How can I download the groups including the role assignment data so that the assignment information is exported (and later on imported) as well and not lost during the export? This would save us a lot of work and be a lot easier instead of having to adapt the roles contained in the groups manually...
    Thanks for your help in advance!
    Kind regards,
    Hauke

    Hi,
    Think of the Group structure in the Object Oriented way. Employee is the parent of Group1/2/3. Group1/2/3 inherit the properties of Employee, but Employee does not inherit anything from its children.
    Users assigned to the Group Employee have only the properties that Employee has. If Employee does not have the role that Group1/2/3 have, the users assigned to Employee will never get the role assigned to Group1/2/3.
    Correct me if i am wrong if someone has a better idea.
    Teecheu Loh

  • Transport/Export/Import Role Assignments

    Hi all,
    it´s possible to transport, export or import role assignments from one portal to another?
    we implement a testsystem for our customer and want to copy all role assignments from all users from productive to testsystem.
    best regards
    Christian

    Here´s the guide to transport permissions
    http://help.sap.com/saphelp_nw04/helpdata/en/a9/76bd3b57743b09e10000000a11402f/frameset.htm

  • Missing user role assignments

    Hello Gurus,
    We have a strange issue in our ECC production environment. The role assignments for a few users are missing. The roles were assigned to these users almost a year back. The change documents do not show any record of the role assignment being deleted.
    In SU01 in display mode the profiles for the roles are still assigned to the user, but when one tries to edit the user master data the profiles also get deleted from user and the change is shown against the name of the admin who has tried to edit the user master.
    This problem is seen to happen randomly for various roles and various users.
    What could be causing such an issue?
    Thanks in advance for your replies.
    Regards,
    Subbu

    Hi Subra,
    Prgn_compress_time removes the expired roles .Also check USH* tables like USH02, USH04 ...for Change history.
    The role assignments for a few users are missing. The roles were assigned to these users almost a year back.
    Did you transport the roles to the production properly after making changes. (if any).
    re-transport the roles once again.
    Thanks,
    Sri

Maybe you are looking for

  • Sql query to identify all the responsibilities attached to a form

    (oracle - apps) Can anyone help me by giving a sql query to identify all the responsibilities attached to a form and corresponding menu should not be in the menu exclusion. Thanks in advance Venki

  • Migration object for Aggregated Invoice

    Hi Experts, Just wanted to know if there is any object to migrate Aggregated Invoice in deregulated market scenario in a distributor's system which updates field DFKKTHI-BCBLN. We are able to migrate the open individual invoices of final customers as

  • Problem with Dataguarg   ORA-01102: cannot mount database in EXCLUSIVE mode

    Hi, I'm trying to create a physical standby database on my Oracle9i DB runing on WinXP. Note: I have both Primary and Standby on the same system. Actually everything went well .... I did created the standby DB but the problem is I can not start my pr

  • Online support for text field triggers

    hi everyone..... is there an online documentation for the various kinds of triggers that exist for a text field/checkbox/etc.. ? If so, where can you find it? thanks

  • How to Run Export and Make Dump and Log File with Dates on NT

    Hi Gurus, set ORACLE_SID=ORCL set ORACLE_HOME=D:\ORACLE\ora92 for /f "tokens=2,3,4 delims=/ " %%a in ('date /t') do set fdate=%%a%%b%%c exp userid=userid/password@connectstring file=exp%fdate%.dmp log=exp%fdate%.log full=y I am using above script for