OIA : Assign Role Owner

Similar Messages

• Assigning role owner

  Hi,
  How can I assign role owner to business roles, I have created couple of business roles.

  Thanks Trui, It got fixed.
  I need your help on one more issue, regarding the password self service.
  I have configurred the taks for resetting the password, I am also able to provide the answers to the verification questions from the task.
  However, when I select the URL https://server:port/IDM/Pwdreset, I am directed to the login page of IDM, instead of password reset page.
  I have the anonymous role assigned to my ID and have the attribute as anonymous.
  Please help me if there is any connfiguration required for URL.
  I have configured the password reset tab with the steps and tasks ID's.

• GRC AC 10 SP13 - workflow not routing to multiple role owners

  hello
  We are experiencing issues in our production MSMP workflow where an access request with multiple business roles are not being routed to role owners after manager approval. The request contains four business roles. Three business roles have three different role owners. The fourth business role does not have a role owner assigned. After the manager approves the request, the business role without a role owner does not provision. The other three business roles do not route to their respective role owners. We have tested the same scenario in our development environment and it routes properly. I have validated our MSMP workflow settings in production and validated it was activated. I have also checked the instance monitor via GRFNMW_DBGMONITOR_WD and it does not give an indication why the request isn't routing.
  Any ideas why we are seeing this? Below is a screen shot of the audit log.

  Hi Stacey
  If DEV is working and PRD is not have you gone through and compared both and ensure latest MSMP configuration in PRD has been activated?
  Also, is the approver COCHGG00 also the Role Owner?
  Are you able to show you MSMP configuration? It's makes sense to analyse the log in the context of your configuration. E.g. does the Z_ADDTNL_ACCESS_PATH path have two stages: Manager and Role Owner of which there is a routing rule on the Manager approval to go to the NO_ROLE_OWNER path where the business role has no role owner?
  Regards
  Colleen

• Submit Button is disable for role owner

  Hi All,
  i have implement GRC BRM with workflow. but problem is then, when any role owner want to approve any role from inbox, submit button is disable. i have assigned all necessary role to the approval.
  Thanks,
  Arif

  Hi Arif,
  Can you check the task settings of the role owner stage if approve/reject checkboxes are checked?
  Thanks
  Sammukh

• Assigning roles to LDAP users through BIP API

  Hi.
  My customer has BIP 11g and OIM 9.1.0.2 running on the same weblogic server (11g). Both authenticate against the same LDAP server.
  One of our desired next steps is to provision from OIM the BIP roles to each LDAP user so every user gets the correct roles (and access to the correct reports) according to the groups he has on OIM.
  I've been searching for info regarding this without success. The BIP API doc does not show any info about assigning roles to users.
  We don't need to manage LDAP users, BIP roles, etc... through OIM. We only need to assign BIP roles to LDAP users.
  Is it possible to make that assignments through BIP API?
  If not, any other ideas? New ideas or different approaches are welcome.
  Thanks in advance.

  In OBIEE 11g which includes BIP the application roles are applied to LDAP users and groups using the Enterprise Manager Fusion Control.
  During the upgrade process from OBIEE 10g to OBIEE 11g the groups do get assigned to these roles transparently so there must be some API to leverage this functionality.
  I would start there, http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10541/admin_api.htm
  There are no specific instructions on accomplishing what you seek but if you have some WLST or Java Skills you should be able to get something prototyped.
  Let me know if that helps.

• Error in assigning role to multiple task

  Hi,
  We are using BAPI BAPI_BUS2175_ROLE_ASSIGN_ADD to assign role to task. It is working fine if we are assigning different role to different tasks. But if we assign the same role to different tasks in a project, it is giving dump while saving the data.
  We are using following sequence in the code:
  1. BAPI_BUS2172_LOAD to load the project
  2. BAPI_BUS2175_ROLE_ASSIGN_ADD to assign role to task
  3. BAPI_CPROJECTS_COMMIT_WORK to save the changes.
  So when BAPI_CPROJECTS_COMMIT_WORK is executing, it is giving dump as follows.
    The exception 'CX_DPR_FATAL_ERROR' was raised, but it was not caught anywhere
    along
  the call hierarchy.
  Since exceptions represent error situations and this error was not
  adequately responded to, the running ABAP program
    'CL_DPR_AUTHORIZATION_SERVICES=CP' has to be
  terminated.
  Could you please let me know what may be the reason for getting dump.
  Regards,
  Anil Salekar

  I can tell you the table where the the role assignments get stored . It is
  DPR_ENTITY_LINK.

• Assigning roles to users programmatically

  Hi,
  I want to programmatically create roles, assign roles to users etc.
  I saw at this thread
  ADF Security Policy Store
  the folowing scriptlet by Frank Nimphius
  try {
  IdentityStore idstore = JpsCommonUtil.getValidIdStore("idstore.xml.provider").getIdmStore();
  try {
  UserManager userManager = idstore.getUserManager();
  RoleManager roleManager = idstore.getRoleManager();
  Role adminRole = idstore.searchRole(Role.SCOPE_APPLICATION,"admin");
  // create user
  //TODO check for empty username and password
  User newUser = userManager.createUser(this.username,this.password.toCharArray());
  roleManager.grantRole(adminRole,newUser.getPrincipal());
  } catch (IMException e) {
  // TODO
  } catch (JpsException e) {
  // TODO
  return null;
  this is a TP3 scriptlet, is it still working on the 11g production?
  I try it and i get a JpsException
  oracle.security.jps.JpsException
       at oracle.security.jps.internal.common.util.JpsCommonUtil.getValidIdStore(JpsCommonUtil.java:1004)
  do I have to replace "idstore.xml.provider" with something else depending on my configuration?
  thanks
  Tilemahos

  Hi Frank thanks for the answer,
  I check this functionality at WLS embeded LDAP and I shaw your "How-to configure OID for authentication in WebLogic Server" post.
  I manage to add users and assign them roles that i created at my application.
  But what if I want to have a super user that can create new roles and assign them member roles?
  eg.
  Developer created roles (policy store):
  accessPage1 ( granted all the necesery principals to access page1 )
  accessPage2 ( granted all the necesery principals to access page2 )
  Super user created roles
  Role1 member roles :accessPage1,accessPage2
  If i want my application to have that functionallity i must create roles programmatically wont I?
  If there another way?
  By the way I followed the advices at the following useful links
  Chris Muir: http://one-size-doesnt-fit-all.blogspot.com/2008/12/configuring-wls-with-ms-active.html
  Frank Nimphius's How-to configure OID for authentication in WebLogic Server
  Edwin Biemond's Using OpenLDAP as security provider in WebLogic
  Andrejus Baranovskis: Practical ADF Security Deployment on WebLogic Server
  And I manage to add users of the Microsoft LDAP at the WLS
  but I could't mekae them group members of my application groups (roles)
  is this possible?
  Thanks

• SECATT for assigning roles to users

  Hi All,
  How do we make the ECATT to work for the below scenario:
  Users already have roles assigned to them. We need to add a new roles to the users which can vary in number based on the users job.
  A simple ECATT script that was developed to add a single role to a new user does not work in the above case and gives an error of invalid batch input. How do I create a ECATT to assign role to user who already has a set of roles assigned (number of roles assigned to users differ, so I cannot assume to train the ECATT to assign a role on line X). Is there something I am missing while the ECATT script creation?
  We are doing this from a CUA and its very difficult to assume how many roles a user could have.
  Thanks,
  Jay

  Thanks Alex for the insight. For some reason SU10 is slow in the CUA environment and I wanted to avoid it but yes I finally had to use SU10. Talking to one of our ABAPer I came to know that even in their BDC recordings they get the error which I receeived, but he changes his program to skip all the lines with data and then fill the empty line.
  In CUA environment, how do we create ECATT to delete a role from many users?
  Thanks,
  Jay

• What is  the purpose of assign roles to portal please describe

  what is  the purpose of assign roles to portal please describe

  Hi,
  You assign Roles to Users and not to portals.
  Check this to know about Role:
  http://help.sap.com/saphelp_nw70/helpdata/EN/45/c0d8e962336000e10000000a1553f6/frameset.htm
  So a role has contents that a user can see and also privilages that the user can have (UME Actions).
  http://help.sap.com/saphelp_nw70/helpdata/EN/fb/33f520d15f8f4092a60381365620b2/frameset.htm
  When a user is assigned certain roles which have contents and also UME Actions, this user sees them when he logs on onto the portal and also has this set of  privilages.
  Regards,
  Praveen Gudapati

• How can I change the order of list item properties in the alert email sent to the assigned-to owner?

  Using SharePoint 2010 Foundation.
  I have an Issue list configured to send an email to the assigned-to owner (List Settings | Advanced settings | E-Mail Notification = Enabled). I have since added columns to the Issue list. All of the data from my columns appear in the email alert but the
  newest additions show up at the bottom of the list in the alert email instead of in the column order I have defined (List Settings | Issue Content Type | Column Order). However, if I click the "Mobile View" in the alert email I received, the Mobile
  View does have the items listed in the column order.
  Why are these different and how do I get the email alert to match my column order?

  Actually the view which you recieve requires the column ordering to be the way you prefer. So whatever is your default view, change the column orders and then check the email alerts.
  Alpesh Nakar's Blog
  Alpesh
  Just SharePoint Just SharePoint Updates
  SharePoint Saturday India Online
  Nov 20 2010 Contributing Author
  SharePoint 2010 Unleashed
  MCTS: SharePoint 2010 Configuration
  MCITP: SharePoint 2010 Administrator

• Assigning role to role doesn't work when applying Database security model

  I applied Oracle Database security model for BI Publisher.
  then I create some roles and users and assigned roles to users in Oracle Database.
  i also assigned appropriate folders to each role in BI Publisher.
  the users with direct roles worked successfully but i got problem when i assigned roles to a super role, and assigned this role to a super user.
  the super user could only access guest folder.
  Please help me.
  thanks.
  Daniel
  Edited by: user13344498 on Jul 5, 2010 11:13 PM

  Add a Role to a Role:
  1. From the Security Center, select Roles and Permissions; this will invoke the
  Security Center page. Here you can see the list of existing roles and permissions.
  2. Select the Add Roles icon for the Role.
  3. Select the desired role from the Available Roles list and use the Move shuttle
  button to move it to the Included Roles.
  this is from "Oracle® Business Intelligence Publisher User's Guide Release 10.1.3.2 Part No. B40017-01" book, but the security model is BI Publisher Security.

• One CUP request for assigning role to multiple users

  Hi,
  We assign roles to users in production only through CUP requests.. We use GRC 5.3
  Here we have a case where we need to assign one role to  60 users in production(each user may have different  roles assigned in the back end) . I can raise one CUP request for all users using " multi-user" option in Copy request . But when we want to make a risk analysis , it will not show risks at user level as each user had different roles and may get different risks by adding new role.
  Instead it will give risks if any for only that new role which want to assign. Our manager is not accepting as this is not giving complete picture of risks for each user when we add new role.
  Please suggest me if there is any other way where I can make a risk analysis for each user when I created a CUP request for multiple users.
  Or the only solution is to create 60 CUP requests ?? this would be too manual
  Regards ,
  jaags

  Raghu,
  thanks for the reply, you are right as per the audit .But suppose if it is for 200 users ,creating 200 CUP requests will be impractical right.
  there should be some solution for this , because there will be many situations practically where we have to assign roles to N number of users.
  Is this possible in GRC 10 ? any idea ?
  Regards,
  Jaags

• GRC 10 - Business role, no role owner but associated role have owner....

  Dear All,
  In GRC 5.3 we perform the following mapping:
  Business Role A mapped with (no owner)
  - Technical Role 1 (from ECC with Owner1)
  - Technical Role 2 (from CRM with Owner2)
  - Technical Role 3 (from HR with Ownwer3)
  IN GRC 5.3 we have a business role mapped with multiple child role(techinical role) from other system.
  GRC 5.3 request is able to close and provisioned as it can see owners from child role.
  Now in GRC 10, we did the same. Create a business role, then mapped the child role (technical role). Unfortunately, when manager approves the workflow reroute to "NO OWNER DETOUR PATH" because it cannot see the technical role owner.
  Seems like GRC 10 is only looking at business role owner. We are unable to add Owner1, Owner2, Owner3 to the business role because when one of the owner approves, it will provision all the technical roles. We might have owners who will reject their role.
  Please advice.
  Jacky

  Hi Mustafa,
  you can use end user personalization to avoid a role owner to approve roles for himself. Define a dedicated EUP for role owner stage and restrict via "Approve/Reject Own Requests" like shown below:
  Does this answer your question?
  Regards,
  Alessandro

• Need to assign Role into step type mail in recipent type

  Hi Experts,
    I need to assign role to  for step type send mail recipent type . but in drop down there is not any role option to assign . to achive this i created organization  then position and assing job to that position then assigne to role under that job . after all in recipent type i assigned  with job . but when i execute workflow i am getting error . even i dirctally assign role to position and then assigne that position to recipent type. when executing my workflow i am getting error .
  but if a assigne user to position or job my workflow working properlay.  is there any proble to assing Role to Job or position.
  please let me know is there any  extra thing i need to take care when i assign  Role to position or Job .
  point will rewarded for right answer.

  Hello,
  Get the users assigned to the role into a container element in the previous step of 'SendMail' step and use the same as the recipient of the Sendmail step.
  This would be a better and easy option as Arghadip said.
  Hope this will help.
  Regards,
  Samson

• ARQ: Manager/Role Owner can modify request details even after submitting the request???

  Hi All,
  I have noticed that after Submitting (Approving) a request, manager or role owner can still modify the user details (field are editable) like role validity date etc in a request. This is quite weird!
  Although, after submitting a request by a requester, all field are disabled.
  Has any one encountered with this problem? How can I control this?
  Please advise.
  Regards,
  Faisal

  Alessandro,
  Thanks for your reply.
  Yes, I got it and that is why I got confused.
  This EUP I have defined and the desired fields are visible and editable and seems to be working fine.
  However, the problem is, even after submitting a request, manager and role owner is able to edit the values in the fields which is incorrect!
  Actually, once a request is submitted, I believe request should be only display mode!
  You know what, this is working absolutely fine with requester. Meaning, once a requester submits a request, then all fields are disabled and values in them can not be modified any more.
  But I am not sure why this is not happening with managers/role owners.
  Please advise.
  Regards,
  Faisal