OIM 11.1.1.5 BP2 Roles removed from users automatically
Hi All,
We are using OIM 11.1.1.5 BP02 and facing issues with event handlers, role membership and access policy. We have a custom post create user handler and a custom user post update event handler. We are creating users through trusted reconciliation by using the EBS Employee Recon connector and provisioning users to AD & Exchange by using the 11.1.1.5 ICF connectors.
The issue we are seeing is with the roles of the users. The behavior is that on user creates through trusted recon, the users get the roles correctly and then the resources are assigned correctly, but after some time the roles are removed from the user. We do not have 'Revoke if no longer applies' on the access policy and thus the resources are appearing fine for the user, but we do not want roles to be removed from the user since the role membership rule criteria still hold good for the user.
We are seeing this issue only with trusted reconciliation and not when we create users through the UI. Our custom event handlers have the same logic for both execute methods, with the difference that the bulk execute method is working on the array of identities received from trusted recon while the normal execute method is working on just one identity through the UI.
We are doing complex computation in the event handlers (and setting multiple fields of the user) and are forced to use the UserManager API to set the fields in the create user handler (following article 1469286.1); we believe this is affecting the ordering of the custom event handler and the OOTB Role ChangeCalculator event handler.
We have already checked the bugs (14075985 & 14221435) and wanted to confirm if we are hitting the same and/or how we can debug this further. We have already checked the UPA_USR table but that does not tell us why the role is revoked from the user.
Anyone faced similar issue?
Thanks,
Bikash
The patch we were given was 14226386, also called 11.1.1.5.2AK. The readme has the following overview:
This patch addresses the concurrency issues encountered in 11g R1 PS1 as described below.
1. Unlike in OIM 11g R1 PS1, when a user's role membership changes, policy evaluation doesn't kick off immediately. Instead the user is flagged for policy evaluation in the future. The 'Evaluate User Policies' scheduled task then triggers policy evaluation for such users. The scheduled task ensures that there is only one policy evaluation for a user at any given time, so duplicate accounts or entitlements wouldn't be provisioned to a user. With this fix, access policy based provisioning events will be triggered only when the 'Evaluate User Policies' scheduled task runs. Hence, the frequency of this scheduled task needs to be tuned for the customer's deployment. The recommendation is to set it to 10 minutes. In addition to binary changes, this fix involves data model and metadata changes as described below.
2. In a custom event handler, use Platform.getServiceForEventHandler() instead of Platform.getService() to get a handle to a Service available in OIM before making an API call. This ensures that the API completes in its entirety (including any post processing) when it returns. Also, this brings in predictability in the order of execution of OIM events on the same entity created from one another.
3. When trusted source reconciliation brings in multiple events on the same user, these events are processed by OIM sequentially.
But since then BP03 and BP04 have been released, so I would suggest you find out from support whether BP04 has resolved this before applying anything.
-Kevin
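The second point of that readme (get the service with Platform.getServiceForEventHandler() inside a handler, and keep the single and bulk execute paths on one code path) is easier to see in a skeleton than in prose. The following is an added example written for this page, not code from Bikash's handler, from Oracle, or from the patch. The attribute names ("First Name", "Last Name", "Display Name") and the derivation itself are hypothetical stand-ins for the "complex computation" in the original post; substitute your own user profile attributes. It compiles against the OIM 11g R1 platform and usermgmt API jars and is registered through the usual EventHandlers.xml plugin metadata, which is not shown here.

```java
import java.io.Serializable;
import java.util.HashMap;

import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.platform.Platform;
import oracle.iam.platform.kernel.spi.PostProcessHandler;
import oracle.iam.platform.kernel.vo.AbstractGenericOrchestration;
import oracle.iam.platform.kernel.vo.BulkEventResult;
import oracle.iam.platform.kernel.vo.BulkOrchestration;
import oracle.iam.platform.kernel.vo.EventResult;
import oracle.iam.platform.kernel.vo.Orchestration;

/**
 * Post-process handler on the CREATE user operation (hypothetical example).
 * It derives one attribute from two others and writes it back through the
 * UserManager API. The service is obtained with getServiceForEventHandler()
 * so the nested modify runs to completion, including its own post-processing
 * (role membership evaluation among it), before this handler returns.
 */
public class DerivedAttributePostProcessHandler implements PostProcessHandler {

    // Hypothetical attribute names; replace with the ones defined in your user profile.
    private static final String FIRST_NAME  = "First Name";
    private static final String LAST_NAME   = "Last Name";
    private static final String TARGET_ATTR = "Display Name";

    /** Single-entity path: a create driven from the UI. */
    @Override
    public EventResult execute(long processId, long eventId, Orchestration orchestration) {
        HashMap<String, Serializable> params = orchestration.getParameters();
        String userKey = orchestration.getTarget().getEntityId();
        applyDerivedValue(userKey, params);
        return new EventResult();
    }

    /** Bulk path: trusted reconciliation hands over many identities in one orchestration. */
    @Override
    public BulkEventResult execute(long processId, long eventId, BulkOrchestration bulkOrchestration) {
        HashMap<String, Serializable>[] bulkParams = bulkOrchestration.getBulkParameters();
        String[] userKeys = bulkOrchestration.getTarget().getAllEntityId();
        // Identical per-identity logic to the single path, so the two paths cannot diverge.
        for (int i = 0; i < userKeys.length; i++) {
            applyDerivedValue(userKeys[i], bulkParams[i]);
        }
        return new BulkEventResult();
    }

    private void applyDerivedValue(String userKey, HashMap<String, Serializable> params) {
        String derived = derive(asString(params.get(FIRST_NAME)), asString(params.get(LAST_NAME)));
        if (derived.isEmpty()) {
            return; // nothing to write; skip an empty modify that would still fire downstream events
        }
        // The readme's point: getServiceForEventHandler(), not getService(), inside an event handler.
        UserManager userManager = Platform.getServiceForEventHandler(UserManager.class);
        try {
            userManager.modify(TARGET_ATTR, derived, new User(userKey));
        } catch (Exception e) {
            throw new RuntimeException("Failed to set " + TARGET_ATTR + " for user key " + userKey, e);
        }
    }

    /** Pure derivation, kept apart from the API call so it can be unit-tested without a server. */
    static String derive(String first, String last) {
        String f = first == null ? "" : first.trim();
        String l = last == null ? "" : last.trim();
        if (f.isEmpty()) return l;
        if (l.isEmpty()) return f;
        return l + ", " + f;
    }

    private static String asString(Serializable value) {
        return value == null ? null : value.toString();
    }

    @Override public void compensate(long processId, long eventId, AbstractGenericOrchestration orchestration) { }
    @Override public boolean cancel(long processId, long eventId, AbstractGenericOrchestration orchestration) { return false; }
    @Override public void initialize(HashMap<String, String> parameters) { }
}
```

Two practical checks go with this. First, exercise the bulk path deliberately: run a trusted recon batch with several users in one job and confirm, via the role membership of each user a few scheduled-task cycles later, that the result matches a single UI-created user, since the original report differs only between those two paths. Second, once the patch is applied, access policy evaluation no longer happens inline; if 'Evaluate User Policies' is not scheduled, provisioning simply stops, so the task's frequency is part of the handler's test plan rather than an afterthought.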
Similar Messages
-
Workitem is not removed from User Inbox
Hi,
There is a requirement that when a PR is created by a user, it first has to go to his department head and then to the Manager, AGM, GM, etc. There are different departments.
I'm maintaining the organizational structure and giving positions in the Release Strategy. Now how can I know who has created it and to whom it has to go first? Shall I create a different release strategy for that, or is there any other way?
And I tried to create a custom workflow using two release steps instead of one, giving a rule in my first release step and using the strategy in the second release step. When I create the PR and release it, it is not removed from the User Inbox.
Does anyone know what could be the problem??
Hi,
From your requirement, it's not a good idea to have all department heads assigned to a single position.
But you can have different positions for different departments, and the association between department and the corresponding position number can be maintained in a Z table. Then have a custom rule based on a function module which makes a call to this Z table and finds the corresponding position given the department of the user; get this position out and use it as the agent assignment in the step. However, to use the above you first should be able to find the department to which a given user belongs.
The position that you are talking about in your question, is it a position with relevance to the HR structure or just one you have created for workflow purposes? In general it's a good idea to have a somewhat stronger dependency on the HR structure rather than going for workflow-specific positions. If your position is an HR position then, with a bit of re-engineering of the HR organization structure with respect to your departments, a good design of the org structure can also get rid of any new custom table to maintain the relation between department and corresponding position.
Good Luck !!
Regards
Krishna Mohan
Oops!! Many replies came in while I was drafting this mail; I guess a rule using a custom table has already been tried!!
Edited by: Dubbaka Krishna Mohan on Jan 29, 2008 9:20 AM -
Role removal from Multiple users
Hi All
I have a query related to removal of roles from user profile.
I want to delete a particular role from a set of users (say more than 600 users)
Is it possible with SU10 to remove the role from the users at a stretch, or is the right way to remove it from the User tab in PFCG and get the user master records adjusted?
Please suggest.
Hi,
Preferably, you should use PFCG for your need...
It will be the easiest way to perform this task...
After that don't forget to do "user comparison"...
Regards.
Rajesh Narkhede -
Hi Guys
How do we remove the role Y.R3.IS-XX.xxxxxx from all test users (T-) and assign the role Y.R3.IS-XX.RPT_FI_XXXX to all test users (T-) in Q
Any input on this is highly appreciated
Thanks
SV
Hi,
I am just sending you a sample of how to delete a role using SCAT. You can modify it to delete a user from a role.
Use T-Code SCAT.
You will be prompted with initial screen
Test case enter some name ex: Z_MASS_ROLE_DELETION
Click on Create (Blank page icon)
In the initial screen, on the left corner, there is a TCD button; click on this to record a transaction.
Enter the T-code PFCG
Click on -> arrow button to continue
In the next screen you will be displayed with PFCG screen
Enter the role Name which you want to delete
Click on the Delete button (Bin icon)
You will be prompted with message box with yes or no and cancel
Click on Yes
You will be prompted with information acknowledge it by click on continue
Now the role is deleted.
Click on Back button (F3)
You will be prompted with the initial screen where you have to enter the T-code in the pop-up box (PFCG)
Click on RED small button to stop of recording the transaction
You will be prompted with next screen for Title.
Enter the Title ex: Mass Role Deletion
Click on SAVE button
Save as local object (click local object button)
Go Back by click F3 (Back arrow button on the menu)
Pop up box with save option appears save
Click on YES
You are ready with recording of T-Code PFCG
To create a variable click on the edit (Pencil icon)
In the next screen you will be prompted with
C Funct. Object Text
TCD PFCG Role Maintenance
Double click on TCD column
In the next screen you will have the following information
Test case Z_MASS_ROLE_DELETION PFCG Role Maintenance
Transaction PFCG Role Maintenance
Permitted msg.
Processing Mode
In the above screen click on the FIELD LIST button which is on the top left menu bar.
In the next screen you will find the list of values; check for the variable part (i.e. the role name we entered at the time of recording, TEST123)
Role AGR_NAME_NEU 030 TEST123
Replace TEST123 with & (this is done so the variable can be replaced in future with new values)
Go back (F3) twice into initial screen and save
In the initial screen SCAT first screen
Go to the menu
GOTO -> Variant -> Export
Export will create a Text file (Z_MASS_ROLE_DELETION.TXT) save it on your desktop for easy editing
Open with EXCEL above text file (Z_MASS_ROLE_DELETION.TXT)
You will find below values
[Variant ID] [Variant Text] &AGR_NAME_NEU
--> Parameter texts Parameter contents
--> Default Values TEST123
Changes to the default values displayed above not effective
Place the list of roles which you have decided to delete under the column TEST123
Just save the file; for any message just click on the Yes button.
Come back to the SCAT initial screen and click on execute (F8), the clock icon on the right corner of the menu tab.
In the next screen you will have option to choose
Log Type Processing Mode Variants
Long Errors External From file Choose
Choose the file (Z_MASS_ROLE_DELETION.TXT) which was edited with new values
Then Execute all the roles which are in file will be deleted.
I hope this helps
Try this with test roles first then on the Actual roles
If you have any problems let me know
Cheers
Soma -
Exchange server 2010 Hub-Cas server role remove from organization
Dear all,
I am going to remove one of my Hub/CAS servers (both roles installed on the same server) from my organization.
The CAS server is configured into a CAS array. So could anyone please guide me to remove it safely?
Parthiban selvaraj
Hi,
From your description, I would like to clarify the following thing:
If you use NLB, you need to remove the CAS server from your NLB cluster and then remove this CAS/Hub server. If you use another sort of load balancer, you need to use it to remove the server from the CAS array and then remove the server.
Hope it helps.
Best regards,
Amy Wang
TechNet Community Support -
OIM 11g-How to restrict the role administrator from seeing "other" roles
Dear All,
How do I restrict an administrator from seeing roles he is not supposed to administer?
My administrator is supposed to assign only Role A. When he logs in he can see every single role. How do I correct it so that he can see only Role A?
Thank you for your time
Maria
Modify "All User Role Management Policy"
-
OIM 11G-prepop adapters not able to read from User form
When I try to auto provision an LDAP account for users after creation of the OIM record using GTC, the LDAP provisioning doesn't happen. Basically the prepop adapters are not able to read from the Xel user form. I have been stuck with this issue for a while now.
I tried remapping, etc. Nothing helped.
None of the process form fields are getting prepopulated; when I hard coded values in the prepop adapters for all the required fields in the process form, provisioning completes successfully.
Please help me with this.
Thanks.
~VSN
I get the below error:
<BEA-000000> <Class/Method: tcAdapterExecuter/executeRuleGenerators encounter some problems: java.lang.Exception: Error retrieving user info: User Login
java.lang.Exception: java.lang.Exception: Error retrieving user info: User Login
at java.lang.Throwable.<init>(Throwable.java:67)
at com.thortech.xl.dataobj.rulegenerators.tcAdapterExecuter.executeRuleGenerators(tcAdapterExecuter.java:205)
at com.thortech.xl.dataobj.util.tcPrePopulateUtility.setDataFromAdapter(tcPrePopulateUtility.java:1020)
at com.thortech.xl.dataobj.util.tcPrePopulateUtility.prePopulate(tcPrePopulateUtility.java:346)
at com.thortech.xl.dataobj.util.tcOrderPackages.computeProcessFormData(tcOrderPackages.java:901)
at com.thortech.xl.dataobj.util.tcOrderPackages.createOrder(tcOrderPackages.java:423)
at com.thortech.xl.dataobj.util.tcOrderPackages.orderPackageForUser(tcOrderPackages.java:177)
at com.thortech.xl.dataobj.tcOIU.provision(tcOIU.java:563)
at com.thortech.xl.dataobj.tcOIU.eventPostInsert(tcOIU.java:303)
at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:602)
at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
at com.thortech.xl.dataobj.tcTableDataObj.save(tcTableDataObj.java:2905)
at com.thortech.xl.dataobj.tcUserProvisionObject.insertImplementation(tcUserProvisionObject.java:283)
at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:591)
at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
at oracle.iam.accesspolicy.impl.handlers.provisioning.ProvisionAccountActionHandler.execute(ProvisionAccountActionHandler.java:104)
at oracle.iam.accesspolicy.impl.handlers.provisioning.ProvisionAccountActionHandler.execute(ProvisionAccountActionHandler.java:35)
at sun.reflect.GeneratedMethodAccessor1831.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:600)
at oracle.iam.platform.kernel.impl.EventHandlerDynamicProxy.invoke(EventHandlerDynamicProxy.java:30)
at $Proxy284.execute(Unknown Source)
at oracle.iam.platform.kernel.impl.OrchProcessData.runActionEvents(OrchProcessData.java:1035)
at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:644)
at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:669)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeChildProcess(OrchestrationEngineImpl.java:751)
at oracle.iam.platform.kernel.impl.OrchProcessData.handleAdditionalChanges(OrchProcessData.java:537)
at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:802)
at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:669)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:686)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.notifyParentProcess(OrchestrationEngineImpl.java:828)
at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:771)
at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:669)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeChildProcess(OrchestrationEngineImpl.java:751)
at oracle.iam.platform.kernel.impl.OrchProcessData.handleAdditionalChanges(OrchProcessData.java:537)
at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:802)
at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:674)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:705)
at oracle.iam.platform.kernel.impl.OrhestrationAsyncTask.execute(OrhestrationAsyncTask.java:108)
at oracle.iam.platform.async.impl.TaskExecutor.executeUnmanagedTask(TaskExecutor.java:100)
at oracle.iam.platform.async.impl.TaskExecutor.execute(TaskExecutor.java:70)
at oracle.iam.platform.async.messaging.MessageReceiver.onMessage(MessageReceiver.java:68)
at sun.reflect.GeneratedMethodAccessor2150.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:600)
at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:148)
at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy382.onMessage(Unknown Source)
at weblogic.ejb.container.internal.MDListener.execute(MDListener.java:466)
at weblogic.ejb.container.internal.MDListener.transactionalOnMessage(MDListener.java:371)
at weblogic.ejb.container.internal.MDListener.onMessage(MDListener.java:327)
at weblogic.jms.client.JMSSession.onMessage(JMSSession.java:4659)
at weblogic.jms.client.JMSSession.execute(JMSSession.java:4345)
at weblogic.jms.client.JMSSession.executeMessage(JMSSession.java:3821)
at weblogic.jms.client.JMSSession.access$000(JMSSession.java:115)
at weblogic.jms.client.JMSSession$UseForRunnable.run(JMSSession.java:5170)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
Kevin,
For manual provisioning it works fine.
It fails when I create a user in OIM using the flat file GTC. I have an access policy to auto provision that user with LDAP.
As mentioned before, I notice none of the prepops on the LDAP process form are able to read a value from the Xel user form.
Steps I tried Already:
1- Checking access policy
2-remapping process form adapters
Please let me know your thoughts.
~VSN -
Traffic-shape removed from interface automatically
Hi all,
I came across an issue on one of my Cisco 1841 routers.
We have configured more than 10 traffic shapes on both FastEthernet0/0 and FastEthernet0/1. When I tried to remove one traffic-shape line it removed all the other traffic shapes. Has anyone faced this same issue???
no traffic-shape group 140 512000 12800 12800 1000
c1841-advipservicesk9-mz.124-12.bin
Any help!!!!
-
OIM 9.1.0.2 Group Membership Removal for Disabled Users
Hello
In OIM 9.1.0.2, when a user is disabled, they are removed from the groups they are a member of within 24 hours. I was wondering if this is a set time and, if so, whether it can be extended to a specified time so membership can be left for a week before it is removed from the user. If you can let me know on this I would appreciate it.
Thanks
Nick
Today, when accounts are disabled, within 24 hours all the group memberships are removed on the OIM side. I would like to change the interval for the cleanup so that when an account is disabled, all the existing group (role) memberships stay assigned to the account, and then after 30 days of the account being disabled the group (role) memberships are removed. Not sure if this would be an ORM thing or OIM, but I think it would be OIM since ORM still has the role mappings for users when they are disabled.
Thanks
Nick -
I am having an issue with one of my email accounts where emails are being removed from the inbox automatically. They go to the inbox and then they just disappear. If I forward the email to another user the mail is not deleted....
Any ideas?
From the Mail menu bar, select
Mail ▹ Preferences ▹ Accounts ▹ Advanced
and from the popup menu labeled Keep copies of messages for offline viewing, select
All messages and their attachments
If there's no improvement, you may have to switch from IMAP to POP access. -
GRC 10.0 Mass Role removal
Hello all,
We are using GRC AC 10.0 (SP14). Today I found out that the access removal for multiple users is not working. The role removal for one user is working fine. But for multiple users who all have the same role it is not possible to select this existing role. Is it standard in GRC AC or did I miss some config parameters?
The button "ADD" (yellow) is not working, and there is no button "Existing assignments". Please let me know whether these settings are standard or not.
Many thanks,
regards
Sabrina
Sabrina,
Multi user requests have been quite problematic. I encourage you to search for corrections; we had to implement numerous corrections for multi-user requests. Right now, though, multi user requests for role removal using the "Existing Assignment" function are working for us (SP12 with a lot of corrections from SP13 and SP14).
I should mention that our Provisioning Log in the closure notification only lists the first user, but all three accounts in my test request just now had the role removed as requested. We have treated that as a training issue with our request submitters for the time being. We implemented Note 1727135 to correct that issue and it made matters worse, so we had to revert.
Good luck!
Gretchen -
SCCM 2012 SP1 - SUP role removal or reinstall issue resolution
Hello all,
I just want to share a fix regarding SUP removal (re-install) issue.
I think I found a bug regarding SUP role removal/re-install.
When I try to re-install a secondary SUP on a site system, and remove the SUP via AdminUI - Administration - Site - Site Systems, it gets removed from the list but I get the following errors, which make the (re-)installation fail.
Severity | Type | Site code | Date / Time | System | Component | Message ID | Description
Information | Milestone | PS1 | 4/12/2013 10:28:09 PM | SMS02SS401.ICBCAGENT.NET | SMS_WSUS_CONTROL_MANAGER | 1021 | Site Component Manager detected that this component should be deinstalled from this site system. Site Component Manager will attempt to deinstall the component every 60 minutes. Site Component Manager will abort the deinstallation if it fails to succeed after 1440 minutes.
Information | Audit | PS1 | 4/12/2013 10:27:58 PM | sms02ss401.icbcagent.net | Microsoft.ConfigurationManagement.exe | 30038 | User "ICBC\ll1v3" deleted the role of the Windows NT Server "\\SMS02SS401.ICBCAGENT.NET" as a Software update point in the site control file at site PS1.
Error | Milestone | PS1 | 4/12/2013 10:15:45 PM | SMS02SS401.ICBCAGENT.NET | SMS_WSUS_CONTROL_MANAGER | 1020 | Site Component Manager failed to reinstall this component on this site system. Solution: Review the previous status messages to determine the exact reason for the failure. Site Component Manager will automatically retry the reinstallation in 60 minutes. To force Site Component Manager to immediately retry the reinstallation, stop and restart Site Component Manager using the Configuration Manager Service Manager.
Error | Detail | PS1 | 4/12/2013 10:15:45 PM | SMS02SS401.ICBCAGENT.NET | SMS_WSUS_CONTROL_MANAGER | 580 | Could not delete the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\SMS_EXECUTIVE\Threads\SMS_WSUS_CONTROL_MANAGER" on computer SMS02SS401.ICBCAGENT.NET. The operating system reported error 997: Overlapped I/O operation is in progress.
Information | Milestone | PS1 | 4/12/2013 10:15:40 PM | SMS02SS401.ICBCAGENT.NET | SMS_WSUS_CONTROL_MANAGER | 1018 | Site Component Manager is reinstalling this component on this site system.
Error | Detail | PS1 | 4/12/2013 9:14:39 PM | SMS02SS401.ICBCAGENT.NET | SMS_WSUS_CONTROL_MANAGER | 580 | Could not delete the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\SMS_EXECUTIVE\Threads\SMS_WSUS_CONTROL_MANAGER" on computer SMS02SS401.ICBCAGENT.NET. The operating system reported error 997: Overlapped I/O operation is in progress.
In fact, the registry key is under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Components\SMS_EXECUTIVE\Threads\SMS_WSUS_CONTROL_MANAGER
When I trigger the uninstall via AdminUI, it fails to remove the key, thus it thinks the role is already there when I try to re-install it.
The fix was to manually remove the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Components\SMS_EXECUTIVE\Threads\SMS_WSUS_CONTROL_MANAGER registry key and then retry.
Thanks,
Young-YPae
Yes!!! This worked for me. I have SCCM set up with a number of untrusted forests with a firewall in between my SCCM servers and the untrusted forests. The firewall went down and half of my site servers in the untrusted forests were giving the "operating system reported error 997: Overlapped I/O operation is in progress" on a number of their components. I finally found this, deleted the reg keys under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Components\SMS_EXECUTIVE\Threads", and that allowed SCCM to reinstall. -
Hi,
I created a role and added an approver. I would like the same approver/approvers to be required to approve not only when the role is granted but also when the role is removed from a user. What is the easiest way to implement this?
Thanks in advance
Hi,
Thanks for your reply. I thought about that too, but the remove button is pressed before the save, so the admin removing the role can still cancel the action.
Any other idea? My idea is to create a subprocess called "approve removal" where I select the approvers and then call the native "approval" process (here though I still need to figure out the parameter values); once this is done I will add the subprocess to the "create user" and "update user" workflows (cloning and renaming them).
Thanks
Sergio -
Initiater for Role removal.
Hi,
I need some update/input w.r.t. the role removal initiator. While configuring the role removal, is it possible to use the role status in the initiator? If not, how do I identify that this request is only for role removal?
Normally we put only one stage for role removal. In the config, nowhere do we have an automatic check that the request is only for role removal. So we have to trust those particular stage owners. As per the CUP automation check, is it possible to validate this?
Thanks in advance.
Regards,
Vasantha Kumar.
Hi Justin
I'm assuming you are involved in, or the victim of, a security access review. I'm usually one of those security guys asking for role or transaction removal, and you are the main contact in the business coordinating the changes.
The process of remediation will possibly consist of checking which transactions are causing a segregation of duties conflict, whether they are used or not, and removing one side of the conflict by removing an unused transaction.
It shouldn't require the entire contents of a role to be removed; rather, swapping role A for role B without a transaction or two.
Removing transactions that aren't used can have more subtle implications which hopefully are found during UAT but are usually missed until used in anger. This is what support is for after go-live.
Saying all that, and depending on your time and skills, you could ask for access to the security person's test user in DEV or QAS where they are working, run transaction SUIM on transactions for user following the proposed changes, and compare that to the actual access of the real affected user in PROD. If you can get access to the Informer tab in Virsa you can use the standard simulation reports to also check the resulting conflicts, which will help you talk to the business and advise on the actions available. There should be role owners involved in all this as they have to own the result: expect a request for these for CUP later on.
If you can retain control and approval of the (controlled) changes being made to users you will have a better understanding of what is happening, catch potential errors and mediate between security and the business. You have an important task!
Ask for some basic training in standard SAP reports; the security team should be more than grateful for your input.
Crikey that was hard typing on an iPhone!
Cheers
Edited by: David Berry on Jan 11, 2011 8:17 PM -
Hi all,
We have a new requirement to remove ALL roles from users in group TERMINATED.
I have used SU10 in the past to remove a specific role X from a group of users. But I cannot seem to simply remove all roles from every user in the group. Is there a way to do this without using eCATT?
There are about 2200 users in the group, as it was not previously maintained, and I would rather not do this manually if I can avoid it.
Thanks
Hi
Run SUIM to give you a list of the user ID's in the TERMINATED user group.
Record an LSMW: you'll need to create a project/sub-project/object and then go to recordings, run tcode SU01, enter one user ID, go to the Roles tab, click the select-all-roles icon, delete and save.
That will end your LSMW recording.
Check the variables in the recording. All you need is the user ID; make sure you remove the default tested user ID or all you'll get will be a recording that does nothing but delete nothing from the same user.
Create a .txt file with the rest of the user IDs from the user group (barring the one you just changed) and save it somewhere easy to find.
Go back to your LSMW project and maintain each of the steps up to "specify files"; you'll need to browse for the saved .txt file and also change the delimiter section to tabular.
Assign the files and work your way through the next steps until you generate a batch input session. Run the batch input in foreground and step through the recording you are now running for real. Make damned sure it does only what you expected it to do!
If the trial one works then maybe try a couple more until you feel confident before going for the big one.
Oh, and don't forget to check that you aren't in the TERMINATED user group or you'll lose your access during the LSMW script. That bit is embarrassing, but renaming 670 users to Theresa is worse (I did that once because I forgot to remove the default entry in the recording).