Portal role/ group provisioning via CUP

HI Gurus,
We are planing to perform portal role (EP 7 )provisioning via CUP. Is there any config guide available for this which we can follow.
Thanks
Ani

This guide might be of help:
http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/502a14db-6261-2c10-22b5-95117ab0e5ed
Regards,
Luis

Similar Messages

  • Error when clicked on "Existing roles/groups" button in CUP

    Can you guys please help in resolving the following issues I am facing currently.
    CUP reports an error saying " Action failed" when clicked on  "Existing Roles/Groups" button in CUP request form.
    Below is the log
    2010-03-25 10:21:16,762 [SAPEngine_Application_Thread[impl:3]_2] ERROR com.sap.mw.jco.JCO$Exception: (127) JCO_ERROR_FIELD_NOT_FOUND: Field EXP_ROLES_FLAG not a member of INPUT
    com.sap.mw.jco.JCO$Exception: (127) JCO_ERROR_FIELD_NOT_FOUND: Field EXP_ROLES_FLAG not a member of INPUT
         at com.sap.mw.jco.JCO$MetaData.indexOf(JCO.java:9566)
         at com.sap.mw.jco.JCO$Record.setValue(JCO.java:14956)
         at com.virsa.ae.service.sap.RoleProfileDAO.findRoleProfByUser(RoleProfileDAO.java:110)
         at com.virsa.ae.search.bo.SearchRolesBO.searchExistingRoles(SearchRolesBO.java:580)
         at com.virsa.ae.search.actions.SearchRolesAction.loadExistingRolesHandler(SearchRolesAction.java:1610)
         at com.virsa.ae.search.actions.SearchRolesAction.execute(SearchRolesAction.java:372)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)

    Hi Anand,
    "Action Failed" error for "Exisitng Roles/Groups" comes up when Support Pack level of frontend(JAVA) and backend(ABAP) RTA are not synchronized. It happens mostly with HR RTA.
    Please follow the SAP Note below to make sure your SP's are in Sync.
    Note 1352498 - Support Pack Numbering - GRC Access Control
    Best Regards,
    Sirish Gullapalli.

  • Duplicate Roles in USMR (provisioning via CUP)

    Hello everyone,
    We are using GRC CUP 5.3 SP8
    How can we avoid or prevent CUP from assigning Roles which already exist for the User master record ?
    we have some default Role  mappings ( some basic role being tagged to main role)
    if the user already has this basic role assigned , by requesting the main role he is getting the basic role again  and again
    and I see duplicate entries of the same role in USMR I want to prevent this happen.
    Any ideas ?
    Thanking in advance
    Olivier

    I agree with Olivier but this is not only the problem with CUP. It is a problem with SU01. Try to add an existing role to an user account and SAP will add a duplicated entry if the role validity dates are different.
    When the request is created, CUP just takes the valid from date as current date and no-one is going to check that this role is already assigned to user and someone needs to match the valid from date.
    I don't see any resolution to this issue. Can you check with SAP?
    Alpesh

  • Error while trying to assign a role via CUP in Portal

    Hello Experts,
    I am trying to  create a request to assign a role in EP via CUP ( 5.3)
    EP Connector is working fine as I have imported Portal roles etc
    SPML service is working fine
    I have done the  mapping in the Provisioning tab for Portal system
    logonname in portal is email address of an employee
    So the I have done the following mapping
    AC Field                             Application field
    email addres-Stndard       logonname
    And I have the following error while trying to create a request which I grabbed form the log
    ERROR Exception during EJB call, Ignoring and trying Webservice Call
    LinkageError: loader constraints violated when linking com/virsa/cc/xsys/webservices/dto/WSRAInputParamDTO class
    ERROR com.virsa.ae.core.BOException: Exception from the service : Invalid System
    com.virsa.ae.core.BOException: Exception from the service : Invalid System
    ERROR : BO Exception in Save request
    Any suggestions would be really appreciated
    Regards
    Kev

    Kevin,
    I was able to replicate your issue and there is a setting in the CUP that you have to disable, Goto the config tab in the CUP and select NO for the "Risk Analysis On Request Submission " under risk analysis.
    Issue here is you did not create a connector for your EP in the RAR, I believe you have the above mentioned parameter to yes and so when you are submitting a request CUP is trying to do the risk analysis but RAR was not able to find any System, so it is thowing an error.
    You can resolve this issue in two ways, one is to create a connector in RAR or the other is to disable the setting in the CUP.
    Hope this helps.
    Naveen

  • Provision Unix accounts/roles/groups to Directory server using OIM

    Hi,
    I have a requirement to integrated large number of Unix servers with LDAP (OID or Sun Directory Server) for Centralized Authentication and Authorization and to provision Unix accounts/roles/groups to Directory server using OIM, I have following queries.
    1. If using PAM_LDAP then what are the schema changes required in ldap to support it ?
    2. Does OIM's out of box connector for OID or Sun Directory Server supports Unix accounts/roles/groups provisioning to Directory server ? If not, can it be extend ? or do I need to write a custom connector ?
    3. If I use Oracle Authentication Services for OS for centralized unix account management then OIM provisioning is same as #2 or different ?
    Thanks
    Nitin

    yes. iPlanet connector support for multivalued attribute. Go through the connector doc. It will let you know how to extend its functionality.
    --nayan                                                                                                                                                                                                                                                                                                               

  • GRC CUP - How to add a custom field in "Select Roles/Groups" form

    Hi Forum,
    I created a custom field "REGION" in CUP configuration. I used this field in "Role Attributes"
    In "New Account" workflow, when i click on Select Roles/Groups" a screen for Select Roles/Groups will display to select the roles by different combinations.
    I need this "REGION" field in the above selection creria to select roles by REGION.
    How to make this field "REGION" appear in above selet cretiria.
    Thanks,
    RAM
    Edited by: Ram.Sathish on Apr 21, 2011 3:46 PM

    you can not add custom fields in the search, have you thought about using the company field as the fied for location?
    Regards,
    Chinmaya

  • How to transport Associated Group in a Portal Role?

    Hi,
    I created a portal role which is contained in a folder X under Portal Content.  This portal role is associated with a particular ABAP menu-role by means of Assigned Groups.  When I transported the folder X with all dependent objects from Dev to QA, the portal role appeared but the Assigned Groups is empty.  Another words, the association between portal role and the ABAP menu-role could not be transported.  How can Associated Groups in a Portal Role be transported?
    Thank you in advance.
    Best regards,
    Zabrina

    Hi,
    I have tried to do it in two steps:
    1. Export and import portal contents which include the whole structure with folders, roles and iviews under each role.
    2. Export and import the same roles as user management data
    The result from 1 was that the whole structure including the roles is imported; however none of the portal role contains the associated assigned group.
    The result from 2 was that the UME roles with assigned group are imported as separat objects.
    Now, the same role appears both as portal role without assigned group and the UME object with assigned group. But, there is no connection between 1 and 2.  That means that I cannot use 2 anyway.
    Is there any other way to do than to export 1 and manuelly modify 1 with assigned role once again after transport?
    Thank you in advance for any helpful advice.
    Best regards,
    Zabrina

  • Portal Roles added to the LDAP group is not showing up for users

    Hello expert,
    I have implemented SSO for Enterprise Portal and MS LDAP.  It is working fine but when I assigned roles to the LDAP group instead of UME group, they are not taking effect when I refresh the browser.  My service account that I set up in the keytab file is a read only account for the LDAP.  Is there some permission issue that I have to do to be able to add Portal roles or groups to LDAP groups?

    Hi,
    By default the LDAP integration configuration file is readonly.
    In this case, is not possible to modify data in LDAP.
    You must to connect in read-write mode; and I think that, furthermore, you need to configure SSL between Portal and LDAP in order to use read-write mode.
    regards,

  • Portal Roles Intial load and Provisioning through IDM UI

    Dear All,
    I am trying to assign portal roles to Users in IDM 7.1 SP5.
    For this two activities needs to be performed:
    1) Portal roles Initial load in IDM Identity store
    2) Provisioning of Portal roles to Users through IDM UI
    Please suggest about the configuration guide or steps required for both points mentioned above.
    Thanks
    Honey

    Dear Christoph,
    Thanks for the reply.
    Now I am able to assign Role / Privileges to Users from IDM to UME.
    Require one clarification on  User / Identity creation:
    Where can I can set initial password for all the new user created from IDM UI ?
    I am able to create new User and assign roles as well from IDM UI and all is available in EP UME also.
    But when I am logging in with new user it is not taking the default password mentioned in Global Constant in IS.
    Do I need to mention the password somewhere else.
    Pls suggest.
    Thanks
    Honey
    Edited by: Honey Gyanani on Oct 6, 2010 9:10 AM

  • Portal roles and AD-groups

    Hi,
    anyone that can fill me with info on mapping between portal roles and Active Directory groups.
    Thankful for config.help!
    Kind regards,
    Hilde Bakkemyr

    hi,
    look at this document.
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/bc72b890-0201-0010-3a8d-e31e3e266893
    hope it helps.
    regards,
    rohin

  • CUP v5.3 SP11.1 - CUP Request button "Existing Roles/Groups"

    Hi!
    Re: CUP v5.3 SP11.1 - CUP Request button "Existing Roles/Groups"
    Can anyone explain why some of our CUP users will see this CUP button in the CUP Request and others will not? Are they missing a UME "ACTION"?
    The button works fine, but it only shows up for some users and not others.
    Thanks for your help!
    -john

    Hello ,
    For Approvers , the button "Existing Roles /Groups" will be visible only when the following "stage" level setting is set
    Change Request Content = Yes
    Add Role =Yes .
    Regards
    -Ranjiv

  • AC CUP 5.3 - Error approving a portal role request

    Followed instructions to configure portal provisioning in CUP in our sandbox environment but when approving a test request,  I am getting the following error message:
    Error provisioning your request, Request no: 10327 error occurred in the provisioning systems, error details :
    GRC_PORTAL-TEST001-USER CREATE-malformedRequest      **
    GRC_PORTAL-customError
    TEST001 is the userid of the requester
    Has anyone encountered this error while tyring to get the CUP portal provisioning to work?
    Thanks!

    Hi Jane,
    I have seen similar messages but not that one.
    Have a look in the System Log (Config tab --> Monitoring) and see if that gives any further information about the source of the error message.
    Simon

  • J2EE roles vs Portal roles vs ABAP roles

    (I also posted this on portal implementation, but i hope i receive more reactions here )
    Dear all,
    I have a question about the information on the following link:
    http://help.sap.com/saphelp_nw2004s/helpdata/en/4c/6c0f40763f1e07e10000000a1550b0/content.htm
    It says the following:
    "These functions are intended to assign users and their assigned portal roles a corresponding role in the SAP System. This corresponding role (authorization role) contains the authorizations needed to execute certain functions from the portal."
    1. These "...certain functions..." they talk about, can someome give an example of these functions?
    2. Is it possible for example to create a role in the portal that gives a user authorisation for starting transaction SE80 in the backend system? Without making the role in the backend first and uploading it to the portal.
    3. It's also possible to upload ABAP roles to the portal. Is the main reason for this that users can see their SAP menu (or part of it) in the portal? Or does this have other advantages too?
    4. I'm very confused about the relation between J2EE roles, portal roles and ABAP roles. Is it possible to manage the roles for a user in one place, without having to do certain actions in the portal AND the backend system?
    From what I've read on help.sap.com, you always need to do certain actions in both places.
    A possible approach is the following (from what i know): Creation of roles in the R/3 system, without assigning to users. From a webdynpro application, a user can then be created and roles can be assigned: portal roles (via some API) and R/3 roles (via BAPIs).
    I hope someone can give a bit information on this issue. I've done alot of reading on help.sap.com, but it's still an abstract issue for me.
    Kind regards,
    Joren

    Hi Jorem
    Re: point 3. I don't build portal roles through this mechanism as I don't believe in replicating the SAP easy access menu inside the portal. If there are some specific functions (transactions) that I want to run inside the portal, then I might use this mechanism to build the iViews once. I would rather start an iView that runs transaction SMEN and let the user see their regular easy access menu.
    Please note that the speed of executing transactions in the portal isn't a function of the portal, but the fact that you are using ITS, for example, to web enable the transaction...
    Re: point 4. Groups are a UME concept. They have nothign to do with ABAP groups. They can be created directly in UME through user administration functions, or they can be created in the LDAP and then they are visible in the portal. If the UME points to an ABAP system, then the ABAP roles are autoamtcially visible as UME groups. Groups created in the UME need to have the members assigned through user admin functions of the Java engine. Groups stored in LDAP are maintained using LDAP admin tools. There are upload utilities that allow you to maintain LDAP users and groups through text files. Google LDIF for more details.
    Roles on the portal need to be built in the portal contetn directory. As Michael mentioned, this can be automated by the use of the role upload function built into the portal.

  • Page w/3 Iviews will not display all iviews thru Portal Role?

    Hello All,
    I am having a problem with getting 2 of 3 iviews to display through my portal role(s). 1 of the iviews is a copy (generated thru the wizard with same properties) of the SAP Bank information iview and the other 2 I created in the KM content (1 is an image and the other is html). If I preview the page, I see all 3 of my iviews with no problem.
    Just a little history, I created a new area page called payments which I tied Bank Information and w-4 to via config in the back end. I z copied all my resources and tied the correct PCD to them.
    It almost seems that it is still calling the SAP delivered Bank information? But, I checked all my config and nothing that is configured is pointing to there iview/page?
    Any suggestions would be greatly appreciated.
    ESS 1.0 - EP7.0
    Thanks,
    Mike

    Hello Priya,
    Thank you for getting back to me so quickly on this. I did create a z copy of the bank information service and called it z_employee_bank_us_serv05. I created the iview with application name 'per_bank_us' and as for the 'Application Parameters', I did not fill anything in which leads me to my next question.
    I know when I create a new area, that I need to fill in the application parameters of the path to the 'Area group pages'
    (Example: sap.xss.menuarea=Z_EMPLOYEE_BENEFITPAY_ERP2005&sap.xss.menuargrp=Z_SAPDEFAULTESS_ERP2005&sap.xss.menuhdr=SAPDEFAULT),
    What would the verbage that would need to be added to the application parameters for this just to point to the service?
    THX

  • CUP 5.3 (SP9) Role search in a CUP request

    Dear Experts,
    I have a problem. I cannot select roles by company selection in a CUP request. I believe I am not associating companies to roles correctly...I don't know what went wrong and what additional procedures that I have to follow to fix this problem.
    I need this selection feature since we are going to give a set of roles to users (or let them select) according to the company that they belong to.
    Here is what I did basically:
    1. Under Configuration>Role Attributes>Custom Filed in ERM, I set up a custom filed "COMPANY" and put some values (COMP1, COMP2, etc).
    2. Under Configuration>Roles>Attributes in CUP, I also set up companies that are exactly the same as those in ERM.
    2. Then, I created a role (ROLE1) in ERM and gave a company attribute (COMP1) to that role. Now, ROLE1 should be associated to COMP1, theoretically, right?
    3. However, when I crate a new user in a CUP request and then search for a role (ROLE1) by selecting company attribute (COMP1), the role (ROLE1) does not show up. This is my problem.
    PS: I have no problem getting a role by functional area, business process, or other predefined attributes in CUP.
    Please save me if you can.
    HM

    Hi Frank,
    1. The company ID is identical in ERM and CUP, and properly assigned to roles?
    =Yes (double checked).
    2. You have imported the roles from ERM to CUP?
    =Yes (CUP>Roles>Import Roles/Groups, and the role source is ERM).
    3. Do the roles show up with the correct company assigned in CUP Role Search?
    =No (please see below commnets).
    When I search roles in ERM (Role Management>Role>Search), I can see the company ID under the tab "Custom Attributes".
    When I search roles in CUP (Config>Roles>Search Roles), I don't see the company ID anywhere including the tab "Company" and "Custom Attributes".
    Does this give you any clue?
    Thanks,
    HM

Maybe you are looking for

  • G530-44463​8U Sleep/Hibe​rnate issue with windows7 Ultimate 64Bit with 4GB ram

    I have a problem with Lenovo G530-444638U. I upgraded to 4Gb ram and installed a fresh copy of Windows 7 Ultimate 64bit and I'm facing sleep and hibernation problems. When I try to put laptop to sleep mode and I try to resume from sleep, it restarts

  • Choice displays only the first option.

    hi, I am having problem with the "Choice" menu i created. It is displaying only the first choice option, though i select other choices...Meaning, it's displaying only "23.0" whatever other values i select...any suggetions? Thanks in advance. public c

  • SAP Content Server error 405    Method Not Allowed

    Hello Everyone We have installed SAP Content server 04s with SAP DB 7.6 build on Solaris platform.  We are trying to connect it through ECC. We have configured Apache web server on content server, and we are able to access it through http url. On ECC

  • Edit PSA results in CAPITAL letters

    We import data from non-SAP systems and occasionally they contain erroneous data.  We edit the PSA to make the correction and then reload.  Unfortunately we have encountered a side-effect - the character string fields are all converted to capital let

  • Can't connect to Express

    I just set up a new Aiport Extreme base station. I had an old Extreme that was about five years old and had it wirelessly connected to an Aiport Express that I have connected to my stereo. I got this new Express from my son-in-law and did a factory r