Portal Roles Intial load and Provisioning through IDM UI

Similar Messages

• GP difference between Portal Role GP Administrator and Process Role Admin

  Please explain the difference between the Portal Role "GP Administrator" and the Process Role  "Administrator"
  In the CAF-GP Security guide, it says that the Process Role "Administrator" can "Maintain process instances using the GP administration tools".  What does this mean?
  If a user has the Portal Role "GP Administration" and he DOES NOT have the Process Role "Administrator" for ANY process, he can still maintain ALL of the process instances from the Administration workset.  He doesn't need to have the Process Role "Administrator" assigned to him.

  All three have the same Admion rights.
  They are the default users created when you are creating a domain.
  If not used or edited they are a major security risk!
  If you just use say weblogic or portaladmin and do not take care of changing the password or security privilige (changing the group from Admin, or deleting this user if not required) of yahooadmin then anyone knowing the admin url can login with this default username and its default password.
  I would personally prefer creating custom users and remove the default users.
  Regards,
  Rommel Sharma

• Initial Load and Reconcile of IdM accounts vs Resources. Any advices?

  Hellos.
  Time is now to begin the initial startup of Idm where target resources already have entries.
  Is there anywhere an idiots guide explaining to a novice IdM user the steps involved in loading and linking IdM accounts for the first time? I have to stress the guide has to be designed to meet novices needs i.e. those doing it for the first time.
  We are fairly confident in running IdM from day 1. What I am unsure about is the best techniques to employ on day 0 so that the first FF Async run on day 1 will update IdM accounts rather than attempt to reinsert them.
  We have 3 target resources: 1 AD 2 LDAP and 1 input FF Async source (plus a form for manual adds/mods)
  The targets hold a mix of contract staff and employees. The FF source holds just employees, the contactor's data is entered by hand.
  Am I being stupid if I do the following:
  1. Load IdM Accounts from latest FF source (employees)
  2. reconcile matching AD accounts by name.
  3. reconcile matching LDAP1 accounts by name.
  4. reconcile matching LDAP2 accounts by name.
  5. from unmatched AD accounts since an AD account must exist for current staff make 2nd load file for contractors and load these accounts into IdM.
  6. reconcile matching AD accounts by name
  7. reconcile matching LDAP1 accounts by name
  8. reconcile matching LDAP2 accounts by name
  9 examine the leftovers and manually correct the mispelt or erroneous ones treating the rest as ghosts.
  I am unsure just what the reconciliation is doing, I hope it builds the links between IdM and the resource.
  What I am trying to achieve is a situation where I end up at the end of day0 where I have all the Idm accounts in my repository and are correctly linked to resource accounts so that the FF async can manage the bulk of them
  I believe this has to be done for every IdM implementation. What I am after is advice and pointers to guidance from those who have had the experience of going though the implementation cycle at least once.

  I had a similar problem although I was doing a load from file and I was linking the account to the resource.
  I noticed you had:
  <Field name='accounts[ISA].created'>
  <Default>
  <s>true</s>
  </Default>
  </Field>
  Try using the following instead:
  <Field name='waveset.accounts[GrandSlamXML].created'>
  <Expansion>
  <Boolean>true</Boolean>
  </Expansion>
  </Field>     
  That is what worked for me.

• Can I load and skip through multiple playlists on iPod shuffle 2nd gen?

  For the sake of this discussion, let's assume I have a workout playlist and a dining jazz playlist in iTunes.
  Q1: I understand that I can manually select "a" playlist in iTunes and move that to my iPod shuffle. And I understand how to manually order the songs to be stored in that same order on the shuffle. Can I move both playlists and have both ordered they I way I choose in iTunes? I am assuming yes.
  Q2: Once both playlists exist on the shuffle, can I skip between playlists? Is there a short cut key or key sequence on the shuffle to do this? I understand the shuffle button to use shuffle or not shuffle. I want to play only workout songs while working out and jazz while dining. Or do I have to download songs from iTunes before I workout and then again before dining to only get the playlist I want for that activity?
  Thanks.
  mac os   Mac OS X (10.4)   iPod shuffle 2nd generation
  mac os   Mac OS X (10.4.8)  
  mac os   Mac OS X (10.4.8)  

  For the sake of this discussion, let's assume I have
  a workout playlist and a dining jazz playlist in
  iTunes.
  Q1: I understand that I can manually select "a"
  playlist in iTunes and move that to my iPod shuffle.
  And I understand how to manually order the songs to
  be stored in that same order on the shuffle. Can I
  move both playlists and have both ordered they I way
  I choose in iTunes? I am assuming yes.
  Assuming is always dangerous... the answer is NO. ONLY if you combine BOTH lists by dragging the contents of teh second one onto the Shuffle will you have ALL the songs on the Shuffle.
  Q2: Once both playlists exist on the shuffle, can I
  skip between playlists? Is there a short cut key or
  key sequence on the shuffle to do this? I understand
  the shuffle button to use shuffle or not shuffle. I
  want to play only workout songs while working out and
  jazz while dining. Or do I have to download songs
  from iTunes before I workout and then again before
  dining to only get the playlist I want for that
  activity?
  You can't skip to a different "playlist" directly... you can only go to the beginning of teh Shuffle's stored songs by 3 quick presses of PLAY. Otherwise you can skip back and forth with the |<< and >>| buttons.
  Thanks.

• Abap+java abap-user and portal-role PROBLEM?? help

  We have the ABAP+java add-on install.
  The UME is by default ABAP engine.
  From Portal:
  1 I create a portal user, it ALWAYS creates ABAP user in ABAP engine.
  2. I create a portal role, it creates a role in the Portal.
  3. When I assign the user this portal role,
  having worksets and pages,
  I get no pages or worksets shown in the portal page as soon
  user logs in.
  Can you help configure this so that I could see the pages and iviews inside this workset when user logs in.
  Thanks  a lot.

  Hi Mike,
  You did right,
  Just check the Entry Point Property of your iView, page and workset to YES
  there are two radio buttons yes and no select the yes one,
  you can see your pages afte rlogin with the new user.
  Regards
  Abhimanyu L

• Abap+java stack, users not mapping to portal role.

  We have the ABAP+java add-on install.
  The UME is by default ABAP engine.
  From Portal:
  1 I create a portal user, it ALWAYS creates ABAP user in ABAP stack of WAS.
  2. I create a portal role, it creates a role in the Portal.
  3. When I assign the user this portal role,
  having worksets and pages,
  I get no pages or worksets shown in the portal page as soon
  user logs in.
  Can you help configure this so that I could see the pages and iviews inside this workset when user logs in.
  Thanks  a lot.
  PS:  posted this in webdynpro-ABAP.  no reply came.  Sorry to double post.

  Hi Mike,
  can you check into your WorkSet (or Pages) if you have setting up the <b>Entry Point</b> flag?
  PS: Award points for good answers.
  Best regards,
  Gianluca Barile

• Web/UME Services to fetch list of Portal Roles??

  Hi All,
  Are there any out of the box Web or UME services available which can fetch list of Portal Roles based on certain criteria.
  Basically I am looking for a service that will fetch list of all Portal Roles (PCD & UME) and will take couple of input parameters, a Role Name/ID & the permission property "Role Assigner"
  Thanks
  Sandip

  Thanks for your reply.
  But I guess these forums shows how to retrieve roles & its sub-ordinates for a particular user. Where as I am trying to retrieve all PCD roles for which I have "Role Assigner" permission.
  Basically I am building a delegated admin functionality on Portal using custom coding. It is the same as Portal out of box Del User Admin but I am not using it because of some other enhancements.
  I will have many user admins and the roles they can assign to users are determined by the "Role Assigner" permission. So its like, User_Admin_RoleA has access to 5 Portal Roles, User_Admin_RoleB has access to some other 5 roles and so on.
  So just wanted to know if there are standard Portal service (like we have for KM) available to do this.
  Thanks
  Sandip

• Error " no portal roles are assigned"

  hi experts,
  i am getting Error while opening portal page with user J2EE_ADMIN
  it is netweaver 2004ssr2.Error is "no portal roles are assigned".
  and this user has role "sap_j2ee_admin"o
  Just after completed installation i tried to open portal page.but this error i am getting.
  Please help me.
  i will reward points for help.
  thanks in advance,
  regards,
  raju.

  Hi,
  Please make sure it has super admin role and objects are added to role and define entry points and portal permissions are defined which enables the delegation of administrative tasks and content in the portal environment.
  Hope it helps.
  Regards,
  Mona

• Allowing Airwatch MDM access to the Captive-Portal guest users in pre-auth role for android and BB?

  Requirement:
  How to allow Airwatch MDM access to the Captive-Portal guest users in pre-authentication role for Android and Blackberry devices?
  What is Airwatch MDM?
  Airwatch MDM is Mobile Device Management. The Airwatch is an enterprise which helps to manage and secure data traveling through the mobile devices like Laptops, Tablets, Android, iPhones, iPads etc.
  Solution:
  Why we need to allow access to Airwatch MDM?
  The network administrator can force the guest users to register to Airwatch MDM before they get authenticated and access the internet. So that the network administrator could manage the guest devices through Airwatch Management tool. This can be achieved by CPPM server. To download the Airwatch MDM app and register with the Airwatch MDM server certain domains should be permitted in the captive portal pre-authentication role. This KB provides the configuration steps to allow the guest users to download the Airwatch MDM app and register with the Airwatch MDM server.
  Configuration:
  Below is the configuration
  Configuration steps:
  1. Create the following netdestinations
  netdestination Airwatch
    name *.awagent.com
    name *.awmdm.com
    name air-watch.com
  netdestination Google-Play
    name android.clients.google.com
    name .ggpht.com
    name gstatic.com
    name accounts.google.com
    name clients1.google.com
    name clients2.google.com
    name clients3.google.com
    name clients4.google.com
    name i.ytimg.com
    name google-analytics.com
    name .1e100.net
    name android.l.google.com
    name mtalk.google.com
    name clients.l.google.com
    name googleapis.com
    name gvt1.com
  netdestination BlackBerry
    name *.blackberry.com
  2. Now define the rules in the session acl and map it to the pre-authentication Role of the captive portal.
  ip access-list session Airwatch_Access
    any   alias Airwatch svc-http  permit
    any   alias Airwatch svc-https  permit
  ip access-list session Google-Play-Store
                 any   alias Google-Play any permit
  ip access-list session BlackBerry-Access
                 any   alias BlackBerry any permit
  3. Now map the session ACLs to captive-portal pre-authentication Role as follows
  user-role Guest-Pre-Auth-Role
   access-list session Airwatch_Access
   access-list session Google-Play-Store
   access-list session BlackBerry-Access
   access-list session logon-control
   access-list session captiveportal
  4. Now whitelist the list of domain names in the Captive Portal profle
  aaa authentication captive-portal Airwatch-Captive-Portal-Profile
  white-list Airwatch
  white-list Google-Play                                                                                ------------>Netdestinations where you defined the Domains.
  white-list BlackBerry
  Verification
  Now the user will be placed under the "Guest-Pre-Auth-Role" before the authentication. The user can now go the Google Play-Store or BlackBerry Appworld to download the Airwatch MDM and register to Airwatch Management Server.

  Thanks so much getting these names listed out. I have been working on this very issue for a few weeks and was basing my firewall rules on IP's. It was not going well. Now access is working and testing can commence!  Thanks,Chris

• Profile Type Privilege Assignments through IDM roles are stuck in Pending State

  Hi Everyone,
  We are getting a strange problem in our project in IDM 7.2 SP8. We use IDM role based concept where backend system specific technical roles, profiles (called as privileges in IDM) combined into IDM roles and these IDM roles are assigned to users.
  Events are configured on the privileges level (i,e backend system specific technical roles, profiles) in IDM so that once a IDM role is assigned to a user the corresponding privileges are assigned to user in IDM and these assignments triggers provisioning to associated backend systems.
  Now for role type privileges the provisioning is working fine. But for profile type privileges the provisioning status is always showing as pending and nothing happening and even no logs are showing in job log.
  I tried with execution of the mc_analyze_assignments stored procedure that came with SP08 to find the logs at least but still no information appearing. Looks like the triggering itself is not happening.
  I also compared the member events definition for the profile type privileges with the role type privileges (for which the provisioning is working fine) and looks like the settings are exactly same.
  Can any one suggest any other things that we are suppose to check? Any help is highly appreciable.

  Hello Venkata,
  did I understand correctly: You have business roles, that have SAP-profiles & SAP-roles (both privileges in IDM) assigned. Now you assign such a business role to a user, but only the SAP-roles are provisioned to the backend system and the SAP-profiles are not?
  Since you can see them in the UI for the user as pending, it looks like at least the provisioning is triggered, just not completed.
  You could check with the following SQL-statement, if they are waiting for the sucessful completion of another task and work your way from there:
  select * from mxp_provision where msg like 'Wait for%'
  The MSG-column gives you the audit-id of the "blocking" task and you can find more information about that one via
  select * from mxp_audit where auditid=<auditid>
  to see, what is going on there.
  Also do you have access to the Monitoring-tab via http://<portalurl:port>/idm/admin? In the provisioning-audit you might find some clues for those operations, too.
  Regards,
  Steffi.

• Role Mapping For Portal Role Assignment and ABAP Role Assignment

  Summary:
  - Under the GRC configuration of Roles> Role Mapping we are trying to utilize the  role mapping feature in GRC for associating a dependent role to a main role.
  - We want to use this role mapping feature for the purposes of adding an Enterprise Portal role for every ABAP role that gets approved for the user in an ABAP component system (i.e. ECC, BW, CRM etc). We will have a 1:1 mapping of Enterprise Portal role to ABAP role defined in the role mapping section in GRC.
  - We want to set up the workflow in such a way that the main role (ABAP role) is the only role that needs to be approved. The dependent role (Enterprise Portal role) should be added or not added based on the approval or denial of the main role (ABAP role). In other words if the role owner for the abap role approves the abap role, then both the abap and EP role will be provisioned by GRC and if the role owner rejects/denies the role, then neither the abap or EP role will be provisioned by GRC.
  Problem Description:
  Our Scenarios we tested:
  Scenario 1:
  Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
  Dependent Role:  Attached to Initiator B & workflow B (routes to auto approval or no approval)
  *Problem with the Scenario 1setup above, the dependent role will always get approved & provisioned regardless of the approval or denial of the main role. 
  Scenario 2:
  Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
  Dependent Role:  Attached to Initiator A & workflow A(routes to single approver (same as main approver) based on role)
  *Problem with the Scenario 2 setup above, the dependent role will always also need to get approved by the same approver as main role and it opens the possibility that the approver may accidently approve the main role and deny the dependent role, which is not the ideal setup as we inherit the risk of human error.
  Questions:
  1. Does the dependent role need to be defined in an initiator at all since it will never directly be requested directly?
  2.  If the dependent role does need to be in the initiator file, please describe how to properly setup the initiator and workflow stage & path so that we can maintain the desired relationship with the main role approval dependency? (if the role owner for the main role approves the main role, then both the main role and dependent role will be provisioned by GRC and if the role owner rejects/denies the main role, then neither the main role or depedent role will be provisioned by GRC
  Edited by: Rene Griffith on Feb 26, 2010 10:22 PM

  I tested this set up.
  1.  Defined ABAP role as Manin role
  2.  Defined Non-ABAP role as dependednt role
  3. ABAP role  is set up in initiator requiring business approval.
  4.  Non-ABAP role is set up in initiator with no approval required.
  Results Where Business Approver approves the ABAP Role
  1. Only the ABAP role is displayed in approver view which is desirable.
  2.  ABAP role is approved and Non-ABAP role and ABAP role is provisioned.
  Results Where Business Approver rejects the ABAP Role
  1. Only the ABAP role is displayed in approver view which is desirable.
  2.  ABAP role is rejected but  Non-ABAP role is provisioned which is not what we want.  We want the Non-ABAP role not to provision if the ABAP role is rejected by the business approval.
  Thanks again for your help.

• Browsing Portal Roles and it's mapping details

  Hi Friends,
  I am developing one webdynpro application displays portal roles in a drop down. Once I click on any of the role it need to display the Users, Worksets, Pages, iViews assigned to that role.
  I am using IRole API for that and able to get the portal roles but not the mapping details. I gone through one weblog which browses roles,pages etc from a Dynpage component. But it was not helpful for this application.
  Could you guys please tell me how to get the users,worksets,pages,iviews assigned to a particular role.
               Thank you in advance.
  Sandeep Kumar Bonam

  Hi
  Could you please let me know the below things.
  (1) How you get the object of IPortalComponentRequest and IPortalComponentResponse object inside webdynpro.
  (2) How you get the Workset details of the role?
  Your quick response would be highly appreciated.
  Regards
  Anbu.K

• Since upgrading to FF6 and now through FF7 web pages need repeated refreshing to load this does not happen with other browsers. I have tried many solutions. None have worked. Any ideas?

  Problem began after a Firefox 6 update (i do not remember which one) and has continued through current use of Firefox 7.0.1. Almost all '''web pages load only through repeated refreshing'''. If I do not refresh the web page it will just continue to try to load (as seen by the green rotating ring continually revolving) in a new window with a new tab (as I have set it to do). Nothing stops, nothing crashes. Once the web page completes and opens (after the refreshings) I can close the window click on the bookmark icon or originating link and the web page will load and open quickly (as it should). I have searched for solutions on the Mozilla site and have done many of the possible solutions (deleting history and caches, etc.) Problem seems to be communication in origin (my FF browser talking to web page server). I do not use a proxy. My set up to the internet is: laptop thru Verizon USB modem to internet. Operates as a wireless dial-up with speeds averaging 55 kbs (fast enough for me). I have used this set up for years with no previous trouble. Anyone have similar trouble, ideas or solutions?

  Thanks for your reply cor-el. I had never heard of nor seen the pref network.http.max-connections until I read about it in some of the replies in this support forum. People were saying 256 was the old setting and a new setting of 48 would correct my problem. When I followed the instructions to get to - see - and change the setting I discovered that my network.http.max-connections was already set to 48. I never did this. The only way I can think of that this setting was changed is that it happened by an automatic update to my Firefox browser. So, the problem I have was probably happening while this setting was at 48 all along. It is still set at 48 and I am still having the same problem. I will try as you suggest and set it to 30 and see what happens. I'll let you know the results. That's again for your response.

• Remote location, 7kbs d'load speed, 10 days to d'load Lion, only software updates are through the App Store. Why can't we d'load and install outside the Cloud anymore? Some of us can't use the cloud.

  Remote location, 7kbs d'load speed, 10 days to d'load Lion, only software updates are through the App Store. Why can't we d'load and install outside the Cloud anymore? Some of us can't use the cloud and never will be able to.

  That is true - I apologize for not being specific - what I was mainly referring to is iLife applications. I have a notice on the App Store that says 3 apps need updates, I look at the apps and they are huge so since my connection is so slow I use my work connection and d'load the files from support to my Windows machine and carry them home, once d'loaded my MacAir states it cannot install, the update must come from the App Store.
  I do the same thing for large Leopard and Lion files and I can install them without error, it is just the App Store files that the system stops.

• Loading through Process Chains 2 Delta Loads and 1 Full Load (ODS to Cube).

  Dear All,
  I am loading through Process chains with 2 Delta Loads and 1 Full load from ODS to Cube in 3.5. Am in the development process.
  My loading process is:
  Start - 2 Delta Loads - 1 Full Load - ODS Activation - Delete Index - Further Update - Delete overlapping requests from infocube - Creating Index.
  My question is:
  When am loading for the first am getting some data and for the next load i should get as Zero as there is no data for the next load but am getting same no of records for the next load. May be it is taking data from full upload, i guess. Please, guide me.
  Krishna.

  Hi,
  The reason you are getting the same no. of records is as you said (Full load), after running the delta you got all the changed records but after those two delta's again you have a full load step which will pick whole of the data all over again.
  The reason you are getting same no. of records is:
  1> You are running the chain for the first time.
  2> You ran this delta ip's for the first time, as such while initializing these deltas you might have choosen "Initialization without data transfer", as such now when you ran these deltas for the first time they picked whole of the data.Running a full load after that will also pick the same no. of records too.
  If the two delats you are talking are one after another then is say u got the data because of some changes, since you are loading for a single ods to a cube both your delta and full will pick same "For the first time " during data marting, for they have the same data source(ODS).
  Hope fully this will serve your purpose and will be expedite.
  Thax & Regards
  Vaibhave Sharma
  Edited by: Vaibhave Sharma on Sep 3, 2008 10:28 PM