Provisioning of roles to ABAP system deletes role assignments in backend

Hi all,
following scenario:
user has role A in an ABAP system which is connected to IDM. Assignment of role A to the user is not in the identity store.
Now you assign role B via workflow to the user and IDM provisions this new assignment to the ABAP system.
What will happen is that the user will get role B but assignment of role A will be deleted.
This happens because in the job "SetABAPRole&ProfileForUser" the connector attribute "roles" will only consist of the role assignments which are in the identity store. All assignments in the ABAP system which are not yet in the IDS will be overwritten.
This behaviour can be very critical. If you still allow role assignments directly in the backend system and you read these assignments e.g. once a day to the IDS - but in the meantime assignments have been done via workflow - you will lose data.
My customer wants to assign roles both directly in the system and also by workflow. Every night an ABAP update job runs which writes new assignments to the IDS.
Do you have any idea how I could solve this? Is there a way NOT to overwrite assignments with the ABAP connector field "roles"? I tried to use the multivalue operator but this didn't do the trick.
I hope I was able to describe my problem properly and you have answers...
Best regards
Jörn Kaplan

No, there is not a way to avoid that IdM replaces the role assignments in ABAP with the current assignments as known by IdM. IdM is the master!
This is not directly an issue of IdM: The standard BAPIs in ABAP (up to release 7.0) offer "replace all role assignments" but not "add role assignment" or "remove role assignment".
However, there exists an exception: Role assignments in ABAP which are created indirectly by an HR-ORG assignment are not touched by IdM. (These role assignments are shown in blue in transaction SU01.)
See http://help.sap.com/saphelp_nw70/helpdata/EN/50/e9683c5de8676fe10000000a114084/frameset.htm for details.
Kind regards
Frank Buchholz

Similar Messages

  • CUP unable to provision FF id in ABAP system

    Dear Experts,
    I have integrated SPM in CUP for Superuser Access Provisioning. Here, while testing as requester, I am able to create a request by Superuser Access, selecting all necessary fields like system, Manager, Firefighter ID; after submitting, the request was created and sent for approval.
    Here as Manager I am able to see the request with details, and after clicking on approve the request was closed.
    But in the backend ABAP system the selected Firefighter ID was not provisioned. As requester, when I log in to the backend system and execute transaction /VIRSA/VFAT, I am unable to see any Firefighter ID linked to me.
    So does anyone have a clue why it's not happening, as in CUP there was no error while creating and approving the request; everything works very fine.
    Thanks,
    With Regards,
    Soman

    Soman,
       Go to Configuration -> workflow -> autoprovisioning and make sure that ' Auto Provisioning - Provisioning Options' is selected to 'Auto-provision at end of request'. If this is selected then look at the logs. If this was not then change the value and go through the request submission/approval process again.
    Regards,
    Alpesh

  • RE: use of SAP_J2EE_ADMIN Role in ABAP while having no permission in UME

    Hi,
    I know that if we are using ABAP+JAVA stacks we need to have SAP_J2EE_ADMIN to do administration on the J2EE side. I have a question on this.
    1. Do we map the SAP_J2EE_ADMIN role to a portal role, or will assigning a user in ABAP the role SAP_J2EE_ADMIN automatically give him the ability to create a user in UME or any admin functions in J2EE?
    2. What happens if a user has the SAP_J2EE_ADMIN role in the ABAP system without having access to the NetWeaver J2EE Engine? Can he create users on the JAVA side without actually logging in there?
    I am a little confused about this role.
    Thanks,
    SS

    >>Do we map SAP_J2EE_ADMIN role to a portal role or assigning a user in ABAP with role SAP_J2EE_ADMIN will automatically gives him the ability to create a user in UME or any admin functions in J2EE
    No mapping is required. It will automatically give administration rights.
    >> what happens if user has SAP_J2EE_ADMIN role in ABAP system without having access to Netweaver J2EE Engine, can he create users in JAVA side without actually logging in there.
    If the user has SAP_J2EE_ADMIN on the ABAP side, he can log in to the Java URL. He can do all administration tasks, like user creation, role assignment etc. in UME.
    I hope it clears your doubt.
    Best Regards
    Imran

  • Delete Role Assignments directly from an ABAP System

    Hi folks!
    I'm working on a synchronization job and I have a particular challenge, delete Roles assigned to a user in the ABAP System.
    Our use case is this: IDM is regarded as the authoritative source and as such if the user has a privilege in IDM, it should be in the backend.  Easy enough!
    However if the privilege is not in IDM but is in the back-end, it needs to be removed.  Is there a way to do this in IDM? From what I saw in the Framework, we are assuming that the role already exists in IDM.
    I suppose the work around would be to assign and then remove the matching privilege in IDM, but I really don't like that at all, for a number of reasons.
    I looked in the business suite and plain ABAP portions of the framework.  I'll take a more detailed look and also check the RDS, but I get the feeling this will be a toughie.
    Thanks for your help!
    Matt

    Hello Matt,
    so you want to remove locally administered roles?
    If the objective really is to undo the local administration, I would do this:
    Create a batch job; the passes would be a FromSAP, a ToGeneric and one/two ToSAP.
    At first a cleaning pass (the ToGeneric one) which fixes all incorrectly assigned privs (re-add directly or remove, depending on what you want/need). The source tab query and destination tab script have to be written though (I guess that is the most time consuming part of the job during implementation).
    The pending privs have to be considered in the provisioning script (I would prefer our own written script over the SAP delivered one anytime).
    Copy the Read ABAP pass for users. Remove everything but the logonuid and the role assignments (profile assignments only if needed, too). Maybe use a different table name like sap<repName>userAssignRecon. If the system is very large, this pass has to be optimized with filters.
    Copy the role provisioning pass from the in-use plugin (SAP or adjusted one) and adjust it like this:
    Source tab query: A query which selects all mskeys of users that have more assigned in the SAP table than in the link view. Use the Identity Store so everything of the identity is selected.
    Destination tab: Remove the profiles as you haven't mentioned them. If needed I would do the same for profiles as for the roles in a second pass with the profileAssign table.
    Best regards
    Dominik
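    Added illustration (not code from this thread and not part of SAP IdM's provisioning framework) of the two behaviours discussed on this page: Frank's point in the main thread that the ABAP BAPI replaces all direct role assignments with the list IdM sends, while HR-ORG derived assignments stay untouched, and Dominik's reconciliation pass that selects users having more assignments in the SAP table than in the link view. User ids, role names, the `indirect` flag and both in-memory tables are constructed sample data; in a real job the backend side would come from a table such as sap<repName>userAssignRecon and the IdM side from the identity store link view. The logic is written in JavaScript because IdM job scripts are JavaScript, but it runs stand-alone under Node.

```javascript
// Constructed backend state: per ABAP user, the role assignments as read from
// the backend. `indirect: true` marks an assignment created via HR-ORG
// (shown in blue in SU01); the thread states IdM does not touch those.
const backend = {
  JKAPLAN: [
    { role: 'Z_ROLE_A', indirect: false }, // assigned directly in SU01, unknown to IdM
    { role: 'Z_HR_MGR', indirect: true },  // HR-ORG derived, kept by the backend
  ],
  MMUELLER: [
    { role: 'Z_ROLE_C', indirect: false },
  ],
};

// Constructed identity-store view: the roles IdM knows per user (the "link view").
const identityStore = {
  JKAPLAN: ['Z_ROLE_B'],   // just assigned via workflow
  MMUELLER: ['Z_ROLE_C'],
};

// What a "replace all" provisioning pass does: the connector attribute "roles"
// carries exactly the identity-store assignments, the backend drops every
// direct assignment not in that list and keeps indirect (HR-ORG) ones.
// Returns the resulting backend state and the direct assignments that were lost.
function provisionReplaceAll(backendState, idsRoles, user) {
  const current = backendState[user] || [];
  const wanted = idsRoles[user] || [];
  const kept = current.filter(a => a.indirect);
  const lost = current
    .filter(a => !a.indirect && !wanted.includes(a.role))
    .map(a => a.role);
  const newState = [
    ...kept,
    ...wanted.map(role => ({ role, indirect: false })),
  ];
  return { newState, lost };
}

// Reconciliation (the source-tab query Dominik describes): users whose direct
// backend assignments are not all present in the identity store. Running this
// BEFORE provisioning lets the cleaning pass either import the assignment into
// IdM or remove it deliberately, instead of losing it silently.
function findDrift(backendState, idsRoles) {
  const drift = {};
  for (const [user, assignments] of Object.entries(backendState)) {
    const known = new Set(idsRoles[user] || []);
    const extra = assignments
      .filter(a => !a.indirect && !known.has(a.role))
      .map(a => a.role);
    if (extra.length > 0) drift[user] = extra;
  }
  return drift;
}

// Demo: show the drift first, then what provisioning would do to each user.
console.log('backend-only direct assignments:', findDrift(backend, identityStore));
for (const user of Object.keys(backend)) {
  const { newState, lost } = provisionReplaceAll(backend, identityStore, user);
  console.log(user, 'after replace-all:', newState.map(a => a.role), 'lost:', lost);
}
```

    For JKAPLAN the drift check reports Z_ROLE_A as backend-only, and the replace-all pass confirms it would be lost while Z_HR_MGR survives; MMUELLER is unchanged. The order matters: the drift query has to run before the provisioning pass, exactly as the nightly read job in the question would need to run before, not after, workflow provisioning.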

  • Unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest

    unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest

    Hi,
    For SU01 role removal, you do not need S_USER_AGR with 02, and as you mentioned both authorizations are available in production; if so, the trace should not show you S_USER_AGR with 02 with RC=04.
    I would recommend doing a role comparison for the user performing the activity, and then checking whether you have S_USER_AGR with 02 in the user buffer (SU56).
    But ideally it should not ask you for S_USER_AGR with 02 through SU01, so please take the help of an ABAPer to debug it.
    Also put a trace on in non-prod to see if S_USER_AGR is getting checked with 02 for removal through SU01.
    BR,
    Mangesh

  • Business Role change made password deactivated or reset in ABAP systems.

    Hi,
    We recently made changes to a Business Role by adding a technical role, but these changes have deactivated or reset the password for assigned users who had a Productive password in the connected ABAP system.
    We have two types of users: those who access SAP Portal and ABAP with Single Sign-On, and those who log in to Portal and ABAP with a password.
    This BR change has impacted the second type of users, who had a Productive password.
    Regards,
    Manish

    Hello Manish,
    you have marked the thread as "Assumed answered". Could you please share with the community the outcome of your OSS ticket with SAP, so that others can benefit, too? Then you can mark the post as answered. Right now the thread isn't really helpful to anyone (neither you nor the community).
    Also, if you answer Jai's questions, maybe we can help in solving your problem?
    Having several irons in the fire can't be bad, right?
    Regards,
    Steffi.

  • J2EE_ADMIN has no Port Role in ABAP+JAVA stacks system

    I installed 2004s BI IDES SR2 with ABAP+JAVA on Win 2003 + Oracle, default client 800.
    I find the J2EE runs fine; I can log into SDM and configtool. And I can launch
    http://host:50000/index and http://host:50000/irj/portal, which means the portal is up.
    But from http://host:50000/index.html, I can't go to http://host:50000/useradmin, nor http://host:50000/nwa
    The error message is:
    Application cannot be started.
    Details:        com.sap.engine.services.deploy.container.ExceptionInfo: Naming error.
    With http://host:50000/irj/portal, both j2ee_admin and sap* can log in, but without any portal role. Thus
    only the logoff link is available, and I can't do anything else.
    I read through all the related posts and can't figure out a way to assign the portal role to j2ee_admin or create an additional portal user. Can anyone help with my situation?
    I also cannot log into Visual Admin with j2ee_admin; connect error:
    Error while connecting
    com.sap.engine.services.jmx.exception.JmxSecurityException: Caller J2EE_ADMIN not authorized, only role administrators is allowed to access JMX
    (I checked that the sap_j2ee_admin role is green on the su01 role tab with a correct validity period.)
    What should I do?
    Thanks

    Thanks for prompt reply, Debasis.
    Could you please elaborate the steps I need to take? Thanks.
    eg. how do I "Assign a user a role that has the permission for the UME action JMX.JmxManageAll"
    I don't have any portal tools working properly yet: I don't have useradmin, and I don't have nwa. I don't even have visual admin. Everything I do in ABAP (pfcg, su01) seems to have no effect on those portal functionalities.
    The fact that I enable emergency sap* from configtool also doesn't make useradmin / nwa work...
    Any idea? Thank you.

  • How to get the deleted Standard Role in ABAP Stack ??

    Hello All,
    When I was testing a role in PFCG, unfortunately I deleted a standard SAP role. Now I need to bring it back or recreate the same one. Can anyone advise me how I can get it back, please? And one more thing: when I am trying to copy the standard role from the temporary copied role, I am getting an error saying that "A namespace conflict has occurred". Please advise.
    Thanks in Advance.
    Sardaar.

    Hi Sardaar,
    You can download the role from the quality server and upload the same into development. As you said it's a standard SAP role, you will find the same in the Quality or Production server.
    If you need further help let me know
    Cheers
    Soma

  • Roles for Testing ChaRMs for Non-Abap Systems

    Hi,
    Can you please suggest what authorizations are required for testing the ChaRM functionality for non-ABAP systems?
    Thanks in advance
    Regards,
    Reddi

    hi
    check the link
    Check the Configuration guide for the prerequisites.

  • Deleting roles from CUP

    Gurus,
    We accidentally synced CUP with our EP which points to an ABAP stack (therefore tens of thousands of roles!). There are over 6,000 pages of roles in CUP that need to be deleted. Do we have to do this page by page or is there another way?
    Thanks,
    Grace Rae

    Hi Grace,
    Role deletion in CUP can be either rolewise or pagewise. However there is an easier method where you can disable the Roles in one go. The Disabled Roles do not get displayed to Users at the time of Request creation.
    The Role Upload Template which is used for importing these Roles in CUP would be needed here. There is a 5th field for Systems in the template, which has to be modified.
    If the System for these Roles is EP then just replace it with EP(D) in the Role Upload Template. After this modification import the Template again and check the Overwrite Existing Roles option.
    Hope this will minimize your efforts in deleting Roles.
    Regards,
    Nikita.

  • CUP - Unable to assign and delete role at the same time

    Hello everybody,
    I have an issue with CUP.
    Regarding a change account request: if I assign roles, it works. On the other hand, if I delete roles (also with a change account request) it works too. But if I mix both of them in the same request (assigning and deleting roles) it doesn't work. Only the deletion works. Sometimes we have no error message and sometimes we have:
    Error provisioning your request. Request no: 94. Error occurred in the system(s) : n/a, error details :
    DR1CLNT200-ZTEST01-USER CREATE-Function template /VIRSA/BAPI_USER_CHANGE could not be retrieved from DR1CLNT200
    Do you have please an idea to solve this issue?
    For information the CUP used is a 5.3 SP 5.0 version.
    Thanks in advance for any help.
    BMW

    Hi Ben,
    There may be a possibility of such behaviour in SP05, as many changes in the code have been done
    since then which may result in such an issue, and we can't confirm your findings by re-creating it. However, you can check a few things functionally which may resolve this issue:
    1) This error usually comes when the role selected is already assigned to the user, or the user doesn't exist in the system for which the change request is created.
    2) When this error occurs in the system, please take the system logs for that time from the 'Monitoring' tab under configuration in 'English'; there the error cause can be found, or please paste the logs so that we can analyse them.
    3) Also, you can refer to SAP Note 1168508, where many of the role related issues have been resolved after SP05; therefore, for smooth functioning of GRC-CUP 5.3, it's better to upgrade to the latest SP, i.e. SP18.11 (available at SMP).
    Best Regards,
    Akhil Chopra

  • J2EE roles vs Portal roles vs ABAP roles

    (I also posted this on portal implementation, but I hope I receive more reactions here)
    Dear all,
    I have a question about the information on the following link:
    http://help.sap.com/saphelp_nw2004s/helpdata/en/4c/6c0f40763f1e07e10000000a1550b0/content.htm
    It says the following:
    "These functions are intended to assign users and their assigned portal roles a corresponding role in the SAP System. This corresponding role (authorization role) contains the authorizations needed to execute certain functions from the portal."
    1. These "...certain functions..." they talk about: can someone give an example of these functions?
    2. Is it possible for example to create a role in the portal that gives a user authorisation for starting transaction SE80 in the backend system? Without making the role in the backend first and uploading it to the portal.
    3. It's also possible to upload ABAP roles to the portal. Is the main reason for this that users can see their SAP menu (or part of it) in the portal? Or does this have other advantages too?
    4. I'm very confused about the relation between J2EE roles, portal roles and ABAP roles. Is it possible to manage the roles for a user in one place, without having to do certain actions in the portal AND the backend system?
    From what I've read on help.sap.com, you always need to do certain actions in both places.
    A possible approach is the following (from what i know): Creation of roles in the R/3 system, without assigning to users. From a webdynpro application, a user can then be created and roles can be assigned: portal roles (via some API) and R/3 roles (via BAPIs).
    I hope someone can give a bit of information on this issue. I've done a lot of reading on help.sap.com, but it's still an abstract issue for me.
    Kind regards,
    Joren

    Hi Joren
    Re: point 3. I don't build portal roles through this mechanism, as I don't believe in replicating the SAP Easy Access menu inside the portal. If there are some specific functions (transactions) that I want to run inside the portal, then I might use this mechanism to build the iViews once. I would rather start an iView that runs transaction SMEN and let the user see their regular Easy Access menu.
    Please note that the speed of executing transactions in the portal isn't a function of the portal, but of the fact that you are using ITS, for example, to web-enable the transaction...
    Re: point 4. Groups are a UME concept. They have nothing to do with ABAP groups. They can be created directly in UME through user administration functions, or they can be created in the LDAP and then they are visible in the portal. If the UME points to an ABAP system, then the ABAP roles are automatically visible as UME groups. Groups created in the UME need to have the members assigned through the user admin functions of the Java engine. Groups stored in LDAP are maintained using LDAP admin tools. There are upload utilities that allow you to maintain LDAP users and groups through text files. Google LDIF for more details.
    Roles on the portal need to be built in the Portal Content Directory. As Michael mentioned, this can be automated by the use of the role upload function built into the portal.

  • Role of abaper's in ALE/IDoc's

    Hello all
    I am new to ALE/IDocs. Can anybody tell me what the role of ABAPers is in ALE/IDocs?

    Hi,
    Message types (required for sending the data across participating systems) relate to the structure of the data, called an IDoc (Intermediate Document). Message types provide the format of the data, which can be exchanged between SAP and non-SAP systems. ALE supports over 200 message types in R/3.
    Also check the below links
    http://www.thespot4sap.com/Articles/SAP_ALE_Introduction.asp
    http://www.sap-img.com/basis/types-of-idocs-use-in-ale-configuration.htm
    Thank U,
    Jay....

  • What is the role of ABAP Engine in EP server

    Hi to All,
    Could any one of you let me know the role of the ABAP engine in the EP server? How can I make use of the ABAP Engine? I know how to work with the J2EE Engine, but generally what do we do in the ABAP Engine?
    It may look to you all like a silly question, but I am not clear on this function, so I need a detailed explanation of this.
    Regards,
    Sireesha.

    Hi,
    Before there was a WAS 6.20 (Web Application Server), SAP's R/3 applications were built on the so-called R/3 Basis System. One part of the R/3 Basis was the ABAP/4 Runtime. This was true until R/3 version 4.5.
    In parallel SAP started to develop a J2EE Application Server. They founded/bought a company in Bulgaria called InQMy. You might know that the portal version EP5.0 was based on the InQMy J2EE engine.
    Since R/3 4.7 the old R/3 Basis is called "Web Application Server" (WAS 6.20). In addition to the ABAP/4 Runtime, this WAS contains the former ITS (Internet Transaction Server) and the BSPs (Business Server Pages). The old ABAP/4 Runtime is now called "ABAP Stack".
    The old InQMy J2EE Server is now called "J2EE Engine" or "JAVA Stack".
    With Release 6.40 of the WAS it contains both the ABAP Stack and the JAVA Stack.
    Now to your question. A standard EP installation just contains the JAVA stack of the WAS. The ABAP stack normally is not installed, because it is not used by the EP. You could install the ABAP stack in addition. But for what purpose? Well, if you would like to develop a web application based on BSP.
    If you are already running an R/3 System, it contains an ABAP Stack but normally no JAVA stack.
    The Java Stack of the EP Server can call the ABAP Stack of an R/3 System via RFC (remote function call).
    More confused now?

  • IDM roles creation / updation and deletion via workflows

    Hi,
    We are on IDM 7.1. I wanted to know if there is any way to create / update / delete IDM roles using the workflow / rules on data-driven logic, rather than using the IDM admin page (Roles tab), creating them with LDAP group attributes assigned and making them pre-defined.
    I've read in most of the postings that most of the time they have been retrieved, but no other options have been done.
    Anyone having ideas???
    Regards
    Krishna

    Hi,
    check these FMs, I don't know if they will work for you or not.
    BAPI_USER_ACTGROUPS_ASSIGN     User: Change entire activity group assignment
    BAPI_USER_ACTGROUPS_DELETE     User: Delete entire activity group assignment
    BAPI_USER_CHANGE               Change User
    BAPI_USER_CLONE                Create User with Template in Another System
    BAPI_USER_CREATE
    BAPI_USER_CREATE1              Create a User
    BAPI_USER_DELETE               BAPI to Delete a User
    BAPI_USER_DISPLAY              Display Users
    BAPI_USER_EXISTENCE_CHECK      Check a user exists
    BAPI_USER_GETLIST              Search for Users
    BAPI_USER_GET_DETAIL           Read User Details
    BAPI_USER_INTERNET_CREATE      Create a user in the Internet
    BAPI_USER_LOCACTGROUPS_ASSIGN  Change Activity Group Assignment for Dependent Systems from Central Sy
    BAPI_USER_LOCACTGROUPS_DELETE  Delete Activity Group Assignments in the Dependent Systems
    BAPI_USER_LOCACTGROUPS_READ    Change Activity Group Assignment for Dependent Systems from Central Sy
    BAPI_USER_LOCK                 Lock User
    BAPI_USER_LOCPROFILES_ASSIGN   Change Profile Assignment for Dependent Systems from Central System
    BAPI_USER_LOCPROFILES_DELETE   Delete Profile Assignments for Dependent Systems
    BAPI_USER_LOCPROFILES_READ     Change Activity Group Assignment for Dependent Systems from Central Sy
    BAPI_USER_PROFILES_ASSIGN      User: Assign profiles
    BAPI_USER_PROFILES_DELETE      User: Delete All Profile Assignments
    BAPI_USER_UNLOCK               Unlock user
    Reward points if useful..
    Regards
    Nilesh
