Provisioning roles in UME with CUP workflow

Hello,
to give our users permission to approve requests in CUP we assign them to LDAP groups. These LDAP groups have different UME roles.
Is there any possibility to request permissions for UME roles via a CUP-workflow in general?
We are using GRC 5.3 SP 8.1
Thanks
Manuel Kunkel

There are some pre-requisites - you need portal content on your AS Java, the "plain" AS Java install won't do.
Here's a detailed guide on how to set this up:
http://www.sdn.sap.com/irj/bpx/grc?rid=/library/uuid/502a14db-6261-2c10-22b5-95117ab0e5ed
Frank.

Similar Messages

  • Integration of IDM with CUP workflow

    can CUP and IDM be integrated with to have same workflow?
    Thanks,
    derek

    Hi Derek,
    Access Control supports following three integrations with IDM.
    - Using the IdM system as the leading provisioning system where requests are submitted to Access Control for SoD compliance and provisioning to one or more ERP systems.
    - Using Access Control as the leading provisioning system where requests are submitted to the IdM system for provisioning to one or more non-ERP systems.
    - Using Access Control as the leading provisioning system where requests are submitted to other supported systems via SPLM SOAP provisioning requests.
    For more details on how to configure, please refer to "Configuration Guide" of AC 5.3 at the following location.
    https://websmp103.sap-ag.de/~form/sapnet?_SHORTKEY=01100035870000718172&
    Click on Access Control --> SAP GRC Access Control 5.3
    Hope this helps.
    Best Regards,
    Sirish Gullapalli.

  • Need help with a CUP workflow scenario

    Dear Experts,
    I'm sure it is not just me encountered this required scenario (or something similar).  I would like some pointers how to transcript it to a CUP workflow:
    Application admin logs a provisioning request.
    Security creates a user account and provisioning the roles on QA.
    Application admin ensures that the user undergoes training on QA.
    Upon passing the training, security replicates the user account and role assignment on PRD.
    The esoteric solution would be one request, two paths, two provisions. Is it somehow possible?
    Client doesn't use CUA.
    The security requirements are higher on PRD, where SoD handling will be required.
    Kind Regards,
    Vit Vesely
    Edited by: Vit Vesely on Apr 29, 2010 3:29 PM

    Hi Vit,
    If you want to have two paths for a single request then the only possible solution will be to create role based initiators.
    Role Based Initiators can be created by following Configuration -> Workflow-> Initiator-> create.
    Here Select the attribute as roles.
    For example create two Initiators
    Initiator1 -> having Role1 attribute -> Path1
    Initiator2 -> having Role2 attribute -> Path2
    Now in the request if u select Role 1 & Role 2, then request will follow the parallel path ( path1 & path 2)
    Else it is not possible to have parallel workflow path for any other attribute.
    In Case you can have provisioning at end of the paths as well as end of the request.
    Kind Regards,
    Srinivasan

  • Automatic upload of roles from ECC to portal (UME with LDAP)

    Hi experts,
    This thread reopen the question asked on the following message : automatic upload of roles from BI to portal
    However, it concerns this time "UME with LDAP".
    Problematic :
    SAP Library 04s tells us that is not yet possible to automate role replication (or role assignment replication) from ABAP Based back-end to Netweaver Portal. Only manual process for initial upload is possible.
    Source = http://help.sap.com/saphelp_nw04s/helpdata/en/41/5e4d40ecf00272e10000000a155106/frameset.htm
    Questions :
    1 - Did anyone ever try to implement such an automatic tool ?
    2 - What if I'm not able to write on the Active Directory ? I am still able, at least, to automate role assignment replication from ABAP Based back-end to Netweaver Portal (ie. UME with LDAP) ? Directly from SAP R/3 to EP through UME, without passing through Active Directory since the group field is not maintained in AD.
    Many thanks for your inputs
    Alexis MARTIN

    Hello,
    As I did not read the previous thread I don't know what exactly you are trying to achieve, but I can tell you about what we have done - as far as it is not too late yet.
    We use the portal with integration to a BI system. In the ABAP stack we have lots of roles with menu items for hundreds of reports. We want the users to see these roles in the portal.
    First we have used the role migration tool of the portal to upload these roles. There is a Java API for executing role uploads from code. You need to create a webservice in the java stack to call this api, and can call the webservice from ABAP.
    However it is just a question of time and role size until this will not work at all. Standard role migration is more or less crap, stability is a problem. It also creates a lot of logs in the PCD and thus fills the database with trash. (After a few OSS messages there is now a program for deleting logs + you can turn off logging.) Also upload of larger roles takes up to an hour, and you always have the problem that your portal roles are not up to date during the day.
    When I got completely fed up, I have implemented an own navigation connector. When you log on to the portal it will connect to the ABAP stack via RFC, load the role, and generate the portal menu from it. It uses caching, but on every logon it checks whether the role has been updated in ABAP since the last time it was loaded. It is up to date, faster than PCD navigation, and you need absolutely no periodical synching at all. I can't even understand why this is not offered by SAP per standard!
    Drawback is that it will of course only work for the menu items, and only menu items with an "URL-type" are supported. I'm pretty sure however that it would be possible to implement a few other types as well.
    Let me know if you are interested in the solution, I can give you a few additional details: oliverDOTsvisztATwienerbergerDOTcom
    Oliver

  • Does the role Provision Manager must combine with Planner or Reviewer?

    When I login the Planning application with only the 'Provision Manager' role, the system will display the error message below:
    An error occurred while processing this page. Check the log for details.Please close the current tab and open application again
    Failed to sync with user provisioning. Check Planning log for details
    I tried to synchronize manually using the command UpdateUsers.cmd, it still showed like this:
    Loaded Version of Essbase RTC: 0xb1221
    Cannot login to application: XXXX
    However, if adding a Planner or Reviewer role, it will go well without any error.
    BTW: Where can we find the error code(like 0xb1221) annotation?
    Thanks
    Derek

    It won't work, you can't use Provisioning Manager Role alone to login to Planning Application. It's a Shared Services Role to provision users. To identify the actual use of the role have a look at:
    Provisioning Users and Groups with Planning Application Roles
    Cheers..!!
    Rahul S.

  • SPM integration with CUP 5.3

    All the issues regarding SPM integration with CUP is resolved, with the exception of one which is mentioned below:
    Any user can go and raise a request for the FF ID from CUP Super User Access workflow, and are created in the backend, but they do not get the access to FF ID when trying to Login.
    My query: is there any means to capture the user detail much in advance while the request is processed in the workflow and reject the request before it could be created and stored in backend.
    Ideally The user not having minimum privilege of "/VIRSA/Z_VFAT_FIREFIGHTER" should not Login with the FF ID, which is met here, but this is checked only after the user get the access to FF ID and try to LOG into FF ID using his Login detail.
    Please put some clarity on this.
    Thanks,
    Abhimanu Singh

    Hi Sabita,
    Thanks for the reply but this do not answer my question. Let me come in detail on this topic:
    SAP Backend:
    We have FF ID Owner, FF ID Controller, FF ID and Firefighters in the Backend.
    FF ID owner has the minimum role required for becoming the owner is /VIRSA/Z_VFAT_ID_OWNER.
    FF ID Controller created with the minimum role /VIRSA/Z_VFAT_ID_OWNER for the monitoring purpose of all the reports.
    FF ID is defined with the defined task in the role being assigned to it.
    Firefighter is created with the minimum role /VIRSA/Z_VFAT_FIREFIGHTER to get the access to FF ID for the limited period as defined by the FF ID Owner.
    For example:
    FF ID Owner: User ID is FFO
    FF ID Controller: User ID is FFC
    FF ID: User ID is FID
    Firefighter: User ID is FFS
    Now the Question is from
    SAP Frontend Java stack
    I can see that the users(other than FFS) who are not defined as firefighter in the backend can still go and put a request for the FF ID access and gets provisioned.
    When you go and check in the backend with the firefighter Owner ID/FF Administrator ID you can see the requested user listed there with the limited time period in the firefighter list.
    Now comes the real picture: when this user(other than FFS) tries to login using his user ID he will not get the FF ID Login link on the page which is ideally correct. This is because any user not defined as firefighter in the backend with the minimum role /VIRSA/Z_VFAT_FIREFIGHTER should not get the access to FF ID.
    My question comes here:
    Is there any option in the frontend which could inform the user (other than FFS) much in advance and stop him requesting for the FF ID which has no meaning since it is finally not going to get the access in the backend to the FF ID.
    Please get back to me if you require some more information.
    Thanks,
    Abhimanu Singh

  • Deleting roles from GRC AC CUP

    Hi
    We had GRC 5.3 installed with SP05. We have archived all our existing requests and are trying to delete some of the roles from CUP. However when trying to delete the role it is giving a message "Cannot delete because this is referenced by request". Is there something else which i need to take care of? Will application of latest support packs help in this situation?
    Appreciate your help regarding the same.
    Thank you.
    Anjan Pandey

    Hi Anjan,
    I feel some requests still exist in GRC CUP for that particular role. Please follow the below steps and try to delete the Role again.
    Go to CUP configuration tab > click on Request option under the workflow > choose deleting requests > next > then it asks to delete all requests and then choose Submit option.
    Once you click on submit button, you will get the message all existing requests are deleted with Job id.
    Finally go to the Roles and delete the required roles from the GRC CUP.
    Regards,
    Arjuna.

  • CUP Workflow issue

    Hi guys,
    First - this isn't my issue but an issue that my colleague is having. 
    Their workflows have been setup and they've been working for sometime now.  I wasn't involved in their setup.  However last week, their BASIS team did some change (details aren't available to me as yet) and now, their CUP workflows are having a specific issue.
    The path that I've examined is as follows:
    Start > Manager > Role Owner > Security > Finish
    The only custom approver is under Security.  The rest are as delivered in CUP.
    What used to happen would be that the manager would get an email with a link that, upon clicking, would go directly into the request.  Now, that link takes them to a login box.  My colleague said that the tool hasn't been reconfigured by him and that the only major change has been some BASIS changes.
    I'm not sure where to tell him to start looking, since everywhere I've looked seems to be ok.
    Thanks,
    Santosh

    Hi Alpesh,
    That's what I had also said, that perhaps the SSO config was broken.  However, my colleague insists that SSO wasn't enabled.  I have my doubts about this but I have no way to validate that it was working prior to this issue.
    I know that when I look at the stages, the email templates for Approved, Rejected, etc., don't have any URL in the template, only the message.  As far as I know, this is how it should be.  Do you agree?
    Thanks,
    Santosh

  • CUP 5.3 - Blank e-mail with CUP link

    Dear All,
    We are in CUP 5.3 SP 9.
    The approvers are receiving blank e-mails with CUP as View link without any message. Apart from this all other e-mails for submission, closing are appearing.
    a) Is there a way to avoid this separate blank e-mail with CUP link ?
    b) Also we had a stage where in after rejection of the request the request will get closed. Due to this the user is receiving both rejection e-mail and also closing e-mail. The closing notification is set as "User role provisioned and closed" which is giving a total different picture.
    Is there a way where we can avoid this closing e-mail notification whenever there is a rejection of the request.
    Thanks and Best Regards,
    Sri

    Sri,
    can you please let me know how you had the stage to close the request if its rejected.
    Thanks..
    Rao

  • How to send the 3rd email in the MSMSP CUP workflow?

    Hello GRC community,
    at first thank you all for your great support during the last months. Four month ago I started the implementation of AC in our department without any GRC experience. But now, four months later we are just about to implement the AC 10.0. Thank you all.
    Now we are working on the following issue, where we need your help. Let me explain what the issue is:
    After the finishing the last step in CUP workflow (WS76300056) the workflow sends out 2 emails: (method CL_GRFN_MSMP_WF_TEMPLATE_BASE --> UPDATE_PATH_FINISHED sends out these 2 emails)
    1.to the USER
    2.to the REQUESTER
    But due to our presystem which is a part of the Access request workflow we want to send out a 3rd email to a 3rd recipient. Getting the 3rd recipient is not the issue. The issue is: where do we have to implement the sending of the notification? Our own Investigation comes up to an enhancement point which seems to be the right place to add ABAP code which sends out the 3rd email.
    Has anybody similar issue or the experience with the following enhancement and could help us? Or maybe there is an alternative solution? Any hints are welcome.
    Package: GRFN_MSMP_WORKFLOW
    Enhancement: GRFN_MSMP_END_OF_PATH_NOTIF
    Thanks, and best regards
    Sabrina

    The send mail function will send mail to the users and or alias in the workflow step where you invoke it. The IDOC script guide will help you with implementing these kinds of things.
    http://download.oracle.com/docs/cd/E10316_01/cs/cs_doc_10/sdk/idoc_script_reference/wwhelp/wwhimpl/js/html/wwhelp.htm
    IDOC script by usage / Workflow
    wfNotify is the one you want to look at specifically.
    Workflow
    The following Idoc Script variables and functions are related to workflows.
    Configuration Variables
    isRepromptLogin
    IsSavedWfCompanionFile
    PrimaryWorkQueueTimeout
    WorkflowDir
    WorkflowIntervalHours
    Global Functions
    getValueForSpecifiedUser
    Workflow Functions
    wfAddActionHistoryEvent
    wfAddUser
    wfComputeStepUserList
    wfCurrentGet
    wfCurrentSet
    wfCurrentStep
    wfDisplayCondition
    wfExit
    wfGet
    wfGetStepTypeLabel
    wfIsFinishedDocConversion
    wfIsNotifyingUsers
    wfIsReleasable
    wfLoadDesign
    wfNotify
    wfReleaseDocument
    wfSet
    wfSetIsNotifyingUsers
    wfUpdateMetaData
    Other Variables
    AllowReview
    dWfName
    dWfStepName
    entryCount
    IsEditRev
    IsWorkflow
    lastEntryTs
    SingleGroup
    wfAction
    wfAdditionalExitCondition
    wfJumpEntryNotifyOff
    wfJumpMessage
    wfJumpName
    wfJumpReturnStep
    wfJumpTargetStep
    wfMailSubject
    wfMessage
    wfParentList
    WfStart

  • Error while provisioning roles (SetABAPRole&ProfileForUser)

    Hi Experts
    While provisioning roles in IDM 7.2, I see this error in the Job logs:
    Failed running function in string "$FUNCTION.sap_abap_getNameOfAssignedPendingPrivileges(mskey!!repname!!role!!true)$$". Marking entry as failed. Exception was: undefined: "sap_abap_convertToABAPValidFromDate" is not defined.
    I am getting this error only if I provision the existing SAP users. Assigning any role to a new user works fine. Went through both the above mentioned scripts, but don't see any Problem there.
    What am I missing here?
    Best regards
    Annapurna

    Hi Annapurna,
    I was just going through the setup in our landscape and noticed that we have only one script for Assign User Membership to ABAP which is "sap_abap_getNameOfAssignedPendingPrivileges"
    As mentioned by Jai earlier, we have the same script as Jai.
    Can you try by using the below script for "sap_abap_getNameOfAssignedPendingPrivileges" and delete the other two and try to execute?
    Not sure, if this could work, but maybe can give a try.
    Script below:
    ===============================================
    // Main function: sap_abap_getNameOfAssignedPendingPrivileges
    /**
     * Returns a list of all privileges with properties {validfrom, validto} of the
     * passed user for the passed repository and the passed privilege type.
     * It contains all already assigned privileges plus/minus the delta of the
     * current pending added and/or removed privileges.
     * Note: Needed by connectors that always send the complete list of privileges
     *       to the backend, e.g. ABAP, BusinessSuite, JAVA
     * @param {Par} Format:
     * MSKEY of user!!repository name!!privilege type<!!includeValidityProperty>
     *              e.g. 172645!!BQQ001!!PROFILE!!TRUE
     * @return {String} List of Privilege (backend) names in format:
     * if includeValidityProperty is defined as true, then
     * {VALIDFROM=<date>!!VALIDTO=<date>}<priv>|{VALIDFROM=<date>!!VALIDTO=<date>}<priv>|{VALIDFROM=<date>!!VALIDTO=<date>}<priv>
     * else
     * <priv>|<priv>|<priv>
     */
    function sap_abap_getNameOfAssignedPendingPrivileges(Par) {
      importClass(java.lang.StringBuffer);
      // enable this flag (tracingEnabled) only for debugging purposes as this will impact the performance
      var tracingEnabled = false;
      uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: is called with " + Par);
      var parameters = Par.split("!!");
      var mskey = parameters[0];
      var repositoryName = parameters[1];
      var privilegeType = parameters[2];
      var addValidityProperty = false;
      if (parameters.length > 3 && parameters[3] != null && parameters[3].toLowerCase() == "true") {
        addValidityProperty = true;
      }
      uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: mskey: " + mskey);
      uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: repositoryName: " + repositoryName);
      uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: privilegeType: " + privilegeType);
      uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: addValidityProperty: " + addValidityProperty);
      var nolock = "";
      if ("%$ddm.databasetype%" == 1) { //MS-SQL
        nolock = "WITH (NOLOCK)";
      }
      if (tracingEnabled) {
        sap_debug_logUserAssignments(mskey);
      }
      /*
       * - get only assignments (mcLinkType = 2)
       * - get all assignments of current entry X (mcLinkState = 0, mcExecState = 1 & mcDisabled = 0)
       * - and with assignments in state "pending add" (mcLinkState = 1 & mcExecState = 512 or 513,
       *   mcDisabled can be 1 e.g. if the user gets reactivated)
       * - assignments with mcExecState 2 (Rejected) and 4 (Failed) are not included. If a failed
       *   assignment gets retried, the state changes immediately to pending.
       * - for specified repository Y
       * - and privilege type Z
       * - add member task must have been running for the privilege (mcAddAudit IS NOT NULL)
       *   -> no future assignments
       *   -> no assignments for which an approval will be done but approval task is not yet running
       * - no privileges for which an approval is needed/running
       *   mcValidateAddAudit < mcAddAudit <- approval is already done
       *   or mcValidateAddAudit IS NULL <- if no approval is necessary
       * - no duplicate privilege names (-> SELECT DISTINCT) in case of contexts
       */
      // Note: mskey, repositoryName and privilegeType are concatenated into the SQL text as-is,
      // so Par must only carry values set in the job configuration, never free-form input.
      var sql = "SELECT DISTINCT privilegename.mcMSKEYVALUE, assignment.mcValidFrom, assignment.mcValidTo \
        FROM idmv_value_basic_all repositorynames " + nolock + " \
        INNER JOIN idmv_value_basic_all privilegetype " + nolock + " ON privilegetype.mskey = repositorynames.mskey \
        INNER JOIN idmv_entry_simple privilegename " + nolock + " ON privilegename.mcMSKEY = repositorynames.mskey \
        INNER JOIN mxi_link assignment " + nolock + " ON assignment.mcOtherMskey = repositorynames.mskey \
        WHERE assignment.mcThisMskey = " + mskey + " \
        AND assignment.mcLinkType = 2 \
        AND (\
          (assignment.mcLinkState = 0 AND assignment.mcExecState = 1 AND assignment.mcDisabled = 0) \
          OR (\
            assignment.mcLinkState = 1 AND assignment.mcExecState  IN (512,513) \
            AND ( \
              (assignment.mcAddAudit > assignment.mcValidateAddAudit) \
              OR \
              (assignment.mcAddAudit IS NOT NULL AND assignment.mcValidateAddAudit IS NULL) \
            ) \
          ) \
        ) \
        AND repositorynames.attrname = 'MX_REPOSITORYNAME' AND repositorynames.SearchValue = '" + repositoryName + "' \
        AND privilegetype.attrname = 'MX_PRIVILEGE_TYPE'  AND privilegetype.SearchValue = '" + privilegeType + "'";
      // the rows of the result are separated by "!!" and the columns of a row by "|"
      var result = uSelect(sql);
      uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: SQL Query:\n" + sql);
      uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: Result: " + result);
      var allPrivsStringBuf = new StringBuffer();
      var firstElement = true;
      if (result != null && result != "") {
        var resultArray = result.split("!!");
        for (var i = 0; i < resultArray.length; i++) {
          var columns = resultArray[i];
          var columnArray = columns.split("|");
          //privMskeyValue is like PRIV:<type>:<repository>:<privilegeName>
          var privMskeyValue = columnArray[0];
          var repTemp = privMskeyValue.split(":");
          var repstring = repTemp[0] + ":" + repTemp[1] + ":" + repTemp[2] + ":";
          var privName = uReplaceString(privMskeyValue, repstring, "");
          if (!firstElement) {
            allPrivsStringBuf.append("|");
          }
          if (addValidityProperty) {
            var validfrom = columnArray[1];
            var validto = columnArray[2];
            allPrivsStringBuf.append("{VALIDFROM=");
            allPrivsStringBuf.append(validfrom);
            allPrivsStringBuf.append("!!VALIDTO=");
            allPrivsStringBuf.append(validto);
            allPrivsStringBuf.append("}");
          }
          allPrivsStringBuf.append(privName);
          firstElement = false;
        }
      }
      var allPrivs = String(allPrivsStringBuf); // must be casted explicitly to String
      uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: Calculated privileges for " + Par + " are: " + allPrivs);
      return allPrivs;
    }

    /**
     * Prints out all assignments the user has (also all assignments in pending remove state etc.)
     */
    function sap_debug_logUserAssignments(mskey) {
      var columns = "mcUniqueId, mcThisMSKEY, mcOtherMSKEY, mcAttrName, mcThisOcName, mcOtherOcName, mcThisMSKEYVALUE, mcOtherMSKEYVALUE, mcLinkState, mcAssignedDirect, mcAssignedInheritCount, mcExecState, mcExecStateHierarchy, mcChangeNumber, mcGroupGuid, mcLastAudit, mcAddedTime, mcModifyTime, mcValidateAddAudit, mcAddAudit, mcContextMSKEY, mcContextCategory, mcContextStr1, mcContextStr2, mcOrphan, mcSoDViolation, mcNotAllowedFor, mcUnsupportedContextType, mcMissingConditionalContext, mcDisabled, mcRequestID";
      var debugSql = "SELECT " + columns + " FROM idmv_link_ext WHERE mcThisMskey = " + mskey + " ORDER BY mcUniqueId";
      var debugResult = uSelect(debugSql);
      //format output
      debugResult = uReplaceString(debugResult, "!!", "\n");
      debugResult = uReplaceString(debugResult, "\|", "\t");
      columns = uReplaceString(columns, ", ", "\t");
      uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: Debug SQL Query:\n" + debugSql);
      uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: Debug Result:\n" + columns + "\n" + debugResult);
    }
    Thanks & Regards,
    V!
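
A defensive check for the `Par` format used by the script above, as an added example (not SAP's code and not part of the original post): it validates the `!!`-separated fields before they could be concatenated into SQL, and rebuilds the `{VALIDFROM=...!!VALIDTO=...}<priv>` list from a constructed `uSelect`-style result. The function names, the allow-list patterns and the sample rows are assumptions, and the block runs in Node.js rather than in the IdM script runtime.

```javascript
// Added example; parseProvisioningPar and formatAssignedPrivileges are hypothetical names.

// Allow-lists (assumptions): tighten them to the naming rules of your landscape.
const MSKEY_RE = /^[0-9]{1,18}$/;
const REPOSITORY_RE = /^[A-Za-z0-9_]{1,40}$/;
const PRIVILEGE_TYPES = new Set(["ROLE", "PROFILE"]);

// Splits "MSKEY!!repository!!privilegeType[!!includeValidityProperty]" and rejects
// any field that could change the meaning of the SQL it is later spliced into.
function parseProvisioningPar(par) {
  if (typeof par !== "string") {
    throw new TypeError("Par must be a string");
  }
  const parts = par.split("!!");
  if (parts.length < 3 || parts.length > 4) {
    throw new Error("Par must have 3 or 4 '!!'-separated fields");
  }
  const [mskey, repositoryName, privilegeType, flag] = parts;
  if (!MSKEY_RE.test(mskey)) {
    throw new Error("mskey must be numeric");
  }
  if (!REPOSITORY_RE.test(repositoryName)) {
    throw new Error("repository name contains unexpected characters");
  }
  if (!PRIVILEGE_TYPES.has(privilegeType.toUpperCase())) {
    throw new Error("unknown privilege type");
  }
  return {
    mskey,
    repositoryName,
    privilegeType,
    addValidityProperty: (flag || "").toLowerCase() === "true",
  };
}

// Rebuilds the privilege list from a result whose rows are separated by "!!" and
// whose columns are separated by "|", the layout the posted script splits on.
function formatAssignedPrivileges(result, addValidityProperty) {
  if (result == null || result === "") {
    return "";
  }
  return result
    .split("!!")
    .map((row) => {
      const [privMskeyValue, validFrom = "", validTo = ""] = row.split("|");
      // Key layout: PRIV:<type>:<repository>:<privilegeName>
      const segments = privMskeyValue.split(":");
      if (segments.length < 4 || segments[0] !== "PRIV") {
        throw new Error("unexpected privilege key: " + privMskeyValue);
      }
      // The privilege name itself may contain ":"; keep everything after the prefix.
      const privName = segments.slice(3).join(":");
      return addValidityProperty
        ? `{VALIDFROM=${validFrom}!!VALIDTO=${validTo}}${privName}`
        : privName;
    })
    .join("|");
}

// Constructed sample rows (not taken from a real system).
const SAMPLE_RESULT =
  "PRIV:ROLE:BQQ001:Z_SALES_DISPLAY|2024-01-01|2024-12-31!!" +
  "PRIV:ROLE:BQQ001:Z:NESTED:NAME|2024-03-01|9999-12-31";

const parsed = parseProvisioningPar("172645!!BQQ001!!PROFILE!!TRUE");
console.log(parsed);
console.log(formatAssignedPrivileges(SAMPLE_RESULT, parsed.addValidityProperty));
```
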

  • CUP 5.3 (SP9) Role search in a CUP request

    Dear Experts,
    I have a problem. I cannot select roles by company selection in a CUP request. I believe I am not associating companies to roles correctly...I don't know what went wrong and what additional procedures that I have to follow to fix this problem.
    I need this selection feature since we are going to give a set of roles to users (or let them select) according to the company that they belong to.
    Here is what I did basically:
    1. Under Configuration>Role Attributes>Custom Field in ERM, I set up a custom field "COMPANY" and put some values (COMP1, COMP2, etc).
    2. Under Configuration>Roles>Attributes in CUP, I also set up companies that are exactly the same as those in ERM.
    2. Then, I created a role (ROLE1) in ERM and gave a company attribute (COMP1) to that role. Now, ROLE1 should be associated to COMP1, theoretically, right?
    3. However, when I create a new user in a CUP request and then search for a role (ROLE1) by selecting company attribute (COMP1), the role (ROLE1) does not show up. This is my problem.
    PS: I have no problem getting a role by functional area, business process, or other predefined attributes in CUP.
    Please save me if you can.
    HM

    Hi Frank,
    1. The company ID is identical in ERM and CUP, and properly assigned to roles?
    =Yes (double checked).
    2. You have imported the roles from ERM to CUP?
    =Yes (CUP>Roles>Import Roles/Groups, and the role source is ERM).
    3. Do the roles show up with the correct company assigned in CUP Role Search?
    =No (please see below comments).
    When I search roles in ERM (Role Management>Role>Search), I can see the company ID under the tab "Custom Attributes".
    When I search roles in CUP (Config>Roles>Search Roles), I don't see the company ID anywhere including the tab "Company" and "Custom Attributes".
    Does this give you any clue?
    Thanks,
    HM

  • OIM 11.1.1.5 provisioning role based objectclasses and attributes

    TL;DR You can't provision some attributes in our LDAP directory without the objectclass and I can't figure out the best way to inject the dynamic objectclasses into the create user process without the user being created already.
    Some background:
    I have configured our oim 11.1.1.5 instance and LDAP connector to provision ODSEE.  At another's recommendation, I put all possible LDAP attributes in a single form regardless of which objectclass was needed for them.  In ODSEE, sets of attributes are allowed through objectclasses for each 'Role'.  ie. Student, Employee, Guest, etc objectclasses.  I have all of the roles identified in OIM and can map them to an objectclass in LDAP
    My question is, how can I provision role based objectclasses along with the common ones that are configured in the lookup so that when the associated attributes are provisioned, I don't get objectclass violations? 
    Can I append objectclasses to the list stored in the Configuration lookup in ldapUserObjectClass?
    Should I create a child form containing the objectclasses and try to provision them?
    Can/should I create a child form for each set of attributes by role?  Common attribs in the LDAP_USR form and role based attribs in UD_LDAP_STU, UD_LDAP_EMP, UD_LDAP_GST, etc.  Would prepop and the rest of the main form functions work the same?
    Anything else I'm not thinking of? I am still a novice with some of these topics and may be way off base.
    Any help will be greatly appreciated and thank you in advance

    It is definitely doable if you use a custom LDAP connection implementation and just add objectclass update calls as needed as precursor tasks for the Update tasks.
    Here is a small LDAP demo tool that you can adapt to do the update: http://iamreflections.blogspot.com/2010/08/manage-ad-with-jndi-demo-tool.html
    There may be a smarter and more out of the box way to do it but this will work.
    Martin

  • Role of a ABAPer in workflow

    I am very new to workflow concept.
    Please can anyone explain me ABAPer role in creating or customizing workflow.
    My doubt is ..whether ABAPer will create jobs, positions, task or Basis people?
    At what stages there will be interaction with the functional people and what are the things to be collected before starting workflow?
    Thanks in advance.

    Hi,
    1] Workflow is Simulation of Business processes automated through SAP.
    Maybe you can take a process for applying for leave.
    In this Leave scenario we can automate it stepwise,
    1) Employee apply for leave with dates
    2) mail shoot to Manager
    3) He can accept or reject, maybe he can approve with modified dates.
    2] As you can see Applying for leave is 1st step so it can be a triggering event for workflow. Means Workflow starts with event.
    chk these excellent links.
    http://help.sap.com/saphelp_erp2005/helpdata/en/fb/135962457311d189440000e829fbbd/frameset.htm
    http://help.sap.com/saphelp_erp2005/helpdata/en/c5/e4a930453d11d189430000e829fbbd/frameset.htm
    Workflow
    http://www.sap-img.com/workflow/sap-workflow.htm
    http://help.sap.com/saphelp_47x200/helpdata/en/a5/172437130e0d09e10000009b38f839/frameset.htm
    http://www.erpgenie.com/workflow/index.htm
    http://www.sap-basis-abap.com/wf/sap-business-workflow.htm
    http://www.insightcp.com/res_23.htm
    For examples on WorkFlow...check the below link..
    http://help.sap.com/saphelp_47x200/helpdata/en/3d/6a9b3c874da309e10000000a114027/frameset.htm
    http://help.sap.com/printdocu/core/Print46c/en/data/pdf/PSWFL/PSWFL.pdf
    http://help.sap.com/saphelp_47x200/helpdata/en/4a/dac507002f11d295340000e82dec10/frameset.htm
    http://www.workflowing.com/id18.htm
    http://www.e-workflow.org/
    http://web.mit.edu/sapr3/dev/newdevstand.html
    /people/mike.pokraka/blog/2005/07/17/sap-business-workflow-faq
    Reward points
    Regards

  • Can I replace CUA with CUP. If not why or what will be the risks

    Hi,
    The client does not want to have two provisioning systems CUP & CUA. The sole purpose they are using CUA is the proper accounting for SAP licenses such that the user ID remains the same across the landscape. No other purpose of using CUA. In this case can I replace CUA with CUP 5.3 SP12.
    Thanks & Regards,
    Sanjeev

    There are limitations to doing that.
    CUA has a technology focus and does not take access risk into consideration at all. The long-term successor of this would be Netweaver Identity Management. If you want to consistently manage user master data and license information, that's probably the solution to look at.
    You can perfectly use CUP on top of that to manage authorizations. You can also force CUP to only allow user IDs from a central system like CUA or ActiveDirectory in order to enforce user ID consistency.
    What CUP will not do is give you an overview of where a user is maintained with which kind of information/license data. That is something that either CUA (for ABAP only) or Netweaver Identity Management will give you.
    Frank.
