Push single role to CUA

Similar Messages

• How to add/delete single role to/from CUA

  Hi All,
  I want to add/delete single role from CUA system. I found one FM to change roles i.e BAPI_USER_LOCACTGROUPS_ASSIGN , In function module documentation said that it will overwrites all existing roles with the roles in the table parameter.I dont want to do that. I need a FM to add/delete role to CUA system. Please help me with your suggestions.
  Thanks,
  Suman

  I am not aware of another BAPI based way to do it. You will need to get the details of the Roles AND manual profiles assigned, and then re-assign the new set in the call.
  Cheers,
  Julius

• Assign single role to composite role with alternate logsys assignments

  Dear gurus,
  In a moment of weakness I created a composite role (shame on me) and then noticed something about them which I had not noticed before... -> I was in a CUA master system and in the composite role I noticed that on the (single) roles tab of it, there was a field called "logical system". But it is greyed out.
  Now composite roles from the child logical systems are known to the CUA master system and have a logical system assigned by the text comparison. Assigning the composite in the master system will assign the composite in the child system and that assigns the local single roles in the child system as well -> so far so good and by the book.
  But is there some way to assign a composite role to a user in the master system which is assigned also to the master system, but the single roles of that composite have logical systems which differ from the logical system of the master system? So basically the field is not greyed out in the central composite roles and this composite role then represents an assignment beyond logical system boundaries - much like a "business role" in IDM.
  Has anyone ever done that before and survived? Any pros and cons? Is it at all possible what I am seeing here before my eyes (bar that the field is greyed out)?
  Cheers,
  Julius

  Hi Martin and others,
  I experimented a bit further with this, albeit rather unsuccessfully from the view of useful results.
  While the "target system" field is intended for navigation to the corresponding trusted RFC connection, it is also possible to turn the user menus off. So such a remote role is not going to go anywhere in navigation. If additionally the CUA is active and you create all the target system single roles in the CUA master system as well and assign them to the "target" they are intended for... then the single role menu is transferred to the child system which the role has as a target. But only the menu, and leaves the role in the target as status red. That also means it is only useful for component neutral roles.
  Now comes the hack: If you create a composite role in the master system with local single roles as well but the single roles are assigned to "targets destinations", then when assigning the user to the composite role in the master system, then it also assigns the single roles in the target systems to the user as well as the local system (the master as a child of itself). So it is in fact a halfway business role in the IDM sense, with some naming convention strings attached.
  You also dont see this in the code of SU01, as the USERCLONE Idoc processing seems to be the guilty one to also send aditional Idocs for these single roles with targets assigned to the roles and not the user.
  There is only one major show-stopper in the design of the thing: You can only assign 1 target RFC connection to a single role in the central CUA master system but have to maintain the roles in the target logical system still. That means that roles must be maintained logical system specifically. That also means that you have to maintain the roles directly in production and have a completely different set for development and never transport any roles. They are as unique as their CUA master system "target destination" value and that is the logical system name as well.
  That is a bit of a bummer because it means that you also cannot ever test anything...
  Did anyone ever try to actually use this?
  Cheers,
  Julius

• Composite menu regeneration from single roles

  Hello,
  When I have to maintain (add or remove tcodes) and transport a "single" role that is part of a composite role, the role menu for the composite is out of synch with the single role's transaction content.
  The manual fix for this is to go into the composite role via PFCG in the destination system and push the Read Menu button. This will read the latest menus of the single roles.
  I would like to know if there is a job that I can schedule that can synchonize the composite role to the single roles assigned to it, or basically a refresh of the composite menus.  Is there any function that can do a mass menu update for a selection of composite roles?
  The only other way I can think of doing this is writing an LSMW or CATT script to do this, but I would like to find a better way of doing this if available.
  Thanks,
  Ryan

  I don't think this is a feasible approach because 1 single role change can be linked to many composites (as designed) in our environment.  I would not want to change every composite and transport them together with the single role.  Also, it seems that composite transports take a lot of time to import, so I don't think our basis guys would be happy with us doing that. I have found that the menus can be re-imported in the production system w/o the need for transport, etc.  I just think that manually refreshing the menus is going to be a maintenance struggle, especially since we have around 200 designed composite roles in our production environment.
  Thanks,
  Ryan

• Add a single role to different composite roles in one step

  Hello everybody,
  I am working on SAP authorizations, and we often have the situation that a new Tcode is developed and a new role for this Tcode needs to be created.
  Than this new role needs to be added to many different composite roles (sometimes more than 100). At the moment I enter the single role to the composite role and regenerate the menu and this one by one. After that I add them with PFCG_MASS_TRANSPORT to my transport request.
  I don't want to believe that there is no easier way. Any ideas?
  Thank you
  Flo

  Hi Soma,
  great to find a place to be welcome..Thanks
  What you wrote definitely makes sense, but we agreed that every user only gets one composite role assigned and this composite role contains all single roles needed for his job. We do not assign single roles to users.
  The requirement is that every finance guy should get access to it (by the way, it is a report) unfortunately we have many different sites and may different composite roles for the different positions in the finance area.
  And I did not identify a role which is part of every composite role in the finance area, so I would either have to add it to the most common role present in these composite roles and additionally create a new role which gets assigned to the composite roles where I add the T-Code to is not present.
  -> In this example I would add one T-Code to two roles. Which our security manager disallowed me...
  or make this role available in all finance composite roles, which will give these employees access to other T-Codes which are part of the role but which they should not receive.
  -> Which again... our security manager disallowed me...
  So the only solution I imagined was to create a new role which contains this T-Code and to add this role one by one to every composite role.
  And at the end, your concept is also taken into account because the design of this role is open and if we get a new reporting T-Codes which again need to be added to all Finance guys, I definitely add it to this role
  Comments?
  Cheers
  Florian

• Create single-roles in satellite-system

  Hello everybody,
  I want to create Single-role´s in a satellite-system over RFC but the Fm´s in the Functiongroup PRGN are not remotable. Is there an alternative way to create these single-roles in a satellite-system? Up-/download and transport function isn't a alternative because my requirement is to create the single-roles an from excel-import. I considered that one way could be to copy the roles in the satellite.
  Regards,
  Christian

  You can create an RFC-able FM that is a wrapper for that FM.
  Neal

• Integrate GRC 10.1 with CUA and how to import roles from CUA & Child systems into GRC for provisioning

  Hello,
  I am trying to integrate CUA into our GRC 10.1 system through the below steps and so far I have completed the below steps following SAP Notes 1680108 and 1616121:
  1. Connected CUABOX to GRCBOX like a plug-in system.
  2. Updated CUA Global System and CUA Model Distribution in Maintain CUA settings under User Provisioning.
  3. Next I am trying to import the roles from CUA(CUABOX) into GRC(GRCBOX) to be able to provision roles in CUA Child Systems(ECCBOX).
  After reading few discussions in SCN, I have figured that we have to download a template in Role Import and populate it accordingly to upload the CUA child system roles into GRC system for provisioning in CUA Child Systems.
  Unfortunately, this template has multiple fields and I am unable to determine the fields that should be populated as CUA Global System and CUA Child System to import into GRC. Also, when we upload CUA Child System Roles template what selections should be made in Role Import window.
  Any help in this regard is very helpful.
  Thank you,
  Pawan

  Hi Alessandro,
  I have "Create user if does not exist" setting checked for both change action and assign role action and also have CUA enabled. Here is the list of steps that I am performing:
  1. Create an access request for new account, T-CUA_CHILD and select a role from a child system ECC Z_ECC_ROLE_IN_CHILD_SYSTEM.
  2. Approvals provided to assign the ECC role.
  3. I see the following in GRFNMW_DBGMONITOR_WD.
             Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage              GRAC_SECURITY
                 New User:T-CUA_CHILD created in System(s): ECC (created without role assignments)
                 T-CUA_CHILD User does not exist in target system CUA
  GRC created an account without role assignment in ECC but also throwed me an error that the user does not exist in CUA.
  However, if I select roles from both CUA and ECC it creates the account in both systems with the selected role assignments.
  So I am wondering if there is way to provide CUA access to users by default for new account requests types. I have tried setting up default roles for CUA but it does not assign the roles by default until I select the CUA system.
  Thank you for your help!
  Pawan

• GRC 10 ERM Not able to create Business/Single Role

  Hello Experts,
  In GRC 10, ERM, i have completed all the pre-requisites i.e. Maintaining Connectors, Configuration for Role Management, Maintained and generated the default MSMP workflow (methodology), maintaining role owners.
  Now when i am trying to create a business role or let's say a single role i am unable to to do so as the edit button is disabled.
  I just can't get through this.
  Have i missed anything, and for the record when i tried to Import the Role(Under Role mass maintenance) from backend system i was successfully able to do so and that way only i could get my first role in GRC via import.
  Now if i open this role and try to edit it, can;t do again, because edit button is disabled. But if i perform Role Update(Under Role Mass Maintenance) i can successfully change the attributes and other information and am able to see the new values.
  Why is it like this, i am not able to create Roles in GRC, just i am able to import and update from backend.
  This is really frustrating..what i am missing over here.
  Experts pl. Kindly help!

  Hi Triera,
  1) After opening BRM, Create button is not greyed out. Its available, and if i click on it, then i see all the possible type of Roles that i can create i.e. Business role, composite role, Group, PD Profile, Profile, Single Role, Template etc.
  2) When i try to edit a role by clicking on "Open" , and when the role opens, and then if I click on "Additional Details" (you said "More Details" , i believe you meant that only) link, then also the Edit button is not enabled. Its still greyed.
  What else could this issue be possibly about.
  Configuration- Check.
  Authorizations- Check.
  Workflow- Check.
  Should i raise it with SAP.
  Thanks.

• How to create automatically users&roles in CUA and in chlid systems?

  Hi,
  i have a CUA on a 2 chlid R/3 systems (test and training) and 2 portal systems (test and training).
  i need to create a web application to create automatically users test and users training in CUA and see them in the R/3 chlid systems and at the same time to create autmatically a roles in CUA and R/3 chlid systems for those users (we sppose that the role is already stored in a table).
  are there any standard BAPI or Funcion modules that can do this job?
  is the role created automatically in CUA can be seen automaticall in the portal child system?
  any help?
  Thanks&Best regards

  You can use one of the various ways Java EE provides you, e.g. container managed authentication.
  It's also all in the Java EE tutorial: [http://java.sun.com/javaee/5/docs/tutorial/doc/bncas.html].
  You can configure it in the application server as well: [http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html].
  Here is an example how to use it in JSF: [http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/].

• How to create automatically users&roles in CUA and child systems

  Hi,
  i have a CUA on a 2 chlid R/3 systems (test and training) and 2 portal systems (test and training).
  i need to create a web application to create automatically users test and users training in CUA and see them in the R/3 chlid systems and at the same time to create autmatically a roles in CUA and R/3 chlid systems for those users (we sppose that the role is already stored in a table).
  are there any standard BAPI or Funcion modules that can do this job?
  is the role created automatically in CUA can be seen automaticall in the portal child system?
  any help?
  Thanks&Best regards

  Thank you all. I got the solution.
  Regards
  Rajesh

• GRC 10 BRM - Approve Single Role assignment in Business Roles

  Hello,
  I want to set up a workflow where any Single Role assigned to a Business Role requires an approval of the Single Role Owner.
  The thing is that my customer doesn't have a Security Administrator, so what they want is that each Single Role Owner could be aware when their roles are assigned to a Business Role, especially when the Business Role Owner is another person.
  Once the Business Role is created, the provisioning would be in charge of Business Role Owners.
  Do you know any way to configure this?
  Thanks,
  Fernando

  Hi Claudio - thanks for breaking it down
  @ Fernando - for the Role Approval Methodology you need to split your approval out to be based on request type. Claudio has shown this up above already. In continuing his example, where the business role goes to path C - you would then have Path C do a line by line approval based on the single role owners
  By using this role approval methodology your single role approvers are indirectly allowing  any user who are approved the business role via an access request and that request is approved by business role owner (which is role owner).
  As mentioned - you are using two different workflow process ids
  Role Build - using BRM to approve the single roles being part of the business role
  Access Assignment - approving the user to receive the business role which includes the single roles
  Regards
  Colleen

• Insert multiple profiles in a single role

  Hi People,
  I am trying to insert more then 500 profiles in a new single role.
  The one solution I have is to insert manually each profile by going to EDIT - Insert Authorisations - From profiles option.
  Since I have more then 500 profiles  - can some one give me a easier way to complete this at ease.
  Thanks & regards,
  LAL

  >
  Amit Lal wrote:
  > Hi People,
  >
  > I am trying to insert more then 500 profiles in a new single role.
  > The one solution I have is to insert manually each profile by going to EDIT - Insert Authorisations - From profiles option.
  > Since I have more then 500 profiles  - can some one give me a easier way to complete this at ease.
  >
  >
  >
  > Thanks & regards,
  > LAL
  Hi Amit,
  Quick questions ....are these profiles manually created profiles having no corresponding roles ?
  If No : - Which means there are roles corresponding to each profile then ...Why don't you create a composite role with all these roles.
  If Yes :- Which means they are manually created profiles ...then use t-code SU02 to create a composite profile with all these 500 profiles of yours and then add this composite profile to your single role through the method you mentioned  
  EDIT - Insert Authorisations - From profiles option.
  Hope that helps and as Jurjen said...I am intrested too why do you want to insert these many profiles in a single role.
  Edited by: Nishant Sourabh on Feb 8, 2009 6:51 PM

• Description of single roles in Solution Manager

  Hi,
  I am creating the roles in SM 7.0 by reffering teh SAP Delivered role.
  For eg: SAP_SOL_PM_COMP.
  I can get the description of the composite role from servic but there are several single roles within this composite roles. Where can I find the description of the single roles.
  Please advise.

  Hi,
  Run transaction PFCG.
  Enter 'SAP_SOL_PM_COMP' in the field role and click display icon.
  In the new screen under 'Roles' tab you will find the list of the several single roles and description.
  Hope this helps.
  Kathir

• Role prefix for XI custom composite/single roles

  We have XI custom composite roles which start with TI_XI_* and contain single SAP roles (SAP_) and single custom roles (AAW:). Are we forced to use a certain XI role naming standard at the composite and single role levels due to Java authorizations?
  Thanks,
  Brad

  Just transport it rather than upload it.  The generated profiles will be carried through with their existing convention.
  If you need to have different profile names due to the naming constraints then LSMW or SECATT will let you do this easily.  If you are not familiar with the tools then 1. Take time to learn one of them (they are very useful) or 2. Do it manually.  60 profiles can be named in 30 minutes or less if you already have created the profile names in a spreadsheet, text file etc.

• How to assign a single role to all the 700 bi users

  Hi all,
  I have created a new roles, which needs to be assigned to all the users in the BI. I have teh list of users but i need to copy all of them manually and assign that users with this role!!
  Is there any way in which i can use any abap programs/ function module were in i can assign this single role too all the list of users in the bi system!!
  Thanks
  Pooja

  Hi Pooja,
  I guess you are lookign for  way to upload the list of 700 users into transaction Su10 instead of copying and pasting them manually (which will need many manual copy pastes since the number of users which can be pasted into SAP in one shot will be limted to 10-20).
  There is a way to upload all 700 into SU10 transaction in a few clicks. Please follow the below steps:
  1.Get the list of all 700 users in say excel or notepad. Copy all 700 users ids (copy entire column in excel using Cntrl+C)
  2. Login to system and go to SU10 tcode.
  3. Click on 'Authorization data" tab in SU10
  4. In next page you will see a tab called "User" --> select the arrow exactly to the right side for multiple selection.
  5. In new window; there is an icon for "Upload from clipboard"(second last icon in bottom of window). Click on it and you will have the list of 700 users uploaded into SAP. In next window click on "select all" and "transfer"
  Now go into change mode in SU10 and paste the role to be added under tab "roles".
  Get back if you face any issues.
  Soumya