"Refresh" of development Access Enforcer system

Our Access Enforcer system is now in production. Our development system is quite a mess, with old requests and configuration.  We would like to make the dev system look more like the production and test systems and get rid of all of the old requests, initiators, stages, etc. Does anyone know how to clean up AE so we can start over with a clean slate? We are on 5.2 with SP3, running on an AIX box with Netweaver only.

I am not sure on the reasons for system refresh. Look at the below points:
1. The RAR data c(Rules, Functions, Risks etc) an be downloaded and uploaded in the Development environment. Why you need the production user data in Development?
2. The SPM users are intended for production. Why you are planning to copy/simulate them in development?
3. The ERM and CUPs are workflows, where the systems and other settings have to be created manually. What is your intention in getting them to development?
As per my knowledge, no system refresh is performed for GRC systems? May be you need to educate the client on these things. Please look for the ideas from the other experts too before you go back to your client.
Hope this helps!!
Warm Regards,

Similar Messages

  • Full production refresh to development systems and Charm?

    Hi SDN Community,
      Where I work we have a policy of refreshing the development systems (ECC, CRM, APO, BI, SRM) on an annual basis with full production system data, HR data is subsequently wiped clean from the development system. 
    For each of our systems we have a development system, a QA system and a production system.
    The decision to do these full refreshes was taken to ensure that developers and configurers can do decent testing in the Dev environments - prior to transporting to our QA system - to ensure that we have a reasonably stable QA system. Prior to the refreshes - QA was considered too unstable by our business to be used as a good test platform - the full D refreshes solved this problem.
    We have recently installed SAP Charm (Change request management) which is a solution manager based product that manages the transportation of objects in change requests - attached to maintenance cycles.
    During our first development system refresh we discovered that all open Charm projects (maintenance cycles) were placed into an unuseable status due to the refresh. This means we had to rebuild all of the Charm projects after the refresh - which took a considerable amount of time + resources and delayed project work. We don't want to be in this situation again for our next refresh.
    SAPs response to us has been that they have no other customer that does full Development system refreshes - and also has Charm. I wonder if this is accurate, I think what SAP are saying is that they don't have many Charm customers... Is refreshing Development so uncommon?
    We are considering products like SAPs TDMS - and alternatives (eg gold client) - but most of these appear a little immature - for refreshing complex system landscapes - such as ours and keeping everything in synch after the refresh.
    My questions to SDN -
    What do you do - do you do full refreshes to your D systems?
    If not - what are the arguments against refreshing D systems (is this considered bad practice)?
    Are there any other Charm customers out there in a similar situation to us?
    How do you manage the stability of your QA environments and stop the transport into QA systems of untested changes - if your D systems are not similar to you production system
    (note we have some 300 active users in just our ECC development system)?
    Any suggestions / recommendations as to how to best proceed would be greatly appreciated.
    many thanks in advance,
    Julian Phillips
    Edited by: Julian Phillips on Nov 11, 2008 2:33 PM

    Thanks Naushad for your reply,
      I wonder if D refreshes are less common - more due to the additional hardware costs incurred (disk space needed to store full production data is usually pretty large) to do them - than due to avoiding disrupting development - probably a bit of both.
      I did not mention this - but in our refresh we do reimport all transports that we open prior to the refresh - which used to solve our problems - in terms of restoring active changes - but with SAPs Charm system - this approach does not work as the Charm projects are left in an inconsistent status.
    We are now leaning towards introducing a 4th set of systems into our landscape - so that we have the following platforms:
    Development --->  Pre QA  ---> QA  ---> Production
    This approach will allow us to keep both the Pre QA and QA systems refreshed every 6 months or so - and our new Dev system - we will refresh very infrequently (every 5 years perhaps) if at all. We will tie the Charm system to our new development - and this system will then not be impacted by refreshes. This approach means additional hardware cost - but as it happens we have a few spare boxes - so this maybe our best bet.
    The core reason for our refresh is so that we will be able to preserve the stability of our QA test platform - which for us is the critical factor here. If QA has poorly tested work in it - we run a higher risk of disrupting other testing and also of this poorly tested work reaching production.
    When we used to have a development system as you described and just the single QA box - we experienced frequent instability in our QA box - due to poorly tested working reaching it - and this delayed numerous projects.
    Does anyone else have a 4 box setup like this? Anyone else encountered this on an SAP project anywhere? Pros / Cons of this approach?
    Edited by: Julian Phillips on Nov 12, 2008 8:08 AM
    Edited by: Julian Phillips on Nov 12, 2008 8:18 AM

  • Is there an IDES system of "Access Enforcer" internally at SAP?

    Hi expert,
    Is there an IDES system of "Access Enforcer" in SAP so that we can access it internally from SAP network?

    Very well.
    <b>This information is only applicable within SAP's corporate network.</b>
    Access Controls 5.1 - compliant user provisioning (Virsa Access Enforcer for SAP)
    ERP Backend: Application Server: idphl932.phl.sap.corp, System Number: 50, system ID: G13, Client: 870
    Updated Demo Scripts are located here:

  • ESW: how to enable developer access to the ES workplace systems

    I received the access from ES workplace for ECC . But I dont have any authorization create any object , the role S_DEVELOP is not assigned to me ,
    How to get developer access for the ES Workplace systems ( unable to creat new object ) ?
    is it like that P users dont have developer access in all systems ?
    How to get assign my user ID with the required roles ?
    Experts Pls guide me on the same .
    Chinnaiya P
    Edited by: chinnaiya pandiyan on Nov 27, 2010 6:01 PM

    it requires a userid and password to get authorization for developping object.
    i already had these information but  i don't know where should i use it to get authorization.
    can anyone who already have passed through this problem can guide?

  • CUA still necessary/recommended with Access Enforcer?

    Hello forum members,
    we are planning to implement SAP GRC Access Control for one of our clients. There are 5 R/3 Systems in the landscape, one of them a HR System. Currently there is no CUA in place an all users and roles are maintained separately in each system. Now with the introduction of GRC Access Control there is the question, if we should at the same time also have a CUA introduced or if it is better to directly provision the Users and Roles from Access Enforcer to the target systems.
    What are the pros/cons to have a CUA in between? Does Access Enforcer also provide overview on all users in all system and the assigned roles?
    Thanks for your replies.

    This is a question that I'm asked all the time.  For some environments, using CUA with AE is really nice.  For other environments, it's just not feasible to have CUA as the security authorisation strategies are too inconsistent across systems.
    For example:
    a. There are three systems (ECC, BI, and SRM) implemented with a consistent top-down (job) approach to defining roles.  So, a AP clerk will receive the 'AP Clerk' role in ECC, 'AP Clerk' role in BI, and 'AP Clerk' role in SRM (for simplicity).   Obviously, the roles are different as they are for different systems, but the point is, it is easy to categorise the authorisations for a particular job across each of the systems.  If security is consistent like this, then CUA can be implemented and the three single roles for the three systems can be grouped together in a cross-system composite role called 'AP Clerk'.  When AE is implemented over the top of this, a user only has to request the 'AP Clerk'  role (composite).  AE performs the workflows, risk analysis etc and then finally passes the request to CUA, which then provisions out to the other two systems.  Very easy from a user point of view as they only have to request one role, which is their job.
    b.  If however due to inconsistency between the systems, it is not feasible to group access into cross-system composites, it may just be better to go with AE without CUA.  In this scenario, a user must request the applicable roles from each of the three systems.  It is more flexible, but a little more difficult for the end user.
    I normally spend quite a bit of time developing the Access Controls strategy during the blueprint phase of the implementation just to make sure that I'm coming up with the optimal design.  A bit of prototyping helps also!

  • Access Enforcer(error in approving the request) and import roles

    Dear all,
    error in approving the request at security stage(last)
    manager and role owner are successfully approved.
    and also importing roles into access enforcer was not successful.
    imortstatus : 0 roles imported of 28 records found.
    please find the system log:
    2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.messaging.MessageFormatter : parseDesc :   : INTO the method : desc :Please specify a file to import.paramNames :paramsMap :{FIELD_NAME=#_!FIELD_NAME#_!}
    2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
    2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
    2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
    2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
    2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
    2008-09-05 13:02:28,234 [Thread-47] DEBUG

    In Addition to my previous response:
    I meant to include the following:
    Some of the fields that need to be properly defined with attributes are:
           System: must have the know SAP system defined here
           Role Approver (i presently are using most of the roles without having need for approval; I created a user called NOAPPRV in AE)
           Functional Area: need to have all the areas defined that roles will be assigned to
           Company: I only have one company so that's an easy one
    Some areas I presently do not use but found they must ne coded and coded properly:
           ResponsibilityID:   N/A  (coded as is)
           CommentsMandatory: NO (coded as is)
           Parent Role Owner:   NO
           Business Process: NA  (I believe I originally coded N/A and it did not like that)
           Sub Process: NA  (again N/A I believe error on me)
           Reaffirm Period: presently I am using 0 (zero)
           LastReaffirm: presently using 12/31/9999
    Hope this helps a bit
    I wanted to include an attachment with a sample of my Role Import spreadsheet but I'm not sure exactly how to do that; if I figure that out or someone can provide me the process I will include it
    Jerry Synoga
    Ryerson Inc.

  • ICH : SXMB_ADM - F7 Check says "No access to system landscape at present"

    When I perform following :
    tcode sxmb_adm -> Integration Engine Configuraion -> Check (F7)
    I get "No access to system landscape at present"
    This on our ICH-server.
    Same check on the PI-server (X) is successful.
    The SLD used is the same for both servers. I.e same url-address in "corresponding integration server".
    Role of business system for ICH = Application system
    Role of business system for PI  = Integration server
    Anyone that knows how to correct this? Some refresh, cache update or similar that must be performed?

    please run transactin sldcheck on the abap to see where the problem is.
    Did you :
    - run and configure transaction sldapicust
    - the rfc connection pointing to the sld server
    Kind regards,

  • Access enforcer and User Data Source for HR

    We are on Access Enforcer 5.2 - service pack 2:
    My problem is that when creating a new request in AE, I able to get a list of all users when I point my User Data Source to either SAP or UME. However when I attempt to create a request whilst pointing the User Data Source at the SAPHR system, I do not get any users back (and we have user set up in the SAP HR system).
    I’ve changed the connector to ‘YES’ under the HR System box, I’ve changed the Data Source Type and Details Source Type to point at the SAPHR and still it fails to fetch any users.
    I've tried looking at the log, but can't get much out of it.
    I would appreciate it, if anyone could provide any assistance.
    Thanks you in advance.
    Message was edited by:
            amarjit singh

    Hi Micheal,
    Thanks for your reply.
    I'm pointing both Data Source Type and Details Source Type to the same system SAPHR and to the same system name (which is our dev system)

  • Connector problem with access enforcer

    Hi Guys,
    I am facing a really strange problem with my connectors.
    We have a test installation of GRC which was down for about 3 months.
    During this time we migrated our central SLD to another system so I needed to change the connection after getting the system up again.
    Anyhow I still can't modify, test or even create a new connector for access enforcer.
    The only error I get is "Action failed".
    I tried to analyze the logs but found no help there too.
    2007-06-18 20:41:56,833 [SAPEngine_Application_Thread[impl:3]_4] ERROR java.lang.NullPointerException
         at com.virsa.ae.dao.sqlj.SAPConnectorDAO.iterToDTO(SAPConnectorDAO.sqlj:75)
         at com.virsa.ae.dao.sqlj.SAPConnectorDAO.findByConnectorName(SAPConnectorDAO.sqlj:15)
         at com.virsa.ae.configuration.bo.ConnectorsBO.findSAPConnectorDetails(ConnectorsBO.java:76)
         at com.virsa.ae.configuration.actions.ManageConnectorsAction.testConnection(ManageConnectorsAction.java:163)
         at com.virsa.ae.configuration.actions.ManageConnectorsAction.execute(ManageConnectorsAction.java:66)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:229)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:412)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code))
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code))
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code))
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code))
         at java.security.AccessController.doPrivileged1(Native Method)
         at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code))
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code))
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code))
    Did anybody here face a problem like that?
    Kind regards,
    Message was edited by:
            Bastian Schneider
    Message was edited by:
            Bastian Schneider

    I had a simular problem with CC and I had to contact SAP. They gave me a script to run against the database that remove the connector. The problem seemed somewhat common for CC 5.1. Not sure if this applies to AE.

  • Auto Email generation in multiple language in Access Enforcer 5.2

    Hi All,
    We have configured workflow in Access Enforcer 5.2 for autoprovisioning of users in the system. Requestor gets an email in english with the userid and password once the user is provisioned in the system. Now the requirment is to send these emails in different language, which is specific to the user. Like a spanish user should receive the email in spanish language.
    Whether this has anything to do with language setting while user creation.
    Please suggest.
    Thanks & Regards,

    Hi Pravin,
        It has nothing to do with the language settings for the user. This configuration has to be done in closing section of Email reminders under workflow. As per my experience with AE 5.2/CUP 5.3, I don't think this is possible as of now. This could be a good functionality, so you can open an enhancement request with SAP.

  • Integrating with external access control system

    I am new at the network but have read a lot recently about the above subject as much as I could. However, I am a bit mixed up at something. I understand in order to update SAP HR module with employees time and attendance logs I need to interface with a certified PDC interface => (SAP ECC - PLANT DATA COLLECTION - TIME & ATTENDANCE AND EMPLOYEE EXPENDITURES (HR-PDC)
    I wish to develop a system that updates the the SAP HR with employee attendance logs. In addition I also wish enroll new employees into my access control system database by polling the SAP HR database.
    Now my question is if I use .NET connector:
    1. Does the connector it include functions that can help with the above requirements?
    2. Is the use of PDC interface here still a must?

    For time management with the help of transaction pt80 you can download the information about employees with the help of idoc. And there are some programs a.k.a connectors that link access control systems and SAP so that you do not hire the same employee in the access control problem. You hire the employee in SAP and SAP sends the information (HR Minimaster DATA) to the related program.
    It is also do the same thing for the employees who resign. I mean if an employee is fired or resigned from the company than it is sent to the related system.
    These can be found under PDC integrated systems. You can find information about the systems from Ecohub. http://ecohub.sap.com/
    I hope this answer will help.

  • FRM-92220: access to system clipboard is denied

    Within a customer's application Error FRM-92220 "access to system clipboard is denied" is returned when the customer switches between screens within the application.
    I have not been able to find a reference for this error nor am I experienced with Forms.
    Can anyone help and give a solution or point into the right direction to help the customer with this error?
    Thanks in advance.

    As found in the Internal Support Portal:
    Ideally, the error FRM-92220 will be thrown due to the the reason that there is a security check introduced by the JRE in one of their updates/upgrades sometime around JRE 1.5 was released. If the System clipboard is accessed by another OS application, then JRE cannot access the clipboard hence resulting in the error. If no OS application (like word or anyother tool ) then you wont have this error. Avoiding this error is not in the hands of Forms, its a question of whether JRE can access the clipboard at that particular moment
    In earlier versions like 9.0.4 and 10.1.2, this new security measure by Sun JRE has resulted in Java exceptions and abrupt termination of the JVM in the client machines resulting in Forms disconnection. Hence Forms development introduced the new applet parameter to capture and re-route the messages to the java console
    Setting it to false, will not show these errors and will sent to jre console.
    There is very little you can with respect to Forms coding. I would recommend you to set the following
    at the moment when the error comes, the forms process will capture and send it to console. Later, if the System clipboard is released by other processed which were holding it, then the clipboard can be accessed again, there is nothing that you need to do specifically.

  • No read access to system tables

    i try to migrate access db to oracle and when testing connection it gives me error message says "no read access to system tables modify access db before retrying"
    what to do?
    thanks in advance.

    Access tab
    For a connection to a Microsoft Access database, click Browse and find the database (.mdb) file. However, to be able to use the connection, you must first ensure that the system tables in the database file are readable by SQL Developer, as follows:
    Open the database (.mdb) file in Microsoft Access.
    Click Tools, then Options, and on the View tab ensure that System Objects are shown.
    Click Tools, then Security, and, if necessary, modify the user and group permissions as follows: select all tables whose names start with Msys, and give the Admin user at least Read Design and Read Data permission on these tables. Save changes and close the Access database file.
    Create and test the connection in SQL Developer.

  • Upload of role in Access Enforcer 5.2.

    Hi All,
    I need to upload roles in Access Enforcer from SAP ECC system. Actually i have uploaded the roles in Access Enforcer, but all unwanted roles have also got uploaded.
    Now i need some way, first to clean entire uploaded roles & then upload selected roles.
    Please suggest.
    Thanks & Regards,

    Hi Pravin,
       Here are the steps:
    1) Download all the roles into an excel spreadsheet:
    Go to configuration -> Roles- Search roles -> Click on 'Export' button. This CUP, go to 'Search Roles'. Click on 'Search' button without providing any search criteria. This will return all the roles available in CUP. Now, click on Export button. CUP will export all the roles into Excel spreadsheet in the format which CUP understands.
    2) Delete all the roles from CUP: Now, in the same screen as above, select all the roles and delete them.
    3) Delete not needed roles from spreadsheet and upload it into CUP:
    Now, delete all the unwanted roles from CUP and play with the spreadsheet to manipulate other parameters like role approvers, systems, business process etc and upload that spreadsheet into CUP.
    SAP GRC Manager (PwC)


    Hello Experts
    I am Atush Rohan, I have done my "SAP Certified Development Associate - ABAP with SAP NetWeaver 7.0" on 3rd April 2009.
    I want to appear for "SAP Certified Development Professional - ABAP System Interfaces with SAP NetWeaver 7.0". I have about 3 and half years or experience in SAP ABAP. And I plan to give this certificate exam in the coming 6 months.
    Could you please tell me how i apply for this exam, and whether SAP provides the certificate material for the exam "P_ABAP_SI_70". Waiting for a positive reply.
    Atush Rohan
    Edited by: Atush Rohan on Jul 30, 2009 1:21 PM

    actually you can find your sid on your certificate itself ... your sid will start with SXX .. ok now along with this you will receive an envelope in which there would be an letter where detalis regarding your sid and password for login access in sap market place will be stated... so you can login with that in server market place.... usually you get this along with the certificate and is being provided by the centres authority...   now if you have not received it so you need to contact your centre and tell them to give it to you... if they dont barged then you can ask them for the concern guy's email .... this guy is the one who receives all the documents relating with your certificate .. now this guy is someone from sap labs banglore ...  also if you have not received your id card so you can mail him or tell your centre authority in that case now usually the centre guys take the matters lightly ...
    ok and as far as your certification exams goes i did search the pearson website they really dont have that professional certification for the abap guys but they do have one for functionals and some other....
    ok now you need to approach yout nearest certification centre in that case and simply ask them that you need to appear for level 2 certification also you can contact the sap labs banglore in that case but i know that they are not responding .....
    so in that matter you tell your centre that you need to schedule the certification they will charge you the certification amount and then will  schedule the date..... yes they can do that.
    hope this will surely help you!!!
    thanks & regards,
    Punit Raval.

Maybe you are looking for

  • Logical and physical rowid datatypes

    hiii can i know how logical and physical row id be helpful to a developer. if i am not wrong than physical row id remain constant and logical is on IOT and can change but what is its use how can i use this concept and where can i apply it ??? thks

  • Modify PO approval notification

    All, I need to add some extra information to the PO approval notification. I have downloaded the PO Approval item but I am not sure which process/ message I should change. Can you please tell me how to find out what needs to be changed or where I sho

  • Need help with CF8 Javascript error dealing with cfdiv

    Ok, so I'm currently working with CF8 because that is what my employer has...I'm having a problem with this error in IE: Error pocessing Javascript markup in element xxxxx. I had the error on two pages, but I fixed the first page by adding bindonload

  • Campsites are not oriented properly on a michigan dnr campground map

    <blockquote>Locking duplicate thread.<br> Please continue here: [/questions/777707]</blockquote><br> When I access a michigan dnr campground map, the campsite numbers are displayed high and off the sites. Are my browser settings incorrect or do I nee

  • To retrieve taxation details

    hello everyone.       I have a scenario  where i have to retrieve and display BED  and VAT values from database.      Where i am finding the same fields and tables for the above two values!. Can anyone please explain the procedure to retrieve those v