Reg SAPJSF User role issue

Dear Experts,
I'm trying to disable password based log on for certain users in Portal and Portal uses the ABAP Stack as the repository (IT is a dual stack system).
But when i log in as j2ee_Admin user and try to do this in the "Identity Management" section, i get the following error message
"An error occurred in the persistence. The original message (possibly not translated) was: "Cannot update user UACC.R3_DATASOURCE.USER3 in ABAP backend system. Reason: The UME/ABAP adapter has recognized that the communication user is only assigned to the read-only role SAP_BC_JSF_COMMUNICATION_RO (or no role at all) in the backend system. Therefore UME was set to read-only mode for users from the backend system. See SAP Note 908911 for further information.". Contact your system administrator"
I have checked the SAPJSF Roles too and i see the following there under "Assigned groups"
Everyone
SAP_BC_JSF_COMMUNICATION_RO
SAP_BC_JSF_COMMUNICATION
Authenticated Users
Please let me know the way to overcome this problem.
Regards,
Karthik

Hello Karthik
According the SAP note 905188 - "Password change for ABAP users fails"
"If the communication user (default name: SAPJSF) has the 'read-only'
role (SAP_BC_JSF_COMMUNICATION_RO) in the ABAP system, users are no
longer able to change their own password.
This error is corrected with the following Support Packages:
o NetWeaver 2004: Support Package 16
o NetWeaver 2004s : Support Package 07
Until the corrections are available, the following workaround is
possible: Assign the additional role SAP_J2EE_GUEST to the communication
user in the ABAP system and restart the J2EE Engine.
This does not affect the authorizations of the communication user in the
ABAP system."
Please try to apply the note quoted above. I hope to help you!
Álvaro Ferreira Raminelli

Similar Messages

SAPJSF user role - does it have to be SAP delivered name ?

Hi Folks,
Security question - We are upgrading to EP 7.0 . The SAPJSF user ( in ABAP system) has the role SAP_BC_JSF_COMMUNICATION_RO.
Does the Portal need this exact named role ? If so ..can it be changed in the
Portal end ?
Our policy with roles is not to use the SAP delivered - so we copy and change
to our standard . Will the portal recognize a different role on the SAPJSF user.
This note got me thinking on this 908911
Thanks for input ! Dan

Ah, yes. It does read the role. It displays this role in the UME user interfaces as a group to which users are assigned. You can then assign portal roles to this "group."
See the picture in this document:
http://help.sap.com/saphelp_nw04s/helpdata/en/ed/18cc38e6df4741a264bddcd4f98ae2/frameset.htm
-Michael

Dynamic grant user role issue

Hi friends,
I created a role in oracle 10 and can be granted to user one by one. it works.
But I try to grant the role to all users and get error.
my code as (copy and modify from OTN)
====
DECLARE
l_schema VARCHAR2(30) := 'SCHEMA_OWNER';
BEGIN
FOR i IN (SELECT USERNAME
FROM all_users
WHERE username not in ('SYS','SYSTEM','OUTLN','DMSYS','TSMSYS','XDB','CTXSYS','WMSYS','DBSNMP','DIP','OLAP','OLAPSYS','MDSYS','EXFSYS','MDSYS'))
LOOP
BEGIN
EXECUTE IMMEDIATE 'GRANT USERS_SELECT ||' TO i.USERNAME;
EXCEPTION
WHEN OTHERS THEN
NULL;
END;
END LOOP;
END;
ORA-06550: line 10, column 41:
PLS-00103: Encountered the symbol "TO" when expecting one of the following:
* & = - + ; < / > at in is mod remainder not rem return
returning <an exponent (**)> <> or != or ~= >= <= <> and or
like LIKE2_ LIKE4_ LIKEC_ between into using || multiset bulk
member SUBMULTISET_
The symbol "* was inserted before "TO" to continue.
SQL>
I double check syntax is OK. what is wrong?
Thanks for help!
Jim

Try:
EXECUTE IMMEDIATE 'GRANT RAC_SELECT TO '|| i.USERNAME;And remove this part, which is for 99.99% a bug:
EXCEPTION
WHEN OTHERS THEN
NULL;
ENDOnly catch errors you expect...

Imp/exp user/role issue

using 10.1.0.3 linux
Have an export file from an existing DB (full export). Need to import it into an blank DB but I get errors regarding users and roles not existing. I thought that a full export has all of that info to create in the new DB. How can I get this imported?

Hi,
That should work OK - i can only think there was a problem with the tablespaces getting created, so then the users failed to create and had a knock on effect in the rest of the export.
Can you paste the fist 50 lines or so of the import logfile?
Cheers,
Harry

I can not find sap_bc _jsf_communication role for user sapjsf user

hi Masters,
when i am trying to create user in portal, it showing error message. " an error occured in persistence .Please contact system administrator"..
i found there are no roles assigned to sapjsf user. we need sap_bc_jsf_communication role for sapjsf user.. But there are no roles assigned to sapjsf user.
how can i assing the sap_bc_jsf_communicaiton role to sap jsf user. Pease give reply.
POrtal and r3 are installed in one system only on db2 database.
Edited by: sujana mullapudi on Dec 7, 2009 4:34 PM

hi ,
I have checked the sapjsf user roles in su01 t-code- r3 side. for sap jsf user the two roles sap_bc_jsf_communication and another role sap_bc_jsf_communication_role(something Like). these two roles already exist for sapjsf user in r3 system.
but in portal side the roles are not exist . can you tell me whats the reason, and please reply me.

Security Issues with the BP Internet user role creation--SU01

Hi All,
We are implementing the B2B Internet sales scenario using CRM 4.0. we
have contact persons who logs in and chose the distributor and then
start placing orders or look at product catalog .... Now contact person
is created as a BP in CRM and relation ship is maintained to sold to
(bp). During this process the contact person should be created under
the Internet user role which uses the SU01. so we will be able to
change password or change the roles of the users while creating BP
under the internet user role -- same as what we do in SU01.
This is now a security Issue because who ever can access the BP
(create/change) will be able to do the things we can do under
transaction SU01. But we still need to access the Internet user role in-order to assign the user id to the contact person . Is there any other
way of doing this.
Please advice ASAP.
Thanks
Vasu

Hi Ashwini,
you need to modify the logon routine and then in the user management (isauseradmin application) to do this. Then there are likely changes to the catalog identification, and very likely to most processes in the shop. I really wouldn't advise doing so. As accounts usually have contact persons: Why does your client insist in providing a login for the organization and not for a person?
To achieve something that looks almost like the desired solution you, e.g., could model a dummy contact person for each account that shall get a logon, that then does the job. The contact person could be named like the company and then you are back to plain standard.
Rgds
Thomas

Issue regarding SAPJSF user

Hi all,
I got stuck with the role assignment to my SAPJSF user.I'm having some doubt on that. By default SAP_BC_JSF_COMMUNICATION_RO will be assigned to SAPJSF user. I just want to change it to SAP_BC_JSF_COMMUNICATION. But I'm not able to find any predefined Profile for SAP_BC_JSF_COMMUNICATION. Do I need to create a profile for SAP_BC_JSF_COMMUNICATION. If so, please tell me the process to do that. Looking forward for some quick response.
Thanks in advance,
Ganpati Jha

Hi Deijkers,
I just want to give read-write access from the AS Java to the ABAP system to my user. Thats why I have selected SAP_BC_JSF_COMMUNICATION (read-write) role instead of SAP_BC_JSF_COMMUNICATION (read-only) role.
Thanks in advance,
Ganpati Jha

SAPJSF user cannot log-on to the User Management Engine.

We have a newly installed PI 7.0 system.
SLDCHECK is succussful but if we go to the http://hostname:50100/sld - we are redirected to http://hostname:50100/logon/logonServlet?redirectURL=%2Fwebdynpro%2Fdispatcher%2Fsap.com%2Ftc%7Esld%7Ewd%7Emain%2FMain
When we check the default.trc file, we see the error: User "SAPJSF" is the communication user for the connection between User Management Engine and the ABAP backend system SIDCLNTxyz. This user cannot log-on to the User Management Engine.
The SAPJSF user is not locked in SU01. This user is used by the JCO providers to connect to the gateway service.
We opened Visual Administrator and navigated to Server0 -> Services -> UM Provider
We changed the password property at ume.r3.connection.master.passwd
We then restarted the ABAP and J2EE engine. But we still see this error.
Any help to solve this issue is appreciate.
Jay Malla

Hi,
Please, refer the link below. It says you cannot logon with SAPJSF user to J2EE engine for security reasons.
http://help.sap.com/saphelp_nw2004s/helpdata/en/4e/225b42eeb66255e10000000a155106/frameset.htm
Thanks
R.Murali

How can I add a user Role member that is from a different domain

We are currently building out SCOM 2012 R2 to provide monitoring as a service to some of our customers. As of now we have the RMS on our own department's domain (Domain A) which we have full control of and we have a gateway server that is on the company
wide domain (Domain B) so that we can monitor other departments devices as the leverage this system.
Monitoring is working just fine on both domains and we are just working on fine tuning SCOM so that we can roll it out as a service we offer to our customers. One of the next steps we are working on before rolling it out is giving specific users access
to view only their own devices, dashboards, and groups. So I created a Read-Only profile and went to add a user to test it out, but that user is on Domain B and SCOM is unable to resolve this account. I'm seeing Event ID 26319 with Error Code 1332.
How can I get SCOM to discover devices on a different domain so that I can give them different permissions for accessing the Operations Console and/or Web Console? Is this possible?
Here is the Error I'm seeing.
Log Name: Operations Manager
Source: OpsMgr SDK Service
Date: 2/4/2015 1:11:59 PM
Event ID: 26319
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: xxxxx.xxxx.xxxxxxxx.xxx
Description:
An exception was thrown while processing UpsertUserRolesV2 for session ID uuid:f3b4015e-9583-4237-b7a6-406826434553;id=40.
Exception message: The creator of this fault did not specify a Reason.
Full Exception: System.ServiceModel.FaultException`1[Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException:
Unable to resolve the user [email protected] associated with the user role. Error code 1332. Check your active directory configuration.).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="OpsMgr SDK Service" />
<EventID Qualifiers="49152">26319</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2015-02-04T21:11:59.000000000Z" />
<EventRecordID>172748</EventRecordID>
<Channel>Operations Manager</Channel>
<Computer>xxxxx.xxxx.xxxxxxxx.xxx</Computer>
<Security />
</System>
<EventData>
<Data>UpsertUserRolesV2</Data>
<Data>uuid:f3b4015e-9583-4237-b7a6-406826434553;id=40</Data>
<Data>The creator of this fault did not specify a Reason.</Data>
<Data>System.ServiceModel.FaultException`1[Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException:
Unable to resolve the user [email protected] associated with the user role. Error code 1332. Check your active directory configuration.).</Data>
</EventData>
</Event>
Thanks for any help I can get in resolving this issue.
Jake

The SCOM Management Server is in Domain A. I've tried it already and it has failed.
So just to clarify the method I used was to go to Administration>Security>User Roles. Then New User Role>Read-Only Operator. In the Create User Role Wizard I then gave the User Role a name, Clicked "Add" under User Role Members.
Then the Select Users or Groups window pops up and I changed the Locations from Domain A to Domain B and searched for the user, which it's able to find, then clicked "OK" to add it to the User Role members which it does just fine. On
the next page which is Group Scope I checked the one group I want this account to have access to and then click next. This brings me to Dashboards and Views where I click the radio button for "Only the dashboards and views selected in each tab are
approved" and chose the folder of dashboards I want this account to access and then click next. This brings me to the Summary and I click "Create". At this point it thinks for a moment then closes out the wizard but the new Read-Only
Operator does not appear. I then look in Event Viewer and see the Event I pasted above.
Am I doing something wrong here? Any guidance on how to get around this issue would be much appreciated.
Thanks,
Jake

Error while creating SAPJSF user

Hi all,
I am receiving following error despite manually creating sapjsf user in client 800. This is the trace from dev_usercheck.
Aug 31, 2010 6:05:16 AM ...eck.main() Path: Entering method
Aug 31, 2010 6:05:16 AM ...eck.main() Debug: Version: $Id: //shared_tc/com.sap.security.core.server/NW04S_09_REL/src/_compat/java/_core/com/sap/security/tools/UserCheck.java#2 $ from $DateTime: 2006/09/06 17:59:30 $ ($Change: 19873 $)
Aug 31, 2010 6:05:16 AM ...arseArgs() Path: Entering method
Aug 31, 2010 6:05:16 AM ...arseArgs() Debug: Using the following set of connect properties: {jco.client.client=800, jco.client.passwd=********, jco.client.user=DDIC, jco.client.sysnr=04, jco.client.ashost=zarrar}
Aug 31, 2010 6:05:16 AM ...arseArgs() Path: Exiting method
Aug 31, 2010 6:05:16 AM ...eck.main() Info: User management tool (com.sap.security.tools.UserCheck) called for action "checkCreate"
Aug 31, 2010 6:05:16 AM ...xception() Error: Exception during execution of the operation
[EXCEPTION]
com.sap.mw.jco.JCO$Exception: (103) RFC_ERROR_LOGON_FAILURE: Password logon no longer possible - too many failed attempts
     at com.sap.mw.jco.MiddlewareJRfc.generateJCoException(MiddlewareJRfc.java:455)
     at com.sap.mw.jco.MiddlewareJRfc$Client.connect(MiddlewareJRfc.java:989)
     at com.sap.mw.jco.JCO$Client.connect(JCO.java:3193)
     at com.sap.security.tools.UserCheck.main(UserCheck.java:172)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:324)
     at com.sap.engine.offline.OfflineToolStart.main(OfflineToolStart.java:81)
Aug 31, 2010 6:05:16 AM ...xception() Debug: Created file with error text at location "UserCheck.message"
Aug 31, 2010 6:05:16 AM ...eck.main() Info: Leaving with return code 4
Aug 31, 2010 6:05:16 AM ...eck.main() Path: Exiting method with 4
Kindly suggest.
Regards.

Issue resolved.
It was user ddic that was locked, unlocking ddic in client 800 resolved the issue.
Regards.

User Library - User Roles RoboSource 3

When using RoboHelp Server 7 and RoboSource Control 3.1,
there is a short help topic that describes the User Library - User
Roles - and each permission (what it enables or disables). This is
pretty brief information. I'm having many different issues with
getting permissions set up for each of the authors on my technical
writing team at my company. Does anyone out there have any more
information (more details) on what each permission does and
enables? I don't think I should have to assign all rights,
especially admin and subadmin to all of my users just to get
everything working the way I want it to.

Finally got an answer from Adobe customer support. Having
gone back and forth for a while with a web case and getting no
where fast, I called and talked to the customer support
representative on the telephone. A couple of things helped clarify
my issue. First of all, the difference between X5 and RH7 source
control is that the default behavior when deleting using the client
is now to "hide" topics rather than delete them from the database
permanently. You can keep users from bringing those topics back by
not giving them the unhide right. The only way to actually delete a
topic from the database permanently now is to use the RoboSource
Control Explorer, which breaks the project. Of course, I just check
out the folder fpj file, modify it myself, and check it back in to
fix that issue. But who wants to do that all the time? And not all
of us understand XML and are able to do that. OK, so that is the
first issue. One has to understand that hiding is deleting now. But
on to the second issue. Why was the topic I was deleting only being
hidden from me and not all of the other users are our team? Turns
out I should not be giving Admin and Sub-Admin rights to myself as
an authoring user. Only the "Admin" user account should have these
rights, and only for administration, only use the Admin account.
After removing these rights, I was then able to delete topics and
the topics would then not show up for any of my team. I also found
another issue resolved by taking these rights from my authoring
user account. When I had the admin and sub-admin rights, I could
not re-import topics another time. I would get a message that said
the topic already existed in the project. After removing the
rights, I could then choose to overwrite the existing topic or not.
Thus, my other post in this RoboSource Control forum about wanting
more than a one-liner on user rights is even more important. I
submitted a feature request for better documentation of user
rights. Let's hope someone listens!

GoldenGate replication of creating users, roles

System Specs:
O/S : RHEL 5 (Tikanga)
RDBMS: 11.2.0.3 (Standalone, ASM, Archivelog)
GoldenGate v:11.1.1.0 (getting ready to upgrade to v11.1.1.2 (want to utilize the ADD SCHEMATRANDATA and updated sequence support)
I have read the documentation in GG that says that DDL support Oracle restricted schemas is not supported (including sys and system). From this document a create statement is considered DDL.
However, I have to think that when a user or role is created on the Source that you want that action replicated to the Targets? So you don't have to rerun the action on the number of targets you have. This is the benefit of replication, correct?
Without this ability replication is somewhat restrictive.
Please someone shed some light on how a user/role statement could be replicated?
Thanks!
Jason

Okay, so I reviewed the documentation and need some help in replicating DDL for 2 schemas.
Here is my Extract and Replicat modules
EXTRACT EXT1
USERID ggs_owner, PASSWORD ggs_owner
RMTHOST db2, MGRPORT 7809
RMTTRAIL /home/oracle/goldengate/dirdat/gg
---ddl---
DDL INCLUDE MAPPED
---dml---
table schema1.*;
table exclude schema1.*_sq;
REPLICAT REP1
ASSUMETARGETDEFS
USERID ggs_owner, PASSWORD ggs_owner
DDL INCLUDE MAPPED
DDLERROR DEFAULT IGNORE RETRYOP
REPERROR (1403, DISCARD)
MAP schema1.*, TARGET schema1.* ;
MAP schema2.*, TARGET schema2.*;
My issue is that ddl replication is only working for schema1. No ddl is being replicated with schema2. I know there must be a something small I am overlooking.
I was successful with
DDL INCLUDE ALL, EXCLUDE "schema3.*, EXCLUDE "schema4.*", EXCLUDE "schema5.*", etc...
However, I don't want to list out every schema that could potentially perform ddl. I would think the DDL INCLUDE MAPPED and then include those schemas that you want mapped.
Any ideas?

Modify Script to Create User Role on Single Database.

Hi All,
Below is the script to create user role on database. Here problem is when I execute this script, it creates user role for all database within an instance and I want it to create user role only on 2 database say TEST1 and TEST2
Can anyone help me to modify the script?
--===================================================================================
-- Description
-- Database Type: MSSQL
-- This script creates a role called 'gdmmonitor' for ALL databases.
-- It grants some system catalogs to this role to allow Classification and Assessment on the database.
-- It then adds a user called "sqlguard" to all databases and grants this user gdmmonitor role.
-- before runnign this script
-- you MUST CREATE A SQL LOGIN CALLED 'sqlguard'
-- This sqlguard login doesn't need to be added to any database or given
-- any privilege. The script will take care of that.
-- Note:
-- If you wish to use a different login name (instead of 'sqlguard') you need to change
-- the value of the variable '@Guardium_user' in the script below;
-- (Look for the string: "set @Guardium_user = 'sqlguard'" and replace the 'sqlguard')
-- after runnign this script
-- Nothing to do, the script already creates the db user
-- User/Password to use
-- User: sqlguard (or any other name, if changed)
-- Pass: user defined
-- Role: gdmmonitor
--===================================================================================
PRINT '>>>==================================================================>>>'
PRINT '>>> Creating role: "gdmmonitor" at the server level.'
PRINT '>>>==================================================================>>>'
-- Change to the master database
USE master
-- *** If a different login name is desired, define it here. ***
DECLARE @Guardium_user AS varchar(50)
set @Guardium_user = 'sqlguard'
DECLARE @dbName AS varchar(256)
DECLARE @memberName AS varchar(256)
DECLARE @dbVer AS nvarchar(128)
SET @dbVer = CAST(serverproperty('ProductVersion') AS nvarchar)
SET @dbVer = SUBSTRING(@dbVer, 1, CHARINDEX('.', @dbVer) - 1)
IF (@dbVer = '8') SET @dbVer = '2000'
ELSE IF (@dbVer = '9') SET @dbVer = '2005'
ELSE IF (@dbVer = '10') SET @dbVer = '2008'
ELSE IF (@dbVer = '11') SET @dbVer = '2012'
ELSE SET @dbVer = '''Unsupported Version'''
IF (@dbVer != '2000')
BEGIN
-- This privilege is required to peform a specific MSSQL test.
-- Test name: SQL OLEDB disabled (DisallowAdhocAccess registry key)
-- Procedure execute: EXEC master.dbo.sp_MSset_oledb_prop
-- Purpose: To display provider property, not changing anything.
PRINT '==> Granting MSSSQL 2005 and above setupadmin server role'
EXEC master..sp_addsrvrolemember @loginame = @Guardium_user, @rolename = N'setupadmin'
END
SELECT @dbName = DB_NAME()
PRINT '==> Starting MSSql ' + @dbVer + ' role creation on database: ' + @dbName
-- find any members of the role if they exist
CREATE TABLE #rolemember (membername VARCHAR(256) NOT NULL)
INSERT INTO #rolemember
SELECT DISTINCT usr.name FROM dbo.sysusers usr, .dbo.sysmembers mbr
WHERE usr.uid = mbr.memberuid
AND mbr.groupuid = (SELECT uid FROM .dbo.sysusers WHERE name = 'gdmmonitor')
-- Drop the Role Members If they exist
IF EXISTS (SELECT count(*) FROM #rolemember)
BEGIN
PRINT '==> Dropping the gdmmonitor role members on: ' + @dbName
DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
OPEN DropCursor
FETCH DropCursor INTO @memberName
WHILE @@Fetch_Status = 0
BEGIN
PRINT '==> Dropping member: ''' + @memberName + ''''
exec('EXEC sp_droprolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
FETCH DropCursor INTO @memberName
END
CLOSE DropCursor
DEALLOCATE DropCursor
END
-- drop the role if it exists
IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = 'gdmmonitor')
BEGIN
PRINT '==> Dropping the role gdmmonitor on: ' + @dbName
exec sp_droprole 'gdmmonitor'
END
-- Create the role
PRINT '==> Creating the role gdmmonitor on: ' + @dbName
exec sp_addrole 'gdmmonitor'
-- Grant select privileges to the role for MSSql Common
PRINT '==> Granting common SELECT privileges on: ' + @dbName
GRANT SELECT ON dbo.spt_values TO gdmmonitor
GRANT SELECT ON dbo.sysmembers TO gdmmonitor
GRANT SELECT ON dbo.sysobjects TO gdmmonitor
GRANT SELECT ON dbo.sysprotects TO gdmmonitor
GRANT SELECT ON dbo.sysusers TO gdmmonitor
GRANT SELECT ON dbo.sysconfigures TO gdmmonitor
GRANT SELECT ON dbo.sysdatabases TO gdmmonitor
GRANT SELECT ON dbo.sysfiles TO gdmmonitor
GRANT SELECT ON dbo.syslogins TO gdmmonitor
GRANT SELECT ON dbo.syspermissions TO gdmmonitor
-- Grant execute privileges to the role for MSSql Common
PRINT '==> Granting common EXECUTE privileges on: ' + @dbName
GRANT EXECUTE ON sp_helpdbfixedrole TO gdmmonitor
GRANT EXECUTE ON sp_helprotect TO gdmmonitor
GRANT EXECUTE ON sp_helprolemember TO gdmmonitor
GRANT EXECUTE ON sp_helpsrvrolemember TO gdmmonitor
GRANT EXECUTE ON sp_tables TO gdmmonitor
GRANT EXECUTE ON sp_validatelogins TO gdmmonitor
GRANT EXECUTE ON sp_server_info TO gdmmonitor
-- Check if the version is 2005 or greater
IF (@dbVer != '2000')
BEGIN
-- Grant select privileges to the role for MSSql 2005 and above
PRINT '==> Granting MSSql 2005 and above SELECT privileges on: ' + @dbName
GRANT SELECT ON sys.all_objects TO gdmmonitor
GRANT SELECT ON sys.database_permissions TO gdmmonitor
GRANT SELECT ON sys.database_principals TO gdmmonitor
GRANT SELECT ON sys.sql_logins TO gdmmonitor
GRANT SELECT ON sys.sysfiles TO gdmmonitor
GRANT SELECT ON sys.database_role_members TO gdmmonitor
GRANT SELECT ON sys.server_role_members TO gdmmonitor
GRANT SELECT ON sys.configurations TO gdmmonitor
GRANT SELECT ON sys.master_key_passwords TO gdmmonitor
GRANT SELECT ON sys.server_principals TO gdmmonitor
GRANT SELECT ON sys.server_permissions TO gdmmonitor
GRANT SELECT ON sys.credentials
TO gdmmonitor
--This is called by master.dbo.sp_MSset_oledb_prop.
--By defautl it should have already been granted to public.
GRANT EXECUTE ON sys.xp_instance_regread TO GDMMONITOR
GRANT EXECUTE ON sys.sp_MSset_oledb_prop TO GDMMONITOR
END
-- Re-add the dropped members
IF EXISTS (SELECT 1 FROM #rolemember)
BEGIN
PRINT '==> Re-adding the role members on: ' + @dbName
DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
OPEN DropCursor
FETCH DropCursor INTO @memberName
WHILE @@Fetch_Status = 0
BEGIN
PRINT '==> Re-adding member: ''' + @memberName + ''''
exec('EXEC sp_addrolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
FETCH DropCursor INTO @memberName
END
CLOSE DropCursor
DEALLOCATE DropCursor
END
-- END of role creation on database
PRINT '==> END of role creation on: ' + @dbName
PRINT ''
-- Change to the msdb database
USE msdb
set @memberName = ''
SELECT @dbName = DB_NAME()
PRINT '==> Starting MSSql ' + @dbVer + ' role creation on database: ' + @dbName
-- find any members of the role if it exists
TRUNCATE TABLE #rolemember
INSERT INTO #rolemember
SELECT DISTINCT usr.name FROM .dbo.sysusers usr, .dbo.sysmembers mbr
WHERE usr.uid = mbr.memberuid
AND groupuid = (SELECT uid FROM .dbo.sysusers WHERE name = 'gdmmonitor')
-- Drop the Role Members If they exist
IF EXISTS (SELECT count(*) FROM #rolemember)
BEGIN
PRINT '==> Dropping the gdmmonitor role members on: ' + @dbName
DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
OPEN DropCursor
FETCH DropCursor INTO @memberName
WHILE @@Fetch_Status = 0
BEGIN
PRINT '==> Dropping member: ''' + @memberName + ''''
exec('EXEC sp_droprolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
FETCH DropCursor INTO @memberName
END
CLOSE DropCursor
DEALLOCATE DropCursor
END
-- drop the role if it exists
IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = 'gdmmonitor')
BEGIN
PRINT '==> Dropping the gdmmonitor role on: ' + @dbName
exec sp_droprole 'gdmmonitor'
END
-- Create the role
PRINT '==> Creating the gdmmonitor role on: ' + @dbName
exec sp_addrole 'gdmmonitor'
-- Grant select privileges to the role for MSSql Common
PRINT '==> Granting common SELECT privileges on: ' + @dbName
GRANT SELECT ON dbo.sysobjects TO gdmmonitor
GRANT SELECT ON dbo.sysusers TO gdmmonitor
GRANT SELECT ON dbo.sysprotects TO gdmmonitor
GRANT SELECT ON dbo.sysmembers TO gdmmonitor
GRANT SELECT ON dbo.sysfiles TO gdmmonitor
GRANT SELECT ON dbo.syspermissions TO gdmmonitor
GRANT SELECT ON dbo.backupset TO gdmmonitor
-- Check if the version is 2005 or greater
IF (@dbVer != '2000')
BEGIN
-- Grant select privileges to the role for MSSql 2005 and above
PRINT '==> Granting MSSql 2005 and above SELECT privileges on: ' + @dbName
GRANT SELECT ON sys.all_objects TO gdmmonitor
GRANT SELECT ON sys.database_permissions TO gdmmonitor
GRANT SELECT ON sys.database_principals TO gdmmonitor
GRANT SELECT ON sys.sysfiles TO gdmmonitor
-- Grant execute privileges to the role for MSSql 2005 or above
PRINT '==> Granting MSSql 2005 and above EXECUTE privileges on: ' + @dbName
GRANT EXECUTE ON msdb.dbo.sp_enum_login_for_proxy TO gdmmonitor
GRANT SELECT ON sys.database_role_members TO gdmmonitor
END
IF (@dbVer > '2000' and @dbVer < '2012')
--This sp is not available in SQL 2012
BEGIN
GRANT EXECUTE ON sp_get_dtspackage TO gdmmonitor
END
-- Re-add the dropped members
IF EXISTS (SELECT count(*) FROM #rolemember)
BEGIN
PRINT '==> Re-adding the gdmmonitor role members on: ' + @dbName
DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
OPEN DropCursor
FETCH DropCursor INTO @memberName
WHILE @@Fetch_Status = 0
BEGIN
PRINT '==> Re-adding member: ''' + @memberName + ''''
exec('EXEC sp_addrolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
FETCH DropCursor INTO @memberName
END
CLOSE DropCursor
DEALLOCATE DropCursor
END
-- drop the temporary table
DROP TABLE #rolemember
-- END of role creation on database
PRINT '==> END of gdmmonitor role creation on: ' + @dbName
-- Role creation complete
PRINT '<<<==================================================================<<<'
PRINT '<<< END of creating role: "gdmmonitor" at the server level.'
PRINT '<<<==================================================================<<<'
PRINT ''
PRINT '>>>==================================================================>>>'
PRINT '>>> Starting application database role creation'
PRINT '>>>==================================================================>>>'
use master
DECLARE @databaseName AS varchar(80)
DECLARE @executeString AS varchar(7950)
DECLARE @dbcounter as int
set @dbcounter = 0
DECLARE DatabaseCursor CURSOR FOR SELECT name from sysdatabases where name not in ('master', 'msdb')
and not (status & 1024 > 1)
--read only
and not (status & 4096 > 1)
--single user
and not (status & 512 > 1)
--offline
and not (status & 32 > 1)
--loading
and not (status & 64 > 1)
--pre recovery
and not (status & 128 > 1)
--recovering
and not (status & 256 > 1)
--not recovered
and not (status & 32768 > 1)
--emergency mode
OPEN DatabaseCursor
FETCH DatabaseCursor INTO @databaseName
WHILE @@Fetch_Status = 0
BEGIN
set @dbcounter = @dbcounter + 1
set @databaseName = '"' + @databaseName + '"'
set @executeString = ''
set @executeString = 'use ' + @databaseName + ' ' +
'PRINT ''>>>==================================================================>>>'' ' +
'PRINT ''>>> Starting MSSql ' + @dbVer + ' role creation on database: ' + @databaseName + ''' ' +
'PRINT ''>>>==================================================================>>>'' ' +
'/* Variable @memberNameDBname must be declare within the string or else it will fail */ ' +
'DECLARE @memberName' + cast(@dbcounter as varchar(5)) + ' as varchar(50) ' +
'/*find any members of the role if it exists*/ ' +
'CREATE TABLE #rolemember (membername VARCHAR(256) NOT NULL) ' +
'INSERT INTO #rolemember ' +
'SELECT DISTINCT usr.name FROM dbo.sysusers usr, dbo.sysmembers mbr ' +
'WHERE usr.uid = mbr.memberuid ' +
'AND groupuid = (SELECT uid FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
'/*Drop the Role Members If they exist*/ ' +
'IF EXISTS (SELECT * FROM #rolemember) ' +
'BEGIN ' +
'PRINT ''==> Dropping the role members on: ' + @databaseName + ''' ' +
'DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember ' +
'OPEN DropCursor ' +
'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'WHILE @@Fetch_Status = 0 ' +
'BEGIN ' +
'PRINT ''==> Dropping member: '' + @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'exec(''EXEC sp_droprolemember ''''gdmmonitor'''', '''''' + @memberName' + cast(@dbcounter as varchar(5)) + ' + '''''';'') ' +
'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'END ' +
'CLOSE DropCursor ' +
'DEALLOCATE DropCursor ' +
'END ' +
'/*drop the role if it exists*/ ' +
'IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = ''gdmmonitor'') ' +
'BEGIN ' +
'PRINT ''==> Dropping the gdmmonitor role on: ' + @databaseName + ''' ' +
'exec sp_droprole ''gdmmonitor'' ' +
'END ' +
'/* Create the role */ ' +
'PRINT ''==> Creating the gdmmonitor role on: ' + @databaseName + ''' ' +
'exec sp_addrole ''gdmmonitor'' ' +
'/* Grant select privileges to the role for MSSql Common */ ' +
'PRINT ''==> Granting common SELECT privileges on: ' + @databaseName + ''' ' +
'GRANT SELECT ON dbo.sysmembers TO gdmmonitor ' +
'GRANT SELECT ON dbo.sysobjects TO gdmmonitor ' +
'GRANT SELECT ON dbo.sysprotects TO gdmmonitor ' +
'GRANT SELECT ON dbo.sysusers TO gdmmonitor ' +
'GRANT SELECT ON dbo.sysfiles TO gdmmonitor ' +
'GRANT SELECT ON dbo.syspermissions TO gdmmonitor ' +
'/* Check if the version is 2005 or greater */ ' +
'IF (' + @dbVer + ' != ''2000'') ' +
'BEGIN ' +
'/* Grant select privileges to the role for MSSql 2005 and above */ ' +
'PRINT ''==> Granting MSSql 2005 and above SELECT privileges on: ' + @databaseName + ''' ' +
'GRANT SELECT ON sys.database_permissions TO gdmmonitor ' +
'GRANT SELECT ON sys.all_objects TO gdmmonitor ' +
'GRANT SELECT ON sys.database_principals TO gdmmonitor ' +
'GRANT SELECT ON sys.sysfiles TO gdmmonitor ' +
'GRANT SELECT ON sys.database_role_members TO gdmmonitor ' +
'END ' +
'/* Re-add the dropped members */ ' +
'IF EXISTS (SELECT 1 FROM #rolemember) ' +
'BEGIN ' +
'PRINT ''==> Re-adding the gdmmonitor role members on: ' + @databaseName + ''' ' +
'DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember ' +
'OPEN DropCursor ' +
'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'WHILE @@Fetch_Status = 0 ' +
'BEGIN ' +
'PRINT ''==> Re-adding member: '' + @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'exec(''EXEC sp_addrolemember ''''gdmmonitor'''', '''''' + @memberName' + cast(@dbcounter as varchar(5)) + ' + '''''';'') ' +
'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'END ' +
'CLOSE DropCursor ' +
'DEALLOCATE DropCursor ' +
'END ' +
'/* drop the temporary table */ ' +
'DROP TABLE #rolemember ' +
'PRINT ''<<<==================================================================<<<'' ' +
'PRINT ''<<< END of role creation on: ' + @databaseName + ''' ' +
'PRINT ''<<<==================================================================<<<'' ' +
'PRINT '' ''' +
'PRINT '' '''
execute (@executeString)
FETCH DatabaseCursor INTO @databaseName
END
CLOSE DatabaseCursor
DEALLOCATE DatabaseCursor
-- Adding user to all the databases
-- and grant gdmmonitor role, only if login exists.
PRINT '>>>==================================================================>>>'
PRINT '>>> Add and Grant gdmmonitor role to: ''' + @Guardium_user + ''''
PRINT '>>> on all databases.'
PRINT '>>>==================================================================>>>'
USE master
/* Check if @Guardium_user is a login exist, if not do nothing.*/
IF NOT EXISTS (select * from syslogins where name = @Guardium_user)
BEGIN
PRINT ''
PRINT '************************************************************************'
PRINT '*** ERROR: Could not find the login: ''' + @Guardium_user + ''''
PRINT '*** Please add the login and re-run this script.'
PRINT '************************************************************************'
PRINT ''
END
ELSE
BEGIN
DECLARE @counter AS smallint
set @counter = 0
-- This loop runs 4 time just to make sure that the @Guardium_user gets added to all db.
-- 99% of the time, this is totally unnecessary. But in some rare case on SQL 2005
-- the loop skips some databases when it tried to add the @Guardium_user.
-- After two to three executions, the user is added in all the dbs.
-- Might be a SQL Server bug.
WHILE @counter <= 3
BEGIN
set @counter = @counter + 1
set @databaseName = ''
set @executeString = ''
DECLARE DatabaseCursor CURSOR FOR SELECT name from sysdatabases
where not (status & 1024 > 1)
--read only
and not (status & 4096 > 1)
--single user
and not (status & 512 > 1)
--offline
and not (status & 32 > 1)
--loading
and not (status & 64 > 1)
--pre recovery
and not (status & 128 > 1)
--recovering
and not (status & 256 > 1)
--not recovered
and not (status & 32768 > 1)
--emergency mode
OPEN DatabaseCursor
FETCH DatabaseCursor INTO @databaseName
WHILE @@Fetch_Status = 0
BEGIN
set @databaseName = '"' + @databaseName + '"'
set @executeString = ''
set @executeString = 'use ' + @databaseName + ' ' +
'/*Check if the login already has access to this database */ ' +
'IF EXISTS (select * from sysusers where name = ''' + @Guardium_user + ''' and islogin = 1) ' +
'BEGIN ' +
'/*Check if login already have gdmmonitor role*/ ' +
'IF NOT EXISTS (SELECT usr.name FROM dbo.sysusers usr, dbo.sysmembers mbr WHERE usr.uid = mbr.memberuid ' +
'AND mbr.groupuid = (SELECT uid FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
'AND usr.name = ''' + @Guardium_user + ''') ' +
'BEGIN ' +
'PRINT ''==> Granting gdmmonitor role to ' + @Guardium_user + ' on database ' + @databaseName + ''' ' +
'execute sp_addrolemember ''gdmmonitor''' + ', [' + @Guardium_user + '] ' +
'PRINT '' ''' +
'END ' +
'END ' +
'IF NOT EXISTS (select * from sysusers where name = ''' + @Guardium_user + ''' and islogin = 1) ' +
'BEGIN ' +
'PRINT ''==> Adding user [' + @Guardium_user + '] to database: ' + @databaseName + ''' ' +
'execute sp_adduser [' + @Guardium_user + '] ' +
'PRINT ''==> Granting gdmmonitor role to ' + @Guardium_user + ' on database ' + @databaseName + ''' ' +
'execute sp_addrolemember ''gdmmonitor''' + ', [' + @Guardium_user + '] ' +
'PRINT '' ''' +
'END '
execute (@executeString)
FETCH DatabaseCursor INTO @databaseName
END
CLOSE DatabaseCursor
DEALLOCATE DatabaseCursor
END -- end while
-- Required for Version 2005 or greater.
IF (@dbVer != '2000')
BEGIN
-- Grant system privileges to the @guardium_user. This is a requirement for >= SQL 2005
-- or else some system catalogs will filter our result from assessment test.
-- This will show up in sys.server_permissions view.
PRINT '==> Granting catalog privileges to: ''' + @Guardium_user + ''''
execute ('grant VIEW ANY DATABASE to [' + @Guardium_user + ']' )
execute ('grant VIEW ANY DEFINITION to [' + @Guardium_user + ']' )
END
PRINT '<<<==================================================================<<<'
PRINT '<<< Finished Adding and Granting gdmmonitor role to: ''' + @Guardium_user + ''''
PRINT '<<< on all databases.'
PRINT '<<<==================================================================<<<'
PRINT ''
END
GO

Thanks a lot Sir... it worked.
Can you also help me in troubleshooting below issue?
This script is working fine on all databases except one MS SQL 2005 database. build of this database is 9.00.3042.00
SA account with highest privileges is been used for script execution. errors received are as follow:
>>>==================================================================>>>
>>> Creating role: "gdmmonitor" at the server level.
>>>==================================================================>>>
==> Granting MSSSQL 2005 and above setupadmin server role
==> Starting MSSql 2005 role creation on database: master
(0 row(s) affected)
==> Dropping the gdmmonitor role members on: master
==> Creating the role gdmmonitor on: master
Msg 15002, Level 16, State 1, Procedure sp_addrole, Line 16
The procedure 'sys.sp_addrole' cannot be executed within a transaction.
==> Granting common SELECT privileges on: master
Msg 15151, Level 16, State 1, Line 117
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 118
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 119
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 120
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 121
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 122
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 123
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 124
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 125
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 126
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
==> Granting common EXECUTE privileges on: master
Msg 15151, Level 16, State 1, Line 130
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 131
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 132
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 133
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 134
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 135
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 136
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.

No violations at user/role level

Hi All,
We are using GRC 10.1 SP04
While running the risk analysis reports on user/role level, I don't see any violations. Post running the reports, I can only see that "No rules were selected" under Action field.
Recently we added a few more systems/landscapes so created a few more connector groups and added the corresponding connectors. Strage part is that, for a few D-systems I can see the violations as expected but for the respectice Q-clients I don't see any eventhough there are violations.
Please refer to the attached screen shots for clarity.
Kindly help me with the solutions.
Thanks,
Ameet
P.S: Rule-set is successfully generated and MIME repository is maintained with the appropriate extensions.

Hi Ameet,
How were you able to resolve the issue?
Even I am now stuck with similar issue after I replaced the connector because of change of SRM sys IDs. I followed all the necessary steps after setting up the new connector. Steps like rescheduling all of the background jobs for these new connector. I also regenerated Rules and ran SOD analysis program. But still the nos of Risks differs between past and current report.
Thanks,
Kishore

SAPJSF user is getting locked

Hi,
We are using SAP BI 7.0 system on AIX and DB2 combination. I am getting one problem for the past 1 month. our BI consultant is running queries from BI Portal. while running queries from BI Portal, they are getting one error saying that " java i-view runtime error, if this error persists please contact your system administrator". while they are getting this error, I have observed that user SAPJSF is locked due to incorrect logons from ABAP level. once I unlock the user and refresh the BI portal page we are getting in and able to continue with our work.
This problem is repeating for every 3 weeks or 15 days ( but not for the constant time period). for the time being we are unlocking the user and continuing with work. but I want to know why this user is getting locked. it is only happening in DEV system but not in the remaining systems.we have run the support desk tool in BI DEV system and we made sure that we are not encountering any configuration problems.
roles attached to this uder is:
SAP_BC_JSF_COMMUNICATION
SAP_BC_JSF_COMMUNICATION_RO
profiles:SAP_ALL
please help me in this to solve this problem permanantely.
Mohan K

Hi Mohan
SAPJSF user is used for communication between UME and ABAP user management.
Please check the following links:
http://help.sap.com/saphelp_nwce10/helpdata/en/45/af3ac012d32e78e10000000a155369/content.htm
and
http://help.sap.com/saphelp_nw70/helpdata/en/45/af3ac012d32e78e10000000a155369/content.htm
I hope this helps
Regards
Chen

Reg SAPJSF User role issue

Similar Messages

Maybe you are looking for