Regarding the ACE roles

Dear Friends,
Can anybody explain ACE roles and how they control the system?
Points will be rewarded.
Thanks & Regards,
Ganesh

Take a look at the following blogs:
- /people/boris.dingenouts/blog/2006/09/18/the-concept-and-implementation-of-crm-ace
- /people/ravikiran.chittum/blog/2007/09/19/configuration-implementation-of-crm-access-control-engine-ace-part-1
- /people/ravikiran.chittum/blog/2007/10/01/configuration-implementation-of-crm-access-control-engine-ace-part-2
regards.

Similar Messages

  • A problem with ACL in the class-map on the ACE module

    Hi all,
    I configured the following on the ACE module:
    object-group network test
      host 192.168.1.21
      host 192.168.1.22
      host 192.168.1.23
    object-group service port
      tcp eq www
      tcp eq 8080
    access-list T line 8 extended permit object-group port object-group test any
    I tried to configure a class-map for matching this ACL:
    ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
    ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
    Error: Cannot associate acl having object-group ACEs in class-map.
    So can't I configure the class-map using an ACL with object-groups involved? Is it a bug or the normal behaviour? Because the customer uses object-groups in ACLs, he has to configure an ACL without object-groups for the traffic classification. It is horrible.
    Thank you
    Roman

    Hi Roman,
    I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
    Regards
    Daniel

  • How can I fetch all the PCD roles from EP!

    Hello,
    I need to fetch all the available pcd roles in EP. Right now I am trying to fetch pcd roles under Portal Content directory. I need a clarification whether this is the only place the pcd roles are available or is there any other location where rest of the pcd roles are available?
    Thanks in advance,
    Prashanth V Swamy

    Hi Prasanth,
    See the code below to retrieve all the pcd roles.
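    import java.util.ArrayList;
    import java.util.Hashtable;
    import java.util.List;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.naming.NamingEnumeration;
    import javax.naming.directory.DirContext;
    // The SAP portal classes used below (IPortalComponentRequest, IPcdContext, PcdSearchControls,
    // IPcdSearchResult, PcmConstants) must also be imported from the portal libraries.

    public List getPCDContents(IPortalComponentRequest request) throws Exception {
        try {
            // Run the lookup with the permissions of the requesting portal user.
            Hashtable env = new Hashtable();
            env.put(IPcdContext.SECURITY_PRINCIPAL, request.getUser());
            env.put(Context.INITIAL_CONTEXT_FACTORY, IPcdContext.PCD_INITIAL_CONTEXT_FACTORY);
            env.put(com.sap.portal.directory.Constants.REQUESTED_ASPECT, PcmConstants.ASPECT_SEMANTICS);

            InitialContext ctx = new InitialContext(env);
            DirContext dirCtx = (DirContext) ctx.lookup("pcd:portal_content/");

            // Search the whole subtree, returning names only (no bound objects).
            PcdSearchControls pcdSearchControls = new PcdSearchControls();
            pcdSearchControls.setReturningObjFlag(false);
            pcdSearchControls.setSearchScope(
                PcdSearchControls.SUBTREE_WITH_UNIT_ROOTS_SCOPE);
            dirCtx.addToEnvironment(
                com.sap.portal.directory.Constants.APPLY_ASPECT_TO_CONTEXTS,
                com.sap.portal.directory.Constants.APPLY_ASPECT_TO_CONTEXTS);

            // Match only PCD objects whose object class is a portal role.
            NamingEnumeration ne =
                dirCtx.search("", "(com.sap.portal.pcd.gl.ObjectClass=com.sapportals.portal.role)",
                    pcdSearchControls);

            // The list must be created before use; the original added to a null reference.
            List roleList = new ArrayList();
            while (ne.hasMoreElements()) {
                IPcdSearchResult searchResult =
                    (IPcdSearchResult) ne.nextElement();
                // Get the full pcd path of the role.
                String location = "pcd:portal_content/" + searchResult.getName();
                roleList.add(location);
            }
            return roleList;
        } catch (Exception e) {
            throw new Exception(e);
        }
    }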
    Hope it helps.
    Regards,
    Karthick

  • CUP Issue: Unable to see the expired roles

    Hi All,
    I am experiencing a problem which is explained below:
    A ticket was raised in CUP for deleting role(s) in backend system which are expired. When I accessed this ticket to do the needful, I am surprised to see that the Expired roles are not visible to me!
    However, I checked with another user and that user can successfully view those Expired roles for that user mentioned in the request.
    Can anybody give me a tip of how to analyze and solve this?
    NOTE: My user id in CUP is having all the authorizations of administrator.  I also have access to SU01 tcode in the backend system.
    Please help.
    Regards,
    Faisal

    Hi Diego,
    Thanks for your reply.
    I copied the user who can view the expired roles in CUP to a new user via UME and checked. Still the same problem. Basically these users are maintained in LDAP and when I copy the correct existing user to a new user, automatically it is getting created in UME. I am quite suspicious about this.
    As for the error in AE_UME, yes I have uploaded the latest copy of this after SP upgrade. I have not seen any error while uploading it. If it has any errors, then the user who can view expired roles should also have the same problem.
    Please suggest.
    Regards,
    Faisal

  • BAPI_PO_CREATE1 is not defaulting all the partner role in the PO

    Hi All,
    I am facing a problem with Purchase Uploads using BAPI_PO_CREATE1 in the LSMW via IDoc.
    The BAPI is not behaving the same as Txn ME21N.
    In Txn ME21N, when we enter the Vendor, the partner tab is automatically filled with all the Partner roles.
    Whereas when we use the BAPI, it is only filling the Partner role with a single partner role, VN.
    We are sending the structure partner role as blank because we wanted it to be defaulted as it is in Txn ME21N.
    During the program analysis we found the following:
    The BAPI is calling the Function Module MM_PARTNER_SELECT, which tries to fill the Partner function
    using the WYT3 table. The table WYT3 has the plant field as empty for that particular Vendor.
    The BAPI is using the plant to determine the partner roles.
    Whereas in Txn ME21N the plant field is not used for determining the partner role.
    In Txn ME21N, once we change the vendor entered initially and then re-enter the initial vendor number,
    it behaves like the BAPI and only displays the single partner role.
    Kindly advise.
    Regards,
    Anurag Goel

    Hi All ,
    FYI
    We found the solution for defaulting partner role using BAPI_PO_CREATE1. It is a customization issue.
    We have check the Higher level indicator (Search at higher level) in the customization Txn OLME under Partner Determination -> Partner setting in Purchasing document -> Define partner schemas.
    If this indicator is not set, the system only transfers partner roles that are maintained at plant level.
    Best regards,
    Anurag Goel .

  • 1)some setting missing in BI Integration to EP 2)publish the BI role to EP?

    Hi All,
    1) We are almost done with BI EP integration, getting an error in step: Maintain User Assignment in Portal.
    - what are settings in BI connection in EP? we are using SAP Logon Ticket method (not Uid Pass method), is there any user with user name and password required in this connection? if yes with which Authorization in EP & BI?
    we have defined system alias in EP, is that same alias any where need to maintain in BI?
    - when I run BI report from RSRT > Java web OR Query designer run to portal option, it's giving me some error and required to check log at portal, what authorization required for my BI developer user id in BI and EP to run the report on EP from RSRT Java Web or query designer or WAD? in BI I have FULL authorization (SAP_ALL, SAP_NEW, ..) Is there any authorization required to give in EP as well?
    2) How to Publish the BI role In EP:
    Question is our EP guy is looking new, and not sure what all authorization to give to me, and how adjuctely create iview on top of BI reports,
    so I have already developed one enduser role consists all required authorization to run the BI report/query/view,
    we can publish our report in existing role, we can also publish direct developed role to EP but from where to download upload this BI role to EP need to know? what all are the steps, authorization required for that? if anybody have already gone through this.
    Regards,
    Dushyant.

    Hi Dushyant,
    I am supposing you are doing the BI Java x BI ABAP integration, right?
    Let's go per parts... I will try to respond directly to some of your questions but first of all, I think you should have run the Template Installer (CTC) and after that checked the configuration with the supportdesk tool as per SAP Note 937697.
    What are settings in BI connection in EP?
    You have to maintain in the portal system landscape a system with alias "SAP_BW" which would be your BI Master System for that portal. The template installer creates this automatically.
    we are using SAP Logon Ticket method (not Uid Pass method), is there any user with user name and password required in this connection?
    You could use assertion ticket instead. The user mapping is automatic once you configure the system on both sides with the integration process. If you have problems after, we can look deeper.
    we have defined system alias in EP, is that same alias any where need to maintain in BI?
    Kind of... You need to maintain the default portal destination for the relevant portal through SM30 -> table RSPOR_T_PORTAL and it should have a destination in transaction SM59, too.
    when I run BI report from RSRT > Java web OR Query designer run to portal option, it's giving me some error and required to check log at portal, what authorization required for my BI developer user id in BI and EP to run the report on EP from RSRT Java Web or query designer or WAD? in BI I have FULL authorization (SAP_ALL, SAP_NEW, ..) Is there any authorization required to give in EP as well?
    RSRT uses the default destination in RSPOR_T_PORTAL. Try to use J2EE_ADMIN user for the first tests, at least. At first, no special authorizations are needed to run reports in BEx Web (which RSRT calls).
    2) How to Publish the BI role In EP: Question is our EP guy is looking new, and not sure what all authorization to give to me, and how adjuctely create iview on top of BI reports, so I have already developed one enduser role consists all required authorization to run the BI report/query/view, we can publish our report in existing role, we can also publish direct developed role to EP but from where to download upload this BI role to EP need to know?
    There is a tool called "Role Upload" in EP. You could search about. If you need some help, I can get from the EP guys here (I am from BW). Of course, the process must be done with an administrator id.
    I hope it helps.
    Kind Regards,
    Marcio

  • Getting the active role of an user in a trigger

    Hello forum!!
    I've been searching to find out if and how I can get the active role of an user when programming a trigger.
    Unfortunately I did not succeed in finding some information about this. Is it possible? If yes, how?
    Thanks for any hint regarding this topic.
    Sebastian

    Thanks for the answers. This helped a lot but it does not seem to work within my triggers.
    CREATE OR REPLACE TRIGGER InscriptionsInsert BEFORE INSERT OR UPDATE ON Inscriptions
      FOR EACH ROW
      DECLARE
        active_role VARCHAR2(11);
      BEGIN
        SELECT role INTO active_role FROM session_roles WHERE role != 'CONNECT';
        IF :new.ni < 1000 AND active_role = 'ind_service' THEN
          RAISE(ABORT, 'le service individuelle ne peut pas faire les inscriptions pour des sportifs');   
        END IF;
        IF :new.i >= 1000 AND active_role = 'eq_service' THEN
          RAISE(ABORT, 'le service equipe ne peut pas faire les inscriptions pour des equipes');   
        END IF;
      END;
    CREATE OR REPLACE TRIGGER ResultatsInsert BEFORE INSERT OR UPDATE ON Resultats
      FOR EACH ROW
      DECLARE
        forme VARCHAR2(12);
        active_role VARCHAR2(11);
      BEGIN
        SELECT forme INTO forme FROM Epreuves WHERE nEpreuve = :new.nEpreuve;
        SELECT role INTO active_role FROM session_roles WHERE role != 'CONNECT';
        IF forme = 'individuelle' AND active_role = 'eq_service'
          RAISE(ABORT, 'le service equipe ne peut pas enregistre des resultats pour des sportifs');
        END IF;
        IF forme = 'equipe' AND active_role = 'ind_service'
          RAISE(ABORT, 'le service individuelle ne peut pas enregistre des resultats pour des equipes');
        END IF;
      END; 

  • 'Approve' button not displaying in the Approve Role screen Inbox - AC 10

    Hello Gurus,
    I have a challenge and I'd be glad to have it fixed.
    I am configuring Role Management in GRC AC 10.0.
    I am in Approve Role phase.
    After clicking on Initiate Approval, it sends the request to the Role Owner's work inbox for approval.
    However, when the role owner logs in, only the "Other actions" button shows. The "Approve" button does not show.
    The "other actions" have options for "Hold" and "Request information"
    Please note the following in the MSMP settings.
    I am using the default settings in MSMP
    Process ID - SAP_GRAC_ROLE_APPR
    Maintain Path (Path ID - GRAC_DEFAULT_PATH ) & Stage Config ID - GRAC_DEFAULT_STAGE
    Maintain Route Mapping - GRAC_ROLEAPPR_INITIATOR
    Generate Version - Version generation was successful.
    I have also assigned the following roles to the ROLE OWNER
    SAP_GRAC_BASE
    SAP_GRAC_NWBC
    SAP_GRAC_ROLE_MGMT_DESIGNER
    SAP_GRAC_ROLE_MGMT_ROLE_OWNER
    SAP_GRAC_ROLE_MGMT_USER
    Please help me...what am I doing wrong?
    Thanks

    Hi Colleen,
    Thanks for reply. I have configured the workflow with default path and with one stage (role owner approval). When we create roles, request is being sent for role owner for approval.
    Role owner is able to see the request in workplace inbox. But not able to approve it. We are getting the same kind of error when we raise requests for user access also (you can see the error screen shot for access request and the same kind of error is occurring for role approval also).
    All requests are stuck up at role owner for approval. Quick response is much appreciated.
    Regards
    Sasi

  • Regarding Enterprise Portal Role issue

    Hi,
    The system administrator has assigned a role called "k-role" to a user. The K-role has some 3 pages inside it. When the user views the portal with his id, he can see the role called "K-role" and the pages. But when he clicks a page to access the documents within it, it says "ACCESS DENIED". There is no restriction kept at the document level. Restriction is only at the role level.
    What could the error be? How can I resolve this issue? How can the user access the document?
    Regards,
    Divya

    Hi Divya,
    the portal users assigned to super admin role (usually via group Administrators) do have full permissions on every document. You HAVE to add read permissions for group Everyone in order to make the documents accessible by every portal user.
    1.      Open the Details dialog box for the item (for example, for the folder).
    2.      Choose Settings → Permissions.
    3.      Enter one or more users, groups, or roles.
    4.      Choose Add.
    5.      Select one of the following permissions: Read, Write, Read/Write, Delete, Full Control
    Best regards,
    Martin

  • Is it possible to grant datasource resume actions to the Operator role?

    Hi gurus,
    I'm trying to grant the JDBC datasource suspend/resume action to the 'Operator' role. I understand this is an admin task and the 'Operator' role cannot do this. I've tried to edit weblogic.management.runtime -> JDBCDataSourceRuntime -> suspend/resume policy MBean via the JMX editor and added the Operator role in a new policy, but I haven't been successful.
    Is it possible to provide a user with a script (which can run as an Admin user), without providing the admin credentials to an operator user, so that he can resume a suspended data source?
    Thanks.

    Hello,
    theoretically you could remove the domain admins from the local administrator group. BUT this you should first test in a lab to see what happens after removal on the SCOM server.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Import roles to the ERM without using the "Mass Role Import"

    Hello,
    I want to know if there is another way to import roles to the ERM without using the "Mass Role Import".
    I'm using SAP GRC AC 5.3
    Best Regards.
    Pablo Mortera.

    Hi.
    There is NO other way to import roles..
    We need to use only ERM for "Mass Role Import".
    Regards
    Gangadhar

  • How to remove the worksets from the Top level navigation for the ESS role.

    Hi All,
    I am working on enabling and disabling certain services in the ESS worksets.
    we are using EP 7.0, ECC 6.0 (NW2004s).
    When I log in as a user with ESS role, I can view the changes in the overview pages. However, the worksets are still visible in the Top Level navigation of the portal. Can anyone please explain to me how to remove the workset from the Top level navigation?
    Thanks for your help
    Regards
    SM

    Hi,
    Go to the ESS role via Content Admin, then double click the workset (or page or iview) and in the drop down select navigation. Then click the Yes radio button of the "Invisible in Navigation" property.

  • Impact of having the fsmo role holders not available for 14 hours...

    Hi everyone, we have a situation where we will lose power to the building for 14 hours and since we don't have a generator we'll be shutting down our main site. We have 15 sites, each has a dc and the hq site has two with the fsmo roles distributed between the two at hq. So two questions to start with:
    1. What will be the impact of having the fsmo role holding domain controllers inaccessible for a period of 14 hours?
    2. What will we be facing once we regain power and turn the hq dc's back on?
    Look forward to hearing back about this - the power outage is this weekend though!!

    Hi,
    Sorry for the delayed reply.
    If your PDC Emulator fails, certain domain functions, security functions, can stop functioning. If anyone of the following is not happening then you should check if your PDC Emulator is working properly:
    •Time is not Syncing: PDC is the default source for the client computers to sync the time. If client computers are not syncing the time then you should always check the PDC.
    •User accounts are not locked out: PDC Emulator processes the account lockouts immediately for the entire domain.
    For more detailed information, please refer to:
    FSMO - if server holding PDC Emulator fail on 2003 / 2008, what happen?
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/1752b861-53d7-49f5-b066-2ca6a18070e7/fsmo-if-server-holding-pdc-emulator-fail-on-2003-2008-what-happen?forum=winserverDS
    Regards.
    Vivian Wang

  • So Can I determine the business partners linked to user based on the assigned role and org. structure?

    Hello, I am working on a SAP CRM 7 Sales implementation and we are implementing leads and opportunity scenarios. The current business organization model is that there are multiple vertical and horizontal departments. This is a typical matrix structure. This organization has done the segregation of its clients based on the verticals, so every client belongs to at least one or more Vertical departments but Horizontal departments can contact all the clients. In the same way, sales executives also belong to either one or more Vertical or Horizontal departments. A Horizontal sales executive can create leads for any clients available in the system but a Vertical sales executive can only create leads for the clients that belong to his vertical and are assigned to him. This can be achieved by creating organization structure and business partner relationship.
    Now the problem statement is that a few sales executives need to work for both some Verticals and Horizontals at the same time. But the requirement is that they should be able to do both roles with a single user id but multiple roles. So when a sales executive is creating leads for his vertical department, he should only be able to select clients assigned to his Vertical, but when he is creating a lead for a Horizontal department, he should be able to select any clients.
    So Can I determine the business partners linked to user based on the assigned role and org. structure?
    Please let me know if this is not clear. Also note we are only using CRM WebUI, no SAP ePortal.
    Thanks a lot for your help in advance.
    Regards
    Sudesh Sharma

    Thanks, Tahir
    my problem has been solved
    Kind Regards,
    Faisal

  • Table to find the assigned Roles with my User ID

    Hello Experts,
    1.Is there any specific table to find out the assigned roles to my User ID?
    If there is no table, let me know is there any transaction to find out the assigned roles to my User ID?
    2. When I assigned Marketing Pro role to my user id in Organization Unit, I am not able to see in webui screen.
    when I click on webui transaction, it is displaying some selection screen, there it is not displaying the role I have assigned?
    Could you help me to sort out these two queries?
    Thanks and Regards
    Madhu

    Hi Madhu,
    1.Is there any specific table to find out the assigned roles to my User ID?
    If there is no table, let me know is there any transaction to find out the assigned roles to my User ID?
    Sol'n: You have so many Class Methods for finding your requirement, else FMs also.
    Go to SE84, there you will find search for Class Methods. There you type getuserRole or userRole* and press F8. Pick the one which you feel may give you the result,
    i.e. you have to execute the class... if it is showing instance on the tool bar, click on that, then execute the method which you feel is relevant to you, and give input parameters.
    Sol'n for 1 point is: CL_CRM_UI_ROLE_ASSIGN->GET_BUSINESSROLES_FOR_USER.
    2. When I assigned Marketing Pro role to my user id in Organization Unit, I am not able to see in webui screen.
    Sol'n: Go and check in T-code BP. Display your BP and check for Employee Maintained -- Identification tab. Did you maintain your user ID over there or not?
    when I click on webui transaction, it is displaying some selection screen, there it is not displaying the role I have assigned?
    Sol'n: Need clarification on this point.
    Regards,
    Lokesh
    Edited by: Lokesh on Mar 8, 2010 7:37 AM
