Remote Role Assignments - Different User Base

Hi Federation gurus,
I am working on a federated portal network and my consumer's UME is connected to the corporate LDAP (i.e. AD). All the producers (BI, SRM and ECC) have their UMEs connected to the ABAP system (i.e. CUA). The user ids are identical on both the consumer and the producer portals.
I can see all the producer content in the Consumer Portal by navigating to Content Administration --> Producer Name. However, I can not see the remote roles within identity management. Obviously, it seems that there are issues related to permissions.
Has anyone done this type of configuration before and if yes, could you please let me know what was the resolution of this issue.
Thanks in advance,
Vibhu

Hi Bibhu,
Have u registered the producer in consumer portal .
maintaing users in LDAP have no problm in both portals .
Check the registration password is correct what u have given in producer and the same in consumer .
Thanks.

Similar Messages

Assigning different authorizations inside a role to different users

Hello,
Could someone please guide me to how can we assign different authorizations (authorizations field values) for an authorization object inside a role to different users; i.e. in the role maintenance transaction (pfcg) after we create a new role and add an authorization object to it, if this authorization object has several authorizations (authorization field values), and if I need to add two users to that role, how can I assign to one user an authorization different from that assigned to the other user ?
Thank you in advance.
Best regards.
Reda Khalifa
IT Department - Almansour Automotive Group - Egypt

Hi Reda,
That documentation complicates the subject slightly as it is talking about principles that are at a lower level than the usual role level.
We have 1 authorisation object - S_TRVL_BKS
Authorisations have been created for this object, called S_TRVL_CUS1 and S_TRVL_CUS2
In this context, an authorisation is an instance of an authorisation object that has been populated with data.
Before the profile generator you used to create authorisations (auth objects populated with data) and assign them to profiles which are then assigned to users.
In this example 2 profiles would be needed
Profile1: S_TRVL_CUS1 and S_TRVL_CUS2
Profile2: S_TRVL_CUS2
Miller would be assigned profile1, Meyers would be assigned profile2
The profile generator allows us to easily build authorisations and profiles and packages them up in a role. This way, we can assign transactions and authorisation objects into a role, populate the authorisations (which is what we do in the authorisations tab in the role) and automatically create the profile.
The example in the documentation is still valid because it requires 2 seperate authorisations (and therefore profiles and roles) to be assigned to different people. Unfortunately this is not explained very well in the documentation.
I hope that makes sense, roles are static and the permissions that they give do not vary dynamically. In BW we can use variables to do something similar and to some extent structural authorisations in HR work dynamically however this doesn't apply to R/3 or ECC. (it can be done in come cases but costs many, many £££/$$$'s)
Please let me know if you want me to elaborate further on this
Cheers
Alex

Assigning roles to different users in GP

Hello,
We have developed a small application using CAF.The UI part is done using Webdynpro module which is a part of CAF project. Now we have to apply Guided procedures to this application .
I have followed steps in this link to create a process (My First Process), and got result.
http://help.sap.com/saphelp_nw04s/helpdata/en/4a/d78041a17e060de10000000a1550b0/content.htm.
Now I have to do the same for our application.For eg: In "My First Process" , the role of Applicant is assigned to one user, and the role of HR Manager is assigned to another user.
In our application, many people has done modules.I want to create different roles (like applicant ,HR Manager in My Process) and assign each role to the user who has developed that module.
Actually we are not using NWDI . But we integrated all modules into one application manually.Is it possible to achieve the above mentioned goals ?
Please any one give me a suggestion or link.
With Thanks,
Vivek
With Thanks,
Vivek

Hi Ashutosh,
Thanks for response and providing link.
I have followed the documents provided by you.
Now I have to do the same for our application as in "My First Process" , the role of Applicant is assigned to one user, and the role of HR Manager is assigned to another user.
Do I require to follow the steps,
step1 :In GP design time and choose Create Callable Object Type Process Control, and select Visual Approval.
step2 :For the purposes of the process that you create, define the same input parameters as the output parameters that you have defined for the data input form.
In our application already created views(webdynpro views) are there.Still we need to create data input form and define input and output parameters ?.
In our application, many people has done modules.I want to create different roles (like applicant ,HR Manager in My Process) and assign each role to the user who has developed that module.
Please any one give me a suggestion or link.
With Thanks,
Vivek

ARD3.1 : Remote login under different user ID?

Hello,
Is it possible to remote log in using ID, say "UserA" to MacA while the someone is already logged into MacA using ID "UserB" ??
Charles

Sorry, but no.

Show Roles to end user

Hi,
My mission is to show roles to the end user and to give him possibility to make a request for one of the roles.
However I want to show different roles for different users based on their organizational place.
And my problem is that I can not find the way to do this.
For example if I use getObjectNames from com.waveset.ui.FormUtil I get nothing for end-user and I get all of the roles for configurator.
Does anybody tried to implement this?
Thank You!

why not show the exact items allowed for the login user's role? then you don't have to display the role to a specific item.

Assign remote roles with Federated portals

Hello all,
We're trying to implement a federated Portal network using the "Implementing a Federated Portal Network" in Detail document.
The steps that we have follow successfully are:
1. Connect to the user repository (Producer and Consumer).
2. Configure system settings (Producer and Consumer).
3. Define and Configure producers (consumer).
4. Set permisions (producer).
Now we want to assign remote roles to local users in User Administration -> Proxy-to-remote Roles option. But Proxy-to-remote Roles tab doesn't appear in the second level navigation...
We are working with EP7 SP10.
Any idea?
Thanks in advance

Maybe a clue: According to the Remote Role assigment question, We have a similar problem using the Remote content copy option.
In the consumer EP, Content Administration -> Portal Content, the Netweaver Content Producers contains the producer connection icon but it's empty. So, the content share can't be done...
Now... Any idea?
Thanks!
Message was edited by:
Marta Sánchez

SAP R/3 : Indirect Role assignments - Is position unique to every user?

Hi.
While am exploring /learning SAP R/3 roles and auth, I would appreciate if I could get clarity on the following :
This link on SDN on Indirect role assignments are very informative.
http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/f03e6f6c-8c16-2a10-1581-ed8812e2effe
This link is also more explanatory : http://my.affinitext.com/public/book/5442/-1/1423831
So if my understanding is correct, it is better to assign roles - indirectly by position, so that if an employee's position changes, his role can be removed, based on position again ??? And somewhere we are linking with infotype 105.
My only doubt is : if we are going to assign roles by position and remove the roles by position, so that as the position of an employee changes, the previous roles become null and void and new roles can be assigned as per new position.
So would like to know :
as to whether this position number which we see from PA20, is unique to every user on the system ?
So that, if there is a need to remove a role based on postion, we could remove the role from PO13;
BY doing that, then will it not affect other users ?
Can somebody help me understand this.
Because if i want to see the effect immediately, if i go to PFUD and put the role name and say execute, i see that the role which was removed from PO13 is gone immediately from the user.
Many thanks
Indu
Edited by: Indumathy Narayanan on Nov 22, 2011 9:25 AM

GOT IT THANKS.
Hi Prashant.
Good morning and wishes.
Can you please help me understand this.
I understand from HR person that position is uniquely defined (from hire to retire)
and roles are generally given based on position.
However, I see a person : whose roles have been assigned as per position all these years.
He had 2 roles in project A. He now moved into a different project B.
But. when i check, i still see the roles - reflecting on SU01 & well as in the tab of user of the role X under pfcg.
BUT when i check PO13 - and put the position / relationship and say overview.
I dont see the roles at all there.
Why this is so. Why the discrepancy on different screens.
Also How can I get a confirmation that - these roles are actually removed and is not there for the user.
Rather.
How could the removal of roles based on position become completely effective on the system.
So that all screens display the same information.
Also would like to know - whether it is ok to remove the role expiry date directly from PFCG/ROLE Display/user tab/select user/
and then make the role invalid or expired / or extend the expiry.
Many thanks.
Indu
Edited by: Indumathy Narayanan on Dec 7, 2011 12:09 PM
Edited by: Indumathy Narayanan on Dec 7, 2011 1:42 PM
Edited by: Indumathy Narayanan on Dec 7, 2011 5:17 PM

How to find the user - role assignments in the database for EP6 SP9?

L.S.,
We have a quite specific requirement: to see which users have access to our portal environment (EP6 SP9). It does not immediately matter (though would probably still be nice to know if possible) which roles users have exactly.
I've been looking in the database to find user-to-role assignments there, but I'm unable to find any. The closest I got is the PID filed in the UME_STRINGS table, but users remain listed there even when all their portal roles are revoked afterwards. Any ideas?
Kind Regards,
Steven Dijkman

hi Steven,
 Sorry but you will have to write some code. the following lines of code will work for you.
IRoleSearchFilter rolefilter = UMFactory.getRoleFactory().getRoleSearchFilter();
 ISearchResult result = UMFactory.getRoleFactory().searchRoles(rolefilter);
 while (result.hasNext()) {
 String rolestr = (String) result.next();
 IRole r = UMFactory.getRoleFactory().getRole(rolestr);
 response.write(r.getDisplayName());
 response.write(" ");
 Iterator users = r.getMembers(true);
 while (users.hasNext()){
 String userstr = (String)users.next();
 IUser user = UMFactory.getUserFactory().getUser(userstr);
 response.write(user.getDisplayName());

Missing user role assignments

Hello Gurus,
We have a strange issue in our ECC production environment. The role assignments for a few users are missing. The roles were assigned to these users almost a year back. The change documents do not show any record of the role assignment being deleted.
In SU01 in display mode the profiles for the roles are still assigned to the user, but when one tries to edit the user master data the profiles also get deleted from user and the change is shown against the name of the admin who has tried to edit the user master.
This problem is seen to happen randomly for various roles and various users.
What could be causing such an issue?
Thanks in advance for your replies.
Regards,
Subbu

Hi Subra,
Prgn_compress_time removes the expired roles .Also check USH* tables like USH02, USH04 ...for Change history.
The role assignments for a few users are missing. The roles were assigned to these users almost a year back.
Did you transport the roles to the production properly after making changes. (if any).
re-transport the roles once again.
Thanks,
Sri

Not able to find Remote roles in User Management

We are using RRA for sharing contents between two portals. In the consumer portal PCD, the contents and roles of the producer portal is showing perfectly. But when i am trying to find the roles in User management in the consumer portal, these remote roles are not showing, and subsequently we are not being able to assign these remote roles to our local users. I have checked the connection and permission. Please help.

1. Please make sure that the server clocks on the producer and consumer portal are synchronized. One of the prerequisite for FPN is that the server clocks of the producer portal and consumer portal must be synchronized at all times.
2. When you are not able to see a remote role, at that time, test your SSO between consumer and producer. You can do this by logging in first into your consumer and then changing the URL to that of the producer and then hit Enter. If SSO is correctly working, you should be logged into the producer portal without having to log in again.
Thanks,
Shanti

Same user different roles within different organizations

Hello All,
We have requirement where Same user has to have different roles within different organizations.
What will be the solution to handle this situation using SUN IDM ?
Any inputs are greatly appreciated.
Thanks,
Akeel

Let me simplify this,
We have requirement where a user can work for different organizations , which can be achieved in SIM using membership rules.
Say a user works for two organizations Say Org1 and Org2.
The user can have different roles in these 2 different organizations. For example user can have Role1 in Org1 and Role2 in Org2.
Role1 and Role2 both are available for assignment for respective admins of both Org1 and Org2.
Suppose Admin of Org1 assigns the user Role1; and admin of Org2 assigns the user Role2.
Now waveset.roles will have Role1 and Role2, but it can not tell the user has which role in which organization.
How do i specify the relationship between the role and organization ? The number of organizations are very large 70000+ and Number of identified roles around 51.
I dont think this can be implemented in Sun Identity Manger. Anybody has done this? Or any inputs are highly appreciated.
Regards,
Akeel

Trusted RFC not working for different user , working for same user

Dear All,
I have two SAP system - One Solman (7.0) and another ECC 6.0 (SR3) on HPUX box with Oracle DB (Unicode).
I want to establish Trust relationship between these system.
I have configured the same, as per the following link:
http://help.sap.com/saphelp_nw04/helpdata/en/8b/0010519daef443ab06d38d7ade26f4/content.htm
and note 128447.
My requirement is one user X in solman client 001,
will execute some test plan (Tcode stwb_2) which will take the control to ECC 6.0 client 200, execute the tcode as user Y and come back in Solman again.
The user X (SAP_ALL) exists in Solman - client 001 and user Y (SAP_ALL) exists in ECC 6.0 - client 200.
In ECC 6.0 client 200, I have created a role ZRFCACL with the following and assigned to the user Y (as per the above help / note):
Role : ZRFCACL
Auth. Obj: S_RFCACL
Value assigned to fields are:
 RFC_SYSID : SOL
 RFC_CLIENT: 001
 RFC_USER : X
 RFC_EQUSER: N
 RFC_TCODE : *
 RFC_INFO : *
 ACTVT : 16
Whenever the user X is trying to execute the test from solman, he is getting the error : "No authorization to log on as trusted system (RC = 0)"
Each time the user is trying the above, in ECC 6.0, the following dump is occuring:
CALL_FUNCTION_SINGLE_LOGIN_REJ under username SAPSYS
I have assigned the role ZRFCACL to user X in Solman also.
Next, I have performed the following check:
created one user M in both system
created the role ZRFCACL2 in ECC 6.0 client 200 as follows and assigned the role to user M:
 Role : ZRFCACL2
 Auth. Obj: S_RFCACL
 Value assigned to fields are:
 RFC_SYSID : SOL
 RFC_CLIENT: 001
 RFC_USER : ''
 RFC_EQUSER: Y
 RFC_TCODE : *
 RFC_INFO : *
 ACTVT : 16
Assigned SAP_ALL to user M in both system (So the user M in Solman does not have ZRFCACL2).
This time, the trust relationship worked and no dump got generated.
I have also checked the thread Trusted RFC do not work
but unable to resolve the issue.
Any suggestion where the things are going wrong in this / what else I need to check or this is not possible at all?
Thanks in advance for your help.
Sudip

Hi Valdecir,
Thanks for the reply. I am providing the detail of the generated dump below:
Please check in case any clue is there.
Runtime Errors CALL_FUNCTION_SINGLE_LOGIN_REJ
Date and Time 12.08.2008 18:59:32
Short text
No authorization to logon as trusted system (Trusted RC=0).
What happened?
Error in the ABAP Application Program
The current ABAP program "SAPMSSY1" had to be terminated because it has
come across a statement that unfortunately cannot be executed.
What can you do?
Note down which actions and inputs caused the error.
To process the problem further, contact you SAP system
administrator.
Using Transaction ST22 for ABAP Dump Analysis, you can look
at and manage termination messages, and you can also
keep them for a long time.
Error analysis
An RFC call (Remote Function Call) was sent with the invalid user ID "98819 "
. Or the calling system is not registered as trusted system in the
target system.
How to correct the error
The error code of the trusted system was 0.
Meaning:
0 Correct logon as trusted system mode
1 No trusted system entry for the calling system "SOL " or the
security key entry for the system "SOL " is invalid
2 User "98819 " does not have RFC authorization (authorization object
(S_RFCACL) for user "98819 " witl client 001.
3 The timestamp of the logon data is invalid
The error code of the SAP logon procedure was 1.
Meaning:
0 Login was correct
1 Wrong password or invalid user ID
2 Locked user
3 Too many attempted logons
5 Error in the authorization buffer (internal error)
6 No external user check
7 Invalid user type
System environment
SAP-Release 700
Application server... "gcbeccd"
Network address...... "10.10.4.158"
Operating system..... "HP-UX"
Release.............. "B.11.23"
Hardware type........ "ia64"
Character length.... 16 Bits
Pointer length....... 64 Bits
Work process number.. 1
Shortdump setting.... "full"
Database server... "gcbeccd"
Database type..... "ORACLE"
Database name..... "RD3"
Database user ID.. "SAPSR3"
Char.set.... "C"
SAP kernel....... 700
created (date)... "Apr 5 2008 00:55:24"
create on........ "HP-UX B.11.23 U ia64"
Database version. "OCI_102 (10.2.0.1.0) "
Patch level. 146
Patch text.. " "
Database............. "ORACLE 9.2.0.., ORACLE 10.1.0.., ORACLE 10.2.0.."
SAP database version. 700
Operating system..... "HP-UX B.11"
Memory consumption
Roll.... 16192
EM...... 4189840
Heap.... 0
Page.... 0
MM Used. 1194640
MM Free. 2992576
User and Transaction
Client.............. 000
User................ "SAPSYS"
Language Key........ "E"
Transaction......... " "
Transactions ID..... "489F2BD6C36D0F12E10000000A0A049E"
Program............. "SAPMSSY1"
Screen.............. "SAPMSSY1 3004"
Screen Line......... 2
Information on caller of Remote Function Call (RFC):
System.............. "SOL"
Database Release.... 700
Kernel Release...... 700
Connection Type..... 3 (2=R/2, 3=ABAP System, E=Ext., R=Reg. Ext.)
Call Type........... "synchron and non-transactional (emode 0, imode 0)"
Inbound TID.........." "
Inbound Queue Name..." "
Outbound TID........." "
Outbound Queue Name.." "
Client.............. 001
User................ 98819
Transaction......... "SMSY"
Call Program........."SAPLSRTT"
Function Module..... "SCCR_GET_RELEASE_NR"
Call Destination.... "SM_RD3CLNT200_TRUSTED"
Source Server....... "gcbsolm_SOL_00"
Source IP Address... "10.10.4.206"
Additional information on RFC logon:
Trusted Relationship "X"
Logon Return Code... 1
Trusted Return Code. 0
Note: For releases < 4.0, information on the RFC caller are often
only partially available.
Information on where terminated
Termination occurred in the ABAP program "SAPMSSY1" - in
"REMOTE_FUNCTION_CALL".
The main program was "SAPMSSY1 ".
In the source code you have the termination point in line 67
of the (Include) program "SAPMSSY1".
Source Code Extract
Line
SourceCde
37
endmodule.
38
39
module %_rfcdia_call output.
40
"Do not display screen !
41
call 'DY_INVISIBLE_SCREEN'.
42
perform remote_function_diacall.
43
endmodule.
44
45
module %_cpic_start.
46
if sy-xprog(4) = '%RFC'.
47
perform remote_function_call using rfctype_external_cpic.
48
else.
49
call 'APPC_HD' id 'HEADER' field header id 'CONVID' field convid.
50
perform cpic_call using convid.
51
endif.
52
endmodule.
53
54
55
form cpic_call using convid type c.
56
communication send id convid buffer header.
57
if sy-subrc eq 0.
58
perform (sy-xform) in program (sy-xprog).
59
else.
60
message a800.
61
endif.
62
endform.
63
64
form remote_function_call using value(type).
65
data rc type i value 0.
66
do.
>>>>>
call 'RfcImport' id 'Type' field type.
68
if sy-xprog = 'JAVA'.
69
system-call plugin
70
id 'JAVA' value 'FORW_JAVA'
71
id 'RC' value rc.
72
if there is no rollout on the JAVA side which
73
rolls both, JAVA and ABAP, we return to the
74
C-Stack and reach this point
75
76
in case there was an rollout, the ABAP-C stack is lost
77
and we jump direkt to this point
78
79
here we trigger the rollout on this Abap side with
80
the following statement
81
system-call plugin
82
id 'JAVA' value 'ROLL_OUT'
83
id 'RC' value rc.
84
else.
85
perform (sy-xform) in program (sy-xprog).
86
rsyn >scont sysc 00011111 0.
Contents of system fields
Name
Val.
SY-SUBRC
0
SY-INDEX
1
SY-TABIX
0
SY-DBCNT
1
SY-FDPOS
0
SY-LSIND
0
SY-PAGNO
0
SY-LINNO
1
SY-COLNO
1
SY-PFKEY
SY-UCOMM
SY-TITLE
CPIC and RFC Control
SY-MSGTY
SY-MSGID
SY-MSGNO
000
SY-MSGV1
SY-MSGV2
SY-MSGV3
SY-MSGV4
SY-MODNO
0
SY-DATUM
20080812
SY-UZEIT
185932
SY-XPROG
SAPRFCSL
SY-XFORM
READ_SINGLE_LOGIN_DATA
Active Calls/Events
No. Ty. Program Include Line
Name
2 FORM SAPMSSY1 SAPMSSY1 67
REMOTE_FUNCTION_CALL
1 MODULE (PBO) SAPMSSY1 SAPMSSY1 30
%_RFC_START
Chosen variables
Name
Val.
No. 2 Ty. FORM
Name REMOTE_FUNCTION_CALL
%_DUMMY$$
0000
0000
2222
0000
SY-REPID
SAPMSSY1
0000000000000000000000000000000000000000
0000000000000000000000000000000000000000
5454555322222222222222222222222222222222
310D339100000000000000000000000000000000
SYST-REPID
SAPMSSY1
0000000000000000000000000000000000000000
0000000000000000000000000000000000000000
5454555322222222222222222222222222222222
310D339100000000000000000000000000000000
HEADER
000000000000
000000000000
TYPE
3
0000
0003
SY-XPROG
SAPRFCSL
0000000000000000000000000000000000000000
0000000000000000000000000000000000000000
5455445422222222222222222222222222222222
3102633C00000000000000000000000000000000
%_ARCHIVE
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
RC
0
0000
0000
SY-XFORM
READ_SINGLE_LOGIN_DATA
000000000000000000000000000000
000000000000000000000000000000
544455444445444445445422222222
2514F39E7C5FCF79EF414100000000
%_SPACE
0
0
2
0
No. 1 Ty. MODULE (PBO)
Name %_RFC_START
%_PRINT
000 0###
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2222333222222222222222222222222222222222222222222222222222222222222222222222222222222222223000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
RFCTYPE_INTERNAL
3
0000
0003
Internal notes
The termination was triggered in function "ab_xsignon"
of the SAP kernel, in line 2491 of the module
"//bas/700_REL/src/krn/rfc/absignon.c#9".
The internal operation just processed is "CALY".
Internal mode was started at 20080812185932.
Calling system.....: "SOL "
Caller.............: "98819 "
Calling client.....: 001
RFC user ID........: "98819 "
RFC client.........: 200
Trusted return code: 0
Logon return code..: 1
Transaction code...: "SMSY "
Active state.......: "-782823270"
Note: At releases < 4.0, the information for the caller is not
available.
Active Calls in SAP Kernel
Lines of C Stack in Kernel (Structure Differs on Each Platform)
(0) 0x4000000003b2b450 CTrcStack + 0x1b0 at dptstack.c:227 [dw.sapRD3_DVEBMGS00]
(1) 0x4000000004d2c470 Z16rabaxCStackSavev + 0x1d0 [dw.sapRD3_DVEBMGS00]
(2) 0x4000000004d32160 ab_rabax + 0x3570 [dw.sapRD3_DVEBMGS00]
(3) 0x4000000002b43cb0 SignOnDumpInfo + 0x280 at absignon.c:2491 [dw.sapRD3_DVEBMGS00]
(4) 0x4000000002b3f2f0 ab_xsignon + 0xb30 at absignon.c:876 [dw.sapRD3_DVEBMGS00]
(5) 0x4000000002aa4cb0 ab_rfcimport + 0x1ad0 at abrfcfun.c:3599 [dw.sapRD3_DVEBMGS00]
(6) 0x40000000040f4a80 Z8abjcalyv + 0x500 [dw.sapRD3_DVEBMGS00]
(7) 0x400000000402f190 Z8abextriv + 0x440 [dw.sapRD3_DVEBMGS00]
(8) 0x4000000003f538b0 Z9abxeventPKt + 0xb0 at abrunt1.c:281 [dw.sapRD3_DVEBMGS00]
(9) 0x4000000003f360a0 ab_dstep + 0x280 [dw.sapRD3_DVEBMGS00]
(10) 0x4000000001cb4600 dynpmcal + 0x900 at dymainstp.c:2399 [dw.sapRD3_DVEBMGS00]
(11) 0x4000000001cab0e0 dynppbo0 + 0x280 at dymainstp.c:540 [dw.sapRD3_DVEBMGS00]
(12) 0x4000000001cb1ec0 dynprctl + 0x340 at dymainstp.c:358 [dw.sapRD3_DVEBMGS00]
(13) 0x4000000001c9dff0 dynpen00 + 0xac0 at dymain.c:1628 [dw.sapRD3_DVEBMGS00]
(14) 0x4000000001fea460 Thdynpen00 + 0x510 at thxxhead.c:4830 [dw.sapRD3_DVEBMGS00]
(15) 0x4000000001fb4de0 TskhLoop + 0x4e20 at thxxhead.c:4518 [dw.sapRD3_DVEBMGS00]
(16) 0x4000000001faae40 ThStart + 0x460 at thxxhead.c:1164 [dw.sapRD3_DVEBMGS00]
(17) 0x4000000001569ec0 DpMain + 0x5f0 at dpxxdisp.c:1088 [dw.sapRD3_DVEBMGS00]
(18) 0x4000000002c10630 nlsui_main + 0x30 [dw.sapRD3_DVEBMGS00]
(19) 0x4000000002c105c0 main + 0x60 [dw.sapRD3_DVEBMGS00]
(20) 0xc00000000002be30 main_opd_entry + 0x50 [/usr/lib/hpux64/dld.so]
List of ABAP programs affected
Index
Typ
Program
Group
Date
Time
Size
Lang.
0
Prg
SAPMSSY1
0
11.04.2005
09:27:15
22528
E
1
Prg
SAPLSCCA
1
05.07.2005
13:10:18
52224
E
2
Prg
SAPRFCSL
0
13.02.2005
17:31:45
17408
E
3
Typ
RFCSYSACL
0
13.02.2005
17:31:45
7168
4
Typ
SYST
0
09.09.2004
14:18:12
31744
Directory of Application Tables
Name Date Time Lngth
Val.
Program SAPMSSY1
SYST . . : : 00004612
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x0001\0\0\0
Program SAPRFCSL
RFCSYSACL . . : : 00001760
SOL RD3
ABAP Control Blocks (CONT)
Index
Name
Fl
PAR0
PAR1
PAR2
PAR3
PAR4
PAR5
PAR6
Source Code
Line
116
CLEA
00
0035
SAPMSSY1
60
117
CLEA
00
0036
SAPMSSY1
60
118
CLEA
00
0037
SAPMSSY1
60
119
MESS
00
001C
SAPMSSY1
60
120
ENDF
00
0000
SAPMSSY1
62
121
00
0000
SAPMSSY1
62
122
PERP
00
0001
SAPMSSY1
64
123
PERP
02
0000
SAPMSSY1
64
124
WHIL
00
0002
0000
0000
0000
0000
0000
0000
SAPMSSY1
66
128
WHIL
00
0003
0000
0000
0000
0000
0000
0000
SAPMSSY1
66
132
BRAN
05
001E
SAPMSSY1
66
133
CALY
00
0003
0038
002A
0005
002B
0000
0000
SAPMSSY1
67
>>>>>
CALY
02
0000
0039
8000
0000
0000
0000
0000
SAPMSSY1
67
141
COMP
00
0002
0010
003A
SAPMSSY1
68
143
BRAF
02
000E
SAPMSSY1
68
144
SRFC
01
0000
003A
003B
SAPMSSY1
69
146
SRFC
01
0000
003C
C000
SAPMSSY1
69
148
SRFC
02
0000
0000
0000
SAPMSSY1
69
150
SRFC
01
0000
003A
003D
SAPMSSY1
81
152
SRFC
01
0000
003C
C000
SAPMSSY1
81
Thanks & Regards
Sudip

Assigning roles to LDAP users through BIP API

Hi.
My customer has BIP 11g and OIM 9.1.0.2 running on the same weblogic server (11g). Both authenticate against the same LDAP server.
One of our desired next steps is to provision from OIM the BIP roles to each LDAP user so every user gets the correct roles (and access to the correct reports) according to the groups he has on OIM.
I've been searching for info regarding this without success. The BIP API doc does not show any info about assigning roles to users.
We don't need to manage LDAP users, BIP roles, etc... through OIM. We only need to assign BIP roles to LDAP users.
Is it possible to make that assignments through BIP API?
If not, any other ideas? New ideas or different approaches are welcome.
Thanks in advance.

In OBIEE 11g which includes BIP the application roles are applied to LDAP users and groups using the Enterprise Manager Fusion Control.
During the upgrade process from OBIEE 10g to OBIEE 11g the groups do get assigned to these roles transparently so there must be some API to leverage this functionality.
I would start there, http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10541/admin_api.htm
There are no specific instructions on accomplishing what you seek but if you have some WLST or Java Skills you should be able to get something prototyped.
Let me know if that helps.

ABAP Role Assignments stored in MSAD

Hi all,
unfortunately I have only found contradicting information in relation to the possibility to manage ABAP role assignments using a MS Active Directory.
We plan to implement a WAS (ABAP) 6.40 SP14, synchronise data between the WAS and the corporate MSAD. While WAS (ABAP) is not capable of MSAD based authentication I suspect it is possible to manage the user/role assignments in MSAD. Am I right in my assumptions (see list below) that the following data entities can/cannot be managed and synchronised/stored with the WAS (ABAP) out of the box?
WAS ABAP
1. possible - user master data (e.g. userName, address, etc.)
2. possible - user/role assignments
3. not possible - user passwords (however, can be bypassed through SSO based on NTLM)
Portal UME
1. possible - user master data
2. possible - user password
3. possible - role/group assignments
4. possible - group/user assignments
5. possible - user/group assignments
6. possible - user/role assignments
Thanks for the help!!
Cheers Stefan

Hi,
Thanks for the suggestion. But ours was a different problem.
The issue was with a faulty reconciliation job that had been fixed. But it had done its damage before the fix and this caused the inconsistent behavior.
During the reconciliation job (to update changed and add new backend roles in IDM) various task trigger attributes get disabled and then re-enabled after the import. These disabled triggers did not get re-enabled for the privileges on some systems. And the reconciliation job was also delta enabled, so only new privileges, after the initial load, should have been impacted. But impact to many privileges -- all privileges of some target systems -- misled our investigation. The timing of the reconciliation job executions kind of added to the confusion and inconsistencies during the initial setup. But we finally tracked this down and wrote a custom job to fix the triggers for only the affected privileges. Assignments to all systems started to function successfully as expected.
Best regards,
Ashok

OBPM 10gR3 Dynamic Role Assignment at user login

Hi,
For all the great integration with LDAP in 10gR3, unfortunately, the system is unable to deal with dynamically-defined LDAP groups.
Our goal is to apply a BPM Role to ALL humans defined in our LDAP.
All humans happen to already be defined by a dynamically-defined LDAP group called 'AllPeople'.
It would have been perfect if we could simply assign our BPM Role, 'Employee', to the LDAP group, 'AllPeople'. Sadly you can't (one for the next release pls).
So as a workaround, what we want to do instead is assign the BPM Role 'Employee' to each individual user dynamically when they first login.
Since the FDI library is useless outside of a BPM context (you'll find that some of the familiar methods of RoleAssignment are missing), We opted to create an actual BPM process to conduct role assignments, and we would then trigger it via PAPI.
The question then was, where/when do we invoke the process such that it does the role assignment quickly and soon enough for the appropriate views and applications to appear in their workspace straight after login?
We opted for a customised implementation of the SSOWorkspaceLoginInterface class.
However, we tried making the invocation in the setupAuthenticatedSession() and the processRequest() methods but, although the role assignment was successfully done in either case, sadly the user's session was loaded without the new changes - perhaps loaded quicker than the role assignment could be fed back through the directory.
Therefore, we dumped the invocation in the actual constuctor - and this seems to work for the most part. Yet on the odd ocassion, the role assignment is not quick enough to be realised in the user's workspace session - the user has to logout and back in before the changes are realised.
We've even tried to get the execution to sleep for a second or two, while the PAPI thread goes about doing the role assignment - again not much success.
So I really have 2 questions:
1. Where during login can we make a PAPI call to do a role assignment so that it should be picked up by the time the session is created? perhaps we already are doing it in the right place.
2. How could we refresh/request a new session cookie without explicitly logging out and back in again? Note, page refresh is not enough.
Thanks for reading.

Sorry for the belated response - I don't get notified of replies.
The code for my custom SSOLoginModule class is:-
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.Properties;
import fuego.workspace.security.SSOWorkspaceLoginInterface;
import fuego.papi.Arguments;
import fuego.papi.CommunicationException;
import fuego.papi.InstanceInfo;
import fuego.papi.OperationException;
import fuego.papi.ProcessService;
import fuego.papi.ProcessServiceSession;
import fuego.sso.SSOLoginException;
import fuego.sso.SSOUserLogin;
import fuego.jsfcomponents.Util;
import fuego.workspace.model.common.WorkspaceApplicationBean;
public class CustomSSOWorkspaceLogin extends SSOUserLogin implements SSOWorkspaceLoginInterface {
private ProcessService pService;
private ProcessServiceSession pServiceSession;
private Properties properties;
public SSOWorkspaceDBLogin() {
//Do the role assignment here because it works, and does not work in the ideal location of setupAuthenticatedSession method
pService = createProcessService();
pServiceSession = createProcessServiceSession();
assignDefaultRole(Util.getHttpServletRequest().getRemoteUser());
private ProcessService createProcessService() {
return WorkspaceApplicationBean.getCurrent().getProcessService();
private ProcessServiceSession createProcessServiceSession() {
return pService.createSession("yourdirectoryusername","yourdirectorypassword",null);
//This method is used to remotely invoke a BPM process to do the role assignment - no external API to do this directly!
private void assignDefaultRole(String email) {
try {
String processId = "myRoleAssignmentProcessId";
String argumentName = "argumentName"; //the name of the input argument to feed in the participant
String argumentValue = email;
Arguments arguments = Arguments.create();
arguments.putArgument(argumentName, argumentValue);
InstanceInfo instance = pServiceSession.processCreateInstance(processId, arguments);
Long waitTime = new Long(1000);
Long timeLimit = new Long(5000);
boolean roleAssigned = false;
boolean timeLimitExceeded = false;
Long startTime = System.currentTimeMillis();
//Allow role assignment thread to complete
while (!roleAssigned && !timeLimitExceeded) {
try {
Thread.sleep(waitTime);
if (pServiceSession.processGetInstance(instance.getId()).isCompleted()) {
roleAssigned = true;
if (System.currentTimeMillis() - startTime > timeLimit) {
timeLimitExceeded = true;
} catch (InterruptedException e) {
e.printStackTrace();
//close process service session
pServiceSession.close();
//Do not close the service itself as it is shared with the Workspace itself!
//pService.close();
} catch (Exception e) {
e.printStackTrace();
public void setupAuthenticatedSession(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse) throws SSOLoginException {
//Unfortunately, the below does not work here because the role assignment is not fast enough
//The result is that the user logs in but cannot see any applications because the role assignment has not been made in time.
//Therefore, we run the below statements from the constructor - ugly but functions.
//pService = createProcessService();
//pServiceSession = createProcessServiceSession();
//assignDefaultRole(httpservletrequest.getRemoteUser());
public void processRequest(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse) throws SSOLoginException {
}

Remote Role Assignments - Different User Base

Similar Messages

Maybe you are looking for