Role and Naming concepts

Hello All,
While creating custom roles (Z & Y), could anyone explain the importance of having a good naming convention?
Thanks a lot in advance.
Regards, Pradeep

Certainly you have to make the standard fixed and describe it. Try to get the document describing your naming convention signed off at the highest management level!
On Org qualifiers, be certain to get the right info from the business. I have seen a big mess made out of that, as finance people wanted the financial Org Qualifiers to show in the naming convention while others wanted to stick to the organisation, like company, plant etc.
Best approach is to look at how the organization is fiscally situated, like in which office/companies sit and make it as simple as possible.
One more thing about Org Qualifiers (derived roles): be sure not to use them simply because they are there, but ONLY when there is a risk in leaving them on STAR (*). This mostly limits the number of qualifiers to be populated to a reasonable number and also gives a nice handle on how to organize your Org Level naming convention.
Tip: Company code is 4 positions in SAP, so why not use that code in the naming convention? Mostly it looks like 0040, 0060 etc. If you need to go deeper (like to office or plant level) you might use 0021, 0022 etc.
On naming convention with regards to composites and singles, be sure to make a distinction. Here are some examples I have used in the past:
Single role:       Z: or A: or Z_
Composite role:    Y: or C: or C_
What you use is not so important (advice: do not use S, as that is the starting letter of SAP standard roles).
The format I prefer: Z:R3_FIN001_0200
Z = single role
R3 = SAP R/3, also BI or BW etc.
FIN = Finance role
001 = first role in sequence
0200 = company code as in Org level field BUKRS. For the master roles (basis for derivation) I use XXXX, and for roles that have wide access CCCC. If the role does not contain org fields I use the XXXX variant in the composites.
Hope this helps you on the way?
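
A checker for the convention described in the answer above, as an added example (not code from the original poster): it parses names of the form Z:R3_FIN001_0200 and flags names outside the convention, names starting with S, wide-access CCCC roles, and derived single roles that have no XXXX master. Assumptions: "Z:" marks single and "Y:" composite roles, the functional area is three capital letters, and the sample role names are constructed.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# Assumed concrete form of the convention: <Z|Y>:<system>_<area><seq>_<org>
ROLE_RE = re.compile(
    r"^(?P<kind>[ZY]):(?P<system>R3|BI|BW)_(?P<area>[A-Z]{3})"
    r"(?P<seq>\d{3})_(?P<org>\d{4}|XXXX|CCCC)$"
)


class RoleName(NamedTuple):
    kind: str    # "single" (Z:) or "composite" (Y:)
    system: str  # R3, BI or BW
    area: str    # functional area, e.g. FIN
    seq: str     # sequence number within the area
    org: str     # company code, XXXX (master / no org fields) or CCCC (wide)

    @property
    def family(self):
        """Everything except the org part: a master and its derived roles."""
        return (self.kind, self.system, self.area, self.seq)


def parse_role(name: str) -> Optional[RoleName]:
    """Return the parsed parts, or None if the name breaks the convention."""
    m = ROLE_RE.match(name)
    if m is None:
        return None
    kind = "single" if m["kind"] == "Z" else "composite"
    return RoleName(kind, m["system"], m["area"], m["seq"], m["org"])


def audit(names):
    """Sort role names into review buckets based on the convention."""
    findings = {"nonconforming": [], "sap_namespace": [],
                "wide_access": [], "orphan_derived": []}
    parsed, orgs_by_family = {}, defaultdict(set)
    for name in names:
        role = parse_role(name)
        if role is None:
            # S is the starting letter of SAP standard roles: report separately
            bucket = "sap_namespace" if name.upper().startswith("S") else "nonconforming"
            findings[bucket].append(name)
            continue
        parsed[name] = role
        orgs_by_family[role.family].add(role.org)
        if role.org == "CCCC":
            findings["wide_access"].append(name)
    # A derived single role (numeric org) should have an XXXX master to derive from
    for name, role in parsed.items():
        if (role.kind == "single" and role.org.isdigit()
                and "XXXX" not in orgs_by_family[role.family]):
            findings["orphan_derived"].append(name)
    return findings


# Constructed sample of role names, e.g. as exported from a role listing
SAMPLE = [
    "Z:R3_FIN001_XXXX", "Z:R3_FIN001_0200", "Z:R3_FIN001_0040",
    "Z:R3_FIN002_0060",   # derived role without a master
    "Z:R3_FIN003_CCCC",   # wide access
    "Y:R3_FIN001_XXXX",   # composite
    "S:R3_FIN001_0200",   # starts with S
    "Z_FIN_CLERK_DE",     # free-form name outside the convention
]

if __name__ == "__main__":
    for bucket, hits in audit(SAMPLE).items():
        print(f"{bucket}: {hits}")
```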

Similar Messages

  • SAP Technical roles and IDM Business roles mapping

    Hi Guys
    Just wondering if there is an easy way to export SAP Positions and create them automatically as Business Roles in IDM and the SAP technical roles that are related to that corresponding position into privileges assigned to that Business Role. Or am I going about this the wrong way? What do you normally do in terms of getting all your SAP technical roles from the SAP system and assigning them to business roles in IDM? Any help on this is much appreciated.
    Cheers
    Leo

    Thanks Matt,
    I think I get the picture now.
    One thing that I am still not sure about is how the SAP ABAP technical roles or profiles are provisioned through workflow.
    Here is what I've done so far:
    1. HCM data loaded into productive identity store via vds
    2. Did an initial load of the abap system into the productive identity store (now the technical roles and profiles are loaded as privileges in the idstore)
    3. Through workflow I select a user that already has an abap account and assign that user some additional sap technical roles, for e.g. sap_all and sap_new. The corresponding privileges for these roles are namely PRIV:PROFILE:ECX:SAP_ALL and PRIV:PROFILE:ECX:SAP_NEW .
    4. For the provisioning to occur so that these new privileges are reflected in the ABAP system for this user, I have used the setABAPRole&ProfileForUser task from sap provisioning framework folder and set it as the add/mod/del  event task for the MXREF_MX_PRIVILEGE attribute. That way whenever a privilege is added to a user account the setABAPRole&ProfileForUser task will run and the sap_all and sap_new profiles will be added in the backend. This way I can avoid setting a provisioning task for each abap privilege that gets loaded.
    But it should be obvious now that there is a flaw with this kind of setup, because all non-ABAP privileges that get added or removed will trigger the setABAPRole&ProfileForUser task anyway, because the privileges use the same attribute, i.e. MXREF_MX_PRIVILEGE. So it brings me to the question: how do you provision ABAP technical roles or profiles through workflow without setting a provisioning task for each ABAP-related privilege?
    Thanks again for all your help!
    Leo

  • Export and Import of Roles and Privileges

    Hi,
    We're nearing the end of our development phase and are now preparing for initial load in our QA / Test environment.
    Is there a way to export the Roles and Privilege metadata from one environment to import them into the other. The Staging guide states you need to create them before importing your Identity Stores. I was hoping we didn't need to do this as it's a time consuming task to create them manually.
    Thanks
    Paul

    What I've seen is Business Role Export / Import functionality. It is pretty straight-forward to do, just export the Business Roles in a job (limit what to export in the source SQL) to a CSV-file, then read it back in to different environment in similar job.
    When we were exporting the Business Roles we exported the privilege-references as MSKEYVALUEs not MSKEYs. Note how you have named your repositories in different environments (as you know the name of the MX_PRIVILEGE differs if your ERP repository in development is e.g. ERP100 and in Q/A ERP200), you may need to convert the privilege names accordingly in export or import.
    One more thing you need to keep in mind is to pay attention whether your data has CR+LFs, which will break the CSV, we tackled this by encrypting/decrypting the data that had line feeds (DESCRIPTION-attribute).

  • Need some roles and responsibilites in bi7

    Can anyone please let me know the roles and responsibilities of a BI7 consultant in supporting, implementation and upgrading from 3x to BI7?
    Please consider it as an urgent issue.
    points must be assigned.
    regards,
    prav

    Here are few jobs:
    1) Convert Data Classes of InfoCubes. Set up a new data class .
    2) Pay attention to the naming convention. Execute the RSDG_DATCLS_ASSIGN report. 
    3) Run the report RSUPGRCHECK to activate objects. 
    4) Upgrading ABAP and JAVA in parallel which may cause issues. If there is no custom development on J2EE instance, it is recommended to drop the J2EE instance and re-install the latest J2EE instance after the upgrade. 
    5) Apply SAP OSS Notes if you include the Support Patch
    6) You may be included Basis Support Packages up to package level 6 (SAPKB70006) in the upgrade.
    and there are lots of other stuff are which #$#$#$ me
    Atul

  • Roles and Owner details

    Hi,
    We are using Oracle 8i database.
    We need to extract roles and owner names which were created the roles. Please let us know in which data dictionary table I'll get these details.
    Note: I have already verified DBA_ROLES, ROLE_TAB_PRIVS and ROLE_SYS_PRIVS. I didn't get the details.
    Thanks,
    Suri

    A role is simply a named collection of privileges; it does not have an owner. As far as I know, there is no easy way to determine which user created a role.
    If by "We need to extract roles and owner names which were created the roles" you actually mean that you want to know which users have particular roles, then something like:
    SELECT grantee, granted_role
    FROM dba_role_privs
    WHERE granted_role IN (<list of roles you are interested in>)
    John

  • Server Manager error 0x80070422 - Roles and features are not accesible

    Hi
    I cannot view Roles and Features in Server Manager on my Server 2008 R2 box. The error is:
    Unexpected error refreshing Server Manager: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it (Exception from HResult: 0x80070422)
    I have looked at my services - but don't know what service to look for, everything seems to be in order.
    After some investigation on the net, I understood that I need to setup the win readiness tool, I did and the output in CheckSur file is as follows
    =================================
    Checking System Update Readiness.
    Binary Version 6.1.7601.21645
    Package Version 12.0
    2011-05-31 19:02
    Checking Windows Servicing Packages
    Checking Package Manifests and Catalogs
    (f) CBS MUM Corrupt 0x00000000 servicing\Packages\Package_for_KB2296199_RTM~31bf3856ad364e35~amd64~~6.1.1.1.mum  Expected file name Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.mum does not match the actual file name
    (fix) CBS MUM Corrupt CBS File Replaced Package_for_KB2296199_RTM~31bf3856ad364e35~amd64~~6.1.1.1.mum from Cabinet: C:\Windows\CheckSur\v1.0\windows6.1-servicing-x64-apr29.cab.
    (fix) CBS Paired File CBS File also Replaced Package_for_KB2296199_RTM~31bf3856ad364e35~amd64~~6.1.1.1.cat from Cabinet: C:\Windows\CheckSur\v1.0\windows6.1-servicing-x64-apr29.cab.
    Checking Package Watchlist
    Checking Component Watchlist
    Checking Packages
    Checking Component Store
    Summary:
    Seconds executed: 4058
     Found 1 errors
     Fixed 1 errors
      CBS MUM Corrupt Total count: 1
      Fixed: CBS MUM Corrupt.  Total count: 1
      Fixed: CBS Paired File.  Total count: 1
    Here again, it seems that everything is fine.
    Thanks in advance for your help

    Hi,
    Please try to install Windows Server 2008 R2 Service Pack 1 directly and check the result. Service Pack 1 for Windows Server 2008 R2 includes all the previous released Windows Updates and hotfixes.
    If it does not work, you will need to copy these files from another working Windows Server 2008 R2 system to replace the corrupt ones.
    Otherwise, you will need to perform an In-Place upgrade to repair the system.
    Regards,

  • How to create a report of users in ucm about their roles and permission

    Hi All ,
    I need to create a report and it should contain all the users in ucm as well as their roles and permissions. Basically the report would be for the admin who can see all the users in a single report and can know about the roles and access of each and every users.
    How to create such a report? I have tried from the web layout editor, but the default report template, i.e. stdUserReport in the user datasource, does not contain more than three fields. Is there any method to get such kind of report?
    Please suggest!!

    There was an example component to demonstrate this kind of function. Under Stellent in version 7.5
    I do not know if they hand it out anymore but it is not on the standard samples page for Oracle. You may want to open a Support SR to ask for it. It should still be around in their servers if they can get permission to hand it out as a sample again.
    Sample CustomReports component to demonstrate how to create customized reports
    CustomReportsBundle.zip
    Date:     October 30, 2006
    Sample Version:     version=2006_10_20 (build 1)
    Product and Version:     Content Server
    Sample Status:     This is a Stellent Sample. Stellent Samples are free and include non-supported add-ons, utilities, tutorials or programming examples. It may require additional configuration or security auditing for maximum effect. It is not supported by Stellent without a consulting engagement.

  • Problem with Roles and Triggers

    I'm having a strange problem with Roles and Triggers in Oracle. It's a little difficult to describe, so bear with me...
    I'm trying to create a trigger that inserts records into a table belonging to a different user/owner. Of course, the owner of this trigger needs rights to insert records into this other table. I find that if I add these rights directly to the owner of the trigger, everything works okay and the trigger compiles successfully.
    However, if I first create a Role and grant the "insert" rights to it, and then assign this role to the owner of the trigger, the trigger does not compile successfully.
    To illustrate this, here's an example script. I'm using Oracle 10g Release 2...
    -- Clean up...
    DROP TABLE TestUser.TrigTable;
    DROP TABLE TestUser2.TestTable;
    DROP ROLE TestRole;
    DROP TRIGGER TestUser.TestTrigger;
    DROP USER TestUser CASCADE;
    DROP USER TestUser2 CASCADE;
    -- Create Users...
    CREATE USER TestUser IDENTIFIED BY password DEFAULT TABLESPACE "USERS" TEMPORARY TABLESPACE "TEMP" QUOTA UNLIMITED ON "USERS";
    CREATE USER TestUser2 IDENTIFIED BY password DEFAULT TABLESPACE "USERS" TEMPORARY TABLESPACE "TEMP" QUOTA UNLIMITED ON "USERS";
    CREATE TABLE TestUser.TrigTable (TestColumn VARCHAR2(40));
    CREATE TABLE TestUser2.TestTable (TestColumn VARCHAR2(40));
    -- Grant Insert rights on TestTable to TestRole...
    CREATE ROLE TestRole NOT IDENTIFIED;
    GRANT INSERT ON TestUser2.TestTable TO TestRole;
    -- Add TestRole to TestUser. TestUser should now have rights to INSERT on TestTable
    GRANT TestRole TO TestUser;
    ALTER USER TestUser DEFAULT ROLE ALL;
    -- Now, create the trigger. This compiles unsuccessfully...
    CREATE TRIGGER TestUser.TestTrigger AFTER INSERT ON TestUser.TrigTable
    BEGIN
    INSERT INTO TestUser2.TestTable (TestColumn) VALUES ('Test');
    END;
    When I do a "SHOW ERRORS;" after this, I get:
    SQL> show errors;
    Errors for TRIGGER TESTUSER.TESTTRIGGER:
    LINE/COL ERROR
    2/3 PL/SQL: SQL Statement ignored
    2/25 PL/SQL: ORA-00942: table or view does not exist
    SQL>
    As I said above, if I just add the Insert rights directly to TestUser, the trigger compiles perfectly. Does anyone know why this is happening?
    Thanks!
    Adrian

    Hi Raghu,
    If the insert rights exist only on TestRole, and TestRole is assigned to TestUser, I can do the INSERT statement you suggest with no problems if I just execute it from SQLPlus (logged in as TestUser).
    The question is, why does the same INSERT fail when it's inside the trigger?

  • BI Publisher - SuperUser not able to acces Roles and Permission Page

    I have set up the BI Publisher as said in http://gerardnico.com/wiki/dat/bip/configuration_bip.
    But
    1. SuperUser is not able to access Roles and Permission.
    2. I'm not able to access the BI Answers Catalog.
    I also have a doubt about the BI Server Admin. Is it the RPD Admin?
    Kindly Help

  • BP creation in CRM WebClient - Role and Number Range assignment

    Hello,
    I have the requirement to specify a particular number range and BP role when an Account is created in the CRM WebClient Interface.
    For example as standard, when an employee is created through the CRM WebClient (BSP component BP_EMPL) the default employee role (BUP003) and the default number range are assigned to the BP.
    I would need to specify a different number range and role to the employee
    I've tried to configure the Account Identification profiles (activity "Define Account Identification Profiles" in customizing); with that activity you can specify which role and which number group you want to use for the BP (account) creation. However this customizing is affecting the IC WebClient only and not the CRM WebClient.
    I was wondering if a similar customizing activity exists for the CRM WebClient (in particular for the BP_EMPL application), or if there's a way around this.
    Anybody has an idea about how to solve this?
    Any help would be greatly appreciated, thank you in advance.

    Hi all,
    I have done this by defaulting the BP group in the BAdI.
    1. Go to SE18, select BADI_CRM_BP_UIU_DEFAULTS and select the interface IF_UIU_BP_DEFAULTS.
    2. Go to the method IF_UIU_BP_DEFAULTS~GET_DEFAULT_VALUES and you can write your logic here to default the grouping.
    In my case I wanted all accounts created to be defaulted to a particular grouping and my code looks like this:
    " If the BP category is '2', default the BP group to '0060'
    lv_name1 = lr_current->get_property_as_string( iv_attr_name = 'BP_CATEGORY' ).
    IF lv_name1 IS NOT INITIAL.
      IF lv_name1 = '2'.
        lr_current->set_property( iv_attr_name = 'BP_GROUP'
                                  iv_value     = '0060' ).
      ENDIF.
    ENDIF.
    Thanks & Regards,
    Sanila

  • Account Creation - Badi for Default values for BP Role and Sales Area

    Hi all,
    my requirement regards the possibility to create a new prospect (a link should be available in the navigation bar or create section).
    Logically, a BP role as "Prospect" and a particular sales area should be created automatically.
    I created an implementation for the BADI definition "BADI_CRM_BP_UIU_DEFAULTS". But don't know how to create the default values for BP role and Sales area:
    In my code
    assign cr_me->('VIEW') to <lv_view_name>.
      if sy-subrc ne 0.
        exit.
      endif.
      lv_viewname = <lv_view_name>.
      case lv_viewname.
        when 'AccountDetails.htm'.
    I obtain the viewname "AccountDetails" , the related context "Header". After I don't know how to proceed to obtain the related entities through the relationship BuilRolesRel and BuilSalesArrangementRel.
    Am I following the right way? Is there another solution to prepare the output for default values?
    Any kind of suggestion will be appreciated.
    Regards, Roberto

    Go to SPRO > Cross-Application Components > SAP Business Partner > Business Partner > Basic Settings > Field Groupings > Configure Field Attributes per BP Role.
    Double click the business role which you want to customize (e.g. 'A') and change the proper settings.
    Regards.

  • Navigation through a new role and persistence of user properties

    Hi there,
    I have a question related to roles and user-experience in the SAP Enterprise Portal.
    Depending on the preference of the portal user I would like to offer a different navigation by assigning a new role to the user.
    For example, initially a role offers the navigation shown below:
    Role 1:
    Toplevel navigation:     Entry A        Entry B     Entry C
    After a user request for a different navigation the order of the toplevel navigation changes.
    Role 2:
    Toplevel navigation:    Entry B     Entry C    Entry A     
    In order to realize this, I created two worksets for Entry A. By using merge-ids and a difference in sorting I managed to move the Entry A to the end of the toplevel navigation bar after assigning role 2.
    However, I noticed that iView properties set by the portal users under role 1 are lost after assigning role 2. Is there any way a user can keep the properties set under a previous role when getting assigned to a new role that has the same page?
    Thanks in advance,
    Arko

    FacesContext context = FacesContext.getCurrentInstance();
    context.getApplication().getNavigationHandler().handleNavigation(context,
    null,
    "<<NAVIGATION STRING>>");
    Thanks,
    Navaneeth

  • Automatic Creation of Roles and Role Mappings in GRC

    Hi,
    we are planning to use SAP Identity Management and SAP GRC Access Management.
    In SAP IDM we have defined several business roles that contain privileges in SAP systems. When a user is requesting a role, the request will first be sent to SAP GRC for approval and risk checking.
    In order to get this to work, we need to load the business roles of SAP IDM into SAP GRC and we also need to configure the role mapping between the business roles and the technical SAP privileges.
    From what I understood, this could be implemented by loading the required information via Excel files into SAP IDM. However, this is a quite cumbersome and error-prone approach and we would like to automate this.
    Is there a way to use e.g. web service calls to create/delete roles and role mappings in SAP GRC?
    BTW: is a documentation of all available GRC web service calls and their parameters available?
    Thanks for your help in advance!
    Best regards
    Tom

    Hi Tom,
    as stated before, the web service description is in the config guide.
    Unfortunately there is no web service to create roles or even mappings in CUP - this is one of many I would also like to see created.
    I don't think in your context you will be able to directly send Business Roles to CUP. The role mapping only happens after you send the request, so I'm not sure if that's in time for risk analysis - you will need to try that.
    Are you a customer or a consultant? Anyway, feel free to contact me if you need further help integrating CUP and IdM. This is an evolving interface with many possible scenarios, so it's not easy to give you good advice without seeing the full picture.
    Frank.

  • Roles and Authorization strategy for SAP BIBO

    Hello All,
    We are doing an implementation where the source is an Oracle, SAP BI warehouse and BO XI3.1 as reporting solution.
    Our customer has asked for the authorization strategy that will be implemented in SAP BI. Currently the users belong to different companies or plants or countries
    Current structure is like,
    User 1 belongs to Plant1 of Country1
    User 2 belongs to Plant2 of Country2
    user 3 belongs to Plant3 of Country1 etc..     
    We have more than 500 users who will use the reports. The user belonging to a particular plant should only see the plant data/Country data he belongs to.
    As I understand, we need to create the roles in BW and these roles to be imported into BO to use for the row and column level security.
    The options we considered are,
    1. Use BEx queries in BW with ABAP code in CMOD to identify whether the user belongs to Plant 1, 2 or 3 and provide the necessary authorizations.
    2. Create user groups based on the country or company they belong to and create as many roles as required. This will however impact the maintenance of so many roles in the BI system.
    We are also forced to avoid Bex queries in BW and hence,  trying to connect Multiproviders directly in BO universe.
    How should we go forward in designing the authorization concept? Any better ideas?
    Thanks and Regards,
    Srinivas

    There are two ways which we can implement this kind of authorization based on my knowledge.
    1. Data Security purely at BW
    If the data is secured based on roles and users, there is no  need of additional authorization from BO side except at report and folder level if you go for SAP Authentication.
    Once you use SAP authentication and enable the single sign-on option in the universe connection, the SAP users can access data based on their profile set at BW.
    2. Data Security from BO
    Let's assume that nothing is set at BW and everything is to be taken care of from BO.
    Then you could create one multiple provider for each plant / country. Create one connection for each multiprovider
    Create restrictions (Tools--> Manage Access Restrictions) for each plant/country. There you can change connection names.
    So you would need to create many restrictions for different permutations and combinations.
    I never tried this option with Multiprovider, but it worked well with non-SAP data.
    Hope this helps!
    Regards
    Gowtham

  • Interaction of BW Roles and BWA Explorer Security

    We secure all our BW users via roles these roles have Analysis
    authorizations embedded in them which restrict access to specific
    infoproviders and values in these based on authorization relevant
    infobjects.
    When we try to create a BWA Explorer object in RSDDTPS we are forced to
    assign a userid and an analysis authorization directly in
    the "Authorizations" tab. Our security group only wants to have to
    assign roles to users either via SU01 or CUA.
    Configuration
    BO 2008 Enterprise Server (connected to BW system)
    BW system (Netweaver 7.01 EHP1)
    BWA 7.2
    1) How can we create BWA Explorer objects on a infoprovider without
    directly assigning users in Authorization Tab and how can we make the
    system ignore whatever is on this tab and base access to a BWA explorer
    object on the roles assigned to the user via SU01/CUA.
    2) If a User has roles assigned in BW that give them access to a
    specific infoprovider will this automatically also give them access to
    a BO Server published BWA explorer object built on that infoprovider.
    Related to this do we also need import the same roles and assign to the
    user in CMS server with link to BWA Explorer Server or does the user
    automatically get access to BWA Explorer as long as BWA Explorer is
    published on BO Server.
    3) If the user in BW is assigned roles that limit values based on an
    authorization relevant object is this restriction enforced in the
    values returned in published BWA Explorer for the user. Example
    Authorization Relevant object is Profit Ctr and the user has two value
    roles one contains access to all profit center that roll up to a
    hierarchy node limited to the USA and the other contains hierarchy
    analysis authorization limiting access to all profit centers rolling up
    to hierarchy node representing Europe. When a user accesses the BWA
    Explorer object which contain profit ctr will the values be limited
    only to USA AND Europe Profit centers or will the BW value based
    security be ignored.
    Please provide advice on above questions and document resources on how
    BW role based security interacts with BWA Explorer.

    Hi Expert,
    I need a solution for same scenario, anyone can give inputs.
    Regards,
    Ganesh
