Role assigned after workflow triggered

Similar Messages

• Role Assignment to Workflow Tasks

  Hi Experts,
  Any hints on below requirement please :
  Details:
  1. For a role in transaction PFCG, I don't see the Workflow tab
  2. For the same role in transaction SUIM, I can see the Workflow tab and the tasks assigned.
  3. Now, I have a list of workflow tasks and I need to assign Role X, Role Y to all of them
  What is the correct and best way out to do this
  - Role-Task Assignment ::: Is it enough if I add all the workflow tasks in SUIM transaction(workflow tab) for both roles X,Y
  or
  - Task-Role Assignment ::: Can I assign both Roles X,Y in pftc transaction for each of the workflow tasks
  or
  - Both need to be done
  Thanks in advance ...
  ~Ali~

  Hi Ali,
  Answers for your questions:
  1. Transfer Missing Elements: YES
       With this step, new elements will create in the task container based on the method container elements and creates the binding b/w them. It is better to choose YES and after that, if you dont require the binding, you can delete it for respective elements.
  2. YES, we need to follow the same procedure.
  3. Basically production system is having the mandatory configurations like RFC destinations and Classify tasks are general, probably no other activities are required.
  4. For this, I am also waiting for other folks reply.
  Regards,
  Murali Krishna.

• HR indirect role assignment

  If personel no is not the same as infotype 0105 assigned user, How do you check your Indirect role assignment If you are using soultion manger. We dont have PA20, PA30, PA48 t-codes in soulution mangers.our CUA a in Soultion manger . Help is greately appericiated. Thanks

  I created HR_ORG structure(HRMD_ABA) in dev (HR system-Sending system) and add filters according to help.sap document, generate partner profile using we20. After that I transfered org structure in CAU (SolMan-Non HR systems- Receving system) using ALE run (Run SA38 -RHALEINI) i think its working.
  Composite roles are reside in Dev (HR-system), For indirect roles assignment (position level security) i created composit role just only roles name and description with out tcodes and auth object in CUA (SolMan -Non HR system).
  For test position assigment, I run pfcg in CUA(SolMan) click on organization management  select position and click indirect roles assignment after that i did user comparsion but i cant not see users id in user assignment. Please let me know any helpful Suggession. Thanks for ur quick response..

• HR Indirect Role Assignment through HR ORG Distribution Model with ALE

  1) When i assigned indirect (position level security) roles in CUA(SolMan) using pfcg click on organization managment to position after that i did user comparsion but i can not see user id in user tab.
  2) If personel no is not the same as infotype 0105 assigned user, How do you check your Indirect role assignment If you are using soultion manger. We dont have PA20, PA30, PA48 t-codes in soulution mangers.our CUA a in Soultion manger .
  Help is greately appericiated. Thanks

  I created HR_ORG structure(HRMD_ABA) in dev (HR system-Sending system) and add filters according to help.sap document, generate partner profile using we20. After that I transfered org structure in CAU (SolMan-Non HR systems- Receving system) using ALE run (Run SA38 -RHALEINI) i think its working.
  Composite roles are reside in Dev (HR-system), For indirect roles assignment (position level security) i created composit role just only roles name and description with out tcodes and auth object in CUA (SolMan -Non HR system).
  For test position assigment, I run pfcg in CUA(SolMan) click on organization management  select position and click indirect roles assignment after that i did user comparsion but i cant not see users id in user assignment. Please let me know any helpful Suggession. Thanks for ur quick response..

• Abap workflow triggering

  Hi all ,
  i am new to workflow.please let me know how to trigger the workflow .
  my workflow does not get triggered even after my assignment in the triggering events.
  i had also used the transactions swel and swetypv..
  how to check whether through which event my workflow
  gets triggerd .it is a standard sap workflow .

  hi jyothi.
  b4 that.
  go tthur this links. this will give u a good idea.
  http://help.sap.com/saphelp_erp2005/helpdata/en/fb/135962457311d189440000e829fbbd/frameset.htm
  http://help.sap.com/saphelp_erp2005/helpdata/en/c5/e4a930453d11d189430000e829fbbd/frameset.htm
  Workflow
  http://www.sap-img.com/workflow/sap-workflow.htm
  http://help.sap.com/saphelp_47x200/helpdata/en/a5/172437130e0d09e10000009b38f839/frameset.htm
  For examples on WorkFlow...check the below link..
  http://help.sap.com/saphelp_47x200/helpdata/en/3d/6a9b3c874da309e10000000a114027/frameset.htm
  http://help.sap.com/printdocu/core/Print46c/en/data/pdf/PSWFL/PSWFL.pdf
  http://help.sap.com/saphelp_47x200/helpdata/en/4a/dac507002f11d295340000e82dec10/frameset.htm
  http://www.workflowing.com/id18.htm
  http://www.e-workflow.org/
  http://web.mit.edu/sapr3/dev/newdevstand.html
  rgds
  anver
  if hlped mark points

• Need procedure for creation of BW Roles, Assigning Queries,Publishing Roles

  Hi Experts,
    Could you please let me know the procedure for creation of BW Roles, Assigning Queries,Publishing Roles in Business Explorer (BEx - BW 3.5)
  Thanks in advance,
  Andy

  Hi,
  Creating BW Roles
  http://help.sap.com/saphelp_nw04/helpdata/en/52/6714b6439b11d1896f0000e8322d00/frameset.htm
  Assigning Queries
  After creating the query, save the query to a role from the query designer.
  Publishing Roles in Business Explorer
  https://websmp101.sap-ag.de/~sapdownload/011000358700002894802003E/HowToBIPortal1.pdf
  Hope this helps you..!
  -Pradnya

• OBPM 10gR3 Dynamic Role Assignment at user login

  Hi,
  For all the great integration with LDAP in 10gR3, unfortunately, the system is unable to deal with dynamically-defined LDAP groups.
  Our goal is to apply a BPM Role to ALL humans defined in our LDAP.
  All humans happen to already be defined by a dynamically-defined LDAP group called 'AllPeople'.
  It would have been perfect if we could simply assign our BPM Role, 'Employee', to the LDAP group, 'AllPeople'. Sadly you can't (one for the next release pls).
  So as a workaround, what we want to do instead is assign the BPM Role 'Employee' to each individual user dynamically when they first login.
  Since the FDI library is useless outside of a BPM context (you'll find that some of the familiar methods of RoleAssignment are missing), We opted to create an actual BPM process to conduct role assignments, and we would then trigger it via PAPI.
  The question then was, where/when do we invoke the process such that it does the role assignment quickly and soon enough for the appropriate views and applications to appear in their workspace straight after login?
  We opted for a customised implementation of the SSOWorkspaceLoginInterface class.
  However, we tried making the invocation in the setupAuthenticatedSession() and the processRequest() methods but, although the role assignment was successfully done in either case, sadly the user's session was loaded without the new changes - perhaps loaded quicker than the role assignment could be fed back through the directory.
  Therefore, we dumped the invocation in the actual constuctor - and this seems to work for the most part. Yet on the odd ocassion, the role assignment is not quick enough to be realised in the user's workspace session - the user has to logout and back in before the changes are realised.
  We've even tried to get the execution to sleep for a second or two, while the PAPI thread goes about doing the role assignment - again not much success.
  So I really have 2 questions:
  1. Where during login can we make a PAPI call to do a role assignment so that it should be picked up by the time the session is created? perhaps we already are doing it in the right place.
  2. How could we refresh/request a new session cookie without explicitly logging out and back in again? Note, page refresh is not enough.
  Thanks for reading.

  Sorry for the belated response - I don't get notified of replies.
  The code for my custom SSOLoginModule class is:-
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  import java.io.FileInputStream;
  import java.io.IOException;
  import java.util.Properties;
  import fuego.workspace.security.SSOWorkspaceLoginInterface;
  import fuego.papi.Arguments;
  import fuego.papi.CommunicationException;
  import fuego.papi.InstanceInfo;
  import fuego.papi.OperationException;
  import fuego.papi.ProcessService;
  import fuego.papi.ProcessServiceSession;
  import fuego.sso.SSOLoginException;
  import fuego.sso.SSOUserLogin;
  import fuego.jsfcomponents.Util;
  import fuego.workspace.model.common.WorkspaceApplicationBean;
  public class CustomSSOWorkspaceLogin extends SSOUserLogin implements SSOWorkspaceLoginInterface {
  private ProcessService pService;
  private ProcessServiceSession pServiceSession;
  private Properties properties;
  public SSOWorkspaceDBLogin() {
  //Do the role assignment here because it works, and does not work in the ideal location of setupAuthenticatedSession method
  pService = createProcessService();
  pServiceSession = createProcessServiceSession();
  assignDefaultRole(Util.getHttpServletRequest().getRemoteUser());
  private ProcessService createProcessService() {
  return WorkspaceApplicationBean.getCurrent().getProcessService();
  private ProcessServiceSession createProcessServiceSession() {
  return pService.createSession("yourdirectoryusername","yourdirectorypassword",null);
  //This method is used to remotely invoke a BPM process to do the role assignment - no external API to do this directly!
  private void assignDefaultRole(String email) {
  try {
  String processId = "myRoleAssignmentProcessId";
  String argumentName = "argumentName"; //the name of the input argument to feed in the participant
  String argumentValue = email;
  Arguments arguments = Arguments.create();
  arguments.putArgument(argumentName, argumentValue);
  InstanceInfo instance = pServiceSession.processCreateInstance(processId, arguments);
  Long waitTime = new Long(1000);
  Long timeLimit = new Long(5000);
  boolean roleAssigned = false;
  boolean timeLimitExceeded = false;
  Long startTime = System.currentTimeMillis();
  //Allow role assignment thread to complete
  while (!roleAssigned && !timeLimitExceeded) {
  try {
  Thread.sleep(waitTime);
  if (pServiceSession.processGetInstance(instance.getId()).isCompleted()) {
  roleAssigned = true;
  if (System.currentTimeMillis() - startTime > timeLimit) {
  timeLimitExceeded = true;
  } catch (InterruptedException e) {
  e.printStackTrace();
  //close process service session
  pServiceSession.close();
  //Do not close the service itself as it is shared with the Workspace itself!
  //pService.close();
  } catch (Exception e) {
  e.printStackTrace();
  public void setupAuthenticatedSession(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse) throws SSOLoginException {
  //Unfortunately, the below does not work here because the role assignment is not fast enough
  //The result is that the user logs in but cannot see any applications because the role assignment has not been made in time.
  //Therefore, we run the below statements from the constructor - ugly but functions.
  //pService = createProcessService();
  //pServiceSession = createProcessServiceSession();
  //assignDefaultRole(httpservletrequest.getRemoteUser());
  public void processRequest(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse) throws SSOLoginException {
  }

• Workflow triggering problems

  Hi all,
  I have a puchase order release workflow ,and have activated the triggering in tcode pftc,but the problem is ,every time I create a purchase order the workflow triggering gets deactivated and have to manually activate it after each Purchase Order creation or change.
  Does anyone have a clue as to what may cause this problem?
  Regards
  MM

  Hi Raja,
  Thank you for your reply.
  I tried changing the method but it still throws the same error. i dont think this error is related to the Task method , since it can also be a dummy method (as is the case with the leave approval workflow 12300111) .
  Any other helpful suggestions ??
  Thanks,
  Joe

• User-id / Roles  assigned in Solution Manager system

  Hi Friends,
  I need an information regarding following:
  User-id / Roles  assigned in   SOLMAN Dev system   
  SM59 Destinations in Solman dev system  & user-id/pwd used  for connecting to Satellite systems
  User-id/ Roles assigned in   Satellite systems  - EG: ECC , PI , SCM ,BW   for SOLMAN Related User-ids 
  SM59 Destinations in  Satellite systems  & which user-id /pwd is used for connecting to   Solman dev system
  Kindly suggest me how I can get all the above information.
  Thanks & Regards,
  Solman Starter

  All users are created in SOLMAN_SETUP with the proper authorizations, just follow the guided procedure. In LMDB, you can set up the RFC connections to your satellite systems after you pushed the system information with RZ70 / SLD data supplier.

• Status of roles assigned in SU01

  Hi All, Need help to understand the status of a role and effect of user comparison on it... in SU01 assignment to a ID....Cases as below:
  1.Role assigned to the ID has expired....The color of the role I have noticed becomes red...why is it so? is it because the role had a new profile generated since the time role got expired in that user? or is it just because role has got expired and so it becomes red in SU01?
  And are roles and corresponding profiles which got expired removed from the ID automatically or just both role&profile left as it is with only the role turned red giving the text (User comparison required)...
  2.Role assigned to a ID with validity start date set as some date in future. Have seen that in this case too role becomes red after a day!! PFCG_TIME_DEPENDENCY runs..But why is it so??Why does it turn red?

  Hi,
  Role assigned to the ID has expired. the color of the role becomes red. This is because each role assigned to the user has a validity end period. once this date is crossed, the user will not have authorization to objects contained in the role. You can check more details in AGR_USERS table. there you will find that each role attached to a user has a start and end date.

• CUA and role assignment

  Hi forum,
  I have a CUA configured where I want the profile and the role assignment to be distributed global from the central system. I can create new roles with PFCG assign, users there, but I don’t see these new roles in the user details in SU01.
  What am I doing wrong?
  Thank you!

  Hi Chris,
  Seems pretty simple to me. Since it is a new role you need to do a text comparision.
  In the central system of CUA execute the report SUSR_ZBV_GET_RECEIVER_PROFILES in SE38 transaction.
  In receiving systems give all the systems that are part of CUA including the central system (in this particular case only central system can be input since the new role is present in central system) Now execute it and then do the role assignment wither through SU01 or PFCG once again. Check once more.
  After every new role creation this report needs to be executed. This is what is known as Text comparison of roles which can also be done in SU01. Check for the pushbutton for text comparision under tabsrtip Roles within SU01.
  Regards.
  Ruchit.

• Indirect role assignment- PO Release strategy  roles

  Hello,
            I am in the midst of creating PO release strategy roles for implementation and trying to figure out if indirect role assignment / position based assignment would be a good idea for these roles. The reason- there are 35 release codes.
  I am pretty new at using indirect role assignment but do understand a bit about the evaluation paths. We are not implementing SAP HR so there will be no usage of infotype 105. The role will be assigned to the position and then the position to the user ID. The HR Org structure is in place (atleast for the PO release workflow).
  Is this a good idea?
  There is one other think that stumped me. One of the functional consultants (who is also part of business) has asked me why we can't use indirect role assignment for all function (purchasing, sales, finance etc.).  For one, i know with so many users assigned to positions and then indireclty to roles, the overhead would be too much and complex and then the problem with the evaluation paths.
  But i am not convinced myself that this is the best explanation to give...
  Any ideas on how to put it through correctly?
  Regards,
  Prashant

  Hi Prasanth,
  I also had a similar requirement, but since there are multiple release codes, and limits, we ended up with a custom solution, since it is a bit tough when it is required to manually assign the authorization to a person who is in a seperate job role.
  We have used a custom user exit, and all the values were stored in a custom table which contains Sales Organization, User, Lower limit, Upper limit, Division, and Release codes information etc.,
  We have further created a custom transaction code that reads information from the table and authorizes for the upper, and lower limit of approvals along with the company code/release code authorzation checks.
  Hope this helps!!
  Regards,
  Raghu

• GRC 10 BRM - Approve Single Role assignment in Business Roles

  Hello,
  I want to set up a workflow where any Single Role assigned to a Business Role requires an approval of the Single Role Owner.
  The thing is that my customer doesn't have a Security Administrator, so what they want is that each Single Role Owner could be aware when their roles are assigned to a Business Role, especially when the Business Role Owner is another person.
  Once the Business Role is created, the provisioning would be in charge of Business Role Owners.
  Do you know any way to configure this?
  Thanks,
  Fernando

  Hi Claudio - thanks for breaking it down
  @ Fernando - for the Role Approval Methodology you need to split your approval out to be based on request type. Claudio has shown this up above already. In continuing his example, where the business role goes to path C - you would then have Path C do a line by line approval based on the single role owners
  By using this role approval methodology your single role approvers are indirectly allowing  any user who are approved the business role via an access request and that request is approved by business role owner (which is role owner).
  As mentioned - you are using two different workflow process ids
  Role Build - using BRM to approve the single roles being part of the business role
  Access Assignment - approving the user to receive the business role which includes the single roles
  Regards
  Colleen

• Workflow triggers unwantedly

  Hi All ,
  we are a strange issue in EC incoming Invoice workflow in SRM, descriptiojn is as follows
  we have two workflow in our system for invoice one goes through approval and other auto approval , and on the SRM portal at header level in the basic data we have added two custom fields allow NON-PO invoice and Allow RE ,and implemented the doc_check_badi , now at the line item level if we do not give any PO refernce and check/post  then we get an error message saying the entrer PO and the status of the invoice to " to be corrected manually" ideally in the above case approval  workflow should not trigger , it sould only trigger when we tick the allow Non-po invoice check button , and it was working fine , but suddenly after patch upgrade the approval workflow triggers even if we do not tick the chck box at header level . Can anyone suggest did any thing go wrong in patch upgrade , I have checked all the conditions and linkages all are fine, but i guess some standard setting is missing which would have gone missing .

  Dear all,
           Thanks a lot for reading my post with intention to answer.
           The issue is resolved now.
           The problem was at BAdI.To trigger the workflow with event CREATED for purchase requisition, BAdI named ME_REQ_POSTED needs to be used :
           Following coding is used for the same :
  method IF_EX_ME_REQ_POSTED~POSTED.
    DATA: WA_EBAN TYPE EBAN.
    DATA L_S_EBAN TYPE UEBAN.
    DATA: OBJKEY TYPE SWEINSTCOU-OBJKEY .
    LOOP AT IM_EBAN INTO L_S_EBAN .
    ENDLOOP.
      IF ( SY-TCODE = 'ME51N' AND SY-UCOMM NE 'MECHECKDOC' ) OR SY-TCODE = 'ME52N'  .
        IF  L_S_EBAN-BSART = 'ZNB'.
          OBJKEY = L_S_EBAN-BANFN.
          SELECT SINGLE * FROM EBAN INTO WA_EBAN WHERE BANFN EQ OBJKEY.
          IF SY-SUBRC NE 0.
            CALL FUNCTION 'SAP_WAPI_CREATE_EVENT'
              EXPORTING
                OBJECT_TYPE             = 'BUS2105'
                OBJECT_KEY              =  objkey
                EVENT                   =  'CREATED'
               COMMIT_WORK             = 'X'
               EVENT_LANGUAGE          = SY-LANGU
               LANGUAGE                = SY-LANGU
               USER                    = SY-UNAME
  *   IFS_XML_CONTAINER       =
  * IMPORTING
  *   RETURN_CODE             =
  *   EVENT_ID                =
  * TABLES
  *   INPUT_CONTAINER         =
  *   MESSAGE_LINES           =
  *   MESSAGE_STRUCT          =
          endif.
        endif.
      endif.
     endmethod.
            I have missed the loop block.That's why the workflow was not triggering.
  Regards,
  S.Suresh

• Approval Task for role assignment

  Hello again,
  is there any manual for approval tasks with the SAP Provisioning Framework? There is a task group called Request new business role, but if I use this, the approver approves the request, but the status of the role assignment is "in process"and never changed to "OK".
  I only found these manuals:
  - How To... Create Approval Tasks in SAP NetWeaver Identity Management
  - Implementing role approvals
  But both documents didn't show an end-to-end role-request-and-approval workflow.
  Thanks in advance.

  Hello Matt, hello Peter,
  the web-enabled task "Request New Business Role" and the including approval task are only examples.
  To create own approval processes for your projects you have to understand how approval tasks and pending values work.
  The following document shows the basics of PVOs (pending value objects).
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b0d6b459-3456-2b10-209e-9e78ec9fd97b?quicklink=index&overridelayout=true
  This is documentation of the release 7.0, which is not updated to 7.1. But basics of PVOs are still the same.
  There is also a document which describes approval task for Release 7.1:
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/20b67ad5-c69a-2c10-9da2-9721b1cf749c?quicklink=index&overridelayout=true
  Also a "How-To Guide" is available:
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/904deabf-73b9-2c10-e8bb-8514dc3757f2?quicklink=index&overridelayout=true
  I think this is enough to learn to create workflows in SAP IdM.
  There is also a nice book available with detailed information:
  EN: http://www.sap-press.com/products/Understanding-SAP-NetWeaver-Identity-Management-.html
  DE: http://www.sap-press.de/2007
  I think this will help you.
  Best regrads,
  Christoph Reckers