Role creation: how to detect if is ERM or PFCG

Similar Messages

• How to raise role creation/modification request in AC 10

  We are implementing AC10. I have issue more related to the process followed than technical. Please suggest from your experience.
  We found that we can raise the request for new user account, role assignment to user, etc in Acess Request(formerly CUP), but we cannot raise the request for role creation, role modification. This is directly done in Role management.  My question is, how the security admin will recieve the requests for creating or maintaining the roles. Is it necessary to use ticketing tool for users to raise the request for role creation and modification.
  Thanks everyone for your valuable solutions.

  Dear Ashish,
  Whatever you have mentioned is correct to have the common platform for every request, either for user creation or role creation.
  But what we decided earlier, that the end users can raise the request in CUP directly, rather than involving security admin. But after realizing that there is no request type for role creation, I think we have to use our ticketing tool as a common platform.
  Request will come to security admin from the ticketing tool and than he will create the request in CUP, thereafter it will follow the approval workflow.  Only problem I see in this, it goes to the manager twice, once in ticketing tool and than through CUP workflow. i think we need to take out the manager stage from the workflow.

• How to detect Role Environment

  Hello,
  I want to know how to detect Role Environment is staging or production in web role. i am doing project in Azure cloud with asp.net

  Hi Vikas,
  You could use Azure Management API to get the deployment configuration. For example, You could use
  'Get Deployment' to get a deployment information. And you could get the role environment form the 'DeploymentSlot' . About how to detect the Environment, I suggest you
  could refer to those post:
  http://stackoverflow.com/a/4330628
  http://stackoverflow.com/a/7111195
  And I suggest you could see this code sample from this page:
  http://convective.wordpress.com/2009/12/19/service-management-api-in-windows-azure/
  Hope this helps.
  Will 
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• ANSWER: HOW TO DETECT Java Plugin from JavaScript

  I created a new topic because the questions about
  how to detect Java Plugin in browsers are scattered
  thoughout this forum.
  Basically you need to employ two approaches for IE and NS.
  In IE you need to try to instantiate a small applet
  (not your production applet) in order to see if browser
  can do it. if the browser can do it, you can make a
  call applet from JavaScript in order to find version of
  JRE (as well as a host of other things).
  In NS you can write a simple JavaScript which will
  interrogate the browser for all plugins installed. Then
  ypu can make a desicion whether to pass execution to
  the next(or generated) page which hosts your applet,
  or ask the user to download/install a plugin.
  I ecourage everybody to host a plugin on your site
  rather leave default link to it which is generated by
  html converter.
  In order to run sample,
  Prerequisites:
  Java Plugin 1.3.
  If you have a different version of plugin,
  substitute hardcoded plugin version in JavaScript for
  value that you have.
  1. compile java file
  2. put class file in the same directory with html file
  3. load html file into the browser.
  4. press "Check Java Plugin.." button
  5. see it work
  6. examine code
  7. uninstall plugin
  8. repeat steps 1 - 4
  9. see it work
  10. install plugin.
  Sample code follows:
  **********************HTML FILE BEGIN***********
  <HTML>
  <HEAD>
  <!-- Generated by Kawa IDE -->
  <TITLE>Detect Java Runtime</TITLE>
  </HEAD>
  <SCRIPT LANGUAGE="JavaScript">
  var browsername;
  function doNetscape()
  for (i=0; i < navigator.plugins.length; i++)
  for (j = 0; j < navigator.plugins.length; j++)
  if(navigator.plugins[i][j].type == "application/x-java-applet;version=1.3")
  alert("You are running Netscape with Java Plugin 1.3.0 - OK");
  return;
  alert("You are running Netscape\nPlease, install Java Runtime Environment 1.3.0");
  function doMicrosoft()
  var applet = document.myApplet;
  if(applet == null)
  alert("You are running Microsoft Browser.\nPlease, install Java Runtime Environment 1.3.0");
  return;
  var version = applet.getJavaVersion();
  if(version == "1.3.0")
  alert("You are running IE, Java Plugin 1.3.0 installed - OK");
  else
  alert("You are running IE, other plugin installed - mybe OK if later that 1.3.0\nYour version: " + version);
  function getJava()
  var applet = document.myApplet;
  if(applet == null)
  alert("Please, install Java Runtime Environment");
  return;
       alert("JRE Version: " + document.myApplet.getJavaVersion());
  function checkJavaPlugin()
       browsername = navigator.appName;
       if(browsername.indexOf("Netscape")!= -1)
            browsername="NS";
            doNetscape();
       else
            if(browsername.indexOf("Microsoft")!=-1)
                 browsername="MSIE";
                 doMicrosoft();
            else
                 browsername="N/A";
                 alert("Unknown browser: " + browsername);
  </SCRIPT>
  <body>
  <Strong>Check Java Plugin</strong>
  <OBJECT id="myApplet" classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"
       WIDTH = 1
       HEIGHT = 1 >
       <PARAM NAME = CODE VALUE = "DetectPluginApplet.class" >
       <PARAM NAME="scriptable" VALUE="true" >
       <embed type="application/x-java-applet;version=1.3"
            code = DetectPluginApplet width = 2 height = 2 MAYSCRIPT = "true" >
       </embed>
       </EMBED>
  </object>
  <FORM>
       <INPUT TYPE="button" value="Get Plugin Version in IE" onClick="getJava()">
       <INPUT TYPE="button" value="Check Java Plugin in NS and IE" onClick="javascript:checkJavaPlugin()">
  </FORM>
  </BODY>
  </HTML>
  **********************HTML FILE END***********
  ***************APPLET FILE BEGIN***********
  import java.awt.*;
  public class DetectPluginApplet extends java.applet.Applet
       public void init()
            add(new Label("DetectPluginApplet"));
  public String getJavaVersion()
  return System.getProperty("java.version");
  **************APPLLET FILE END************

  Try following java script, it works on new browsers (NS 4+, IE5+). For IE you have to enable 'ActiveX objects creation' in security options.
  var agt=navigator.userAgent.toLowerCase();
  var is_major = parseInt(navigator.appVersion);
  var is_nav = ((agt.indexOf('mozilla')!=-1) && (agt.indexOf('spoofer')==-1)
  && (agt.indexOf('compatible') == -1) && (agt.indexOf('opera')==-1)
  && (agt.indexOf('webtv')==-1) && (agt.indexOf('hotjava')==-1));
  var is_nav4up = (is_nav && (is_major >= 4));
  var is_ie = ((agt.indexOf("msie") != -1) && (agt.indexOf("opera") == -1));
  var is_ie5 = (is_ie && (is_major == 4) && (agt.indexOf("msie 5.0")!=-1) );
  var is_ie5_5 = (is_ie && (is_major == 4) && (agt.indexOf("msie 5.5") !=-1));
  var is_ie6 = (is_ie && (is_major == 4) && (agt.indexOf("msie 6.0") !=-1));
  var is_ie5up = (is_ie && (is_major == 4)
  && ( (agt.indexOf("msie 5.0")!=-1)
  || (agt.indexOf("msie 5.5")!=-1)
  || (agt.indexOf("msie 6.0")!=-1) ) );
  var pluginDetected = false;
  var activeXDisabled = false;
  // we can check for plugin existence only when browser is 'is_ie5up' or 'is_nav4up'
  if(is_nav4up) {
  // Refresh 'navigator.plugins' to get newly installed plugins.
  // Use 'navigator.plugins.refresh(false)' to refresh plugins
  // without refreshing open documents (browser windows)
  if(navigator.plugins) {
  navigator.plugins.refresh(false);
  // check for Java plugin in installed plugins
  if(navigator.mimeTypes) {
  for (i=0; i < navigator.mimeTypes.length; i++) {
  if( (navigator.mimeTypes[ i].type != null)
  && (navigator.mimeTypes[ i].type.indexOf(
  "application/x-java-applet;jpi-version=1.3") != -1) ) {
  pluginDetected = true;
  break;
  } else if (is_ie5up) {
  var javaVersion;
  var shell;
  try {
  // Create WSH(WindowsScriptHost) shell, available on Windows only
  shell = new ActiveXObject("WScript.Shell");
  if (shell != null) {
  // Read JRE version from Window Registry
  try {
  javaVersion = shell.regRead("HKEY_LOCAL_MACHINE\\Software\\JavaSoft\\Java Runtime Environment\\CurrentVersion");
  } catch(e) {
  // handle exceptions raised by 'shell.regRead(...)' here
  // so that the outer try-catch block would receive only
  // exceptions raised by 'shell = new ActiveXObject(...)'
  } catch(e) {
  // Creating ActiveX controls thru script is disabled
  // in InternetExplorer security options
  // To enable it:
  // a. Go to the 'Tools --> Internet Options' menu
  // b. Select the 'Security' tab
  // c. Select zone (Internet/Intranet)
  // d. Click the 'Custom Level..' button which will display the
  // 'Security Settings' window.
  // e. Enable the option 'Initialize and script ActiveX controls
  // not marked as safe'
  activeXDisabled = true;
  // Check whether we got required (1.3+) Java Plugin
  if ( (javaVersion != null) && (javaVersion.indexOf("1.3") != -1) ) {
  pluginDetected = true;
  if (pluginDetected) {
  // show applet page
  } else if (confirm("Java Plugin 1.3+ not found, Do you want to download it?")) {
  // show install page
  } else {
  // show error page
  }

• Role Creation in CUP 5.3

  Hello,
  I'm trying to understand the concept of what is called "role creation" in Compliant User Provisioning.
  My understanding is that the "create role" option in CUP (configuration>Roles>Create Role) means simply adding the "attributes" such as a business process, functional area, system, or company, to the SAP roles that you imported into CUP.  
  It seems that, with CUP, once you have imported SAP roles and "adjusted" them (adding attributes), you are no longer operating PFCG and SU01 in the SAP backend system. From this point on, everything is done in CUP (provisioning) and ERM (creating additional roles).
  Please tell me if I'm wrong.
  HM

  HM,
    The create role option in CUP is mainly for legacy/non-cup supported systems. This way you can follow the standard workflow process for LDAP/Windows/legacy system. In this user provisioning and role assignment will not be done through CUP and will be manual. This is very important for some companies as they want user to go through same process if they want to get access to any system and not only ERP system.
  The below statement is wrong.
  It seems that, with CUP, once you have imported SAP roles and "adjusted" them (adding attributes), you are no longer operating PFCG and SU01 in the SAP backend system. From this point on, everything is done in CUP (provisioning) and ERM (creating additional roles).
  If you don't have ERM then you will have to use PFCG. Once you have CUP, you don't have to use SU01.
  Regards,
  Alpesh

• Idm-Vaau Rbac role creations and mapping

  Hi All,
  I'm working on the integration between Idm and Vaau's Rbacx (role based access control) tool for role creation and provisioning...I've imported the spml.xml and SPMLGetObjectsform.xml into Idm for the SPML calls between Rbacx and Idm.
  The challenge I'm facing is mapping the attributes of Rbacx roles to enable the attributes to be populated in Idm...I'm able to export roles into Idm, but they are not populating with any attributes eg. resource type, resource attribute etc. I'm uncertain as to where I have to map these properties and do any customization for this to work. I would appreciate if anyone who has worked on this or know how to do this, to pls give me some pointers/share your experience. I don't have any documentation to refer to and am doing everything on trial and error basis.
  Any help is greatly appreciated!
  Thank you.

  Hi newbie,
  Were you able to solve this issue? I am facing the same problem while assigning resource attributes for a created role using a custom workflow.
  This is where I set the resource attributes in my workflow:
  <Action id='1'>
  <expression>
       <block trace='true'>
       <set><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].valueType</s><ref>ADGroupsValueType</ref></set>
       <set><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].requirement</s><ref>ADGroupsRequirement</ref></set>
       <append><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].value</s><ref>ADGroupsValue</ref></append>
       </block>
  </expression>
  </Action>
  where <ref>ADGroupsValue</ref> contains the attribute value.
  thanks,
  Lokesh

• Approval of role creation

  Hi All
  I need to create a WET for role creation, this is simple But I need to incorporate approval of the creation of the new MX_ROLE entry. I can only find documentation/guides on how to implement approval of role and privilege assignment. Does anyone know if it is possible to setup approval on creation on a new entry?
  Kind regards,
  Heidi

  I have tried to implement the MX_INACTIVE solution. Now it is not possible to see the role on the "Adminstrate"-tab, and there is an approval task on the "To do"-tab. When I click this task, details on the role are displayed properly, but when I try to process the request by clicking the "Show request"-button (button name translated from Danish, it might be translated differently...) I get an error: "Access denied".
  I have set correct approver on the approval task, and I was able to process approval requests, before I set the role to inactive.
  On the approval task, I have checked the "Use inactive entries" checkbox.
  Does anyone have an idea what could be wrong?
  Kind regards,
  Heidi Kronvold

• Customizing Role creation form??

  Hi,
  We have requirement to customize the Role creation form. We have to store extra information in the role object. I know that we can store extra information by using properties attrinute of the Role. But the question is how to expose this to administrators through UI?
  I don't find any form mapping for role creation in the "Forms and Process Mappings" section. Anybody knows how to achieve this requirement? What is the default form used for role creation?
  Thanks in advance.

  There's a userForm configuration object called "Role Form" that is used when you create a new Role.
  You can add a new field to this form like so;
  <Field name='properties.Department'>
  <Display class='Text'>
  <Property name='title' value='Department'/>
  <Property name='disabled'>
  <Boolean>true</Boolean>
  </Property>
  </Display>
  </Field>
  Then the Department attribute will be saved against the Role attribute.
  Is this what you're looking for?
  Cheers,
  Paul

• GRC AC Request Role Creation

  Hello all,
  I noticed that by default GRC AC doesn´t have a Request Type for Role Creation. Normally how this is done? I mean, if someone realizes that a new role is necessary, how can this person report the need for a new role creation? What are my option here?
  Regards,
  SAP Legend

  Hi SAP Legend,
  You can not request a new role to be created via an Access Request workflow. You still need a business governance strategy where someone has to raise a request outside of the GRC system for the new roles through the right channels deemed fit in your company to get the new role made. Maybe you have a support ticketing system in place or some SAP security department you can raise the formal requests to.
  The BRM Role creation/maintenance workflow runs separately from the Access Request workflow. Further more, the definition and creation process of roles via GRC should only involve and be used by Business Process Owners/Role Owners and the Authorisation security team only, i.e. not general end users.
  A role build methodology will have to be set up and then the underlying approval workflows (based in MSMP technology also, like the AR workflow).
  Once the role has been built (either via back end PFCG) or via GRC using the BRM methodology and approval flows, the role will be available to the end user to request via AR.
  Hope that helps.

• Mass roles creation

  Hi all,
  I am supposed to create 2000 roles in our system.
  Is there any way to create roles in mass.
  If there please provide me the details to do the mass roles creation.
  Thanks in advance.
  Regards,
  Suganya

  > I am supposed to create 2000 roles in our system.
  > Is there any way to create roles in mass.
  How do you mean 'in mass'? Do you want 2000 identical copies of one role, are you talking about derived roles or do you need to create 2000 completely different roles?
  Please give us some more information. (And prepare for the fact that some tasks do not have shortcuts...)
  Jurjen

• How to do Enhancements in Reporting & What is Role and How to create Roles

  Hi All,
  Can any one tell How to do Enhancements in Reporting, and also What is Role and How to create Roles in Reporting?
  Plz reply back me on [email protected]
  Regards,
  Kiran

  Reporting Enhancement - RSR00001 - BW: Enhancements for global variables in reporting
  And using the SAP Exit - EXIT_SAPLRRS0_001
  RSR00001- With this enhancement to global variables in reporting you have the option of determining your default values for variables. You can use this enhancement for variables, for which 'Processing by Customer-Exit' has been selected in the variable maintenance. This is valid for all variable types (characteristic value, node, hierarchy, formula and text variables). You use the Exit EXIT_SAPLRRS0_001 for this.
  The Enhancement component (RSR00001) must be assigned to a Project Created using the Transaction CMOD. On activating the Project, the Exit would become active and in turn the logic written inside the Exit.
  To ensure that the data warehousing soultion reflects your company's structure and business needs it is critical that you establish who is authorized to access the data.With SAP BW, Authorizations can be defined and maintained by object and can also be applied to hierarchies and these authorizations can be inserted into roles that are used to determine what type of content is available to specific users or user groups.
  T-code for Role maintainence -PFCG.
  Please assign points if it is useful.
  Regards
  Pavan Prakhya

• How to detect USB Flash Drive name in LabVIEW

  Hi there
  I was looking for how to detect a USB Flash Drive name in Labview
  appearently every time i insert USB Flash Drive in a computer, windows assign it a different name
  once "J:" and sometimes "M:"
  Is there anyway to obtain USB Flash Drive name programmatically in Labview ?
  Because in my program an user shouldn't be able to access HDD Drives except his USB Flash Drive (for inserting some file ...)
  thank you and excuse me for my poor english 

  I was able to get the demo.vi to load, but it could not load the other two because there is no block diagram associated with those.  I'm not sure why this is.  I haven't had any issues with other llbs before.
  Reese, (former CLAD, future CLD)
  Some people call me the Space Cowboy!
  Some call me the gangster of love.
  Some people call me MoReese!
  ...I'm right here baby, right here, right here, right here at home

• How to detect a selected row in ALV GRID

  Hi,
  Can anyone tell me how to detect and catch an event when a row is selected in an ALV GRID?
  I would like to catch such event when the end user presses Ctrl + Shif + Space bar.
  Thank you and best regards.
  Hassane.

  Hi,
  Use this wiki link, to have a checkbox with all the records in ALV Grid and to process those selected records at a user command, as per the requirement.
  https://www.sdn.sap.com/irj/scn/wiki?path=/display/snippets/alv%252bgrid%252bdisplay%252bwith%252bcheckbox%252bto%252bprocess%252bselected%252brecords%252bat%252bruntime
  Hope this solves your problem.
  Thanks & Regards,
  Tarun Gambhir

• How to detect the Acrobat Browser Plug-in version installed on a users system for non-IE browsers?

  How to detect the *Acrobat Browser Plug-in version* installed on a users system, on Firefox, Safari, Opera, etc?
  Or one script for detecting Plug-in version for major browsers. Need full example code.

  Wrote an article on this with code samples (Javascript + HTML) - basically there are differences between IE and other browsers. Chrome natively comes with the Chrome PDF Viewer so I've incorporated that in my detection script.
  The script detects the browser type, and the installed acrobat version...
  Have a look here:
  Detect the Adobe Reader Plugin

• How to detect the path of Temp directory

  I am writing a class library which allows users to manipulate a database in the web server java applications/applets. In my logic the Application/Applet communicate with a CGI script/Servlet in the server and that do all the database handling. My objective is to make the Client independant from the Database Drivers, and to some restrictions and possible security threats that can arrice when accessing the database directly.
  99% of the work is done and now I am doing the fine tuning.
  My Problem:
  When the user downloading a blob object from the server database. each time the program read the blob it will get a new copy from the server. This is not good if the blob is large (few 100 megs) . So I am going to implement a cache system. but the problem is If I am caching in the memory it will not support large objects (Memory is a limited factor). So the preferance is use the Temperary files but I do not know how to detect the path to temperary folder.
  And my 2nd questions is are the applets allowed to write and read in temperary folder.

  The Java default temporary file path can be determined with
  System.getProperty("java.io.tmpdir")This is typically the same value as the os environment variable