Role creation issue

Similar Messages

• Request Number is not generated for BRM "new" role creation

  Hello Gurus,
  I have configured BRM in SAP GRC AC 10, along with the workflow .
  I have selected the following methodology
  Define Role --> Maintain Auth >Analyze & Access Risk>Request Approval>Generate Roles>Maintain Test Cases
  Role name : Y_TEST_BRM_FUNCTIONALITY
  So i do the following steps and assign
  1) Role approver as Mr. ABC & Alternate approver as Mr. QRS
  2) Assign the Required transactions and do the RAR i.e i am done till step 3 of methodology
  When i click "Initiate Approval request"
  The approval triggers , and goes to the 1st stage as configured in MSMP
  1) Power User Approval .
  Here the Power User : EFG , open his workflow and see the request as
  Role approval required for role Y_TEST_BRM_FUNCTIONALITY
  The approver approves the request and then the request all together vanishes.
  Unfortunately i am not able to search the request for that role from NWBC -->Search request by
  Process Id : Role Approver Workflow
  It gives blank !!
  Hence neither i am able to find the request no able to do any debugging of it using
  GRFNMW_DBGMONITOR_WD
  Please note that the Request Id is created for any request in CUP.
  Is it that i have to create a number range for BRM request ??
  If so will you please let me know the object

  Hello All,
  I was wrong in posting the cause of problem.
  Please note no "Request number" is generated for Role creation Request.
  The problem was i was unable to search the Role Request approval status from "Search Request" via  Process Id
  It got resolved via SAP note 1643539 : UAM: Search Request not returning result for some Process Id.
  My Issues is Resolved.
  Thank You.
  Regards,
  Victor

• BRM-No Role Creation

  Hi gurus,
  I have just upgraded my GRC 10.0 to SP18 and when I access to create a new role in the NWBC, the button is in grey, I mean, I can not start the creation of it. However, I can modify the roles without problems.
  Any idea of what can be happening?
  Thanks,
  Regards,

  Hello All,
  I was wrong in posting the cause of problem.
  Please note no "Request number" is generated for Role creation Request.
  The problem was i was unable to search the Role Request approval status from "Search Request" via  Process Id
  It got resolved via SAP note 1643539 : UAM: Search Request not returning result for some Process Id.
  My Issues is Resolved.
  Thank You.
  Regards,
  Victor

• How to raise role creation/modification request in AC 10

  We are implementing AC10. I have issue more related to the process followed than technical. Please suggest from your experience.
  We found that we can raise the request for new user account, role assignment to user, etc in Acess Request(formerly CUP), but we cannot raise the request for role creation, role modification. This is directly done in Role management.  My question is, how the security admin will recieve the requests for creating or maintaining the roles. Is it necessary to use ticketing tool for users to raise the request for role creation and modification.
  Thanks everyone for your valuable solutions.

  Dear Ashish,
  Whatever you have mentioned is correct to have the common platform for every request, either for user creation or role creation.
  But what we decided earlier, that the end users can raise the request in CUP directly, rather than involving security admin. But after realizing that there is no request type for role creation, I think we have to use our ticketing tool as a common platform.
  Request will come to security admin from the ticketing tool and than he will create the request in CUP, thereafter it will follow the approval workflow.  Only problem I see in this, it goes to the manager twice, once in ticketing tool and than through CUP workflow. i think we need to take out the manager stage from the workflow.

• Idm-Vaau Rbac role creations and mapping

  Hi All,
  I'm working on the integration between Idm and Vaau's Rbacx (role based access control) tool for role creation and provisioning...I've imported the spml.xml and SPMLGetObjectsform.xml into Idm for the SPML calls between Rbacx and Idm.
  The challenge I'm facing is mapping the attributes of Rbacx roles to enable the attributes to be populated in Idm...I'm able to export roles into Idm, but they are not populating with any attributes eg. resource type, resource attribute etc. I'm uncertain as to where I have to map these properties and do any customization for this to work. I would appreciate if anyone who has worked on this or know how to do this, to pls give me some pointers/share your experience. I don't have any documentation to refer to and am doing everything on trial and error basis.
  Any help is greatly appreciated!
  Thank you.

  Hi newbie,
  Were you able to solve this issue? I am facing the same problem while assigning resource attributes for a created role using a custom workflow.
  This is where I set the resource attributes in my workflow:
  <Action id='1'>
  <expression>
       <block trace='true'>
       <set><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].valueType</s><ref>ADGroupsValueType</ref></set>
       <set><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].requirement</s><ref>ADGroupsRequirement</ref></set>
       <append><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].value</s><ref>ADGroupsValue</ref></append>
       </block>
  </expression>
  </Action>
  where <ref>ADGroupsValue</ref> contains the attribute value.
  thanks,
  Lokesh

• JmsQueueConnectionFactory error post user role creation

  Hi All,
  I installed OIM R2 Ps2 successfully. I tried to create a user , got the error javax.naming.NameNotFoundException:While trying to looup jms.QueueConnectionFactory. But the user got created when i rechecked.
  Same error popped up during role creation. But the role too got created.
  please help me to resolve this error. I dont know what kind of impact this error will create later.
  pls find the below screenshot.
  Thanks.

  Here is the solution :
  The issue was with metadata that has been imported as part of patch deployment (BP06).
  /db/ldapMetadata/EventHandlers.xml has been imported with wrong name. Just deleted meta data it start working.
  Regards,
  Krishna

• 10.6.7 - general pdf creation issues?

  I wondered whether anyone else had run into this issue after updating to 10.6.7 when using pdfs created by Preview - perhaps related to the pdf/font issue.
  If it is generally happening, then the 10.6.7 pdf-font issue has an even larger
  impact than previously described:
  1. Open a pdf document in Preview
  2. Select a region and save to clipboard
  3. Save as a new pdf file
  4. Then try importing it as a "Picture" into any of the new Office 2011 apps: Word, PPT, etc.
  This crashes my office 2011 apps (latest version, 14.02) But NOT any earlier version of Office (2008. etc.), which may not do as much pdf checking.
  Before the 10.6.7 upgrade (ie, 10.6.6), this never happened with Office 2011.
  Acrobat complains when opening the Preview-created pdfs about 'missing fonts', so I suspect some sort of pdf creation issue.
  Any fixes (besides the previously suggested one of downgrading to 10.6.6)
  If it's a real bug (not just local to my system), then it's a more far-reaching one than previously described.

  rcberwick wrote:
  So, 3 different Apple tech support people say they know this problem affects
  "multiple applications, including any that deal with pdf files" but that "no fix is
  currently in the works"
  That is wrong because it only involves OpenType Postscript fonts.
  The only solution offered so far is to "downgrade by doing Archive & Install" and
  then re-applying each Combo Upgrade, starting with 10.6.3 up to 10.6.6.
  You wouldn't have to do that either. That is the point of a Combo update. You only need to apply the one you want. It includes all of the previous updates.

• Role Creation in CUP 5.3

  Hello,
  I'm trying to understand the concept of what is called "role creation" in Compliant User Provisioning.
  My understanding is that the "create role" option in CUP (configuration>Roles>Create Role) means simply adding the "attributes" such as a business process, functional area, system, or company, to the SAP roles that you imported into CUP.  
  It seems that, with CUP, once you have imported SAP roles and "adjusted" them (adding attributes), you are no longer operating PFCG and SU01 in the SAP backend system. From this point on, everything is done in CUP (provisioning) and ERM (creating additional roles).
  Please tell me if I'm wrong.
  HM

  HM,
    The create role option in CUP is mainly for legacy/non-cup supported systems. This way you can follow the standard workflow process for LDAP/Windows/legacy system. In this user provisioning and role assignment will not be done through CUP and will be manual. This is very important for some companies as they want user to go through same process if they want to get access to any system and not only ERP system.
  The below statement is wrong.
  It seems that, with CUP, once you have imported SAP roles and "adjusted" them (adding attributes), you are no longer operating PFCG and SU01 in the SAP backend system. From this point on, everything is done in CUP (provisioning) and ERM (creating additional roles).
  If you don't have ERM then you will have to use PFCG. Once you have CUP, you don't have to use SU01.
  Regards,
  Alpesh

• Approval of role creation

  Hi All
  I need to create a WET for role creation, this is simple But I need to incorporate approval of the creation of the new MX_ROLE entry. I can only find documentation/guides on how to implement approval of role and privilege assignment. Does anyone know if it is possible to setup approval on creation on a new entry?
  Kind regards,
  Heidi

  I have tried to implement the MX_INACTIVE solution. Now it is not possible to see the role on the "Adminstrate"-tab, and there is an approval task on the "To do"-tab. When I click this task, details on the role are displayed properly, but when I try to process the request by clicking the "Show request"-button (button name translated from Danish, it might be translated differently...) I get an error: "Access denied".
  I have set correct approver on the approval task, and I was able to process approval requests, before I set the role to inactive.
  On the approval task, I have checked the "Use inactive entries" checkbox.
  Does anyone have an idea what could be wrong?
  Kind regards,
  Heidi Kronvold

• Role Creation using CAT Scripts

  Hi,
  Step by step procedure needed.
  I need role creation using scripts(SECATT),org values that needs to maintain
  is full authorization.
  pls help me.
  ram

  Hi Ram,
  There is a SECATT tutorial here: http://www.*********************/tutorials/secatt_user_create.html
  If you learn that & the principles associated with SECATT then you can apply that to creating and populating roles.
  In my opinion SCAT is much easier to use, though less flexible,

• Role migrate issue

  When I migrate some Roles from portal nw04 to nw04s, the roles have issue.
  The issue is when I assign these role into some user, the role doesn't work.
  My solution is I go to Content Administrator>xxx role>Change ID then the role is working for user.
  I don't know why I need to do this process when I migrate role.
  Anybody know why?

  It's possible I'm not being very clear as I think you have misunderstood it.  The Hyper-V hosts are fine and their access to the iSCSI CSV is functional.  The problem is the VMs throw up this error when I add a Shared VHDx that is stored on the
  Hyper-V Hosts CSV. 
  Hyper-V Host cluster 'HVCLLAB1' with an iSCSI CSV e.g. C:\ClusterStorage\Volume1.  This is all fine.
  Two virtual file servers in a cluster 'FSCL1'
  The quorum and storage disks for the virtual file server cluster are Shared VHDx that are stored in the 'HVCLLAB1' CSV.  They are added to the virtual file servers through Failover Cluster Manager running on one of the Hyper-V Hosts.
  I hope that makes sense.
  I think I got it.
  You are nesting the VHDX files _within_ the cluster guests?
  If that is the case then the cluster would not be online until after the guests finish their own boot and initialization processes.
  Chicken and the egg.
  Essential cluster resources like the witness disk should be direct attached to an iSCSI LUN not nested within the guest workloads.
  Guest clusters are possible but the focus would be on the workloads they would be running internal to themselves.
  I hope I have things correct this time around. Essentially, putting your cluster witness disk within the guest workloads is not a good practice.
  Philip Elder Microsoft Cluster MVP Blog: http://blog.mpecsinc.ca

• Session creation issues with DS3.2

  We are using BODS 3.2 for development. We are aware that a newer version of DS has been released quite a long time ago but due to some reasons we are still using DS 3.2.
  We are facing some session creation issues. We are using Teradata and Oracle as source and extracting\updating data using some SQLs in script tasks. SQLs are targeting huge amount of data. We executed a job and checked on the servers, sessions were created on the databases. Job kept on executing for long time and was not getting completed, there was no error also. After waiting so long, I checked on Database server and found that session was lost for these SQLs on Database servers. We are able to create a successful connection using Data Stores.
  Please suggest something, Why the sessions are not getting lost on the database servers?.
  Thanks & Regards,
  Gaurav Bansal

  ginger_11 wrote:
  Hi...I'm new to the forum.
  2 of the same phones in my household having similar issues since OS upgrade. 
  -Text automatically going to MMS when sending pics and the pics won't send.  1 phone freezes, the other acts like its sent but not sent-this phone won't load emailed pics either.
  -Keep getting notifications that passwords need updated for email accounts.
  -Facebook app won't load on 1 phone-tried deleting, pulling battery and re-installing.  Still getting "session re log-in required" but there is nowhere to load the log-in info under accounts. Getting the same message on the other phone but the app is still listed under accounts so am able to log in.
  -Both phones are randomly re-starting. Multiple times over past 3 days. 
  Any known issues like these?
  There must be some common factor why both phones are having the same problem.
  With the 10.2.1.537, the only problem I had was a few contacts merged and surnames were repeated.
  I haven't noticed any difference with the latest upgrade.
  Maybe a security wipe and restore contacts and email then one app at a time.

• Customizing Role creation form??

  Hi,
  We have requirement to customize the Role creation form. We have to store extra information in the role object. I know that we can store extra information by using properties attrinute of the Role. But the question is how to expose this to administrators through UI?
  I don't find any form mapping for role creation in the "Forms and Process Mappings" section. Anybody knows how to achieve this requirement? What is the default form used for role creation?
  Thanks in advance.

  There's a userForm configuration object called "Role Form" that is used when you create a new Role.
  You can add a new field to this form like so;
  <Field name='properties.Department'>
  <Display class='Text'>
  <Property name='title' value='Department'/>
  <Property name='disabled'>
  <Boolean>true</Boolean>
  </Property>
  </Display>
  </Field>
  Then the Department attribute will be saved against the Role attribute.
  Is this what you're looking for?
  Cheers,
  Paul

• Program for PFCG Role Creation

  Hi Guys,
  I have a requirement for creating a program that will automate the Role Creation (Transaction PFCG)
  I have the following Questions.
  Is it Really possible via Program.
  The expectation is in selection screen user will give the Standard and Derived Role after execution he expect the role to be created.
  If anybody have experience in the same scenario kindly share me.
  Regards,
  Vijay.

  Try with PFCG_START_PFCG
  G. Lakshmipathi

• GRC AC Request Role Creation

  Hello all,
  I noticed that by default GRC AC doesn´t have a Request Type for Role Creation. Normally how this is done? I mean, if someone realizes that a new role is necessary, how can this person report the need for a new role creation? What are my option here?
  Regards,
  SAP Legend

  Hi SAP Legend,
  You can not request a new role to be created via an Access Request workflow. You still need a business governance strategy where someone has to raise a request outside of the GRC system for the new roles through the right channels deemed fit in your company to get the new role made. Maybe you have a support ticketing system in place or some SAP security department you can raise the formal requests to.
  The BRM Role creation/maintenance workflow runs separately from the Access Request workflow. Further more, the definition and creation process of roles via GRC should only involve and be used by Business Process Owners/Role Owners and the Authorisation security team only, i.e. not general end users.
  A role build methodology will have to be set up and then the underlying approval workflows (based in MSMP technology also, like the AR workflow).
  Once the role has been built (either via back end PFCG) or via GRC using the BRM methodology and approval flows, the role will be available to the end user to request via AR.
  Hope that helps.