Role Groups

Similar Messages

• GRC CUP - How to add a custom field in "Select Roles/Groups" form

  Hi Forum,
  I created a custom field "REGION" in CUP configuration. I used this field in "Role Attributes"
  In "New Account" workflow, when i click on Select Roles/Groups" a screen for Select Roles/Groups will display to select the roles by different combinations.
  I need this "REGION" field in the above selection creria to select roles by REGION.
  How to make this field "REGION" appear in above selet cretiria.
  Thanks,
  RAM
  Edited by: Ram.Sathish on Apr 21, 2011 3:46 PM

  you can not add custom fields in the search, have you thought about using the company field as the fied for location?
  Regards,
  Chinmaya

• Standard roles, groups, profiles of a rfc-user

  hi,
  can anybody tell me please, which are the standard roles, groups and profiles of a rfc-user in our sap xi-system?
  thanks.
  regards
  Stefan

  Hi,
  Check the links for authorizations.
  http://www.erpgenie.com/sap/netweaver/xi/xiauthorizations.htm
  also check if your user have this roles in abap stack TECODE su01
  SAP_XI_ADMINISTRATOR
  SAP_XI_CONFIGURATOR
  SAP_XI_CONTENT_ORGANIZER
  SAP_XI_DEVELOPER
  SAP_XI_DISPLAY_USER
  SAP_XI_MONITOR
  SAP_ALM_ADMINISTRATOR
  SAP_J2EE_ADMIN
  SAP_SLD_ADMINISTRATOR
  SAP_SLD_CONFIGURATOR
  SAP_SLD_DEVELOPER
  SAP_XI_ADMINISTRATOR_ABAP
  SAP_XI_ADMINISTRATOR_J2EE
  SAP_XI_CONFIGURATOR_ABAP
  SAP_XI_CONFIGURATOR_J2EE
  SAP_XI_ID_SERV_USER
  SAP_XI_IR_SERV_USER
  SAP_XI_RWB_SERV_USER
  SAP_ALM_CUSTOMIZER
  SAP_BC_BASIS_ADMIN
  SAP_BC_BASIS_MONITORING
  ARG_XI_DEV
  Thanks,
  Vijaya.
  Edited

• Effective start and end dates for roles/group assignment

  Hi,
  Does Access Manager (in legacy or realm) mode support effective start date/end date on a role/group assignment on a user?
  Thanks,
  Srinivas

  Hi Ankush,
  I am also of the same opinion. Start and end dates can probably be enforced by a policy condition in AM but would lead to proliferation of policies as we would end up creating policies per role entitlement duration for a user.
  Any thoughts on whether the sunrise/sunset concept of Identity Manager can be used for this requirement.
  Thanks,
  Srinivas

• UME Roles/Groups problem

  UME Roles/Groups problem
  I have installed an ABAP +J2EE instance with the view of using it for Adobe Document Services.
  While following the Adobe Document Services configuration guide, Step 3.2.1.1:
  I'm creating a role in the ABAP engine, creating a user (ADSUser); creating and assigning the role (ADSCallers) to it.
  When I start visual admin, i expect the user to be shown under the 'group': ADSCallers.
  While I can see the user in visual admin, I'm unable to see the group (role in ABAP instance)
  I'm on SP19 NW2004. Any views???

  There is a delay before roles show up as groups on the Java side. The delay runs about 30 minutes. See http://help.sap.com/saphelp_nw04s/helpdata/en/45/af3ac012d32e78e10000000a155369/frameset.htm
  -Michael

• Assign role, group to Human Task when initiated

  Hi all,
  Currently, when user login to BPM and create new task instance, i can get roles and groups of that user by programming. I want to assign roles of user to that task instance dynamically when user click SUBMIT button (Because i want to restrict users belong role are able to do this task, each user belong to a role and group can do it).
  Somebody help?
  Thanks.

  Hi Ming
  1. If you want to intercept any Actions from a Task like Save, Submit, Approve, Reject etc, you can create your own class like MyAppTaskValidationCallback that implements oracle.bpel.services.workflow.task.ITaskValidationCallback and in this overwrite one method named validateTaskOperation(bunch of parameters). See APIs for this.
  In this method, you can get the action performed on the task. Also you can get the complete Payload of the Task including your custom payload and the standard Task Payload stuff like History, Attachments, Comments etc. You can write some simple XML Parser utility methods to get and set attributes in the Payload xsd schema. So in your case, in this method, get Roles, Groups of the logged in user. Check the action performed. If he is not allowed to do that operation, throw the error from this method. Else continue with your logic. To begin with create java class like above, add this code snippet and just explore the data.
  Now, just curious. If your requirement is really to control the actions based on User Role/Groups, did you try to use the out of box functionality and avoid this custom logic. Say for BPM Applications, we have Swimlanes / Roles. Only users belonging to that Role, can work on that Tasks. Try to use out of box stuff as much as possible, unless you really need custom assignment logic.
  Thanks
  Ravi Jegga
  Just giving the code snippet to get an idea. But do refer the online APIs for more information.
  public void validateTaskOperation(ITaskValidationCallback.TaskAction taskAction, IWorkflowContext iWorkflowContext, Task task, Map<String, Object> parameters, Locale locale, List<String> errors) {
  try {
    Element taskPayload = task.getPayloadAsElement();
    String taskTitle;
    String taskOutcome;
    SystemAttributesType taskSystemAttributes = task.getSystemAttributes();         
    taskTitle = task.getTitle();
    System.out.println("MyAppTaskValidationCallback::validateTaskOperation() Begin For TaskTitle: " + taskTitle + " -> TaskAction: " + taskAction + " -> Parameters:\n" + parameters);
    if(taskAction == TaskAction.ACQUIRE) {
        System.out.println("Inside ACQUIRE");
        //parameters.put("AcquiredBy", iWorkflowContext.getUser());
    } else if(taskAction == TaskAction.OUTCOME_UPDATE) {
      System.out.println("Inside OUTCOME_UPDATE");
  } catch (Exception anException) {
    anException.printStackTrace();
  }

• Role grouping

  Hi Xperts
  Role group has been created and couple of roles assigned to it.But when creating
  Org and Group, my role grouping is not displayed in the drop down list.At the same time it is available in the list if trying to create Person.
  Can somebody throw some light on this
  Thanks
  Jessy

  Hi Jessy,
  Just check the roles u have assigned in ur BP role gouping are valid for all the BP categories.
  For this goto:
  SAP Implementation Guide-> Cross-Application Components->SAP Business Partner->Business Partner->Basic Settings->Business Partner Roles->Define BP Roles
  1. View the Roles u have added in BP Role Grouping and check their BP role category.
  2.  Now In BP Role category , check if in Possible Bussiness partner category the all the Bussiness partner categories are selected (Person, Organization, Group)
  In case in ur BP role category, u have a role which is valid for just one BP category say person, even ur BP role grouping will be visible in Person category.
  Regards,
  Shalini Chauhan

• RBAC Role Group rights across a Forest Trust

  Just looking for confirmation here, really.
  I am trying to give user "Jason Argonaut" in ForestA access to ForestB, as an Org Man & Recipt Man member, through a linked mailbox.
  It appears that some access is given once the ForestB mailbox is Linked to ForestA (but I can't tell what -- seems like some access is inherited through AD or something).
  I've then directly added Jason Argonaut's Linked account in ForestB to Org Man & Recipt Man (in ForestB). As I understood it (which isn't that well), that should allow Jason in ForestA to inherit those rights via the Exchange Linked mailbox.
  It appears the Org Man rights aren't really working correctly.
  Does anyone have any kind of explanation regarding what RBAC roles are available to the MsExchMasterAccountSid account? Or limitations?
  I know that alternately, instead of trying to push rights through a Linked Mailbox, I could create a Linked Role Group in ForestB, and a USG in ForestA and drop Jason into the USG, then link them up. That would accomplish the same thing, right?

  Hello,
  it may be a better idea to ask in the Exchange forum
  http://social.technet.microsoft.com/Forums/office/en-US/home?category=exchangeserver
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://msmvps.com/blogs/mweber/
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

• NWA 7.1 - User Administration with regards to Roles/Groups

  Hello,
  Environment = NWA 7.1 , Java Stack Only , No Central User Administration
  Situation      = One group of individuals responsible for developing and maintaining Java Roles & Groups
                        (Permissions). Another group of individuals responsible for maintaining Users and
                        allocating the above Roles & Groups to the Users.
  In accordance with various documentation (ie. http://help.sap.com/saphelp_nwpi711/helpdata/en/4a/e06f429c789041e10000000a1550b0/frameset.htm) I have set up a Role which includes the actions: UME.Manage_Roles, UME.Manage_Groups, UME.Manage_Users, UME.Manage_All_User_Passwords & UME.Read_All. This Role is intended for the second group of individual mentioned above.
  The problem is however that with the mentioned actions they can not only allocate an user to a Role or Group but also delete the Role/Group from the system. Without the above actions in the Role it is not possible to assign Users to a Role/Group.
  This leads me to the question if it is possible to split these two various areas of responibility or does NWA 7.1 view both activities as residing in only group (documentation to this effect would be helpful). If not, which actions will ensure that only Users can be administered but the rights to the system (Roles/Groups) can not be tampered with.
  Many thanks in advance,
  Jay

  Hi Jay,
  UME.Manage_All Provides permissions required by an overall user administrator.
  These include:
  u2022 Administration of users belonging to any company and
  possibility of assigning users to companies
  (In a multitenant portal, even if a tenant user is assigned this
  action, he or she will still only have access to users, groups,
  and roles in his or her tenant.)
  u2022 Group management
  u2022 Role assignment
  u2022 User mapping
  u2022 Import and export of user data
  u2022 Manual replication of user data
  To set up delegated user administration, overall user administrators
  must belong to a role to which the UME.Manage_All action is
  assigned.
  In portal installations, any role that includes the UME.Manage_All
  action automatically has Role Assigner permissions on all portal roles in the portal installation.
  Try this.
  Regards,
  Gowrinadh

• Obtaining url patterns for a user Role/Group

  I am looking for a way to find out how to obtain a the list of accessible urls (url
  patterns) for a role/group defined in weblogic.
  I have gotton as far as if checking if a user is in a group using: javax.ejb.SessionContext
  isCallerInRole(java.lang.String roleName)
  After checking if a user is in a role/group I want to access the url pattern authorised
  for a particular role under weblogic.
  Can this be done.

  I am looking for a way to find out how to obtain a the list of accessible urls (url
  patterns) for a role/group defined in weblogic.
  I have gotton as far as if checking if a user is in a group using: javax.ejb.SessionContext
  isCallerInRole(java.lang.String roleName)
  After checking if a user is in a role/group I want to access the url pattern authorised
  for a particular role under weblogic.
  Can this be done.

• CUP v5.3 SP11.1 - CUP Request button "Existing Roles/Groups"

  Hi!
  Re: CUP v5.3 SP11.1 - CUP Request button "Existing Roles/Groups"
  Can anyone explain why some of our CUP users will see this CUP button in the CUP Request and others will not? Are they missing a UME "ACTION"?
  The button works fine, but it only shows up for some users and not others.
  Thanks for your help!
  -john

  Hello ,
  For Approvers , the button "Existing Roles /Groups" will be visible only when the following "stage" level setting is set
  Change Request Content = Yes
  Add Role =Yes .
  Regards
  -Ranjiv

• Assigning Protal Roles/ Groups with a vaildity date?

  Hi Experts,
  I am trying to find a way by which I can assign the roles / groups to a user in Portal system with a validity date.
  Please comment.
  Thanks, Vishwas

  Directly in the way you are expecting it will not work.
  However there is a report you can schedule called prgn_compress_times which removes duplicate and obsolete assignments of roles. This will then also remove the UME group assignment if the portal used ABAP as UME.
  However you cannot use it if the CUA is active!
  Cheers,
  Julius

• Roles, Groups and Class of Service

  Hi,
  I am new to LDAP, have a good RDBMs background. I have read the Sun documentation to understand the concepts. Can someone recommend a good source that provide examples on how to set up Roles, Groups and Class of Services.
  Thanks,
  Bala.

  Directory Server documentation set contains the best examples to my knowledge.
  You may want to start with the Deployment Guide for introduction to the concepts and Administration Guide for setting them up and examples.
  Regards,
  Ludovic.

• Group-Group & Role-Group Mapping

  Hi Experts,
  Please provide the format of an ume script to Create a New Group and simultaneously assign an existing Group to the new one under Parent Groups.
  I am using the below format, but the existing Group is being assigned under Child Groups.
  [group]
  gid=Group1
  group=GroupA
  [group]
  gid=Group2
  group=GroupB
  [group]
  gid=Group3
  group=GroupC
  Also, Please provide the format of an ume script to assign an existing role to an existing Group.
  The below format doesnot work.
  [role]
  rid=Role1
  group=Group1
  [role]
  rid=Role2
  group=Group2
  [role]
  rid=Role
  group=Group3
  Please suggest on this. It would be really helpful.
  Thanks!
  Regards,
  Divya

  Divya,
  Divya pk wrote:
  Please provide the format of an ume script to Create a New Group and simultaneously assign an existing Group to the new one under Parent Groups.
  A "script" means something functional, this funcionality doesnt exists in that form in EP. What you mean are the descriptors produced by the UME through the export function
  There is no need for providing any examples to you, you can easily create a descriptor for whatever scenario you need simply by using UME export. Due my experience there are only 2 things you need to know about that:
  1.)try to avoid the description field, it will cause problems
  2.)the import engine is handling your definitions in the order they are comming, if any entities are missing, the import process will fail
  regards

• Provision Unix accounts/roles/groups to Directory server using OIM

  Hi,
  I have a requirement to integrated large number of Unix servers with LDAP (OID or Sun Directory Server) for Centralized Authentication and Authorization and to provision Unix accounts/roles/groups to Directory server using OIM, I have following queries.
  1. If using PAM_LDAP then what are the schema changes required in ldap to support it ?
  2. Does OIM's out of box connector for OID or Sun Directory Server supports Unix accounts/roles/groups provisioning to Directory server ? If not, can it be extend ? or do I need to write a custom connector ?
  3. If I use Oracle Authentication Services for OS for centralized unix account management then OIM provisioning is same as #2 or different ?
  Thanks
  Nitin

  yes. iPlanet connector support for multivalued attribute. Go through the connector doc. It will let you know how to extend its functionality.
  --nayan                                                                                                                                                                                                                                                                                                               

• Error when clicked on "Existing roles/groups" button in CUP

  Can you guys please help in resolving the following issues I am facing currently.
  CUP reports an error saying " Action failed" when clicked on  "Existing Roles/Groups" button in CUP request form.
  Below is the log
  2010-03-25 10:21:16,762 [SAPEngine_Application_Thread[impl:3]_2] ERROR com.sap.mw.jco.JCO$Exception: (127) JCO_ERROR_FIELD_NOT_FOUND: Field EXP_ROLES_FLAG not a member of INPUT
  com.sap.mw.jco.JCO$Exception: (127) JCO_ERROR_FIELD_NOT_FOUND: Field EXP_ROLES_FLAG not a member of INPUT
       at com.sap.mw.jco.JCO$MetaData.indexOf(JCO.java:9566)
       at com.sap.mw.jco.JCO$Record.setValue(JCO.java:14956)
       at com.virsa.ae.service.sap.RoleProfileDAO.findRoleProfByUser(RoleProfileDAO.java:110)
       at com.virsa.ae.search.bo.SearchRolesBO.searchExistingRoles(SearchRolesBO.java:580)
       at com.virsa.ae.search.actions.SearchRolesAction.loadExistingRolesHandler(SearchRolesAction.java:1610)
       at com.virsa.ae.search.actions.SearchRolesAction.execute(SearchRolesAction.java:372)
       at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)

  Hi Anand,
  "Action Failed" error for "Exisitng Roles/Groups" comes up when Support Pack level of frontend(JAVA) and backend(ABAP) RTA are not synchronized. It happens mostly with HR RTA.
  Please follow the SAP Note below to make sure your SP's are in Sync.
  Note 1352498 - Support Pack Numbering - GRC Access Control
  Best Regards,
  Sirish Gullapalli.