Roles/Privileges provisioning to unrelated systems

Hello IDM Gurus,
I set up an IDC config and connected it to 3 SAP target systems, say A, B and C. Each of the repositories/target systems have linked up to default provisioning/deprovisioning/modify tasks from the SAP provisioning framework. I have imported privileges from each of these systems; I have contained a basic user privilege from each target system within its own simple role through the role members section of each privilege. Provisioning the role related to a specific system should ideally provision to only the related system; instead I'm encountering the weird error of provisioning Role A (containing privilege A) to a user but instead of just provisioning to system A, the user gets provisioned to systems A, B and C. This made absolutely no sense to me, so I went through and checked to see if there were any rogue links between the other privileges and roles, but there were none. I tried to simplify things and tried provisioning just the privilege directly to the user and it did the same thing; provisioning privilege A to a user ends up automatically provisioning the user to system A, B and C.
Are the repositories messed up? Should they be created from scratch?
I'm stumped; any ideas/suggestions?
I would appreciate any help with the issue! Thanks in advance!
Best regards,
Sandeep

Thanks a lot for your quick response Paul!
I checked the privileges as well as the initial load jobs and the privileges are set to Inherited/None for Provision and Deprovision and already set to None for the Modify task; this is happening as you suggested through our initial load jobs which set the Modify Task to -1. Unfortunately, adding a privilege still seems to be triggering the other systems' provisioning tasks as well; add the privilege for system A and the "Group System Provisioning" task kicks off and fires all 3 systems provisioning tasks.
Is there any other property on the privileges or repository that I should be checking or fixing in order to prevent this behavior? Or is there anything else that I haven't thought of checking that could be causing this behavior?
I would really appreciate any ideas/suggestions.
Thanks much for your time and help!
Cheers!
Sandeep

Similar Messages

  • AE 5.2: Roles get provisioned to backend system but profiles randomly not

    Hi,
    we are currently switching from profiles to roles and therefore created a user request containing the roles to be assigned and the profiles to be removed. The roles are assigned successfully to the user, but some profiles are randomly not removed. The backend user used by AE has the correct authorizations.
    Has anybody had such a problem before?
    Thank you for your answers
    Marco

    Hi Hersh,
    we did a user role comparison several times before and users had the profiles already for a period of time. Also, the requests get submitted randomly, meaning we can't monitor all the requests, because the last approvers approve the request at some point and then the request gets provisioned. Further, AE should provide any message in such a case.
    Could it be that such a scenario happens if the user to be changed is logged on to the system? But when changing user authorization in the backend system itself this doesn't have any impact, and this also applies for the GRC backend user.
    Regards.
    Marco

  • Role Provisioning failed for System(s) : Connector Name . Error Message : malformedRequest

    Hi everyone, we are facing the following issue in GRC-SAC-SAE 5.3_16.3. So far our CUP was connected to Enterprise Portal (7.01) and auto provisioning for group to users worked. However, now it is not working, with the error below.
    Role Provisioning failed for System(s) : <Connector Name>. Error Message :
    malformedRequest
    Failed request now
    Successful request used to provision
    Regards,
    Arpan Paik

    Arpan,
    We used to get those "malformed request" errors. We dealt with them by requesting the portal to be re-booted during the weekend maintenance window, making the portal security changes manually, cancelling the CUP request and notifying the requester. It's not a great solution, I know, but it was all we could come up with at the time. Then they upgraded the portal to NW 7.31, which is incompatible with GRC 5.3, and we have to do everything manually, so our situation went from bad to worse. Good luck!
    Cheers,
    Gretchen

  • Pre-populate adapters behaviour during role based provisioning

    Hi all,
    I have a question about pre-populate adapters behaviour during role based provisioning.
    I'll shortly describe our architecture: we have OIM 11.1.1.3, the Active Directory connector and obviously Active Directory as target system.
    Our scenario is: when assigning a role to a user, OIM should provision two accounts for this user to the same target system but in two different organizational units (Active Directory).
    Here some sample information to better understand our request:
    - OIM User userID: userid1
    - Active Directory IT Resource: ADServer1
    - Active Directory Organizational Units: OU1 and OU2
    - Role: Example Role
    - UserID of the account provisioned in OU1: admin.userid1 (in this organizational unit the UserID is composed of a prefix "admin." and the OIM User UserID "user1")
    - UserID of the account provisioned in OU2: user.userid1 (in this organizational unit the UserID is composed of a prefix "user." and the OIM User UserID "user1")
    To achieve this goal, we have created two access policies, AP1 and AP2. The first access policy provisions the user account in OU1, while the second one provisions it in OU2.
    Here some access policies form details:
    ### AP1 ###
    - AD Server: ADServer1
    - Organization Name: OU1
    (other fields are empty)
    ### AP2 ###
    - AD Server: ADServer1
    - Organization Name: OU2
    (other fields are empty)
    Our idea was to develop two pre-populate adapters: one to compose the userID with the "admin." prefix and the other one to compose the userID with the "user." prefix. However, this solution cannot work because obviously you can link only one pre-populate adapter to a resource form field.
    Any suggestion to avoid creating a second resource form?
    Thanks in advance,
    Daniele

    Hi,
    probably your confusion is caused by my English....anyway....
    I'm trying to generate two userids, and in our scenario it's simple to map the organizational units. For example, userids in organizational unit OU1 have the "admin." prefix, while those in organizational unit OU2 have the "user." prefix.
    Do you suggest creating a pre-populate adapter that uses a lookup to set the correct prefix based on the organizational unit name?
    Thank you
    Daniele

  • Getting an error message when trying to reinstall iTunes - 'Apple Mobile Device' failed to start. Verify that you have sufficient privileges to start the system services.

    After a recent iTunes update my iTunes failed to start. I uninstalled it and then reinstalled it again, but during installation an error message pops up saying: 'Apple Mobile Device' failed to start. Verify that you have sufficient privileges to start the system services. The three option buttons which can be clicked are 'Abort', 'Retry' and 'Ignore'. I tried pressing ignore, which allowed iTunes to install. However, it seemed that not all parts of the programme installed, as it wouldn't allow me to open iTunes again. Whenever I press retry it just makes the same message pop up again. How can I show that I have 'sufficient privileges'?

    Go to Control Panel > Add or Remove Programs (Win XP) or Programs and Features (later)
    Remove all of these items in the following order:
    iTunes
    Apple Software Update
    Apple Mobile Device Support (if this won't uninstall move on to the next item)
    Bonjour
    Apple Application Support
    Reboot, download iTunes, then reinstall, either using an account with administrative rights, or right-clicking the downloaded installer and selecting Run as Administrator.
    The uninstall and reinstall process will preserve your iTunes library and settings, but ideally you would back up the library and your other important personal documents and data on a regular basis. See this user tip for a suggested technique.
    Please note:
    Some users may need to follow all the steps in whichever of the following support documents applies to their system. These include some additional manual file and folder deletions not mentioned above.
    HT1925: Removing and Reinstalling iTunes for Windows XP
    HT1923: Removing and reinstalling iTunes for Windows Vista, Windows 7, or Windows 8
    tt2

  • User-id / Roles  assigned in Solution Manager system

    Hi Friends,
    I need an information regarding following:
    User-id / Roles  assigned in   SOLMAN Dev system   
    SM59 Destinations in Solman dev system  & user-id/pwd used  for connecting to Satellite systems
    User-id/ Roles assigned in   Satellite systems  - EG: ECC , PI , SCM ,BW   for SOLMAN Related User-ids 
    SM59 Destinations in  Satellite systems  & which user-id /pwd is used for connecting to   Solman dev system
    Kindly suggest me how I can get all the above information.
    Thanks & Regards,
    Solman Starter

    All users are created in SOLMAN_SETUP with the proper authorizations, just follow the guided procedure. In LMDB, you can set up the RFC connections to your satellite systems after you pushed the system information with RZ70 / SLD data supplier.

  • Finding out role assignments with CUA per system

    Hello experts,
    For user administration we use the CUA.
    Can anybody tell me where the role assignments per user and per system are saved in the central system?
    I have to find out which roles are assigned to a user in which system for reporting reasons and I cannot find this information in database tables.
    Table AGR_USERS doesn't help me because it contains only the role assignments of the local system.
    Thanks in advance
    Johannes

    Hi,
    you can get this information in the transaction SUIM in your CUA system. Simply start this transaction and go to User -> Cross-System Information -> Users by Roles. Then you can make selections of usernames and roles in receiving systems.
    The table, which has this information is USLA04.
    Kind regards
    Andrei

  • The method to provision the OIM System Date to a target System

    Hi,
    I want to provision the OIM System Date(date format : "YYYY-MM-DD HH:MI:SS") to a target System(DB Type:Oracle).
    The Column type in The target System is Date Type.
    I use the process adapter and assign the System Date to the Process Data - Date Type Column - in the target System.
    It doesn't work.
    How do I do it?
    Please help me.

    - That's simple. You have already created this date type variable in your process form. Now pass it in whichever format it is. In your code for creation in oracle, do a date conversion as required using custom code. This would work if you have written your code and you are not using DBApp Tables connector. Do it as follows:
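         // Needs: import java.text.SimpleDateFormat; import java.util.Date;
         // Replace both placeholder strings with real SimpleDateFormat patterns.
         SimpleDateFormat input = new SimpleDateFormat("OIM_DATE_FORMAT");
         SimpleDateFormat output = new SimpleDateFormat("ORACLE_DB_DATE_FORMAT");
         Date date = input.parse("Pass form date over here"); // throws ParseException if the value does not match the input pattern
         return output.format(date); // Pass this value to Oracle
    - If it's the DBApp Table connector, then the connector must take care of this by itself.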
    Thanks
    Sunny

  • Warning while Role Upload in SPS19 Test System

    Hi,
    We are in the process of migrating our BW portal (JAVA & ABAP) from SPS14 to SPS19. While testing Role Upload in the migrated system, it is giving a warning message.
    Get drag and relate attributes from system 'SAPBW' for type 'BWReport', id '<prt_protcl>://<prt_server>/<bi_launcher>?TEMPLATE=XEXP_M04A_1168_Q001_W7' - The BW report cache doesn't contain <prt_protcl>://<prt_server>/<bi_launcher>?TEMPLATE=XEXP_M04A_1168_Q001_W7 _
    This message is there for all the iviews inside the role.  Please help to resolve this warning.
    Regards
    Baby

    Hi Baby,
    I'm currently facing the same problem, did you come up with a solution for this warning?
    Best Regards,
    Rasmus

  • Linux Mint 17, migrated from Win7: Verify that you have enough disk space, and that you have write privileges to the file system, then try again.

    I get this error message (The messages could not be filtered to folder 'Generic Folder' because writing to folder failed. Verify that you have enough disk space, and that you have write privileges to the file system, then try again.) popping up on many, though not all of my incoming filters. I recently migrated from a Windows 7 installation to a Linux Mint 17 system.

    I did give it time to run through everything when I initially migrated, and it frequently will sit open for 3 to 4 hours while I'm working on other projects.
    The 'Generic Folder' represents sorting folders in my main mail account in Thunderbird. For example, my mail which is listed to filter into my 'Amazon' folder is sorted there with no problem, while any mail designated to be filtered into my 'Games' folder prompts the above error message.

  • Java Database User Role Privileges Framework

    Hello
    I am looking for a Java framework which automatically generates Java code for
    Database User Role Privileges Administration.
    For example, in the database we have a table of Users.
    Now we have tables of Author, Book etc. (related to Library).
    Now I want to give insert permission to user1,
    update and delete permission to user2, etc.
    Is there any related framework?
    Remember, I do not need User Role Privileges in the database.
    I need a framework to do this job.
    Thanks in Advance.

    There are tables created under the SAPSR3DB or SAP<SID>DB schema with extension .UME, such as SAPSR3DB.UME.ACL_ACL or SAPSR3DB.UME_ACL_ACLENTRY for AS-JAVA.
    There are other tables with the UME extension too.
    Regards,
    Anwar

  • Right role/privileges for KVM Access only in UCS

    Hi
    I am making some locally Authenticated Users for some people at work.
    They only need to access KVM and do things there.
    What role/privileges do I need to set on the user?

    Thank you for your answer.
    I have looked into the thread, and was thinking about method #4.
    I have created a user under Locally Authenticated Users and if I set the role Operations I get this message after pressing launch under KVM launch manager.
    If I type the same username and password, I get login failed.
    If I add the role Server-profile to the user, I can login with no issue. But then I am afraid that I give too many privileges to the user.
    I'm using a Management IP Pool, so I don't know if the other methods work better. I think it is difficult to know the IP address, and maybe the address can change.
    The best is, when I add a server to UCS, the user can find the server KVM by himself, and I don't need to find the IP address and give it to him.
    Maybe I am way off here, so please help me:)

  • Roles/Privileges

    I am creating a new repository for OEM on 8i. I first created a sysdba user to manage the repository. When attempting to use the configuration assistant I run into the error that the user I created for the repository does not have the roles or privileges necessary to create the oem repository. Can anyone please tell me what roles/privileges the sysdba user is lacking to create this repository? Thank you.

    select * from dba_sys_privs where grantee='ROLENAME';
    select * from dba_role_privs where grantee='ROLENAME';
    select * from dba_tab_privs where grantee='ROLENAME';

  • CUP-Role Status regarding to the System

    Hello,
    I have been doing some tests and I wonder how to distinguish when the role is ready in the different physical systems such as Prod, Q, Dev.
    When searching for a role already imported from ERM, you can select three different role statuses (only the third one is automatically set from ERM after the import):
    -Enable
    -Disable
    -Enable and provisioning
    What do these role statuses mean? Would they be useful for differentiating one physical system from another?
    Thanks in advance!
    Margarita.

    Hello Margarita,
    Here is the explanation of the status of role:
    Enable – roles you want to maintain but do not allow auto provisioning.
    Enable and Provision – roles you want to maintain and allow auto provisioning when selected by a user.
    Disable – roles that are disabled and are not displayed when the end user uses the Search feature to query for roles.
    In normal circumstances, when you import roles from ERM to CUP you would only import those roles which have been generated into production and thus are ready for assigning to users. That is why roles imported from ERM have the status as Enable & Provision.
    Regards, Varun

  • Roles privileges inaccessible.

    Hello,
    We are running Oracle9i Enterprise Edition 9.2.0.2.0 in a Solaris environments and are having some issues with Role permissions being carried over to users.
    The real life scenario is a bit more complicated, but I did a quick test and it produced the same results. Here is the issue: I created a user called TSTUSER and a role called TSTROLE. To TSTROLE I assigned CONNECT, RESOURCE and SELECT ANY TABLE. Then I assigned TSTROLE to TSTUSER.
    TSTUSER can connect ok, but can't select from any tables in any schemas. I have run simple select statements in TOAD, SQL*PLUS and even JDBC, and it doesn't work in any of these. Now, if I assign SELECT ANY TABLE directly to the user instead of the role, it works fine. I've tried other privileges, system and object, and have gotten the same results.
    When I select the session privileges, whatever privilege I am trying to use is returned even though it's not able to be used.
    Does anyone have a solution for this? I would just go ahead and assign the specific permissions to each user, but that would make things very complicated for audit.
    Thanks
    Garth

    Hey Guys,
    Thanks for your help.
    The error I get is for the query [select * from intranet.page (Where intranet is the schema name)] is: ORA-00942: table or view does not exist
    Here are the results of the queries:
    SELECT * FROM SESSION_ROLES;
    TSTROLE
    CONNECT
    RESOURCE
    SELECT * FROM USER_ROLE_PRIVS;
    USERNAME|GRANTED_ROLE|ADMIN_OPTION|DEFAULT_ROLE|OS_GRANTED
    TSTUSER|TSTROLE|NO|YES|NO
    I've also tried creating a view of the same query to see if that worked, but that didn't either. But the same test produces the same results with that. The view just won't compile.
    Thanks again
    Garth
