SAP IDM 7.1 Role assignment issue

Similar Messages

• No Portal Roles assigned issue

  Hi Experts ,
  We had recently integrated CRM with portal , but some users inspite of having the portal roles assigned to their id were getting an Access Denied page (we had customized the "no portal roles assigned " error page ) . Knowing the dependency of portal on IE and browser settings , this issue is sometimes resolved by clearing cache , cookies , and changing a few browser settings etc on IE 6.0 . If this doesn't work then upgrading to IE 7.0 definetly helps . Since this is just a workaround , I would like to know if anyone has experienced such a thing before and has a solution for this . Your inputs will be highly appreciated .
  Regards
  Mayank

  Hi Mayank,
  This is an error which happens when there is No roles assigned to the user. I am not sure how your systems are designed for User Management. Say for example in some cases LDAP is used to maintain Group to User Relationships and Portal Roles are connected to Groups therfore all users in the group is assigned to the Role. In some cases UME is used.
  Having said that you can disable the cache for the browser. You have to compromise with the performance however, this will ensure that everytime the user logs in, the request will always go to the server.
  Regards
  Avik

• SAP CRM 2007 Business role assignment

  Hi all,
  We are using CRM 2007. and we are trying to assign Business roles to users using the PFCG ROLE ID attribute.
  1- We create a PFCG role : "pfcgrole1"
  2- We create a Business Role "Businessrole1" and put PFCG Role id = "pfcgrole1"
  3- assign the user to the PFCG role "pfcgrole1"
  We have two cases :
  CASE 1:The user is assigned to a position in Org management but the position does not have any Business roles assigned.
  RESULT : The user logs in  to CRM, the user gets error message  "Logon is not possible because you have not been assigned a business role"
  CASE 2:The user is not assigned to any  position in Org management.
  RESULT : The user logs in to CRM, everything works fine
  my interpretation : org management has precedence over business role assignment using PFCG roles and blocks Business role assignment even if the position has no Business roles assigned
  Anyone has any idea how to assign business roles using PFCG ROle ID even if the user is assigned to a position without any business roles
  Thanks in advance.

  Please review these old threads first:
  Re: Reg: Business Role
  Assignment pfcg-role to user and assignment pfcg-role to business role
  There is a lot of technical background on how business role to PFCG role assignment works.
  Thank you,
  Stephen
  CRM Forum Moderator

• Role Assign Permission

  I am trying to check programmatically if a user has Role assign permission for a Role. The below code returns false even if the user has Role assign permission.
  IAclManager mgr = UMFactory.getAclManager();
  mgr.hasPermission(iRole.getUniqueID(),iUser, "com.sap.portal.pcd.roleservice.roles.Assign")
  Also, using getPermissionStatus() returns an undefined permission status.
  In addition to the above if the user is an administrator then the above methods return true always.
  Any help is appreciated.
  Thanks.

  Hi Raghav,
  Thanks for your response.
  The target user is a demand planner and would require to change alpha, beta and gamma factors based on changing sales trends.
  In production system, it will be risky to give model configuration permission to such users.
  Regards,
  Aditya G

• Issue while changing validity date for assigned roles: SAP IDM 7.2 SP8

  Hello Experts
  I assigned the Task on repository for validity modification for Roles as in below screenshot:
  When I modify the role validity, Task defined for Validity modification doesnt get triggered and IDM executes the tasks defined as Modify Task and fails with below errors:
  1. Could not obtain repository name from Pending object.
  2. Error ! Audit id , Variable doesnt exist in MXPT_GET_ENTRYTYPE.
  I tried checking provisioning audit logs but could'nt find any Audit ID created for validity modification and I guess due to this tasks are getting cancelled.
  Why the task defined in Modify Valdity tasks doesnt get triggered when I modify the Role assignment validity ?
  Am I doing anything wrong with the SAP Standard way of working ?
  Regards
  Deepak Gupta

  Hi Deepak/Chris,
  We are also facing a similar issue in our project where modifying validity of the role does not trigger any task. We then changed the Modify attribute(in task tab) on the priveleges to "inhereted".
  The modify task is now triggered and completes successfully. However, no changes occur in backend.
  We need unedrstand where do we maintain the setting to define which attributes(if changed) will trigger an event task in the provisioning framework. the "check attributes modification" task within the provisioning framework executes the below query:
  select COUNT(VarName) from mxpv_audit_variables where AuditID=%AUDITID% and VarValue='%MSKEY%' and VarName='MARK_EXEC_MODIFY_ATTR%MSKEY%'
  The query gives the result as "False" in case we only modify the validity of the role assigned to user. Thus no event tasks are executed for the same.
  Can anyone please share where do we define the attributes for this query to give "True" as result for role validity modification.
  regards,
  Nits

• Role Assignment Migration Issue

  Hi All,
  We migrated from EP6.0 to NW04 and encountered an issue with role assignment.  We currently have two LDAPs (1 for external customers and 1 for internal customers), when we did the migration, what we noticed is that for the external users, all their roles were not attached and for internal users, some of the roles were not attached.  Has anyone encountered this issue?
  Thanks

  Hi Reyna,
     I did some research on this.  I was unable to find anyone who migrated from a portal with two ldaps configured.  I was aware of some issues if people changed ldaps or migrated the uses from one ldap to another.  Or if they didn't use the migration tools.  Since you used the tools and used the same ldap, I'm not sure what is going on.
  If you haven't already, I suggest you open a message with SAP.  Let us know here if you make any progress.  If I find out more, I'll post here too.
  Thanks,
  John

• Indirect Role Assignment in My SAP SRM

  Hello,
  I am trying to do a Indirect Role Assignment in My SAP SRM.
  In my ECC system we have done it through PFCGgotoOrg Mgmt---assign positions and then reconcilitaion
  in HR master data the Sap USer ID is communication through infotype 105
  but in My SAP SRM I need some help on how to do that...
  as HR master data does'nt exist in my SAP SRM..
  so can you please tell me how to do that.
  -Thanks
  Sam

  Hi Its done the same goto PFCG, user tab >org assign > select the position and reconcile, once done do a PFUD then goto PPOSW fine your position and you will see the role assigned to that position then goto su01 to make sure the role has been assigned there to.

• CUA sync with child client issue for indirect role assignment.

  Hello Security experts,
  we have a indirect role assignment set up in our ECC environment. there is a syncronization issue from the parent CUA to the chlild client. The role assignments have been made to role although they are not always reaching target system without having to sync up either the role or the IDu2019s position # manually.   This has been an ongoing issue CUA has on any role or user from time to time.   any hint on fixing this issue. please help..

  Whole idea of CUA is to manage your roles and users centrally, on the contrary you can manage the roles/profiles by setting up the attributes for the CUA thorugh Central user Management console - SCUM Transaction.
  CUA has its own pros -
  Central rep,Users Sync,Role Provisioning statergy - Global composites(consists of individual child roles) Distibuted model -Provisioing at individual child systems for roles, etc.Central user store,easy maintenance.
  on the contrary - change documents is always a concern ( because cua uses - interface Ids or the RFC ids to push the idocs from cua to child system), CUA maintenance while system refresh - Copied distribution models have to be deleted and re-created, system backups has to be defined per you distribution model, password maintenance if defined global then Child systems act as inactive nodes, reading the roles into cua which are created in childs so as to establish a pointer to that system.
  It also depends on the number of systems you have in your landscape so that you can calculate the overhead and then have a Go -no-Go decison on CUA.
  Overall, I consider CUA as a good approach provided we streamline the process of provisioning, de-provisioning per the cua standards.
  Rakesh

• SAP CRM Role assignment block - Customer cc

  hi there, can anyone please tell me what the Customer CC refers to in the SAP CRM Role assignment block
  Thanks, Sue

  hi ahmedi khan,
  the role key what you have created that will be assign to your business role.
  go to CRMC_UI_PROFILE or
  SPRO >> Customer relationship Management >>UI Framework >>Business Roles >> Define Business Role
  click on your business role and under role config key you have to pass your custom role key..
  like this..
  go through this link you can get to know..
  The Usage of the SAP CRM Role Configuration Key –Detailed example
  Thanks & Regards,
  Srinivask

• Role Assignment Discovery Issue for Files and Folders through Sharepoint REST services

  To preface, I am a decided Sharepoint newbie in every sense. I am trying to use the Sharepoint REST services (Sharepoint 2013) to walk the folder and file structure of my Sharepoint server and, determine as I go, the Role Assignments (and subsequently
  Permissions) on those folders and files. I'm using an Administrator credentials and I'm actually able to successfully do it but I've run into some caveats. All the caveats begin with this; when I'm examining a folder, for example:
  /_api/Web/GetFolderByServerRelativeUrl('/sites/cmisdev/Development')/ListItemAllFields
  I receive either an empty list or an error response doc when following the link supplied for ListItemAllFields.  When following that kind of link for folders, I either get:
  <d:ListItemAllFields
  m:null="true"
  />
  or an error response document that says "The object specified does not belong to a list." When I hit the /ListItemAllFields endpoint for files, I receive a response with a link for Role Assignments which subsequently also works and I get the
  info I need. So, is this a bug? Why does the link returned from Sharepoint work for files and not folders? So, google, google, google, and I discover that there is another possible way to get at the Role Assignments (and that the object does, indeed, belong
  to a list!).
  If I know the Title (or the guid) of the folder in question, I can use the following endpoint:
  /_api/Web/Lists/GetByTitle('Development')
  If I use that endpoint, I get the information I would have expected to get from following /ListItemAllFields and the subsequent Role Assignments links all work and I get what I need. If there's a bug and this is how I have to work around it, that's fine
  but I have yet to discover how to dynamically determine the Title of a given folder nor am I sure if all Titles are supposed to be unique within a given Sharepoint server. I'm assuming that the folder name as represented in the server relative URL and the
  Title may be different and this is where my newbishness may start to shine if I'm misunderstanding what a "List" is supposed to be in Sharepoint. Anyway, I did find that I could use the Properties endpoint to perhaps get the Title, for example:
  /_api/Web/GetFolderByServerRelativeUrl('/sites/cmisdev/Development')/Properties
  gives me:
  <d:vti_x005f_listtitle>Development</d:vti_x005f_listtitle>
  whose value I assume I could then supply to the /GetByTitle endpoint and be golden. However, "vti_x005f_listtitle" just sounds a little too deep to be something I should be relying on but maybe that's kosher. That's part of what I'm trying to
  find out. Also, if there is a way to use the Sharepoint REST API to discover the guid of a given object, then I could look it up in that way.
  So, in summary:
  1. Am I going about getting folder Role Assignment information in the wrong way? Based on the CSOM examples I've seen, I believe I'm doing it correctly and that the answer to #2 below is a resounding "Yes!" :)
  2. Is it a bug if I'm not able to use /ListItemAllFields on folders using the server relative url?
  3. If I'm supposed to use GetByTitle as a workaround, am I discovering that Title correctly through /Properties? Seems quite circuitous and awkward. Are Titles required to be unique throughout a given Sharepoint server?
  4. If I'm supposed to use the guid, how can I use the REST interface to discover an object's guid? Once we get down to the Role Assignments and other links, the guid appears in those links but I don't know how to discover it independently if that's the
  path I should use to get the data I described above.

  Upon further research, I'll answer my own question for the benefit of some other potential future newbie.  The answer to question number 1 above is "Not exactly.".  The server relative URLs I was using corresponded to lists (which are
  returned as a collection through /_api/web/lists).  I was treating them mentally like regular folders.  That, coupled with the fact that accessing their data as I showed above returns a ListItemAllFields link, made me think that was the way to get
  the Role Assignments just as I would for files and, as it turns out, "real" folders and sub-folders created under these lists.  That was the other problem with thinking of these lists as regular folders.  So, ListItemAllFields works on
  all files and folders in a list.  However, if you want Role Assignments for the lists themselves, you can keep track of the Titles and\or Guids from the /_api/web/lists that you're interested in (in my case, all non-hidden "document library"
  type lists) and then access those Role Assignments as I discussed in questions 3 and 4 above.  For example, from the /_api/web/lists collection from my test server, the "Development" document library Role Assignments are accessable via /_api/Web/Lists(guid'cd242eeb-aafa-4efa-aecc-9bbdf8e3d459')/RoleAssignments
  or /_api/Web/Lists/GetByTitle('Development')/RoleAssignments.

• Role assignment not working

  Hi everyone,
  I am trying to assign different roles to different users for GRC - Risk Management 10.0; however it seems like standard roles don't have any affect on type of activity. I have maintained various levels of roles (e.g. risk owner, risk expert, risk manager, etc) using PFCG and assigned almost every role to the users; but it doesn't give them the authorization to create or edit anything, they can only display.
  The only workaround for this was assigning a role with the authorization object GRFN_USER (with 02 Change value enabled) or assigning SAP_GRC_FN_ALL (Power user role which also contains object GRFN_USER). However this would allow users to do "anything" they want which obviously isn't what I seek.
  I have tried changing customization options such as Maintain Custom Agent Determination Rules and Maintain Entity Role Assignment, it hasn't solved anything so far.
  I urgently require your assistance on this issue. Thank you.
  Regards,
  Seckin

  Hi,
  I 'm facing same kind of problem.
  Case 1:
  I tried with:
                    Assigning users to group (abap role) which didn't worked.
                    Assigning UME Role to group (abap role) which worked. Then i assigned the user to the UME Role, but the user is not getting the backend authorizations.
                    Assigning the portal role to the group (abap role), then when i assiged a user to the abap role from R/3 automatically the user is getting the portal role.
  How can i do the same from portal?
  Case2:     
  While distributing the portal roles to the ABAP system (System Administrator -> Permissions -> SAP Authorizations), the status is showing as "Role transfer compleated". but when i checked from the R/3 transaction WP3R, there are no portal roles.
  Why are the portal roles not getting transfered even though the status is green?
  Mr.Chowdary

• Another FPN Thread: Remote role assignment not working

  Hi all,
  We have successfully implemented FPN for use in our ESS and BW environment and we are experiencing very little problems with it. We now want to start implementing it for our eRecruitment and SRM systems (as producers). For some reason we are not able to use the Remote Role Assignement functionality.
  We have set up trust for the systems and use SSO.
  Connection test for the producer is successfull.
  We can see the Producer content in the pcd on the consumer.
  Server times are the same.
  As far as I know I have correctly set permissions on producer and consumer.
  Possible cause: We are in the process of upgrading our consumer Portal to NW 7.0 SPS15 and have encountered some problems. The system is partially upgraded, so some components are SP15 and some others are still SP13. This is currently under investigation by SAP. Can this be an issue as our producer portals all are still on SP13?
  I hope to hear from you soon. Please ask if you need any screenshots. Thanks in advance.
  Best regards,
  Jan Laros

  Hi Jan,
  if remote role assignment not works, you can also use remote delta links. I only work with remote delta links because i have more options   and a better performance.
  If your connection works you can go to Content Administration ->Portal Content-> NetWeaver-Content-Producer. Hier you can see your remote system. Now you can copy the role and add it to your portal-content.
  If you can not see the content make sure that you have the same user  on both sides also check the premissions on the portal-content of your remote system. To test the connection it is easier to add Everyone group to the content of your remote system.
  regards,
  Sharam

• Indirect Role Assignment

  I am adding roles to positions using indirect role assignment, when adding the role to the position I am prompted to carry out a reconcilliation of indirect user assignments, receive message 'Indirect user assignments ok'  so then I've run PFUD.  When I check both the role and the user I cannot see the role attached to the user, but the role is listed in the 'Relationships' in PP01.
  A new organisation structure has been created, when I click on the drop down at the 'change agent assignment' the old organisation structure is displayed.  Any suggestions please how I can select the new organisation structure?
  Thanks

  Hello Anthea,
  to pass on a role from a position to a SAP user id I would suggest the following.
  Go to transaction SA38 and run report RHPROFL0.
  Some notes on the report and report selections.
  The report can be used to eveluate and assign roles from HR objects to SAP users. The report starts reading at a given HR object along an evaluation path. It then updates the SAP user found with authorisation roles.
  Selections:
  You have assigned the roles to a position therefore you should select object type S.
  Then put the position number in the Object ID.
  The key date is hopefully self explaining.
  The evaluation path might have defaulted to PROFL0. That would be the correct one.
  The program has a test mode. I suggest you run the test mode first. It will tell you what the program would change in an actual run.
  In the next selection box - "Generate authorization profiles"
  You might leave the ticks in the boxes:
  - Standard authorizations
  - PD authorizations
  That will generate profiles if they aren't generated yet.
  Next selection box - "Delete manually maintained authorisation profiles"
  Leave the tick boxes blank if you have any direct assigned roles.
  If you tick the boxes all roles and profiles directly assigned to SAP user ids will be deleted.
  In section "New Users"
  There is a tick box "Generate".
  If that box is ticked the report will create new SAP user IDs for all occupied positions with roles but without SAP user ID on the Employee record.
  You might leave that box unticked for the moment.
  I suggest to create the application log --> Last tick box on the selection screen.
  Some general comments at the end.
  The report RHPROFL0 might be scheduled in production systems if indirect role assignments are used. Depending on your needs make sure that the deletion of manual assigned profiles is activated or deactivated.
  If you do not enter an object id, the report will run for all object ids.
  A further note on the indirect setup.
  If roles should be passed on from a Position to a SAP user id, it is important, that the following conditions are fulfilled.
  The Position is valid/active as of the report key date.
  The position has a holder at key date.
  The holder has an assignment of a valid SAP user ID at key date. Infotype 0105 subtype 0001 for object type P.
  The Roles on the position are valid at the key date.
  I hope that helps solving your issue.
  Best regards
  Karsten

• Role assignment to user in child system

  Hi,
  We have a CUA with role assignment in SCUM defined as global. There is any way of assigning roles to users in child system when CUA system is not available? There is any way to allow roles assignement  in both Parent and  child systems?
  Many thanks for your help!!
  Raquel

  One way would be to temporarily delete the CUA assignment in the child and then maintain locally, but you will need to attach it again... and decide whether you want the CUA master to know about what you have done.
  Plan B on older Support Packs is to take a look at the correction instructions of [SAP Note 1504495|https://service.sap.com/sap/support/notes/1504495] but for this you need full access () to the S_USER objects, in which case you could detatch the CUA anyway.
  However as a temporary workaround in Test systems it could have been usefull.
  Plan C: Allow reference user assignments locally and authorize the role indirectly. Via the available authorizations of and access to the reference users you can then contain the scenario. Works fine for me if the concept of reference users is understood.
  However in most cases you should do it via the CUA and will end up doing this anyway via the CUA - that is what you have a CUA for. So... logon to your CUA in the morning, give the SAPGui scheme a nice bright colour and administrate the users and role assignments there. This is a small price to pay compared to not having a CUA or IdM...
  Cheers,
  Julius

• Role Assignment does not get distributed from CUA

  Hi all.
  I create user and role in CUA client.
  There is no error in role generation.
  When I try to find my role in SU01 by pressing F4 of my role (Y*), system give me message role not found. But that's not my biggest problem.
  I can assign my role by typing manually.
  My biggest problem is only SAP ID get distributed into target system, not the role assignment.
  So in the target system I can see my user id without role assign to it.
  I checked my user id from SCUL. User and profile does not contain any error message in target client.
  I tried with transaction RSCCUSND, still my user id does not contain role.
  I checked my SCUM transaction, profiles and roles has Global settings.
  Does someone can give me a clue why this happens and how to solve this issue.
  Many thanks

  Lets try to simplify the thing in layman language.
  CUA is to manage user ids of different SAP systems (client level) centrally from one system without logging into each of those child systems. To do so, the Central system stores the information of the Roles (and their Text and Generated Profile Name ONLY) and Profiles (standard or non-generated profiles) in few of it's tables like: USLA04, USRSYSACT, USRSYSACTT, USRSYSPRF, USRSYSPRFT etc.
  It doesn't mean that the Roles for the corresponding child system is present in the central system and no need of creating (or making available) such roles in the Child systems. The physical existence of the Role for each system doesn't get transferred in the Central system when you do the Text comparison rather the identity only against the corresponding system.
  So the Roles has to be there in the corresponding Child systems and the Assignment (not physical assignment  -  only linking the name for that child system) of them to the user ids can be done from Central system.
  Also you have got the idea of Text comparison and requirement of keeping or creating roles in each system based on it's nature from the other posts.
  Let us know any more questions you have.
  regards,
  Dipanjan