SCM authorizations
We are planning on upgrading APO 3.0 (ancient, I know) to SCM...will be setting up a new landscape, project team, quality testers, production users (eventually).
Is anything in old APO 'salvageable ' from a role perspective, or is this really a 'start from scratch' activity? I have also heard rumblings from our business customers that they want 'more' security in SCM than they have currently in APO - separate certain divisions and companies possibly.
Does anyone have any experience with SCM security? Are the SAP delivered roles any good, or do they need a lot of tweaking and testing adjustments? We find in other 'bolt ons' that many more auth checks are performed by various programs that have to be incorporated into roles - wondering if we can expect the same in SCM.
Can anyone relate their experience with SCM auths?
Hi Mary,
The DP and SNP roles are very useful. They are good starting points. You can use pretty much use the same roles defined in [Roles in SAP SCM|http://help.sap.com/saphelp_scm50/helpdata/en/43/4ec7101c091dede10000000a422035/frameset.htm].
The detailed objects are explained in [Authorization in Supply Network and Demand Planning|http://help.sap.com/saphelp_scm50/helpdata/en/21/f6253b90e48743e10000000a11402f/frameset.htm].
I am not that experienced in 3.0 to 5.0 transition of authorizations, but most of the 3.0 objects are retained in 5.0 but some of them are obsolete such as C_APO_SEL2 . But strangely they are still used....
In one of my previous projects, we started of with the standard roles and since the same user can not be used for all users we created Z roles adding, changing objects as needed.
For example, not all users need to have authorization for all planning books. I want to restrict my SNP users to display the DP books and display and edit the SNP planning books.
The same for DP, they should be able to display the SNP books and both display and edit the DP books. SO we modify the existing roles and created Z roles...
Overall in my experience, I see that SAP delivered roles are good starting points and as always since the client requirements vary, we end up creating zroles.
Similar Messages
-
Hi,
We are facing a serious
authorization problem in our SCM system.
We want to provide a bifurcation at
the Production Planner "APO_PL_PPS"
level.This is possible for
authorization object "C_APO_PPL"
(PP/DS, Production Planner),
however "C_APO_PROD" (Master Data,
Products) consists of only 3 fields.
Since the Product Id's ("APO_PROD")
do not follow any specific
nomenclature in our landscape, we
cannot provide any limitation here.
The problem is that when Product Id is "*"; irrespective of other
objects (eg. APO_PL_PPS); all the Product's can be viewed by all users.
Is there some way in which we can allow users belonging to a particular
Production Planner to view only their respective Product Id's..
Please help, since it's real important that only users belonging to a
particular Production Planner view their respective Product Id's.
Thanks a lot,
Saba.In C_APO_PPL authorization object as you said it is possible to put in Production planner as a criterion. You can create multiple authorizations based on Production Planner values. The production planner is part of Location Product master. There are authorization acitivites like Display and Change that should enable one production planner set not to view something under the purview of other production planner. There could be production planner IDs that are like logical groupings. Eg. Assume there are two business units U1 and U2. Then, 1U1 or 2U1 are IDs for two production planners under unit 1. similarly 2U2 or 3U2 for production planners under unit 2. Unit 1 and 2s could be logical set of location products. Given this you can then use patterns such as *U1 or *U2 for authorization roles. From what I see in your notes it looks when you create a role for production planner *U1, the *U2 production planners are able to display and change data for *U1
If this is not working, I would recommend you to raise OSS message. -
Hi,
I am looking SAP SCM Security tcodes and tables that are used on daily basis like in R/3 ECC SU01,SU10,SE10,SU01,PFCG,SU24,SE16,SE11,SE38,su21,su20 etc.
thanksHi Jain,
I highly recommend you to read this nice guide if you haven't read yet:
http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/80c094de-90aa-2910-02b8-e31a6f5ff0c2
In this guide you'll be able to find definition of roles and responsibilities when implementing GRC. You'll understand that Auditors should take a GRC course also; GRC it's a tool that involves a lot of areas. If you've been working with SAP authorizations so far, you won't have problems understanding GRC, you should read the corresponding guides and you'll be able to "map" your company requirements via system configuration.
Cheers,
Diego. -
Hi,
We are facing a serious
authorization problem in our SCM system.
We want to provide a bifurcation at
the Production Planner "APO_PL_PPS"
level.This is possible for
authorization object "C_APO_PPL"
(PP/DS, Production Planner),
however "C_APO_PROD" (Master Data,
Products) consists of only 3 fields.
Since the Product Id's ("APO_PROD")
do not follow any specific
nomenclature in our landscape, we
cannot provide any limitation here.
The problem is that when Product Id is "*"; irrespective of other
objects (eg. APO_PL_PPS); all the Product's can be viewed by all users.
Is there some way in which we can allow users belonging to a particular
Production Planner to view only their respective Product Id's..
Please help, since it's real important that only users belonging to a
particular Production Planner view their respective Product Id's.
Thanks a lot,
Saba.Before you change the standard program, I would suggest keeping the thread here for a while to see whether somebody who has encountered this in APO knows whethere the naming convention (nomenclature) is the intended design and whether or not an alternate solution (work-around for retro-fit) is possible / available.
If you wish, I can move this thread to the "APO" forum to see whether the functional or development folks have solved this problem? Formally, forum "cross-posting" is not encouraged, but if you do, then please also cross-reference the threads...
Cross-reference.... SCM Authorization Issue
Cheers,
Julius
Edited by: Julius Bussche on Apr 4, 2008 7:16 AM -
Planning Stucture authorization issue in SCM
Hello Experts,
Need your help.
In our SCM7.0 system, we have implemented FM: /SAPAPO/MCP_PERMISSION_CHECK2 for authorization check to Planning Structure Infocube. That is working fine.
Now Users are facing authorization issue in Prodcution when they executed transaction /n/SAPAPO/SDP94 with below message.
Error message: You do not have authorization for all the characteristic values selected Message no. AUTHORITY041
Analysis authorization trace message: " Message EYE001: You do not have sufficient authorization for InfoProvider ZDM_PLN1 with activity 03.
We have assigned customized analysis authorization and that is maintained with InfoProvider "0TCAIPROV" as " * ".
Earlier this was working fine in production but now users are getting authorization issue. When we tested in other systems, it is working fine.
I appreciate your help in this issue.
Regards
Ravi
Edited by: Ravi K on Jul 5, 2011 6:04 PMRavi
Verify the selections in the Production system v/s the test system. Are they exactly the same ? I can think of two possibilities -
1. User is attempting to access a selection where he/ she does not have access to at least one of the CVC's filtered by the CVC.
2. The selection definition should (but does not in your case) contain the characteristic on which the authorization is setup.
Rishi Menon -
Error while posting data from SCM to XI
Dear Expertise,
I got a requirement where I need to post data from SCM to XI server. From SCM
side it is an ABAP proxy. When I tested the scenario and checked in the MONI of
SCM I got an error. But SCM is correctly configured pointing to XI under Tcode
SM59 (SM59 --> Connection Type H (HTTP Connection to ABAP System) -->with
correct user credentials and PIPE line URL of XI server).
Please let me know is this the correct settings for ABAP proxy for connecting
from SCM system to XI system.
Error Dump in SXMB_MONI:
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
- <!-- Call Integration Server
-->
- <SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="">
<SAP:Category>XIServer</SAP:Category>
<SAP:Code area="INTERNAL">HTTP_RESP_STATUS_CODE_NOT_OK</SAP:Code>
<SAP:P1>401</SAP:P1>
<SAP:P2>Unauthorized</SAP:P2>
<SAP:P3 />
<SAP:P4 />
<SAP:AdditionalText><!DOCTYPE html PUBLIC"-//W3C//DTD HTML 4.01Transitional//EN">
<SAP:ApplicationFaultMessage namespace="" />
<SAP:Stack>HTTP response contains status code 401 with the description Unauthorized Authorization error while sending by HTTP (error code: 401, error text: Unauthorized)</SAP:Stack>
<SAP:Retry>M</SAP:Retry>
</SAP:Error>
Thanks in Advance,
GujjetiHI
Check these
For Error: HTTP_RESP_STATUS_CODE_NOT_OK 401 Unauthorized
Description: The request requires user authentication
Possible Tips:
Check XIAPPLUSER is having this Role -SAP_XI_APPL_SERV_USER
If the error is in XI Adapter, then your port entry should J2EE port 5<System no>
If the error is in Adapter Engine
then have a look into SAP note- 821026, Delete the Adapter Engine cache in transaction SXI_CACHE Goto --> Cache.
May be wrong password for user XIISUSER
May be wrong password for user XIAFUSER
for this Check the Exchange Profile and transaction SU01, try to reset the password -Restart the J2EE Engine to activate changes in the Exchange Profile After doing this, you can restart the message -
Uploading Roles from ECC 6.0 to SCM 5.1 (APO)
Hi,
We are trying to re-use some roles created in SAP ECC 6.0 in order to be used in a APO(SAP SCM 5.10) system.
We downloaded and uploaded the roles to the target system, although we do not identify any problem in doing that I will like ask the experts if there is something that I should do or not, and if there is something that we have to take into account in doing this.
The roles are only for some activities that are the same in both systems like user administration, authorization administration and other technical stuff that is the same in both systems.
Our goal of course is that every time that we make changes in the source system we will download and upload in order to keep updated the target system.
I would like appreciate your opinion
Best Regards
FedeX> We downloaded and uploaded the roles to the target system, although we do not identify any problem in doing that I will like ask the experts if there is something that I should do or not, and if there is something that we have to take into account in doing this.
Well, there could be a difference in objects, customizing switches and patchlevels which could lead to unwanted (and sometimes almost invisble) problems. If there are objects in the roles that do not exist in the target system (or if they're linked to a non-existent object class) you will not be able to see or maintain them in PFCG.
This will also cause problems when transporting these roles through the target landscape.
So I'd suggest you thoroughly compare TOBJ on both systems and make sure these tables are identical for the objects concerned. That should cover technical issues. After that make sure the systems behave the same (customizing etc). -
Restricting Authorization for a specific Info-object
Dear All,
I have a scenario where I have to restrict the account managers by specific channels.
I have 2 info-objects, Sold-to party and Sales Channel. Sales Channel is defined as attribute of the the Sold-To Part info-object.
I was exploring the BI authorizations concept in SCM 2007.
I created a authorization called "Test" and assigned the info-object Sales Channel in the authorization and restricted it for one value. This authorization along with 0BI_ALL I have added to the role under BI authorizations.
However in interactive demand planning, I cannot restrict by the sales channel. It allows me to load data for all the channels.
If I remove 0BI_ALL object, then I cannot load anything in interactive planning.
Does anyone have a step by step proceedure for using the BI authorization concept?
Regards,
KedarYes, 0TCAACTVT (activity), 0TCAIPROV (InfoProvider) and 0TCAVALID (validity) have to be made authorization relevant. For the info objects you want to use to control security, also make them authorization relevant in RSD1, imagine the object you want relevant is ZZ_VKORG (sales organization).
Then use RSCEADMIN transcation and 0BI_ALL will include the objects from above, copy 0BI_ALL into a object such as Z_1000 and then change the value for the specific info object that you want to control, imagine that you want sales org 1000 only to be allowed within Z_1000.
Now, you have 2 choices: You can use the normal security maintenance (SU01, PFCG) and you can asssign RSRS_AUTHBIAUTH and set BIAUTH requal to Z_1000 or you can use user maintenance directly within RSCEDAMIN and assign Z_1000 to the user. Either way, it becomes part of the authorization of the user.
You may find that you need to introduce colon authorization concept ( for mixed levels of data and that is just a matter of adding a second line to the allowable values and setting it like "EQ :".
Things to consider:
1. This authorization concept is water tight and will do everything you need, but will do at the expense that if you don't model it first, you will kill yourself trying to make it right. This becomes evident when you trace a security issue (via RSCEADMIN) because the way BI7.0 works is that it will build a minimized superset of authorizations, so it is best to know where you want to get to, rather than starting off by where you know you need to go.
2. To control change or display mode, you will need to influence 0TCAACTVT, even though you might think to use C_APO_SEL3 for ACTVT, the BI7.0 concept works within the BI space and 0TCAACTVT doesn't impact it.
3. If you activate more info objects, 0BI_ALL will get updated automatically but your custom authorization objecst will not. So, it is best to activate them all at the same time so that you don't have to manually change them.
4. Do the work in development and transport it to the TEST/QA/PROD environments, there are transprt tools within the RSCEADMIN.
This is probably enough to get you going, reply back if you have specific questions or issues.
I've been thru this in a painful way, sometimes the best things learned are learned the hard way -
DBM Error return code -11 in LC10 Administration in SCM System Live Cache
Hello,
We have installed SCM 4.1 on Solaris on one box and LC 7.5 on another solaris box.
For kernel upgrade, we shut down Live Cache using LC10>administration on SCM server. After kernel patch, other patches for ABAP stack, we upgraded LC to SP11 build 35.
Since then, we get following error in LC10.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Name and Server : LCA - gva1073
DBMRFC Function : DBM_EXECUTE
Command : dbm_version
Error : DBM Error
Return Code : -11
Error Message : tp error: Terminating. [nlsui0.c 1934] pid
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Also, in DB59, when we try to check connection, we get following error -
General Connection Data
Connection Name....: LCA
Database Name......: LCA
Database Server....: gva1073
tp Profiles........: no_longer_used
DBM User...........: CONTROL
Test Scope
1. Execute an external operating system command (DBMCLI)
2. Determine status using TCP/IP connection SAPDB_DBM (DBMRFC
command mode)
3. Determine status using TCP/IP connection SAPDB_DBM_DAEMON (DBMRFC
session mode)
4. Test the SQL connection (Native SQL at CON_NAME)
Application Server: gva1075_SCD_03 (
SunOS )
1. Connect. test with "dbmcli db_state"
Successful
2. Connect. test with command mode "dbmrfc db_state"
Unsuccessful
dbm_system_error
Name and Server : LCA - gva1073
DBMRFC Function : DBM_EXECUTE
Command : db_state
Error : DBM Error
Return Code : -11
Error Message : tp error: Terminating. [nlsui0.c 1934] pid
3. Connect. test with session mode "dbmrfc db_state"
Unsuccessful
dbm_system_error
Name and Server : LCA - gva1073
DBMRFC Function : DBM_CONNECT
Error : DBM Error
Return Code : -11
Error Message : tp error: Terminating. [nlsui0.c 1934] pid
4. Connect. test with "native SQL" ( LCA )
Successful
++++++++++++++++++++++++++++++++++++++++++++++++++++
Can anybody please help?
Thanks and regards,
VaibhavHello Vaibhav,
while using transaction LC10, the error 11 "tp error: Terminating. [nlsui0.c ...]" occurs. The user authorization with tp fails and the application server cannot connect to the liveCache.
I assumed, that it's due to a library version mismatch, tp cannot use the liveCahe UNICODE libraries.
Please check, that the tp call at the command line works properly. And a dbmcli call in the transaction SM49 with the tp options
(dbmcli ::
-d <LC-SID> -n <LC-servername> -tpp <profile> -tpi <system-SID>
-tpc <connection - LCA/LDA> dbm_version)
works also properly.
I recommend you to update the liveCache client software on the Application server.
If you've got access to OSS/Service Market Place, then please take a look at note
649814 how to update the liveCache client software on the application server.
< Please also review the SAP notes 847736 & 831108 >
Before the liveCache client version will be upgraded on the application
server you can use the workaround by switching off the central authorization for the liveCache LCA/LDA connections:
In transaction LC10, choose Integration and deactivate the option Central authorization, then save.
If you are the official SAP customer, I recommend you to create the ticket to SAP on 'BC-DB-LVC' queue.
Thank you and best regards, Natalia Khlopina -
No authorization for the creation of resource WG10 00_1000_001
Dear All,
While checking SMQ1(Outbound queue), we found 2 displayed , pls check below details.
Queue Informationen
Number of Entries Displayed: 11
Number of Queues Displayed: 2
Cl. Queue Name Destination Entries
100 CFLDZ31CLNT100_0034 E06CLNT100 4
100 MCEX03 NONE 7
While Double clicking queue (CFLDZ31CLNT100_0034), Its shows Status SYSFAIL .
Please check details log.
Cl. Queue Name Destination Entries Status Date 1 Time 1 NxtDate NxtTim Wait for queue
100 CFLDZ31CLNT100_0034 E06CLNT100 4 SYSFAIL 22.09.2011 12:57:11 22.09.2011 13:16:32
Note : E06CLNT100 (SCM System).
While double clicking SYSFAIL Its shows No authorization for the creation of resource
00_1000_001.
Kindly Suggest.And also User not able to do activate Integration Model using Transaction CFM2 , it is giving error as below .
System: E06CLNT100 User: KAPGATEG 22.09.2011 12:57:11
Function/Q/SAPAPO/CIF_RES_INBOUND4
Text: No authorization for the creation of resource WG10
Kindly advise. -
Restricting the ATP user for GATP - corrrect roles/authorizations
Hi:
If the dialog user that is used for the ATP check (from ECC to GATP) has more authorizations than needed and this is going to be a problem in production. The user can run SCM transactions from the results screen of ECC and this is not desirable.
Therefore, the ATP user should be a restricted user that has only authorizations for this specific task. If you know what are the exact roles/authorizations to give to the ATP user, could you share them?
Thanks in advance.
SatishFor R/3 please check OSS Note 447543 - APO: Authorizations too comprehensive/not user-specific.
"If it is necessary to have different authorization profiles in APO for different R/3 users when calling in APO, the following solution applies:
Activate the setting in SM59 that is used for the RFC connection CURRENT USER.
In the APO system, create the respective users and assign authorization profiles. This is necessary in order to achieve the necessary flexibility concerning authorizations in the APO system."
For APO :
AuthorizationsObject C_APO_ATP in APO .
please chose activity as per user role.
01 Create or generate
02 Change
03 Display
04 Print, edit message
06 Delete
16 Execute
39 Check
Manish
Edited by: Manish Kumar Rathi on Oct 21, 2008 1:24 PM -
DP - No authorization for all characteristics value
Dear All,
I am trying to implement the role SAP_APO_FCS_SU (APO: Demand Planning Standard User) in SCM 5.0.
When I logon as a user who has been assigned to this role and try to load a predefined selection profile or create one, I get the error You do not have authorization for all the characteristic values selected.
Can you please let me know what I am doing wrong?
Thanks in advance for your help.
EmilieHi Raj,
I created a BI authorization object for my additional characteristics (ie, other than 9AMATNR and 9ALOCNO) and then added to the role.
Below is the link for how to create BI authorization object.
[http://help.sap.com/saphelp_scm50/helpdata/en/8f/9d6937089c2556e10000009b38f889/frameset.htm]
Regards,
Emilie -
Roles and authorizations in BI content
Hi experts,
I'm trying to define a very simple scheme of roles and authorizations for my queries.
So, i'm trying to limit the acess by infocube and DSO, but I'm missing the authorizations objects for Cube and DSO.
I know that authorization object for queries it's S_RS_COMP.
So my roles would be something like
BI_ROLE_FI
Authorization Object Autorization Object Value
Acess query (S_RS_COMP) NA
Infoobject (whats the object???) 0FIGL_C01
DSO (whats the object???) 0FIGL_O14
BI_ROLE_PUR
Authorization Object Autorization Object Value
Acess query (S_RS_COMP) NA
Infoobject (whats the object???) 0PUR_C01
Can you help me find out whats the missing information
Thanks and regards
JoanaHi,
Iu2019ve gave authorization to the object youu2019ve mentioned, but itu2019s still not working.
Basically what I have is the following:
One role that allows me to execute queries, workbooks, etc.
A second role, dependent on the area of work, that should allow me only to have access to queries from cubes/MP/DSO that are specific to users area.
I will then give each user role 1 + the adequate role 2, depending on their work area.
For role 1 I have got:
S_RFC
Activity: 16
Name of RFC to be protected: *
Name of RFC object to be protected: *
S_TCODE
Transaction code: RRMX
S_GUI
Activity: 16
S_USER_AGR
Activity: 01, 02, 03
Role Name: ANLG_BI_01
S_USER_TCD
Transaction code: RRMX
S_RS_AUTH
BI Analysis Authorization: BI_ALL
S_RS_COMP
Activity: 03, 16
InfoArea:*
InfoCube: *
Name (ID) of a reporting component: *
Type of a reporting component: *
S_RS_COMP1
Activity: 03, 16, 22
Name (ID) of a reporting component: *
Type of a reporting component: *
Owner (Person Responsible) for a reporting Component: *
S_RS_TOOLS
Logical Command Name: THEMES
Iu2019ve tested this role, and it works u2013 they can access queries, create workbooks, create permanent model workbooks
For role 2 u2013 Finance I have
S_USER_AGR
Activity: 01, 02, 03
Role Name: ROLE2
S_RS_ADMWB
Activity: 03,66
Data warehousing workbench Object: INFOAREA
S_RS_ODSO
Activity: 03
Infoarea: 0FIGL_ERP
DataStore Object: 0FIGL_014
SubObject for ODS Object: *
S_RS_ICUBE
Activity: 03, 66
Infocube SubObject: *
Infoarea: 0FIAP
InfoCube: 0FIAP_C02
S_RS_MPRO
Activity: 03
Infoarea: 0FIN_REP_SIMPL_1_ERP
MultiProvider: 0FIAP_M20, 0FIAP_M30
MultiProvider SubObject: *
I then gave to my test user this 2 roles, and with that user I can still see every infoarea, and access all reports.
I will have more specific roles u2013 to other areas (SCM, TV, etc), but I chose this one has an example.
First question I have: can I manage my requirement in 2 different roles: one for action that can be performed (role 1) and other for areas that they can access data from (role 2)?
What objects/restrictions am I missing in role 2?
Many thanks
Joana -
Authorization in APO: org level concept (parent role -- derived role) ?
Hello experts,
we want to introduce some authorization / roles in APO using the typical R3 concept of having a "parent role" and derive "single roles" from such a parent role and change the "org levels" inside the single role. Testing this with master data objects like C_APO_LOC (location in APO) it seems to me that APO doesn't know about "org levels".
Whenever I create a parent role (lets say "Z_PAR_ROLE_LOC_MASTER") to access /SAPAPO/LOC3 (Location master data) and create a single role out of it (derive it into Z_SINGLE_ROLE_LOCMASTER_1234") and enter the location ID 1234 ... regenerating and populating a change from the parent role "Z_PAR_ROLE_LOC_MASTER" does immediately wipe out the location ID 1234 maintained before in the single/derived role "Z_SINGLE_ROLE_LOCMASTER_1234".
My question: is this by design that APO does not know about "org levels" or is there something special I have to consider using PFCG correctly in SCM (I can see the "Org Level" button but it says there are no org levels) ?
Regards
ThomasI got the solution - the profile generation was missing !
-
Process Order Source Display in SCM
Hello users, please forgive my ignorance in this are but I am trying to understand why a specific users would not have a Source/Target section in an SCM Process Order in a released status.
If the user drills into a process order from the product view then the following data sections should be available for display: Dates/Times, Primary Product, Status, *Source/Target*. For one user the Source/Target section is not displayed.
Is there a users specific setting that determines this display?
ThanksHi Christopher,
Are the authorizations for the specific user and any otehr user(for whom display is correct) similar ?
Regards
Datta
Maybe you are looking for
-
SAP BW Multidimensional OLEDB Provider and NOPROMPT option
Hello I'm trying to connect to a SAP system using the SAP BW oleDB provider with this kind of connection string: Provider=MDrmSap.2;Data Source=SAP VPN;Password=PASSWORD;User ID=USERID;Location="";Integrated Security=False;Persist Security Info=True;
-
After installing Lion I can't open CrossOver anymore.
-
Exc– ORA-00604: error occurred at recursive SQL level 1 ORA-01003;No Stat P
I am getting above mentioned error when calling the below procedure. Please guide me procedure xyz(P_ROTATION_NO , P_VESL_NO , P_VESL_NAME , P_CM_REGN_NO , P_FINAL_CLOSE_STA , P_FROM_REG_DATE , P_TO_REG_DATE , P_FROM_ARRIVAL_DATE, P_TO_ARRIVAL_DATE,
-
RECEIVING MULTIPLE DOWNLOAD ERROR ON ITUNES
receiving multiple downlad errors on itune songs........how do i delet them so I can re-download them?
-
I purchased Thor on Blu-ray + digital copy. I tried transferring the movie to my MacPro tower, but the digital copy disk will not load. I'm able to insert it and I can hear the drive trying to read it, but after about a min., it is ejected. I also