SIngle riole that belong to composite role with user

Similar Messages

• Transporting role with user assignments

  Hi Guru's,
  When we transport a role with user assignments then in the target system, the role will wipe out all the existing assignment and show the the users in the original released request.
  eg. D->Q
  In dev:
  role-A has userA, userB
  In Qas;
  Role-A has UserA and userC
  ......after import of request:
  the roleA will have userA and userB
  What I have noticed is even if userB does not exist in Qas, the assignment will be reflected in AGR_USERS. A PFUD or user compare in a role does not remove the ghost entries. Is there any way to remove these inconsistencies ?
  I saw note 534010, which is applicable for UST04.
  Thank you
  Abhishek

  Hi Matt,
  Yes, I do agree this is not a best practice. However, for a particular requirement, we thought this was the best way to solve the problem. Infact, this was the first time I ever did this
  We have a role that needs to ONLY be assigned to every person in a particular team. With more than 30 systems present( out of the production landscape, just the testing systems), we thought this would be the only fast way out than going in each system and assigning this role. This would also ensure unassignment of this role to any other person too
  Any other alternative?
  Thank you
  Abhishek

• Assign single role to composite role with alternate logsys assignments

  Dear gurus,
  In a moment of weakness I created a composite role (shame on me) and then noticed something about them which I had not noticed before... -> I was in a CUA master system and in the composite role I noticed that on the (single) roles tab of it, there was a field called "logical system". But it is greyed out.
  Now composite roles from the child logical systems are known to the CUA master system and have a logical system assigned by the text comparison. Assigning the composite in the master system will assign the composite in the child system and that assigns the local single roles in the child system as well -> so far so good and by the book.
  But is there some way to assign a composite role to a user in the master system which is assigned also to the master system, but the single roles of that composite have logical systems which differ from the logical system of the master system? So basically the field is not greyed out in the central composite roles and this composite role then represents an assignment beyond logical system boundaries - much like a "business role" in IDM.
  Has anyone ever done that before and survived? Any pros and cons? Is it at all possible what I am seeing here before my eyes (bar that the field is greyed out)?
  Cheers,
  Julius

  Hi Martin and others,
  I experimented a bit further with this, albeit rather unsuccessfully from the view of useful results.
  While the "target system" field is intended for navigation to the corresponding trusted RFC connection, it is also possible to turn the user menus off. So such a remote role is not going to go anywhere in navigation. If additionally the CUA is active and you create all the target system single roles in the CUA master system as well and assign them to the "target" they are intended for... then the single role menu is transferred to the child system which the role has as a target. But only the menu, and leaves the role in the target as status red. That also means it is only useful for component neutral roles.
  Now comes the hack: If you create a composite role in the master system with local single roles as well but the single roles are assigned to "targets destinations", then when assigning the user to the composite role in the master system, then it also assigns the single roles in the target systems to the user as well as the local system (the master as a child of itself). So it is in fact a halfway business role in the IDM sense, with some naming convention strings attached.
  You also dont see this in the code of SU01, as the USERCLONE Idoc processing seems to be the guilty one to also send aditional Idocs for these single roles with targets assigned to the roles and not the user.
  There is only one major show-stopper in the design of the thing: You can only assign 1 target RFC connection to a single role in the central CUA master system but have to maintain the roles in the target logical system still. That means that roles must be maintained logical system specifically. That also means that you have to maintain the roles directly in production and have a completely different set for development and never transport any roles. They are as unique as their CUA master system "target destination" value and that is the logical system name as well.
  That is a bit of a bummer because it means that you also cannot ever test anything...
  Did anyone ever try to actually use this?
  Cheers,
  Julius

• Fail to create roles with users in LDAP

  I installed and configured two Directory Services one for AM and one for identity. I created an LDAP Data Store for the root realm and can see the LDAP users in the Subjects->User tab in AM. I can create Subjects->Groups and add LDAP users successfully, but I cannot create Subjects->Roles with LDAP users. I get the following error:
  Plug-in com.sun.identity.idm.plugins.files.FilesRepo: Unable to find entry: C:\SFU\app\ironscale\amserver\idRepo\user\awhite
  Any ideas? I also found it odd that my new Group was created in the FileRepo under idRepo/group. I thought it would have been written to the AM DS.
  I deleted the flat file Data Store and the Group/Roles tabs disappeared. Must I import additional LDIFS to my LDAP Identity DS to store roles and groups it that DS?

  Update.
  I deleted LDAPv3 Plug-in Supported Types and Operations values group, user, and role, based on Sun's Access Manager training class examples. I re-added them and deleted the File Data Store and groups now get created in the LDAP Identity repo. However when I create a role and add users the operation sucessfully completes. But I cannot find the roles using an LDAP browser. I can grep the role name from the LDAP database and the roles remain after restarting the db and AM. It appears AM is adding roles in a way other tools cannot see them.

• Table that stores the business role and user id mapping

  Hi,
  i want to know the table that stores the Business role and the business role and user id mapping in CRM system.
  Thanks in Advance.
  Regards,
  Pricy

  Hi Mary,
  There is no direct table but there is a way to find it.
  HRP1263 is the table where business roles are stored when maintained at org level. These are stored against the Position.
  For getting user ID and position linkage refer table HRP1001.
  In HRP1001 table use below criteria to get the User and Position.
  OTYPE = CP
  SCLAS = US
  SOBID = User ID
  ENDDA = 31.12.9999
  Get the OBJID
  Query the HRP1001 table again with following
  OTYPE = CP
  OBJID = OBJID from above Query
  ENDDA = 31.12.9999
  SCLAS = S
  SOBID = Thats Position.
  Pass the position to HRP1263 as below.
  OTYPE = S
  OBJID = POSITION
  PROFILE - Thats business role assigned for the given position and user.
  Hope this is helpful.
  Regards,
  Naresh

• Moving roles with user assignment

  Hi There,
  Need your help...
  We have roles and users created in QA for training, now we want to move roles from QA to Production with user assignment.
  Users that are created in QA for training have also been created in Production, is it possible to move the roles from QA to Production with the user assignment.
  Thanks and Regards,
  Azher.

  Table PRGN_CUST does'nt contain any entries, its an empy table in QA.
  USER_REL_TRANSPORT entry with value NO locks system from TR imports with User assignment. So you have to ensure your target system-Production does not has that entry in PRGN_CUST.
  TR is geting created in Local change request which cannot be moved to Production.
  This TR request are created in Local Change request only when you do not specify a target system/group . All you need to do is specify the "Target" while creating the TR in PFCG (subsequent screen after you hit Create request) and release your TR via SE10. Once released, the TR would be added to the import queue of Production. You/your Basis team can import it manually via STMS_IMPORT (Extras>Other requests>Add TR and CTRL+F11 to import). If there are any errors please have Basis team to review the transport logs.
  P.S:  You can only transport direct user assignments of roles via PFCG transport option described in my post. In case of indirect user assignments that were created using Organizational Management (HR-Org), you will have to use transport functionality in Organizational management.
  Thanks
  Sandipan

• Restrict Moving roles with user assignment

  Hi There,
  Need your help...
  How to restrict to move roles from dev->QA with user assignment. (want to disable the user assignment restirction)
  Thanks and Regards,
  Gnanaprakasam

  Unfortunately this is not the default installation setting, so you need to go into the security settings customizing and change the USER_REL_IMPORT switch to 'NO'.
  This does however NOT make the checkbox disappear in the transport source system. It prevents the import in the target... so you must set it and transport it there first, then it works.
  Cheers,
  Julius

• SAP Security Report for single and composite roles

  Hi
    I have a requirement to create a cutomize report in SAP Security.
  I have to display Composite roles,corresponding single roles,the tcodes assigned to those single roles and the description of t- codes. The selection screen has composite roles,single role and T-code which are optional.User can enter selection in any of the selection critreria.How should I go on this?If user gives only composite roles on the selection for e.g 'TEST'. for this role I get suppose 3 child roles 'TEST1' 'TEST2' 'TEST3' from table AGR_AGRS.Now to get the tcodes i go to table 'AR_1251' and I get the tcodes.
  But if user give only single role on the selection for eg 'TEST2' ,for this single role 'TEST2' there would be multiple composite roles.for e.g, 'TEST' 'SAP1' 'SAP2' etc..Now if go to get the tcodes for this single role in AGR_1251,I will ceatainly get the tcodes for eg MM01,FB01,etc.But then how would I know whether MM01 belongs to composite role 'TEST' SAP1' or SAP2' for the single role 'TEST2'.
  Please advise.
  Thanks
  Edited by: Julius Bussche on Aug 13, 2009 4:52 PM
  Subject title improved

  I though of seperate selection options for singles and composites, but you also said:
  > But if user give only single role on the selection for eg 'TEST2' ,for this single role 'TEST2' there would be multiple composite roles.
  My suggestion would be to build better single roles, but that is just me...
  Cheers,
  Julius

• Report to list the Single Roles contained in each Composite Role...

  Hi, 
  Can someone tell me how I can produce a report in a 4.6C system that shows the Single rolse contained in all Composite roles?
  Thanks
  Sharon

  Hi Jurjen,
  Thankyou for that.
  Can you also tell me what the difference is between a "Composite role, Indirect (HR)" and a "composite Role"?  (I see these two Activity Group Types when running a report in SUIM to list users and their activity groups).
  Thanks
  S

• CUP 5.3, Risk test of all roles in a Composite Role - possible?

  We want to use a Function (Dummy) Role in CUP, that shall have Composite Roles connected in CUP.
  But when I do this - I only see the composite role when I make a SoD / Risk check in my cup WF.
  Can I somehow also check the single roles in the composite roles?
  Thank you
  Kristian

  Hi Kristen,
  It should definitely be possible to analyse the composite role via GRC.
  Either through simulation of the assignment of the additional single role into the composite or by the assignment of the composite role into the user's authorisations.
  The composite role itself will not have any authorisations but it should read through the single roles contained within it as it is those authorisations which end up with the user.
  Have you tried analysing the composite role directly in RAR to isolate it away form the CUP functionality as a unit test? If that works, you should then be able to prove that the risk analysis is indeed working. Then you can concentrate on the configuration of the workflow processes through CUP without being distracted from primary objective.
  Simon

• PFCG composite role copy issue

  'morning!
  A colleague of mine is facing a strange problem at her customer site:
  On copying composite roles with PFCG you should receive a dialog box with the question "Should the Single Roles Be Copied and Reentered?". This gives you the opportunity to just enter the original singles or to copy them and enter the copies.
  Unfortunately this pop-up is missing on their ECC 6.0 system and the singles are always copied as well. This is not the required way.
  Is there any system setting/parameter that steers this popup? We would really like it back....

  Hmm... I am not logged on so I confess that this is guessing.
  Next option is that the message is displayed using a popup function which is obsolete in ECC 6.0 but still using in the coding - which now simply defaults what the function module would have returned.
  Activate the ABAP debugger immediately ahead of where the popup should have appeared and look at the call stack to see what the name of the function is?
  Particularly keep an eye out
  a) CALL FUNCTION 'POPUP_TO_CONFIRM_WITH_MESSAGE' 
  b) CALL FUNCTION  'POPUP_TO_CONFIRM_STEP' 
  c) CALL FUNCTION 'POPUP_TO_DECIDE' 
  d) CALL FUNCTION 'POPUP_TO_CONFIRM'

• ERM / composite role gener. / Function parameter "Authority_check" unknown

  Dear All GRC AC Women and Men,
  I have a problem to generate a composite role with sap grc ac erm. My GRC version is a 5.3 sp5
  For single roles, it s ok.
  For composite roles, I to a first generation in GRC AC ERM . The error  message is: "Function parameter "AUTHORITY_CHECK" is unknown."
  The role is generated in the back-end and the status in GRC AC ERM is "in progress" (Yellow colour).
  I do a second generation in GRC AC ERM, and the status is "done" (green colour); the role is generated one more time in the back-end.
  The message error in ERM logs is:
  "2010-03-18 15:48:48,393 [Thread-140] ERROR com.sap.mw.jco.JCO$Exception: (104) RFC_ERROR_SYSTEM_FAILURE: Function parameter "AUTHORITY_CHECK" is unknown.
  java.lang.Throwable: Function parameter "AUTHORITY_CHECK" is unknown.
       at com.sap.mw.jco.MiddlewareJRfc.generateJCoException(MiddlewareJRfc.java:516)
       at com.sap.mw.jco.MiddlewareJRfc$Client.execute(MiddlewareJRfc.java:1514)
       at com.sap.mw.jco.JCO$Client.execute(JCO.java:3980)
       at com.sap.mw.jco.JCO$Client.execute(JCO.java:3417)
       at com.virsa.re.service.sap.dao.GenerateRoleDAO.generateRole(GenerateRoleDAO.java:564)
       at com.virsa.re.bo.impl.GenerateRoleBO.generateRoleAsBackGroundOnMultipleSystems(GenerateRoleBO.java:484)
       at com.virsa.re.backgroundjobs.RiskAnalysisAndRoleGeneration.execute(RiskAnalysisAndRoleGeneration.java:238)
       at com.virsa.service.backgroundjobs.BackgroundTask.run(BackgroundTask.java:53)
       at java.util.TimerThread.mainLoop(Timer.java:432)
       at java.util.TimerThread.run(Timer.java:382)"
  Do you know the origine of this problem? I am "quite" sure that it is not a back-end problem like authorisations missing for the user rfc (used in Jco).
  Best Regards,
  Ronan.

  Hi Ronan,
  This is an issue identified and resolved in SP07.
  Please refere to Note # 1290039 if you don't want to upgrade to SP07.
  Best Regards,
  Sirish Gullapalli.

• Get child users of composite role

  Hello
  There is FM (ESS_USERS_OF_ROLE_GET ) which bring all user of roles but what i want it's more complicated
  IF there is composite role i want to get all the user that in the roles under the composite role .
  Let say i have composite role with two roles inside (in the role tree ) .
  Composite role
  user1"this is the users of the composite role
  user2
  user3
  Role number  1
  user4
  user7
  user9
  Role number 2
  user 8
  user 5
  user7
  user6
  What i want is to get all the users of the composite role  and the child  role (which is parent ) .
  which is .
  users 1 - 9.
  I read some previous post on this issue in the forum but what I need is to use just this FM without access  to the DB
  table such as T_AGR_AGRS and COLL_ACTGROUPS_GET_ACTGROUPS ,
  What i need to do is recursive call on  the FM ESS_USERS_OF_ROLE_GET  .
  Regards
  Joy
  Edited by: Joy Stpr on Aug 23, 2009 8:50 AM

  Hello Joy,
  How is it possible to use just function module ESS_USERS_OF_ROLE_GET to get data without DB access?
  I mean this function module takes input as Simple/Composite ROLE so you have to have some list maintained
  which will be input for this function module.
  I think you can load composite and simple role in table and loop at it to make calls to function module ESS_USERS_OF_ROLE_GET to get users for compsite/simple roles.
  Some input has to be there, That's what I feel.
  Check if this helps!
  Thanks,
  Augustin.

• SECATT to create a composite role

  hello,
  until now i was using secatt with succes to create composite roles.
  but i now have to create composite roles with a lot of included simples roles.
  and i have this problem : when i try to add more than 11 simples rôles to my composites roles, it doesn't works.
  i think it's problem related to scrolling but i cannot see how to resolve it.
  thanks for your help
  best regards

  JEROME TOCANNE wrote:
  > hello,
  >
  > until now i was using secatt with succes to create composite roles.
  >
  > but i now have to create composite roles with a lot of included simples roles.
  >
  > and i have this problem : when i try to add more than 11 simples rôles to my composites roles, it doesn't works.
  >
  > i think it's problem related to scrolling but i cannot see how to resolve it.
  >
  > thanks for your help
  >
  > best regards
  SECATT reads your source file sequentially, one line at a time.  Design your script to read each line with the name of the composite role then on the same line the simple role that needs to be added.  With this design you can add 1 or 20 simple roles on a composite role.  You might need two scripts to make it simpler, one to create the composite role and the other to add the simple role to the composite.
  Good luck!

• Improve Auto-Stack and Process Collections with user settings

  I have read through all of the Bridge request discussions, and encountered a few comments on the stacking process but nothing to explain my critique and feature request. My apologies for any redundancy.
  Bridge CS4 includes two features that would (virtually) streamline my entire photo-organization workflow. Brilliant! Except that they offer zero configuration and my default scenario is very different from Adobe's, so these two would-be-wonderful features are pretty much useless to me, and to anybody else who doesn't happen to shoot in the way the presets are configured.
  The first feature is to automatically group images into stacks, based on their similarity, exposure settings, and timestamps. Unfortunately Bridge considers no minimum or maximum amount of photos per stack, and has a fixed timestamp window of 18 seconds. I shoot everything in three-exposure bursts and sometimes multiple shots in less than 18 seconds, so being able to say "process collections in 3-item stacks only" would be absolutely perfect. For other people, being able to limit the timestamp range or other min/max exposure options would work great.
  The second feature, which could save me hours every week but is equally useless, is to automatically process collections in Photoshop. My biggest ire about this function is that it completely ignores stacks that I have manually created AND stacks that were previously created using the auto-stack feature. Every time this function is run, it re-runs the auto-stack process from scratch and then delivers the collections to Photoshop. Not only is this made useless by the previously mentioned inflexibility of the auto-stack process, but even if auto-stack worked perfectly, this would waste time by doing the entire thing again and denying the user the option to review the stacks before committing to the Photoshop processing. The process collections feature would also be much improved if the option were given to process ONLY panoramas or HDR photos, or auto-detect. I have never shot a panorama in my life and I'm sure plenty of people have never shot HDR, but Photoshop isn't capable of knowing our intentions and there's no reason why we shouldn't be able to instruct it.

  Agree. It is an interesting capability that falls short of being really useful. I feel like an ingrate to complain, but ...
  I'd also like to see the capability to specify something than "Auto" for the panorama option. My experience is that most of my panos work best with "Cylindrical + Geometric Correction".
  My experience is that once you get past 5+ images in a pano, it becomes very tedious ... and then 20+ images in rows is painful. Unlike a single image that you can quickly evaluate, with panos I find I need to make the pano to tell if it going to turn out.  I have been generating smaller 1800x1200 or 1200x1800 files to speed up the evaluation process, but it is still very manual and tedious.
  The Auto-Stack generates a AutoCollectionCache.xml, but I haven't found it workable to edit this. I'd like to be able to modify it to "force" my knowledge of what is in a group. It seems to check the time-stamp, and re-do the Auto-Stack, thus ignoring my changes. Sigh.