UME and Portal role provisioning is available in AC 5.3

Similar Messages

• Abap+java abap-user and portal-role PROBLEM?? help

  We have the ABAP+java add-on install.
  The UME is by default ABAP engine.
  From Portal:
  1 I create a portal user, it ALWAYS creates ABAP user in ABAP engine.
  2. I create a portal role, it creates a role in the Portal.
  3. When I assign the user this portal role,
  having worksets and pages,
  I get no pages or worksets shown in the portal page as soon
  user logs in.
  Can you help configure this so that I could see the pages and iviews inside this workset when user logs in.
  Thanks  a lot.

  Hi Mike,
  You did right,
  Just check the Entry Point Property of your iView, page and workset to YES
  there are two radio buttons yes and no select the yes one,
  you can see your pages afte rlogin with the new user.
  Regards
  Abhimanyu L

• Can anyone help me understanding the links between Launchpad roles, PFCG roles, and portal roles!?!

  Hi experts,
  I am looking at the newer EhP5 and EhP6 functionality for ESS and MSS, specifically the WD ABAP portal applications.  I've turned on all the business functions and services I think our team wants, however I'm confused on how to move forward in using them.  For a little tech info, we are on EhP6 for the backend, but our portal is 7.02.
  My first step was to assign the com.sap.pct.erp.ess.wda.Employee_Self_Service_WDA portal role to our test ESS user group in our sandbox environment.  The ESS user got a new ESS tab in the portal and it's linked to the Launchpad role ESS, Instance MENU.  I'm comfortable with ESS at this point, still need to learn more about customizing the menu for different employee groups without creating additional Launchpad or SAP roles.
  Question 1: Correct me if I'm wrong, but is the Launchpad roll ESS, instance menu linked to the PFCG role SAP_EMPLOYEE_ESS_WDA_2?
  Next, I was looking to see if there was a similar portal role for MSS, but it seems I can't find one.  I implemented the MSS Addon 1.0 for ABAP and the portal and got a new MSS portal addon role, but it doesn't seem to be connected to any MSS Launchpad role.
  Question 2: Is there a portal role to assign to users/groups that is linked to one of the MSS Launchpad roles? If yes, what business function or service is it a part of?
  I'd like to use of the existing MSS Launchpad role to test some of the new portal functionality, but I'm not sure how to do it.
  Question 3: How is a Launchpad role assigned to a SAP role in PFCG?  Anyone have some documentation they can point me too?
  Kind regards,
  Garrett Meredith

  Thank you Samuli, this was very helpful in connecting many of the pieces.
  For now I have a very good understanding of how the new ESS is controlled and modified.
  It appears that FPM_LAUNCHPAD_UIBB could be used to develop a similar component to call a custom launchpad role for MSS containing a customized list of WDA applications.
  Is a MSS Launchpad a good way to pursue since we use a SAP enterprise portal?
  I found a PAOC_MSS package containing other MSS embedded packages.
  Could I use one of the embedded packages in there and by creating a Component configuration in the FPM_LAUNCHPAD_UIBB for one of the MSS WD applications?
  Based on the documentation link above, PFCG roles are for NWBC HTML or Desktop versions.
  Kind regards,
  Garrett

• No Portal Roles assigned issue

  Hi Experts ,
  We had recently integrated CRM with portal , but some users inspite of having the portal roles assigned to their id were getting an Access Denied page (we had customized the "no portal roles assigned " error page ) . Knowing the dependency of portal on IE and browser settings , this issue is sometimes resolved by clearing cache , cookies , and changing a few browser settings etc on IE 6.0 . If this doesn't work then upgrading to IE 7.0 definetly helps . Since this is just a workaround , I would like to know if anyone has experienced such a thing before and has a solution for this . Your inputs will be highly appreciated .
  Regards
  Mayank

  Hi Mayank,
  This is an error which happens when there is No roles assigned to the user. I am not sure how your systems are designed for User Management. Say for example in some cases LDAP is used to maintain Group to User Relationships and Portal Roles are connected to Groups therfore all users in the group is assigned to the Role. In some cases UME is used.
  Having said that you can disable the cache for the browser. You have to compromise with the performance however, this will ensure that everytime the user logs in, the request will always go to the server.
  Regards
  Avik

• CRM Portal Role Copier

  Anybody used this tool?
  A portal role is linked to a backend single role.  SAP ships several standard portal roles / backend single roles specific to CRM.
  Since the CRM Portal Roles hyperlink between several portal iViews / PCUI applications within the Portal (this is setup in the backend on tables crmc_prt_role_mo & crmc_prt_role_rl).  To make things easier there is a role copied on the Portal (crm admin role)
  But I've tried using this by copying a crm backend single role and portal role that exists to a new single backend crm role and portal role.  So far hasn't work
  The documentation says make sure the single role and portal role exists - are they talking about the destination role?
  Also mentions addition to desitnation role field - what's this?

  To keep it clear ,using role copier copy CRM backend role to custom role whatever created on portal .Once portal role is generated assign that to user profile to get the object links .
  Thanks,
  Thirumala.

• ABAP roles v/s Portal Roles

  Hi All,
  Currently I was going through  EP security docs where I came across this
  "An important difference between ABAP roles and Portal roles is that in the portal,no authorizations are defined for the backend application itself. This must still be
  done within the backend applications (for example, mySAP ERP)."
  Can somebody plz explain me this..
  Would also like to know more difference  between ECC and EP security,
  Thanks,
  Ajit

  Hi Ajit,
  I have been looking into this for some time as well, but am still not sure of some things myself nor which scenarios fit best to which security aspects.
  My understanding is that it depends on how the portal is connecting to the backend.
  If the portal user is the backend user, then the portal role is just a permission to click on things in the portal. The portal roles are mapped to the backend roles in the ABAP system (so you can, and need to, define what that portal role can infact do when the portal user "clicks" in the backend, using the backend roles of the same backend user context).
  If the portal user is not the backend user (i.e. it is a system service for generic access to the backend), then you should restrict the backend access to the bare minimum of that service and control the security in the portal application (the calling application) as the backend user context is not the same.
  So it is a "design" answer as well...
  There are a few good posts about this if you use the search. If you find a good one, then please link it here so that others who use the search and follow up on their questions can use it as well.
  At the top of the forum, there is a sticky thread on FAQs and other usefull discussions. Sadly, portal security does not have any links yet, so if you find a good one then let me know.
  Cheers,
  Julius

• Portal Roles Intial load and Provisioning through IDM UI

  Dear All,
  I am trying to assign portal roles to Users in IDM 7.1 SP5.
  For this two activities needs to be performed:
  1) Portal roles Initial load in IDM Identity store
  2) Provisioning of Portal roles to Users through IDM UI
  Please suggest about the configuration guide or steps required for both points mentioned above.
  Thanks
  Honey

  Dear Christoph,
  Thanks for the reply.
  Now I am able to assign Role / Privileges to Users from IDM to UME.
  Require one clarification on  User / Identity creation:
  Where can I can set initial password for all the new user created from IDM UI ?
  I am able to create new User and assign roles as well from IDM UI and all is available in EP UME also.
  But when I am logging in with new user it is not taking the default password mentioned in Global Constant in IS.
  Do I need to mention the password somewhere else.
  Pls suggest.
  Thanks
  Honey
  Edited by: Honey Gyanani on Oct 6, 2010 9:10 AM

• How do you test portal roles and/or ESS roles if testid is not in LDAP?

  We have a process but it is hard to maintain and not very secure.  I was wondering how other Security Admins solve this problem.
  For examplle, we have users who use ESS, MSS, Adobe Forms and a few other portal roles.  And, all of them are using the LDAP to authenticate users.
  Our Basis guys have created test ids in the Portal but they need to be asisgned directly to a pernr (on Infotype 0105) in order to obtain the right information in the portal.
  I'm curious as to how others maintain this process.
  All suggestions and recommendations are welcome.
  Thanks,
  Penny

  If the Basis team has created the test-id on the portal, assign the MSS/ESS role as per the business process
  make sure to create the same userid on the backend system and assign the userid to a pernr
  Assigning userid to PERNR lot of postings are available to do this please search.
  Also I remember at one of my customers project  the portal was configured to have "parameter setting" on the portal rather than the backend system.
  summary: Userid - UME/LDAP ( Basis already created it in your case )
                                Portal roles ESS/MSS   - assigned to userid
                                ECC/HCM system roles -assigned to userid  ( after PERNR is tied to userid)
                                Paremeter setting to be done on portal
  Regards

• Web/UME Services to fetch list of Portal Roles??

  Hi All,
  Are there any out of the box Web or UME services available which can fetch list of Portal Roles based on certain criteria.
  Basically I am looking for a service that will fetch list of all Portal Roles (PCD & UME) and will take couple of input parameters, a Role Name/ID & the permission property "Role Assigner"
  Thanks
  Sandip

  Thanks for your reply.
  But I guess these forums shows how to retrieve roles & its sub-ordinates for a particular user. Where as I am trying to retrieve all PCD roles for which I have "Role Assigner" permission.
  Basically I am building a delegated admin functionality on Portal using custom coding. It is the same as Portal out of box Del User Admin but I am not using it because of some other enhancements.
  I will have many user admins and the roles they can assign to users are determined by the "Role Assigner" permission. So its like, User_Admin_RoleA has access to 5 Portal Roles, User_Admin_RoleB has access to some other 5 roles and so on.
  So just wanted to know if there are standard Portal service (like we have for KM) available to do this.
  Thanks
  Sandip

• Report on portal User ID and Assign Roles for all portal users

  Hi!
  I would like to know , is there way that we can get a report which shows all the portal user ids with there assign portal roles. If we can't get this from portal. Can we get it from Oracle database ?
  What are the oracle tables and fields which store this information?
  If nay one have a custom develop iview for this please let me know
  Thanks
  Ramesh

  Hi Ramesh,
  as Pascal stated (and as I did above), if developing within the portal is not really new for you, playing around with the UME API is really more or less trivial.
  Check Portal User and Role info as well as User to Role listing for similar requests and code hints / further links.
  Hope it helps
  Detlev

• Role Mapping For Portal Role Assignment and ABAP Role Assignment

  Summary:
  - Under the GRC configuration of Roles> Role Mapping we are trying to utilize the  role mapping feature in GRC for associating a dependent role to a main role.
  - We want to use this role mapping feature for the purposes of adding an Enterprise Portal role for every ABAP role that gets approved for the user in an ABAP component system (i.e. ECC, BW, CRM etc). We will have a 1:1 mapping of Enterprise Portal role to ABAP role defined in the role mapping section in GRC.
  - We want to set up the workflow in such a way that the main role (ABAP role) is the only role that needs to be approved. The dependent role (Enterprise Portal role) should be added or not added based on the approval or denial of the main role (ABAP role). In other words if the role owner for the abap role approves the abap role, then both the abap and EP role will be provisioned by GRC and if the role owner rejects/denies the role, then neither the abap or EP role will be provisioned by GRC.
  Problem Description:
  Our Scenarios we tested:
  Scenario 1:
  Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
  Dependent Role:  Attached to Initiator B & workflow B (routes to auto approval or no approval)
  *Problem with the Scenario 1setup above, the dependent role will always get approved & provisioned regardless of the approval or denial of the main role. 
  Scenario 2:
  Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
  Dependent Role:  Attached to Initiator A & workflow A(routes to single approver (same as main approver) based on role)
  *Problem with the Scenario 2 setup above, the dependent role will always also need to get approved by the same approver as main role and it opens the possibility that the approver may accidently approve the main role and deny the dependent role, which is not the ideal setup as we inherit the risk of human error.
  Questions:
  1. Does the dependent role need to be defined in an initiator at all since it will never directly be requested directly?
  2.  If the dependent role does need to be in the initiator file, please describe how to properly setup the initiator and workflow stage & path so that we can maintain the desired relationship with the main role approval dependency? (if the role owner for the main role approves the main role, then both the main role and dependent role will be provisioned by GRC and if the role owner rejects/denies the main role, then neither the main role or depedent role will be provisioned by GRC
  Edited by: Rene Griffith on Feb 26, 2010 10:22 PM

  I tested this set up.
  1.  Defined ABAP role as Manin role
  2.  Defined Non-ABAP role as dependednt role
  3. ABAP role  is set up in initiator requiring business approval.
  4.  Non-ABAP role is set up in initiator with no approval required.
  Results Where Business Approver approves the ABAP Role
  1. Only the ABAP role is displayed in approver view which is desirable.
  2.  ABAP role is approved and Non-ABAP role and ABAP role is provisioned.
  Results Where Business Approver rejects the ABAP Role
  1. Only the ABAP role is displayed in approver view which is desirable.
  2.  ABAP role is rejected but  Non-ABAP role is provisioned which is not what we want.  We want the Non-ABAP role not to provision if the ABAP role is rejected by the business approval.
  Thanks again for your help.

• Customizing availability of Portal Roles/TABs (ESS)

  Hello Portal Knowledgeable ones,
  I am running EP 6.0 SP13.
  We will be implementing many of the Standard HR ESS functions.  We desire to purposefully limit the hours of the day when these capabilities are available to users--EVEN THOUGH THE PORTAL IS UP.  As an example, viewing paystubs is available 24x7, whereas other update-type ESS functions (update absences) will not be available from 1am to 5am each day.  We want to limit this access because our payroll processing occurs during this window, and we do not want updates to occur during it.
  Here is my question:
  For the standard ESS web dynpro portal functions, how do we implement a time-of-day switch such that access to certain iViews is prohibited. 
  The end user experience needs to be as follows: 
  If time is between 1am - 5am and user clicks on updating ESS item in the portal, the system displays an alternative iView indicating that the system is down for maintenance.
  General advice would be welcome as well.  It seems that the portal displays tabs/content solely based on your pre-assigned roles.  How do you turn-off assigned portal roles dynamically?
  Thank you for any insights!
  Kevin

  Found a solution.  All users are assigned to groups.  Groups are then linked to roles.  To change content for user, update the group to role link using UMFactory inside a portal application.

• Link ECC roles to Portal roles (Portal is using LDAP source for UME)

  Hi all,
  If a user is assigned a certain ECC ABAP role, they should also receive a related portal role.  Our portal is using LDAP.
  If our portal ume source was an ABAP system, I think it would be easy to achieve the ECC to ABAP role linkage.
  We were thinking of developing a UME java webservice and have an ABAP proxy class consume it to allow our abap system to assign the correct portal role, and delete the portal role.
  Any other ideas?

  Rajendra,
  Thx for your reply.  Can you provide any more details as to the design of your solution with the web service?  We are thinking of running a batch job nightly with a some mapping table in ECC to determine what ABAP role should link to the portal group then call the webservice to add the user to the portal group or delete the user from the portal group. 
  A second question is...does SAP Identity Manager offer any solution for this type of requirement?
  Thanks

• Provisioning Allowed and Allow Auto-provisioning YES   Role exists No

  Hello,
  I am unable to select the roles while submitting the user provisioning request.
  The role additional details are set Yes for Provisioning Allowed and Allow Auto-provisioning
  But Role exists is showing No; i have tried updating the roles in many ways, everything is getting updated except this paricular field.
  Could you pls help me ...
  Regards,
  Sumanth

  Hello Sumanth,
  Can you successfully generate roles using the role generation option?
  I have the same issue but I presently have issues with generating single roles ONLY as posted on this thread - "Illegal tcodes" error during the role generation phase of ERM in AC10
  ...so I am thinking it is becuase I can't generate single roles that is why the roles are not displaying. However, I can view the roles in other environments like risk analysis but not at the point of access request provisioning. It tells me no roles are available.
  I sure hope someone will be able to help us out.
  Thanks

• Portal role/ group provisioning via CUP

  HI Gurus,
  We are planing to perform portal role (EP 7 )provisioning via CUP. Is there any config guide available for this which we can follow.
  Thanks
  Ani

  This guide might be of help:
  http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/502a14db-6261-2c10-22b5-95117ab0e5ed
  Regards,
  Luis