Upload of role in Access Enforcer 5.2.

Hi All,
I need to upload roles in Access Enforcer from SAP ECC system. Actually I have uploaded the roles in Access Enforcer, but all unwanted roles have also got uploaded.
Now I need some way, first to clean entire uploaded roles & then upload selected roles.
Please suggest.
Thanks & Regards,
Pravin

Hi Pravin,
   Here are the steps:
1) Download all the roles into an Excel spreadsheet:
Go to Configuration -> Roles -> Search Roles -> click on the 'Export' button. In CUP, go to 'Search Roles'. Click on the 'Search' button without providing any search criteria. This will return all the roles available in CUP. Now, click on the Export button. CUP will export all the roles into an Excel spreadsheet in the format which CUP understands.
2) Delete all the roles from CUP: Now, in the same screen as above, select all the roles and delete them.
3) Delete not needed roles from spreadsheet and upload it into CUP:
Now, delete all the unwanted roles from CUP and play with the spreadsheet to manipulate other parameters like role approvers, systems, business process etc and upload that spreadsheet into CUP.
Regards,
Alpesh
SAP GRC Manager (PwC)
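
The spreadsheet clean-up in step 3 can be scripted so that only an agreed allow-list of roles goes back into CUP. This is an added example, not part of the original thread or of SAP's tooling; it assumes the export has been saved as CSV, and the column names and sample rows are constructed.

```python
import csv
import io

# Constructed sample standing in for the CUP role export saved as CSV.
# Column names are assumptions; match them to the header of the real export.
SAMPLE_EXPORT = """System,Role Name,Role Approver,Business Process
ECCPRD,Z_AP_CLERK,APPROVER1,Finance
ECCPRD,Z_BASIS_ADMIN,APPROVER2,Basis
ECCPRD,Z_GL_ACCOUNTANT,,Finance
BWPRD,Z_AP_CLERK,APPROVER1,Finance
ECCPRD,Z_AP_CLERK ,APPROVER1,Finance
ECCQAS,Z_AP_CLERK,APPROVER1,Finance
"""

# Roles users should be able to request, keyed by (system, role name) so the
# same role name on two systems is treated as two separate entries.
ALLOWED = {
    ("ECCPRD", "Z_AP_CLERK"),
    ("BWPRD", "Z_AP_CLERK"),
    ("ECCPRD", "Z_GL_ACCOUNTANT"),
    ("ECCPRD", "Z_PURCHASER"),
}

def filter_export(csv_text, allowed, required=("Role Approver",)):
    """Split export rows into kept / dropped / rejected, plus allow-list misses."""
    reader = csv.DictReader(io.StringIO(csv_text))
    kept, dropped, rejected, seen = [], [], [], set()
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        key = (row["System"].strip(), row["Role Name"].strip())
        if key not in allowed:
            dropped.append(key)
            continue
        if key in seen:
            rejected.append((line_no, key, "duplicate of an earlier row"))
            continue
        seen.add(key)
        empty = [f for f in required if not (row.get(f) or "").strip()]
        if empty:
            rejected.append((line_no, key, "empty: " + ", ".join(empty)))
            continue
        row["System"], row["Role Name"] = key  # write back the trimmed values
        kept.append(row)
    missing = sorted(allowed - seen)  # allow-listed but absent from the export
    return reader.fieldnames, kept, dropped, rejected, missing

def to_csv(fieldnames, rows):
    """Serialise the kept rows in the original column order for upload."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    fields, kept, dropped, rejected, missing = filter_export(SAMPLE_EXPORT, ALLOWED)
    print(to_csv(fields, kept))
    for item in rejected:
        print("REJECTED", item)
    print("DROPPED", dropped)
    print("NOT IN EXPORT", missing)
```

Rows that are rejected or missing need a decision before the upload; dropped rows are the unwanted roles and simply stay out of the file.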

Similar Messages

  • Access Enforcer(error in approving the request) and import roles

    Dear all,
    error in approving the request at security stage(last)
    manager and role owner are successfully approved.
    and also importing roles into access enforcer was not successful.
    imortstatus : 0 roles imported of 28 records found.
    please find the system log:
    2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.messaging.MessageFormatter : parseDesc :   : INTO the method : desc :Please specify a file to import.paramNames :paramsMap :{FIELD_NAME=#_!FIELD_NAME#_!}
    2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
    2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
    2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
    2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
    2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle :   : INTO the method : en
    2008-09-05 13:02:28,234 [Thread-47] DEBUG

    In Addition to my previous response:
    I meant to include the following:
    Some of the fields that need to be properly defined with attributes are:
           System: must have the known SAP system defined here
           Role Approver (I presently am using most of the roles without having need for approval; I created a user called NOAPPRV in AE)
           Functional Area: need to have all the areas defined that roles will be assigned to
           Company: I only have one company so that's an easy one
    Some areas I presently do not use but found they must be coded and coded properly:
           ResponsibilityID:   N/A  (coded as is)
           CommentsMandatory: NO (coded as is)
           Parent Role Owner:   NO
           Business Process: NA  (I believe I originally coded N/A and it did not like that)
           Sub Process: NA  (again N/A I believe error on me)
           Reaffirm Period: presently I am using 0 (zero)
           LastReaffirm: presently using 12/31/9999
    Hope this helps a bit
    I wanted to include an attachment with a sample of my Role Import spreadsheet but I'm not sure exactly how to do that; if I figure that out or someone can provide me the process I will include it
    Jerry Synoga
    Ryerson Inc.
    630-758-2021

  • CUA still necessary/recommended with Access Enforcer?

    Hello forum members,
    we are planning to implement SAP GRC Access Control for one of our clients. There are 5 R/3 Systems in the landscape, one of them a HR System. Currently there is no CUA in place and all users and roles are maintained separately in each system. Now with the introduction of GRC Access Control there is the question of whether we should at the same time also have a CUA introduced or if it is better to directly provision the Users and Roles from Access Enforcer to the target systems.
    What are the pros/cons to have a CUA in between? Does Access Enforcer also provide overview on all users in all system and the assigned roles?
    Thanks for your replies.

    This is a question that I'm asked all the time.  For some environments, using CUA with AE is really nice.  For other environments, it's just not feasible to have CUA as the security authorisation strategies are too inconsistent across systems.
    For example:
    a. There are three systems (ECC, BI, and SRM) implemented with a consistent top-down (job) approach to defining roles.  So, an AP clerk will receive the 'AP Clerk' role in ECC, 'AP Clerk' role in BI, and 'AP Clerk' role in SRM (for simplicity).   Obviously, the roles are different as they are for different systems, but the point is, it is easy to categorise the authorisations for a particular job across each of the systems.  If security is consistent like this, then CUA can be implemented and the three single roles for the three systems can be grouped together in a cross-system composite role called 'AP Clerk'.  When AE is implemented over the top of this, a user only has to request the 'AP Clerk' role (composite).  AE performs the workflows, risk analysis etc and then finally passes the request to CUA, which then provisions out to the other two systems.  Very easy from a user point of view as they only have to request one role, which is their job.
    b.  If however due to inconsistency between the systems, it is not feasible to group access into cross-system composites, it may just be better to go with AE without CUA.  In this scenario, a user must request the applicable roles from each of the three systems.  It is more flexible, but a little more difficult for the end user.
    I normally spend quite a bit of time developing the Access Controls strategy during the blueprint phase of the implementation just to make sure that I'm coming up with the optimal design.  A bit of prototyping helps also!

  • Access Enforcer Role Import - Reaffirm period

    Hello
    What do the following terms mean:
    last reaffirm
    reaffirmperiod
    We currently upload roles into AE, with last reaffirm as current date, and reaffirmperiod of 60 which means 5 years.
    Can someone please explain what these terms mean, because many roles have reaffirm periods that end in 2010.
    Thanks

    Hi Prakas,
    Reaffirm period (in months) is the duration after which you would like the Approver of the Role (Role Owner / Role Approver) to get notified of which users in SAP have access to that Role, and whether he wants to continue giving that role to them or wants to remove that Role from all of them or any one of them.
    He would get the details on which Role requires Reaffirm at the following location:
    In AE 5.2: log in with the Role approver id (e.g. ABC) into AE.
    In tab Access Enforcer > Reaffirm.
    A list of all the roles of which ABC is approver and which require reaffirm would display here.
    ABC can now take appropriate action by selecting the role name.
    Last reaffirm is the date when the Role was last reaffirmed/revisited/reassigned.
    In your scenario you have given Reaffirm period = 60, which means your Role Owner would get the Role in his Reaffirm inbox after 5 years.
    This is not best practice. For security reasons, SAP advises keeping the Reaffirm period to a maximum of 2 months.
    I hope this answers your query .
    Thanks
    Jasmine
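
To see what a given reaffirm period means for each role before uploading, the import sheet can be checked for the next reaffirm date and for periods above a chosen limit. This is an added example, not from the thread or from SAP; the column names, the MM/DD/YYYY date format and the sample rows are constructed assumptions, and the limit is a parameter (the 2 months quoted in the reply above is used in the demo call).

```python
import calendar
import csv
import io
from datetime import date, datetime

# Constructed sample rows. Column names and the MM/DD/YYYY date format are
# assumptions; adjust them to the role import sheet actually in use.
SAMPLE_SHEET = """System,Role Name,Reaffirm Period,LastReaffirm
ECCPRD,Z_AP_CLERK,60,01/31/2008
ECCPRD,Z_GL_ACCOUNTANT,2,12/31/2008
ECCPRD,Z_DISPLAY_ALL,0,12/31/9999
ECCPRD,Z_PURCHASER,six,01/15/2008
"""

def add_months(start, months):
    """Shift a date by whole months, clamping to the last day of the month."""
    year, month0 = divmod(start.year * 12 + start.month - 1 + months, 12)
    if year > date.max.year:
        raise ValueError("due date is beyond the supported calendar range")
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(start.day, last_day))

def review_reaffirm(csv_text, max_months):
    """Return (system, role, status, due_date) for every row of the sheet."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        system, role = row["System"].strip(), row["Role Name"].strip()
        try:
            months = int(row["Reaffirm Period"])
            last = datetime.strptime(row["LastReaffirm"].strip(), "%m/%d/%Y").date()
        except ValueError:
            results.append((system, role, "unparseable", None))
            continue
        if months <= 0:
            # No positive period: no due date can be derived from the sheet.
            results.append((system, role, "no-period", None))
            continue
        try:
            due = add_months(last, months)
        except ValueError:
            # A far-future last-reaffirm date pushes the due date out of range.
            results.append((system, role, "never-due", None))
            continue
        status = "too-long" if months > max_months else "ok"
        results.append((system, role, status, due))
    return results

if __name__ == "__main__":
    for system, role, status, due in review_reaffirm(SAMPLE_SHEET, max_months=2):
        print(f"{system:8} {role:18} {status:12} {due or '-'}")
```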

  • Access Enforcer Import Role Automation

    We would like to automatically import roles from SAP.
    We do know that you can use Role Expert which in itself can be used to automate the import. However, we still have to manually import into AE - even if RE is used as the role source.
    Is there a way to periodically automate the import from either SAP or RE because it does not make sense to have to manually import roles every time a new role is created in SAP.
    Thanks

    Actually, it does make sense.
    One of the prime features of Access Enforcer is that you don't import all the roles, but just the ones you want users to be able to request.
    For each of the roles, it's useful to put them into some kind of category (functional area, business process, sub-process), which makes handling for users a lot easier, and you have to assign approvers.
    One way to do that is to use an Excel spreadsheet and manage the data there. Easy to use and update, and quick to upload into AE.
    Kind regards,
    Frank.

  • Access Enforcer - Role Reaffirmation

    Hi,
    Access Enforcer offers a role <-> user assignment reaffirmation after a defined period.
    My question is, what happens if using the Remove or Hold button in the Role Reaffirm menu entry.
    I tried removing the access, but all that happens is the user entry is marked as "Remove".
    Should an automatic Request for the role removal be triggered or what's the purpose of these two options?
    Thanks,
    Daniela

    I answered the question myself.
    Hold will keep the role in the queue to reaffirm.
    Remove will automatically remove the role from the user once all user-role assignments have either been affirmed or removed.

  • Access Enforcer - REMOVE roles/existing roles inoperant

    Hello
    After some time using the capability to ADD and REMOVE roles when creating a request on Access Enforcer (using the option 'Existing Roles' to REMOVE), Access Enforcer now goes back to the screen to ADD whenever we try to access 'Existing Roles'.
    So, the function to REMOVE roles is inoperative.
    Any ideas what it could be?

    Hi,
    When you open a changing access request it's possible to add new roles and remove existing roles from the user, right?
    However, the option to remove roles (which is accessed through the 'existing roles' button) is no longer working.
    When that option is accessed, the current user's access is no longer shown: the screen returns to the add roles option.
    I haven't found any setting for the feature to remove roles and still don't know how that option, previously used in other requests, is not working for anyone else.
    Regards
    Heverton Kesseler

  • Access Enforcer and Import Roles

    Hi All,
    I am having issues importing roles that have the exact same name across different systems. This makes it almost impossible to implement Access enforcer across Dev/QA and Production environments at once. I would have thought that AE uses the (System ID, role name) as the key for that particular table used.
    Has anyone managed to find a workaround for this?
    Cheers,
    Cuneyt

    Never mind, I have solved the problem.

  • PD profiles in Access Enforcer

    Hello
    Regarding setting up PD Profiles in Access Enforcer,
    1. Are PD Profiles set up manually in AE
    or
    2. Is there a connector configuration that derives PD profiles from the HR system
    or
    3. Is there a flat file upload of PD profile data in AE, like we do with roles.
    Can you also point me to any guide in SAP marketplace / Wiki How to Guides, that describes setting up PD profiles in Access Enforcer.
    Your help is appreciated.

    Hi Selva,
       I am not able to get what exactly you are looking for. You want to know which values you need to enter for parameter values then it is explained in the name itself.
    To understand what to enter in parameter values either you need to know EP or need to work with EP administrator. It won't be easy to explain you each and every parameter. If you don't know where to find a particular parameter then I should be able to help you.
    Regards,
    Alpesh

  • Uploaded BW Roles and Iviews launch

    Hello Gurus,
    My goal is to replace the BEx Browser with the Portal.
    I am experimenting with different things but so far it seems that the best way would be to upload SAP_BW Roles to the portal with the following settings:
    Upload user mapping:               YES
    Upload user mapping:           YES
    Upload included services:           YES
    Select first folder level as entry point:      YES
    Convert roles to worksets:          NO
    Role name only
    I am facing a couple of problems though:
    1) Once I added an uploaded role to a Portal User, I am accessing the portal with it:
    Folders contained into the roles now are shown as tabs, which is actually fine.
    Web queries, contained into the role, are shown as sub-tabs which doesn’t thrill me but I don’t see any problem with it.
    The first web query (Iview) contained into the folder starts by itself even though I am not clicking it and this is not alright!
    I was imagining something different like what we have accessing the portal with role “com.sap.ip.bi.business_explorer_showcase_0”
    A folder which contains clickable links leading to the web queries (iViews).
    Do you know a way to have the same thing with uploaded roles?
    If it is not possible can you please tell me how to avoid the automatic start of the first query (Iview)?
    2) I am not able to find within the KM, web queries (iviews) imported with the tool… can you please tell where they have been stored?
    If you believe there is a better strategy to replace the BEx Browser with the portal please let me know it !
    Thank you very much!
    Matteo Mariniello

    Hi Matteo,
    If you are using NW 2004s, I would recommend going with the BI-Java usage type, which would provide you with Business Explorer and Business Planning Roles. This contains a BEx Web Analyzer through which you can run your queries and reports through the portal. This also provides access to BEx Portfolio where you can publish Queries to KM Folders.
    You can install BI as a usage type while installing NW 2004s.
    Check out the following links.
    BI Suite
    http://help.sap.com/saphelp_nw04s/helpdata/en/5b/30d43b0527a17be10000000a114084/frameset.htm
    Integrating BI with Portal
    http://help.sap.com/saphelp_nw04s/helpdata/en/a3/7b583c2439e66fe10000000a114084/frameset.htm
    Thanks,
    Abhishek

  • "Refresh" of development Access Enforcer system

    Greetings!
    Our Access Enforcer system is now in production. Our development system is quite a mess, with old requests and configuration.  We would like to make the dev system look more like the production and test systems and get rid of all of the old requests, initiators, stages, etc. Does anyone know how to clean up AE so we can start over with a clean slate? We are on 5.2 with SP3, running on an AIX box with Netweaver only.
    Thanks!

    Hi,
    I am not sure on the reasons for system refresh. Look at the below points:
    1. The RAR data (Rules, Functions, Risks etc) can be downloaded and uploaded in the Development environment. Why do you need the production user data in Development?
    2. The SPM users are intended for production. Why you are planning to copy/simulate them in development?
    3. The ERM and CUPs are workflows, where the systems and other settings have to be created manually. What is your intention in getting them to development?
    As per my knowledge, no system refresh is performed for GRC systems. Maybe you need to educate the client on these things. Please look for the ideas from the other experts too before you go back to your client.
    Hope this helps!!
    Warm Regards,
    Raghu

  • Can access enforcer be implemented with going through the SOD check.

    Hi All,
    I have couple of questions regarding Access enforcer:
    1. Can Access enforcer be implemented with going through the SOD check?
    2. Can we provision roles for the project team using Access Enforcer (without having a million SOD conflicts which need to be cleared)?
    I would really appreciate any insight on these questions.
    Thanks

    https://websmp103.sap-ag.de/~form/sapnet?_FRAME=OBJECT&_HIER_KEY=501100035870000015092&_HIER_KEY=601100035870000206624&_HIER_KEY=601100035870000212731&_HIER_KEY=601100035870000210510&_HIER_KEY=701100035871000519581&_SCENARIO=01100035870000000202&#HOME

  • Uploading BI role in EP:com.sap.portal.pcd.rolemigration.RoleMigrationExcep

    I am getting the following error while uploading a BI role in the portal. Can anybody suggest a solution?
    com.sap.portal.pcd.rolemigration.RoleMigrationException: Access denied (Object(s): portal_content/com.sap.portal.migrated/SAPComponentSystems/roles/BIDCLNT900) - save(aibw03). Access denied (Object(s): portal_content/com.sap.portal.migrated/SAPComponentSystems/roles/BIDCLNT900)
        at com.sap.portal.pcd.rolemigration.RoleMigrationObject.save(RoleMigrationObject.java:5715)
        at com.sap.portal.pcd.rolemigration.RoleMigrationObject.save(RoleMigrationObject.java:5179)
        at com.sap.portal.pcd.rolemigration.RoleMigrationObject.migrate(RoleMigrationObject.java:1857)
        at com.sap.portal.pcd.rolemigration.RoleMigrationObject.migrate(RoleMigrationObject.java:782)
        at com.sap.portal.pcd.rolemigration.RoleMigrationThread.run(RoleMigrationThread.java:523)
    Original exception: com.sapportals.portal.pcd.gl.PermissionControlException: Access denied (Object(s): portal_content/com.sap.portal.migrated/SAPComponentSystems/roles/BIDCLNT900)
        at com.sapportals.portal.pcd.gl.PcdFilterContext.filterCreateSubcontext(PcdFilterContext.java:242)
        at com.sapportals.portal.pcd.gl.PcdProxyContext.createSubcontext(PcdProxyContext.java:147)
        at com.sapportals.portal.pcd.gl.PcdGlContext.createSubcontext(PcdGlContext.java:440)
        at com.sapportals.portal.pcd.gl.PcdGlContext.bind(PcdGlContext.java:369)
        at com.sapportals.portal.pcd.gl.PcdProxyContext.bind(PcdProxyContext.java:524)
        at com.sap.portal.pcd.rolemigration.RoleMigrationObject.createContexts(RoleMigrationObject.java:171)
        at com.sap.portal.pcd.rolemigration.RoleMigrationObject.save(RoleMigrationObject.java:5612)
        at com.sap.portal.pcd.rolemigration.RoleMigrationObject.save(RoleMigrationObject.java:5179)
        at com.sap.portal.pcd.rolemigration.RoleMigrationObject.migrate(RoleMigrationObject.java:1857)
        at com.sap.portal.pcd.rolemigration.RoleMigrationObject.migrate(RoleMigrationObject.java:782)
        at com.sap.portal.pcd.rolemigration.RoleMigrationThread.run(RoleMigrationThread.java:523)

    Hi,
    It seems you don't have the necessary rights to create content in the portal_content/com.sap.portal.migrated/SAPComponentSystems/roles/ directory.
    You should check the permissions on the Portal Content > Migrated Content > SAPComponentSystems > roles directory (right click on the folder then Open > Permissions). With the default permissions, I think you need the super_admin_role or content_admin_role to import roles in the portal.
    Regards,
    Pierre

  • CUA vs. Access Enforcer

    Can anyone explain the need for implementing both CUA and Access Enforcer?
    We are currently upgrading to ECC6.0 and implementing the GRC tools (5.2) and CUA. With the distributed access provisioning available in Access Enforcer, I am trying to determine the benefit of implementing CUA.

    Hi Patrick
    1) In this scenario the only benefit with CUA I can see is
         a) Password reset
         b) locking and unlocking the user.
    2) If you use GRC AC in the landscape, it is not at all recommended to assign roles or profiles using CUA. This can lead to high-level compliance/regulatory issues.
    3) If you are implementing a new CUA, then I would recommend going for the NW Identity Management Solution. Advantages are
        1) User provisioning for SAP and non-SAP system
        2) can be integrated with GRC for Risk analysis and remediation.
        3) Password Management also possible.
            https://www.sdn.sap.com/irj/sdn/nw-identitymanagement
    regards
    Anand.M

  • Risk Analysis Error - Access Enforcer

    Hi Experts,
    I am getting error while running risk analysis in Access Enforcer and the error is
    Risk analysis failed: Exception in getting the results from the web service : Service call exception; nested exception is: java.lang.Exception: Incorrect content-type found 'text/html'
    We are using separate RFC IDs for Access Enforcer connector and Compliance Calibrator connector.
    Please help me.
    Thanks&Regards,
    Vijay

    Reddy,
    The user must indeed be created in the UME as a Compliance Calibrator user.
    I don't know exactly which role he should be assigned, usually I indicate there my CC admin user-id and password.
    When you see it is working with that user-id, you can try to refine the roles.
    Some more info regarding what needs to be set in the URI in case the one I indicated in my previous answer is not working:
    "There are two selectable versions of Compliance Calibrator. If you select 5.0 Web Service, three additional fields appear (URI, UserName, and Password). For the URI field, you need to navigate to the SAP NetWeaver Web Application Server Home page > Web Services Navigator > CCRiskAnalysisService > WSDLs > Standard link of Document, where you will see a list of all web services in the server. Select the desired URI address. If you select Compliance Calibrator 4.0, there is no need to connect to a URI address."
    Karim
