Use GRAC_USER_ACCES_WS to provision Business Role

I have a situation where I need to provision several hundred users across 90 business roles. I have been experimenting with FM GRAC_IDM_USR_ACCS_REQ_SERVICES (underlying FM for enterprise service GRAC_USER_ACCES_WS) to automate mass provisioning using GRC access requests. I figured out how to use the FM to provision technical roles to users but cannot get it to work for GRC Business Roles.
If the service cannot provision business roles, that would imply that an IdM would also not be able to do so. We are currently looking at IdM (non-SAP) solutions. Now I wonder if the value of business roles we are building will be diminished if an IdM is used.
Is it possible to provision business roles using the service and/or FM? If so, any details on the input values required would be much appreciated.

Hi Harinam,
Thanks for the details. I have already raised an OSS message to SAP.
I have implemented SAP note 1930923 in the GRC sandbox system and can see that the mail issue I am reporting is no longer appearing. But I have seen a new one this time.
After note implementation: (Change Account Request Type with Business Role Assignment)
Hi GRC User Demo 1 (Z_GRAC_USER1),
The Request number : 592 , has been processed and the Request is Closed. The details are as follows:
XX Business role assigned to Z_GRAC_USER1
Kind regards,
Access Control Administrator
Before and After note implementation: (Change Account Request Type with Business Role removal)
Hi GRC User Demo 1 (Z_GRAC_USER9),
The Request number : 593 , has been processed and the Request is Closed. The details are as follows:
YY Role removed from Z_GRAC_USER9 ( )
Kind regards,
Access Control Administrator
Now the issue during role assignment is resolved, but during role removal the mail notification says the role has been removed from the user and ends with empty brackets ().
For single roles, these brackets are usually filled with the system name. Maybe for business roles, since there will not be any specific system, it is coming up empty, but I think SAP should fix this.
Let me know if you are also facing the same.
Since you confirmed that you are using business roles, let me know any critical issues which you came across as part of SP13, as we are also on SP13 and it could be helpful.
Thanks once again for taking your time in replying for my issue.
Regards,
Sai.

Similar Messages

  • Outbound E-Mail templates in a non-IC_AGENT Business Role

    Hi,
    Does anybody have experience of using outbound email templates in the CRM 2007 Web UI?  Specifically with a non-IC_AGENT Business Role as the email editor in the Web UI is different to the IC_AGENT Business Role email editor.  I am using a standard Grantor Business Role (CRMGRMPRGMAN) and therefore cannot select mailforms in the "Std Response" field used in the email editor of the IC_AGENT Business Role. 
    I have seen that when I create an Activity of type 'Outgoing E-Mail' that there is a "Default Text" field in email editor.  Is this where I would select an email template?  Can you please enlighten me as to how to create the templates and make them available in the email editor of an non-IC_AGENT Business Role?
    Many thanks,
    Onkar.

    Hello Onkar,
    (a) Email Editor in IC_AGENT has more advanced features compared to Email Create in NON IC_AGENT Business Role. One of the features being the Standard Response Group. Basically, Standard Response Group is grouping of Commonly used Standard Responses and assigning it to the Email Profile.
    However, in case of NON IC_AGENT Business Roles, there is no such provision of associating an Email profile and thus there is no provision to associate a standard response group.
    (b) With respect to Draft mails, please refer the note 1251719. As mentioned in the note, draft mails are not yet supported in these Roles.
    Hope this clarifies your queries.
    Thanks and Best Regards,
    Varsha

  • Business Roles configuration for ARM

    Hi Gurus,
    We have implemented ARM piece of AC but now we have a requirement to map our security technical roles to business roles. Can we create and use business roles without using BRM ?
    Example: Create/maintain single roles in backend (ECC/BW etc) and import in GRC then map single roles to Business roles for requestors to select.
    Regards,
    Salman

    Yes Salman,
    You can use BRM to create business roles to group roles as per your requirement. You need to confirm the check box for connection group as Business, as below:
    As you mentioned, I assume you have defined the Methodology Processes and Steps for role maintenance then under NWBC, you would be able to see role type as Business.
    Hope you completed the action for: Deactivate Role Types
    Let us know if you need more info on this or for any issues.
    Regards,
    Ameet

  • Business Roles Provisioning - Issue

    Hi All,
    We are on GRC SP13.
    We are using business roles for provisioning.
    When I select "CHANGE ACCOUNT" request type and request for business roles through GRC, roles are being assigned to UserID and everything is working fine.
    Issue is with the notification mail user is getting after provisioning. My notification email has details as shown below.
    Hi Padmavathi Sai,
    The Request number : 453 , has been processed and the Request is Closed. The details are as follows:
    PREDDY User created in XXXXXXX
    XXXXXXXXX Business role assigned to PREDDY
    Kind regards,
    Access Control Administrator
    PREDDY UserID is already available in the target system and the user selected the change account request type, but the notification email says that the user is created.
    Anyone came across this issue?
    Regards,
    Sai.

    Hi Colleen,
    I am using the standard notification template GRAC_AR_CLOSE.
    Hi %FIRST_NAME% %LAST_NAME% (%USER_ID%),
    The Request number : %REQNO% , has been processed and the Request is
    Closed. The details are as follows:
    %PROVISIONING%
    Kind regards,
    Access Control Administrator
    %PROVISIONING% variable shows mail notification as I have mentioned above
    Can you help me with this?
    Regards,
    Sai.

  • Using fact sheet 'BP_ACCOUNT_FS' in IC business roles

    Hi experts!
    I have a requirement to customize the fact sheet in IC business role, where the 'ICCMP_AFS' fact sheet always opens. But I need all the assignment blocks and information that is in 'BP_ACCOUNT_FS' fact sheet.
    So, is there any way to make that in IC Business Roles there was fact sheet 'BP_ACCOUNT_FS' but not 'ICCMP_AFS'?
    This question is extremely important for me.
    Thanks in advance,
    Andrew.

    Hi, Chimalwar!
    What I've done:
    1. Defined logical link 'ZIC_AFS' in transaction CRMC_UI_NBLINKS, by copying it from standard 'IC_AFS'. I only changed the parameter and put it 'BP_ACCOUNT_FS'.
    2. Define Profile (chose the profile I need) -> Define Generic OP Mapping
    Chose my navigation bar profile and made the following customizing:
    Object type: FACTSHEET
    Obj.Action: B Display
    Use target: nothing checked
    Target Id: nothing selected
    Use Link: checked
    LogLink ID: ZIC_AFS
    3. Transaction 'BSP_WD_CMPWB', Component: BSP_DLC_FS -> Component structure browser -> Views -> BSP_DLC_FS/factsheet. I've created my own configuration, copying it from standard 'BP_ACCOUNT_FS':
    Config key: my own, for my business role
    Component usage: <DEFAULT>
    Object Type: 'BP_ACCOUNT_FS'
    Object Subtype: <DEFAULT>
    After confirming Business Partner I can see the fact sheet I defined.
    But my task was to see the fact sheet of the business partner when I select it in a call list, before I confirm it. And there was ABAP.
    Regards,
    Andrew.

  • Business Role changes not being provisioned

    Guys (and girls),
    We're having the issue that whenever we change something to a business role in IdM 7.1 SP5, like adding or removing a technical role (SAP role) the change isn't provisioned to the system automatically resulting in users not being updated.
    The workaround now is to change a business role and then remove it from a user and add it to that user again. Works ok when you're dealing with only a few users but I'm not looking forward to the day our basic role needs updating.
    Same thing goes for changing users telephone number or SNC name or the likes.
    I'm not sure if the two issues are related but am I missing an assignment of a task somewhere?
    Cheers,
    Jonathan

    Jonathan,
    I think so, but a pretty simple one to fix.
    I would do one of two things:
    1. Put a MODIFY task on MXREF_MX_ROLE or whatever attribute you're holding roles in.  Have this task do a role reconciliation.
    2. As a part of the workflow, have a role reconciliation execute.
    On the whole, I prefer the second option.  Don't like adding baggage onto the MXREF attributes.  Just keeps things running more efficiently.
    By role reconciliation, I mean executing the functions/tasks needed to reassert the roles on the user.  I think there's a built in scripting function to do this or you can automate the add/remove functionality you described in your message, holding the role MSKEYs in a temporary attribute.
    Matt

  • How to get Currently used Business Role

    Hi Experts,
    I need to get the business role currently being used by the user (i.e. SALESPRO). I've come across the method calls
      Data: lr_ui_profile type ref to IF_CRM_UI_PROFILE,
            lv_profile    TYPE CRMT_IC_CONFIGPROF.
      lr_ui_profile = cl_crm_ui_profile=>get_instance( ).
      lv_profile = lr_ui_profile->get_profile( ).
    and so I tried it on an ABAP report being called from the WebUI via Transaction Launcher. However in my case after executing the method LV_PROFILE doesn't yield a value (but SY-SUBRC was 0).  Can anyone kindly provide a reason behind this? Or are there any other ways to retrieve the current login business role of the user?
    Regards,
    Marc
    Edited by: imdiko24 on Nov 12, 2010 8:51 AM

    Hi Marc,
    Please try once, exactly as I said in my earlier reply.
    Assign any business role, e.g. "SALESPRO", in SU3 to parameter CRM_UI_PROFILE and test with the following code to see if lv_value holds the business role:
      DATA: lv_value TYPE tpara-partext.
      GET PARAMETER ID 'CRM_UI_PROFILE' FIELD lv_value.
    lv_value will hold the current business role..If you get correct business role in lv_value, that means you have not assigned business role correctly in the org model.
    Cheers,
    Sumit Mittal

  • Is it possible to get into the IC using the SALESPRO business role?

    Is it possible to get into the Interaction centre when using the SALESPRO business role?
    If so, how is this done?
    I know using specific IC* business roles, like IC_AGENT, you are thrown straight into the IC, but I can't see how you can get into it via the SALESPRO business role, which I assume you should be able to do.
    Jason

    Please check
    Using Kerberos Authentication on SAP NetWeaver AS Java - User Authentication and Single Sign-On - SAP Library (NW7.3)
    Using Kerberos Authentication for Single Sign-On - User Authentication and Single Sign-On - SAP Library (NW7.0)

  • Assigning Business Roles - No such task exists

    I am trying to create a user ID and assign a Business Role in the process.  The attribute that I am using is MXREF_MX_ROLE.  It is defined as a multivalue system attribute with a data type of entry reference and the reference type in MX_ROLE.
    From my workflow task, I can select the role from the selection window but when I click OK to save to the identity store, I get an error "You have tampered with the params".  From the Monitor UI, I see the message "Failed setting value for attribute Member of Role.  No such task exists"
    I have a Modify User task that uses the same attribute.  When I attempt to use it, I get the "Failed setting value for attribute Member of Role.  No such task exists".  But I do not get the "you have tampered with the params" message.
    I am only trying to set this in the identity store right now.  I am not yet ready to provision to my ABAP system.
    Any assistance is appreciated.

    Hi Lori,
    in case you have linked privileges to your role, SAP NW IdM searches for tasks in the related repository (as stated in the attribute MX_REPOSITORYNAME of your privileges). Type in the ID of some test tasks in the repository constants MX_DEPROVISIONTASK, MX_PROVISIONTASK and MX_MODIFYTASK and see if it works.
    Otherwise, there could be a missing relation the other way round from the role to the user. See if there is a MXMEMBER_MX_PERSON attribute in your role.
    Best regards,
    Nils

  • Business roles in GRC  AC

    Hello,
    Is it possible in SAP GRC AC to create so-called business roles like in SAP IdM. This roles are not assigned to any backend system but derive backend system roles. The aim is to create set of roles that consist of roles in different backend systems.
    As I understand role mapping can't fully implement this functionality, because main role is assigned to backend system.
    Thanks,
    Yakov
    Edited by: Yakov Silin on Feb 24, 2010 7:00 AM

    Hi Yakov,
    I was wondering if this is your dilemma.  We want to use this role mapping feature for the purposes of adding an Enterprise Portal role for every ABAP role that gets approved for the user in an ABAP component system (i.e. ECC, BW, CRM etc). We will have a 1:1 mapping of Enterprise Portal role to ABAP role defined in the role mapping section in GRC.
    - We want to set up the workflow in such a way that the main role (ABAP role) is the only role that needs to be approved. The dependent role (Enterprise Portal role) should be added or not added based on the approval or denial of the main role (ABAP role). In other words if the role owner for the abap role approves the abap role, then both the abap and EP role will be provisioned by GRC and if the role owner rejects/denies the role, then neither the abap or EP role will be provisioned by GRC.
    Is this similar to the challenge you are facing?

  • SAP Technical roles and IDM Business roles mapping

    Hi Guys
    Just wondering if there is an easy way to export SAP Positions and create them automatically as Business Roles in IDM and the SAP technical roles that are related to that corresponding position into privileges assigned to that Business Role. Or am I going about this the wrong way? What do you normally do in terms of getting all your sap technical roles from the sap system and assigning them to business roles in IDM. Any help on this is much appreciated?
    Cheers
    Leo

    Thanks Matt,
    I think I get the picture now.
    One thing that I am still not sure about is how the sap abap technical roles or profiles are provisioned through workflow.
    Here is what I've done so far:
    1. HCM data loaded into productive identity store via vds
    2. Did an initial load of the abap system into the productive identity store (now the technical roles and profiles are loaded as privileges in the idstore)
    3. Through workflow I select a user that already has an abap account and assign that user some additional sap technical roles, for e.g. sap_all and sap_new. The corresponding privileges for these roles are namely PRIV:PROFILE:ECX:SAP_ALL and PRIV:PROFILE:ECX:SAP_NEW .
    4. For the provisioning to occur so that these new privileges are reflected in the ABAP system for this user, I have used the setABAPRole&ProfileForUser task from sap provisioning framework folder and set it as the add/mod/del  event task for the MXREF_MX_PRIVILEGE attribute. That way whenever a privilege is added to a user account the setABAPRole&ProfileForUser task will run and the sap_all and sap_new profiles will be added in the backend. This way I can avoid setting a provisioning task for each abap privilege that gets loaded.
    But it should be obvious now that there is a flaw with this kind of setup, because all non abap privileges that get added or removed will trigger the setABAPRole&ProfileForUser task anyway because the privileges use the same attribute, i.e. MXREF_MX_PRIVILEGE. So it brings me to the question: how do you provision abap technical roles or profiles through workflow without setting a provisioning task for each abap related privilege?
    Thanks again for all your help!
    Leo
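
The dispatch question in the post above, as an added example (not code from the thread or from SAP IdM): a plain JavaScript filter that a single event task on MXREF_MX_PRIVILEGE could consult so that only ABAP role/profile privileges reach the ABAP task. The function names, the ECX-only repository set, the ROLE type, the review list and every sample name other than the two quoted in the post are assumptions of this example.

```javascript
// Added example: decide per privilege whether the ABAP provisioning task should run.
// The name layout PRIV:<TYPE>:<REPOSITORY>:<NAME> is inferred from the two names
// in the post (PRIV:PROFILE:ECX:SAP_ALL, PRIV:PROFILE:ECX:SAP_NEW).

// Assumptions of this example, not SAP IdM settings:
const ABAP_REPOSITORIES = new Set(["ECX"]);           // repository seen in the post
const ABAP_TYPES = new Set(["ROLE", "PROFILE"]);      // ROLE assumed by analogy with PROFILE
const REVIEW_FIRST = new Set(["SAP_ALL", "SAP_NEW"]); // broad profiles named in the post

// Split a privilege name into its parts; return null when it does not match the layout.
function parsePrivilege(raw) {
  const parts = String(raw).trim().split(":");
  if (parts.length < 4 || parts[0] !== "PRIV") return null;
  const type = parts[1].toUpperCase();
  const repository = parts[2].toUpperCase();
  const name = parts.slice(3).join(":"); // keep any ':' inside the technical name
  if (!type || !repository || !name) return null;
  return { type, repository, name };
}

// Route one add/mod/del event: provision, hold for review, or skip the ABAP task.
function routePrivilegeEvent(raw) {
  const p = parsePrivilege(raw);
  if (p === null) {
    return { privilege: raw, action: "skip", reason: "unrecognised name" };
  }
  if (!ABAP_REPOSITORIES.has(p.repository)) {
    return { privilege: raw, action: "skip", reason: "non-ABAP repository" };
  }
  if (!ABAP_TYPES.has(p.type)) {
    return { privilege: raw, action: "skip", reason: "not a role or profile" };
  }
  if (p.type === "PROFILE" && REVIEW_FIRST.has(p.name.toUpperCase())) {
    return { privilege: raw, action: "review", reason: "broad profile" };
  }
  return { privilege: raw, action: "provision", reason: "ABAP " + p.type.toLowerCase() };
}

// Group a batch of changed privileges by the action chosen for each.
function planEvents(names) {
  const plan = { provision: [], review: [], skip: [] };
  for (const n of names) {
    const r = routePrivilegeEvent(n);
    plan[r.action].push(r.privilege);
  }
  return plan;
}

// Constructed sample events; only the first two names appear in the post.
const SAMPLE_EVENTS = [
  "PRIV:PROFILE:ECX:SAP_ALL",
  "PRIV:PROFILE:ECX:SAP_NEW",
  "PRIV:ROLE:ECX:Z_DISPLAY_ONLY", // constructed ABAP role
  "PRIV:GROUP:ADX:Finance",       // constructed non-ABAP privilege
  "PRIV:ECX:ONLY",                // constructed name with too few parts
  "MX_SELFSERVICE",               // constructed name without the PRIV prefix
];

console.log(planEvents(SAMPLE_EVENTS));
```

Only the constructed ABAP role reaches the provisioning list; the two broad profiles are held for review and the three remaining names never trigger the ABAP task.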

  • GRC 10 - Business role, no role owner but associated role have owner....

    Dear All,
    In GRC 5.3 we perform the following mapping:
    Business Role A mapped with (no owner)
    - Technical Role 1 (from ECC with Owner1)
    - Technical Role 2 (from CRM with Owner2)
    - Technical Role 3 (from HR with Owner3)
    In GRC 5.3 we have a business role mapped with multiple child roles (technical roles) from other systems.
    GRC 5.3 request is able to close and provisioned as it can see owners from child role.
    Now in GRC 10, we did the same. Create a business role, then mapped the child role (technical role). Unfortunately, when manager approves the workflow reroute to "NO OWNER DETOUR PATH" because it cannot see the technical role owner.
    Seems like GRC 10 is only looking at business role owner. We are unable to add Owner1, Owner2, Owner3 to the business role because when one of the owner approves, it will provision all the technical roles. We might have owners who will reject their role.
    Please advise.
    Jacky

    Hi Mustafa,
    you can use end user personalization to avoid a role owner to approve roles for himself. Define a dedicated EUP for role owner stage and restrict via "Approve/Reject Own Requests" like shown below:
    Does this answer your question?
    Regards,
    Alessandro

  • Business Role replication from HR

    Hi there,
    We have recently implemented CRM 2007 and activated the interface with HR (SAP Enterprise 4.7).
    In CRM the Business Role is an infotype that is maintained at the position level and that must be present in order for a user to be able to use the new CRM WebClient interface.
    As the data for the CRM Org Structure is derived from HR, we are looking to maintain the Business Roles centrally in our source system (HR) for each position.
    Do you know if there is any provision in the Standard SAP System for doing that?
    If not, is there any guide I can follow to enhance the HR-CRM ALE Interface to transfer over a custom infotype from HR and get it assigned to infotype 1263 (Business Role) in CRM?
    Thanks in advance
    Manuel

    Hi John,
    HR replication from R/3 to SRM is carried out by following these steps:
    1.) setting up the distribution model in SRM and R/3 for message type HRMD_ABA. You can set up  number of filters in this message type, where you define HR infotypes, subtypes, object type and so on.
    2.) Once you set up the distribution model, distribute the model.
    3.) Report RHALEINI is used to replicate the distribution model from R/3 to SRM in the insert mode. (You can also use transaction code PFAL).
    4.) Ongoing replication if performed in the update mode from R/3 to SRM will cause problems of users being broken in sporadic cases. It is advisable to use change pointers from BD14 to perform the ongoing replication.
    There is SAP documentation of EBP transports which explains the replication in detail. Hope this information helps.
    Please assign points for useful answers !!
    Sundeep

  • GRC 10 BRM - Approve Single Role assignment in Business Roles

    Hello,
    I want to set up a workflow where any Single Role assigned to a Business Role requires an approval of the Single Role Owner.
    The thing is that my customer doesn't have a Security Administrator, so what they want is that each Single Role Owner could be aware when their roles are assigned to a Business Role, especially when the Business Role Owner is another person.
    Once the Business Role is created, the provisioning would be in charge of Business Role Owners.
    Do you know any way to configure this?
    Thanks,
    Fernando

    Hi Claudio - thanks for breaking it down
    @ Fernando - for the Role Approval Methodology you need to split your approval out to be based on request type. Claudio has shown this up above already. In continuing his example, where the business role goes to path C - you would then have Path C do a line by line approval based on the single role owners
    By using this role approval methodology your single role approvers are indirectly allowing  any user who are approved the business role via an access request and that request is approved by business role owner (which is role owner).
    As mentioned - you are using two different workflow process ids
    Role Build - using BRM to approve the single roles being part of the business role
    Access Assignment - approving the user to receive the business role which includes the single roles
    Regards
    Colleen

  • Business Roles - Risk analysis

    Hi All,
    We are on GRC SP13.
    We are using business roles for provisioning to end users.
    When role owner is performing risk analysis for business roles, results are proper according to defined ruleset only if "SYSTEM" field is empty.
    If system is selected, then results shows that "NO VIOLATIONS".
    Is this the standard behaviour for risk analysis of business roles or am I missing anything?
    Looking for your advice on this.
    Regards,
    Sai.

    Hi Jaya,
    Yes I remember this is possible. You can setup a customize attribute in GRC privileges. And put the business role name into this attribute.
    Try this URL, but perhaps your GRC consultant should read it instead of you.
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0e2c628-2690-2e10-0d82-dbf1931db2cd?QuickLink=index&overridelayout=true&51565377381172
    After creating the attribute, you need to revise the GRC framework to include this attribute (business role name) in your request.
    I don't have a working IDM system (with GRC integration) with me. I could not provide you more details.
    Cheers,
    Chenyang Xiong
