User, Role, Profile Synchronization - Full sync job
I've scheduled this job and it's been running since feb 2. I understand that this job brings only the header data into CC tables. When I look at the CC log file.- It says Delete user XXXX from all tables. I checked the userid in the backend system it actually does not exist.
Hi Partha,
GRC RIG has created an accelerator "How to Performance Optimize SAP GRC Access Control 5.3" which provides step by step instructions to increase performance of AC 5.3.
Please find the document at the following link on SDN.
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/90aa3190-8386-2b10-c4ba-ced67322ea6d?quicklink=index&overridelayout=true
Hope this helps.
Best Regards,
Sirish Gullapalli.
Similar Messages
-
Trying to understand "User/Role/Profile Synchronization" and Batch Analysis
Hello,
Im trying to understand what exactly and from which tables these jobs are copying to which tables in CC. I have a understanding that these jobs are moving also deleted roles from backend. This is causing unnecessary delay to long lasting job.
I would appreasite if some one could explain the logic behind these jobs. What the fullsync and incremental is reading ? What kind of changes are causing a role/user/profile to be included to the full and incremental jobs?
How the incremental analysis logic is built ?
br JanneJanne,
In my current implementation we are going for an offline risk analysis due to the heteregoneus system landscape of our client (several SAP and non SAP systems and several SAP systems under 4.6C). Eventhough within our approach we don't perfrom the backend synchronization (we use CC data extractor to pull data from backend into CC) hope the following info could hel you:
The tables such jobs you mention access to, are all the SAP backend system tables related with users, roles, profiles, action and permissions. If you check the data mapping appendix of the "user and configuration guide for 5.2" you will see all the data that CC retrieves. For instance, in order to extract user info (UserID, FName, LName, Email, Phone, Email, Department) tables USR21, USR02, ADRP, ADR6 and ADCP must be accessed.
In terms of CC tables:
VIRSA_CC_SYSUSR >> UserIDs and Systems ID relationship
VIRSA_CC_GENOBJ >> User, Role and Profile master data
VIRSA_CC_GENACT >> User-action, role-action and profile-action data
VIRSA_CC_GENPRM >> User-permission, role-permission and profile-permission
VIRSA_CC_SAPOBJ >> Action-permission
VIRSA_CC_OBJTEXT >> Objects descripcions (ACT, PRM, FLD, VAL, ORG)
Hope this helps.
Regards,
Imanol -
User, Role, Profile Synchronization Job Fails
Hi Gurus,
When I am scheduling a job the User, Role, and Profile Sync. job fails giving an error
"Cannot assign a java.lang.String object of length 53 to host variable 5 which has JDBC type VARCHAR(40)."
This happens when the synchronization happens with a portal system. We dont have a ruleset for the portal system, So if I put in a "*", it includes this system and results in the error, If I manually select all other system, it works fine. Is there any way to remove this error so that I can schedule the jobs without having to select every system manually.
Regards,
ChinmayaHi,
As per my knowledge, in the Portal system, you should perform only user sync. Roles/profile sync will not work since portal will have workset roles.
Please refer SAP Note 1168120, which may help you to understand the limitations
Hope this helps!!
Rgds,
Raghu
Edited by: Raghu Boddu on Nov 4, 2010 7:39 PM -
RAR: Best strategy for users/roles/profiles synchronization
Hi all,
Assuming that:
1) we will be never interested about profiles risk analysis (just users and roles)
2) roles risk analysis will be run first and after sometime (threee weeks) we will run it for users.
and we will run batch risks analysis:
Question 1) Is it possible to synchronize just roles and do it for users just when we want to execute risk analysis for them? Or is a best practice to synchronize always for users/roles and profiles eventhough risk analysis will not be done for all three?
Question 2) If we execute just full sync and full risk analysis, users/roles or profiles deleted in backend between executions are also deleted from DB? or removal takes place only when executing incremental sync?
Many thanks in advance. Best regards,
ImanolHi Imanol,
Answer Q1: Yes, you can just select user and roles for the snych and risk analysis. Go to configuration-background jobs - shedule job. If you don't run risk analysis for profiles, you shouldn't sync and select them.
Answer Q2: Both, the Full risk analysis will alwaly update your DB. I will recommend you, to do this job in some periodic times. The incremental sync job will as well update your DB, if anything changed in the backend system. Normally your are going to run your daily or weekly jobs with this selection.
Thanks,
Martin -
Compliance Calibrator 5.2 user/role/profile sync
I have run into an issue with a user. Where the user is getting flagged as having risks associated in basis for having a combination of transactions. Under CC it is saying that she has S_Develop Auth Obj with Activity 1 and 2. However when we check the user in R3 all of her profiles and roles that have a Basis associated and have the auth object she has activity 3. So the information is not synchornizing properly.
Thanks for any helpwhen was the last time you ran a user/role/profile synchronization or a batch risk analysis for this user ?
In case you need more info, check : https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/50cd7177-5c22-2a10-8cba-8e0c64bc4ea8
Regards. -
Solution Manager 4.0 Solution Monitoring User -Roles-Profiles for Satellite
Hi All,
I have installed Solution Manager 4.0 (OS -Linux ,Database - DB2) .
Now i need to connect solution manager to the R/3 4.6C
Satellite Systems (DEV, QAS ,PRD) for Solution Monitoring
and Service level Reporting .
I have read the configuration guide , but unable to get clear idea .
1) what users (alos type of user -Dialog , Service, Communication etc) do i need create in DEV , and Test in QAS for solution Monitoring .
2) what exact roles /profiles need to be assigned to these users in satellite systems .
3) what users/roles /profiles needs to be done in SOLMAN system
i have applied all the required plug ins and support packs
in satellite systems and solman 40 ..
Please advice . Your response will be a great help for me .
SatishHello Satish,
Just clarify, if u have meant connecting the satellite systems for EWA reports to be precise. Early watch Reports. If its is the case, then repond so that i can putin my inputs which may be helpful for you in this config.
Rgds,
Sri -
Function module to modify the user roles & profiles
Hi All,
I am working on user maintenance and i need a function module to modify the user roles & profiles.
Thanks in Advance.
Phani.i used the below fms
BAPI_USER_ACTGROUPS_ASSIGN for assigning the roles.
delete the profiles of the user qnd assign the profiles to the user:
BAPI_USER_PROFILES_DELETE
BAPI_USER_PROFILES_ASSIGN
i used the above FMs for my requirement.
Regards,
Phani. -
The User profile synchronization Full , runs for 1 second successfully
Hi!
On our sharepoint 2013 farm we can run the user profile incremental synchronzation timer job without issues, it runs for about 2-3 min.
However when trying to run a Full import, we observe that the full user profile synchhronization job only runs for a second and is finished. There must be something wrong..
The user profile service and synchronzation service are up and running. The connections to Active directory are present and working (incremental synchronization works).
Have anyone experienced this?
brgs
BjornHello Bjorn,
You should not run Full incremental until anything on UPA is broken. It should be only ran in case of disaster and recovery.
Thank You, Pallav S. Srivastav ----- If this helped you resolve your issue, please mark it Answered. -
Copy user roles/profiles : Su01
Hello,
I want to copy user roles /privileges from one user to other?
how do we do this and which user can do this ? my pisuper does not seem to have authority to copy user profiles from one user to other?
ThanksTry to Copy the user(Src user to Target user) from SU01 by logging in your user. When it displays authorization error, open a new Session of SU53. It will tell you the missing authorization objects. Add those authorizations to your user & you will be able to copy Users using ur userid.
If you want to keep it simple.. Give yourselves SAP_All. You can do whatever you want.
Copying Users
http://help.sap.com/saphelp_nw04/helpdata/en/52/6711c5439b11d1896f0000e8322d00/content.htm
Regards,
Siva Maranani -
XIUSER - Service users role/profile at R/3 system
All,
Currently, we have the following scenarios
1) IDoc to XI to 3rd Party System
2) 3rd Party System to XI to R/3 RFC
3) R/3 RFC to XI to 3rd Party System
These scenarios are working using service user XIUSER with SAP_ALL, SAP_NEW access at R/3.
I would like to know the Roles needs to process the above scenarios.
Thanks,
Peterhi Peter,
>>>>2) 3rd Party System to XI to R/3 RFC
it depends what does your RFC do
if you're posting MM transaction then you'll need MM roles if SD then SD, etc
>>>>1) IDoc to XI to 3rd Party System
SAP_XI_APPL_SERV_USER <-- user role on the XI
http://help.sap.com/saphelp_nw04/helpdata/en/d4/d12940cbf2195de10000000a1550b0/content.htm
Regards,
michal -
Cannot see BEx Query in user role profile in BEx query designer
I assigned several BEx query objects into user profile menu via t-code PFCG first.
Then expected - when I need and open them in BEx query designer I could find them after clicking "Role" button in "Open" window. But unfortuantely I'm not able to do that.
Do I miss anything to archive that? Is other customizing activity else neccessary?
Thank you for any suggestion.Hi Brad.Ma,
If you can open query from Area "button", after that, you publish it to roles you want assign.
You try generate Authoriation in Role in Tcode PFCG.
Hope help you to solve the problem.
Dao
Edited by: xuandao_sap on Sep 20, 2011 3:33 AM -
How to check user role/profile
Dear all,
I'm finding function module to get a list of profile/role of user. Would you please suggest me on this?
Btw, if you have any other advise please feel free to let me know.
Thanks in advance.
PeersitI've just found the related threads on this site.
User Profile Details
Re: User Profile Details
User Wise Authorization/profile report needed
User Wise Authorization/profile report needed
Have a good day. -
VIRSA tables for users, roles and profiles sync?
Hello,
I am in a customer, implementing CC 5.2. At the first time, we tried CC 5.2 in DEV environment, and when everything was OK, we redirect RFC connectors to QA environment.
After doing user, roles and profiles sync in DEV and in QA environment too, I have 4.500 user (1.100 from DEV + 3.400 from QA) when I recover all users "*" with "user level - risk analysis" from the "Informer" tab.
It seems that "users, roles, profiles, sync" works like and "APPEND", but I did a COMPLETE syncronization not an INCREMENTAL.
If I start an analysis for QA environment, CC works properly and only analyse QA users (3.400). But I would like to clean CC tables (users, roles and profiles) in order to have a clean copy of QA in CC.
Which VIRSA tables (users, roles and profiles) I need to clean?
It is necessary to do the same with authorization and text objects? Which would be these tables?
Thanks in advance,
VictorHi all,
SAP GRC Support provides a script which allows you to remove a connector since it does delete all data link to it. Anyway, I would recommend a deep analysis of it and find out if it does what you really want to do.
Víctor, if what you want to do it is just to remove all user, role and profile master data (stored in tables VIRSA_CC_SYSUSR and VIRSA_CC_GENOBJ) you could upload a text file using data extractor functionality with the delete field set to X. Doing so user, role and profile master data will be removed from CC database.
In order to use data extraction functionlaity you connector must be of type "File Local".
Be careful about removing data directly from DB since, as Prem states, you might loose the DB consistency.
Hope it helps. Best regards,
Imanol -
GRC AC 10.1: Authorizaion Sync Job Error
Hello Everyone,
I'm currently configuring my GRC 10.1 Access Control, I have just finished my common configuration tasks and ran the initial Authorization full sync job.
and am facing the below error message.
Authorization Sync
Starting authorization sync for connector SE3CLNT302 and language EN
Error in SE3CLNT302; Reason Error in RFC; 'No RFC authorization for function m
PFCG authorization sync failed with errors
Repository Object Sync
Program for Repository Profile Syncronization
Processing for connector SE3CLNT302
Error in RFC; 'No RFC authorization for function module /GRCPI/GR'
Profile sync failed with errors
Program for Repository Role Synchronization
Processing for connector SE3CLNT302
Error in RFC; 'No RFC authorization for function module /GRCPI/GR'
Role sync failed with errors
Program for Repository User Synchronization
Processing for connector SE3CLNT302
Error in RFC; 'No RFC authorization for function module /GRCPI/GR'
User sync failed with errors
Repository Object sync job failed with errors
Please check SLG1 for further details
I have double checked my connector settings and connection setting, everything seems fine. I checked the tables GRACCONNSTAT and GRFNCONNSCNLK, the tables are populated correctly. I checked to see the RFC ID passes the authorization test and connection test and the logical systems are populated in BD54, can anyone please tell what I'm missing here and why i'm facing this error message?Hello Reddy
Kindly assign the role SAP_GRAC_ALL to the RFC user . This user can also be
assigned the profile SAP_ALL.
Best Regards,
Neeraj -
How to add profiles to critical roles & profiles table in GRC RAR
Hello,
As per Note# 1034117, it says Add "SAP_ALL" type security roles and the SAP profiles, see list below for profiles, to the Critical Roles and Critical Profiles table.
SAP_ALL All Authorizations For The SAP System
SAP_NEW All Authorizations For Newly Created Objects
S_A.ADMIN Basis Operator
How do we add the profiles, to the Critical Roles and Critical Profiles table in RAR.
Thanks,Hi,
I configured the critical roles & profiles in rule architect.
But when I schedule the background job for batch risk analysis, it is taking all the users, roles & profiles.
Is there a way to exclude users, roles & profiles? (I have already configured the excluded users, roles and profiles in exclude option), but still when I schedule the background job and say show parameter, it shows the User Range as '*'. It is not showing the excluded users.
Can you please update how to exclude the list of users, from the batch risk analysis?
Thanks,
Maybe you are looking for
-
Dvd drive making noises and spitting out dvd
I don't know what's going on but whenever I put in a dvd the dvd drive makes a lot of noise which doesn't sound good, and sometimes it spits out the dvd or shuts the dvd program down and then my computer freezes on a black screen and i have to shut d
-
Where can I get a case specifically for my MacBook Pro with Retina Display?
I really want to get a case/sleeve that really fits my MacBook Pro with Retina Display; however, everywhere I look only has cases for the regular 15" MacBook Pro. I want something that has a tight fit on my Retina. Any ideas?
-
PRICING ISSUE BADI ME_DEFINE_CALCTYPE- URGENT
Hi Guys, My requirement was to trigger new pricing on change of Delivery Date. I have to retrigger pricing only if there is any change in fields EKKO-INCO1, EKKO-INCO2, EKPO-MATNR and EKPO-ADRNR. For the same I have implemented three badi's and one p
-
Creation of table in SAPScript
Hi, I am new to SAPScripts. Could you please give me a sample code to draw a table with 5 rows and 4 columns in SAPScript
-
I want to change the security questions but my email secours is false
CAN some one help me ?!!