Yes, you definitely can. Check the URL mentioned by Ankur.

Alpesh

OK, Thanks. I will start loading UME roles to ERM and try creating a CUP request to see if a UME user can be created and auto-provisioned in UME as a CUP approver.

Alpesh or anyone,

As a first step, I thought I needed to upload UME roles to CUP, but I am unable to do this (Action Failed). What does it seem to be a problem? Just note that I am bypassing the role import step in ERM.

HM

Can you paste the error logs here?

Alpesh

Thank you, Alpesh. Here they are.

2010-03-19 06:03:53,885 [SAPEngine_Application_Thread[impl:3]_33] ERROR Error occurred while importing roles.

com.virsa.ae.configuration.ConfigurationException: java.rmi.RemoteException: Service call exception; nested exception is:

com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"http://10.25.125.24:50000/SAPGRC_AC_IDM_SEARCHROLES/Config1?wsdl&style=document"

at com.virsa.ae.configuration.bo.ImportRolesBO.importFromSystem(ImportRolesBO.java:131)

at com.virsa.ae.configuration.actions.ImportRolesAction.importRoles(ImportRolesAction.java:197)

at com.virsa.ae.configuration.actions.ImportRolesAction.execute(ImportRolesAction.java:61)

at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)

at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)

at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)

at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)

at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)

at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)

at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)

at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)

at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)

at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)

at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)

at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)

at java.security.AccessController.doPrivileged(Native Method)

at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)

at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)

Caused by: com.virsa.ae.configuration.ConfigurationException: java.rmi.RemoteException: Service call exception; nested exception is:

com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"http://10.25.125.24:50000/SAPGRC_AC_IDM_SEARCHROLES/Config1?wsdl&style=document"

at com.virsa.ae.configuration.bo.ImportRolesBO.importFromWSSystem(ImportRolesBO.java:280)

at com.virsa.ae.configuration.bo.ImportRolesBO.importFromSystem(ImportRolesBO.java:124)

... 19 more

Caused by: com.virsa.ae.service.ServiceException: java.rmi.RemoteException: Service call exception; nested exception is:

com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"http://10.25.125.24:50000/SAPGRC_AC_IDM_SEARCHROLES/Config1?wsdl&style=document"

at com.virsa.ae.service.ws.RoleProfileWSDAO.getRoleProfs(RoleProfileWSDAO.java:397)

at com.virsa.ae.configuration.bo.ImportRolesBO.importFromWSSystem(ImportRolesBO.java:274)

... 20 more

Caused by: java.rmi.RemoteException: Service call exception; nested exception is:

com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"http://10.25.125.24:50000/SAPGRC_AC_IDM_SEARCHROLES/Config1?wsdl&style=document"

at com.sap.grc.ae.service.wsclient.userrolesearch.Config1BindingStub.getRolesWithDetails(Config1BindingStub.java:467)

at com.sap.grc.ae.service.wsclient.userrolesearch.Config1BindingStub.getRolesWithDetails(Config1BindingStub.java:478)

at com.virsa.ae.service.ws.RoleProfileWSDAO.getRoleProfs(RoleProfileWSDAO.java:317)

... 21 more

Caused by: com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"http://10.25.125.24:50000/SAPGRC_AC_IDM_SEARCHROLES/Config1?wsdl&style=document"

at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.handleResponseMessage(MimeHttpBinding.java:998)

at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.call(MimeHttpBinding.java:1449)

at com.sap.grc.ae.service.wsclient.userrolesearch.Config1BindingStub.getRolesWithDetails(Config1BindingStub.java:460)

... 23 more

2010-03-19 06:03:53,887 [SAPEngine_Application_Thread[impl:3]_33] INFO MessagingHelper.java@127:addMessage() : @@@Adding msgValue: Code: 0101; Locale: en

2010-03-19 06:03:53,888 [SAPEngine_Application_Thread[impl:3]_33] INFO MessagingHelper.java@137:addMessage() : @@@Creating new message list

2010-03-19 06:03:53,888 [SAPEngine_Application_Thread[impl:3]_33] INFO MessagingHelper.java@147:addMessage() : Adding msg to msglist

2010-03-19 06:03:53,889 [SAPEngine_Application_Thread[impl:3]_33] DEBUG NavigationEngine.java@296:execute() : Target returned by execute action: failure

2010-03-19 06:03:53,889 [SAPEngine_Application_Thread[impl:3]_33] DEBUG AEFrameworkServlet.java@458:service() : forwarding to:/import_roles.jsp

2010-03-19 06:03:53,893 [SAPEngine_Application_Thread[impl:3]_33] DEBUG PopupCalendarTag.java@180:doStartTag() : Date Format in PopUpCalendar Java :- M/d/yyyy

2010-03-19 06:03:53,894 [SAPEngine_Application_Thread[impl:3]_33] DEBUG jsp_AECalendar_Locale1268836122552.java@97:_jspService() : Date Format in AECalendar.jsp :-M/D/YYYY

2010-03-19 06:03:56,080 [Thread-86] DEBUG CacheManager.java@138:refreshCache() : INTO the method :

I am not sure why the logs are referencing the WS URL for GRC AC IDM. Have you configured this URL in your UME connector?

http://10.25.125.24:50000/SAPGRC_AC_IDM_SEARCHROLES/Config1?wsdl&style=document

The URI to should be http://<server>:<port>/UserRoleSearchForAEService_5_3/Config1?wsdl&style=document

Check out Page 98 (Section titled 'Defining Connectors for SAP Enterprise Portal') from the AC 5.3 latest config gudie.

Alpesh

Alpesh,

Thanks!

Now I can get "Existing Roles/Groups" for an already excising UME user in a CUP request form.

However, I cannot get (search) all the available UME roles with an error message "No Records Found". Wired.

Here I have additional information in the connectors. If you can, please assist me.

ROLE_DATA_SOURCE = ROLE.PCD_ROLE_PERSISTENCE.

USER_DATA_SOURCE = USER.PRIVATE_DATASOURCE.un:

Frank and Alpesh,

Thanks!

Now, I can see and select UME roles in a CUP request---What I had to do was to give each UME role a business process attribute to get them on a CUP request.

I have another problem though...Please give me some advice.

My problem:

When I try to create a CUP request for a new user with only UME roles to be assigned, CUP workflow cannot be triggered. An error message "Error creating request" comes out when I hit a submit button.

What I can do and cannot do:

(1) I have no problem submitting and provisioning a CUP request for a new user with ECC roles.

(2) Also, I have no problem submitting and provisioning a CUP request for a new user with both ECC and UME roles.

(3) The thing that I cannot do is submitting and provision a CUP request for a new user with UME roles only.

Do you have any clue? Please help me!

HM

Check your initiator settings. Either it system or role based so it is not able to find an relationship between UME or UME roles.

Alpesh

Alpesh,

My current initiator settings for creating a new user are:

-

Condition = AND

Attribute = Request Type

Value = New Account

-

Currently, I don't have any application attributes set up.

I will try some combinations to get the workflow going.

HM

Paste the logs here when you receive the error in creating request.

Alpesh

Alpesh,

Thank you for your response. I always appreciate it.

I have realized that currently I don't have risk analysis setup, so when I try to approve a request with UME role assignment only, I get a message u201CRisk analysis failed: EXCEPTION_FROM_THE_SERVICEInvalid Systemu201D.

As our premise, we want risk analysis mandatory at each approval stage. When I released this restriction, UME provisioning worked.

I come to the conclusion that this should be the cause of my problem.

I am trying to set up a RAR connection to UME (portal). Do you have any good document that can assist my connection setup?

Thanks,

HM

Frank is correct. Everything should be in the document Frank mentioned. Also, it makes sense as if you are trying to run risk analysis, if the system does not exist in RAR, CUP will error out. Just create a connector in RAR with exact same name is CUP and you would not see that error.

Regards,

Alpesh

Frank, you're right. I will look into the linked document, and there shouldn't be much difficulty in setting up a connection. Thanks.

Alpesh, I will try thatu2014should solve my problem. I will let you guys know the outcome. Thank you!

HM

OK. Everything looks good. Now, I can provision UME users through CUP no problem.

The problem was I didn't have a UME connection in RAR-- CUP kept giving me an error message since CUP, as Alpesh said, could not find a target system (UME).

All I did for this part of problem was creating a UME connection in RAR and nothing else.

Alpesh & Frank, thank you very much for you help!

HM