on 03-08-2010 8:43 PM
Hello Experts,
I have a question.
Can I create a UME user (and add UME roles) through a CUP request as we can do for a SAP user?
Just note what I mean by the UME user is a GRC user whoever operates GRC (could be a security admin, approver, role owner, etc).
Thanks,
HM
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thank you, Alpesh. Here they are.
2010-03-19 06:03:53,885 [SAPEngine_Application_Thread[impl:3]_33] ERROR Error occurred while importing roles.
com.virsa.ae.configuration.ConfigurationException: java.rmi.RemoteException: Service call exception; nested exception is:
com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"http://10.25.125.24:50000/SAPGRC_AC_IDM_SEARCHROLES/Config1?wsdl&style=document"
at com.virsa.ae.configuration.bo.ImportRolesBO.importFromSystem(ImportRolesBO.java:131)
at com.virsa.ae.configuration.actions.ImportRolesAction.importRoles(ImportRolesAction.java:197)
at com.virsa.ae.configuration.actions.ImportRolesAction.execute(ImportRolesAction.java:61)
at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
Caused by: com.virsa.ae.configuration.ConfigurationException: java.rmi.RemoteException: Service call exception; nested exception is:
com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"http://10.25.125.24:50000/SAPGRC_AC_IDM_SEARCHROLES/Config1?wsdl&style=document"
at com.virsa.ae.configuration.bo.ImportRolesBO.importFromWSSystem(ImportRolesBO.java:280)
at com.virsa.ae.configuration.bo.ImportRolesBO.importFromSystem(ImportRolesBO.java:124)
... 19 more
Caused by: com.virsa.ae.service.ServiceException: java.rmi.RemoteException: Service call exception; nested exception is:
com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"http://10.25.125.24:50000/SAPGRC_AC_IDM_SEARCHROLES/Config1?wsdl&style=document"
at com.virsa.ae.service.ws.RoleProfileWSDAO.getRoleProfs(RoleProfileWSDAO.java:397)
at com.virsa.ae.configuration.bo.ImportRolesBO.importFromWSSystem(ImportRolesBO.java:274)
... 20 more
Caused by: java.rmi.RemoteException: Service call exception; nested exception is:
com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"http://10.25.125.24:50000/SAPGRC_AC_IDM_SEARCHROLES/Config1?wsdl&style=document"
at com.sap.grc.ae.service.wsclient.userrolesearch.Config1BindingStub.getRolesWithDetails(Config1BindingStub.java:467)
at com.sap.grc.ae.service.wsclient.userrolesearch.Config1BindingStub.getRolesWithDetails(Config1BindingStub.java:478)
at com.virsa.ae.service.ws.RoleProfileWSDAO.getRoleProfs(RoleProfileWSDAO.java:317)
... 21 more
Caused by: com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"http://10.25.125.24:50000/SAPGRC_AC_IDM_SEARCHROLES/Config1?wsdl&style=document"
at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.handleResponseMessage(MimeHttpBinding.java:998)
at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.call(MimeHttpBinding.java:1449)
at com.sap.grc.ae.service.wsclient.userrolesearch.Config1BindingStub.getRolesWithDetails(Config1BindingStub.java:460)
... 23 more
2010-03-19 06:03:53,887 [SAPEngine_Application_Thread[impl:3]_33] INFO MessagingHelper.java@127:addMessage() : @@@Adding msgValue: Code: 0101; Locale: en
2010-03-19 06:03:53,888 [SAPEngine_Application_Thread[impl:3]_33] INFO MessagingHelper.java@137:addMessage() : @@@Creating new message list
2010-03-19 06:03:53,888 [SAPEngine_Application_Thread[impl:3]_33] INFO MessagingHelper.java@147:addMessage() : Adding msg to msglist
2010-03-19 06:03:53,889 [SAPEngine_Application_Thread[impl:3]_33] DEBUG NavigationEngine.java@296:execute() : Target returned by execute action: failure
2010-03-19 06:03:53,889 [SAPEngine_Application_Thread[impl:3]_33] DEBUG AEFrameworkServlet.java@458:service() : forwarding to:/import_roles.jsp
2010-03-19 06:03:53,893 [SAPEngine_Application_Thread[impl:3]_33] DEBUG PopupCalendarTag.java@180:doStartTag() : Date Format in PopUpCalendar Java :- M/d/yyyy
2010-03-19 06:03:53,894 [SAPEngine_Application_Thread[impl:3]_33] DEBUG jsp_AECalendar_Locale1268836122552.java@97:_jspService() : Date Format in AECalendar.jsp :-M/D/YYYY
2010-03-19 06:03:56,080 [Thread-86] DEBUG CacheManager.java@138:refreshCache() : INTO the method :
I am not sure why the logs are referencing the WS URL for GRC AC IDM. Have you configured this URL in your UME connector?
http://10.25.125.24:50000/SAPGRC_AC_IDM_SEARCHROLES/Config1?wsdl&style=document
The URI to should be http://<server>:<port>/UserRoleSearchForAEService_5_3/Config1?wsdl&style=document
Check out Page 98 (Section titled 'Defining Connectors for SAP Enterprise Portal') from the AC 5.3 latest config gudie.
Alpesh
Alpesh,
Thanks!
Now I can get "Existing Roles/Groups" for an already excising UME user in a CUP request form.
However, I cannot get (search) all the available UME roles with an error message "No Records Found". Wired.
Here I have additional information in the connectors. If you can, please assist me.
ROLE_DATA_SOURCE = ROLE.PCD_ROLE_PERSISTENCE.
USER_DATA_SOURCE = USER.PRIVATE_DATASOURCE.un:
Have a look at this document, it has detaied documentation on what you need to configure to provision portal roles:
[http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/502a14db-6261-2c10-22b5-95117ab0e5ed|http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/502a14db-6261-2c10-22b5-95117ab0e5ed]
You might need to have Portal components deployed (no need to actually use the portal) in order for the SPML service to be available.
Frank.
Frank and Alpesh,
Thanks!
Now, I can see and select UME roles in a CUP request---What I had to do was to give each UME role a business process attribute to get them on a CUP request.
I have another problem though...Please give me some advice.
My problem:
When I try to create a CUP request for a new user with only UME roles to be assigned, CUP workflow cannot be triggered. An error message "Error creating request" comes out when I hit a submit button.
What I can do and cannot do:
(1) I have no problem submitting and provisioning a CUP request for a new user with ECC roles.
(2) Also, I have no problem submitting and provisioning a CUP request for a new user with both ECC and UME roles.
(3) The thing that I cannot do is submitting and provision a CUP request for a new user with UME roles only.
Do you have any clue? Please help me!
HM
Alpesh,
Thank you for your response. I always appreciate it.
I have realized that currently I don't have risk analysis setup, so when I try to approve a request with UME role assignment only, I get a message u201CRisk analysis failed: EXCEPTION_FROM_THE_SERVICEInvalid Systemu201D.
As our premise, we want risk analysis mandatory at each approval stage. When I released this restriction, UME provisioning worked.
I come to the conclusion that this should be the cause of my problem.
I am trying to set up a RAR connection to UME (portal). Do you have any good document that can assist my connection setup?
Thanks,
HM
Frank is correct. Everything should be in the document Frank mentioned. Also, it makes sense as if you are trying to run risk analysis, if the system does not exist in RAR, CUP will error out. Just create a connector in RAR with exact same name is CUP and you would not see that error.
Regards,
Alpesh
OK. Everything looks good. Now, I can provision UME users through CUP no problem.
The problem was I didn't have a UME connection in RAR-- CUP kept giving me an error message since CUP, as Alpesh said, could not find a target system (UME).
All I did for this part of problem was creating a UME connection in RAR and nothing else.
Alpesh & Frank, thank you very much for you help!
HM
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.