on 04-08-2010 7:20 PM
I am in the process of configuring the CUP 5.3 module within our ECC and SRM environments. I believe the path and associated stages are established properly. I have tested the auto provisioning functionality within both SRM and ECC. As it relates to SRM, the auto provisioning functionality works without a hitch. However, when I attempt to auto provision a user into our ECC environment, I receive the following error:
Auto provisioned for request on 04/07/2010 13:41
New User: T00522 created on 04/07/2010 13:42 in System(s): DR4-300.
User attributes changed for User : T00522 in System(s) :DR4-300.
Role Provisioning failed for System(s) : DR4-300. Error Message : 260:User master comparison incomplete; see long text
Speaking with our security team, the only time they have seen this issue was when they attempted to map a user, using PFCG, to a role. However, I informed them that CUP uses SU01. They have not experienced such an issue using SU01 and clicking on the user comparison button.
Interesting point: The user record is created and roles are assigned to the user, but they have a red light indicator by the role within SU01. However, when the next day rolls around, the role has been changed to a green light, the profile is assigned and everything is looking good. Unfortunately, CUP can't seem to register this, and when the Role Owner attempts to approve the role / user request again, the same error occurs. Until I can get around this error, the workflow is not closed out nor is the requester notified.
Questions:
(1) How can I fix this issue, I assume it will require a security change to be made within the ECC environment?
(2) If this issue can't be fixed, can I get around this issue with a detour or other CUP error processing step?
Hi,
This makes sense, as CUP not only assigns the role to the user (SU01), it also runs the user comparison job depending on the settings. Can you make sure that the RFC user has the necessary authorizations to run the user compare job? If you paste logs here, it should specify about this. Now, response to your options:
(1) How can I fix this issue, I assume it will require a security change to be made within the ECC environment?
Go and check the 'Provision Effective Immediately' settings under Configuration -> Workflow -> Auto Provisioning -> Provisioning - Role Assignment.
(2) If this issue can't be fixed, can I get around this issue with a detour or other CUP error processing step?
Yes. You can create an escape route for auto-provisioning failures. Route this approval to the Security team.
Regards,
Alpesh
Problem Solved
By setting AUTO_USERCOMPARE to "NO" in table PRGN_CUST this issue has been resolved.
This issue also remains fixed after removing AUTO_USERCOMPARE from the table altogether.
The issue at the root of this thread is still occurring. I have investigated a few items in our system and here is what I have found:
Issue Summary:
CUP provisions to our SRM environment without throwing the 260 error and all is well. When provisioning in ECC, the CUP application throws the "260:User master comparison incomplete" message and our request fails and returns to the CUP admin.
SRM Investigation:
PRGN_CUST entries:
GEN_PSW_MAX_DIGITS
During an SU01 trace the auth objects S_USER_AGR, GRP were checked.
ECC Investigation:
PRGN_CUST entries:
ADD_ALL_CUST_OBJECTS
AUTO_USERCOMPARE - NO
CUA_USERGROUPS_CHECK
HR_ORG_ACTIVE
USRPROF_AUTOEXEC
During an SU01 trace the auth objects S_USER_AGR, GRP & PRO were checked.
Questions:
What is missing in ECC versus SRM that is causing one to work and the other to fail?
Is the missing table entry for "AUTO_USERCOMPARE" in SRM causing it to skip this check altogether therefore causing this to work?
Lastly, why would SU01 in ECC check S_USER_PRO and not in SRM?
Thanks in advance for any help you can give. This issue is a huge issue for our project.
ECC = SAP BASIS release 700 017
SRM = SAP BASIS release 640 022
Denoted below is the log that corresponds to the 260 comparison error. Does anyone know what access I am missing within the UME? I have tested this provisioning process manually and do not run into a comparison error within the SU01 screens:
2010-04-27 13:44:54,748 [SAPEngine_Application_Thread[impl:3]_31] ERROR com.virsa.ae.service.ServiceException: 260:User master comparison incomplete; see long text
com.virsa.ae.service.ServiceException: 260:User master comparison incomplete; see long text
at com.virsa.ae.service.sap.SAPProvisionDAO.executeRoleOperation(SAPProvisionDAO.java:1706)
at com.virsa.ae.service.sap.SAPProvisionDAO.assignRoles(SAPProvisionDAO.java:1458)
at com.virsa.ae.service.sap.ProvisionSAPUserDAO.provisionInNonCUA(ProvisionSAPUserDAO.java:1232)
at com.virsa.ae.service.sap.ProvisionSAPUserDAO.provisionRole(ProvisionSAPUserDAO.java:932)
at com.virsa.ae.service.sap.ProvisionSAPUserDAO.provisionUser(ProvisionSAPUserDAO.java:118)
at com.virsa.ae.accessrequests.bo.ProvisioningBO.autoProvision(ProvisioningBO.java:216)
at com.virsa.ae.accessrequests.bo.RequestBO.autoProvisioningForApprove(RequestBO.java:4572)
at com.virsa.ae.accessrequests.bo.RequestBO.callAEExitService(RequestBO.java:5565)
at com.virsa.ae.accessrequests.bo.RequestBO.callExitService(RequestBO.java:5339)
at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5191)
at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:4984)
at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:941)
at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:103)
at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:271)
at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(AccessController.java:219)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
2010-04-27 13:44:54,927 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.accessrequests.bo.RequestAuditHelper : logMajorAction() : : intHstId : 3068
2010-04-27 13:44:54,972 [SAPEngine_Application_Thread[impl:3]_31] ERROR no dtos exist which are in the same state as the passing dto
com.virsa.ae.core.ObjectNotFoundException: no dtos exist which are in the same state as the passing dto
at com.virsa.ae.workflow.bo.WorkFlowBOHelper.getIfUnapprovedPathExists(WorkFlowBOHelper.java:2662)
at com.virsa.ae.workflow.bo.WorkFlowBOHelper.handleWFForNewPathStage(WorkFlowBOHelper.java:2516)
at com.virsa.ae.workflow.bo.WorkFlowRequestRerouteHelper.rerouteRequest(WorkFlowRequestRerouteHelper.java:68)
at com.virsa.ae.workflow.bo.WorkFlowBO.rerouteRequest(WorkFlowBO.java:614)
at com.virsa.ae.accessrequests.bo.RequestBO.rerouteRequestForAutoProvisioningFailure(RequestBO.java:6897)
at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5239)
at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:4984)
at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:941)
at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:103)
at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:271)
at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(AccessController.java:219)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
2010-04-27 13:44:55,394 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.accessrequests.actions.RequestViewAction : confirmRequestApproval() : : setting context to true, ending context
2010-04-27 13:44:55,414 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.RequestDataForwardDAO : findTransactions() : : sbQuery : SELECT REQNO, REQPATHID, STAGE_NAME, FWDED_BY, APRVRID, ITERATION, FORWARD_TYPE, STATUS FROM VIRSA_AE_RQD_WPFWD WHERE REQNO = ?
2010-04-27 13:44:55,486 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.SAPConnectorDAO : findAllActiveSAPConnectors : : going to return no of records= 3
2010-04-27 13:44:55,495 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.OracleAppsConnectorDAO : findAllActiveORACLEConnectors : : going to return ImmutableList(empty)
2010-04-27 13:44:55,498 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.PACSConnectorDAO : findAllActivePACSConnectors : : going to return ImmutableList(empty)
2010-04-27 13:44:55,502 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.WSConnectorDAO : findAllActive : : going to return ImmutableList(empty)
2010-04-27 13:44:55,505 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.ApplicationDAO : findAllForContext : : going to return ImmutableList(empty)
2010-04-27 13:44:55,532 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.RequestDataSODConflictDAO : findAllForContext(SqljContext ctx) : : going to return ImmutableList(empty)
2010-04-27 13:44:55,535 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.RequestDataSODConflictDAO : findAllForContext(SqljContext ctx) : : going to return ImmutableList(empty)
2010-04-27 13:44:55,540 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.RequestDataMitigationDAO : findAllForContext(SqljContext ctx) : : going to return ImmutableList(empty)
2010-04-27 13:44:55,579 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.accessrequests.actions.RequestViewAction : pageLoad() : : INTO the method
2010-04-27 13:44:55,580 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.accessrequests.actions.RequestViewAction : pageLoad() : : request number : 154
2010-04-27 13:45:14,055 [SAPEngine_Application_Thread[impl:3]_18] INFO com.virsa.ae.dao.sqlj.RequestTypeDAO : findAll : : going to return no of records= 20
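Added example, not part of the original thread and not SAP's code: a small Python triage script for the log format posted above. It pairs the role-assignment error with the exception raised afterwards under rerouteRequestForAutoProvisioningFailure on the same thread. The sample is abridged from the posted log; the function and field names are this example's own.

```python
import re

# Constructed sample: abridged from the log posted above.
SAMPLE = """\
2010-04-27 13:44:54,748 [SAPEngine_Application_Thread[impl:3]_31] ERROR com.virsa.ae.service.ServiceException: 260:User master comparison incomplete; see long text
com.virsa.ae.service.ServiceException: 260:User master comparison incomplete; see long text
at com.virsa.ae.service.sap.SAPProvisionDAO.executeRoleOperation(SAPProvisionDAO.java:1706)
at com.virsa.ae.service.sap.SAPProvisionDAO.assignRoles(SAPProvisionDAO.java:1458)
2010-04-27 13:44:54,927 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.accessrequests.bo.RequestAuditHelper : logMajorAction() : : intHstId : 3068
2010-04-27 13:44:54,972 [SAPEngine_Application_Thread[impl:3]_31] ERROR no dtos exist which are in the same state as the passing dto
com.virsa.ae.core.ObjectNotFoundException: no dtos exist which are in the same state as the passing dto
at com.virsa.ae.workflow.bo.WorkFlowBOHelper.getIfUnapprovedPathExists(WorkFlowBOHelper.java:2662)
at com.virsa.ae.accessrequests.bo.RequestBO.rerouteRequestForAutoProvisioningFailure(RequestBO.java:6897)
2010-04-27 13:44:55,580 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.accessrequests.actions.RequestViewAction : pageLoad() : : request number : 154
"""

HEADER = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[(.+?)\] (ERROR|WARN|INFO|DEBUG) (.*)$")
FRAME = re.compile(r"^\s*at ([\w.$]+)\.(\w+)\(")
CODE = re.compile(r"(\d{3}):(.+)$")  # "<number>:<text>", as in "260:User master ..."

def parse_events(text):
    """Group each log header line with the stack frames that follow it."""
    events = []
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            events.append({"ts": h[1], "thread": h[2], "level": h[3], "msg": h[4], "frames": []})
        elif events and (f := FRAME.match(line)):
            events[-1]["frames"].append((f[1].rsplit(".", 1)[-1], f[2]))
    return events

def triage(events):
    """List role-assignment failures and flag those whose failure reroute also raised."""
    findings, open_fail = [], {}
    for ev in events:
        if ev["level"] != "ERROR":
            continue
        methods = {m for _, m in ev["frames"]}
        if "assignRoles" in methods:
            code = CODE.search(ev["msg"])
            item = {"ts": ev["ts"], "code": code[1] if code else None,
                    "origin": ".".join(ev["frames"][0]), "reroute_failed": False}
            findings.append(item)
            open_fail[ev["thread"]] = item
        elif "rerouteRequestForAutoProvisioningFailure" in methods and ev["thread"] in open_fail:
            open_fail.pop(ev["thread"])["reroute_failed"] = True
    return findings
```

A finding with `reroute_failed` set means the log shows the failure-handling reroute raising its own exception right after the provisioning error on the same thread.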
I have confirmed that my system had been configured so that the "Provision Effective Immediately" has been set to "Yes". I do not have any issues when provisioning, using CUP, to the SRM landscape. I am just having this issue when attempting to provision within ECC.
What else should I try or confirm within CUP or ECC security settings?
Please advise,
Brandon
Hi,
Check the Provisioning setting 'Provision Effective Immediately', if this is set to YES, then the User Comparison button should be GREEN after provisioning.
Thanks & Regards,
Venky.