cancel
Showing results for 
Search instead for 
Did you mean: 

CUP Auto Provisioning Error 260: User Comparison

Former Member
0 Kudos

I am in the process of configuring the CUP 5.3 module within our ECC and SRM environments. I believe the path and associated stages are established properly. I have tested the auto provisioning functionality within both SRM and ECC. As it relates to SRM, the auto provisioning functionality works without a hitch. However, when I attempt to auto provision a user into our ECC environment, I receive the following error:

Auto provisioned for request on 04/07/2010 13:41

New User: T00522 created on 04/07/2010 13:42 in System(s): DR4-300.

User attributes changed for User : T00522 in System(s) :DR4-300.

Role Provisioning failed for System(s) : DR4-300. Error Message : 260:User master comparison incomplete; see long text

Speaking with out security team, the only time they have seen this issue was when they attempted to map a user, using PFCG, to a role. However, I informed them that CUP uses SU01. They have not experienced such an issue using SU01 and clicking on the user comparison button.

Interesting point: The user record is created and roles assigned to user but have a red light indicator by the role within SU01. However, when the next day rolls around the role has been changed to a Green light, profile assigned and everything is looking good. Unfortunately, CUP can't seem to register this and when the Role Owner attempts to approve the role / user request again. The same error occurs and until I can get around this error, the workflow is not closed out nor is the requester notifiied.

Questions:

(1) How can I fix this issue, I assume it will require a security change to be made within the ECC environment?

(2) If this issue can't be fixed, can I get around this issue with a detour or other CUP error processing step?

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

Hi,

This makes sense as not only CUP assigns the role to the user (SU01), it also runs user comparison job depending on the settings. Can you make sure to see that the RFC user has necessary authorizations to run user compare job. If you paste logs here, it should specify @ this. Now, response to your options:

(1) How can I fix this issue, I assume it will require a security change to be made within the ECC environment?

Go and check the ' Provision Effective Immediately' settings under configuration -> workflow -> autoprovisioning -> Provisioning - Role Assignment.

(2) If this issue can't be fixed, can I get around this issue with a detour or other CUP error processing step?

Yes. You can create a an escape route for autoprovisioning failures. Route this approval to Security team.

Regards,

Alpesh

Answers (5)

Answers (5)

Former Member
0 Kudos

Problem Solved

By setting AUTO_USERCOMPARE to "NO" in table PRGN_CUST this issue has been resolved.

This issue also remains fixed after removing AUTO_USERCOMPARE from the table all together.

Former Member
0 Kudos

The issue at the root of this thread is still occuring. I have investigated a few items in our system and here is what I have found:

Issue Summary:

CUP provisions to our SRM enviroment without throwing the 260 error and all is well. When provisioning in ECC the CUP application throws the 260:User master comparison incomplete; message and our request fails and returns to the cup admin.

SRM Investigation:

PRGN_CUST entries:

GEN_PSW_MAX_DIGITS

During an SU01 trace the auth objects S_USER_AGR, GRP were checked.

ECC Investigation:

PRGN_CUST entries:

ADD_ALL_CUST_OBJECTS

AUTO_USERCOMPARE - NO

CUA_USERGROUPS_CHECK

HR_ORG_ACTIVE

USRPROF_AUTOEXEC

During an SU01 trace the auth objects S_USER_AGR, GRP & PRO were checked.

Questions:

What is missing in ECC versus SRM that is causing one to work and the other to fail?

Is the missing table entry for "AUTO_USERCOMPARE" in SRM causing it to skip this check altogether therefore causing this to work?

Lastly, why would SU01 in ECC check S_USER_PRO and not in SRM?

Thanks in advance for any help you can give. This issue is a huge issue for our project.

ECC = SAP BASIS release 700 017

SRM = SAP BASIS release 640 022

Former Member
0 Kudos

Hello ,

This seems to be an issue with the RFC user authorization , please check if the user has all the required rights.

Regards

-Ranjiv

Former Member
0 Kudos

Denoted below is the log that corresponds to the 260 comparison error. Does anyone know what access I am missing within the UME. I have tested this provisioning process, manually, and do not run into a Comparison error within the SU01 screens:

2010-04-27 13:44:54,748 [SAPEngine_Application_Thread[impl:3]_31] ERROR com.virsa.ae.service.ServiceException: 260:User master comparison incomplete; see long text

com.virsa.ae.service.ServiceException: 260:User master comparison incomplete; see long text

at com.virsa.ae.service.sap.SAPProvisionDAO.executeRoleOperation(SAPProvisionDAO.java:1706)

at com.virsa.ae.service.sap.SAPProvisionDAO.assignRoles(SAPProvisionDAO.java:1458)

at com.virsa.ae.service.sap.ProvisionSAPUserDAO.provisionInNonCUA(ProvisionSAPUserDAO.java:1232)

at com.virsa.ae.service.sap.ProvisionSAPUserDAO.provisionRole(ProvisionSAPUserDAO.java:932)

at com.virsa.ae.service.sap.ProvisionSAPUserDAO.provisionUser(ProvisionSAPUserDAO.java:118)

at com.virsa.ae.accessrequests.bo.ProvisioningBO.autoProvision(ProvisioningBO.java:216)

at com.virsa.ae.accessrequests.bo.RequestBO.autoProvisioningForApprove(RequestBO.java:4572)

at com.virsa.ae.accessrequests.bo.RequestBO.callAEExitService(RequestBO.java:5565)

at com.virsa.ae.accessrequests.bo.RequestBO.callExitService(RequestBO.java:5339)

at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5191)

at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:4984)

at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:941)

at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:103)

at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:271)

at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)

at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)

at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)

at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)

at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)

at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)

at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)

at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)

at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)

at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)

at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)

at java.security.AccessController.doPrivileged(AccessController.java:219)

at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)

at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)

2010-04-27 13:44:54,927 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.accessrequests.bo.RequestAuditHelper : logMajorAction() : : intHstId : 3068

2010-04-27 13:44:54,972 [SAPEngine_Application_Thread[impl:3]_31] ERROR no dtos exist which are in the same state as the passing dto

com.virsa.ae.core.ObjectNotFoundException: no dtos exist which are in the same state as the passing dto

at com.virsa.ae.workflow.bo.WorkFlowBOHelper.getIfUnapprovedPathExists(WorkFlowBOHelper.java:2662)

at com.virsa.ae.workflow.bo.WorkFlowBOHelper.handleWFForNewPathStage(WorkFlowBOHelper.java:2516)

at com.virsa.ae.workflow.bo.WorkFlowRequestRerouteHelper.rerouteRequest(WorkFlowRequestRerouteHelper.java:68)

at com.virsa.ae.workflow.bo.WorkFlowBO.rerouteRequest(WorkFlowBO.java:614)

at com.virsa.ae.accessrequests.bo.RequestBO.rerouteRequestForAutoProvisioningFailure(RequestBO.java:6897)

at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5239)

at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:4984)

at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:941)

at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:103)

at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:271)

at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)

at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)

at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)

at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)

at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)

at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)

at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)

at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)

at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)

at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)

at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)

at java.security.AccessController.doPrivileged(AccessController.java:219)

at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)

at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)

2010-04-27 13:44:55,394 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.accessrequests.actions.RequestViewAction : confirmRequestApproval() : : setting context to true, ending context

2010-04-27 13:44:55,414 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.RequestDataForwardDAO : findTransactions() : : sbQuery : SELECT REQNO, REQPATHID, STAGE_NAME, FWDED_BY, APRVRID, ITERATION, FORWARD_TYPE, STATUS FROM VIRSA_AE_RQD_WPFWD WHERE REQNO = ?

2010-04-27 13:44:55,486 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.SAPConnectorDAO : findAllActiveSAPConnectors : : going to return no of records= 3

2010-04-27 13:44:55,495 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.OracleAppsConnectorDAO : findAllActiveORACLEConnectors : : going to return ImmutableList(empty)

2010-04-27 13:44:55,498 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.PACSConnectorDAO : findAllActivePACSConnectors : : going to return ImmutableList(empty)

2010-04-27 13:44:55,502 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.WSConnectorDAO : findAllActive : : going to return ImmutableList(empty)

2010-04-27 13:44:55,505 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.ApplicationDAO : findAllForContext : : going to return ImmutableList(empty)

2010-04-27 13:44:55,532 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.RequestDataSODConflictDAO : findAllForContext(SqljContext ctx) : : going to return ImmutableList(empty)

2010-04-27 13:44:55,535 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.RequestDataSODConflictDAO : findAllForContext(SqljContext ctx) : : going to return ImmutableList(empty)

2010-04-27 13:44:55,540 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.dao.sqlj.RequestDataMitigationDAO : findAllForContext(SqljContext ctx) : : going to return ImmutableList(empty)

2010-04-27 13:44:55,579 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.accessrequests.actions.RequestViewAction : pageLoad() : : INTO the method

2010-04-27 13:44:55,580 [SAPEngine_Application_Thread[impl:3]_31] INFO com.virsa.ae.accessrequests.actions.RequestViewAction : pageLoad() : : request number : 154

2010-04-27 13:45:14,055 [SAPEngine_Application_Thread[impl:3]_18] INFO com.virsa.ae.dao.sqlj.RequestTypeDAO : findAll : : going to return no of records= 20

Former Member
0 Kudos

I have confirmed that my system had been configured so that the "Provision Effective Immediately" has been set to "Yes". I do not have any issues when provisioning, using CUP, to the SRM landscape. I am just having this issue when attempting to provision within ECC.

What else should I try or confirm within CUP or ECC security settings?

Please advise,

Brandon

Former Member
0 Kudos

Can you make sure to see that the RFC user has necessary authorizations to run user compare job. If you paste logs here, it should specify @ this.

Former Member
0 Kudos

Hi,

Check the Provisioning setting 'Provision Effective Immediately', if this is set to YES, then the User Comparison button should be GREEN after provisioning.

Thanks & Regards,

Venky.