on 02-24-2012 2:12 PM
Hi All,
May I know how can I synchronize and bring all the roles available in backend system so that I can select them while creating a request in Access Management?
Regards,
Faisal
Hello Faisal,
You should be aware that there's a known error regarding this:
[Note 1661323 - Sync Generated Roles not displayed in search result in ARQ|https://service.sap.com/sap/support/notes/1661323]
Cheers,
Diego.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Faisal
I thought you had already imported the roles. If you want to import roles from back-end, please check "role import" starting from page 102 here: http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/80063a8e-1da6-2e10-aaa5-fda1f0936...
Cheers,
Diego.
Hi Kaushal,
Thanks for your reply.
I went to Role Import option in AM. While in the first stage Define Criteria, I am able to get the connector group under Landscape field which is mandatory. Howerver, the backend system in not displayed under Source System field.
Any where else I have to update some configuration so that I get the list of all backend systems here?
Please suggest.
Regards,
Faisal
Hi Faisal,
You need to select Application Type as SAP, then select Landscape, then select System.
If you dont get Landscape fter selecting App Type as SAP, then you might have missed to create connector Group (Maintain connectors and connector groups) with the system assigned to it or not assigned ROLMG Scenario to the System (Maintain Connector Settings).
Regards,
Ajesh.
Ajesh,
Thanks for your reply.
It really helped me a lot.
Now I could see the connector group/connector name.
However, when I submit for role import, it says:
Error: Scenario Link is not defined in grfnconnscnlk table for <connector name>
I must be missing something. Can you please help me?
Regards,
Faisal
Hello Faisal,
Please re-check the configuration as per the guide http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/80063a8e-1da6-2e10-aaa5-fda1f0936...
(page 17)
"For Role Management it is required to have the ROLMG, AUTH and PROV scenarios linked to the connector, this is done via IMG...."
Cheers,
Diego.
Hi Diego,
Now I have successfully configured the integration scenario for ROLM and AUTH (PROV was already completed). Having done this, when now I try to import the roles, I get this error in the last step:
Correctly define the scenario handler class in CCITS
I did some search on this and found one note#1575072.
I am unable to understand the it how I can use in my situation. Does it have to do with user data source
Can you please help me?
Regards,
Faisal
Hi,
I could solve this problem by using the CL_GRAC_AD_ROLE_GENERATION_RFC class against my connector type in Maintain Connection Settings in SPRO.
Now when I imports, it says the status as Success. I presume that the roles are imported successfully.
Further, I tried to create a new request, However, while adding the roles, I could not find even a single role while searching.
Later I tried to update the roles. This time I could find my sample role which I had created in the back end system and I suppose that it is now brought here.
May I know why I am unable to see the roles while creating a request?
Regards,
Faisal
Hi,
Thanks for your reply.
I did execute this option and below are the activities I did:
1. Selected Role Update option
2. Selected all the roles in option *Select Roles
3. In Select Criteria options, I select All Attributes as the attribute and update as the action
4. In Select Values stage, I selected multiple values like business process etc. Here, I have selected Role Status as the Production one.
Still of no help.
Regards,
Faial
Hello,
What is the value assigned to the "Role Status"? If it is not "Production/PRD", then Access request doesn't allow it to be displayed as a selectable option for assignment. Prior to SP06, this was not checked, but SP06 got updated to ensure roles that are not in Productive use status can not be assigned for usage.
Once you change this status over in the roles you wish to make available for assignment via Access Request, you should be able to search and select them
The change is within the role properties itself, but what you can do from the SPRO config is set the default value of the Role Status to "Prod"/"PRD" (can't remember the param ID off the top of my head), so when you add a new role into GRC, you will not have to worry about checking this everytime per role you bring in.
Thanks & regards
Asheesh
Ashish,
Thanks for your reply.
I made some changes in the configuration as follows:
1. Under SPRO->GRC->Access Control->Maintain Configuration settings, I changed Parameter value to PRD against PARAM ID 3004 (Role Management being the Parm Group).
2. Under SPRO->GRC->Access Control->Role Management->Maintain Role Status, I selected the PRD Check box.
However, still I am unable to see the roles from the back end system while creating the request.
Please suggest.
Regards,
Faisla
Hi Fisal,
Have you added "approvers" when you made the role import for those roles?
Regards
Swarna
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Faisal
Have you added approvers to these roles when you made the mass the role import ?
Regards
Swarna
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.