cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Roles cannot be selected when using Model User

Go to solution
Former Member

on ‎04-30-2013 6:57 AM

0 Kudos

Hello all,

I just started GRC Module operating position,

I want to select roles and give it to requested user in Model User functionality.

but I cannot select roles in model user screen.

I don't know why but other functions which can select roles, there's 'X' marks on 'Row Selectable' Column when  I see 'More Fields Help'.

But here I cannot see X marks on 'Row Selectable' Column in model user ALV options.

I can see this message : "Roles that are coming as disabled are not being maintained in ERM"

So I imported Role to front end through "Role Import" Functionality. And run Repository Sync again.

But I still not able to select roles. What can I do?

I attached some related screen shots.

Thank you!

Is there any guide about 'Model User' ?

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Colleen
Advisor
Advisor
‎04-30-2013 7:24 AM
0 Kudos

HI KT

As part of the role Import, what provisioning status do you have the roles set to

Open up one for your roles in the ERM repository (role maintenance) > choose Additional Details > check your Role Status and Systems for Provisioning

The Role Status in the drop down are taken from IMG Configuration "Maintain Role Status". You need to choose a status in this box which has the configuration checks as Production, otherwise provisioning is not allowed.

Check this configuration out. If you need to make changes, rerun synch afterwards.

Show replies
Show replies
Former Member
‎04-30-2013 8:21 AM
0 Kudos

Hi colleen, Thank you for your reply!

I've checked settings you showed me,

Most roles are set like above. 'Production' status, Provisioning Allowed : 'Yes'.

This is IMG setting.

Still not works...

Colleen
Advisor
Advisor
‎05-01-2013 5:23 AM
0 Kudos

Hi KT

your first screen shot does not show the DROP DOWN Box for the Role status (not the individual system entry). That is that status that must be selected as Production

Former Member
‎05-02-2013 1:46 AM
0 Kudos

Hello Colleen,

I've checked role status drop down box, but it's production status.

Is there any reason for this issue?

Thank you!

Colleen
Advisor
Advisor
‎05-02-2013 10:22 PM
0 Kudos

What do you have for configuration parameters:

2033    Allow All Roles for Requestor

2034    Requestor Role Restriction Attribute (applies if 2033 is set to YES)

2044    Display profiles in Existing assignments, My Profile and Model user

Have you run a full synch on the roles and users since uploading roles, etc? Not sure if your original comment was a full object repository sync or a delta synch for roles

Can you try and scroll down the list to see if any roles are selectable (your screen shot suggests the Model User has more roles assigned than what's showing. It could help to see if any is selectable - such as system).

Finally, have you checked the authorisations necessary for Model User? (Object GRAC_ROLEP for Activity 78 for the connector the role belongs to). The warning message on my system is "Roles that are coming as disabled are not being maintained in ERM or for which USER don’t have the connector authorization"

Former Member
‎05-03-2013 11:45 AM
0 Kudos

1. 2033 is 'YES'

2034 is 'YES'

2044 is 'NO'

I've set those all 'Yes' but it still does not work.

2. Run a full repository sync -> nothing different...

And there's No Roles I can select.

3. I got SAP_ALL profile on this server, so I don't think it's authorization problem..

Is there any connection between situation and ALV setting?

I attached some screen shots at first.

Is there any possibility that this is a matter on web dynpro settings or codes?

There's no 'X' marks on 'Row Selectable' Column. I wonder how can I change this column set to 'X'.

And I also search with this on Google but there's no result on 'SALV_WD_ROW_SELECTABLE'.

That's context path that web dynpro object shows...

Thank you for your help. It's to hard for me to deal with this matter.

Colleen
Advisor
Advisor
‎05-05-2013 11:38 PM
0 Kudos

Hi

Parameter 2034 is not a YES/NO option. Values can be either:

B    Restrict on Business Process

F    Restrict on Functional Area

Alternatively, remove it from the configuration altogether.

ALV layout is not tied to role types, etc

Your next options (to rule out the Role Configuration) is to attempt to do a standard User Request to request one of the roles already assigned to the template user. If this works, then you konw your ERM configuration is in place as well as the Integration Framework for your Connectors (such as Maintain Connection Settings for PROV-  Provisioning)

You might be at the stage where you need to raise a message with SAP and have them investigate your system. There is only so much can be done on SCN when we don't access the system. If not, see if your developer can DEBUG it for you.

Former Member
‎05-08-2013 9:02 AM
0 Kudos

Thank you Colleen for your reply.

but model user still dos not work..

I tested 2033 Yes, 2034 B and F, 2035 Yes. But It's still not working..

Are there any pre-requisites that I should perform before use Model User?

(If this is a matter of Roll Status)

I imported roles back end system to Front end.

And performed All Sync jobs including Full Repository Sync with all connectors.

Is there any other things that I should do?

Colleen
Advisor
Advisor
‎05-09-2013 6:01 AM
0 Kudos

Hi KT

As mentioned, i recommend you step back from Model User and see if you can do a standard Access Request and select your role

Also, I noticed on one of you screen shots that you have used a connector for trusted systems generated RFC Connection ""@GRD.DOMAIN_GRC"". I have no idea if this might be related but you might want to clean it up anyway.

Former Member
‎05-09-2013 6:59 AM
0 Kudos

Thank you,

Do you mean, Access Request Creation?

I perform Access Request Creation, and request a role that I already have.

And role normally go into my account in destination server.

So now I have two same roles with different date setting.

Colleen
Advisor
Advisor
‎05-17-2013 1:39 AM
0 Kudos

Hi KT

Yes, I did mean to do a User Access Request and to request a role. So long as ZHTR_22 role is one of the roles the Model User has that you cannot select? If not, try to request role Z10_ORG_DEFINE. the goal of this test is to verify if the role repository definition for the role is correct.

If model user has ZHTR_22 AND you were able to select it via normal request form, then this suggests that the role repository setup is correct. So we are still back to why won't Model users work.

SAP did release KB article note 1850080  - Cannot select role assigned to a model user. Again, this note claims role import/object repository synch is incomplete. And, if you can request the role via the access request then it won't help you.


pavan_muthyala
Explorer
‎10-23-2014 7:25 AM
0 Kudos

Hi KT,

I had similar issue, where i couldnt select the roles in model user.

I unchecked role type : Derived roles in 'De-activate Role Types' in SPRO

and i could see the derived roles enabled to be selected.

So make sure what ever roles you want to assign in Model User , SIN, DRD should be activated first.

Hope this solves your issue.

Regards,

Pavan Muthyala

Answers (0)

Ask a Question