
Federation, remote role assignment based on ABAP roles on producer

Former Member
0 Kudos

Hi all,

We have implemented the federated portal solution for our ESS users. We use the ABAP stack of the producer portal as user store for consumer and have no problems in assigning portal roles on our consumer based on ABAP roles in the backend (displayed as groups in the portal).

Now we want to add some extra functionality (eg SRM and eRec) and we encounter some problems. These systems all have their own ABAP stack as user store. We have maintained the functional authorization model in the ABAP roles for instance in SRM. So an example:

System I: ABAP + JAVA --> ECC 6.0

Here we have the standard R/3 functionality and the producer portal (A) installed. Roles created on producer portal and assigned based on ABAP roles.

System II: JAVA --> NW 7.0 Portal

Our consumer portal (B) where we use roles created on the producer portal (A) on System I.

System III: ABAP + JAVA --> SRM

Our SRM system with SRM producer portal (C). In the ABAP stack of this system the functional SRM roles have been assigned to the users. We have created functional SRM Portal roles in order to use remote role assignment on consumer portal (B).

PROBLEM

We want to remotely assign portal roles created on the SRM Producer (C) to users on the consumer portal (B), based on the ABAP role assignment in the backend of system III. How can we achieve this in a fast and efficient way?

Looking forward to your ideas. Anything helpful will be gladly awarded with SDN points.

Best regards,

Jan Laros

Accepted Solutions (0)

Answers (2)


Former Member
0 Kudos

Hello Jan,

I have never worked on FPN, but yes, we can achieve your desire by

1) Assigning proper permission as given in the link below.

Proper permission: http://help.sap.com/saphelp_nw70/helpdata/EN/43/2236fc0b413fe1e10000000a11466f/frameset.htm

2) And then assigning users to remote roles.

Assigning Users to Remote Roles: http://help.sap.com/saphelp_nw70/helpdata/EN/43/223e960b413fe1e10000000a11466f/frameset.htm

Hope this helps.

regards.

Soni Vinit

Former Member
0 Kudos

Hi Vinit,

Thanks for your reply, but I do not think you understand our problem and the links you are providing are obviously basic stuff that we all use in productive systems already.

The problem is that we want to use some kind of batch role assignment based on ABAP authorization on the producer portal, which has a different user store than the consumer portal.

Best regards,

Jan

Former Member
0 Kudos

Hi ,

To work with federation you should maintain the same user repository, or you should maintain unique IDs which exist in both user stores. You should be careful to avoid duplications.

Koti Reddy

Former Member
0 Kudos

User IDs are the same in both user stores. The systems are both in CUA.

Former Member
0 Kudos

Anyone who can help me with this, or should I start with manually replicating the ABAP role assignment?

Former Member
0 Kudos

Bump? We are facing same problems with eRecruitment now.

ravi_joseph
Active Contributor
0 Kudos

Just wondering, are you maintaining two producers in your consumer portal (B), one for ECC (A) and one for SRM (C)?

Jo

Former Member
0 Kudos

That's correct.

Former Member
0 Kudos

Jan,

Interesting question. Let me share my experience and hope that's of some use to you.

We started off federating corporate NetWeaver Portal (let's say B, parallel to your convention) as consumers to BI Portals (let's say A).

- B's UME points to Active Directory

- A's UME points to BI ABAP user store

- User ids are identical in both systems

We ran into the problem of dual administration ((de)assigning portal role on both portals instead of just one) for a long time. The issue was because of different reasons at different times as we patched B's and A's. At one point we were on SP15 on both portals and we were told by SAP that RRA can be done on B for remote roles and the assignment propagates to A automatically if the following configuration is set up on both A and B.

- A's permissions are relaxed, allowing the "Everyone" group to be checked for "End User" access as per http://help.sap.com/saphelp_nw04s/helpdata/en/43/2236fc0b413fe1e10000000a11466f/content.htm

However, we chose not to do the permission relaxation, as enabling the "Everyone" group with "End User" access can allow anyone to launch an iView (if the URL is known somehow) and the user would be able to see the layout of the iView, which can include text, etc. The user won't be able to access any data though; however, there is a certain compromise on security which we decided is not okay. So, we digressed from SAP's suggested practice because of security reasons.

Today we manage security on B using Active Directory groups and on A using Java groups (ABAP roles).

In your case, I suggest investigating the option of relaxing the security on the producer portal like in the above link. If you think it's okay, all you have to do is provision users on B by assigning remote roles from C and A.

Either my story is applicable or I must have got you totally wrong,

Kiran

Former Member
0 Kudos

Hi Kiran,

Thank you for your post. I don't think you understand my requirements quite correctly. I have no problems in finding and assigning roles from the producer portals to users on the consumer. That all works well.

I just would like to use the Java Groups (ABAP roles) on the producer as a "tool" for assigning roles on the consumer portal. So perhaps an example will clarify things.

We have an SRM system on which we run a portal with the business package and the roles, iViews, etc. We have maintained an ABAP role called "SRM_BUYER_USER" which contains the backend authorization for buyers. There is also a Portal role called "Buyer" in the SRM Portal (producer). We can choose to assign this Portal role to all users that are in the Java group SRM_BUYER_USER. In other words: if a user has the SRM_BUYER_USER authorization in the backend, he or she will have the Buyer role in the Portal.

Now, how can we use this SRM_BUYER_USER ABAP role in the backend of the producer for assigning portal roles on the consumer? So I would like to assign the Portal role Buyer to users on the consumer portal based on the question of whether they have the ABAP role SRM_BUYER_USER in the producer backend. How can this be done when they don't use the same user store, but the user IDs are the same?

Best regards,

Jan Laros
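
As an added illustration (not part of the original post, and not SAP or project code), the comparison described above can be run offline against two exports. The CSV layout, column names, sample users and the upper-casing of user IDs are all assumptions; only SRM_BUYER_USER and Buyer come from the thread.

```python
import csv
import io

# Constructed sample: ABAP role assignments exported from the producer
# backend (System III). Column names are assumed, not an SAP export format.
ABAP_EXPORT = """user_id,abap_role
JDOE,SRM_BUYER_USER
ASMITH,SRM_BUYER_USER
BLEE,SRM_DISPLAY
"""

# Constructed sample: remote role assignments currently on consumer portal (B).
CONSUMER_EXPORT = """user_id,portal_role
jdoe,Buyer
MKHAN,Buyer
"""

# ABAP role (a Java group on the producer) -> portal role it should grant.
ROLE_MAP = {"SRM_BUYER_USER": "Buyer"}


def load_pairs(text, role_column):
    """Return a set of (USER_ID, role) pairs. IDs are upper-cased on the
    assumption that both stores share IDs but may differ in case."""
    pairs = set()
    for row in csv.DictReader(io.StringIO(text)):
        uid = row["user_id"].strip().upper()
        role = row[role_column].strip()
        if uid and role:
            pairs.add((uid, role))
    return pairs


def reconcile(abap_text, consumer_text, role_map):
    """Compare what the backend authorizes with what the consumer portal
    grants, restricted to portal roles that appear in role_map."""
    expected = {(uid, role_map[r])
                for uid, r in load_pairs(abap_text, "abap_role") if r in role_map}
    managed = set(role_map.values())
    actual = {(uid, r)
              for uid, r in load_pairs(consumer_text, "portal_role") if r in managed}
    return {"to_assign": sorted(expected - actual),
            "to_revoke": sorted(actual - expected)}


if __name__ == "__main__":
    for action, pairs in reconcile(ABAP_EXPORT, CONSUMER_EXPORT, ROLE_MAP).items():
        for uid, role in pairs:
            print(action, uid, role)
```

The `to_revoke` list is the one to review first: it names users who hold the portal role on the consumer without the matching backend authorization.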

Former Member
0 Kudos

Jan,

I got what you are saying. I looked through our portals and it's evident that the group search is limited to the built-in groups and UME (in our consumer's case it's Active Directory) but not to the producer groups.

I don't know the answer to your question and I am keen on knowing how you'll get by this design problem.

Earlier, when I explained my architecture to you, I was trying to say something along the same lines (I didn't do a good job).

To provision a user, earlier, we used to:

1) Add ABAP role

2) Add Producer Portal Role

3) Add Remote role on Consumer.

Now we use the ABAP role in (1) as Java groups and decreased it to two steps:

1) Add Producer Portal Role (ABAP Role/Group is added to this role)

2) Add Remote role on Consumer.

If you are able to find a better solution, the above process reduces to just one step.

Regards,

Kiran

Former Member
0 Kudos

Anyone any ideas?