cancel
Showing results for 
Search instead for 
Did you mean: 

User Import with SAP Integration Failure

Former Member
0 Kudos

I have installed the SAP integration Kit 3.1 on my Business Objects XI 3.1 Enterprise installation.

I have installed SAP Encryption on the server as well.

Following the steps in the book Integrating SAP Business Ojbects XI 3.1 Tools with SAP Netweaver, I was able to conect to my SAP system and see roles for import.

I imported some roles asigned to my SAP account, I did not automatically import users.

I then logged in to Infoview with my SAP account and this account was validated and created in BO.

My account was assigned to the roles/groups in BO correctly.

I then tested a universe and was able to make one and setup Single Sign On at the connection level and validate that I could see only the data that my SAP account had access to.

All of this was good and I was happy with the installation.

I then configured SSO tickets exchanging PSE files with our SAP system.

I configured SNC options so that we could do publications.

When we run a publication I get an error saying:

BusinessObjects_PublicationAdminErrorLog_Instance_2530 - [Publication ID # 2530] - Scheduling document job "IB_SYS_IVIEW_SONJA" (ID: 2,538) failed: A database error occured. The database error text is: The SAP SSO authentication process will fail because the current user doesn't have an alias that matches system EB1CLNT101.. (WIS 10901) Scheduling document 'IB_SYS_IVIEW_SONJA' (ID: 2,538) failed for the following users: EB1~101/Z0013BYF (ID: 2100) . These users had the following profile values: [No profile values] (FBE60502) [1 recipients processed.]

This lead me to wonder if the users were getting created correctly, so I changed options to import users automatically and forced user syncronization. Then went to role import and hit update. I promptly lost all my users associated to the SAP system I have configured.

Any idea why this might happen?

Accepted Solutions (1)

Accepted Solutions (1)

IngoH
Advisor
Advisor
0 Kudos

Hi Marcel,

when you did setup the SAP authentication did you create it for the system EB1CLNT101 ?

Did you also import the users ?

I assume you used the category Enterprise recipients and you used the SAP roles as recipients ?

thanks

ingo

Former Member
0 Kudos

Hi Marcel,

when you did setup the SAP authentication did you create it for the system EB1CLNT101 ?

Yes I setup the authentication for SAP to EB1CLNT101.

Did you also import the users ? Initially I did not import the users. I just imported roles that my SAP account had access to and then logged into InfoView with that SAP account using SAP authentication. This then created my SAP account during login. The account used in the Publication was also created via login and not imported.

I assume you used the category Enterprise recipients and you used the SAP roles as recipients ? I use Enterprise Recipients. I selected just one SAP user as the recipient, no roles where selected. Would it matter if I did not select a SAP role?

It also turns out that the SAP BW team did not import any of the SAP Integration Kit transports, so I assume this could also be part of the problem.

Thanks

Marcel.

IngoH
Advisor
Advisor
0 Kudos

Hi,

Did you also import the users ? Initially I did not import the users. I just imported roles that my SAP account had access to and then logged into InfoView with that SAP account using SAP authentication. This then created my SAP account during login. The account used in the Publication was also created via login and not imported.

>> which then only imports that one single account - not all other accounts.

I assume you used the category Enterprise recipients and you used the SAP roles as recipients ? I use Enterprise Recipients. I selected just one SAP user as the recipient, no roles where selected. Would it matter if I did not select a SAP role?

>> which then means that the publication will only have one recipient.

It also turns out that the SAP BW team did not import any of the SAP Integration Kit transports, so I assume this could also be part of the problem.

>>yes.

Ingo

Former Member
0 Kudos

Ok the transports have been added to the SAP BW system and I am able to automatically import users with roles now.

I am still getting this error when running a publication. I used the automatically created user from the role import as the enterprise recipient. We have also validated this user can refresh and see data from the report used in the publication.

2009-07-30 07:58:42,617 ERROR [PublishingService:HandlerPool-125] BusinessObjects_PublicationAdminErrorLog_Instance_3039 - [Publication ID # 3039] - Scheduling document job "IB_SYS_IVIEW_SONJA" (ID: 3,045) failed: A database error occured. The database error text is: The SAP SSO authentication process will fail because the current user doesn't have an alias that matches system EB1CLNT101.. (WIS 10901) Scheduling document 'IB_SYS_IVIEW_SONJA' (ID: 3,045) failed for the following users: EB1~101/Z0013BYF (ID: 2739) . These users had the following profile values: [No profile values] (FBE60502) [1 recipients processed.]

Let me add a couple of other pieces of information. 1 our system in Windows 2003 (64bit) and for the SAP cryptographic Library I used the ntintel folder not the ntia64 or nt-x86_64, on the assumption that since the code base for Business Objects is 32bit it would not interact correctly with the 64bit versions. If this is a wrong assumption please let me know.

Edited by: Marcel Van der Sleen on Jul 30, 2009 4:07 PM

IngoH
Advisor
Advisor
0 Kudos

Hi,

- did you configure the SAP authentication ?

- are you able to logon with SAP credentials to InfoView and CMC ?

- are you able to view the report with SSO ?

Ingo

Former Member
0 Kudos

Hi,

- did you configure the SAP authentication ?

- are you able to logon with SAP credentials to InfoView and CMC ?

- are you able to view the report with SSO ?

Ingo

Yes SAP Autnentication is configured.

Yes I am able to login to both infoview and CMC with a SAP based account.

Yes If I set the universe connection to Single Sign on at refresh time I am able to refresh report data.

The above only happens when using a publication, which authenticates with Logon Tickets and does not use passwords.

IngoH
Advisor
Advisor
0 Kudos

Hi,

a publication with "logon tickets" ? a publication requires a complete configuration of server side trust between SAP and BusinessObjects. The details are outlined in the Installation Guide.

ingo

Former Member
0 Kudos

Yes. We have configured server trust between the servers, or should I say we believe it is all configured.

We have followed the installation guide and steps oulined in your book Chaper 8 page 159 to page 184.

Although given the error recieved I am sure something long that line has not been configured correctly.

IngoH
Advisor
Advisor
0 Kudos

so lets assume for now that the server side trust has been configured.

- the Universe has been configured to use SSO ?

- what are the values for the publication in regards to recipients, and other settings ?

ingo

Former Member
0 Kudos

Yes the Universe is set to use SSO.

The publication is set to use one WEBI report built off of the universe.

We have setup one Enterprise Recipient for our connected SAP System. The user was created when the roles were imported to the BOBJ Enterprise System.

Destiniation is set at the user inbox.

Format of report is WEBI

Processing servers are set to the SAP Processing Group as defined by in your book section 8.3.7 SAP Business Objects Services.

The publication is then run via schedule->recurrence (Now) and hitting schedule.

After some minutes it fails with the above error.

If the user used in the publication logs in and runs the reports (refresh data button) in webi it works correctly refreshing data.

Thanks.

IngoH
Advisor
Advisor
0 Kudos

Hi,

what are the advanced settings for the publication ?

ingo

Former Member
0 Kudos

Advance settings are:

Profile Resolutions:

set to Do Not Merge

Personalizations: Unchecked.

Report Bursting Method:

Set to One Database Fetch for all recipients

Now you make we wonder if it should not be set to one per recipient.

Ok I changed it to the setting to fetch one for every recipient and it runs. Now for some reason the administrator can not put the results in to the recipients inbox which I find really weird but I am sure that is just a case of security not getting configured on auto import of users.

Thanks.

Edited by: Marcel Van der Sleen on Jul 30, 2009 7:43 PM

IngoH
Advisor
Advisor
0 Kudos

Hi,

because you referenced it earlier : page 190 in the book =:).

on the security : did you assign the imported SAP roles security in the BusinessObjects Enterprise system ?

ingo

Former Member
0 Kudos

I did not doh, what a hommer simpson moment there. So focused on getting the report to run we never tried to create an instance of the report. I will update security now.

Answers (1)

Answers (1)

Former Member
0 Kudos

Ok so I am able to run the publication but now the administrator can not put objects into the destination.

IngoH
Advisor
Advisor
0 Kudos

do the imported SAP roles have assigned rights in the BusinessObjects system ?

Ingo

Former Member
0 Kudos

All SAP roles have View On Demand right for the SAP folder and any sub folder.

Content and publication object are under this folder structure.

This is the error message I get.

2009-07-30 13:57:19,001 ERROR [PublishingService:HandlerPool-99] BusinessObjects_PublicationAdminErrorLog_Instance_3100 - [Publication ID # 3100] - Scheduling document job "IB_SYS_IVIEW_SONJA" (ID: 3,106) failed: Sorry, you do not have the right to 'Add objects to the folder' (ID: 1) for 'IB_SYS_IVIEW_SONJA_tid6703' (ID: 3110). Please contact your administrator if you require this right. Scheduling document 'IB_SYS_IVIEW_SONJA' (ID: 3,106) failed for the following users: EB1~101/Z0013BYF (ID: 2739) . These users had the following profile values: [No profile values] (FBE60502) [1 recipients processed.]

IngoH
Advisor
Advisor
0 Kudos

Hi,

and the error message is pretty clear about what the issue here is. there are rights missing.

Ingo

Former Member
0 Kudos

Yes I have determined that the Enterprise Recipient needs more permission then View on Demand, Infact the schedule permission is also not enough. The recipient needs Full control of the publication object to have it complete successfully. In this case the destination was the default folder or the inbox, but either requires full control.

I would be interested in what part of full control provides enough permissions for the publication to work.

Not sure if email is the destination that the user needs full control as well then but our none SAP based reporting publications require full control for the user executing the publication when a Dynamic Recipient list is used. Also a non admin when creating the publication would need more then full control as they need to be able to see the Users and Groups to assign Enterprise Recipients.

Thanks again for all the help and my problem is now officially solved.