On the Manage menu, click Requests. The Requests page is displayed
Click the New icon. A drop-down list displays the list of requests that can be created for the Insights installed on your machine.
Click the SAP - Role Assignment request. The page for creating a new request is displayed.
This page contains: ShowHide
The SAP - Role Assignment request type enables you to:
Assign SAP roles to users in SAP or revoke existed roles. This request can also be used to assign roles in CUA managed clients.
Assign IRC roles to IRC users or revoke IRC roles:
Change user details such as validity period
Change the validity period for role assignments
Roles can be assigned to only one user at a time.
Note: SAP Role assignment requests can be created to edit user details such as the user validity period or user attributes without assigning any new role or making any changes to already assigned roles.
In addition to assigning IRC roles to IRC users through the User Management tab on the Security page, IRC roles can be assigned to IRC users through the Role Assignment Management request type by selecting IRC in the Connections drop-down list.
By default, this feature is enabled. To disable this feature, the AMSConfig.xml file located at [InstallPath]\Approva\BizRights\PresentationServices\xml should be modified by changing the <enableamiforbizrights> node to ‘false’.
To create a SAP - Role Assignment type of request:
Provide details as described below.
Click Send. The request appears on the Requests home page. Click the request link to drill down to view the request details and take further action.
Note: If you have selected User Groups as Additional Attributes, the validation of the selected user groups will be done against the last extracted data.
A Role Assignment request can also be generated from the What-if analysis for Role Assignment .
Use this panel to provide general information about the request such as the request name and other details, and the connection for which the request is created.
Provide a unique name to identify the request. This name is reflected on the Requests home page.
From the drop-down list, select a priority for the request.
Select the connection for which the request is being created. If a connection is set from the Preferences page, it is selected by default in this drop-down list. You have the option of removing this connection and adding another connection.
To select a connection, type in a part of the connection name in the autosuggest text box. All connection names matching the search criteria are displayed. Select the required connections. Alternatively, browse and select the desired connections and click OK. The selected connections appear in the grid below.
Note: The connections displayed in the drop-down list are a combination of both mapped and unmapped connections. You can select multiple mapped connections, but the following combination of connections is not supported by IRC as the users in these connections will be different.
Mapped and unmapped connections
Multiple unmapped connections
For details on mapped and unmapped connections refer to the topic Create or modify a connection.
When selecting multiple connections, if a CUA Central System connection or an IRC connection is selected along with another SAP connection, the CUA Central System or IRC connection will overwrite the selected SAP connection.
CUA Requests
Select the entry 'CUA Central System' so that you can make changes across multiple clients through a single request.
Note: In case of secured connections, users signed into IRC will be able to view and use only those connections that they have access to.
Select the user who is to be assigned new roles.
To select a user, type in a part of the user name. All users from the selected connections and matching your search criteria will be displayed. If multiple connections are selected and the same user exists in those connections, the user will be displayed multiple times.
Select the required user. Alternatively, browse and select the required user and click OK. The selected user appears in the Select User field .
Important: If users are manually mapped, the browse window will display the mapped name and not the ERP name. Write-back to the ERP will be on the basis of the mapped name.
By default, users locked in SAP are also displayed in the Browse Users pop-up window. If you select a locked user, the request will fail. To remove locked users from the Browse Users window, modify the xml file AMIConfig.xml.
Note: If a request for the same user is already pending, IRC displays a message alerting you about the duplicate assignment. You have the option to continue the request, cancel it or select a different user.
If the request is continued, then, during the approval process, the approver will see the message in the Previous Comments section.
After you select a user, the screen will display the roles already assigned to the selected user and will allow you to add or remove roles.
If the connection selected is a mapped connection then the list of roles assigned to the user from the other connections are also displayed.
This field displays the full name of the user selected. This field is a read only field and cannot be edited.
Define the validity period as follows:
The Valid From text box enables you to provide a date from which the selected user is valid.
If a valid from date is already selected for the user, that date appears in the text box. Click the Calendar icon to modify the date or select Date of Approval if the validity period is to begin from the date of approval of the request.
If a valid from date is not set for the selected user, click the Calendar icon to either select a specific date or select Date of Approval.
The Valid Through text box enables you to provide a date till the selected user is valid.
If a valid through date is already selected for the user, that date will appear in the text box. Click the Calendar icon to modify the date or select Never Expires.
Provide the name of an SAP user who will be the approver for the current request if the user’s manager is unable to approve the request. For example, if the approval template has 'Manager of User' as the approver at one or more stages, but the manager is out of office, then the Approval Manager specified here approves the request.
Note: The Approval Manager field will be enabled only if the option Allow users to redirect request is selected on the Access Management section on the Configuration page.
To select an approval manager, type in a part of the user name. All users matching the search criteria will be displayed. Select the desired user .Alternatively, browse and select the desired user and click OK. The selected user appears in the Approval Manager field
Specify the name of the user whose roles you want to assign to the selected user.
To select a user, type in a part of the user name in the autosuggest text box. All users matching the search criteria are displayed. Select the required user.
Alternatively, browse and select the required user and click OK. The selected user appears in the Assign Roles as this User field:
Select additional user attributes if required and provide values for them.
User attributes can be configured for all connections in which the user is present and should be enabled through the additionaluserattributes.xml file so that they are displayed on the request creation page.
For details, refer to the SAP - Configuration Settings Guide.
Note: Any additional user attributes added in the additionaluserattributes.xml cannot be connected and cannot write back to SAP.
This panel enables you to assign new roles to the selected user. If you have selected an existing user in the Assign Roles as this user field, this panel will list the roles belonging to that user as well.
Roles may be assigned to a user present in a single connection, or they may be assigned to multiple connections in which the user is present. The process of selecting roles varies depending on whether the roles are to be assigned to the user in one connection or in multiple connections
If the role is to be assigned to the selected user in one connection, select the role as follows:
Import Roles
If you wish to select multiple roles, you have the option of importing these roles through a CSV file. Only the following roles types can be imported and selected to be assigned:
Click here to view the format of this CSV file and the Role Type IDs of the above listed roles types.
Role or Profile Name | Role Type ID |
Simple Profile | 2 |
Composite Profile | 3 |
Simple Role | 4 |
Composite Role | 5 |
BizRights Role | 0 |
Import these roles as follows:
If multiple connections are selected from the Connections drop-down list and the user is present in two or more of the selected connections, this panel displays two drop-down lists:
You need to select roles for each connection separately as follows:
Import Roles
If you wish to select multiple roles, you have the option of importing these roles through a CSV file. Only the following roles types can be imported and selected to be assigned:
Click here to view the format of this CSV file and the Role Type IDs of the above listed roles types.
Role or Profile Name | Role Type ID |
Simple Profile | 2 |
Composite Profile | 3 |
Simple Role | 4 |
Composite Role | 5 |
BizRights Role | 0 |
Import the required roles as follows:
Note: Role Assignment requests fail if a role that is currently assigned to the user is selected in this panel to be assigned again.
This panel displays roles already assigned to the selected user in the selected connection. If the selected connection is a mapped connection, this panel will also list the roles assigned to this user in other connections to which the user belongs.
This panel enables you to revoke any of the roles already assigned in the selected connection. Roles assigned to this user in other connections cannot be revoked. .
To revoke a role, select the check-box next to the role to be revoked and click Revoke. The role will be revoked after the request undergoes the approval process.
By default, all existing role assignments can be revoked through this request. This means that users can have zero role assignments. You can modify this default setting in the AMSConfig.xml file to ensure that all existing roles are not revoked.
For details refer to the SAP - Configuration Settings Guide.
Note: Indirect assignments, that is, simple roles belonging to a composite role cannot be revoked. Only direct assignments can be revoked or the validity period changed.
Composite roles are listed on the User Interface marked with an icon.
Note:The Valid From and Expires On dates can be changed for existing roles assigned. The validity date changes can be viewed from the Request Details page.
This panel enables you to provide additional information about the request.
Provide additional information about the request.
Comments are mandatory if the requestor comments option check box on the Access Management section on the Configuration page is selected.
This tab enables you to send email notifications to request participants or other users at specific stages of a request.
Select any of the request status check boxes next to a user. Email notifications will be sent to that user when the request reaches that status. The option Approval Email Notification ensures that a user is notified whenever a request is posted to that user’s Inbox.
Select the check box Display comments in email notifications, if you want the application to display comments in the notification.
Other users can be notified by selecting the option Others. Provide the email address for the other users in the Other emails text box and click the Add icon .
Note: Email settings are enabled and may be changed only if the check box Override this Option is selected in the Options panel of the Approval Process Templates page.
This panel provides details of the approval stages defined in the template created for this request type. It also displays the current status of the approval stages.
Note: Role Assignment for SAP requests support only automatic request completion.
Role assignment requests for CUA clients can be created as above, except for the following details:
From the Connections drop-down list, select the required CUA connection:
New Roles to be Assigned panel
The options available in this panel vary depending on the option selected in the Connections drop-down list.
If a CUA Central System is selected and the user is present in two or more child connections, this panel displays two drop-down lists.
To assign roles to the user, you need to select roles in each child connection separately as follows:
To assign roles to all the child connections associated with the selected CUA master connection, select the option All in the first drop-down list and select the required role.
Import Roles
If you wish to select multiple roles, you have the option of importing these roles through a CSV file. Only the following roles types can be imported and selected to be assigned:
Click here to view the format of this CSV file and the Role Type IDs of the above listed roles types.
Role Type,Role Type ID Simple Profile,2 Composite Profile,3 Simple Role,4 Composite Role,5 BizRights Role,0 |
Import these roles as follows:
If a child CUA connection is selected, select the roles to be assigned as follows:
Import Roles
If you wish to select multiple roles, you have the option of importing these roles through a CSV file. Only the following roles types can be imported and selected to be assigned:
Click here to view the format of this CSV file and the Role Type IDs of the above listed roles types.
Role Type,Role Type ID Simple Profile,2 Composite Profile,3 Simple Role,4 Composite Role,5 BizRights Role,0 |
Import these roles as follows:
If two or more child connections are selected in the Connections drop-down list, this panel displays two drop-down lists:
You need to select roles for each child connection separately as follows:
Import Roles
If you wish to select multiple roles, you have the option of importing these roles through a CSV file. Only the following roles types can be imported and selected to be assigned:
Click here to view the format of this CSV file and the Role Type IDs of the above listed roles types.
Role Type,Role Type ID Simple Profile,2 Composite Profile,3 Simple Role,4 Composite Role,5 BizRights Role,0 |
Import these roles as follows:
Note: A role assignment limits rule format will not generate violations for a Role assignment management request as only one user can be analyzed at a time.