On the Manage menu, click Requests. The Requests page is displayed
Click the New icon. A drop-down list displays the list of requests that can be created for the Insights installed on your machine.
Click the SAP - User Re-provisioning request. The page for creating a new request is displayed.
This page contains: ShowHide
This request type enables you to re-provision, or grant SAP access to users who have been previously de-provisioned through IRC. When you re-provision a user, you can
Assign new validity dates for the user
Assign new roles
Change user attributes, for example, change the user’s user group from the existing to a new one
Unlock users (depending on the locked status of the user)
Although re-provisioning requests can be created for all users but if the request is created for active users and if the status is active in SAP then during write-back the request will fail and an error message is displayed.
Note: The locked status of a user can be defined as excluded from unlocking in the file SAMIWritebackConfig.xml. The user’s lock status is checked during write-back to SAP. If it is defined as excluded, the user re-provisioning request will fail with the message ‘User is not Re-Provisioned in connection(s): <connection_name>’ and no change will be made to the user’s status in SAP or IRC.
For details refer to the SAP - Configuration Settings Guide.
To create a user re-provisioning type of request:
Provide details as described below.
Click Send. The request appears on the Requests home page. Click the request link to drill down to view the request details and take further action.
Note: If you have selected User Groups as Additional Attributes, the validation of the selected user groups will be done against the last extracted data.
Use this panel to provide general information about the request such as the request name and other details, and the connection for which the request is created.
Provide a unique name to identify the request. This name is reflected on the Requests home page.
From the drop-down list, select a priority for the request.
Provide the connections for which the request is being created. You can set this connection as default from Preferences page.
To select a connection, type in a part of the connection name in the autosuggest text box. All connection names matching the search criteria will be displayed. Select the required connection.
Alternatively, click the Browse icon to browse for and select the desired connection and click OK. The selected connection appears in the Connections field.
Note: Multiple connections for this request may be selected.
The connections displayed in the drop-down list are a combination of both mapped and unmapped connections. You can select multiple mapped connections but the following combination of connections is not supported by IRC as the users will be different.
Mapped and Unmapped Connections
Multiple Unmapped connections
For details on mapped and unmapped connections refer to the topic Create or Modify a connection.
If one connection has already been selected and you then select a CUA Central System connection, the CUA Central connection will overwrite the earlier connection selected.
Note: In case of secured connections, users signed into IRC will be able to view and use only those connections that they have access to.
CUA Requests
You have the option of selecting a CUA Central System connection to create this request.
Select the user whose account is to be re-provisioned.
To select a user, type in a part of the user name. All users from the selected connection and matching the search criteria are displayed. If multiple connections are selected and the same user exists in those connections, the user will be displayed multiple times.
Select the desired user name. Alternatively, click the Browse icon to browse for and select the desired user and click OK. The selected user appears in the Select User field .
Important: If users are manually mapped, the browse window will display the mapped name and not the ERP name. Write-back to the ERP will be on the basis of the mapped name.
This field displays the full name of the user selected. This field is a read only field and cannot be edited.
Define the validity period as follows:
The Valid From text box enables you to provide a date from which the selected user is valid.
If a valid from date is already selected for the user, that date appears in the text box. Click the Calendar icon to modify the date or select Date of Approval if the validity period is to begin from the date of approval of the request.
If a valid from date is not set for the selected user, click the Calendar icon to either select a specific date or select Date of Approval.
The Valid Through text box enables you to provide a date till the selected user is valid.
If a valid through date is already selected for the user, that date will appear in the text box. Click the Calendar icon to modify the date or select Never Expires.
Provide the name of an SAP user who will be the approver for the current request if the user’s manager is unable to approve the request. For example, if the approval template has Manager of User as the approver at one or more stages but the manager is out of office then the Approval Manager approves the request.
Note: The Approval Manager field will be enabled only if the option Allow users to redirect request is selected on the Access Management section on the Configuration page.
To select an Approval Manager, type in a part of the user name. All users from the selected connection and matching the search criteria are displayed. Select the desired user name. Alternatively, click the Browse icon to browse for and select the desired user and click OK. The selected user appears in the Approval Manager field .
Specify the name of the user whose roles you want to assign to this user.
To select a user, type in a part of the user name in the autosuggest text box. All users matching the search criteria will be displayed. Select the required user.
Alternatively, click the Browse icon to browse for and select the desired user and click OK. The selected user appears in the Assign Roles as this User field :
Select additional user attributes and provide values .
User attributes can be configured for all connections in which the user is present and should be enabled through the additionaluserattributes.xml file so that they are displayed on the request creation page.
For details refer to the SAP - Configuration Settings Guide.
Note: Any additional user attributes added in the additionaluserattributes.xml cannot be connected and cannot write back to SAP.
This panel enables you to assign new roles to the selected user. If you have selected an existing user in the Assign Roles as this user field, this panel will list the roles belonging to that user will be listed here.
Roles may be assigned to the user present in a single connection, or they may be assigned in multiple connections in which the user is present. The process of selecting roles varies depending on whether the roles are to be assigned to the user in one connection or in multiple connections
If the role is to be assigned to the selected user in one connection, select the role as follows:
Import Roles
If you wish to select multiple roles, you have the option of importing these roles through a CSV file. Only the following roles types can be imported and selected to be assigned:
Click here to view the format of this CSV file and the Role Type IDs of the above listed roles types.
Role or Profile Name | Role Type ID |
Simple Profile | 2 |
Composite Profile | 3 |
Simple Role | 4 |
Composite Role | 5 |
BizRights Role | 0 |
Import these roles as follows:
If multiple connections are selected from the Connections drop-down list and the user is present in two or more of the selected connections, this panel displays two drop-down lists:
You need to select the roles to be assigned to the user for each connection separately as follows:
Import Roles
If you wish to select multiple roles, you have the option of importing these roles through a CSV file. Only the following roles types can be imported and selected to be assigned:
Click here to view the format of this CSV file and the Role Type IDs of the above listed roles types.
Role or Profile Name | Role Type ID |
Simple Profile | 2 |
Composite Profile | 3 |
Simple Role | 4 |
Composite Role | 5 |
BizRights Role | 0 |
Import the required roles as follows:
This panel displays all roles already assigned to the selected user from the selected connection. If the selected connection is a mapped connection, this panel will also list the roles assigned to this user from the other connections to which the user belongs.
This panel also enables you to revoke any of the already assigned roles in the selected connection.
To revoke a role, select the check box next to the role to be revoked and click Revoke. The role will be revoked after the request undergoes the approval process.
By default, all existing role assignments can be revoked through this request. This means that users can have zero role assignments. You can modify this default setting in the AMSConfig.xml file to ensure that all existing roles are not revoked.
For details refer to the SAP - Configuration Settings Guide.
Note: Indirect assignments, that is, simple roles belonging to a composite role cannot be revoked. Only direct assignments can be revoked or the validity period changed.
Composite roles are listed on the User Interface with an icon next to them.
Note:The Valid From and Expires On dates can be changed for existing roles assigned. The validity date changes can be viewed from the Request Details page.
Provide additional information about the request.
Comments are mandatory if the requestor comments option check box on the Access Management section on the Configuration page is selected.
This tab enables you to send email notifications to request participants or other users at specific stages of a request.
Select any of the request status check boxes next to a user. Email notifications will be sent to that user when the request reaches that status. The option Approval Email Notification ensures that a user is notified whenever a request is posted to that user’s Inbox.
Select the check box Display comments in email notifications, if you want the application to display comments in the notification.
Other users can be notified by selecting the option Others. Provide the email address for the other users in the Other emails text box and click the Add icon.
Note: Email settings are enabled and may be changed only if the check box Override this Option is selected in the Options panel of the Approval Process Templates page.
This panel provides details of the approval stages of the request and its present status.
User Re-Provisioning requests for CUA clients can be created as above, except for the following details:
From the Connections drop-down list, select the required CUA Central System connection:
Select a CUA Central System connection: To assign roles to the user in multiple child connections associated with the selected master connection.
Select the required child connection: To assign the required roles to the user in this child connection only.
New Roles to be Assigned panel
The options available in this panel vary depending on the option selected in the Connections drop-down list.
If a CUA Central System connection is selected and the user is present in two or more child connections, this panel displays two drop-down lists.
To assign roles to the user, you need to select roles in each child connection separately as follows:
To assign roles to all the child connections associated with the selected CUA master connection, select the option All in the first drop-down list and select the required role.
Import Roles
If you wish to select multiple roles, you have the option of importing these roles through a CSV file. Only the following roles types can be imported and selected to be assigned:
Click here to view the format of this CSV file and the Role Type IDs of the above listed roles types.
Role Type,Role Type ID Simple Profile,2 Composite Profile,3 Simple Role,4 Composite Role,5 BizRights Role,0 |
Import these roles as follows:
If a child CUA connection is selected, select the roles to be assigned as follows:
Import Roles
If you wish to select multiple roles, you have the option of importing these roles through a CSV file. Only the following roles types can be imported and selected to be assigned:
Click here to view the format of this CSV file and the Role Type IDs of the above listed roles types.
Role Type,Role Type ID Simple Profile,2 Composite Profile,3 Simple Role,4 Composite Role,5 BizRights Role,0 |
Import these roles as follows:
If two or more child connections are selected in the Connections drop-down list, this panel displays two drop-down lists:
You need to select roles for each child connection separately as follows:
Import Roles
If you wish to select multiple roles, you have the option of importing these roles through a CSV file. Only the following roles types can be imported and selected to be assigned:
Click here to view the format of this CSV file and the Role Type IDs of the above listed roles types.
Role Type,Role Type ID Simple Profile,2 Composite Profile,3 Simple Role,4 Composite Role,5 BizRights Role,0 |
Import these roles as follows: