SAP - Write permission denied for value "Role"


We are testing a change of the SAP CUA to a new client. In the process, the following error still occurs in the log of the sync in the step "userinCUARole" with the new CUA:

[810025] SAP user accounts: assignments to role: Write permission denied for value "Role".

What should this error tell us?
Which configuration or setting should we check and adjust so that the cause of this error can be eliminated?

Thank you very much for any hints and food for thought that will help us.

Kind regards

  • Hi,

    It seems you are using an existing One IM that imported a real SAP CUA without errors in the past. I understand you are now trying to switch over the central client to an existing client in the One IM database (new client or former child of the central system)?



  • Hi Tino,

    You are right. We have an existing synchronization to a CUA. Our SAP colleagues are now building a new one and we wanted to set up a sync with this new CUA, but the error mentioned above appears in the log.

  • Hi,

    The error message tells you that there would be more damage if the operation were performed. The storage of SAP data for a CUA in One IM is fundamentally different from that of a normal SAP client. Starting with the linking of the child clients to the central client (have a look at the SAP client master data), all SAP accounts exist only in the central system, but memberships in roles and profiles can refer to roles in child systems where the SAP account has a logon authorization. The roles and profiles of a CUA are assigned to the respective child clients in One IM.

    The next challenge is the formation of DistinguishedName and CanonicalName for a CUA. These properties contain the name of the central client for the SAP account. In the case of a reconfiguration, this means that all SAP accounts must be reimported from the new central instance and should be deleted in the old central instance. For roles and profiles, the above-mentioned properties contain the logical names of the clients used in the ALE distribution model of SAP. If there are also changes, this data is also no longer correct.

    For the task you describe I see 2 possible solutions:
    a) Switch off the synchronization to SAP, reconfigure the clients in One IM and delete all SAP accounts including all dependencies from the old CUA client. Then reimport the data from the new CUA central instance.
    b) Create a second One IM installation and import the new CUA data there. Then have a look at how the DistinguishedName and CanonicalName values are formed and convert them in the original instance. This requires extreme insider knowledge, and the list of places I pointed out where changes would be needed is not yet complete.

    I think this topic is too big to solve in this kind of forum.


