Roles in CUA

Hi,
I have setup CUA with 2 Child systems. Now I created about 50 users with some roles associated with them to the central system. Now I want to distribute these 50 users along with the roles assignment to the child systems.
I was able to "download" the roles and upload them to the child systems.
I know how to distribute the users to the child systems -> basically add the client name to the "systems" in the central system. But what I dont know is, how to assign the roles to the users in child systems.
Unless I manually goto all 50 users and add the roles in the central system for all child systems....
Is there an easier/automatic way to do this?
Thanks
Seelan

Hi Seelan
In the Central system on Role tab page, it is possible to assign roles to a user in the child system.For this the central system should know all role names in the child systems. It is always possible to manually assign a role that exists only in a child system, but not in the target system. However, you can only use the F4 help with current data if you have first performed the Text Comparison from Child Systems . If you
want to use F4 help with current data, ensure that you perform a new text comparison between the central system and the child system after creating new roles in the child system. During the text comparison, specify as the Target System the system from which the central information is to query the new  information.

Similar Messages

  • Integrate GRC 10.1 with CUA and how to import roles from CUA & Child systems into GRC for provisioning

    Hello,
    I am trying to integrate CUA into our GRC 10.1 system through the below steps and so far I have completed the below steps following SAP Notes 1680108 and 1616121:
    1. Connected CUABOX to GRCBOX like a plug-in system.
    2. Updated CUA Global System and CUA Model Distribution in Maintain CUA settings under User Provisioning.
    3. Next I am trying to import the roles from CUA(CUABOX) into GRC(GRCBOX) to be able to provision roles in CUA Child Systems(ECCBOX).
    After reading few discussions in SCN, I have figured that we have to download a template in Role Import and populate it accordingly to upload the CUA child system roles into GRC system for provisioning in CUA Child Systems.
    Unfortunately, this template has multiple fields and I am unable to determine the fields that should be populated as CUA Global System and CUA Child System to import into GRC. Also, when we upload CUA Child System Roles template what selections should be made in Role Import window.
    Any help in this regard is very helpful.
    Thank you,
    Pawan

    Hi Alessandro,
    I have "Create user if does not exist" setting checked for both change action and assign role action and also have CUA enabled. Here is the list of steps that I am performing:
    1. Create an access request for new account, T-CUA_CHILD and select a role from a child system ECC Z_ECC_ROLE_IN_CHILD_SYSTEM.
    2. Approvals provided to assign the ECC role.
    3. I see the following in GRFNMW_DBGMONITOR_WD.
               Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage              GRAC_SECURITY
                   New User:T-CUA_CHILD created in System(s): ECC (created without role assignments)
                   T-CUA_CHILD User does not exist in target system CUA
    GRC created an account without role assignment in ECC but also throwed me an error that the user does not exist in CUA.
    However, if I select roles from both CUA and ECC it creates the account in both systems with the selected role assignments.
    So I am wondering if there is way to provide CUA access to users by default for new account requests types. I have tried setting up default roles for CUA but it does not assign the roles by default until I select the CUA system.
    Thank you for your help!
    Pawan

  • How to create automatically users&roles in CUA and in chlid systems?

    Hi,
    i have a CUA on a 2 chlid R/3 systems (test and training) and 2 portal systems (test and training).
    i need to create a web application to create automatically users test and users training in CUA and see them in the R/3 chlid systems and at the same time to create autmatically a roles in CUA and R/3 chlid systems for those users (we sppose that the role is already stored in a table).
    are there any standard BAPI or Funcion modules that can do this job?
    is the role created automatically in CUA can be seen automaticall in the portal child system?
    any help?
    Thanks&Best regards

    You can use one of the various ways Java EE provides you, e.g. container managed authentication.
    It's also all in the Java EE tutorial: [http://java.sun.com/javaee/5/docs/tutorial/doc/bncas.html].
    You can configure it in the application server as well: [http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html].
    Here is an example how to use it in JSF: [http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/].

  • How to create automatically users&roles in CUA and child systems

    Hi,
    i have a CUA on a 2 chlid R/3 systems (test and training) and 2 portal systems (test and training).
    i need to create a web application to create automatically users test and users training in CUA and see them in the R/3 chlid systems and at the same time to create autmatically a roles in CUA and R/3 chlid systems for those users (we sppose that the role is already stored in a table).
    are there any standard BAPI or Funcion modules that can do this job?
    is the role created automatically in CUA can be seen automaticall in the portal child system?
    any help?
    Thanks&Best regards

    Thank you all. I got the solution.
    Regards
    Rajesh

  • Changing Roles in CUA - Using BAPI's

    Hi Experts,
    My scenario is to Create and Change  SYSTEMS and ROLE of parent and children systems in CUA from Oracle .For that
    I am using BAPI_USER_LOCACTGROUPS_ASSIGN , I have been testing this BAPI in SAP system itself, But sometimes its working with respect to my input perfectly  , and few other times its not , Let me put my issue with Example:
    1) User created in SU01 without systems and roles .
    2) Using the above BAPI,  I can assign 3 Systems(1 parent and 2 child system ) and 3 Roles(1 for each),
    3) When i tried to change  roles of the child system i can achieve that ,
    But in 2nd time when i give only 1 parent and 1 child system with roles, in ACTIVITYGROUPS of a Table parameter in the BAPI,
    The role and systems are not get changed .
    My ques is :
    Is my approach wrong ? then  could you tell me the exact behavior of this BAPI with child and parent system?
    Note: After i tried in SAP system and also read lot of threads in SAP SDN , i am posting this que .
    Regards,
    Saravana.S
    Edited by: saravanasap on Jan 23, 2012 9:48 AM

    Hi Experts,
    My scenario is to Create and Change  SYSTEMS and ROLE of parent and children systems in CUA from Oracle .For that
    I am using BAPI_USER_LOCACTGROUPS_ASSIGN , I have been testing this BAPI in SAP system itself, But sometimes its working with respect to my input perfectly  , and few other times its not , Let me put my issue with Example:
    1) User created in SU01 without systems and roles .
    2) Using the above BAPI,  I can assign 3 Systems(1 parent and 2 child system ) and 3 Roles(1 for each),
    3) When i tried to change  roles of the child system i can achieve that ,
    But in 2nd time when i give only 1 parent and 1 child system with roles, in ACTIVITYGROUPS of a Table parameter in the BAPI,
    The role and systems are not get changed .
    My ques is :
    Is my approach wrong ? then  could you tell me the exact behavior of this BAPI with child and parent system?
    Note: After i tried in SAP system and also read lot of threads in SAP SDN , i am posting this que .
    Regards,
    Saravana.S
    Edited by: saravanasap on Jan 23, 2012 9:48 AM

  • Create user and assign role in CUA context

    Hi,
    i'm in CUA context ; in ABAP, when i use the FM BAPI_USER_CREATE1 the new user is well created in all system now i want to assign new roles to this user. Which FM can i use and especially can i assign role to user in a client system ?
    Thanks for help.
    Regards

    Hi,
    Please check this BAPI.
    BAPI_JOBROLE_CLONE
    BAPI_USER_ACTGROUPS_ASSIGN
    Regards,
    Ferry Lianto

  • New role in CUA user record not getting pushed to child system

    I added a new child system to our CUA setup.  I've confirmed that the RFC connections from both sides are working properly (test connection succeeds) and I've successfully completed the user transfer function in SCUG.  All exisitng roles assigned to the users in the child system are now appearing in the CUA central system as expected.  I added a new role to a user via SU01 in the central system to this child system, but when I go to the child system, it does not appear in the user's SU01 record.  Any ideas why this would not be syncing properly?
    Thanks,
    Michael

    Hi,
    Whenever you create a new role in child system, it has to be sync up with the central system.
    To sync up with the central system, login to central system goto su01>enter any user name>go to roles tab- click on Text comparision from chiled system. Its navigate to another screen, there you have to mention the child system and click on execute. it syncs up with child sytem. Hope it will help you out to resolve the issue.
    If still you are getting the same issue login to the central system.. goto SE38-- enter the program name as "RSCCUSND" and click on execute there mention the user name and the logical system id of the Child system name, select the parameters which you wanted to distribute to child system and execute it.
    Best Regards
    Mani

  • Push single role to CUA

    Hi,
    Created the single role in child system and not able to find the same in CUA system so please let me know the process to push this role from child to CUA.
    Thanks,
    Lisa Pl

    Thanks for that Jurjen.
    I agree on your comment if you are assigning the role(child role) to the user in CUA directly then only text comparison will do!!!
    >This actually copies the whole role from the child.
    This only copies the description and role menu from the Child system not the entire role.
    >For CUA purposes the CUA master only needs to know about the existence of the role on a child system. In SU01 on the CUA master go to the tab where you assign roles to the user and look for the 'text comparison' button.
    But when composite roles exsist in CUA and further single roles from the child system are mapped to the composites in CUA, In that case you need to perform an RFC read of the single role so as to refresh the menu of  the composite role.
    Rakesh

  • Indirect Role Assignment with HR-ORG in a system landscaper with CUA

    Hi all,
    we have 2 SAP systems:
    1) SAP ECC6 (with composite roles)
    2) SAP HR with PA and OM
    We would like to assign SAP ECC6 roles through HR-OM.
    Since HR-OM is not on the same ECC6 system, we would like to try the logic: HR-OM -> CUA -> ECC6
    There are several documents that describe this situation (ex. SCUR351).
    From PFCG point of view, we should create a composite role in CUA system which include simple roles of child system.
    If we try to create a composite role in CUA central system, we can insert only simple roles available in central system (and not in child).
    Any experience on this scenario ?
    Pros vs cons ?
    Are the different possible scenarios ?
    Many thanks...
    Andrea

    Whole idea of CUA is to manage your roles and users centrally, on the contrary you can manage the roles/profiles by setting up the attributes for the CUA thorugh Central user Management console - SCUM Transaction.
    CUA has its own pros -
    Central rep,Users Sync,Role Provisioning statergy - Global composites(consists of individual child roles) Distibuted model -Provisioing at individual child systems for roles, etc.Central user store,easy maintenance.
    on the contrary - change documents is always a concern ( because cua uses - interface Ids or the RFC ids to push the idocs from cua to child system), CUA maintenance while system refresh - Copied distribution models have to be deleted and re-created, system backups has to be defined per you distribution model, password maintenance if defined global then Child systems act as inactive nodes, reading the roles into cua which are created in childs so as to establish a pointer to that system.
    It also depends on the number of systems you have in your landscape so that you can calculate the overhead and then have a Go -no-Go decison on CUA.
    Overall, I consider CUA as a good approach provided we streamline the process of provisioning, de-provisioning per the cua standards.
    Rakesh

  • How to add/delete single role to/from CUA

    Hi All,
    I want to add/delete single role from CUA system. I found one FM to change roles i.e BAPI_USER_LOCACTGROUPS_ASSIGN , In function module documentation said that it will overwrites all existing roles with the roles in the table parameter.I dont want to do that. I need a FM to add/delete role to CUA system. Please help me with your suggestions.
    Thanks,
    Suman

    I am not aware of another BAPI based way to do it. You will need to get the details of the Roles AND manual profiles assigned, and then re-assign the new set in the call.
    Cheers,
    Julius

  • CUA roles sometimes do not match the target system

    Hi,
    We are using CUA on Solution manager to assign roles to our different systems.  Every now and then what is in CUA does not match the target System.
    I know that you can look at the idocs using WE05 and see what the root cause was, fix it and then re-assign the role.
    The problem is that when you assign the role using CUA, it doesn't warn you that the transmission failed on the target system.
    We just went live last week, so I am added and removing roles from many different users using SU01 and SU10 and I do not think it is a valuable use of time to sift through the idoc logs every time I make a change.  Especially, since most of the time it works.
    Is there a better way to monitor the Idoc logs?  Can you have it send a notification (email for example) when there is an error?  Is there a better process then WE05?
    Thank you in advance for the help!
    Neil

    Neil. It was a long time I played around with CUA. But I am remembering some transaction where you had the logs. Think it is SCUL.
    I searched saphelp and got the following hits for you:
    http://help.sap.com/saphelp_nw70/helpdata/EN/c1/db4063fd3111d5997a00508b6b8b11/frameset.htm
    http://help.sap.com/saphelp_nw70/helpdata/EN/cc/50b43be7492354e10000000a114084/frameset.htm
    Best of luck to you!
    Regards Fredrik

  • CUA sync with child client issue for indirect role assignment.

    Hello Security experts,
    we have a indirect role assignment set up in our ECC environment. there is a syncronization issue from the parent CUA to the chlild client. The role assignments have been made to role although they are not always reaching target system without having to sync up either the role or the IDu2019s position # manually.   This has been an ongoing issue CUA has on any role or user from time to time.   any hint on fixing this issue. please help..

    Whole idea of CUA is to manage your roles and users centrally, on the contrary you can manage the roles/profiles by setting up the attributes for the CUA thorugh Central user Management console - SCUM Transaction.
    CUA has its own pros -
    Central rep,Users Sync,Role Provisioning statergy - Global composites(consists of individual child roles) Distibuted model -Provisioing at individual child systems for roles, etc.Central user store,easy maintenance.
    on the contrary - change documents is always a concern ( because cua uses - interface Ids or the RFC ids to push the idocs from cua to child system), CUA maintenance while system refresh - Copied distribution models have to be deleted and re-created, system backups has to be defined per you distribution model, password maintenance if defined global then Child systems act as inactive nodes, reading the roles into cua which are created in childs so as to establish a pointer to that system.
    It also depends on the number of systems you have in your landscape so that you can calculate the overhead and then have a Go -no-Go decison on CUA.
    Overall, I consider CUA as a good approach provided we streamline the process of provisioning, de-provisioning per the cua standards.
    Rakesh

  • Role Assignment does not get distributed from CUA

    Hi all.
    I create user and role in CUA client.
    There is no error in role generation.
    When I try to find my role in SU01 by pressing F4 of my role (Y*), system give me message role not found. But that's not my biggest problem.
    I can assign my role by typing manually.
    My biggest problem is only SAP ID get distributed into target system, not the role assignment.
    So in the target system I can see my user id without role assign to it.
    I checked my user id from SCUL. User and profile does not contain any error message in target client.
    I tried with transaction RSCCUSND, still my user id does not contain role.
    I checked my SCUM transaction, profiles and roles has Global settings.
    Does someone can give me a clue why this happens and how to solve this issue.
    Many thanks

    Lets try to simplify the thing in layman language.
    CUA is to manage user ids of different SAP systems (client level) centrally from one system without logging into each of those child systems. To do so, the Central system stores the information of the Roles (and their Text and Generated Profile Name ONLY) and Profiles (standard or non-generated profiles) in few of it's tables like: USLA04, USRSYSACT, USRSYSACTT, USRSYSPRF, USRSYSPRFT etc.
    It doesn't mean that the Roles for the corresponding child system is present in the central system and no need of creating (or making available) such roles in the Child systems. The physical existence of the Role for each system doesn't get transferred in the Central system when you do the Text comparison rather the identity only against the corresponding system.
    So the Roles has to be there in the corresponding Child systems and the Assignment (not physical assignment  -  only linking the name for that child system) of them to the user ids can be done from Central system.
    Also you have got the idea of Text comparison and requirement of keeping or creating roles in each system based on it's nature from the other posts.
    Let us know any more questions you have.
    regards,
    Dipanjan

  • Role creation in CUA

    Hi All,
    We have a CUA environement in our lab.
    There is CUA admin sytem and one cua child system.
    Admin system :HR6CLNT800
    Child system :HR4CLNT800
    I wanted to know how to create the role in CUA.
    If i create locally on CUA admin system by going to Menu Tab ,specifying the
    Target system "HR6CLNT800".
    I get the following error
    "Role TestRole has been edited in the system .HRCLNT800 distribution cancelled".
    Please let me know if any one has come across this problem.
    best Regards
    Manoj

    >
    sap.sec.akshay wrote:
    > Hi,
    >
    > I have a list of around 1000 existing users whose password need to be changed in different systems(selective).For example if user is having access to 20 systems his password need to be changes in just 2 systems. All the systems are connected to one Central system.
    >
    > I agree for user creation/role assignment in CUA landscape is possible through Ecatt. But password change in CUA landscape doesn't seems to work with ecatt as there are multiple systems to select.
    I agree but not because of the "multiple systems to select" but the lack of a consistent pattern that you stated in your example.
    -John N.

  • CUA: Previously Assigned Job roles disappeared

    Hello Dear!
    Recently I have implemented CUA in our SAP System landscape.
    I have one issue with it that  I am unable to see the previously assigned Job roles to the users .
    Can some one advice me how to resolve it?
    Regards
    Saqib

    >
    M.Saqib Ayub wrote:
    > I have selected DEV Server as a CUA and others as Childs.
    that is exactly what i would have avoided, if possbile. you say, you have a solution manager hanging around ... i strongly recommend you use this as the CUA master. the reasons being: if you have developers on your DEV and you are doing some development on roles etc, you will always disturb the others, since you have to run PFUD and whatnot jobs while develping roles, maybe ALE scenarios, IDOCs. your SolMan, on the other hand ... is independent. you would disturb no-one, downtimes for maintenance, developments etc. are fewer (in which time you would have no control over the users in your landscape). you could setup a totally different backup strategy, you could synchronize naming conventions/proceedings from the very beginning instead of having to re-design it some day in the future (and that day will come, it always does). since you are at the very beginning of your project, you might want to reconsider ...
    but i am off-topic.
    >
    M.Saqib Ayub wrote:
    > Now when I am going to see existing users assigned job role in CUA (DEV) thru SU01. Its not showing already maintained Job roles. The users are  not complaining about any authorizations issue,  it means  the authorizations are intact in the system.
    how did you set that up? are you adding single roles per system in DEV or do you have a composite in DEV the singles of which point to the other systems or do you attach them to PPOME? or something totally different?

Maybe you are looking for

  • I am getting following error in my application please find the sol...jax rs

    15 Mar, 2013 1:09:49 PM com.sun.jersey.spi.container.ContainerRequest getEntity SEVERE: A message body reader for Java class aero.omanair.flightStatus.vo.SearchCriteriaVO, and Java type class aero.omanair.flightStatus.vo.SearchCriteriaVO, and MIME me

  • I can't connect with the Time Capsule.

    Hello everyone, Some years ago, I bought a Time Capsule. Until now, I didn't want to use it as an extern HD. So I tried today. I am using it for a year now, as main router. Several computers and iDevices are using it. Because I had forgotten some thi

  • In iOS 7, is deleting a message by sliding your finger to the right on the message and tapping delete no longer available?

    Only recently I discovered a faster way to delete a message thread from the main Messages screen/listing in iOS 6.  Sliding my finger from left to right on the message 'thread' in the main screen (that lists all message threads) would bring up a 'Del

  • ANOTHER RANDOM HARD FREEZING IN 10.9.1

    Experiencing hard freezes except without the spinning ball. This started 3 months AFTER I had some bad RAM removed which was deemed the cause of the hard freezes before. The difference this time is that I can move the cursor, but still am unable to f

  • Reg. Logical Database

    Hi Experts,       This is with reference to Logical Database (LDB) , I have some Doubts\Clarifications , 1, What is the Significance of the Hierarchy of LDB structure (I.e Nodes\Tables).? 2, How to find the relation between to Nodes\Tables that is wi