BBPMAININT and CUA

Similar Messages

• BBPMAININT with CUA

  We have a landscape with SRM 5.0 and CUA in two different systems and intend to use BBPMAININT to create Users and need the user to be replicated or created in CUA.
  We already implemented note 402592, but the user is created only in SRM and without any Role.
  Regards, Roberto

  Hi Robert
  We are creating user -ids in  CUA which replicates the user ids in SRM / R3 and CRM and other systems.
  After that through Users_gen we map the user -id to the Org structute  in SRM .
  We tried creating users in SRM and replicating to CUA but it didnt went well.
  SO now userid for the first time are created in CUA and replicated to all systems and after that we use Users_gen option Create users from Existing SU01 and mapp the user to SRM Org Struture.
  regards,
  Nimish Sheth

• Integrate HR org structure and CUA?

  We are considering a new design for our authorization management on our production ECC 6.0 system.
  There will be 2 productive ECC 6.0 systems; which system you use will depend on your global location.  We currently utilize the HR org structure to assist us with provisioning and deprovisioning accounts on our durrent single ECC 6.0 instance, and we hang composite roles off of positions in the org structure, so that a fair amount of authorization management is automated.
  If we were to put a CUA client over the two productive ECC 6.0 clients, how might that be integrated with the HR organizational model?  Does CUA integrate well with an org structure?  Any experiences with this would be helpful.

  Hi Mary,
  Firstly, are the org structures in the two ECC clients identical - in sync with each other?
  If the org structures are different then it would limit the options that you would have:
  - CUA client would simply be used for the provisioning of the user id
  - The role to position allocation would still take place locally in each of the ECC clients
  - You would have to maintain the 105 relationships locally in the ECC clients
  - You would have to set the role maintenance option in SCUM to local maintenance
  If the org structure is the same on both ECC clients, then it would provide you with some additional options:
  Option 1 - use the approach described above to allow for local maintenance
  Option 2 - ALE the org structure to the CUA client, then allocate the composite roles to the positions on the org structure and maintain the 105 relationship on the CUA client.
  - the roles will then be distributed to the correct child system when the org recon is run
  Option 3 - Use one of the ECC systems as the CUA client (Which we are busy implementing at the moment)
  I'm using my ECC system as my central CUA for the production system, I know that many people would disagree with this due to upgrade requirements and all the rest. However in the Netweaver environment the ECC client is typically on the highest basis release, which caters for the CUA requirement and CUA is far more stable these days which reduces the risk. The other reason we have chosen this route is also the capacity of the ECC production system which is suitable.
  Also the HRORG is maintained on the same system, therefore less ALE requirements to move the org structure between systems etc. In the landscape we currently have BI and Portal, future applications/modules include ESS, MSS, APO and SEM.
  To achieve the solution I create all roles for all applications in the landscape, in the ECC client - for non-ECC roles the role definition is only role name and description (the correct authorisations are then maintained in the relevant child system). These are then distributed via RFC to the various child systems, it requires a couple of small changes but does work fine. All roles are then inlcuded into a composite role, regardless of which child system the role belongs to. The composite role is then allocated to the position in the HR org and once the HR recon is run, the role allocations are distributed to the correct child system. An example of a Line Manager Composite role would include:
  - HR Line Manager (ECC Client)
  - Cost Centre Manager (ECC Client)
  - BW Line Manager Menu role (Portal)
  - BW Line Manager Data role (BI client)
  - Purchasing Approval (ECC Client)
  I'm not sure if this has helped you, but in short the CUA integration with HRORG does work reasonably well and depending on the approach you choose it could affect the amount of maintenance that takes place. Just remember that the structural profile allocations would always take place locally on the ECC clients and only the role allocations can be managed from the CUA.
  Regards
  Sujeet

• Client Delete and Logical System and CUA

  I'm getting ready to do some client clean up in prep for an upgrade from ECC 5 to ECC 6 soon.
  Currently we have a 3 system landscape: DV1 QA1 PR1
  Clients on these systems are as follows: (not including 000, 001, 066)
  PR1:100 - the production client
  QA1:100 - Integration Master - not used except for RFC connections for Solution Manager
  QA1:110 - Cycle 1 testing - not used
  QA1:120 - Cycle 2 testing - not used
  QA1:200 - Old training master client - not used
  QA1:201 - Old training client - not used
  QA1:710 - no longer being used for testing
  QA1:720 - client used for system and integration testing
  DV1:100 - Configuration - not used
  DV1:110 - ABAP development
  DV1:120 - Configuration
  DV1:700 - Template for test - not used
  DV1:710 - Test with prod data
  Most have a logical system defined for the client.
  I am going to delete those I've underlined above as they are no longer used.
  Some of these are setup in the CUA system.
  All are showing up in Solution Manager SMSY system landscape.
  My plan is to backup the system database first! 
  Then:
  1) Delete the client(s) (SCC5) one by one
  2) Remove the client from CUA (SCUA)
  3) Remove the logical name (SALE)
  What I am unsure about is the order of the process.  Should the CUA and ALE modifications come before actually deleting the client?
  Does this sound like a reasonable plan to clean up our client landscape?
  Thanks in advance for your suggestions and help.
  Laurie McGinley

  Dear Laurie,
  Order should be like below:
  1) Remove the client from CUA (SCUA)
  2) Delete the client(s) (SCC5) one by one
  3) Remove the logical name (SALE)
  More over you should delete these clients from Solution Manager also inorder not to have error message when you go to solution Manager for doing anything on that system.
  Please revert back for any queries.
  Regards
  Shailesh Mamidwar

• No IDOC's for the change record in child and CUA systems.

  Hi,
  The user profile was modified and  assigned roles and profiles on so and so date by someone as it is showing in the change record of the user in the child system with a batch user id.
  I have search the IDOC's with respective of the child system, date & time but I didnu2019t find any IDOC with respective of the above criteria.
  So kindly help me out is there a way I can find the information as who changed the user profile via CUA system....
  Thanks for your help...
  Thanks & Regards
  Sukumar. V

  Release:
  700   Master & Child
  SP level
  Can i know for which area you need it...
  BASIS
  0015   Master
  0013   Child
  Netweaver
  0016   Master
  0015   Child..
  Please let me know if you need any further info....
  SV

• EP 6.0 and CUA

  I am trying to integrate Enterprise Portal 6.0 SP12 into CUA using the ABAP system as the data source for the J2EE Engine. All other clients (ABAP systems) have been integrated into the CUA except the Enterprise Portal.
  I want to start creating all users from our central system. Please can you help me with materials / steps on this?

  Hi Babalola,
  UME can be configure to the following types of data sources:
  1. Database
  2. Lightweight Directory Access Protocol (LDAP)
  3. ABAP
  and according to your requirement you need to configure ABAP(in your case CUA) as data source.
  For this you need to change your dataSourceConfiguration xml file.
  Check link for more information on how to change dataSourceConfiguration xml file from configtool http://help.sap.com/saphelp_nw04/helpdata/en/0f/bdd93f130f9115e10000000a155106/content.htm
  You need to choose dataSourceConfiguration xml file according to your requirement, these are Scenario and corresponding file:
  1. If your want to create, read, and modify users in ABAP system then user <b>dataSourceConfiguration_r3_roles_db.xml</b>
  2. If your want to read user from ABAP and create, read, and modify user in database then user <b>dataSourceConfiguration_r3.xml</b>
  3. If your want to Create, read, and modify user in ABAP system also Read and modify user in database then user <b>dataSourceConfiguration_r3_roles_db.xml</b>
  Rgds,
  Raj
  <b>PS: Please consider rewarding points!!</b>

• E-Commerce for ERP and CUA

  We are installing the E-Commerce module for ERP and we are running into an issue with the User Management peice.  We are unable to create new users.  The error we are getting is:
  1.- You do not have authorization to maintain users in the central system
  2.- Error while creating user in Service Backend
  Is this because we are using CUA to manage users in ECC?  If so, how can we get around this?
  Our environement is:
  ECC 6.0
  E-Commerce (ISA) 5.0
  Netweaver 7.0 SP 18
  We have also configured the E-Commerce module to use the UME.
  Maximum points to the first person with an answer and helpful a work-around.
  - Andrew Castillo

  Hi Andrew,
  We are installing the same thing currently using the B2B E-commerce for ERP option.  We have configured E-Commerce right now to use the SU01 contact person for web users.  Also, the manager does have the same role you pointed out below SAP_ISA_UADM_MANAGER assigned, not the other CRM role mentioned.
  The process we have to go through right now is to create the user in CUA, sync that to ECC, assign the customer contact person number in the SU01 References table related to the customer we want them to be(working on an abap program to do this automatically from CUA), and then the user should be able to log into E-Commerce for that specific customer. 
  We are embedding the E-Commerce app into EP 7.0 through i-views and using single sign on from portal so customers won't have to log in again anywhere.  Please let me know if this is similar, if it helps, and what type of ecommerce configuration you're using...especially in how you configured the e-commerce module to use the UME.
  Jon

• CC 5.2 , UME and CUA

  How can I configure the CC5.2, UME connect to CUA? The SAP system is on a different box from the CUA. I want to get the most current userIDs from the CUA.
  Please advise!

  Established the JCO connections to the CUA and made the CUA as the User master source

• HRUSER Trx and CUA to be synced up Any ideas...

  Hi All,
  I am a newbie for Security and I am stuck at a certain place, the scenario is as follows
  We have a ECC6.0 Box (R/3) , Portal 7.0 whose UME is the ECC Box and BW Box as other system, we have setup the R/3 as CUA.
  We are implementing the HR Portal ESS MSS Functionality so we have created all users by using the HRUSER Trx but those users are not the same as the users when I create by SU01 Trx. When I create a user by SU01 in R/3 then the user id is created in all 3 systems.
  Now I am stuck where though the HRUSER can create the user in SU01 but they create it with a ESSUSER Group in which the systems tab is not at all updated.
  Any ideas on this or solutions will be greatly appreciated.
  Points will be rewarded accordingly.
  Thanks
  Samar.

  If you are working with a CUA scenario, you must create all users in the central system and selecte there the targer system.
  Before an user´s creation you´ll need to have created the different user groups (Tcode SUGR) in all child systems as the central system too.
  Regards,
  Leandro

• Portal 7 and CUA

  Hi! I want to implement Portal, solution manger and ECC (DV,QS, PD), all of them with the latest version and support packages, so.. the very brand new things. What I want to do put the parent CUA into the solution manager, then I want to connect the UME of portal directly to the CUA.
  The question is: could I centrally manage the user creation and roles asignments from the UME (portal, ume and abap roles)? Where can I read about it to check it out?
  If it not possible to completly manage the users and roles assignments, cuold I do it from the CUA? and again, where could I find some readings to verify?
  I know that abap roles should be created locally in every instance and transported, the question is about the asignment.
  Thank you very much
  Alejandro

  It is posible to centrally assign roles and create users using cua, even UME roles can be assigned if it is used an abap counterpart and relate those UME roles to the java group, so it would be an indirect assignment.
  help.sap.com is confussing but i tested it in an installed system and it works as the help says

• HRALXSYNC and CUA

  Hello,
  We have installed our e-recruitment on the same instance than our HR system. Everything has been customized and
  synchronisation program HRALXSYNC runs correclty.
  Then we connect HR server to CUA. We decided to set the Reference User for Additional rights to local. This field contain our internal candidate reference user. We also have installed note 746863.
  We face to a few problems:
  1. When running the synchronisation program; it does not assign
  internal candidate reference user to our existing users.
  2. For new hire person, the user in SU01 is not created automatically
  by synchronisation program HRALXSYNC.
  3. Some existing users has been changed from user type dialog to type
  communication.
  4. It is impossible to use the link 'forgotten password' on e-
  recruitment application. An email is send with the new password but the
  password has not been reset in CUA.
  Thanks for your help,
  Regards,
  Anne Wouters

  Hi Anne,
  I am also working on E-REC (ECC and EREC on the same server).  When I run HRALXSYNC, if an employee has a SY-UNAME assigned in Communication infotype 0105, that user gets created in SU01.  However, I do not know what password that user gets created with.  Is there any way to determine this?
  Thanks
  Shane

• SRM + CUA Active

  Dear Gurus,
  How can I maintain the su01 users in EBP when CUA is active,although gone through notes 402592 and 772347,still not clear on how to manage as system throwing error while using users_gen to assign user to EBP org structure.kindly advice.
  Thanks and Regards,
  Sathya kumar.

  Hi
  Which SRM and R/3 versions are you using ?
  <b>For RFC users in SRM server the RFC user should have SAP_ALL access and also the SAP_BBP_STAL_Administrator role.</b>
  <u>We have used Solution Manager(SM) as CUA to generate the User-Ids so that there will be a central creation of users and which will follow to R/3 and SRM and all other systems through Solution managers.</u>
  <u>If you are using CUA at your place also apply this notes :-></u>
  Note 402592 EBP with CUA config settings
  Note 772347 BBPusermaint deactivated for CUA
  <b>Related links -></b>
  Re: BBPMAININT and CUA
  Re: SUS and Central User Admin
  Re: Solution Manager for SRM
  Do let me know.
  Regards
  - Atul

• HR Org Structure into an existing manaully created SRM Org structure

  Hi,
  SRM 5.0, Classic Scenario
  1) SRM Org. structure exists and  users are using it for Company Code A.
  2) Now I have  to replicate the HR data from R/3
  3) Can I create a NEW root node and replicate the HR data from R/3 (including Company code A users.....this group of users will be using this NEW structure later) ?
  Is it possible ?
  -Regrads,
  Pranav

  Hi
  Which SRM version are you using ?
  Try these pointers ->
  Re: Not able to generate user users_gen
  OSS Note - 402592
  Re: SRM + CUA Active
  If you are using CUA at your place also apply this notes :->
  Note 402592 EBP with CUA config settings
  Note 772347 BBPusermaint deactivated for CUA
  Related links ->
  Re: BBPMAININT and CUA
  Re: SUS and Central User Admin
  Re: Solution Manager for SRM
  Do let me know.
  Regards
  - Atul

• Integrate GRC 10.1 with CUA and how to import roles from CUA & Child systems into GRC for provisioning

  Hello,
  I am trying to integrate CUA into our GRC 10.1 system through the below steps and so far I have completed the below steps following SAP Notes 1680108 and 1616121:
  1. Connected CUABOX to GRCBOX like a plug-in system.
  2. Updated CUA Global System and CUA Model Distribution in Maintain CUA settings under User Provisioning.
  3. Next I am trying to import the roles from CUA(CUABOX) into GRC(GRCBOX) to be able to provision roles in CUA Child Systems(ECCBOX).
  After reading few discussions in SCN, I have figured that we have to download a template in Role Import and populate it accordingly to upload the CUA child system roles into GRC system for provisioning in CUA Child Systems.
  Unfortunately, this template has multiple fields and I am unable to determine the fields that should be populated as CUA Global System and CUA Child System to import into GRC. Also, when we upload CUA Child System Roles template what selections should be made in Role Import window.
  Any help in this regard is very helpful.
  Thank you,
  Pawan

  Hi Alessandro,
  I have "Create user if does not exist" setting checked for both change action and assign role action and also have CUA enabled. Here is the list of steps that I am performing:
  1. Create an access request for new account, T-CUA_CHILD and select a role from a child system ECC Z_ECC_ROLE_IN_CHILD_SYSTEM.
  2. Approvals provided to assign the ECC role.
  3. I see the following in GRFNMW_DBGMONITOR_WD.
             Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage              GRAC_SECURITY
                 New User:T-CUA_CHILD created in System(s): ECC (created without role assignments)
                 T-CUA_CHILD User does not exist in target system CUA
  GRC created an account without role assignment in ECC but also throwed me an error that the user does not exist in CUA.
  However, if I select roles from both CUA and ECC it creates the account in both systems with the selected role assignments.
  So I am wondering if there is way to provide CUA access to users by default for new account requests types. I have tried setting up default roles for CUA but it does not assign the roles by default until I select the CUA system.
  Thank you for your help!
  Pawan

• CUA and SU10: unexpected deletion in all child systems

  Hi,
  I am facing with a problem with SU10 and CUA.
  I have updated a lot of users with SU10 in CUA. For 20 users in a child system, I first add a new role, everything is fine. Then I perform a remove of a old role (I know that the end date will be changed), everything is fine except for one user. All roles were removed from all systems where the user is defined ! However, when I look in each child systems, it is not the case, the roles are well present except in the child sytem for which I do the remove.
  This problem occurs twice, for different users. It is a real problem because we have to adapt a lot of users.
  I have reinstalled the 'missing' roles with SCUG and with the change document for users but it can be a workaround because I have discovered this by chance. I can imagine check all users after each run of SU10.
  Hope someone can help me.
  Regards

  Hi Olivier,
  that sounds like you are facing the problem corrected with sap note #1117530......
  The removal shows up only at the next change of a user, the actual deletion of role assignements because of the copy might have happend already some time ago.....
  b.rgds, Bernhard