BBPMAININT with CUA
We have a landscape with SRM 5.0 and CUA in two different systems and intend to use BBPMAININT to create Users and need the user to be replicated or created in CUA.
We already implemented note 402592, but the user is created only in SRM and without any Role.
Regards, Roberto
Hi Robert
We are creating user -ids in CUA which replicates the user ids in SRM / R3 and CRM and other systems.
After that through Users_gen we map the user -id to the Org structute in SRM .
We tried creating users in SRM and replicating to CUA but it didnt went well.
SO now userid for the first time are created in CUA and replicated to all systems and after that we use Users_gen option Create users from Existing SU01 and mapp the user to SRM Org Struture.
regards,
Nimish Sheth
Similar Messages
-
Hello Experts,
We are implementing SRM 5.0 and CUA in our company. I have come across this situation due to the CUA. Our scenario is CUA is seperate system by itself and all the SRM, BW and EP clients/systems are set as Child.
And we have activate the workflow 1000209 for external userid creation and also developed a Zworkflow for creating userids for employees of Business Partners(suppliers).
Due to setup of CUA and Child restrictions, SU01 is locked which is causing the issues in EBP client. Is there any solutions you can recommend to resolve this will be greatly appreciated. We have no issues in creation internal userids. USERS_GEN is working as usual.
Please point me to right direction to have the workflows work as intended along with CUA.
Thanks in advance.
VijayHi
<u>Please refer the following SAP OSS Notes for all the detailed info on creation of users in EBP in CUA environment for SRM 5.0 -> </u>
Note 876186 - EBP 5.0+: USERS_GEN locked when CUA is active
Note 1022859 - USERS_GEN: Not able to include SU01 user in Org. Structure
Note 931570 - BBPUSERMAINT: user creation in SRM with CUA environment
Note 1002725 SRM 5.0: BBPUM01 - user creation in SRM with CUA
Note 931555 SRM 4.0/5.0: User administration with active HR integration
Note 937180 SRM 5.0: Deactivating the BBP_USER_DELETE function module
Note 906353 SRM/EBP: Deleting user in CUA environment
Note 794913 Additional fields in Internet Service BBPUSERMAINT
Note 844055 BBPUSERMAINT: Unnecessary error message BBP_IUM 014
Note 808872 Available fields in BBPUSERMAINT dependent on admin auth
Note 402592 - EBP in the environment of a Central User Administration
In case of SRM there are 2 SAP OSS Notes which we have applied. They are 402592 and 772347 for customising. Kindly apply the second note also.
<u>Refer to the following OSS Consulting note and all other related OSS notes (mentioned inside it).</u>
Note 312090 - Integration HR - EBP/CRM
<b>Other related links -></b>
Re: Not able to generate user users_gen
Re: Error with Importing Users via RFC
BBPMAININT with CUA
Re: HR Org model replication vs. Manual creation of Org. Structure
User creation error
Re: "Error Reading roles (Not maintained/no authorization?)
EBP and SUS in CUA.
Do let me know.
Regards
- Atul -
Central maintenance of info with CUA
Dear all,
We are planning to implement CUA in our landscape. I guess, we can maintain initial passwords and lock status of users centrally with CUA.
Could we also maintain centrally the definiton of authorization profiles and completely definiton of user roles? and the information of "which user is allowed to logon to what client" with CUA?
Which of the above informations can be maintained centrally using CUA?
Your help will be appreciated. Thanks in advance.Hi
I guess, we can maintain initial passwords and lock status of users centrally with CUA - correct
Could we also maintain centrally the definiton of authorization profiles and completely definiton of user roles - you can centrally maintain the allocation of roles and profiles.
and the information of "which user is allowed to logon to what client" with CUA - Yes. You maintain user to role mapping centrally and that also means you can control the systems and clients which they log into
You can also centrally distribute Parameter ID's (though that is not without it's "features" - nothing that can't be easily fixed), User Data, Printers, User Groups (same "features as PID's").
CUA does a job which is quite narrow, you may want to look at Netweaver IdM which can do some of what CUA does but is a proper IdM tool. Could be overkill for what you want but could also be the basis of a strategic solution for managing SAP accounts. Both have their place. -
What are any issue with UME synch with ABAP CUA? If I have one CUA should I point all of my UMEs (Java instances to a single ABAP instance).
Does anyone have any experience with CUA and java? What architecture issues should I be aware of>
Thanks
MikieTheoretically you can do this for ABAP UME users, but there is a big "gotcha":
Java systems don't have the same client concept as an ABAP system, and what is behind the ABAP role mapping on the Java side is not known to the ABAP system and may even differ.
The consequence is that if you point multiple Java UME's to one ABAP CUA system's client dependent user store... then assigning a role to the user will assign it in all Java systems, depending on what is mapped behind it.
Using a <SID> naming conventions for Java systems within the ABAP roles is not scalable and there are many standard roles anyway.
A consideration I have heard of was to use a multiple of ABAP clients, one for each Java system, but that might not be scalable as a solution either unless you are sure you will only have limited number of Java landscapes and systems.
Instead of trying to support such a workaround yourself, you will be better off looking into an IdM. See the thread at the top of the forum page about Identity Management (IdM).
Cheers,
Julius -
Hi,
Our Scenario:
We are using portal with CUA userbase.
But, now we want to use the portal for a Non-CUA system users ( this system is not part of CUA)
How can I set up the portal authentication ? Can I setup two user bases ?
Please adviceAre you talking about the same portal or different portal systems ?
If you are talking about the same portal, the only option I see is to add the other users to the CUA. If you are talking about a two portal installations, there is no problem, except that for SSO, the users have to have the same name in both installations.
Regards,
Patrick -
Hello,
I am trying to integrate CUA into our GRC 10.1 system through the below steps and so far I have completed the below steps following SAP Notes 1680108 and 1616121:
1. Connected CUABOX to GRCBOX like a plug-in system.
2. Updated CUA Global System and CUA Model Distribution in Maintain CUA settings under User Provisioning.
3. Next I am trying to import the roles from CUA(CUABOX) into GRC(GRCBOX) to be able to provision roles in CUA Child Systems(ECCBOX).
After reading few discussions in SCN, I have figured that we have to download a template in Role Import and populate it accordingly to upload the CUA child system roles into GRC system for provisioning in CUA Child Systems.
Unfortunately, this template has multiple fields and I am unable to determine the fields that should be populated as CUA Global System and CUA Child System to import into GRC. Also, when we upload CUA Child System Roles template what selections should be made in Role Import window.
Any help in this regard is very helpful.
Thank you,
PawanHi Alessandro,
I have "Create user if does not exist" setting checked for both change action and assign role action and also have CUA enabled. Here is the list of steps that I am performing:
1. Create an access request for new account, T-CUA_CHILD and select a role from a child system ECC Z_ECC_ROLE_IN_CHILD_SYSTEM.
2. Approvals provided to assign the ECC role.
3. I see the following in GRFNMW_DBGMONITOR_WD.
Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage GRAC_SECURITY
New User:T-CUA_CHILD created in System(s): ECC (created without role assignments)
T-CUA_CHILD User does not exist in target system CUA
GRC created an account without role assignment in ECC but also throwed me an error that the user does not exist in CUA.
However, if I select roles from both CUA and ECC it creates the account in both systems with the selected role assignments.
So I am wondering if there is way to provide CUA access to users by default for new account requests types. I have tried setting up default roles for CUA but it does not assign the roles by default until I select the CUA system.
Thank you for your help!
Pawan -
I am implementing CUA for my SAP landscape and would like to incorporate our portal but I am unsure how to do this.
I have changed my portal UME to point to the ABAP system as it's datasource.
I am unsure how I can get my portal roles assigned to my portal users from the ABAP system.
When I create a user I need the ERP users creating with ABAP roles and the Portal user creating with Portal roles, which are not the same in both systems.
How can I acheive this. I do not have an LDAP.
Regards
GrahamHi,
interesting questions. Portal is running on top of Netweaver platform (Java stack). Hence no Apache web server. I doubt that it supports any Apache modules. You can use Apache as reversed proxy in front of SAP portal. Check note 480520 with attached configuration guide. I don't know answer for your question regarding REMOTE_USER setting.
SAP portal supports all standard [authentication methods|http://help.sap.com/saphelp_nw70/helpdata/en/8a/cb136e68592f478266d19bb2b89766/frameset.htm] supported by Netweaver. Probably the only possible way is to use [SAML|http://help.sap.com/saphelp_nw70/helpdata/en/94/695b3ebd564644e10000000a114084/frameset.htm]. [Here|http://www.ibm.com/developerworks/tivoli/library/t-cssosap/index.html] is a how-to guide how to set up SSO based on SAML between Tivoli and Netweaver applicaiton server.
Also search on net. I found links to interesting presentations (e.g. [this one|http://www.switch.ch/aai/support/presentations/ws-sap-2010/ETHZ_AAI_SAP_SAML_Artifact.pdf]).
Cheers -
Indirect Role Assignment with HR-ORG in a system landscaper with CUA
Hi all,
we have 2 SAP systems:
1) SAP ECC6 (with composite roles)
2) SAP HR with PA and OM
We would like to assign SAP ECC6 roles through HR-OM.
Since HR-OM is not on the same ECC6 system, we would like to try the logic: HR-OM -> CUA -> ECC6
There are several documents that describe this situation (ex. SCUR351).
From PFCG point of view, we should create a composite role in CUA system which include simple roles of child system.
If we try to create a composite role in CUA central system, we can insert only simple roles available in central system (and not in child).
Any experience on this scenario ?
Pros vs cons ?
Are the different possible scenarios ?
Many thanks...
AndreaWhole idea of CUA is to manage your roles and users centrally, on the contrary you can manage the roles/profiles by setting up the attributes for the CUA thorugh Central user Management console - SCUM Transaction.
CUA has its own pros -
Central rep,Users Sync,Role Provisioning statergy - Global composites(consists of individual child roles) Distibuted model -Provisioing at individual child systems for roles, etc.Central user store,easy maintenance.
on the contrary - change documents is always a concern ( because cua uses - interface Ids or the RFC ids to push the idocs from cua to child system), CUA maintenance while system refresh - Copied distribution models have to be deleted and re-created, system backups has to be defined per you distribution model, password maintenance if defined global then Child systems act as inactive nodes, reading the roles into cua which are created in childs so as to establish a pointer to that system.
It also depends on the number of systems you have in your landscape so that you can calculate the overhead and then have a Go -no-Go decison on CUA.
Overall, I consider CUA as a good approach provided we streamline the process of provisioning, de-provisioning per the cua standards.
Rakesh -
How to delete users in the child systems with CUA?
Hi All,
We have:
1. My SAP ERP 2005 (ECC 6.0)+ Windows 64bit + Oracle 10
2. EP 7.0 + Windows 64bit + Oracle 10
3. BI 7.0 + Windows 64bit + Oracle 10
4. Solution Manager 4.0 (CUA)
We managed all our QA and DEV users in ECC, EP using CUA from the Solution Manager server (Productive servers and all the BI 7.0 System Landscape aren't in the CUA).
My problem is when i want to delete a user. Sometimes if you delete a user in the solution manager (where the CUA is defined) the user still exists in the Child Systems. In fact you can see it with the SU01 only in the child system. I guess the idea is that if you delete the user in the CUA them the user is delete in the child system.
I found this information in the SAP Help:
As well as the authorizations already mentioned, you also need another authorization in the central system for object S_USER_SYS. You can only assign new systems to a new user with this authorization. ( No Problem with this )
When a user is deleted in the central system, the system entry for the user is retained until the deletion is confirmed. If an error occurs, you can repeat the deletion by canceling the system (in the child system).
What does mean: deletion is confirmed?
Best Regards,
Erick IlarrazaHi, thanks a lot for your reply.
We used the SAP Transaction SCUG to solve CUA Problem.
It is something about the refresh of the user in the Parent / Child systems, you need to Re-Refresh users and delete it again.
Best Regrads,
Erick Ilarraza -
Technical upgrade to ERP2005 6.0 and CRM2007 with CUA on 640?
We are in the planning stages of a technical upgrade to ERP2005 6.0 and CRM2007. Our CUA system is not being considered for this upgrade; it's currently at kernel release 640, patch level 80, ABAP load 1521, CUA load 15.
I've searched all over for recommendations, and all I've found is this from the SAP Help pages: "Use the most up-to-date system in your system landscape as your central system (if possible with a release status of 4.6C or higher). In this way, the newest functions in CUA are available to you." In Frank's NetWeaver Identity Management 7.0 Technical Overview Presentation, he states "IdM will replace the CUA in the long run, however, SAP will continue to support CUA in its current functionality according to SAP maintenance rules."
Will we have a problem if our CUA system is at a lower release than the rest of our systems?
thanks,
Mary-Annepossibly not. still i would test the scenario on a sandbox system which is already on ERP 6.0 and another one with CRM2007 on it. you could for that purpose simply add them to your ALE-scenario (BD64). after such a test you can be sure whether everything is still o.k.
that recommendation from SAP makes sense though: distributing from a system which is running on the latest software is preferable, since you would have a source which is likely to be more 'reliable' than the target.
why don't you upgrade your CUA central? what are the reasons for this? -
How to restrict the t code BBPMAININT with DISPLAY Mode in SRM?
Hi experts,
I want to restrict the T code BBPMAININT : Maintain Business Partner with DISPLAY mode in SRM system?
Action Taken:1. I have restricted with "03 Activity" of all check and maintainauthorization objects for this tocde .
2. I have performed the authorization trace also, there also I have not found any new objects.
Here are list of auth object I have restricted:
BBP_FUNCT
BBP_PD_AUC
BBP_PD_BID
BBP_PD_CNF
BBP_PD_CTR
BBP_PD_INV
BBP_PD_PCO
BBP_PD_PO
BBP_PD_QUO
But I have not clearly understand of the object : BBP_FUNCT.
In this Object, I have maintained BE_F4_HELP value only. And rest of the auth object I have restricted to 03 activity only.
But still users are able to acess the CREATE and MANAGE buttons.
So how Can I restrict the this T code in display mode?
Please suggest me...
Thanks in advance.
Regards,
SivaSiva,
Does your users have any other tcodes assigned to them other than the one you needed to be resticted?
As a trial, assign only your tcode to a user and run the trace.
Let us know your findings.
Regards,
Brahmeshwar -
Central System not accessible (SRM with CUA)
Hello Folks,
We are using Central user administration CUA and like other system SRM is connected to CUA. I am getting the error 'Central system not accessible' while creating the employee for business partner (Vendor) transaction BBPMAININT (Manage Business Partner).
Here are the steps
1. Login to SRM
2. Click on Manage business partner (BBPMAININT)
3. Look for Employee for Business Partner 'Create' option and create a
employee for one of the vendors.
4. Enter details and press save button
5. You will get the message Central 'System not accessible'
Any help in this regards is highly appreciated
PradeepHi Joerg,
RFC user has SAP_ALL. Also we have also applied those notes. Could you please point to the excat cause of the issue. We can attache user to org structure using users_gen.
Thanks,
Pradeep -
Help with CUA and modifying user "own profile".
Hey guys,
We just implemented CUA in our enviornemnt, and have run into the system.
I understand why all accounts now get modified in the central system, however, our users are asking to be able to still modify thier account defaults (i.e. hour format, numbering format, etc) in SU3 (system ->user profile -> own data)... however the CUA has removed this option from all clients connected to it.
Is it possible to still have this functionality?
Thanks everyone for any info.
RichardHi Richard,
It is possible to change multiple attributes and the changes are executed according to
the setting associated with each attribute. Therefore, global attributes are changed in
the central system and distributed and those attributes that are to be maintained locally
are filtered out and not changed.Local attributes should be maintained using the maintenance functions
(SU3) in the child systems. So you will have to change the settings in The central system to allow this to be maintained from the child system.
Many Regards,
Harimander Singh. -
Hi Gurus,
I have successfully linked 5 child system to the CUA.. All the changes are also flowing to the child system but we when i see the CUA log all the changes appear as unconfirmed except for the parent system.. ...
I have check teh RFC connection, CUA landscap ... All seems to be working fine
Can anyone tell the solutions....
ParveenHi Parveen,
your problem can have various causes....
The most common is, that the user in your rfc-destinations from the child system to the cua-central has not sufficient authorizations. Pls check sm58 on the child systems.
Temporarily try, if you have a change of behaviour, if you assign sap_all to that user.
You could also run ST01 for that user to find out, if authoriaztions are missing.
Another common failure is caused by wrong definition of rfc-destinations. Change the rfc-user to 'dialog' and perform a login with that rfc-connection. Are you logged on the the central system then?
Pls check idoc status in the child systems (bd87). Are they really processed without errors?
b.rgds and good luck,
Bernhard -
Hi Team,
we implemented CUA in our CRM system such as NCSCLNT300 was made as CUA and NCSCLNT200 as child system.
CUA works well in most cases except for the below issue.
1. For some roles available in client NCSCLNT200, when we try to add it to a user in CUA, system throws a error 'The central system does not have any information about the existence of role SAP_CRM_COMPETITOR in child system NCSCLNT200'
we have performed a text comparison but it didn't help. Thanks to help.Hi,
if the text comparison does not work, there are only 2 possible causes:
1. the logical system name of the child system is not defined correctly (review table t000!)
2. the rfc-connection from child to central system is not configured correctly.
In most cases cause 1 is applicable. the fact, that you think that the text comparison works perfectly for other roles could be also that you have another system in the landscape with the same logical system name containing that same roles.
Simple test: create a role form scratch in child and trigger the text comparison direktly in pfcg of the child system.
Is the role thena available in the central system?
An indication for cause 2 would also be no confirmed status in SCUL.
b.rgds, Bernhard
Maybe you are looking for
-
Mobileme, iTunes and backing up...
My brother who is dubious of the mac ecosystem but was impressed enough with his orginal iPhone to buy a 13 macbook pro the other day. And MobileMe in the process in large part for the iPhone backup options. He has been calling me confused about sett
-
Use of Single Click in RRI/WAD
I want to use a single click to link two queries in the WAD. I have created the Jump targets etc. and the context menu works fine (with Goto). I believe it is possible to have the link via a single click (Left mouse button) and have investigated the
-
Adworker fails with "Error calling FNDLOAD function" for patch 7303033
hi, we have some problems applying patch 7303033 (12.1.2) for EBS: 1. installed ebs R12 12.1.1 with 11.0.7 database; 2. applied patch R12.AD.B.DELTA.2 Patch 8502056 3. trying to apply patch 7303033 after ~6 hours of runnig one of worker failed. worke
-
Hi, I'm using Toplink ORM 10.1.3. I have a table called STORE_CONFIG which has a primary key called KEYWORD (a VARCHAR2). The POJO mapped to this table is called StoreConfig. In the JDeveloper (10.1.3.1.0) mapping workbench I've defined a named query
-
CENVAT utilization by Manual Journal Entry
Hi All, Can anybody explain me the process of cenvat utilization by passing Manual Journal Entry. Please reply fast Regards, Abhishek