Central System not accessible (SRM with CUA)

Hello Folks,
We are using Central User Administration (CUA) and, like our other systems, SRM is connected to CUA. I am getting the error 'Central system not accessible' while creating the employee for a business partner (Vendor) in transaction BBPMAININT (Manage Business Partner).
Here are the steps:
1. Login to SRM
2. Click on Manage business partner (BBPMAININT)
3. Look for the Employee for Business Partner 'Create' option and create an employee for one of the vendors.
4. Enter details and press the save button
5. You will get the message 'Central system not accessible'
Any help in this regard is highly appreciated.
Pradeep

Hi Joerg,
RFC user has SAP_ALL. Also, we have applied those notes. Could you please point to the exact cause of the issue? We can attach the user to the org structure using users_gen.
Thanks,
Pradeep

Similar Messages

  • "Central system not accessible" when registering external candidate !!

    Hi,
    When registering an external candidate via the candidate registration link we get the error "Central system niet bereikt" (this is the translation of "Central system does not reach" in Dutch). This issue occurs for only ONE language, NL (Dutch), and it works fine for other languages.
    The SICF service HRRCF_CAND_REG is displayed correctly in all languages. But when an external candidate goes to register himself, he gets this error message. The recent installation of the Dutch language was done correctly.
    Please help, what could be the possible reason?
    Thanks
    Shubham

    Hi Shubham,
    Did you add Dutch language in this parameter zcsa/installed_languages in RZ10 ?
    Thanks
    Sunny

  • File sharing system not accessible after Apple update

    Hi all,
    I've just made a Mac OS X Server online update (10.6.3) and the file sharing service is no longer accessible from user accounts (my admin account works). Authentication seems to succeed (/Library/Logs/PasswordService/ApplePasswordServer.Server.log):
    May 19 2010 11:32:13 RSAVALIDATE: success.
    May 19 2010 11:32:13 AUTH2: {0x48dcf82a0f1aef720000001300000013, marc} DIGEST-MD5 authentication succeeded.
    I was looking for some helpful log in /var/log, and I noticed that system.log is always updated with the following messages:
    May 19 11:36:56 osxserver com.apple.launchd[1] (com.apple.kdcmond[34130]): posix_spawn("/usr/sbin/kdcmond", ...): No such file or directory
    May 19 11:36:56 osxserver com.apple.launchd[1] (com.apple.kdcmond[34130]): Exited with exit code: 1
    May 19 11:36:56 osxserver com.apple.launchd[1] (com.apple.kdcmond): Throttling respawn: Will start in 10 seconds
    May 19 11:36:59 osxserver jabberd/c2s[350]: [7] [::ffff:10.0.102.7, port=60868] connect
    May 19 11:36:59 osxserver jabberd/c2s[350]: [7] [::ffff:10.0.102.7] is being rate limited
    May 19 11:37:02 osxserver jabberd/c2s[350]: [7] [::ffff:10.0.102.7, port=60871] connect
    May 19 11:37:02 osxserver jabberd/c2s[350]: [7] [::ffff:10.0.102.7] is being rate limited
    May 19 11:37:04 osxserver jabberd/c2s[350]: [7] [::ffff:10.0.102.7, port=60872] connect
    May 19 11:37:04 osxserver jabberd/c2s[350]: [7] [::ffff:10.0.102.7] is being rate limited
    May 19 11:37:06 osxserver com.apple.launchd[1] (com.apple.kdcmond[34138]): posix_spawn("/usr/sbin/kdcmond", ...): No such file or directory
    May 19 11:37:06 osxserver com.apple.launchd[1] (com.apple.kdcmond[34138]): Exited with exit code: 1
    May 19 11:37:06 osxserver com.apple.launchd[1] (com.apple.kdcmond): Throttling respawn: Will start in 10 seconds
    May 19 11:37:07 osxserver jabberd/c2s[350]: [7] [::ffff:10.0.102.7, port=60875] connect
    May 19 11:37:07 osxserver jabberd/c2s[350]: [7] [::ffff:10.0.102.7] is being rate limited
    May 19 11:37:10 osxserver jabberd/c2s[350]: [7] [::ffff:10.0.102.7, port=60876] connect
    May 19 11:37:10 osxserver jabberd/c2s[350]: [7] [::ffff:10.0.102.7] is being rate limited
    May 19 11:37:13 osxserver jabberd/c2s[350]: [7] [::ffff:10.0.102.7, port=60879] connect
    May 19 11:37:13 osxserver jabberd/c2s[350]: [7] [::ffff:10.0.102.7] is being rate limited
    May 19 11:37:16 osxserver jabberd/c2s[350]: [7] [::ffff:10.0.102.7, port=60882] connect
    May 19 11:37:16 osxserver jabberd/c2s[350]: [7] [::ffff:10.0.102.7] is being rate limited
    May 19 11:37:16 osxserver com.apple.launchd[1] (com.apple.kdcmond[34142]): posix_spawn("/usr/sbin/kdcmond", ...): No such file or directory
    May 19 11:37:16 osxserver com.apple.launchd[1] (com.apple.kdcmond[34142]): Exited with exit code: 1
    May 19 11:37:16 osxserver com.apple.launchd[1] (com.apple.kdcmond): Throttling respawn: Will start in 10 seconds
    May 19 11:37:18 osxserver jabberd/c2s[350]: [7] [::ffff:10.0.102.7, port=60883] connect
    May 19 11:37:18 osxserver jabberd/c2s[350]: [7] [::ffff:10.0.102.7] is being rate limited
    May 19 11:37:22 osxserver jabberd/c2s[350]: [7] [::ffff:10.0.102.7, port=60886] connect
    May 19 11:37:22 osxserver jabberd/c2s[350]: [7] [::ffff:10.0.102.7] is being rate limited
    May 19 11:37:24 osxserver jabberd/c2s[350]: [7] [::ffff:10.0.102.7, port=60887] connect
    May 19 11:37:24 osxserver jabberd/c2s[350]: [7] [::ffff:10.0.102.7] is being rate limited
    May 19 11:37:26 osxserver com.apple.launchd[1] (com.apple.kdcmond[34146]): posix_spawn("/usr/sbin/kdcmond", ...): No such file or directory
    May 19 11:37:26 osxserver com.apple.launchd[1] (com.apple.kdcmond[34146]): Exited with exit code: 1
    May 19 11:37:26 osxserver com.apple.launchd[1] (com.apple.kdcmond): Throttling respawn: Will start in 10 seconds
    May 19 11:37:27 osxserver jabberd/c2s[350]: [7] [::ffff:10.0.102.7, port=60890] connect
    I don't know if it's related, but /usr/sbin/kdcmond actually doesn't exist!
    In /var/log the file system.log is the only one that changes when I try to log in, according to "ls -lt". Any suggestions? A DNS problem? It sounds weird, but in the past I had problems with LDAP and DNS... Thanks in advance!
    K

    In /var/log/krb5kdc/kdc.log:
    May 19 11:43:35 osxserverny01x.osxserver.org krb5kdc[96](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.102.101: CLIENTNOTFOUND: marc@LKDC:SHA1.E12D05537EFD9FE67BF53BDB2C8D7725916B4897 for krbtgt/LKDC:SHA1.E12D05537EFD9FE67BF53BDB2C8D7725916B4897@LKDC:SHA1.E12D05537EFD9FE67BF53BDB2C8D7725916B4897, Client not found in Kerberos database
    May 19 11:43:35 osxserverny01x.osxserver.org krb5kdc[96](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.102.101: CLIENTNOTFOUND: marc@LKDC:SHA1.E12D05537EFD9FE67BF53BDB2C8D7725916B4897 for krbtgt/LKDC:SHA1.E12D05537EFD9FE67BF53BDB2C8D7725916B4897@LKDC:SHA1.E12D05537EFD9FE67BF53BDB2C8D7725916B4897, Client not found in Kerberos database
    May 19 11:44:27 osxserverny01x.osxserver.org krb5kdc[96](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.102.101: CLIENTNOTFOUND: admin@LKDC:SHA1.E12D05537EFD9FE67BF53BDB2C8D7725916B4897 for krbtgt/LKDC:SHA1.E12D05537EFD9FE67BF53BDB2C8D7725916B4897@LKDC:SHA1.E12D05537EFD9FE67BF53BDB2C8D7725916B4897, Client not found in Kerberos database
    May 19 11:44:27 osxserverny01x.osxserver.org krb5kdc[96](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.102.101: CLIENTNOTFOUND: admin@LKDC:SHA1.E12D05537EFD9FE67BF53BDB2C8D7725916B4897 for krbtgt/LKDC:SHA1.E12D05537EFD9FE67BF53BDB2C8D7725916B4897@LKDC:SHA1.E12D05537EFD9FE67BF53BDB2C8D7725916B4897, Client not found in Kerberos database
    May 19 11:44:31 osxserverny01x.osxserver.org krb5kdc[96](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.102.101: CLIENTNOTFOUND: admin@LKDC:SHA1.E12D05537EFD9FE67BF53BDB2C8D7725916B4897 for krbtgt/LKDC:SHA1.E12D05537EFD9FE67BF53BDB2C8D7725916B4897@LKDC:SHA1.E12D05537EFD9FE67BF53BDB2C8D7725916B4897, Client not found in Kerberos database
    May 19 11:44:31 osxserverny01x.osxserver.org krb5kdc[96](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.102.101: CLIENTNOTFOUND: admin@LKDC:SHA1.E12D05537EFD9FE67BF53BDB2C8D7725916B4897 for krbtgt/LKDC:SHA1.E12D05537EFD9FE67BF53BDB2C8D7725916B4897@LKDC:SHA1.E12D05537EFD9FE67BF53BDB2C8D7725916B4897, Client not found in Kerberos database
    May 19 11:44:43 osxserverny01x.osxserver.org krb5kdc[96](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.102.101: CLIENTNOTFOUND: marc@LKDC:SHA1.E12D05537EFD9FE67BF53BDB2C8D7725916B4897 for krbtgt/LKDC:SHA1.E12D05537EFD9FE67BF53BDB2C8D7725916B4897@LKDC:SHA1.E12D05537EFD9FE67BF53BDB2C8D7725916B4897, Client not found in Kerberos database
    May 19 11:44:43 osxserverny01x.osxserver.org krb5kdc[96](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.102.101: CLIENTNOTFOUND: marc@LKDC:SHA1.E12D05537EFD9FE67BF53BDB2C8D7725916B4897 for krbtgt/LKDC:SHA1.E12D05537EFD9FE67BF53BDB2C8D7725916B4897@LKDC:SHA1.E12D05537EFD9FE67BF53BDB2C8D7725916B4897, Client not found in Kerberos database
    Neither of the two accounts is found in the Kerberos database, but admin can actually log in.

  • Does the Mac Operating System not work properly with Youtube?

    I noticed that my messages on YouTube are instantly deleted when I comment on some people's YouTube channels. I don't think it's the person that owns the YouTube channels doing it, because it is deleted almost instantly after I log out. It's very odd and I don't think it's YouTube censoring my comment, because I'm not cursing in the comment and I don't believe cursing is against the TOS on YouTube anyway.
    Another thing I notice is that when I'm on a Flash-based chatroom and someone I am talking to has left the chatroom, it will still say they are in the chatroom until I click on my friend list, and then they turn red as if they are gone. It is very odd that I am noticing these strange bugs. However, the chatroom thing could be a chatroom problem, because it might do that on my Windows side, which I never checked because I'm usually on that chatroom on my Mac side.

    The Adobe flash version could be checked to see if the system is actually using
    their latest version (see Adobe, not a third party prompt from elsewhere to get it)
    as that may be dated or you may have a newer -and- older Flash, and if so,
    the later one may not be in use. Within OS X you can choose the newer one.
    http://helpx.adobe.com/flash-player.html
    {see the links further down in the above linked page, should you have additional
    Mac OS X problems with Flash player or issues in general with installing it}
    Also, some of youtube can be run in HTML5 and depending on the author, should
    be visible even without a Flash player installed. youtube is a google product and
    they also have a help section for dealing with their content. And browser settings
    may affect how things work. Depending on what browser you use, this varies.
    Good luck & happy computing!

  • CCMS alert monitoring data for ORACLE is not visible in Central system

    Hello,
    I have installed sapccm4x agents in the CI of the Satellite System and it shows in the Central System as successfully registered under Agents for remote System, and the RFC connection test is also successful. When I check in RZ20 in the Central System, not all the predefined monitors of the Satellite System are visible in the Central System, mainly the MTE element ORACLE. The database, CI and other instances of the Satellite System are installed on separate hardware. As said, the database is not installed with the CI but standalone.
    Please let us know what needs to be configured in order to get the MTE element ORACLE to show in the Central System.
    Thanks,
    Vinod Meno

    Bhudev,
    Thanks for the quick response.
    1. The sapccmsr agent is installed on the Java standalone server, and it has been successfully registered and is running. We can grep the process to see its state, and in the Central System I can see it under CCMS agents for remote systems, and the RFC connection test is also successful.
    2. Yes, we are sending the data from the DB to the CI first, but we also want the data visible in the Central System, mainly for the MTE element Oracle. The filesystem of the Satellite Systems shows up in the Central System, but I am interested in capturing the MTE element Oracle since we plan to monitor the tablespace thresholds.
    I am thinking of opening an SAP message, but I am trying to see if I can get some info that can give me the result.
    Regards,
    Vinod Menon

  • CUA Roles residing in Child system are not showing in Central System

    I just hooked up CUA today and have linked 8 child systems to the central system.  The 8 child system users and roles have already been established in the child systems.  Do I need to run program susr_zbv_get_receiver_profiles in each of the child systems to get the roles in the child systems to show up in the Central System for each user?  I tried this in one child system and it worked.
    Or is there something else I need to do without going into each child system?
    I tried this program susr_zbv_get_receiver_profiles in the Central system but it did not work.

    Are you looking for roles or profiles? Profiles will not show up in the central system. If you run SCUL do you see anything? When you first added the child system, did you use an SAP user that had the proper permissions? In both the child and the parent? There are two roles that the user must belong to in order to add the child to the parent: SAP_BC_USR_CUA_SETUP_CENTRAL and SAP_BC_USR_CUA_CENTRAL.
    If you have any question about the permissions of this user at the time you added the child to the parent, I'd delete the child and re-add it with either the above roles or a user with SAP_ALL in BOTH the child and the parent systems.

  • Could not access the central system - CUA problem

    Hi all,
    Please help me with this problem.
    It's just a test scenario; when everything is good here, I have to do the same for Production.
    We just upgraded our R3 system from 4.6 to ECC6.0.
    I created CUA on DB1100 (Dev BW 4.6) with two child systems:
    1) DC1150 (Dev CRM 4.6)
    2) DE1400 (DEV ECC 6.0)
    Now everything is working fine between DB1100 and DC1150.
    It works like CUA (DB1100) and child (DC1150) systems, as it should.
    But the connection between DB1100 and DE1400 is not working fine. When you go to SU01 in DE1400, it does not allow me to change anything. It means the connection is there and DB1100 is taking DE1400 as a child system, but when I am updating any user information or roles in DB1100 it is not updating the child system DE1400.
    And when I went to tcode SCUA in DE1400 it gave me this error:
    "Could not access the central system DB1100".
    I don't know what's happening. I did the same config in DE1400 as I did in DC1150. DC1150 is working fine but not DE1400.
    The weirdest thing is that DB1100 sees DE1400 as a child system and I cannot make any changes to DE1400 directly.
    Please help me with this. What can I do to make this work between DB1100 and DE1400?
    I need to do the same in production if it passes.
    Thanks in Advance.

    Hi mala_swa,
    It seems that you have a problem with the RFC connections.
    Please check in both directions. The connections have to work without problems.
    Check SCUL in DB1100 - what is the status of the distributed users? Errors, unconfirmed?
    Check IDocs in DE1400. Are there some? What is their status?
    The most common error comes from RFC connections that are not working. That causes, for instance, problems while generating partner profiles, etc. Also the strict naming convention (log. system name = system name in CUA landscape = name of used RFC connections) has to be considered.
    So those are some points that you could check.
    good luck,
    Bernhard

  • CUA - Users not created in Central System

    Hi -  Just put in CUA into a Solution Manager 4.0 client - and have the following issue.
    After performing SCUG - the users are brought into the central system BUT not created into the central system.
    For example:
    Child system is CLNT100
    Parent system is CLNT200
    In CUA - if I search on the user - I can see it exists in CLNT100, but no entry is created in CLNT200.
    This is an issue as I can't use SU10 in CUA - to do mass changes as the users don't exist in this client.
    I am pretty experienced with CUA - but have not seen this before - is there some new setting that I need to make to create the users in the CUA client when performing SCUG?
    Thanks

    Hi - you only need to perform SCUG in the central system.
    I have brought all the users across from each child system.
    I think I may have incorrectly analysed the error.
    What I am trying to do is use SU10 in the Central system to make changes on users in the child systems. The issue is that none of the users that are in the child system only show up in SU10.
    I therefore think that this is an issue with SU10 in the CUA parent - as it is only picking up users if they exist in this CUA parent client (i.e. not if they only exist in the child systems).
    Is there any way to change the behaviour of SU10?

  • An error The local farm is not accessible. Cmdlets with FeatureDependencyId are not registered after launching a ps1 script from cmd file.

    I'm trying to load sharepoint script from *.cmd file. 
    I have Sharepoint 2010 installed on Windows 7 x64 and SQL server 2008r2.
    My cmd file is: 
    Powershell -v 2 -NonInteractive -NoLogo -File 1.ps1
    My sharepoint file 1.ps1 is:
    $snapin = "Microsoft.SharePoint.PowerShell"
    if ($action -eq $null -or $action -eq '')
    {
        # Action by default is complete uninstallation.
        $action = 'uninstall'
        $uninstall = $true
    }
    else
    {
        $action = $action.ToLower()
        # Map the requested action to its flag; anything else is an error.
        switch ($action)
        {
            { $_ -eq "uninstall" } { $uninstall = $true; break }
            { $_ -eq "removesolution" } { $removeSolution = $true; break }
            { $_ -eq "deactivatecorpus" } { $deactivateCorpus = $true; break }
            { $_ -eq "deactivatesupport" } { $deactivateSupport = $true; break }
            default { Write-Host -f Red "Error: Invalid action: $action "; Exit -1 }
        }
    }
    # Check the Sharepoint snapin availability.
    if (Get-PSSnapin $snapin -ea "silentlycontinue")
    {
        Write-Host "PS snapin $snapin is loaded."
    }
    elseif (Get-PSSnapin $snapin -registered -ea "silentlycontinue")
    {
        Write-Host "PS snapin $snapin is registered."
        Add-PSSnapin $snapin
        Write-Host "PS snapin $snapin is loaded."
    }
    else
    {
        Write-Host -f Red "Error: PS snapin $snapin is not found."
        Exit -1
    }
    # List the web templates of the site collection for locale 1033.
    $url = "http://pc1/sites/GroupWork/"
    $site = New-Object Microsoft.SharePoint.SPSite($url)
    $loc = [System.Int32]::Parse(1033)
    $templates = $site.GetWebTemplates($loc)
    foreach ($child in $templates) { Write-Host $child.Name " " $child.Title }
    $site.Dispose()
    The script works fine from the Sharepoint 2010 management shell after launching the shell from the start menu (or from windows cmd by entering powershell -v 2):
    PS C:\2> .\1.ps1 
    PS snapin Microsoft.SharePoint.PowerShell is loaded.
    GLOBAL#0 Global template
    STS#0 Team Site
    STS#1 Blank Site
    STS#2 Document Workspace
    MPS#0 Basic Meeting Workspace
    MPS#1 Blank Meeting Workspace
    MPS#2 Decision Meeting Workspace
    MPS#3 Social Meeting Workspace
    MPS#4 Multipage Meeting Workspace
    CENTRALADMIN#0 Central Admin Site
    WIKI#0 Wiki Site
    BLOG#0 Blog
    SGS#0 Group Work Site
    TENANTADMIN#0 Tenant Admin Site
    {248A640A-AE86-42B7-90EC-45EC8618D6B4}#MySite2 MySite2
    {95629DC2-03B1-4C92-AD70-BC1FEAA49E7D}#MySite1 MySite1
    {7F01CFE4-F5E2-408B-AC87-E186D21F624C}#NewSiteTemplate NewSiteTemplate
    PS C:\2>
    I have access to the database Sharepoint_Config from the current domain user and from 2 other users. All users have db_owner rights to the Sharepoint_Config database. But I've logged in to Windows as the user which is dbo in the database (dbo with Windows authentication with domain\username for the current user). The dbo user has db_owner rights in the Sharepoint_Config database. I've tried to log in under other users and launch the cmd file, but without success.
    My PowerShell has version 2.0: 
    PS C:\2> $psversiontable
    Name Value
    CLRVersion 2.0.50727.5477
    BuildVersion 6.1.7601.17514
    PSVersion 2.0
    WSManStackVersion 2.0
    PSCompatibleVersions {1.0, 2.0}
    SerializationVersion 1.1.0.1
    PSRemotingProtocolVersion 2.1
    After launching the script from the 1.cmd file I get these errors:
    C:\2>Powershell -v 2 -NonInteractive -NoLogo -File 1.ps1
    PS snapin Microsoft.SharePoint.PowerShell is registered.
    The local farm is not accessible. Cmdlets with FeatureDependencyId are not regis
    tered.
    Could not read the XML Configuration file in the folder CONFIG\PowerShell\Regist
    ration.
    Could not find a part of the path 'C:\2\CONFIG\PowerShell\Registration'.
    No xml configuration files loaded.
    Unable to register core product cmdlets.
    Could not read the Types files in the folder CONFIG\PowerShell\types.
    Could not find a part of the path 'C:\2\CONFIG\PowerShell\types'.
    "No Types files Found."
    Could not read the Format file in the folder CONFIG\PowerShell\format.
    Could not find a part of the path 'C:\2\CONFIG\PowerShell\format'.
    No Format files Found.
    PS snapin Microsoft.SharePoint.PowerShell is loaded.
    New-Object : Exception calling ".ctor" with "1" argument(s): "The Web applicati
    on at http://Pc1/sites/GroupWork/ could not be found. Verify t
    hat you have typed the URL correctly. If the URL should be serving existing con
    tent, the system administrator may need to add a new request URL mapping to the
    intended application."
    At C:\2\1.ps1:48 char:18
    + $site= new-Object <<<< Microsoft.SharePoint.SPSite($url )
    + CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvoca
    tionException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.Power
    Shell.Commands.NewObjectCommand
    Please help me. I don't understand why the script is launched from the sharepoint management shell but doesn't work from the cmd file.

    I have an answer for my problem. To solve it I took several steps:
    1. Run farm installation under AD admin credentials - runas /user:Domain1\DomainAdmin1 "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\psconfigui.exe".
    This user has been added as farm administrator in the wizard.
    This user has been added as DBO in the SQL Server. (This is the main difference with my previous attempts)
    2. Execute the command Add-SPShellAdmin Domain1\UserAccount1 in the Management Shell of Sharepoint.
    3. Run SQL server and add Sharepoint_Shell_Access to the Domain1\UserAccount1 (my main account) in the Config database
    4. Run the CMD file only from the Start->Run menu.
    runas /user:Domain1\UserAccount1 "C:\1.cmd".
    Do not use Total Commander command prompt or file list for executing *.cmd or *.bat files without root administrator account.
    Thanks all for help.

  • Indirect Role Assignment with HR-ORG in a system landscape with CUA

    Hi all,
    we have 2 SAP systems:
    1) SAP ECC6 (with composite roles)
    2) SAP HR with PA and OM
    We would like to assign SAP ECC6 roles through HR-OM.
    Since HR-OM is not on the same ECC6 system, we would like to try the logic: HR-OM -> CUA -> ECC6
    There are several documents that describe this situation (e.g. SCUR351).
    From the PFCG point of view, we should create a composite role in the CUA system which includes single roles of the child system.
    If we try to create a composite role in the CUA central system, we can insert only single roles available in the central system (and not in the child).
    Any experience with this scenario?
    Pros vs cons?
    Are there different possible scenarios?
    Many thanks...
    Andrea

    The whole idea of CUA is to manage your roles and users centrally; on the contrary, you can manage the roles/profiles by setting up the attributes for the CUA through the Central User Management console - SCUM transaction.
    CUA has its own pros -
    Central repository, user sync, role provisioning strategy - global composites (consisting of individual child roles), distributed model - provisioning at individual child systems for roles, etc. Central user store, easy maintenance.
    On the contrary - change documents are always a concern (because CUA uses interface IDs or the RFC IDs to push the IDocs from CUA to the child system), CUA maintenance during system refresh - copied distribution models have to be deleted and re-created, system backups have to be defined per your distribution model, password maintenance: if defined global then child systems act as inactive nodes, reading the roles into CUA which are created in children so as to establish a pointer to that system.
    It also depends on the number of systems you have in your landscape, so that you can calculate the overhead and then make a go/no-go decision on CUA.
    Overall, I consider CUA a good approach provided we streamline the process of provisioning and de-provisioning per the CUA standards.
    Rakesh

  • Users were re-created in Child systems not in Central System (CUA)

    Hi,
    A set of users was deleted some time back, and today I checked in the child system (PROD) with the criterion "list of users without roles/profiles" and found a set of users in the child systems.
    Whereas those user master records are not showing in the Central System (CUA).
    I checked the change document. It shows the deletion date, and some time later the user was created again with no roles and profiles. On the same date all the other users were also created.
    Then I checked the change document of a user and verified whether any IDoc was generated in the central system at that time and date, but I didn't find anything...
    I was expecting that there were old IDocs in status "distribution unconfirmed" for the user, and later many changes would have happened for that user which were reflected in the child system, except for the IDoc which was in unconfirmed status. When anyone tries to execute the process through BDM2 or BD87 for that IDoc, there would be a chance of re-building the user account... But one thing I was confused about is: if the old IDoc gets re-generated, then shouldn't it be shown in the CUA system also?
    It was a strange issue, so please let me know what the reason behind it is...
    Please help me out...
    SV

    > Nishant Sourabh wrote:
    > I assume BD87 was executed in the child system and the idocs where manually processed which created these ids back again ....not sure if that is what happened. never seen something like that.
    Hi Nishant,
    What you are writing is the most common situation of how these users got 'recreated'.
    If you have a look at the method for user change IDocs, you will notice that it is the same method for creation and changing (CLONE).
    So if you have an unprocessed change IDoc in the child system and you delete the user (successfully) and reprocess this IDoc in the child system locally, the user will get 'recreated'.
    b.rgds,
    Bernhard
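
    Added example (not part of the thread and not SAP code): a small Python model of the sequence Bernhard describes, showing how an old unprocessed change IDoc brings a deleted user back when posting is create-or-change, plus a pre-check that flags such IDocs before anyone reprocesses them. The record layout, the status names "open"/"posted", and all user names, role names and document numbers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class UserIdoc:
    """Simplified stand-in for a user distribution IDoc (hypothetical fields)."""
    docnum: str           # constructed document number
    user: str             # user master record the IDoc targets
    created: datetime     # when the IDoc arrived in the child system
    status: str           # "open" = received but not posted, "posted" = done
    roles: tuple = ()     # role assignments carried by the IDoc, may be empty


def apply_clone(users, idoc):
    """Post one IDoc with create-or-change semantics (one method for both)."""
    action = "changed" if idoc.user in users else "created"
    users[idoc.user] = list(idoc.roles)
    return action


def stale_open_idocs(idocs, deletions):
    """Return open IDocs that are older than the deletion of their target user.

    `deletions` maps user name -> time the user was deleted in the child
    system. Reprocessing any IDoc returned here would re-create that user.
    """
    flagged = []
    for idoc in idocs:
        deleted_at = deletions.get(idoc.user)
        if (idoc.status == "open" and deleted_at is not None
                and idoc.created < deleted_at):
            flagged.append(idoc)
    return flagged


def reprocess_open(users, idocs, deletions):
    """Post open IDocs but skip the stale ones; return (posted, skipped)."""
    stale = {i.docnum for i in stale_open_idocs(idocs, deletions)}
    posted, skipped = [], []
    for idoc in idocs:
        if idoc.status != "open":
            continue
        if idoc.docnum in stale:
            skipped.append(idoc.docnum)
        else:
            apply_clone(users, idoc)
            posted.append(idoc.docnum)
    return posted, skipped


def replay_scenario():
    """Run the thread's sequence on constructed data and report the outcome."""
    idocs = [
        # Change for JDOE that was never posted in the child system.
        UserIdoc("0000000101", "JDOE", datetime(2024, 3, 1, 9, 0), "open"),
        UserIdoc("0000000102", "ASMITH", datetime(2024, 3, 1, 9, 5),
                 "posted", ("Z_BUYER",)),
        # Ordinary pending change for a user that was never deleted.
        UserIdoc("0000000103", "BLEE", datetime(2024, 3, 9, 8, 0),
                 "open", ("Z_DISPLAY",)),
    ]
    # JDOE was deleted after IDoc 0000000101 had already arrived.
    deletions = {"JDOE": datetime(2024, 3, 5, 14, 0)}
    after_delete = {"ASMITH": ["Z_BUYER"], "BLEE": []}

    # Unguarded local reprocessing of the old IDoc: the user comes back.
    unguarded = {u: list(r) for u, r in after_delete.items()}
    action = apply_clone(unguarded, idocs[0])

    # Guarded reprocessing: the stale IDoc is held back for review.
    guarded = {u: list(r) for u, r in after_delete.items()}
    posted, skipped = reprocess_open(guarded, idocs, deletions)

    return {
        "flagged": [i.docnum for i in stale_open_idocs(idocs, deletions)],
        "unguarded_action": action,
        "unguarded_roles": unguarded["JDOE"],
        "guarded_posted": posted,
        "guarded_skipped": skipped,
        "jdoe_in_guarded": "JDOE" in guarded,
    }


if __name__ == "__main__":
    for key, value in replay_scenario().items():
        print(f"{key}: {value}")
```

    In this model the re-created user has an empty role list because the stale IDoc carried none, which matches the symptom reported in the question.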

  • Central maintenance of info with CUA

    Dear all,
    We are planning to implement CUA in our landscape. I guess we can maintain initial passwords and lock status of users centrally with CUA.
    Could we also centrally maintain the definition of authorization profiles and the complete definition of user roles? And the information on "which user is allowed to log on to what client" with CUA?
    Which of the above information can be maintained centrally using CUA?
    Your help will be appreciated. Thanks in advance.

    Hi
    I guess we can maintain initial passwords and lock status of users centrally with CUA - correct.
    Could we also centrally maintain the definition of authorization profiles and the complete definition of user roles - you can centrally maintain the allocation of roles and profiles.
    And the information on "which user is allowed to log on to what client" with CUA - yes. You maintain user to role mapping centrally, and that also means you can control the systems and clients which they log into.
    You can also centrally distribute Parameter IDs (though that is not without its "features" - nothing that can't be easily fixed), User Data, Printers, User Groups (same "features" as PIDs).
    CUA does a job which is quite narrow; you may want to look at NetWeaver IdM, which can do some of what CUA does but is a proper IdM tool. It could be overkill for what you want but could also be the basis of a strategic solution for managing SAP accounts. Both have their place.

  • Remote system monitoring entry- data not relayed to Central system

    Hello Folks,
    I am trying to establish a central monitoring system for our client. I am trying to test it in the DEV environment first.
    The central system is a Solution Manager system (dual stack - ABAP+JAVA). I am trying to bring in monitoring data from the ECC development environment (ABAP+JAVA).
    First off, I created two RFC connections in the Solution Manager system, one for data collection and the other for analysis. I have maintained the host address of the ECC system as target.
    Then I created a remote system entry in transaction RZ21 --> Technical Infrastructure, entered the 2 RFC names and executed the function.
    At this point I am only trying to bring in ABAP stack monitoring data from the ECC system, so I have not generated the CSNCONF file.
    Now when I look in Solution Manager RZ20 --> CCMS monitoring templates, I can't see any data for the ECC system.
    I guess I am doing something wrong. Am I looking in the wrong monitor set?
    As additional information: Solution Manager (SMD) and ECC (ECD) use different transport domains / transport groups. I don't know if this makes a difference.
    Can someone please help?
    Regards,
    Prashant

    Hi Prashant,
    If I understand correctly, your system shows only MTEs from the R/3 stack, not from the OS side. Please check your SAPOSCOL. Is the data in OS06 in your remote system correct, and do you see the current data, refreshed every 10 seconds?
    To check your environment, please do the following:
    In the first step, check in RZ21 > in the Topology part, the System Overview for your system connection to your back end system. Are the Read Destination Data RFC and the Destination Analysis RFC correct, and does the authority check work fine?
    In the second step, please check in RZ21 > in the Agents for Remote SAP Systems part: are your remote CCMS agents registered correctly, and does the connection test work?
    Stop the agents and in your RZ20 monitor please enter STAT in your command field. Are the read RFC destinations displayed for your MTE nodes?
    Start the agents and in your RZ20 monitor please enter STAT in your command field. Are the CCMS Agent RFC destinations displayed for your MTE nodes?
    To rebuild the monitor in the CEN system you could try to reset the node of your remote system into the warm-up status > go in the remote system to RZ1 > go to local segments > change to edit > select your segments > reset segment in "WARMUP" status.
    In the CEN system you could try to go to the edit mode for the Agents for Remote SAP Systems > select your remote system and push the button Reinitialize Agents.
    In the back end system you can try to delete all MTEs in RZ21 > menu Technical Infrastructure > Reorganize Segment Table > select the options with "ALL" in the CEN and the remote system to reorganize all data.
    Could you please post a screenshot for the missing MTEs, on the one side from the CEN system and on the other side from the remote system...
    And last but not least, you could try the following for missing OS MTEs:
    delete ALALERTS, ALMTTREE and ALPERFHI in /usr/sap/ccms/<SID>_<SNR> and check all trace and log files in the agents folder for errors.

  • Integrate GRC 10.1 with CUA and how to import roles from CUA & Child systems into GRC for provisioning

    Hello,
    I am trying to integrate CUA into our GRC 10.1 system through the below steps and so far I have completed the below steps following SAP Notes 1680108 and 1616121:
    1. Connected CUABOX to GRCBOX like a plug-in system.
    2. Updated CUA Global System and CUA Model Distribution in Maintain CUA settings under User Provisioning.
    3. Next I am trying to import the roles from CUA(CUABOX) into GRC(GRCBOX) to be able to provision roles in CUA Child Systems(ECCBOX).
    After reading a few discussions in SCN, I have figured that we have to download a template in Role Import and populate it accordingly to upload the CUA child system roles into GRC system for provisioning in CUA Child Systems.
    Unfortunately, this template has multiple fields and I am unable to determine the fields that should be populated as CUA Global System and CUA Child System to import into GRC. Also, when we upload CUA Child System Roles template what selections should be made in Role Import window.
    Any help in this regard is very helpful.
    Thank you,
    Pawan

    Hi Alessandro,
    I have "Create user if does not exist" setting checked for both change action and assign role action and also have CUA enabled. Here is the list of steps that I am performing:
    1. Create an access request for new account, T-CUA_CHILD and select a role from a child system ECC Z_ECC_ROLE_IN_CHILD_SYSTEM.
    2. Approvals provided to assign the ECC role.
    3. I see the following in GRFNMW_DBGMONITOR_WD.
               Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage              GRAC_SECURITY
                   New User:T-CUA_CHILD created in System(s): ECC (created without role assignments)
                   T-CUA_CHILD User does not exist in target system CUA
    GRC created an account without role assignment in ECC but also threw an error that the user does not exist in CUA.
    However, if I select roles from both CUA and ECC it creates the account in both systems with the selected role assignments.
    So I am wondering if there is a way to provide CUA access to users by default for new account request types. I have tried setting up default roles for CUA but it does not assign the roles by default until I select the CUA system.
    Thank you for your help!
    Pawan

  • How to delete users in the child systems with CUA?

    Hi All,
    We have:
    1.  My SAP ERP 2005  (ECC 6.0)+ Windows 64bit + Oracle 10
    2. EP 7.0 + Windows 64bit + Oracle 10
    3. BI 7.0 + Windows 64bit + Oracle 10
    4. Solution Manager 4.0 (CUA)
    We managed all our QA and DEV users in ECC, EP using CUA from the Solution Manager server (Productive servers  and all the BI  7.0 System Landscape aren't in the CUA).
    My problem is when I want to delete a user. Sometimes if you delete a user in the Solution Manager (where the CUA is defined) the user still exists in the child systems. In fact you can see it with SU01 only in the child system. I guess the idea is that if you delete the user in the CUA then the user is deleted in the child system.
    I found this information in the SAP Help:
    As well as the authorizations already mentioned, you also need another authorization in the central system for object S_USER_SYS. You can only assign new systems to a new user with this authorization. ( No Problem with this )
    When a user is deleted in the central system, the system entry for the user is retained until the deletion is confirmed. If an error occurs, you can repeat the deletion by canceling the system (in the child system).
    What does "deletion is confirmed" mean?
    Best Regards,
    Erick Ilarraza

    Hi, thanks a lot for your reply.
    We used the SAP Transaction SCUG to solve CUA Problem.
    It is something about the refresh of the user in the Parent / Child systems, you need to Re-Refresh users and delete it again.
    Best Regards,
    Erick Ilarraza
