Central User Administration using EP

Hi,
Can anybody tell me how we can do central user administration using EP? My landscape has multiple SAP systems, a BW system and an EP system. How should we go about it?
Any help?
regards,
Sujesh

Hi Sujesh,
EP is not able to serve as a hub for central user administration in my opinion.
You can connect EP to several user stores like LDAP servers (including Microsoft ActiveDirectory) and SAP Systems.
So
a) you store all your users in an LDAP and connect all your SAP systems to that LDAP
b) you declare one of your SAP systems as central user administration (CUA) "master", connect all other as "slaves" and connect the EP UME to the master
But either way, there is no GUI inside the EP where you can administer all user-related things like roles from all systems, etc. This can only be done in an ABAP system.
Hth,
Michael

Similar Messages

  • Central User Administration Idoc's for a XI system

    Hello,
    We are setting up a Central User Administration (CUA) in Solution Manager. One of the systems that needs to be a child of this CUA is a SAP XI 2.0 system.
    The distribution of the Users is done by IDocs.
    Everything is working fine from the CUA to a SAP R/3 system.
    But when we make the XI 2.0 a child, all the IDocs are caught by the XI IDoc adapter instead of going directly to the IDoc inbound handler of the XI system.
    Has anyone been able to send an IDoc to an XI 2.0, bypassing the IDoc adapter and sending it directly to the XI IDoc inbound handler?
    Any kind of info will be greatly appreciated.
    With kind regards,
    Leon Boeijen

    Hi Leon,
    to bypass the IDoc Adapter for specific IDocs you can specify these IDocs using the report IDX_SELECT_IDOCTYPE_WITHOUT_IS.
    Kind regards,
    Andreas

  • Central User Administration

    Hello,
    I want to realize a central user administration between two different SAP systems.
    In a testing environment I realized it between two logical systems with different mandants in one SAP system.
    Now it should work between two hosts. For example SAP1 192.168.150.1 and SAP2 192.168.150.2. What are the differences I have to consider?

    Let's take two systems with SIDs: "SA1" and "SA2".
    1. Create logical system name SA1MNDT100 on SA1 identifying mandant 100 on SA1
    2. Assign it to mandant 100 in system SA1
    3. Then on SA2 you have to tell that there is a system named SA1MNDT100 ready for communication, so you must create logical system name SA1MNDT100 in SA2 but you don't assign it to any mandant (because from SA2's point of view it is a remote system)
    4. Then on SA2 create the RFC destination with exactly the same name as your logical system defined in step 1, SA1MNDT100, pointing to the hostname or IP of SA1/mandant 100 (this links the remote logical system name with the remote SAP system SA1)
    5. Then on SA2 create a different system name SA2MNDT500 identifying mandant 500 on SA2
    6. Assign it to mandant 500 in system SA2
    7. Then on SA1 you have to tell that there is a system named SA2MNDT500 ready for communication, so you must create logical system name SA2MNDT500 in SA1 but you don't assign it to any mandant (because from SA1's point of view it is a remote system)
    8. On SA1 create the RFC destination named SA2MNDT500 pointing to SA2/mandant 500.
    Hope this clarifies your doubt.
    -- Grzegorz

  • Central User Administrator in SAP 4.7

    What are the steps for configuration of the CUA (Central User Administrator) in version SAP R3 4.7... Nobody knows....

    Try this:
    http://help.sap.com/saphelp_nw2004s/helpdata/en/08/ed591f9ff00343952f11a7b707f28a/frameset.htm
    Hope it helps.

  • Process Administrator - Enable User Administration using LDAP

    I'm using Oracle BPM 10gR3 connected to an LDAP. I would like to have business participants to be able to manage the Absence Periods (PTO) for participants, but I don't want them to have general admin privileges. I think the "Enable User Administration" checkbox on the participant screen will allow someone to do just that. But, the box is disabled due to the LDAP connection (I think). So, does anyone know:
    1. If a user has Enable User Administration checked will they be able to manage the Absence Periods for participants?
    2. How to check the box while using an LDAP to manage participants?
    I read in the Administration Guide how to: Assigning Administrative Privileges to LDAP Groups. But that's not my intent, it's only to enable the "Enable User Administration" checkbox.
    Thanks in advance.

    I solved the problem and I posted the solution into my blog, visit http://rodrigozuchetto.blogspot.com/

  • Problem setting up Central User Administration

    I'm having an issue setting up CUA successfully. I have all of the systems set up in SALE, all of the RFCs are working properly, all green lights setting up and saving the child system in SCUA. When I create a new user in the Central system, I have the new "Systems" tab. I choose the child system, then go into Roles, but every time I try to add a role, I get the error "Role Z_* does not exist in system QASCLNT300 (child)". I've executed the "Text comparison from child sys" several times. I choose QASCLNT310 (Central) for the Receiving system, execute and get a green light for "Central System QASCLNT310:OK". I am still unable to add any roles to the child client and the roles definitely exist in the child client.

    Hello Bob,
    If this issue is frequent you can schedule jobs to synchronize role information from the child to the central system:
    1. You execute the report SUSR_ZBV_GET_RECEIVER_PROFILES in the central system using transaction SA38, or schedule it regularly as a background job to collect the changed roles and profiles from the child system. You can specify the receiving system using the input help.
    2. You execute the report SUSR_ZBV_GET_RECEIVER_PROFILES in the child system using transaction SA38, or schedule it regularly as a background job to send the changed roles and profiles to the central system. You can leave the input fields empty, as the data of the child system is always sent to the central system, regardless of the entries.
    Hope this will help you, but it is advisable to reconfigure CUA again because it should not prompt for text comparison unless frequent role creation is occurring.
    Cheers,
    Rupali Bajpai

  • Central User Administration (CUA): Remote Change of User

    Dear experts,
    I have following CUA scenario within my company:
    We have a CUA which provides a couple of R/3 daughter systems/clients. Further, we have a stand-alone HR system which is also integrated in our CUA.
    I tried to create an ABAP on the HR system which changes the user master data (especially the roles of a user) on the CUA system via RFC BAPIs on a regular basis. Unfortunately it doesn't work, because I don't know the correct BAPIs to change the CUA data. BAPI_USER_ACTGROUPS_ASSIGN changes only the local R/3 user roles...
    In my opinion the CUA-specific user roles are in table USLA04, which is not changed.
    Maybe somebody had the same requirements in the past and can help me? Thank you in advance!
    My coding so far:
    REPORT  zzh_t_role_change_zbv.
    PARAMETER: i_pernr TYPE pernr-pernr DEFAULT '90000007',
               i_usrid TYPE sy-uname DEFAULT 'SCHEFFLM',
               i_date  TYPE sy-datum DEFAULT sy-datum.
    DATA: lt_bapi_return    TYPE STANDARD TABLE OF bapiret2,
          lt_profiles       TYPE STANDARD TABLE OF bapiprof,
          lt_activitygroups TYPE STANDARD TABLE OF bapiagr.
    DATA: ls_bapi_return    TYPE bapiret2,
          ls_profiles       TYPE bapiprof,
          ls_activitygroups TYPE bapiagr.
    DATA: lv_zbv_sysid     TYPE sy-sysid,
          lv_zbv_clnt      TYPE sy-mandt,
          lv_zbv_logsys    TYPE uszbvlndsc-sendsystem,
          lv_zbv_rfc_dest  TYPE rfcdes-rfcdest,
          lv_usrid_zbv_get(10).
    lv_usrid_zbv_get = i_usrid.
    *--- Central User Administration: determine the user's central system ---*
    CALL FUNCTION 'SUSR_ZBV_CENTRALSYSTEM_GET'
      EXPORTING
        delivery_model           = lv_usrid_zbv_get
      IMPORTING
        central_system_sysid     = lv_zbv_sysid
        central_system_clnt      = lv_zbv_clnt
        central_system_logsys    = lv_zbv_logsys
        central_system_rfc_dest  = lv_zbv_rfc_dest
      EXCEPTIONS
        duplicate_central_system = 1
        new_system               = 2
        OTHERS                   = 3.
    *** Errorhandling
    IF sy-subrc NE 0.
    ENDIF.
    *--- Check that the user exists ---*
    CLEAR: ls_bapi_return.
    CALL FUNCTION 'BAPI_USER_EXISTENCE_CHECK' DESTINATION lv_zbv_logsys
      EXPORTING
        username = i_usrid
      IMPORTING
        return   = ls_bapi_return.
    *** Errorhandling
    IF ls_bapi_return-id EQ '088'. "User does not exist
    *** close RFC connection
      CALL FUNCTION 'RFC_CONNECTION_CLOSE'
        EXPORTING
          destination = lv_zbv_logsys.
      EXIT.
    ENDIF.
    *--- Read the role assignments of the user ---*
    CLEAR: lt_bapi_return.
    ***************SUSR_ZBV_ROLES_RESOLVE
    CALL FUNCTION 'BAPI_USER_GET_DETAIL' DESTINATION lv_zbv_logsys
      EXPORTING
        username            = i_usrid
    * IMPORTING
    *   ADDRESS              =
    *   LASTMODIFIED         =
    *   ISLOCKED             =
      TABLES
       profiles             = lt_profiles
       activitygroups       = lt_activitygroups
       return               = lt_bapi_return.
    *** Errorhandling
    LOOP AT lt_bapi_return INTO ls_bapi_return.
    ENDLOOP.
    IF ( ls_bapi_return-type EQ 'A' ) OR
       ( ls_bapi_return-type EQ 'E' ).
    *** close RFC connection
      CALL FUNCTION 'RFC_CONNECTION_CLOSE'
        EXPORTING
          destination = lv_zbv_logsys.
      EXIT.
    ENDIF.
    *** Set validity period of the role assignment
    CLEAR: ls_activitygroups.
    LOOP AT lt_activitygroups INTO ls_activitygroups.
      ls_activitygroups-to_dat = i_date.
      MODIFY lt_activitygroups FROM ls_activitygroups.
      CLEAR: ls_activitygroups.
    ENDLOOP.
    *--- Change the entire activity group assignment (delimit in time) ---*
    CLEAR: lt_bapi_return.
    *SUSR_USER_LOCAGR_ACTGROUPS_ADD
    *SUSR_USER_CHANG
    *CALL FUNCTION 'BAPI_USER_ACTGROUPS_ASSIGN' DESTINATION lv_zbv_logsys
    *  EXPORTING
    *    username       = i_usrid
    *  TABLES
    *    activitygroups = lt_activitygroups
    *    return         = lt_bapi_return.
    *--->SUSR_USER_LOCAGR_ACTGROUPS_PUT
    *--->SUSR_USER_PROFS_BUFFER_SAVECHK
    *--->SUSR_ZBV_USER_SYSTEM_SAVE
    *--->SUSR_USER_BUFFERS_TO_DB 
    *--->SUSR_USER_GROUP_BUFFERS_TO_DB ????
    *--->SUSR_USER_PROFS_BUFFER_TO_DB ????
    *--->SUSR_USER_LOCPRO_BUFFER_TO_DB ????
    *--->SUSR_UM_USR_AGR_BUFFERS_TO_DB ????
    *--->SUSR_UM_USR_SYS_BUFFERS_TO_DB ????
    *--->SUSR_USER_AGR_BUFFER_TO_DB ????
    *--->SUSR_USER_LOCAGR_BUFFER_TO_DB ????
    *Note: profiles are not considered, since they should no longer
    *be in use (roles only)
    *--- Redistribute the changed user data to the child systems ---*
    *SUSR_ZBV_USER_SINGLE_SEND
    *SUSR_ZBV_USER_SEND_BACK
    *SUSR_USER_DISTRIBUTE
    *** close RFC connection
    CALL FUNCTION 'RFC_CONNECTION_CLOSE'
      EXPORTING
        destination = lv_zbv_logsys.

    Try BAPI_USER_LOCACTGROUPS_ASSIGN

  • NWA 7.1 - User Administration with regards to Roles/Groups

    Hello,
    Environment = NWA 7.1 , Java Stack Only , No Central User Administration
    Situation      = One group of individuals responsible for developing and maintaining Java Roles & Groups
                          (Permissions). Another group of individuals responsible for maintaining Users and
                          allocating the above Roles & Groups to the Users.
    In accordance with various documentation (i.e. http://help.sap.com/saphelp_nwpi711/helpdata/en/4a/e06f429c789041e10000000a1550b0/frameset.htm) I have set up a Role which includes the actions: UME.Manage_Roles, UME.Manage_Groups, UME.Manage_Users, UME.Manage_All_User_Passwords & UME.Read_All. This Role is intended for the second group of individuals mentioned above.
    The problem is however that with the mentioned actions they can not only allocate an user to a Role or Group but also delete the Role/Group from the system. Without the above actions in the Role it is not possible to assign Users to a Role/Group.
    This leads me to the question if it is possible to split these two various areas of responsibility or does NWA 7.1 view both activities as residing in only one group (documentation to this effect would be helpful). If not, which actions will ensure that only Users can be administered but the rights to the system (Roles/Groups) can not be tampered with.
    Many thanks in advance,
    Jay

    Hi Jay,
    UME.Manage_All Provides permissions required by an overall user administrator.
    These include:
    • Administration of users belonging to any company and
      possibility of assigning users to companies
      (In a multitenant portal, even if a tenant user is assigned this
      action, he or she will still only have access to users, groups,
      and roles in his or her tenant.)
    • Group management
    • Role assignment
    • User mapping
    • Import and export of user data
    • Manual replication of user data
    To set up delegated user administration, overall user administrators
    must belong to a role to which the UME.Manage_All action is
    assigned.
    In portal installations, any role that includes the UME.Manage_All
    action automatically has Role Assigner permissions on all portal roles in the portal installation.
    Try this.
    Regards,
    Gowrinadh

  • Use of the Standard settings tab under 'User administration'

    Hi all
    In cFolders 3.1 , user administration --> Standard Settings tab page:
    One can define the default settings for users that will be created
    The default settings defined by the user administrator here are the default settings for each user when they enter cFolders.
    My question is :-  after making this setting as above ,Will all the users created using su01 inherit the default settings ?
    What about users replicated from other systems using a batch program which copies them?
    regards
    Kedar

    Hi Kedar,
    I think I replied to your other post as well. Anyway, to answer your question - YES, these settings will apply to all users. The way it works is, once the user (created in su01) logs in, these settings will be applied as the defaults. Therefore, it should also work for users replicated from other systems using a batch program.
    Cheers,
    Lashan

  • Use of Companies in User Administration (EP6SP2)

    Hi All,
    We had initially thought of not using the "Companies" concept in our project...I have around 200 user ids already created..but just recently we decided to go ahead with the use of Companies to aid in Delegated Administration. Now I am in a peculiar position..
    1) If I create companies, how would the earlier users be
    affected...do I need to add companies in them separately?
    2) Can one super user administrator upload all users for all companies or each delegated administrator needs to upload users for his companies.
    Can someone share light on the same.
    Regards,
    Rajan.K

    Hi Rajan,
    1. When you create companies in the portal, the portal itself creates groups with same names as the companies. Hence, you will not need to maintain company in each of the users you created but just add the users to the right group.
    2. I have never tried this but I believe a user with super admin rights should be able to upload users belonging to any companies.
    See link below for documentation on delegated admin
    http://help.sap.com/saphelp_nw04/helpdata/en/a9/76bd3b57743b09e10000000a11402f/frameset.htm
    Regards,
    Aniket

  • Restrict permissions to use the groups/users/roles in User Administration

    Hello gurus,
       I want to find out if there is a way we can restrict permissions to use the GROUPS in User administration. We want to assign the user administration role to the users, but do not want the users to have permissions to DELETE groups from User administration page.
    Please also let me know, if we can just have users use the NWA to do the user administration instead of from the Portal?
    Thank you,
    ~~MK

    Hi MariaKutty,
    Koti is right, you need to create a custom User administration role from the standard role, restrict the access in the custom role and assign it to the users.
    >Please also let me know, if we can just have users use the NWA to do the user administration instead of from the Portal?
    They can do it from NWA also, if the user is not required to have the portal access.
    Hope it helps
    Regards
    Arun

  • User administration in SRM when using SUS

    Hello,
    I've some understanding problems concerning the user administration within the SUS-EBP scenario with activated business function supplier collaboration (SRM_SUCO_1) and customizing switch for SUS registration (SRM_701_SUCO_SUP_REG).
    A new potential supplier carries out the self-registration within SUS. After answering the questionnaire, I see the new supplier with corresponding contact person within the SUS user administration.
    1. Does the purchaser normally approve the suppliers within the SUS or the SRM system?
    2. In my current scenario the purchaser can log on to the SUS system and accept or decline the suppliers within the preselection screen. Is this correct? I would prefer to do this in the SRM system.
    3. In the SRM system a purchaser can
    (under strategic purchasing - business partners - central functions - preselect suppliers) preselect suppliers. Which window should open now: the preselect screen from the SRM system or directly from the SUS system?
    4. If I configure the system so that the preselection screen from the SRM system opens I can see the accepted suppliers within an OPI-based supplier directory - but now it's not possible to mark and transfer users to the SRM system! What could be my problem?
    I hope someone can describe the process to me in more detail. I've already read the corresponding documentation but without getting the full understanding of the correct process and its configuration.
    Best regards

    Hello,
    sorry for answering so late and thank you for your answer, but as I've not solved my problem I'll try to explain my current configuration and my problem.
    At the moment I've changed the role /SAPSRM/ST_PURCHASER_EHP1 in SRM, so that, if the purchaser goes to the menu point "Businesspartner-central functions-preselect supplier" the preselection screen from the SUS system is shown in a separate window.
    In this screen "Preselect Suppliers" I can see the suppliers from SUS, but I've no possibility to mark them and to transfer them to my SRM. There are no buttons to make any other action than searching and no possibility to mark the shown entries!
    As I'm with this screen within the SUS-system why do I have to configure the supplier directory within the SRM-system ?
    Where should I see the supplier directory to transfer suppliers to the SRM.
    If there's a possibility to send you some screenshots for a better illustration, please let me know.
    Sorry for asking so many questions and thanks for your patience in advance.
    Best regards
    Axel

  • Allowing non-Administrator "Users" to use AEBS (1)

    I'm getting tired of always having to "Authorize" other "Users" on my computer without Administrator Privilege when they wish to connect to my "Closed" AEBS. How can I work around this issue so all "Users" can connect to the AEBS?

    It seems that I have originally stated the happenings incorrectly. It should have been titled:
    Allowing non-Administrator (or Standard) "Users" to use the Airport Card freely
    I am both the 'Administrator' and the 'User' in this scenario.
    I log in as the 'User', without "Allow user to Administer this computer" checked in System Preferences. This is for enhanced security while surfing at home and also when using open networks on the road. This way an Authentication by the Administrator is required every time when changes to Mac OS X are about to occur.
    And, as far as I am aware, MY 'User' keychain has all the passwords I need to do what I need to do.
    It's when I am logged in as the 'User' and I go to 'Turn Airport on' (in the Apple Menu) that I get the 'Authenticate' window asking me to "Type an Administrator's name and password to make changes to Mac OS X".
    How do I get around having to 'Authenticate' every time 'User' needs to turn the Airport on?

  • Central System Administration in Workcenter - Remote Logon Issue

    Hi,
    We have a problem in our Solution Manager and we would like to know if is possible to fix it.
    We have configured Central System Administration correctly for our satellite systems. We have configured some tasks and we are able to do remote logon to run some transactions in the satellite systems.
    The problem comes in the Workcenter via web. In the workcenter we access to the Central System Administration and when we try to do remote logon to the satellite system nothing happens.
    Anyone knows if it is possible to do remote logon to the satellite systems using workcenters?
    Thanks,
    Roberto

    From the transaction SOLMAN_WORKCENTER, navigate to the System Administration tab.
    From the menu on the left select the task "Administration Tools".
    Select your system from the table on the right
    At the bottom of the screen you will see "Details for system <SID>"
    Select the client and the RFC from the drop down menu. 
    You should see a list of Tools for Application Server with corresponding TCODES.  If your selected RFC is functioning properly and the user ID specified in the RFC has the correct authorizations you should be able to log on remotely by clicking on the link provided.

  • Central system administration (CSA) in solution monitoring

    Hello,
    I want to configure my solution manager for central system administration (CSA) which is a service provided under solution monitoring of transaction dswp.
    I couldn't find any documents for this configuration.
    Could you please help me out..
    Regards,
    Gurudath Pai

    Hi Gurudath,
    If you have an s-user id, step-by-step tutor files with screenshots are available at
    https://service.sap.com/rkt-solman > Solution Manager > Solution Manager 7 > Technology Consultant & System Administrator > System Monitoring, Administration
    Before configuring CSA, you have to:
    1. Perform basic settings for Solman (use wizard based approach)
    2. Setup the system landscape
    3. Create solution
    4. Now you can configure CSA
    Revert if you need clarifications
    Prasad
