Central User Administration using EP
Hi,
Can anybody tell me how we can do central user administration using EP? My landscape has multiple SAP systems, a BW system and an EP system. How should we go about it?
Any help?
regards,
Sujesh
Hi Sujesh,
EP is not able to serve as a hub for central user administration in my opinion.
You can connect EP to several user stores like LDAP servers (including Microsoft ActiveDirectory) and SAP Systems.
So
a) you store all your users in an LDAP and connect all your SAP systems to that LDAP
b) you declare one of your SAP systems as central user administration (CUA) "master", connect all other as "slaves" and connect the EP UME to the master
But in any way - there is no GUI inside the EP where you can administer all user related things like roles from all systems, etc. This can only be done in an ABAP system.
Hth,
Michael
Similar Messages
-
Central User Administration Idoc's for a XI system
Hello,
We are setting up a Central User Administration (CUA) in Solution Manager. One of the systems that needs to be a child of this CUA is a SAP XI 2.0 system.
The distribution of the Users is done by IDocs.
Everything is working fine from the CUA to a SAP R/3 system.
But when we make the XI 2.0 a child, all the IDocs are caught by the XI IDoc adapter instead of going directly to the IDoc inbound handler of the XI system.
Has anyone been able to send an IDoc to an XI 2.0 system, bypassing the IDoc adapter and sending it directly to the XI IDoc inbound handler?
Any kind of info will be greatly appreciated.
With kind regards,
Leon Boeijen
Hi Leon,
to bypass the IDoc Adapter for specific IDocs you can specify these IDocs using the report IDX_SELECT_IDOCTYPE_WITHOUT_IS.
Kind regards,
Andreas -
Hello,
I want to realize a central user administration between two different SAP systems.
In a testing environment I realized it between two logical systems with different clients in one SAP system.
Now it should work between two hosts. For example SAP1 192.168.150.1 and SAP2 192.168.150.2. What are the differences I have to consider?
Let's take two systems with SIDs: SA1 and SA2.
1. Create logical system name SA1MNDT100 on SA1, identifying client 100 on SA1.
2. Assign it to client 100 in system SA1.
3. Then on SA2 you have to tell that there is a system named SA1MNDT100 ready for communication, so you must create logical system name SA1MNDT100 in SA2, but you don't assign it to any client (because from SA2's point of view it is a remote system).
4. Then on SA2 create the RFC destination with exactly the same name as your logical system defined in step 1, SA1MNDT100, pointing to the hostname or IP of SA1/client 100 (this links the remote logical system name with the remote SAP system SA1).
5. Then on SA2 create a different system name SA2MNDT500, identifying client 500 on SA2.
6. Assign it to client 500 in system SA2.
7. Then on SA1 you have to tell that there is a system named SA2MNDT500 ready for communication, so you must create logical system name SA2MNDT500 in SA1, but you don't assign it to any client (because from SA1's point of view it is a remote system).
8. On SA1 create the RFC destination named SA2MNDT500 pointing to SA2/client 500.
Hope this clarifies your doubt.
-- Grzegorz -
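The eight steps above can be checked mechanically once the settings of both systems are written down. The following Python sketch is an added example, not part of the original posts and not SAP code: `SapSystem`, `check_pair`, `check_landscape` and `build_example` are hypothetical names, and mapping SA1 and SA2 to the two IP addresses from the question is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class SapSystem:
    sid: str
    host: str
    # logical system name -> local client it is assigned to, or None when the
    # name is only declared because it belongs to a remote system
    logical_systems: dict = field(default_factory=dict)
    # RFC destination name -> (target host, target client)
    rfc_destinations: dict = field(default_factory=dict)


def check_pair(owner, peer):
    """Check how 'peer' sees each logical system 'owner' assigned to a client."""
    findings = []
    for name, client in owner.logical_systems.items():
        if client is None:
            continue  # only declared on 'owner'; it belongs to the other side
        if name not in peer.logical_systems:
            findings.append(f"{peer.sid}: logical system {name} is not declared")
        elif peer.logical_systems[name] is not None:
            findings.append(f"{peer.sid}: {name} is assigned to a local client "
                            f"but names a system on {owner.sid}")
        # The RFC destination must carry exactly the logical system name.
        dest = peer.rfc_destinations.get(name)
        if dest is None:
            findings.append(f"{peer.sid}: no RFC destination named {name}")
        elif dest != (owner.host, client):
            findings.append(f"{peer.sid}: RFC destination {name} points to "
                            f"{dest[0]}/client {dest[1]}, expected "
                            f"{owner.host}/client {client}")
    return findings


def check_landscape(a, b):
    """a's logical systems as seen from b, then b's as seen from a."""
    return check_pair(a, b) + check_pair(b, a)


def build_example():
    """Constructed sample: names from the steps, IP addresses from the question."""
    sa1 = SapSystem("SA1", "192.168.150.1",
                    {"SA1MNDT100": "100", "SA2MNDT500": None},
                    {"SA2MNDT500": ("192.168.150.2", "500")})
    sa2 = SapSystem("SA2", "192.168.150.2",
                    {"SA2MNDT500": "500", "SA1MNDT100": None},
                    {"SA1MNDT100": ("192.168.150.1", "100")})
    return sa1, sa2


if __name__ == "__main__":
    sa1, sa2 = build_example()
    # Break step 4: the destination on SA2 exists, but under a different name.
    sa2.rfc_destinations["SA1_RFC"] = sa2.rfc_destinations.pop("SA1MNDT100")
    for finding in check_landscape(sa1, sa2):
        print(finding)
```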
Central User Administrator in SAP 4.7
What are the steps for configuration of the CUA (Central User Administrator) in version SAP R3 4.7... Nobody knows....
Try this:
http://help.sap.com/saphelp_nw2004s/helpdata/en/08/ed591f9ff00343952f11a7b707f28a/frameset.htm
Hope it helps. -
Process Administrator - Enable User Administration using LDAP
I'm using Oracle BPM 10gR3 connected to an LDAP. I would like to have business participants to be able to manage the Absence Periods (PTO) for participants, but I don't want them to have general admin privileges. I think the "Enable User Administration" checkbox on the participant screen will allow someone to do just that. But, the box is disabled due to the LDAP connection (I think). So, does anyone know:
1. If a user has Enable User Administration checked will they be able to manage the Absence Periods for participants?
2. How to check the box while using an LDAP to manage participants?
I read in the Administration Guide how to: Assigning Administrative Privileges to LDAP Groups. But that's not my intent, it's only to enable the "Enable User Administration" checkbox.
Thanks in advance.
I solved the problem and I posted the solution on my blog, visit http://rodrigozuchetto.blogspot.com/
-
Problem setting up Central User Administration
I'm having an issue setting up CUA successfully. I have all of the systems set up in SALE, all of the RFCs are working properly, all green lights setting up and saving the child system in SCUA. When I create a new user in the Central system, I have the new "Systems" tab. I choose the child system, then go into Roles, but every time I try to add a role, I get the error "Role Z_* does not exist in system QASCLNT300 (child)". I've executed the "Text comparison from child sys" several times. I choose QASCLNT310 (Central) for the Receiving system, execute and get a green light for "Central System QASCLNT310:OK". I am still unable to add any roles to the child client and the roles definitely exist in the child client.
Hello Bob,
If this issue is frequent, you can schedule jobs to synchronise role information from the child to the central system:
1. You execute the report SUSR_ZBV_GET_RECEIVER_PROFILES in the central system using transaction SA38, or schedule it regularly as a background job to collect the changed roles and profiles from the child system. You can specify the receiving system using the input help.
2. You execute the report SUSR_ZBV_GET_RECEIVER_PROFILES in the child system using transaction SA38, or schedule it regularly as a background job to send the changed roles and profiles to the central system. You can leave the input fields empty, as the data of the child system is always sent to the central system, regardless of the entries.
Hope this will help you, but it is advisable to re-configure CUA again because it should not prompt for text comparison unless frequent role creation is occurring.
Cheers,
Rupali Bajpai -
Central User Administration (CUA): Remote Change of User
Dear experts,
I have following CUA scenario within my company:
We have a CUA which provides a couple of R/3 daughter systems/clients. Further, we have a stand-alone HR system which is also integrated in our CUA.
I tried to create an ABAP program on the HR system which changes the user master data (especially the roles of a user) on the CUA system via RFC BAPIs on a regular basis. Unfortunately it doesn't work, because I don't know the correct BAPIs to change the CUA data. BAPI_USER_ACTGROUPS_ASSIGN changes only the local R/3 user roles...
In my opinion the CUA-specific user roles are in table USLA04, which doesn't get changed.
Maybe somebody had the same requirements in the past and can help me? Thank you in advance!
My coding so far:
REPORT zzh_t_role_change_zbv.

PARAMETER: i_pernr TYPE pernr-pernr DEFAULT '90000007',
           i_usrid TYPE sy-uname DEFAULT 'SCHEFFLM',
           i_date  TYPE sy-datum DEFAULT sy-datum.

DATA: lt_bapi_return    TYPE STANDARD TABLE OF bapiret2,
      lt_profiles       TYPE STANDARD TABLE OF bapiprof,
      lt_activitygroups TYPE STANDARD TABLE OF bapiagr.

DATA: ls_bapi_return    TYPE bapiret2,
      ls_profiles       TYPE bapiprof,
      ls_activitygroups TYPE bapiagr.

DATA: lv_zbv_sysid    TYPE sy-sysid,
      lv_zbv_clnt     TYPE sy-mandt,
      lv_zbv_logsys   TYPE uszbvlndsc-sendsystem,
      lv_zbv_rfc_dest TYPE rfcdes-rfcdest,
      lv_usrid_zbv_get(10).

lv_usrid_zbv_get = i_usrid.

*--- Central User Administration: determine the user's central system ---*
CALL FUNCTION 'SUSR_ZBV_CENTRALSYSTEM_GET'
  EXPORTING
    delivery_model           = lv_usrid_zbv_get
  IMPORTING
    central_system_sysid     = lv_zbv_sysid
    central_system_clnt      = lv_zbv_clnt
    central_system_logsys    = lv_zbv_logsys
    central_system_rfc_dest  = lv_zbv_rfc_dest
  EXCEPTIONS
    duplicate_central_system = 1
    new_system               = 2
    OTHERS                   = 3.
*** Errorhandling
IF sy-subrc NE 0.
ENDIF.

*--- Check that the user exists ---*
CLEAR: ls_bapi_return.
CALL FUNCTION 'BAPI_USER_EXISTENCE_CHECK' DESTINATION lv_zbv_logsys
  EXPORTING
    username = i_usrid
  IMPORTING
    return   = ls_bapi_return.
*** Errorhandling
IF ls_bapi_return-id EQ '088'. "User does not exist
*** close RFC connection
  CALL FUNCTION 'RFC_CONNECTION_CLOSE'
    EXPORTING
      destination = lv_zbv_logsys.
  EXIT.
ENDIF.

*--- Read the user's role assignments ---*
CLEAR: lt_bapi_return.
***************SUSR_ZBV_ROLES_RESOLVE
CALL FUNCTION 'BAPI_USER_GET_DETAIL' DESTINATION lv_zbv_logsys
  EXPORTING
    username       = i_usrid
* IMPORTING
* ADDRESS =
* LASTMODIFIED =
* ISLOCKED =
  TABLES
    profiles       = lt_profiles
    activitygroups = lt_activitygroups
    return         = lt_bapi_return.
*** Errorhandling
LOOP AT lt_bapi_return INTO ls_bapi_return.
ENDLOOP.
IF ( ls_bapi_return-type EQ 'A' ) OR
   ( ls_bapi_return-type EQ 'E' ).
*** close RFC connection
  CALL FUNCTION 'RFC_CONNECTION_CLOSE'
    EXPORTING
      destination = lv_zbv_logsys.
  EXIT.
ENDIF.

*** Set the validity period of the role assignment
CLEAR: ls_activitygroups.
LOOP AT lt_activitygroups INTO ls_activitygroups.
  ls_activitygroups-to_dat = i_date.
  MODIFY lt_activitygroups FROM ls_activitygroups.
  CLEAR: ls_activitygroups.
ENDLOOP.

*--- Change the entire activity group assignment (delimit validity) ---*
CLEAR: lt_bapi_return.
*SUSR_USER_LOCAGR_ACTGROUPS_ADD
*SUSR_USER_CHANG
*CALL FUNCTION 'BAPI_USER_ACTGROUPS_ASSIGN' DESTINATION lv_zbv_logsys
* EXPORTING
* username = i_usrid
* TABLES
* activitygroups = lt_activitygroups
* return = lt_bapi_return.
*--->SUSR_USER_LOCAGR_ACTGROUPS_PUT
*--->SUSR_USER_PROFS_BUFFER_SAVECHK
*--->SUSR_ZBV_USER_SYSTEM_SAVE
*--->SUSR_USER_BUFFERS_TO_DB
*--->SUSR_USER_GROUP_BUFFERS_TO_DB ????
*--->SUSR_USER_PROFS_BUFFER_TO_DB ????
*--->SUSR_USER_LOCPRO_BUFFER_TO_DB ????
*--->SUSR_UM_USR_AGR_BUFFERS_TO_DB ????
*--->SUSR_UM_USR_SYS_BUFFERS_TO_DB ????
*--->SUSR_USER_AGR_BUFFER_TO_DB ????
*--->SUSR_USER_LOCAGR_BUFFER_TO_DB ????
*Note: profiles are not taken into account, as they should no longer
*be in use (roles only)

*--- Redistribute the changed user data to the child systems ---*
*SUSR_ZBV_USER_SINGLE_SEND
*SUSR_ZBV_USER_SEND_BACK
*SUSR_USER_DISTRIBUTE

*** close RFC connection
CALL FUNCTION 'RFC_CONNECTION_CLOSE'
  EXPORTING
    destination = lv_zbv_logsys.
Try BAPI_USER_LOCACTGROUPS_ASSIGN
-
NWA 7.1 - User Administration with regards to Roles/Groups
Hello,
Environment = NWA 7.1 , Java Stack Only , No Central User Administration
Situation = One group of individuals responsible for developing and maintaining Java Roles & Groups
(Permissions). Another group of individuals responsible for maintaining Users and
allocating the above Roles & Groups to the Users.
In accordance with various documentation (i.e. http://help.sap.com/saphelp_nwpi711/helpdata/en/4a/e06f429c789041e10000000a1550b0/frameset.htm) I have set up a Role which includes the actions: UME.Manage_Roles, UME.Manage_Groups, UME.Manage_Users, UME.Manage_All_User_Passwords & UME.Read_All. This Role is intended for the second group of individuals mentioned above.
The problem, however, is that with the mentioned actions they can not only allocate a user to a Role or Group but also delete the Role/Group from the system. Without the above actions in the Role it is not possible to assign Users to a Role/Group.
This leads me to the question of whether it is possible to split these two areas of responsibility, or does NWA 7.1 view both activities as residing in only one group (documentation to this effect would be helpful). If not, which actions will ensure that only Users can be administered but the rights to the system (Roles/Groups) cannot be tampered with?
Many thanks in advance,
Jay
Hi Jay,
UME.Manage_All provides permissions required by an overall user administrator.
These include:
• Administration of users belonging to any company and possibility of assigning users to companies (In a multitenant portal, even if a tenant user is assigned this action, he or she will still only have access to users, groups, and roles in his or her tenant.)
• Group management
• Role assignment
• User mapping
• Import and export of user data
• Manual replication of user data
To set up delegated user administration, overall user administrators must belong to a role to which the UME.Manage_All action is assigned.
In portal installations, any role that includes the UME.Manage_All action automatically has Role Assigner permissions on all portal roles in the portal installation.
Try this.
Regards,
Gowrinadh -
Use of the Standard settings tab under 'User administration'
Hi all
In cFolders 3.1, user administration --> Standard Settings tab page:
One can define the default settings for users that will be created.
The default settings defined by the user administrator here are the default settings for each user when they enter cFolders.
My question is: after making this setting as above, will all the users created using su01 inherit the default settings?
What about users replicated from other systems using a batch program which copies them?
regards
Kedar
Hi Kedar,
I think I replied to your other post as well. Anyway, to answer your question - YES, these settings will apply to all users. The way it works is, once the user (created in su01) logs in, these settings will be applied as the defaults. Therefore, it should also work for users replicated from other systems using a batch program.
Cheers,
Lashan -
Use of Companies in User Administration (EP6SP2)
Hi All,
We had initially thought of not using the "Companies" concept in our project...I have around 200 user ids already created..but just recently we decided to go ahead with the use of Companies to aid in Delegated Administration. Now I am in a peculiar position..
1) If I create companies, how would the earlier users be affected... do I need to add companies in them separately?
2) Can one super user administrator upload all users for all companies, or does each delegated administrator need to upload users for his companies?
Can someone shed light on the same?
Regards,
Rajan.K
Hi Rajan,
1. When you create companies in the portal, the portal itself creates groups with same names as the companies. Hence, you will not need to maintain company in each of the users you created but just add the users to the right group.
2. I have never tried this but I believe a user with super admin rights should be able to upload users belonging to any companies.
See link below for documentation on delegated admin
http://help.sap.com/saphelp_nw04/helpdata/en/a9/76bd3b57743b09e10000000a11402f/frameset.htm
Regards,
Aniket -
Restrict permissions to use the groups/users/roles in User Administration
Hello gurus,
I want to find out if there is a way we can restrict permissions to use the GROUPS in User administration. We want to assign the user administration role to the users, but do not want the users to have permissions to DELETE groups from User administration page.
Please also let me know, if we can just have users use the NWA to do the user administration instead of from the Portal?
Thank you,
~~MK
Hi MariaKutty,
Koti is right, you need to create a custom User administration role from the standard role, restrict the access in the custom role and assign it to the users.
>Please also let me know, if we can just have users use the NWA to do the user administration instead of from the Portal?
They can do it from NWA as well, if the user is not required to have portal access.
Hope it helps
Regards
Arun -
User administration in SRM when using SUS
Hello,
I have some problems understanding the user administration within the SUS-EBP scenario with activated business function supplier collaboration (SRM_SUCO_1) and customizing switch for SUS registration (SRM_701_SUCO_SUP_REG).
A new potential supplier carries out the self-registration within SUS. After answering the questionnaire, I see the new supplier with the corresponding contact person within the SUS user administration.
1. Does the purchaser normally approve the suppliers within the SUS or the SRM system?
2. In my current scenario the purchaser can log on to the SUS system and accept or decline the suppliers within the preselection screen. Is this correct? I would prefer to do this in the SRM system.
3. In the SRM system a purchaser can preselect suppliers (under strategic purchasing - business partners - central functions - preselect suppliers). Which window should open now: the preselect screen from the SRM system or directly from the SUS system?
4. If I configure the system so that the preselection screen from the SRM system opens, I can see the accepted suppliers within an OPI-based supplier directory - but now it's not possible to mark and transfer users to the SRM system! What could be my problem?
I hope someone can describe the process to me in more detail. I've already read the corresponding documentation but without getting a full understanding of the correct process and its configuration.
Best regards
Hello,
sorry for answering so late and thank you for your answer, but as I've not solved my problem I'll try to explain my current configuration and my problem.
At the moment I've changed the role /SAPSRM/ST_PURCHASER_EHP1 in SRM, so that, if the purchaser goes to the menu item "Businesspartner-central functions-preselect supplier", the preselection screen from the SUS system is shown in a separate window.
In this screen "Preselect Suppliers" I can see the suppliers from SUS, but I have no possibility to mark them and to transfer them to my SRM. There are no buttons to take any action other than searching and no possibility to mark the shown entries!
As I'm within the SUS system with this screen, why do I have to configure the supplier directory within the SRM system?
Where should I see the supplier directory to transfer suppliers to the SRM?
If there's a possibility to send you some screenshots for a better illustration, please let me know.
Sorry for asking so many questions and thanks for your patience in advance.
Best regards
Axel -
Allowing non-Administrator "Users" to use AEBS (1)
I'm getting tired of always having to "Authorize" other "Users" on my computer without Administrator Privilege when they wish to connect to my "Closed" AEBS. How can I work around this issue so all "Users" can connect to the AEBS?
It seems that I originally stated the happenings incorrectly. It should have been titled:
Allowing non-Administrator (or Standard) "Users" to use the Airport Card freely
I am both the 'Administrator' and the 'User' in this scenario.
I log in as the 'User', without "Allow user to Administer this computer" checked in System Preferences. This is for enhanced security while surfing at home and also when using open networks on the road. This way an Authentication by the Administrator is required every time when changes to Mac OS X are about to occur.
And, as far as I am aware, MY 'User' keychain has all the passwords I need to do what I need to do.
It's when I am logged in as the 'User' and I go to 'Turn Airport on' (in the Apple Menu) that I get the 'Authenticate' window asking me to "Type an Administrator's name and password to make changes to Mac OS X".
How do I get around having to 'Authenticate' every time 'User' needs to turn the Airport on? -
Central System Administration in Workcenter - Remote Logon Issue
Hi,
We have a problem in our Solution Manager and we would like to know if is possible to fix it.
We have configured Central System Administration correctly for our satellite systems. We have configured some tasks and we are able to do remote logon to run some transactions in the satellite systems.
The problem comes in the Workcenter via web. In the workcenter we access the Central System Administration and when we try to do remote logon to the satellite system nothing happens.
Does anyone know if it is possible to do remote logon to the satellite systems using workcenters?
Thanks,
Roberto
From the transaction SOLMAN_WORKCENTER, navigate to the System Administration tab.
From the menu on the left select the task "Administration Tools".
Select your system from the table on the right.
At the bottom of the screen you will see "Details for system <SID>"
Select the client and the RFC from the drop down menu.
You should see a list of Tools for Application Server with corresponding TCODES. If your selected RFC is functioning properly and the user ID specified in the RFC has the correct authorizations you should be able to log on remotely by clicking on the link provided. -
Central system administration (CSA) in solution monitoring
Hello,
I want to configure my solution manager for central system administration (CSA) which is a service provided under solution monitoring of transaction dswp.
I couldn't find any documents for this configuration.
Could you please help me out?
Regards,
Gurudath Pai
Hi Gurudath,
If you have an s-user id, step-by-step tutor files with screenshots are available at
https://service.sap.com/rkt-solman > Solution Manager > Solution Manager 7 > Technology Consultant & System Administrator > System Monitoring, Administration
Before configuring CSA, you have to:
1. Perform basic settings for Solman (use wizard based approach)
2. Setup the system landscape
3. Create solution
4. Now you can configure CSA
Revert if you need clarifications
Prasad