CUA and EHP4

Hello All,
We have to implement EHP4 in Production environment which has CUA.
Is it necassary to disable CUA before starting EHP4? Also, what could be the errors/ consequences that could occur due to CUA? If we disable CUA, what phases do we need to disable the CUA?
Please advise asap.
Thanks,
Antarpreet

Hi,
As such there is no separate procedure for EHP4 upgrade for those system on which CUA is also there. But after upgrade, some security related issues come which you can check in SU25. For these issues, you need to give some attention as your system is CUA.
Also, as per SAP note 1245473, below issue can come:
If after the enhancement package installation you face an issue with the CUA load in your SAP system, delete the CUA load using report "RSLANG20" as described in SAP Note 110910.
Thanks
Sunny

Similar Messages

  • Integrate GRC 10.1 with CUA and how to import roles from CUA & Child systems into GRC for provisioning

    Hello,
    I am trying to integrate CUA into our GRC 10.1 system through the below steps and so far I have completed the below steps following SAP Notes 1680108 and 1616121:
    1. Connected CUABOX to GRCBOX like a plug-in system.
    2. Updated CUA Global System and CUA Model Distribution in Maintain CUA settings under User Provisioning.
    3. Next I am trying to import the roles from CUA(CUABOX) into GRC(GRCBOX) to be able to provision roles in CUA Child Systems(ECCBOX).
    After reading few discussions in SCN, I have figured that we have to download a template in Role Import and populate it accordingly to upload the CUA child system roles into GRC system for provisioning in CUA Child Systems.
    Unfortunately, this template has multiple fields and I am unable to determine the fields that should be populated as CUA Global System and CUA Child System to import into GRC. Also, when we upload CUA Child System Roles template what selections should be made in Role Import window.
    Any help in this regard is very helpful.
    Thank you,
    Pawan

    Hi Alessandro,
    I have "Create user if does not exist" setting checked for both change action and assign role action and also have CUA enabled. Here is the list of steps that I am performing:
    1. Create an access request for new account, T-CUA_CHILD and select a role from a child system ECC Z_ECC_ROLE_IN_CHILD_SYSTEM.
    2. Approvals provided to assign the ECC role.
    3. I see the following in GRFNMW_DBGMONITOR_WD.
               Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage              GRAC_SECURITY
                   New User:T-CUA_CHILD created in System(s): ECC (created without role assignments)
                   T-CUA_CHILD User does not exist in target system CUA
    GRC created an account without role assignment in ECC but also throwed me an error that the user does not exist in CUA.
    However, if I select roles from both CUA and ECC it creates the account in both systems with the selected role assignments.
    So I am wondering if there is way to provide CUA access to users by default for new account requests types. I have tried setting up default roles for CUA but it does not assign the roles by default until I select the CUA system.
    Thank you for your help!
    Pawan

  • How to create automatically users&roles in CUA and in chlid systems?

    Hi,
    i have a CUA on a 2 chlid R/3 systems (test and training) and 2 portal systems (test and training).
    i need to create a web application to create automatically users test and users training in CUA and see them in the R/3 chlid systems and at the same time to create autmatically a roles in CUA and R/3 chlid systems for those users (we sppose that the role is already stored in a table).
    are there any standard BAPI or Funcion modules that can do this job?
    is the role created automatically in CUA can be seen automaticall in the portal child system?
    any help?
    Thanks&Best regards

    You can use one of the various ways Java EE provides you, e.g. container managed authentication.
    It's also all in the Java EE tutorial: [http://java.sun.com/javaee/5/docs/tutorial/doc/bncas.html].
    You can configure it in the application server as well: [http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html].
    Here is an example how to use it in JSF: [http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/].

  • How to create automatically users&roles in CUA and child systems

    Hi,
    i have a CUA on a 2 chlid R/3 systems (test and training) and 2 portal systems (test and training).
    i need to create a web application to create automatically users test and users training in CUA and see them in the R/3 chlid systems and at the same time to create autmatically a roles in CUA and R/3 chlid systems for those users (we sppose that the role is already stored in a table).
    are there any standard BAPI or Funcion modules that can do this job?
    is the role created automatically in CUA can be seen automaticall in the portal child system?
    any help?
    Thanks&Best regards

    Thank you all. I got the solution.
    Regards
    Rajesh

  • Integrate Password CUA and Active Directory (AD)

    Hello Everybody,
    We have integrated AD with our CUA system.
    Is it possible integrated the same password CUA and AD?
    How can I configure this?
    Thank you,
    Luciana

    Luciana,
    I am not sure if you are aware, but the Active Directory domain controller uses a protocol called Kerberos to authenticate a user when they logon to the domain. Therefore, to logon to SAP in the way you require it is best to use Kerberos so that the credentials for the user already available on the workstation, in the credentials cache can be used to securely authenticate the same user to the SAP system, e.g. CUA ABAP via SAP GUI. This means that no passwords need to be transmitted or stored anywhere, and the only authentication needed is that already done using Active Directory when the user logs onto their Workstation. Also, you can use this method to encrypt the communications - giving you added benefit, rather than just using the authentication provided.
    This is achieved using an interface which SAP provided in SAP GUI and in SAP application servers called SNC (Secure Network Communications). For SNC to work, you need a GSS-API library installed on each workstation where SAP GUI is installed, and on the app servers you want to logon to using this secure authentication method. SAP provide SNC libraries, but they are only available if your SAP app server is on Windows. In your case where SAP is on HP/UX, you need to use an SNC library available from a SAP partner. This partner will provide you with all the software and support you need to make the solution work, and meet your needs.
    I would like to recommend one such partner, but I am biased because I work for the vendor providing this product :-). The partner is called CyberSafe. You can make contact with me offline and I can arrange a free evaluation of the products, or you can visit the CyberSafe website at <a href="http://www.cybersafe.com/links/snc.htm">this site</a> to find out more. Or, you may decide to look for other partners who have solutions to help you, in which case you need to look on the SAP website for SAP SNC partners.
    I hope this is useful ?
    Thanks,
    Tim

  • Delete the old CUA and build a new CUA on the Solution Manager

    Hello together,
    I'm about to delete the old CUA and build a new CUA on the Solution Manager.
    The users are in multiple systems almost the same.
    This raises the following questions:
    If I export the printers from the old CUA in a file and import into the new CUA (Solution Manager, then the printer can be administered directly in Solman?
    Furthermore, if I depended on the second or third child System  and attached to the new CUA, the user description data are not overwritten, as bsp: with the description data of the last-connected system?
    By delete the CUA child system in which users are blocked. Can you handle it?
    I thank you in advance
    Mirsad

    > If I export the printers from the old CUA in a file and import into the new CUA (Solution Manager, then the printer can be administered directly in Solman?
    -->the assignment of printers, not the printers themselves of course....
    > Furthermore, if I depended on the second or third child System  and attached to the new CUA, the user description data are not overwritten, as bsp: with the description data of the last-connected system?
    If you mean adress data, already existing adresses are not overwritten. Such users will show up in scug as 'identical' or different' and can be handled accordingly.
    > By delete the CUA child system in which users are blocked. Can you handle it?
    Users without assignement to the central system get a global lock if the cua is removed in the central system. They still exist in usr02 in the central system, but with the global lock flag as indication, that they existed only for adminstrative means. The local lock flags in the child systems stay untouched. So if you take over these users into the new CUA they get the correct lock flag form the child system.
    b.rgds, Bernhard

  • Synchronisation of CUA and satelite system

    we have implemented CUA and 3 satelite systems (PROD, TEST, QAS). By accident the complete user-access information has been deleted in QAS. Is there any possibility to push the information from CUA again into QAS to synchronize CUA and satelite system?

    HI Dagmor,
    Find CAU cookbook:http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/fe4f76cc-0601-0010-55a3-c4a1ab8397b1?quicklink=index&overridelayout=true
    But it would be good if more elaborate your problem "user-access information has been deleted" like what you did in system. So that we can check and support you with better solution.
    Hope this helps..

  • Technical news brought with EHP3 and EHP4 compared to ECC6

    Hello,
    I was looking through the release notes for EHP3 and EHP4.
    But I'm unable to focus on the technical news. It is sorted by functional modules or industries.
    Can someone provide me the main tehnical news (printing forms, abap codes, ..) that are included ?
    Or do you know how I can find the technical improvements of these packages ? 
    Thanks in advance for your help

    Hello,
    Thanks for your help but those sites are more functional oriented.
    I already knew the release notes, but the solution browser is really helpful.
    I rather meant the technical tools like PDF forms for example
    Are they improvements in the différent editors, or new methods to help coding.
    Thanks in advance
    Regards

  • EHP3 and EHP4 compatibiltiy

    Hi All,
    In my project, client had asked to work on EHP4, now the requirements have changed to install few reports in EHP3.
    but there are some financial reports tht i have installed and loaded data and they are working fine in the BI system w.r.t EHP4.
    Now I need to install some EHP3 Financial reports
    Please respond if there will be any issues to have both EHP4 and EHP3 reports in the same BI system?
    thnx
    sneha
    Edited by: Sneha Santhanakrishnan on May 12, 2010 9:58 AM

    As I understood, EHP3 and EHP4 are two sorcxe system and you want to run the reports in the same BI box w.r.to these two source system. This can be done. There should not be a proble. You will be having two datasource that will corresponds to these two siurce syatem respectively.
    Thanks.
    Shambhu

  • CUA and SU10: unexpected deletion in all child systems

    Hi,
    I am facing with a problem with SU10 and CUA.
    I have updated a lot of users with SU10 in CUA. For 20 users in a child system, I first add a new role, everything is fine. Then I perform a remove of a old role (I know that the end date will be changed), everything is fine except for one user. All roles were removed from all systems where the user is defined ! However, when I look in each child systems, it is not the case, the roles are well present except in the child sytem for which I do the remove.
    This problem occurs twice, for different users. It is a real problem because we have to adapt a lot of users.
    I have reinstalled the 'missing' roles with SCUG and with the change document for users but it can be a workaround because I have discovered this by chance. I can imagine check all users after each run of SU10.
    Hope someone can help me.
    Regards

    Hi Olivier,
    that sounds like you are facing the problem corrected with sap note #1117530......
    The removal shows up only at the next change of a user, the actual deletion of role assignements because of the copy might have happend already some time ago.....
    b.rgds, Bernhard

  • CUA and Risk Analysis

    We have installed GRC 5.3 AC and using it with CUA. Connector names are same as names in CUA.
    While doing Risk Analysis for user in Master system, it shows violations. For same user, when I do risk analysis in child system (which has same roles) it does not show any violations.
    Are we missing anything?
    Thanks,

    Thanks,
    I checked those notes but it talks about Analysis from CUP where as I'm currently looking into Risk Analysis from RAR only.
    I checked with another user-id with different roles but it shows violation in both Master and Child system. Wehre as earlier user-id still shows violation in Master system only even though roles are same in both systems.
    So, i suspect some of rules are not generated (i ran rule generation again).
    Is there any way to check/generate rules for particular system?

  • CUA and E-Recruiting

    Has anyone used E-Recruiting with CUA?  Or does it need to be left out of our landscape for CUA?
    The issue is when an external candidate attempts to register thru E-Recruitment, we receive an error mesage that you are not authorized to create a user.
    Is this simply an authorization error or is it because CUA controls each landscape?

    Hi Doug,
    Theres lots of different notes and info in this <a href="http://sap.ittoolbox.com/groups/technical-functional/sap-hr/erecruitment-setup-to-the-portal-810614">Thread.</a>
    Regards
    Juan

  • Help with CUA and modifying user "own profile".

    Hey guys,
    We just implemented CUA in our enviornemnt, and have run into the system.
    I understand why all accounts now get modified in the central system, however, our users are asking to be able to still modify thier account defaults (i.e. hour format, numbering format, etc) in SU3 (system ->user profile -> own data)...  however the CUA has removed this option from all clients connected to it.
    Is it possible to still have this functionality?
    Thanks everyone for any info.
    Richard

    Hi Richard,
    It is possible to change multiple attributes and the changes are executed according to
    the setting associated with each attribute. Therefore, global attributes are changed in
    the central system and distributed and those attributes that are to be maintained locally
    are filtered out and not changed.Local attributes should be maintained using the maintenance functions
    (SU3) in the child systems. So you will have to change the settings in The central system to allow this to be maintained from the child system.
    Many Regards,
    Harimander Singh.

  • CUA and role assignment

    Hi forum,
    I have a CUA configured where I want the profile and the role assignment to be distributed global from the central system. I can create new roles with PFCG assign, users there, but I don’t see these new roles in the user details in SU01.
    What am I doing wrong?
    Thank you!

    Hi Chris,
    Seems pretty simple to me. Since it is a new role you need to do a text comparision.
    In the central system of CUA execute the report SUSR_ZBV_GET_RECEIVER_PROFILES in SE38 transaction.
    In receiving systems give all the systems that are part of CUA including the central system (in this particular case only central system can be input since the new role is present in central system) Now execute it and then do the role assignment wither through SU01 or PFCG once again. Check once more.
    After every new role creation this report needs to be executed. This is what is known as Text comparison of roles which can also be done in SU01. Check for the pushbutton for text comparision under tabsrtip Roles within SU01.
    Regards.
    Ruchit.

  • SPDD & SPAU  and EhP4  before or after ?

    Hello all
                  We intend to go for upgrade from 4.6c to ECC6 with EHP4 ..We are planning to have SPDD & SPAU first then install EhP4 and then  again SPDD & SPAU. But my question is in order to save time can we skip the initial SPDD & SPAU analysis n fixation part and directly go to EhP4 installation and then do the SPDD & SPAU analysis .?
    Please help
    Thanks & Regards
    Nilesh

    Hello Friend,
    Rgrding the SPAU and SPDD...I would suggest that the way you have taken is correct...
    Because you are upgrading ECC6 from 4.6c and i can expect there are lot of customization!
    so first to SPAU & SPDD after ECC6 again after ENh4 (because enhancement package can bring some new feature alongside the ECC6)...
    In that way it is easy to maintain the system and existing code...
    good luck
    Rgrds
    Krish

Maybe you are looking for