CUA and EHP4
Hello All,
We have to implement EHP4 in Production environment which has CUA.
Is it necessary to disable CUA before starting EHP4? Also, what could be the errors/consequences that could occur due to CUA? If we disable CUA, in what phases do we need to disable the CUA?
Please advise asap.
Thanks,
Antarpreet
Hi,
As such there is no separate procedure for EHP4 upgrade for those systems on which CUA is also there. But after the upgrade, some security-related issues come up which you can check in SU25. For these issues, you need to give some attention as your system is CUA.
Also, as per SAP note 1245473, below issue can come:
If after the enhancement package installation you face an issue with the CUA load in your SAP system, delete the CUA load using report "RSLANG20" as described in SAP Note 110910.
Thanks
Sunny
Similar Messages
-
Hello,
I am trying to integrate CUA into our GRC 10.1 system through the below steps and so far I have completed the below steps following SAP Notes 1680108 and 1616121:
1. Connected CUABOX to GRCBOX like a plug-in system.
2. Updated CUA Global System and CUA Model Distribution in Maintain CUA settings under User Provisioning.
3. Next I am trying to import the roles from CUA(CUABOX) into GRC(GRCBOX) to be able to provision roles in CUA Child Systems(ECCBOX).
After reading few discussions in SCN, I have figured that we have to download a template in Role Import and populate it accordingly to upload the CUA child system roles into GRC system for provisioning in CUA Child Systems.
Unfortunately, this template has multiple fields and I am unable to determine the fields that should be populated as CUA Global System and CUA Child System to import into GRC. Also, when we upload CUA Child System Roles template what selections should be made in Role Import window.
Any help in this regard is very helpful.
Thank you,
Pawan
Hi Alessandro,
I have "Create user if does not exist" setting checked for both change action and assign role action and also have CUA enabled. Here is the list of steps that I am performing:
1. Create an access request for new account, T-CUA_CHILD and select a role from a child system ECC Z_ECC_ROLE_IN_CHILD_SYSTEM.
2. Approvals provided to assign the ECC role.
3. I see the following in GRFNMW_DBGMONITOR_WD.
Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage GRAC_SECURITY
New User:T-CUA_CHILD created in System(s): ECC (created without role assignments)
T-CUA_CHILD User does not exist in target system CUA
GRC created an account without role assignment in ECC but also threw me an error that the user does not exist in CUA.
However, if I select roles from both CUA and ECC it creates the account in both systems with the selected role assignments.
So I am wondering if there is way to provide CUA access to users by default for new account requests types. I have tried setting up default roles for CUA but it does not assign the roles by default until I select the CUA system.
Thank you for your help!
Pawan -
How to create automatically users&roles in CUA and in child systems?
Hi,
I have a CUA on 2 child R/3 systems (test and training) and 2 portal systems (test and training).
I need to create a web application to create automatically users test and users training in CUA and see them in the R/3 child systems and at the same time to create automatically roles in CUA and R/3 child systems for those users (we suppose that the role is already stored in a table).
Are there any standard BAPI or Function modules that can do this job?
Can the role created automatically in CUA be seen automatically in the portal child system?
Any help?
Thanks & Best regards
You can use one of the various ways Java EE provides you, e.g. container managed authentication.
It's also all in the Java EE tutorial: [http://java.sun.com/javaee/5/docs/tutorial/doc/bncas.html].
You can configure it in the application server as well: [http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html].
Here is an example how to use it in JSF: [http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/]. -
How to create automatically users&roles in CUA and child systems
Hi,
I have a CUA on 2 child R/3 systems (test and training) and 2 portal systems (test and training).
I need to create a web application to create automatically users test and users training in CUA and see them in the R/3 child systems and at the same time to create automatically roles in CUA and R/3 child systems for those users (we suppose that the role is already stored in a table).
Are there any standard BAPI or Function modules that can do this job?
Can the role created automatically in CUA be seen automatically in the portal child system?
Any help?
Thanks & Best regards
Thank you all. I got the solution.
Regards
Rajesh -
Integrate Password CUA and Active Directory (AD)
Hello Everybody,
We have integrated AD with our CUA system.
Is it possible to integrate the same password for CUA and AD?
How can I configure this?
Thank you,
Luciana
Luciana,
I am not sure if you are aware, but the Active Directory domain controller uses a protocol called Kerberos to authenticate a user when they logon to the domain. Therefore, to logon to SAP in the way you require it is best to use Kerberos so that the credentials for the user already available on the workstation, in the credentials cache can be used to securely authenticate the same user to the SAP system, e.g. CUA ABAP via SAP GUI. This means that no passwords need to be transmitted or stored anywhere, and the only authentication needed is that already done using Active Directory when the user logs onto their Workstation. Also, you can use this method to encrypt the communications - giving you added benefit, rather than just using the authentication provided.
This is achieved using an interface which SAP provided in SAP GUI and in SAP application servers called SNC (Secure Network Communications). For SNC to work, you need a GSS-API library installed on each workstation where SAP GUI is installed, and on the app servers you want to logon to using this secure authentication method. SAP provide SNC libraries, but they are only available if your SAP app server is on Windows. In your case where SAP is on HP/UX, you need to use an SNC library available from a SAP partner. This partner will provide you with all the software and support you need to make the solution work, and meet your needs.
I would like to recommend one such partner, but I am biased because I work for the vendor providing this product :-). The partner is called CyberSafe. You can make contact with me offline and I can arrange a free evaluation of the products, or you can visit the CyberSafe website at [http://www.cybersafe.com/links/snc.htm] to find out more. Or, you may decide to look for other partners who have solutions to help you, in which case you need to look on the SAP website for SAP SNC partners.
I hope this is useful?
Thanks,
Tim -
Delete the old CUA and build a new CUA on the Solution Manager
Hello together,
I'm about to delete the old CUA and build a new CUA on the Solution Manager.
The users are in multiple systems almost the same.
This raises the following questions:
If I export the printers from the old CUA in a file and import into the new CUA (Solution Manager), then the printer can be administered directly in Solman?
Furthermore, if I depended on the second or third child System and attached to the new CUA, the user description data are not overwritten, e.g. with the description data of the last-connected system?
By delete the CUA child system in which users are blocked. Can you handle it?
I thank you in advance
Mirsad
> If I export the printers from the old CUA in a file and import into the new CUA (Solution Manager), then the printer can be administered directly in Solman?
-->the assignment of printers, not the printers themselves of course....
> Furthermore, if I depended on the second or third child System and attached to the new CUA, the user description data are not overwritten, e.g. with the description data of the last-connected system?
If you mean address data, already existing addresses are not overwritten. Such users will show up in scug as 'identical' or 'different' and can be handled accordingly.
> By delete the CUA child system in which users are blocked. Can you handle it?
Users without assignment to the central system get a global lock if the CUA is removed in the central system. They still exist in usr02 in the central system, but with the global lock flag as indication that they existed only for administrative means. The local lock flags in the child systems stay untouched. So if you take over these users into the new CUA they get the correct lock flag from the child system.
b.rgds, Bernhard -
Synchronisation of CUA and satellite system
We have implemented CUA and 3 satellite systems (PROD, TEST, QAS). By accident the complete user-access information has been deleted in QAS. Is there any possibility to push the information from CUA again into QAS to synchronize CUA and satellite system?
Hi Dagmor,
Find the CUA cookbook: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/fe4f76cc-0601-0010-55a3-c4a1ab8397b1?quicklink=index&overridelayout=true
But it would be good if you elaborate more on your problem "user-access information has been deleted", like what you did in the system, so that we can check and support you with a better solution.
Hope this helps.. -
Technical news brought with EHP3 and EHP4 compared to ECC6
Hello,
I was looking through the release notes for EHP3 and EHP4.
But I'm unable to focus on the technical news. It is sorted by functional modules or industries.
Can someone provide me the main technical news (printing forms, ABAP codes, ..) that are included?
Or do you know how I can find the technical improvements of these packages?
Thanks in advance for your help
Hello,
Thanks for your help but those sites are more functional oriented.
I already knew the release notes, but the solution browser is really helpful.
I rather meant the technical tools, like PDF forms for example.
Are there improvements in the different editors, or new methods to help coding?
Thanks in advance
Regards -
Hi All,
In my project, the client had asked to work on EHP4; now the requirements have changed to install a few reports in EHP3.
But there are some financial reports that I have installed and loaded data for, and they are working fine in the BI system w.r.t. EHP4.
Now I need to install some EHP3 Financial reports.
Please respond if there will be any issues with having both EHP4 and EHP3 reports in the same BI system?
thnx
sneha
Edited by: Sneha Santhanakrishnan on May 12, 2010 9:58 AM
As I understood, EHP3 and EHP4 are two source systems and you want to run the reports in the same BI box w.r.t. these two source systems. This can be done. There should not be a problem. You will be having two datasources that will correspond to these two source systems respectively.
Thanks.
Shambhu -
CUA and SU10: unexpected deletion in all child systems
Hi,
I am facing a problem with SU10 and CUA.
I have updated a lot of users with SU10 in CUA. For 20 users in a child system, I first add a new role, everything is fine. Then I perform a remove of an old role (I know that the end date will be changed), everything is fine except for one user. All roles were removed from all systems where the user is defined! However, when I look in each child system, it is not the case, the roles are well present except in the child system for which I do the remove.
This problem occurs twice, for different users. It is a real problem because we have to adapt a lot of users.
I have reinstalled the 'missing' roles with SCUG and with the change document for users but it can be a workaround because I have discovered this by chance. I can imagine check all users after each run of SU10.
Hope someone can help me.
Regards
Hi Olivier,
that sounds like you are facing the problem corrected with SAP note #1117530......
The removal shows up only at the next change of a user, the actual deletion of role assignments because of the copy might have happened already some time ago.....
b.rgds, Bernhard -
We have installed GRC 5.3 AC and using it with CUA. Connector names are same as names in CUA.
While doing Risk Analysis for user in Master system, it shows violations. For same user, when I do risk analysis in child system (which has same roles) it does not show any violations.
Are we missing anything?
Thanks,
Thanks,
I checked those notes but they talk about Analysis from CUP, whereas I'm currently looking into Risk Analysis from RAR only.
I checked with another user-id with different roles but it shows violation in both Master and Child system. Whereas the earlier user-id still shows violation in Master system only even though roles are same in both systems.
So, i suspect some of rules are not generated (i ran rule generation again).
Is there any way to check/generate rules for particular system? -
Has anyone used E-Recruiting with CUA? Or does it need to be left out of our landscape for CUA?
The issue is when an external candidate attempts to register thru E-Recruitment, we receive an error message that you are not authorized to create a user.
Is this simply an authorization error or is it because CUA controls each landscape?
Hi Doug,
There's lots of different notes and info in this thread: [http://sap.ittoolbox.com/groups/technical-functional/sap-hr/erecruitment-setup-to-the-portal-810614]
Regards
Juan -
Help with CUA and modifying user "own profile".
Hey guys,
We just implemented CUA in our environment, and have run into the system.
I understand why all accounts now get modified in the central system, however, our users are asking to be able to still modify their account defaults (i.e. hour format, numbering format, etc) in SU3 (system -> user profile -> own data)... however the CUA has removed this option from all clients connected to it.
Is it possible to still have this functionality?
Thanks everyone for any info.
Richard
Hi Richard,
It is possible to change multiple attributes and the changes are executed according to the setting associated with each attribute. Therefore, global attributes are changed in the central system and distributed and those attributes that are to be maintained locally are filtered out and not changed. Local attributes should be maintained using the maintenance functions (SU3) in the child systems. So you will have to change the settings in the central system to allow this to be maintained from the child system.
Many Regards,
Harimander Singh. -
Hi forum,
I have a CUA configured where I want the profile and the role assignment to be distributed globally from the central system. I can create new roles with PFCG and assign users there, but I don't see these new roles in the user details in SU01.
What am I doing wrong?
Thank you!
Hi Chris,
Seems pretty simple to me. Since it is a new role you need to do a text comparison.
In the central system of CUA execute the report SUSR_ZBV_GET_RECEIVER_PROFILES in SE38 transaction.
In receiving systems give all the systems that are part of CUA including the central system (in this particular case only central system can be input since the new role is present in central system). Now execute it and then do the role assignment either through SU01 or PFCG once again. Check once more.
After every new role creation this report needs to be executed. This is what is known as Text comparison of roles, which can also be done in SU01. Check for the pushbutton for text comparison under tabstrip Roles within SU01.
Regards.
Ruchit. -
SPDD & SPAU and EhP4 before or after ?
Hello all
We intend to go for an upgrade from 4.6c to ECC6 with EHP4. We are planning to have SPDD & SPAU first, then install EhP4, and then again SPDD & SPAU. But my question is, in order to save time, can we skip the initial SPDD & SPAU analysis and fixation part and directly go to EhP4 installation and then do the SPDD & SPAU analysis?
Please help
Thanks & Regards
Nilesh
Hello Friend,
Regarding the SPAU and SPDD... I would suggest that the way you have taken is correct...
Because you are upgrading to ECC6 from 4.6c and I can expect there is a lot of customization!
So first do SPAU & SPDD after ECC6, then again after EHP4 (because the enhancement package can bring some new features alongside the ECC6)...
In that way it is easy to maintain the system and existing code...
good luck
Rgrds
Krish