CUA- Deleting user IDs from Child systems

Is there a possibility of configuring CUA in such a way that user IDs can be created and access can be updated from CUA but deleting user IDs should be taking place only in the child system (Not in all the child systems)?

Generally good advice to keep the uniqueness of UIDs over time, also after Elvis has left the building
What you could consider is a CUA RFC user which is not authorized to delete UID's and schedule a purge job for those IDOCs which deleted only them.
However these sorts of "workaround" solutions are not the best advise, to be honest. What happens it someone temporarily assigns SAP_ALL because there is a big problem and authorizations should be excluded as the cause to get it working again?
Also, every time a new child system is added to the CUA you will be flooded.
My advice: Rather change your procedure (as discribed by Jurgen).
What would be interesting to test is whether you are authorized to move a user (change the authorization relevevant group which they currently have) to a group which the CUA user is no long able to subsequently administrate? But theen you will still be hunting down IDOCs from time to time, most likely.
If your shop is big enough to have these systems you have described, then you might want to consider an IdM system to replace your CUA at some time.
If you wish, I will move this thread to the IdM forum.
Cheers,
Julius
ps: Please do not cross-post.

Similar Messages

  • How to delete users in the child systems with CUA?

    Hi All,
    We have:
    1.  My SAP ERP 2005  (ECC 6.0)+ Windows 64bit + Oracle 10
    2. EP 7.0 + Windows 64bit + Oracle 10
    3. BI 7.0 + Windows 64bit + Oracle 10
    4. Solution Manager 4.0 (CUA)
    We managed all our QA and DEV users in ECC, EP using CUA from the Solution Manager server (Productive servers  and all the BI  7.0 System Landscape aren't in the CUA).
    My problem is when i want to delete a user. Sometimes if you delete a user in the solution manager (where the CUA is defined) the user still  exists in the Child Systems. In fact you can  see it with the SU01 only in the child system. I guess the idea is that if you delete the user in the CUA them  the user is delete in the child system.
    I found this information in the SAP Help:
    As well as the authorizations already mentioned, you also need another authorization in the central system for object S_USER_SYS. You can only assign new systems to a new user with this authorization. ( No Problem with this )
    When a user is deleted in the central system, the system entry for the user is retained until the deletion is confirmed. If an error occurs, you can repeat the deletion by canceling the system (in the child system).
    What does mean: deletion is confirmed? 
    Best Regards,
    Erick Ilarraza

    Hi, thanks a lot for your reply.
    We used the SAP Transaction SCUG to solve CUA Problem.
    It is something about the refresh of the user in the Parent / Child systems, you need to Re-Refresh users and delete it again.
    Best Regrads,
    Erick Ilarraza

  • CUA user master table updates from child system

    Hi Experts,
    In my system although there are roles assigned to users in child system they are not showing up in CUA for few user.
    Is there any program in CUA which i can use to  update the user master tables for only a limited set of users from child systems.
    Regards,
    Sandeep

    Hi Sandeep,
    Just want to check below queries....if this solves your problem..
    Is these are the new systems assigned to CUA or moved from other CUA as you said that role assignment is available in child system but not in CUA ? Another  thing that  I want you to check the User Group  assigned to user in child system and in CUA.If user gorups assigned to users are different in CUA and child system or particular group is missing in any one of the system then idoc will not move. Also check the Output device type along with address data...Any mismatch of these will stop the idoc.
    After that run the SCUG for all users, in CUA as suggested by akshay, this you can run for all 10 child system from CUA, no need to go in every child system.....

  • User update in Child system through CUA

    Hi,
    I created a role in child system and assigned it to the users in the parent system
    However, users are not getting updated in the child system
    Plz suggest

    Did you run text comparison after creating the role ?
    If not do that .
    [SU01 --> enter user --> Roles --> Text comparison from child system OR run report SUSR_ZBV_GET_RECEIVER_PROFILES ]
    Thanks
    Prince Jose
    Message was edited by:
            Prince Jose

  • Unable to see user created in Child system

    Hi There,
    I am facing a peculiar issue with CUA.
    1) A user created in CUA is not appearing in Child system.
    2)When I checked the IDOC status it is Green(03) in both the systems.
    3)When I remove the system in the CUA for that client , it  is fine.
    4)When i again added the system it is fine in IDOCs as well and when I reset the password the status of IDOC in child system  says user does not exist.
    Please let me know if anybody had similar issue and any solutions I could look into

    Just to make things more clear.
    1)logical systems would not be an issue because the idocs would not appear in child system had it been the case.
    2)I tried the option to remove the particular child system from the user profile under systems ,saved and then added the system.
    When I went to child system, the idoc  says user created but again when I reset the password in the CUA for  that system   and check the idoc in child systems it fails saying user does not exist.

  • Exporting the user IDs from R/3 to a flat file

    I need to generate a flat file with all the user IDs from an ABAP system. How can I do that? is there something available out-of-the-box or I need to develop something?
    Also, is there a quick way to bering all the user IDs from R/3 into the Portal?

    Hi,
    Goto SE16 - click on the Table contents button in the screen and execute the table.it will list out the user details - > Edit > Download-> Spreadsheet ->give the name and location for the file.
    REward with points if it is useful
    Regards,
    Sangeetha.A

  • Restrict User Logon from multiple systems

    I want to know how can I restrict a user logon from multi systems. That means user 'manager' must be connected to the server only from 1 client system at a time. Is it possible? If yes then how?
    @VHNG

    hi,
    I'm afraid this is not possible current versions,In future releases SAP will restrict 1 session for a user id,
    For details Check it in SAP Business One 8.8 Central Information
    https://websmp201.sap-ag.de/~form/sapnet?_SHORTKEY=01100035870000705857&_SCENARIO=01100035870000000183&_ADDINC=011000358700001192682007E&
    Jeyakanthan

  • How to create a SSIS package to delete word documents from local system

    Hi All,
    How to create a small SSIS package to delete word documents from local system. Word documents might be one or two weeks ago.
    Thanks in advance for your help.

        Dim filename As System.IO.FileSystemInfo
            filename = My.Computer.FileSystem.GetFileInfo("c:\temp.doc")
            If (Now.DayOfYear - filename.CreationTime.DayOfYear) > 3 Then
                'filename.Delete()
            End If
    Best Regards,Uri Dimant SQL Server MVP,
    http://sqlblog.com/blogs/uri_dimant/
    MS SQL optimization: MS SQL Development and Optimization
    MS SQL Consulting:
    Large scale of database and data cleansing
    Remote DBA Services:
    Improves MS SQL Database Performance
    SQL Server Integration Services:
    Business Intelligence

  • Deleted dtp's from quality system

    hi experts,
    i have deleted dtp's from quality system can i get them back. i want to restore my dtps back in to my system please any body can help me
    thanks and regards
    vijay

    Hi,
    It is advisable to create DTP's in development and transport across all systems.Normally if you make process chain in development and transport to QA or Prod you need to have same DTP's.Try to always synchronise metadata across all systems.You can find overwrite option in T-code STMS_IMPORT in target system.In your case you dont need to check that option. Try to collect all DTP's in new request again and transport.
    Regards
    Chandu

  • Users created in CUA does not distribute to child systems

    Hi
    I searched this forum and after pulling my hair for 2 days I am asking this question. I created a user in CUA and gave him child system access with the necessary roles.
    I was under the impression that the user will get replicated / distributed automaticlaly to the child systems which i selected at the time of user creation in CUA
    But it does not happen. I login the child system and search for the user. It says User does not exist. I saw SCUL in CUA and the log shows a grey icon next to the username and when I place my cursor on the icon, the tect comes " Distribution unconfirmed"
    What am I missing? Everything looks ok to me
    Why is the user or users not geting replicated or distributed to the child systems with the necessary roles / profiles?

    >
    Jackofalltrades wrote:
    > 2. Also the communication user from Client to CUA is getting locked very frequently. When I do a text comparison from CUA, it always pops the username and password login screen and then I have to enter it and the text comparison happens. I don't know what that happens
    >
    > Any ideas for point 1 and 2 ?
    Hi,
    that is an indication, that the RFC-connection is not defined properly. As soon it does not work, you will get the login screen (on the login screen the default client (503) is filled automatically, but that has nothing to do with the problem you have).
    First check the password of the RFC-user you use. Simply change this user to type 'dialog' and try to log on with the password you know. If that works, reenter this password in SM59. Perform the authorization test in SM59 afterwards. Mind possible upper/lowercase problems with the password depending on the releases your systems are.
    You can also try to perform a remote login through sm59 to make sure, tath you can log on with that RFC-user (as long he is of type dailog this will work). If the rfc-user gets locked frequently, then something is wrong with the rfc configuration. In most cases the entered password is simply wrong.
    Check this first!
    b.rgds, Bernhard

  • CUA - how can I disable child system user record RENAME?

    I have setup CUA.  How can I disable SU01/RENAME from the child system?  If a user is Renamed directly in the child system, the new record is unlocked and can be edited in the child system.  These new records are now out of sync with CUA master data.
    I dont see an option for 'rename' in SCUM.
    Is this how CUA is supposed to work, or can the rename function be disabled?
    Thanks.

    Ben,
    We have installed CUA on solution manager 4.0, the back end (child) system is R3 4.7.
    My CUA SCUM shows seperate tabs for Address and Logon data.
    On the Address tab Ive set everything to global, its a long list.
    On the Logon tab all fields, except for inital password, are set to 'global', inital password is set to 'everywhere', to allow changes directly in the child system.
    Just about everything seems to be working, except this RENAME problem.  The users are greyed out in the child system, the create button doesnt even exist anymore in SU01 in the child system.  Syncing between the CUA and Child systems is working as I expect.
    Any suggestions?
    Thanks for the quick response.

  • Delete option coming in child System

    We have recently implemented CUA in our landscape.Now that we are able to see delete option available in one of the child system which is not there in the initial stages and not in any othere child systems.Can any one help me in finding the reason for its occurance and make it consistent with other systems.

    Hi Naveen,
    Do one thing. Try to save the CUA model through SCUA once again and look out for errors. Let yus know the errors you get. Also do one thing. Try remote login from the master ssytem into child system using the RFC destination. I think the ALE user in the RFC destination is either locked or has wrong password maintained.
    regards.
    Ruchit.

  • AGR_USERS still shows deleted User IDs

    Hi There,
    Can someone kindly help me to understand how a few User IDs that have been deleted in the system still continues to show up in the table AGR_USERS ?
    This table information is being extracted into BW and it ends showing non-existent IDs in the report.
    Regards,
    Manick

    Hi Ravi,
    Yes - the CUA is active in another system; the deleted IDs are in the child system. However, the User Role assignments are still being shown in the T-Code PFCG (in either of the systems).
    Regards,
    Manick

  • Is it possible to Delete BP's from production system

    Hi All,
    Is it possible to delete old BP numbers from production system?
    if yes please let me know the procedure and impact on the system.
    if no please let me know ,how to prevent user from entering old BP number into order.
    Thanks in advance for your help.
    Regards,
    Shaik

    Hi Shaik,
    You can delete the BP using transaction BUPA_DEL.
    Just enter the number of the BP you want to delete and then execute.
    Make sure that all the checkboxes on the selecton screen are clear.
    In case the BP has dependencies and deletion is not alowed, you will get an error message informing you of the same.
    Best Regards,
    Rishu.

  • RECOVERING USER SETTINGS FROM PREVIOUS SYSTEM

    I had problems with my HD and I had to re-install the system. I had to create a new user account to do that, now... how do I get back my user settings from the previous system??? like my email, keyboard sortcuts... etc.....????
    I see my previous system folder with the info but... what do i do with it??
    ANY HELP WOULD BE GREATLY APPRECIATED!!

    Create another admin account using the same username/password combo used on the original one, Log into it, drag your stuff from the Previous System folder, replacing the new stuff, open Accounts, and delete the user your created when reinstalling.
    BTW, typing in all caps is considered shouting and bad netetiquette, so please, stop doing that.

Maybe you are looking for

  • Purchase Order - Goods receipt processing time (User Exit)

    Hi All, I would like to know if there is any User Exits available for this scenario. In the Delivery tab of PO, we see GRPT & Planned Delivery Time, this information is picked up from the material master. In my case i have included the transport time

  • Blocking a Bank Key

    Hi Experts, I know we can mark a bank for DELETION but is there any way to just BLOCK a Bank from payments?  Or do you just have to block at the vendor/employee master level (of the vendor/employee who has selected that Bank Key)? The reason I am ask

  • IDOC concept and configuration

    hi forum plssssssssss  clarify me the concept.......... if i need to send idoc from sender (SAP r/3) to Receiver (XI) i need to do the following configuration:            In the sender R/3 system i need to do the following configuration            1.

  • Problem to install Xfce4-RC3 with the installer...

    Hi, I'm using Archlinux and I tried to install Xfce4-RC3 but I get error. The installation wizard stops with this error:  Xfce Window Themes Running configure... done Running make all... done Running make install... failed And the error log says:  >s

  • I rented an iTunes movie, but it won't play on my MacBook

    I rented an iTunes movie, but it won't play on my MacBook. All software is updated and current.