CUA Implementation

Dear Experts,
Currently we are in the planning phase to implement CUA in our IT landscape.
We have systems like ECC, CRM, BI and Solution Manager. We plan to implement the Solution Manager server as the parent system.
For each child system we have separate roles.
ECC -> ZECC_ROLES (Total 6 roles)
CRM -> ZCRM_ROLES (Total 6 roles)
BI -> ZBI_ROLES (Total 8 roles)
Some users we create only in ECC, some of them only in ECC & CRM, and some of them in all systems.
1. In case we create/distribute a user (test01) from the parent system to all the child systems, how do we assign the roles to the user in the parent system? We want user (test01) to be assigned only the 6 ECC roles in the ECC system. The same user in CRM should be assigned only the 6 CRM-related roles. Similarly for BI.
Could someone please let us know how to handle the role allocation separately in the CUA central system (parent system)?
Thanks
Malai

Hi Thirumalai ,
Yes, you will be able to assign roles to the user profile according to which system and roles the user requires access to. After setting up the central system and completing all configuration steps with the child systems, you will find an extra tab "SYSTEM" in the central system which you cannot find in a decentralized system. In this field you can enter the logical system name of the system (ECC / CRM / BI) in which user access is requested. Thereafter, in the role tab you need to enter the logical system name in the system field and the respective role names in the role field, and then save the user profile.
Please note that whenever you create any role in the child system landscape (for example in ECC systems) you need to complete the text comparison from the central system to the child system, else the newly created roles will not be replicated to the central system and you will not be able to perform any role assignments in the respective child systems.
Regards
Kantikiran

Similar Messages

  • Profiles tab after CUA implementation

    Hello All,
    I have a query about the SU01 transaction. After implementing the CUA, my central system does not show any profiles (in the PROFILES tab) for composite roles and single roles assigned to the user. Is it normal or is it something to do with the CUA implementation? I can see the related system-generated role profiles for the roles assigned to the user in the respective child systems. We are on SAP R/3 4.7 version.
    Thanks in advance for the time.
    Br,
    Sri

    Hello Raghu,
    This should not cause any concerns for you. However, if you want to display the profiles, please change the settings in SCUM from GLOBAL to LOCAL. Then you should be able to see the profiles. But I would advise against it because then it will be possible to assign profiles in child systems directly. Not a good thing.
    Please award points for useful answers.
    Regards.
    Ruchit.
    Message was edited by: Ruchit Khushu

  • CUA Implementation - Resetting of passwords not affected in Child Systems

    Hi all,
    I have implemented CUA in SOLMAN.
    We have 6 child systems. When I try to change the password in SU01 (in SOLMAN) and select all the systems, it takes effect only in SOLMAN and one more system.
    The remaining 4 systems are not affected. In SCUL it didn't pop up any errors. I'm unable to find the reason.
    Could you please guide me to find the error?
    Thanks,
    Subbu

    Hi Tom,
    In WE02 I see some information in Outbound IDocs and everything is GREEN. But in Inbound IDocs I didn't see any information.
    But when I change the password in the central system, it does not take effect.
    In the SCUL transaction, everything is GREEN. I didn't receive any errors.
    In the SCUM transaction I tried keeping the initial password parameter as Global, Local and Everywhere, but it didn't solve my problem.
    Any idea what is wrong?
    Thanks,
    Subbu

  • CUA Implementation scenario...

    Hello All,
    We are about to implement a CUA in our landscape.
    There are two scenarios that are currently in focus.
    Scenario 1: To have the DEVELOPMENT CLIENT act as CUA for clients of all systems in the landscape.
    Scenario 2: To have the DEV CLIENT as CUA for clients of all Development systems, the QA client as CUA for clients of all QA systems, and the PRD CLIENT as CUA for clients of all Production systems.
    Please let me know the pros/cons of having either of scenarios for the landscape.
    Regards,
    Ajit

    Hi,
    As per my knowledge, CUA will simplify the Security admin's job.
    In your case, if you have many SAP system landscapes, more production systems and a large number of users, then set up a separate CUA client for PRD systems. Or if there are different business entities, then go for different CUA clients respectively.
    If you set up a CUA client for each environment, it means you are minimising the clients you access each time, but the work time/load will not be impacted as per the expected benefit from CUA. If you set up a single CUA client, the security admin job will be done in a single shot.
    Otherwise:
    -> If you have Solution Manager, set up the CUA client there and integrate it with other systems like ECC and BI.
    It will also help at the time of license audits and EarlyWatch checks.
    -> If you are not using Solution Manager, then you can use the Quality client or Dev client for all your landscapes.
    Note: At the time of new user creation, the CUA system will not create the user masters in all systems by default. Based on our systems selection, it will create the user masters in the respective systems. (The majority of users will have only production access.)
    To understand more of the CUA benefits refer to: CUA Project Propsal Questions
    You can see the CUA  Integration doc; http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/8302a929-0501-0010-05b5-d48f544bc572&overridelayout=true
    Hope that helps
    Cheers
    Praveen.

  • Rename 600+ users in CUA implemented 3 system landscape

    Hello All,
    Task ahead :
    Rename around 600+ users in my Production system which is my CUA central system as well. I am having a simple 3 system landscape.
    Advice on :
    What can be the pitfalls for this activity ?
    Since CUA is ON, there would not be a Rename Option available any more...so How to proceed with this activity ?
    Is there any negative impact for such renaming actions in the system.
    Any inputs would be rewarded handsomely...
    Thanks for your time.
    Br,
    Sri

    Hi Happyman,
    How do I perform the rename in my central system? It's OK, I can delete child systems from the central CUA and perform a rename and then re-add them back to CUA, but my query is how to tackle this issue in the central PRD system.
    Does that mean I need to delete the existing CUA altogether and recreate it again after utilising the rename option?
    Thx for the inputs...
    Br,
    Sri

  • CUA : To implement or not to Implement for Production

    Hi all,
    We have CUA implemented for our non production systems. The Basis team wants to implement CUA for our 5 production environments (R3, BW, CRM, SEM and APO). What are the pros and cons of implementing CUA in production? An opinion of someone who has CUA implemented at their company would be most helpful.
    Thanks.
    Sashank

    Hi Sashank!
    We had a central user administration for a small 3-system landscape (from the beginning on).
    Advantage: the central handling. Inconsistencies between the systems won't be a topic.
    Disadvantage: Without experience it's possible to create quite a mess (once the user for distribution lost the authority to change profiles: nearly killed our system in this situation).
    Also having different users and authorities in different systems is nothing which will be easier with a central maintenance - on the other hand it's not more difficult either.
    Since your basis team already has experience with this tool, you can give it a go. We had no technical issues, only handling and organizational problems occurred. Even workload was for a test system once a topic.
    Regards,
    Christian

  • RFC destinations for CUA - clarification required.

    Greetings, Gurus!
    I'm in the planning-going-testing phase of CUA implementation for our landscape, and it appears I've run into something of a snag.
    According to everything I've read, including various SAPnotes and documentation available in SAP Library, I understand that it is not possible to configure the CUA to use specific RFC destinations. Instead, CUA will attempt to use an RFC destination that has the same name as the logical system it is calling. I.e. central system ADMCLNT070 is making an RFC call in context of CUA to PRDCLNT510, for this purpose, RFC destination named PRDCLNT510 will be used.
    Q1: Have I understood this correctly?
    Q2: Is there any way to specify an RFC destination I want to use?
    Thanks for your time!

    Would like you to go through the link below too,
    as the complication of using a different name etc. has been mentioned there, and fixing it was a hit-and-trial method for me when I did it.
    logical system name vs. destination name - CUA -
    Thanks,
    Prasant K paichha
    Edited by: Prasant K Paichha on Mar 5, 2010 12:52 PM

  • CUA & solution manager

    Hi Experts,
    I have different modules implemented for my client like ECC, HSCM, SRM, PI etc. with a huge landscape, and the client wants to go for CUA. My query is: can we use Solution Manager as a CUA for managing all the security-related tasks centrally for all the above-mentioned systems?
    Has any one of you come across the GRC CUA option, and what is the best practice for CUA?
    Please provide me with document if you have any for any of the option.
    Thanks,
    Security consultant

    Hi,
    You could use your Solman as a CUA system (in the same productive client or in a separate client of Solman). But this means that your Solman would be a HA system; in case a restart is needed, the whole landscape will be impacted.
    By the way, CUA will be totally replaced by IDM in the future because of its limits (only manages ABAP systems, no workflow...).
    I would not recommend any CUA implementation in the landscape.  Hope this helps you.
    BRs,
    jiamin pan

  • Should Special Users Be In CUA?

    Hello.
    We are dangerously close to completing a CUA implementation, but I have a gut feeling that we need to think through one last decision:  Should any users be left out of the CUA central system?
    For instance, is there any reason to keep system user-types out of the CUA like RFC users?  SAP*?  DDIC?  Basis people? ALE Users?  What considerations might there be?
    Or should we just go ahead and bring all users into the central system and not worry about it?
    Thank you,
    John

    Thank you for the feedback.
    In thinking about the risks of a centralized approach (eggs all in one basket), the following comes to mind:  What happens when CUA is down or not functioning properly?
    Assumption:
    ++++++++++++++++++++++++++++++++++++++++++
    If CUA is down, the only thing impacted is the ability to add/maintain users.  Connectivity to the child system is not impacted at all. 
    Concern:
    ++++++++++++++++++++++++++++++++++++++++++
    Under these circumstances, I understand that there is no way at all to perform any security related tasks in the child system.  So if there was a crisis, there would be no way to modify any security to help solve the crisis without CUA.
    How might having a non-CUA ID in the child system help?
    ++++++++++++++++++++++++++++++++++++++++++
    If one ID in the child system we left out of the CUA, then we would not be totally stuck with few options in a crisis.  For instance, this emergency ID could be updated to receive the appropriate security to handle the situation.
    Let's take DDIC as an example.  It is required apparently to perform certain system tasks.  Let's say for the sake of argument that if the ID was locked, the child system could not function properly.  And if it was locked by CUA and the CUA was down, the child system would be non-functional until the CUA was returned to operation.
    Too far fetched of a concern?
    ++++++++++++++++++++++++++++++++++++++++++
    Perhaps I am overthinking this and you might think that no such scenario exists or is likely enough to happen? I am a novice and I just want to think this through and not leave my company in a lurch due to some single point of failure that I cannot easily identify. I have been around long enough to see ERP software back me into a corner, and so far most consultants that I have met do not think of these concerns because they are not around to support the software after go-live.
    Thanks,
    John Klaassen

  • User Inactivity

    Hello Gurus,
    Good morning. We are performing license measurement twice a year and perform user inactivity every quarter. To save time on user inactivity and to achieve accuracy, we are planning to have a new custom program developed. However, we are not sure if SAP has any plans to develop such a functionality. We have CUA implemented in Solution Manager (SAP EHP 1 for SAP Solution Manager 7.0, SAP basis component SAPKB70104).
    As part of user inactivity, we filter the inactive users from all servers, set their valid-to date to the last login date and lock them. Due to a recent support package implementation we have additional functionality in report "RSUSR200" in the CUA master, which ideally gives the inactive users from all systems. However, we need to evaluate the users again on an individual basis since it is not complete. That means if a user is part of 5 systems and inactive in 1 system, the user is shown in the report as inactive.
    We have recently implemented another new functionality in CUA, "RSUSR_SYSINFO_LICENSE". This report provides the no of users based on the license category from selected systems.
    Now the question is, do you know if any new support packages have the functionality, or have you ever heard from SAP about performing user inactivity? That means, simply lock the user and set the validity date to the past or the last login date if the user is inactive in all systems.
    It will also be good if you share on how are you performing this activity?
    Regards,
    Gowrinadh
    Edited by: Gowrinadh Challagundla on Apr 27, 2010 9:47 AM

    Hi Bernhard,
    Thanks for the reply. Let me explain in details about that.
    USER A is now a CRM user and before worked in ECC. The user is not using ECC any more, and only active in CRM. When I run this report, USER A is reported inactive in ECC. Which is right. However, I can't lock this user globally and set valid to date in past because the same user is active in CRM.
    Since I know User A is a CRM user, I can avoid locking this user. The same way I need to determine all the users reported here. The functionality I am looking for here is "report should check in all systems and say whether user is inactive in all respective systems". If the user is active in any one of the systems, it should not be shown.
    Hope it clarifies.
    Regards,
    Gowrinadh
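
The check asked for in the post above (report a user only when inactive in every system where the user exists), as an added example that is not part of the original thread or of any SAP report. It assumes each child system's last-logon list has been exported to CSV; the logical system names, column names, user names and dates are constructed.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample data: one export per child system, keyed by a made-up
# logical system name. The column layout (USER, LAST_LOGON) is an assumption.
EXPORTS = {
    "ECCCLNT100": "USER,LAST_LOGON\nUSERA,2009-06-30\nUSERB,2009-05-02\nUSERC,2010-04-20\n",
    "CRMCLNT100": "USER,LAST_LOGON\nUSERA,2010-04-22\nUSERB,2009-07-15\n",
    "BICLNT100": "USER,LAST_LOGON\nUSERB,\nUSERD,\n",
}


def load_last_logons(exports):
    """Build {user: {system: last logon date, or None if never logged on}}."""
    users = {}
    for system, text in exports.items():
        for row in csv.DictReader(io.StringIO(text)):
            name = row["USER"].strip().upper()
            raw = row["LAST_LOGON"].strip()
            logon = datetime.strptime(raw, "%Y-%m-%d").date() if raw else None
            users.setdefault(name, {})[system] = logon
    return users


def is_idle(logon, today, max_idle_days):
    """A system counts as idle when there is no logon or it is too old."""
    return logon is None or (today - logon).days > max_idle_days


def classify(exports, today, max_idle_days=90):
    """Split users into globally inactive and inactive in some systems only."""
    global_idle, partial_idle = {}, {}
    for user, per_system in sorted(load_last_logons(exports).items()):
        idle = sorted(s for s, d in per_system.items()
                      if is_idle(d, today, max_idle_days))
        if len(idle) == len(per_system):
            # Idle everywhere the user master exists: candidate for a global
            # lock. The value is the latest logon seen, or None if the user
            # never logged on anywhere (review these by hand).
            logons = [d for d in per_system.values() if d is not None]
            global_idle[user] = max(logons) if logons else None
        elif idle:
            # Still active somewhere: list the idle systems, no global lock.
            partial_idle[user] = idle
    return global_idle, partial_idle


if __name__ == "__main__":
    locked, partial = classify(EXPORTS, today=date(2010, 4, 27))
    for user, last in locked.items():
        print(f"{user}: inactive in all systems, last logon {last}")
    for user, systems in partial.items():
        print(f"{user}: inactive only in {', '.join(systems)}")
```
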

  • Redistribution thru SCUL.

    Hi all,
    We have CUA implemented in our systems. I would like to have few clarifications.
    1) Is it advisable to redistribute the data from SCUL?
    2) is it possible to trace old idocs related to user master changes? I believe the idoc related to a user gets overwritten when a new change occurs. is that correct or does it create a new idoc (if so then is there a easier way to find out other than WE05 where idocs are named in numbers and you need to click on each to find the content. ) ?
    Appreciate your help.
    Thanks & Regards,
    Jona

    Hi Jona,
    1) Is it advisable to redistribute the data from SCUL?
    Before redistribution, check the error in SCUL and why the particular entry is stuck. Solve the particular error first, for example: user group missing in child system, printer missing etc. Then go to SU01 again and save the user in change mode. This will automatically execute the SCUL entry.
    2) is it possible to trace old idocs related to user master changes? I believe the idoc related to a user gets overwritten when a new change occurs. is that correct or does it create a new idoc (if so then is there a easier way to find out other than WE05 where idocs are named in numbers and you need to click on each to find the content. ) ?
    Check the entry in BD87; it creates an entry with a different IDoc number. Be careful while using BD87 (do not process IDocs without any justified requirement). You can also check the IDocs in WE02.
    Hope this helps

  • Error when synchronising data with Active Directory - URGENT

    Hi,
    We are currently running on ECC 6, and have a CUA implemented. I am attempting to synch my user data on the CUA with the Active Directory, I'm only updating the SAP database and not writing back to AD.
    I have mapped the fields in LDAPMAP, and using the find function through transaction LDAP I'm able to read the data for the relevant fields so the AD user id does have the correct read access to AD
    However, when I run the RSLDAPSYNC_USER program, the user is created but only the Surname field is populated. Does someone perhaps know what could cause this problem?
    Thanks in advance
    Sujeet

    I think I know what your problem may be. There is a hard limit of 1000 results for an LDAP search against Active Directory, and I think you're hitting this limit. One way to test is to narrow your search to one small OU with only 10 users in the OU.
    This setting can be changed at the controller and is called "MaxValRange". Here's a link to more info: http://support.microsoft.com/kb/315071
    Before you make this change on your domain controller I'd try narrowing the search to a single OU first.

  • USMM - License classification via reference user

    Hello all,
    I am trying to group users for licensing by using a reference user rather than User Group for authorizations.
    I am following the instructions in the Help section, however, I do not have the option for "Extended List" and the Reference User is not appearing in the "Ref. User" field I added when I choose "User Classification".
    http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/b2b8d0ca643d88e10000000a421937/frameset.htm
    We do not have CUA implemented. Is that what is causing this error? 
    I would like to figure out a way to group users by their work area, because unfortunately this USMM report will not group users by "User Group", only "User Group for Authorizations" which does not meet our requirements.
    Any help would be greatly appreciated.

    The documentation states that you cannot classify users by reference users?!
    Reference users are actually comparable to composite roles and composite profiles in one entity, which you can assign to the user which can log on. Then the user has both their own authorizations and those of the reference user.
    Cheers,
    Julius

  • Error when implementing CUA

    Hi,
    I wanted to implement a test of CUA with my DEV systems (DEV R3, DEV BW, and DEV SRM). When I created the distribution model in my central system (DEV R3 client 030) and saved the model, I had the following error in my child system (DEV SRM): "ERROR when starting the text comparison". I didn't have any error in the other systems (DEV R3 and DEV BW).
    I've checked my RFC connections; I don't know how to solve this problem.
    Thanks in advance for your answers...
    Regards,
    Mohamed

    OK, I've solved the problem by myself.
    In fact, I didn't have an RFC user connection between my child system DEV SRM and my central system DEV R3. I had just RFC users connection between my central system and my child systems...
    Mohamed

  • SAP SSO using CUA for Transport Express implementation

    I am implementing the Transport Express application as part of a larger project on a Dual Track environment. The business wants TE to be integrated into the SSO landscape. This is where I am having difficulties. I need advice from anyone who has implemented BTI's Transport Express into SAP requiring SSO with CUA as part of the business landscape. Our Domain Controller is Solution Manager. The TE settings in SolMan allow for a Web UI email notification, which contains a hyperlink to a user Dashboard. The expectation with SSO is that clicking on the hyperlink will automatically connect us to the Web UI Dashboard. Currently this does not work. Any suggestions?
    I have also been given three options to consider: 1. Our Portal manages ABAP and Java SSO, 2. SPNego is for ABAP systems, 3. A system-to-system config might work.

    Hi,
    Now SPNego is working on ABAP stack as well as Java stack.
    If you want to use this solution, the following videos may help.
    Single Sign-On with Kerberos
    Best regards,
    Shuai
