CUA Landscape

Similar Messages

• How to cleanup the CUA entries

  Hi all,
  I'm in the process of doing some client cleanup prior to an upgrade project.  I am also just learning about the CUA system so have been reading through the docs.
  Our landscape:
  UTL - Solution Manager and CUA  (7 ehp1)
  DEV - Development (ecc5)
  QAS - Quality (ecc5)
  PRD - Production (ecc5)
  This was set up about 5 years ago during intial implementation, and little has been done to manage the CUA child entries to match up with client useage changes over that time.  At this point, security uses CUA for some clients and local user admin for others.  When I use t-code SCUA I get the message the "CUA definition is inconsistant, for repair see long text."  And I beileve the issue it is complaiing about is there are child systems still defined in CUA that don't exist, or no longer have a connection.
  I'm wanting to remove these old child systems, and will delete the actual clients where then exist after removing them from CUA.
  What I'm not to clear on yet is what happens after I go through the steps on the central system
  a.     T-CODE SCUA
  b.     T-CODE WE20
  c.     T-CODE BD64
  Since I'll be deleting the associated clients on the respective system, do I need to do the steps for deleting a CUA child on the local system as well?  Then delete the client?
  At some point I'll be adding the new CUA child entries for the actual/used clients as well.  But I thought I'd go through the delete process first.
  Any corrections or clarifications as to what I'm attempting to do will be much appreciated!
  Thanks
  Laurie McGinley

  Thank you Bree,
  So as I understand you, I do not need to run through the WE20 and BD64 transactions to remove them from the distribution model IF there may be a chance we could recreate the associated client on the source system. 
  So... for example...
  I want to get rid of DEV:700 now because we no longer use it.  The CUA child is DEVCLNT700.  I can use the report RSDELCUA and delete the child which removes it from the CUA list.  I can then delete the actual client DEV:700.  In a year, when we decide we want that client back for testing, I can create the client, and add it back to the CUA landscape screen and run SCUG.
  If, however, we decide we won't be recreating that client in the future...
  I would need to run the report, delete the cua child... and here is where I'm unclear.  Do i need to run WE20 and BD64 in the central system before doing the actual client delete?  And if so, do I need to do the steps at the client system for removing a child from CUA before I actually delete the DEV:700 client.
  Hope this isn't too confusing...
  Thanks
  Laurie

• System copy - CUA how to keep (merge) some of the old target system users ?

  Hi,
  can anyone suggest if the following is possible and if so, the best way to enable the following within a CUA landscape :-
  Standard SAP System Copy of Production to QA.
  Cleanup of "Production" user master records in the QA system to remove users not required in QA.
  Resend a set of test user id's which existed in the pre-system copy QA system (and still in the QA CUA master system) to the newly copied QA system to merge with the cleaned up  QA user master.
  Re-link the new QA system with the QA CUA master system to transfer the "merged" list of QA users into the QA CUA.
  I've simulated the above on a test server but the process of sending down the sub-set of old QA test id's from the CUA master (using report RSCCUSND) does not create the users in the QA client even though the report itself appears to have transferred the users. Checking SU01 on the target CUA client shows no user has been created and there are no idocs passed from Master --> Client.
  Other than either exporting the QA users to a transport before the system copy (for re-import after the system copy to replace the copy of the production user masters with the old QA list), or using the "production" users in QA following the system copy I can't seem to find a way of merging some of the old QA users with a cleaned up list of production users in the QA system post system copy.
  If anyone knows of a way to do what I'm suggesting then please let me know.
  Brian.

  Hi Brian,
  I don't think there is an option, directly.
  However what I would do is.
  Before System Copy
  On the QA Side:
  1) Create a new client in the QA and only copy user masters in the empty client.
  2) In this new client, keep only those users I need after client copy.
  3) Take help from ABAP guys to include all usr* table entries (with MANDT field selected only for the new client) into a transport request and save it for later use.
  On the Production Side:
  1) Export user masters of the production client
  2) Create a new client in Production and re-import the user masters
  3) Work on the new client to cleanse the unwanted users.
  4) Re-export the new user master of the new client and save it for later use.
  After System Copy
  1) Import the exported user masters from the production server , thus overwriting the client with the users selectively chosen from the production user master.
  2) Import the transport request to merge the older users from the QA.
  I know this is a crude way.. anyways..
  Hope that helps,
  Siddhesh

• CUA has lot of problems !! Please help

  Hello all,
  We have 10 systems(multiple clients in few systems) configured in CUA. Sometimes the roles dont get replicated, sometimes the IDOCs are not passed from parent to child,
  I added a new system to the Parent CUA and when I was assigning roles to a user for that child system thru CUA, the CUA surprisingly deleted all the other roles the user had in other system. The new system access was not touched
  *Question 1: I have 3 jobs running PFCG_TIME_DEPENDENCY, RBDAPP01 and SUSR_ZBV_GET_RECEIVER_PROFILES in all the child systems. I know PFCG is a needed job for user comparison. Do I need the other jobs ?*
  I have RBDAPP01 to process IDOCs and SUSR for the user comparison of roles.
  Since there are a lot of issues in our current CUA environment( our CUA is on Solution Manager 4.0), I am thinking of deleting the current CUA and configuring it again. Its very difficult to do trouble shooting going in SCUL logs and pin point what really happened.
  In RSDELCUA there are 3 options. Can I select " Delete CUA" and will it delete the CUA landscape or I would still need to go in WE20 and delete the partner profiles and do other steps?
  What I am looking for is a way where I can configure CUA from scratch by deleting the current CUA
  ( It sits on Sol Man 4.0). I am thinking if I configure if properly, it will function smoothly
  Any comments?

  Hi,
  "In RSDELCUA there are 3 options. Can I select " Delete CUA" and will it delete the CUA landscape or I would still need to go in WE20 and delete the partner profiles and do other steps?"
  For deactivating the Child system you need to run RSDELCUA from se38. We can delete the Child system from SCUA but that is not recomended. It creates a problem related to the Partner Profiles and related Ports for which the Icons in respective Child may not be active. For this we need to run WE20.
  The job PFCG* should be scheduled to run at a particular time. As for the other 2 jobs you mentioned I dont see any harm in running those but in most cases PFCG* is sufficient. (Ans to Ques 1).
  Any reason that you want to recreate the CUA? It may be the case that SCUM is not configured properly for the new system that you have added. Instead of starting from scratch I beleive its best you check with the new system where the other roles are getting deleted.
  Please let me know if any issue.
  Regards
  Aveek.

• Could not access the central system - CUA problem

  Hi all,
  Please help me with this problem.
  Its just a test scenario, when everything will be good here, i have to do the same for Production.
  We just did upgrade our R3 system from 4.6 to ECC6.0.
  I created CUA on DB1100 ( Dev BW 4.6 ) with two child systems 1) DC1150 ( Dev CRM 4.6)
  2) DE1400 ( DEV ECC 6.0 ).
  Now everything is working fine between DB1100 and DC1150..
  It works like CUA ( DB1100) and child (DC1150) systems as it should be.
  But connection between DB1100 and DE1400 is not working fine. When you go to SU01 in DE1400, it does not allow me to change anything. It means connection is there and DB1100 is taking DE1400 as child system but when i am updating any user information or roles in DB1100 it is not updating child system DE1400.
  And when i went to tcode SCUA in DE1400 it gave me this error.
  "Could not access the central system DB1100".
  I dont know whats happening. I did same config in DE1400 as i did in DC1150. DC1150 is working fine but not DE1400. 
  The most weird thing is that DB1100 is thinking DE1400 as child system and i can not make any changes to DE1400 directly.
  please help me with this. What i can do to make this working between DB1100 and DE1400??
  i need to do the same in production if it gets passed.
  Thanks in Advance.

  Hi mala_swa,
  seems that you have a problem with the rfc-connections....
  Please check in both directions. The connection have to work without problems.
  Check SCUL in DB1100 - what is the status of the distributed users? Errors, unconfirmed?
  Check idocs in DE1400. Are there some? What is their status?
  The most common error is coming from not working rfc-connections. That brings for instance problems while generationg partner profiles, etc. Also the strict naming convention (log. system name=system name in CUA landscape = name of used RFC-connections) has to be considered....
  So that are some points, that you could check.
  good luck,
  Bernhard

• User roles un-assigned in CUA but acces in child system is ok

  hi
  i am have a really weird issue. a user who has access in roles in child clients, suddenly his roles disappeared from CUA. it did not effect access in child systems. any suggestions how to investigate this.
  thanks

  Did you click the Naughty Button in SCUL? Check OSS Note 1074552...
  Could also be a cause of failing idocs.
  Regards,
  Trond
  PS: The above note is for cases where users loose their visible role assignments in CUA, although roles remain assigned in the child system(s), not for cases where role assignments from CUA never trickles through to the child systems. The mentioned OSS note is a direct result of a case worked on by yours truly in 2007. I include below a warning I posted on sapfans about the issue:
  Word of warning: RSUSR_CUA_CLEANUP_USZBVSYS is faulty!!!
  The program RSUSR_CUA_CLEANUP_USZBVSYS is available as a standard SAP program from at least version 6.20. It can be run from SE38/SA38 or launched from a pushbutton (far right) on the "results" screen of transaction SCUL.
  The program is intended to delete "obsolete" entries from table USZBVSYS, which contains log entries for assigned child systems in a CUA environment. The program is run in the main CUA system, and supposedly deletes entries for systems where users no longer have access.
  There is a serious problem with the program, as acknowledged and confirmed by SAP in an OSS note I opened a few days ago. Under certain circumstances (more than 500 entries for any child system in the CUA landscape), the program wipes clean the whole table, instead of just the obsolete entries.
  The consequences are dire. Table USZBVSYS is used for several fundamental CUA functions, such as remote password reset from the CUA master system. After the wipe, executing SU01 and attempting to reset a users password in a child system will no longer work. The assigned child systems are no longer visible in the reset password pop-up (nor anywhere else in SU01, including the Roles tab). You'll have to edit the user via SU01, and click on the annoying pop-up showing "new system assigned to user" for each system where the user has access...
  The only way to fix the issue is to re-run SCUG for all systems in the CUA landscape. We had to do this across 6 CUA's, each containing 30+ child systems/clients and 10000+ users, which was very time-consuming and annoying. Also, there seems to be cases where roles have been wiped out from users on the CUA master systems, possibly due to consequences of the empty USZBVSYS table.
  SAP has conceeded the program is faulty, and have proposed a new version (note 1074551). Without applying this correction, the program should NOT be run.
  Note that users can still log in to and work in the child systems, it's just the "visibility" from the CUA master system which is missing. Tables USLA04/USL04 are still intact.
  Just wanted to warn the community; we've spent some considerable time discussing with SAP and rectifying the mess created by RSUSR_CUA_CLEANUP_USZBVSYS...
  Edited by: Trond Stroemme on Aug 5, 2008 3:03 PM

• CUA with HR-Org - How to assign systems for role

  Dear all,
  we are planning to use CUA with HR-Org assignment. Can please anyone explain to me how or where the system for the role comes from.
  I mean, normaly in SU01 -> Role Assignment I have in the first colum the system and in the second colum the role. It the role assigment come from HR-ORG there is always the local logical system in the system colum. This is not what we want.
  CUA is on Solution Manager, HR-ORG is replicated from R/3 HR Systeme and the user needs the roles in ECC production systeme.
  So how can we manage the system/role combination assignment?
  Thanks for any hints.
  Best regards
  Roman

  Hi,
  If I understand your problem you want to do role assignment from the HR-Org structure on a system that is using CUA.
  I have only managed this successfully when the CUA master is also the system with the HR-Org structure on it. Otherwise you have lots of issues with replicating data between systems. I did this for a UK council's SAP solution where we allocated all the roles from the HR system, including roles on ECC, SRM(EBP), CRM and BI - so it does work.
  PO13 on the system with the org. structure will only allow you to allocate a role that exists on that system, but if the roles that you are allocating are composite roles that include single roles on other systems, you can achieve this sort of business role allocation without having to go the IdM route.
  Darren Hague (no relation) gave a presentation at SAP Tech Ed 07 on such a scenario, that explains how the composites would be set up far better than I can, but in essence you use the CUA connectivity and the rights of the CUA master system (which includes the org. structure) to allocate roles on other systems / clients in your CUA landscape.
  Have a search through SAP Tech Ed 07 presentations and you should find what you are looking for.

• Error with CUA

  Hi Gurus,
  I have successfully linked 5 child system to the CUA.. All the changes are also flowing to the child system but we when i see the CUA log all the changes appear as unconfirmed except for the parent system.. ...
  I have check teh RFC connection, CUA landscap ... All seems to be working fine
  Can anyone tell the solutions....
  Parveen

  Hi Parveen,
  your problem can have various causes....
  The most common is, that the user in your rfc-destinations from the child system to the cua-central has not sufficient authorizations. Pls check sm58 on the child systems.
  Temporarily try, if you have a change of behaviour, if you assign sap_all to that user.
  You could also run ST01 for that user to find out, if authoriaztions are missing.
  Another common failure is caused by wrong definition of rfc-destinations. Change the rfc-user to 'dialog' and perform a login with that rfc-connection. Are you logged on the the central system then?
  Pls check idoc status in the child systems (bd87). Are they really processed without errors?
  b.rgds and good luck,
  Bernhard

• Role creation in CUA

  Hi All,
  We have a CUA environement in our lab.
  There is CUA admin sytem and one cua child system.
  Admin system :HR6CLNT800
  Child system :HR4CLNT800
  I wanted to know how to create the role in CUA.
  If i create locally on CUA admin system by going to Menu Tab ,specifying the
  Target system "HR6CLNT800".
  I get the following error
  "Role TestRole has been edited in the system .HRCLNT800 distribution cancelled".
  Please let me know if any one has come across this problem.
  best Regards
  Manoj

  >
  sap.sec.akshay wrote:
  > Hi,
  >
  > I have a list of around 1000 existing users whose password need to be changed in different systems(selective).For example if user is having access to 20 systems his password need to be changes in just 2 systems. All the systems are connected to one Central system.
  >
  > I agree for user creation/role assignment in CUA landscape is possible through Ecatt. But password change in CUA landscape doesn't seems to work with ecatt as there are multiple systems to select.
  I agree but not because of the "multiple systems to select" but the lack of a consistent pattern that you stated in your example.
  -John N.

• Need advise on CUA strategy

  Hi All,
  I would like to come out a CUA strategy for a ECC three system landscape (D,Q,P). As i understand the best practice is to have CUA master on each landscape, D, Q and P, but as far as i know this is helpful on complex environment, and the other advantage is testing and verification can be done.
  Since we are using ECC component, what's the best strategy to setup CUA? should we have only single central CUA for for the entire ECC landscape?
  Any feedback is mostly welcome.
  Thanks.

  Hi Nicholas,
  There is no mandate that the CUA should setup in D,Q & P system seperately. However, it is advised to do so since the amount of change documents in the central system are more. Infact, if it one of the reason why most of the times the Central system is setup in D systems.
  Further remember the following points:
  1. What is your userbase?
  2. How many clients will be participating in the CUA setup?
  3. Amount of the changes done in a day (to consider whether to breakup the CUA or setup a single CUA landscape).
  4. Roles that are assigned to the users? If there is a major change in the roles that you assign from D to P, then setting up individually is recommended.
  5. Bandwidth - How well you can manage the setup.
  Hope this clarifies!!
  Best Regards,
  Raghu

• Could I set-up CUA from sap 4.7 to sap NW04s

  Hi Gurus,
  Could I set-up CUA from sap 4.7 to sap NW04s?
  I mean, CUA system in version 4.7 and one of the child systems NW04s.
  Please let me know the possibility and any dependency?
  Regards,
  Surya

  In principle you can mix systems of different releases in one CUA landscape; and you can also freely choose any of them to be the CUA master.
  However, you should keep in mind that new features and thus potentially also new user master data attributes will be added with newer releases. Therefore it is generally advised that the CUA master system should have a newer release. Otherwise the CUA master system would not be capable of storing and providing user master data attributes which might be demanded by some CUA client systems.
  Cheers, Wolfgang

• CUA Installation issue

  Hi Forum folks,
  I have the CUA cookbook, and have followed the setup steps detailed in it.  My test CUA system is almost working but I have one error, and a few questions, to which I haven't yet been able to find the answer.  I was wondering if you'd be able to help me.
  First, the scenario:
  CUA Master: ECDCLNT400
  CUA Child: SRDCLNT110
  CUA users have been setup, and tested, and at this point, CUA Master can retrieve the user and role assignments from the child, and apparently, vice versa.
  I have transferred all users from the child system to the master, and have reviewed a number of users to validate that it worked.  The role/profile assignments from the child system are represented in the master as expected.
  However when I do a text comparison from the master, I get the following error:
  Central System ECDCLNT400: Canceled
                         User CUA_ECD has no RFC authorization for function group SUU6.
  Duh ... I had to regenerate the roles, and this error went away.
  Second, when I go into SU01 on the master, and try to assign a role for a user in the child system, it tells me that the role doesn't exist (when in fact it does) and if I were to try to expand the list of available roles, it doesn't have any entries.  It seems that even though the text comparison comes back with all greens, it's not pulling in the roles and profiles from the child system.
  I've checked the usual suspects (BD64, SCUL, WE02) and I don't see anything jumping out at me indicating a problem.
  Where do you think I should look?
  My Question
  1. The CUA Master is housed on ECD 400.  Does ECD 400 have to be setup as a child of the CUA master for it to work in SCUA, or is it automatically (as it currently seems to be) a child in the CUA landscape?
  Thanks,
  Santosh

  Summary of steps and associated issues that I've gone through thus far:
  1. In my CUA master, I went into SA38 and ran RSDELCUA, to reset the CUA
  2. I did the same in my test child client (which is now different from the client I had used when I first started this post)
  3. I then went back to my CUA master, and ran SCUA, and in the new landscape named CUA_400, I added the child system.  I pressed enter, it went green, no complaints.
  4. When I hit save, I got the following error:
  Child system SIDXXX_CUA: Activation of Central User Administration
                     ALE distribution model was saved
                     Error when generating partner profile in system SIDXXX_CUA; see long text
                     Central User Administration activated
  5. I checked the long text.  It instructed me to go to the target system (SIDXXX_CUA) and start BD64.  It tells me to choose Environment > Generate Partner Profiles.
  6. When I go into BD64, I note that under Central User Administration, it displays the name of the CUA Master, but it also show 3 entries - two for other CUA clients that don't exist, and one for this target system.
  7. Adjacent to the two entries of CUA clients that don't exist, there is a message that says, "No short text exists".  Such a message is absent adjacent to the entry for this target system.
  8. I expand the entry for this target system, and I see two items:
  USER.Clone                     CUA: Distribute Users with ALE-IDOC
  UserCompany.Clone              Clone user company (especially address)
  9. I click on SIDXXX_CUA from the list, and then select Environment > Generate Partner Profiles from the menu. 
  10. I don't change anything in the next screen, and hit execute
  11. It says:
  Log for Partner Profile Generation
  Distribution model                        No messages have been defined for the selection conditions in the model
  As far as I can tell, nothing happened.
  Have you any idea where to go next?
  Santosh
  Edited by: Julius Bussche on Apr 3, 2010 9:50 PM
  Formatting corrected. Please use quote tags.

• CUA - Programs adding and deleting User Rolls

  Good Day;
  We are currently bring CUA up and using a sandbox as a test child system. Once fully deployed, we will have CUA controling all systems (Sandboxes, Dev, Quality), except production.
  Issue - We currently have an application that allows for the adding or deleting of Rolls through the portal. When this was testing, the program failed.
  We need to be able to test in both the development and quality systems.
  Question. Is there a way (config maybe) that a program would be able to add and delete Rolls as well as have CUA active.
  Regards

  Don,
  Thanks and I wish you luck on your adventure to CUA.
  I think the documentation you will find will not cover CUA landscape design.  It will only cover technical configuration.
  I based my design on functionality and some common sense.  I'll give you the reasonging for our design due to our project scenario.
  Production:
  We are using HR position base security and CUA.  The master is the ECC 6.0 system.  We have about 37,000 user IDs and IT 105s (HR info type for communition which is the user ID).
  Do I really want to mix my live users with DEV or QA?  The answer is NO.
  Our production portal UME points to ECC 6.0 and the iViews will point to other system such as SRM or BI. 
  QA:
  QA CUA will have the same configuration as Production.  Why?  When you run "Integration Testing" - PROD is similar to QA - there will be no surprises on your testing after you move it to production.
  DEV:
  This will also be the same setup was QA & PROD.  DEV will have less users not 37,000 only a couple of hundred for test users and Project Team Members.
  Something to think about.  Lets say DEV, QA & PROD are in the same CUA and you have to run major service pack testing.  This will impact CUA and users that you need to SCUG back after.  Let's say the master CUA goes down, you will affect DEV, QA & PROD administration until that system goes up.    Just very messy.
  There are lot of ways to design CUA, choose one that will work for your current situation.
  Good Luck!
  Edited by: John Navarro on Feb 25, 2008 7:52 PM

• CUA Project Propsal Questions

  Hi Experts,
  I am doing research on CUA and have been asked to provide answers to the following questions.  If you have been though a CUA Config/implementation recently, I would appreciate your feedback.  We are a company of 10,000+ SAP Users (approx. 1500 dev/QA users we would be using for CUA)
  •Will Security save time by making Central Changes to user masters?
  •Cost savings?  Other benefits?
  •How much time to configure each system? 
  •How much Basis involvement?
  •Any other resources required? 
  •Will users benefit from Single Sign On with CUA?
  •Will Basis have more work after system refreshes?
  •What is Virsa's role/how does it integrate with CUA?
  •Are there any known showstopper functionality deficits with CUA that would prevent us from using it
  •We will use ourSolution Manager server for this project and for eventual production usage.  Any suggestions or feedback regarding this?
  •Hours the project would take?
    1.BASIS
    2.Security
    3.Change Management
  •Will a Refresh schedule be changed because CUA is implemented?
  •Have you come across any issues with refreshes?
  There are alot of questions and I will be more than happy even if only one question is answered.  As always, thank you for your expertise and advise.
  Teresa Wilson

  Hi Teresa
  > •Will Security save time by making Central Changes to user masters?
  Yes if you have a broad landscape - i.e. lots of clients and systems
  > •Cost savings?  Other benefits?
  User admin will be easier, CUA landscape monitoring will take additional overhead.  Personally I would use say you could save 25% of time when administering users if your landscape is conducive to using CUA. 
  > •How much time to configure each system? 
  Once you have done one, it should take no longer than an hour for each system (less once you get the hang of it)
  > •How much Basis involvement?
  Not much - maybe get them to set up the RFC destinations (specific CUA ones are good, but watch out for people trying to use them for remote CATT execution etc).  Basis may want to schedule the job which processes the userclone idocs in the target system.  It depends how you do things in your place.
  > •Any other resources required? 
  No
  > •Will users benefit from Single Sign On with CUA?
  I will defer to the far more knowledgable Mr Alsop on this one as I haven't a clue
  > •Will Basis have more work after system refreshes?
  Usually limited to removing, re-adding in the CUA system.  It may save them time as the users can be pushed out of the master again if required (though will need to reprocess loads of failed idocs when they get locked)
  > •What is Virsa's role/how does it integrate with CUA?
  What do you mean by Virsa? company doesn't exist any more.  If you use compliance calibrator then has no impact at all.  If you use Access Enforcer then there might be, but without knowing what you are doing, it's hard to say.
  > •Are there any known showstopper functionality deficits with CUA that would prevent us from using it
  It can be a bit flakey, though has improved over the years.  It is not a magic pill which will solve all your problems.  You will get frustrated with it.  You have to do change reporting out of the CUA master otherwise you will only get change logs by the idoc processing batch user ID.  You need to keep on top of the idocs and log monitoring.  If you have a simple setup with few clients then might not be worth it.
  > •We will use ourSolution Manager server for this project and for eventual production usage.  Any suggestions or feedback regarding this?
  I would recommend 3 separate CUA's - one for dev, one for test, one for prod.  Do not have one covering all because if the CUA master goes down for whatever reason then you have extra work.  Assuming R/3 is your main system (with lets say a BW and an APO) then I generally prefer to set the R/3 system as the master as there are usually fewer problems when doing role admin for that client.  That is only a personal preference though & lots of different parties recommend different things.
  > •Hours the project would take?
  >   1.BASIS
  >   2.Security
  >   3.Change Management
  Impossible to say without knowing all details of your landscape.  Basically, you should be able to set up and test a reasonably complex CUA in less than a day.
  > •Will a Refresh schedule be changed because CUA is implemented?
  I don't think so, though CUA should be taken into account as part of the activities
  > •Have you come across any issues with refreshes?
  Yes, BASIS people messing up the CUA config or not doing the post refresh steps they were supposed to do.
  Good luck.  It can be very useful and very frustrating at times.  There are loads of installation guides out there.  As I have said earlier, it will not be the answer to all of your problems and does require extra monitoring.  In a project rampup situation where you have lots of users setup/changing in different clients then it can really help take a bit of the manual processing burden.
  Hope that helps
  Cheers
  Alex

• ECC Upgrade  CUA

  Hi,
  We have R/3 4.6c,620 versions in CUA landscape.
  It was proposed to upgrade one of child system to ECC.
  Is Central system can be on old version ? Please advice.
  Thank you,

  This is not really a portal related question - you might want to ask in the security forum.
  My view is that upgrading a child system shouldn't be a problem - the BAPI that is used to update the users and roles should still work, but there might be some things that you can't move the other way...
  Cheers