CUA - role

Similar Messages

• CUA Role deletion

  Hi All,
  I'm supposed to  delete a role from the Child systems.When I'm trying to  delete role from  Central sys(CUA),role is not reflecting for the user,but user has the role in Child system.
  Thanks  in Advance!
  Regards,
  Naveen

  Hi Mili,
  Can you just check what naveen has just said? He mentioned that he do not want to delete the composite role rather he just need to remove it from the user's access. Also he is not able to see the composite role assigned to the user in CUA, so he cannot delete it from there.
  Naveen,
  You can re-assign the composite role and check if the Idocs are moving to your child system. If it did, then this time re-login to CUA again and now remove this composite role. It should remove it from your child system as well.

• CUA Roles residing in Child system are not showing in Central System

  I just hooked up CUA today and have linked 8 child systems to the central system.  The 8 child system users and roles have already been established in the child systems.  Do I need to run program susr_zbv_get_receiver_profiles in each of the child systems to get the roles in the child systems to show up in the Central System for each user?  I tried this in one child system and it worked.
  Or is there something else I need to do without going into each child system?
  I tried this program susr_zbv_get_receiver_profiles in the Central system but it did not work.

  are you looking for roles or profiles? profiles will not show up in the central system. If you run SCUL do you see anything? when you first added the child system did you use an SAP user that had the proper permissions? In both the child and the parent? There are two roles that the user must belong to to add the child to the parent they are SAP_BC_USR_CUA_SETUP_CENTRAL and SAP_BC_USR_CUA_CENTRAL.
  If you have any question about the permissions of these user at the time you added the child to the parent I'd delete the child and re-add with either the above roles or a user with SAP_ALL in BOTH the child and the parent systems

• CUA roles sometimes do not match the target system

  Hi,
  We are using CUA on Solution manager to assign roles to our different systems.  Every now and then what is in CUA does not match the target System.
  I know that you can look at the idocs using WE05 and see what the root cause was, fix it and then re-assign the role.
  The problem is that when you assign the role using CUA, it doesn't warn you that the transmission failed on the target system.
  We just went live last week, so I am added and removing roles from many different users using SU01 and SU10 and I do not think it is a valuable use of time to sift through the idoc logs every time I make a change.  Especially, since most of the time it works.
  Is there a better way to monitor the Idoc logs?  Can you have it send a notification (email for example) when there is an error?  Is there a better process then WE05?
  Thank you in advance for the help!
  Neil

  Neil. It was a long time I played around with CUA. But I am remembering some transaction where you had the logs. Think it is SCUL.
  I searched saphelp and got the following hits for you:
  http://help.sap.com/saphelp_nw70/helpdata/EN/c1/db4063fd3111d5997a00508b6b8b11/frameset.htm
  http://help.sap.com/saphelp_nw70/helpdata/EN/cc/50b43be7492354e10000000a114084/frameset.htm
  Best of luck to you!
  Regards Fredrik

• Roles created in CUA are not distributing?

  Hi,
    I have configured CUA in my system between 3 clients.when am creating a user it is reflecting in the child systems but where as roles created are not reflecting in the child systems.
  Even i have check in SCUM roles are maintained GLOBALLY.what  may be reason....and how o check the IDOC in WE05?
  Thanks in Adavance

  Hello:
  A CUA is a 'central user administration'.
  A CUA does not cover a central role administration. Therefore you need to maintain your roles as usual, means locally in each child system of your CUA.
  role assignements ot users can of course been maintained centrally in the central system.
  b.rgds, Bernhard

• Error in job for connection to CUA System

  I have a problem with the two jobs in the u2018AS ABAP - Initial loadu2019 for a CUA system. According to the log is seems to be a memory issue!!!!
  Extract from the logfile:
  u2026u2026u2026
  26.03.2009 09:57:31 :I:Initializing custom pass FromSAP: ReadABAPRoles
  26.03.2009 09:57:31 :I:Initializing MX SAP BAPI object
  26.03.2009 09:57:31 :W:Filter not supported when Listing CUA Roles. Ignoring :*
  26.03.2009 09:57:35 :E:Unhandled Error in DSERuntime
  java.lang.OutOfMemoryError: Java heap space (failed to allocate 84038672 bytes)
  u2026u2026u2026
  This error is related to the both the jobs: ReadABAPRoles and ReadABAPProfiles.  
  Please note:
  Setting the %$rep.CUA_MASTER% equal u2018falseu2019 using the repository constant works for the both jobs (only the roles and/or profile in u2018localu2019 system the is read meaning no data from the subsystems in the CUA is read )
  Any suggestions for handling this problem??
  Best Regards
  Tom Svarre

  The text you enter in the dispatcher script after JAVAOPTIONS= is passed on as one parameter to the java executable. When you set JAVAOPTIONS=-Xmx256M -Xmx256M the effect is like the commandline java "-Xmx256M -Xms256M" java interprets this as an illegal heap size and refuses to start.
  If you want to specify more than one javaoption, you also have to set MXDISPATCHER_EXECSTRING=1
  This option causes the dispatcher to pass the arguments to the java executable as one string instead of split into separate parameters.
  The reason this option is not turned on by default, is that this can cause problems with paths and parameters containing special characters that causes the command line interpreter to fail.
  In your case, only specifyng the -Xmx is probably the best solution. Specifying -Xms will cause heavier load on the system also for jobs thatdoes not need a large heap.

• CUA: Idocs USERCLONE remain in Status 64

  Hello experts,
  I'm setting up a CUA at the moment.
  Basically everything works fine, but in case of mass maintenance activites (e.g. TA SU10 or when distributing via report RSCCUSND), the child system only processes some of the received USERCLONE-Idocs, the left ones remain in status 64.
  I know that they can be processed via report RBDAPP01 periodically in batch-mode, but I want to have them triggered immediatly.
  Can you tell me what's the reason for this behavior? Is this a general ALE-Setting or based on my partner settings in WE20?
  Thanks for your help!

  Thanks Bernhard,
  I knew that this might be a resource issue, but actually my problem was that the CUA-Batch-User had no authorition for releasing Batch Jobs, this is mentioned in the SAP Note...
  After adding this to the CUA-Role, everything works fine!
  BR
  Werner

• [CUA] Compatibility with Analysis Authorizations (RSECADMIN)

  Hello,
  I have two questions for you, BI experts :
  1) Could someone please confirm that it is not possible to centrally maintain Analysis Authorizations (trx RSECADMIN) from the CUA ?
  2) Does it make sense to start a CUA project now with the Identity Management solution coming soon ? What are the pros & cons of each ?
  Thanks in advance.
  Best regards,
  Guillaume

  Hi,
  I had a look at the Roles and Profiles tables used by CUA.
  I found that it uses special tables such as :
  USRSYSACT     CUA: Roles in Distributed Systems
  USRSYSACTT     CUA: Roles in Distributed Systems
  USRSYSPRF     CUA: Profiles in Distributed Systems
  USRSYSPRFT     CUA: Profile Text in Distributed Systems
  USLA04          CUA: Assignment of Users to Local  Roles
  USL04          CUA: Assignment of Users to Local Profiles
  There is no analogous table for RSECADMIN tables such as :
  RSECAUTHGENERATD     BI AS Authorization Reporting: Generated Authorizations
  RSECLOG               Storage for Authorizations Logs xml
  RSECTXT               Authorization Texts
  RSECUSERAUTH          BI AS Authorizations: Assignment of User Auth
  RSECVAL               Authorization Value Status
  This, I conclude that it is not possible to maintain BI analysis authorizations from the CUA central system.
  This kind of authorizations has to be performed in the child system directly.
  Unless, SAP has something to draw out of its pocket soon... 
  I indeed read that some development was done on the CUA, parallel to the SAP NW Identity Management solution.
  Best regards,
  Guillaume

• CUA configuration question

  Hi guys,
  I am in the process of "refreshing" our sandbox SRM 4.0 environment using R/3 as a backend. In order to allow for a realistic design where a SRM is added to an existing R/3 infrastructure, I decided to remove the previous (incorrectly installed) CUA schema (srm was central here), and to setup CUA again with R/3 backend acting as central system.
  Everything is quite clear, I just have some understanding problems with the issue of naming the RFC destinations exactly as the logical systems.
  In our environment, those rfc destinations already existed before using a login with SAP_ALL privileges for remote logon. The SAP documentation advises to use newly created users with limited privileges or to add the CUA roles/profiles to the existing users (SAP_BC_USR_CUA_***).
  This obviously doesn't make sense if the respective logon already has SAP_ALL.
  So to questions arise:
  1. What to do for this concrete issue (e.g. not creating any additional users or roles, just stick with superuser as RFC remote logon) ?
  2. What's the general preferred design for RFC destinations ? Does one create multiple RFC destinations to the same logical system, using different user depending on the distribution model ?
  Thx in advance
  Nick

  Hello Bapujee,
  You are certainly right. Infact i was rethinking on it after I posted my answer.Probably my way of explanation was not correct. It is definitely not a rule to have logical system name same as that of RFC though it is highly advisable and resolves any confusion. My answer to your second question will further clarify it.
  Regarding your second question where you have pointed out that you didnot understand my sentence the answer is simple. A large use of logical system is for data distribution between two SAP and ALE ditribution is an important mechanism in this. So let me explain this with the help of ALE model. Let us assume your host system is abc and also that we you have another SAP system XYZ. You can create any number of of RFC destinations XYZ,XYZ1,XYZ2 etc for system XYZ.
  Now suppose the logical system for XYZ is XYZ. Now when we create an ALE model for data distribution between our system ABC and XYZ then we need to use logical systems ABC and XYZ.  Lets also assume that the data is flowing from ABC to XYZ.
  Now when you try to do generate the partner profile  the model view SAP will look by default for RFC destination XYZ. If it finds it then it will generate the partner profiles successfully and also will allow you to distribute the ALE model view. If it doesnot find XYZ it won't allow you to generate the partner profiles and then you need to do it manually through WE20 and WE21 which is very tedious. You can try to do this by creating a dummy logical system in SALE and then a dummy ALE model view in BD64. It will really help you to understand the scenario. First just create a logical system TEST and don't create an RFC destination TEST for it. In second step create RFC destination TEST and then check for the results. In the third scenario create another RFC destination TEST1 which would be a copy of TEST and check again.
  Also one more and very important aspect of this is that every client of an SAP system should have a logical system assigned to it naturally. Now lets us take a scenario where system XYZ has  client 100 . Let us say we have a logical system XYZ100 assigned to client 100 of XYZ. Now you can again create any number of RFC destinations pointing to client 100 of XYZ but SAP by default will pick only that RFC destnation which is name as XYZ100 . If you don't have any such RFC destination created then you again need to do manual work as described above.
  However when no logical system is involved the issue become pretty simple. For example you have an ABAP program which fetches data through RFC calls from other systems.Suppose you are executing the program in ABC to fetch data from XYZ. here you can use any RFC destination XYZ, XYZ1 or XYZ2 since you will be feeding the same information while creating the RFC destinations. Here there is no need for a unique RFC destination.
  I hope this resolves your questions. Please let me know if you have any more questions on this topic. You are most welcome.
  Ands if you are satisfied with the answers please award points accordinly if possible for you to do so.
  Regards.
  Ruchit.

• Mapping SAP R3 role to EP role for WD ABAP Application

  Hi,
  I have a WD ABAP application which uses POWL component.
  I have assigned this application to a role in SAP R3 system.
  Now, I have created an iview in portal for this WD ABAP application.
  I want to map this SAP R/3 role to Portal Role so that only people having that role can see the application on portal.
  How do I handle this?
  Thanks and regards,
  Amey

  Hi,
  Scenario 1:
  You need to maintain 2 roles one from Portal and one from R/3
  On the portal end:
  Assign the role which have the WDA application to all the users who should have access.
  On the R/3 end:
  Assign the R/3 role which you have created to access the WDA application to all the users for whom you have added the Portal Role.
  Scenario 2:
  If using CUA (Central User Administration) as UME for Portal and also R/3 then you can maintain the roles from one place that is from CUA.
  You create a role in CUA and this role is shown as group in Portal now add the Portal role to the group or the CUA role.
  And create another role which gives access to the WDA application. Now add these 2 roles to all the users who are supposed to have access to the application.
  Hope this helps.
  Cheers-
  Pramod

• Cluster Aware Updating - Failed to restart - The RPC Server is unavailable

  I have a 3 node Windows Server 2012 R2 Failover Cluster, and I'm having trouble getting Cluster Aware Updating to work properly. I have been able to successfully apply updates that do not require a reboot, however, anytime I have updates that
  do require a reboot, the process fails. The error message says:
  Failed to restart <ServerName>:(ClusterUpdateException) Failed to restart <ServerName>:(Win32Exception) The RPC server is unavailable ==> (Win32Exception) The RPC server is unavailable
  I have verified that the firewall rule to allow automatic restarts is configured according to Technet: Requirements and Best Practices for Cluster-Aware Updating
  I have also made sure that the CAU AD account has local admin rights, as well as "Force shutdown from a remote system" rights on each of the cluster nodes. In this case, I have been applying updates manually from my workstation (which is not a
  member of the cluster) while logged in with Domain Admin rights (as opposed to letting the cluster update itself based on a schedule). I'd like to verify that the entire process works properly before letting it update itself. What am I missing?

   Hi Duct tape and super glue,
  Could you offer us more information about your environment status now, such as
   CUA Role name is online or not, firewall settings and the event ID, “The RPC server is unavailable” is the typical caused by the WMI or DCOM communication was not running or block, please verified that the firewall was set correctly, WinRM
  is enabled.
  More information:
  What is Cluster Aware Updating in Windows Server 2012? (Part 2) [VIDEO]
  http://blogs.technet.com/b/mspfe/archive/2013/03/07/what-is-cluster-aware-updating-in-windows-server-2012-part-2-video.aspx
  Configure Remote Management in Server Manager
  http://technet.microsoft.com/en-us/library/hh921475.aspx
  I’m glad to be of help to you!
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Active Directory Access and Synchronization with R/3

  Dear All,
  What I have understood till now about users being maintained in Active Directory is: there are no Roles in Active Directory, users are to be assigned to Groups in the Active Directory.
  My requirement is: I have to maintain the users in Active Directory, and ensure they are in sync with my BW system CUA.
  First question is: Can we maintain users and roles in CUA?
  If I want to synchronize between Active Directory and CUA, do I always need the EP to play a part? If not, what are my alternatives?
  My second requirement is: I have to get the users and roles ( partly from Active Directory  via LDAP Connector, and partly from BW CUA ), the challenge being, I am getting users from the Active Directory, how will I determine the role it is assigned to in CUA?
  I will have the group of the user from Active Directory, where and how do I determine what is the role assigned to this user?
  Please suggest.
  Regards,
  Prosenjit.

  Prosenjit,
  My apologies, I didnt really understand your scenario.
  For your query -- I have to fetch the users from AD, check their roles, and display some relevant data.
  You create the role in portal as assign it to the group (group can be anything either AD Groups, CUA Roles which would be groups on the portal or simple portal groups). Now the role will display the reports as links in the TLN and Detail level navigation however it would only be the authorizations which control what data will be visible to the end user.
  Syncronization between AD - ABAP (CUA) would allow you to sync the user details between both the data sources roles dont come into the pitcure as far as I know and have seen (might be wrong also)
  How will I conclude to which role the user is entitles in the BW side, just by getting the group?
  I suppose you must have developed and then published reports on the portal. You will have to create a user - report matrix and then assign users to approproate groups.
  Do clarify the requirement in further detail if this doesnt solve your issue.

• How to copy a role from one client to another in a system using the CUA?

  Dear all,
  I have a question about transporting roles. We have CUA configured on our SAP system. Our development environment contains several clients. Recently I created a role by using PFCG in the development environment named E1D-100. Later there was a need to affect a user by this role but on another client of the development environment named E1D-200.
  How can I transport a role from a client of the development environment to another client of the same environment.
  While I use SU01 to assign the role, after clicking on "user comparing", I can see that the new created role exists on E1D-100 (the client of the development environment where the role was created), but I see that the role doesn't exist on the other client E1D-200.
  How should I proceed?
  Thanks in advance,
  Dariyoosh

  Hello again,
  Thank you very much for all of your answers. I tried both solutions and both worked pretty well. Thanks a lot for your help.
  Kind Regards,
  Dariyoosh

• Integrate GRC 10.1 with CUA and how to import roles from CUA & Child systems into GRC for provisioning

  Hello,
  I am trying to integrate CUA into our GRC 10.1 system through the below steps and so far I have completed the below steps following SAP Notes 1680108 and 1616121:
  1. Connected CUABOX to GRCBOX like a plug-in system.
  2. Updated CUA Global System and CUA Model Distribution in Maintain CUA settings under User Provisioning.
  3. Next I am trying to import the roles from CUA(CUABOX) into GRC(GRCBOX) to be able to provision roles in CUA Child Systems(ECCBOX).
  After reading few discussions in SCN, I have figured that we have to download a template in Role Import and populate it accordingly to upload the CUA child system roles into GRC system for provisioning in CUA Child Systems.
  Unfortunately, this template has multiple fields and I am unable to determine the fields that should be populated as CUA Global System and CUA Child System to import into GRC. Also, when we upload CUA Child System Roles template what selections should be made in Role Import window.
  Any help in this regard is very helpful.
  Thank you,
  Pawan

  Hi Alessandro,
  I have "Create user if does not exist" setting checked for both change action and assign role action and also have CUA enabled. Here is the list of steps that I am performing:
  1. Create an access request for new account, T-CUA_CHILD and select a role from a child system ECC Z_ECC_ROLE_IN_CHILD_SYSTEM.
  2. Approvals provided to assign the ECC role.
  3. I see the following in GRFNMW_DBGMONITOR_WD.
             Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage              GRAC_SECURITY
                 New User:T-CUA_CHILD created in System(s): ECC (created without role assignments)
                 T-CUA_CHILD User does not exist in target system CUA
  GRC created an account without role assignment in ECC but also throwed me an error that the user does not exist in CUA.
  However, if I select roles from both CUA and ECC it creates the account in both systems with the selected role assignments.
  So I am wondering if there is way to provide CUA access to users by default for new account requests types. I have tried setting up default roles for CUA but it does not assign the roles by default until I select the CUA system.
  Thank you for your help!
  Pawan

• Indirect Role Assignment with HR-ORG in a system landscaper with CUA

  Hi all,
  we have 2 SAP systems:
  1) SAP ECC6 (with composite roles)
  2) SAP HR with PA and OM
  We would like to assign SAP ECC6 roles through HR-OM.
  Since HR-OM is not on the same ECC6 system, we would like to try the logic: HR-OM -> CUA -> ECC6
  There are several documents that describe this situation (ex. SCUR351).
  From PFCG point of view, we should create a composite role in CUA system which include simple roles of child system.
  If we try to create a composite role in CUA central system, we can insert only simple roles available in central system (and not in child).
  Any experience on this scenario ?
  Pros vs cons ?
  Are the different possible scenarios ?
  Many thanks...
  Andrea

  Whole idea of CUA is to manage your roles and users centrally, on the contrary you can manage the roles/profiles by setting up the attributes for the CUA thorugh Central user Management console - SCUM Transaction.
  CUA has its own pros -
  Central rep,Users Sync,Role Provisioning statergy - Global composites(consists of individual child roles) Distibuted model -Provisioing at individual child systems for roles, etc.Central user store,easy maintenance.
  on the contrary - change documents is always a concern ( because cua uses - interface Ids or the RFC ids to push the idocs from cua to child system), CUA maintenance while system refresh - Copied distribution models have to be deleted and re-created, system backups has to be defined per you distribution model, password maintenance if defined global then Child systems act as inactive nodes, reading the roles into cua which are created in childs so as to establish a pointer to that system.
  It also depends on the number of systems you have in your landscape so that you can calculate the overhead and then have a Go -no-Go decison on CUA.
  Overall, I consider CUA as a good approach provided we streamline the process of provisioning, de-provisioning per the cua standards.
  Rakesh