CUA  - Single CUA

I was looking for advantages/disadvantages for CUA and I found this out on SAP Security Online, but I need someone who knows CUA to verify that it is a disadvantage for a Single CUA.
It said: - Maintenance of CUA system has immediate impact on production, no test of CUA functionality possible.
Can someone give me an answer on this and tell me why a test of CUA functionality cannot be done without an immediate impact on production?
Any chance someone could answer this today?
Thanks for your help!

That is one of the reasons I prefer to have separate CUAs.
If I need to make a change to a CUA setup, I can test it in a non-prod landscape to make sure that those changes are suitable for prod (assume that settings are same etc). If they are then it's fine to go ahead.
If my prod system shares a common CUA with all other systems, then any changes I make to that CUA will have an effect on the systems linked to that CUA, including my prod system, therefore my prod system is the recipient of untested changes.
Like all changes, by testing in a non-prod environment, any changes that have a detrimental effect get picked up before either user data (unlikely in my experience) or operational stability of CUA in production (more likely) are compromised.
In the grand scheme of things it's not a huge issue, but from a change management, segregation & control of environments perspective I find it beneficial to have separate CUAs.

Similar Messages

  • How to add/delete single role to/from CUA

    Hi All,
    I want to add/delete a single role from the CUA system. I found one FM to change roles, i.e. BAPI_USER_LOCACTGROUPS_ASSIGN. The function module documentation says that it overwrites all existing roles with the roles in the table parameter. I don't want to do that. I need a FM to add/delete a role in the CUA system. Please help me with your suggestions.
    Thanks,
    Suman

    I am not aware of another BAPI based way to do it. You will need to get the details of the Roles AND manual profiles assigned, and then re-assign the new set in the call.
    Cheers,
    Julius
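
The read-then-reassign approach Julius describes, as an added example that is not part of the thread and not SAP code: a Python model of an assignment call that overwrites the whole role table, with a wrapper that reads the current rows, applies one add/delete, sends the complete table and verifies it by reading back. `RoleRow`, `FakeCua`, the user, system and role names are constructed for illustration; the real read and assign calls would be passed in as the `read` and `write` callables, and only the role table is modelled here.

```python
"""Read-modify-write around a 'full replace' role-assignment call (added example)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RoleRow:
    # Field names are assumptions for this sketch, not the BAPI's table structure.
    subsystem: str                        # logical system of the child
    role: str
    valid_from: date = date(2000, 1, 1)
    valid_to: date = date(9999, 12, 31)

    @property
    def key(self):
        return (self.subsystem, self.role)


def plan_table(current, add=(), remove=()):
    """Return the complete table to send: current rows, minus `remove`, plus `add`."""
    add, remove = list(add), set(remove)
    overlap = remove & {r.key for r in add}
    if overlap:
        raise ValueError(f"role both added and removed: {sorted(overlap)}")
    # Untouched rows are carried over unchanged, validity dates included.
    table = {r.key: r for r in current if r.key not in remove}
    for row in add:
        table[row.key] = row              # upsert: the requested validity wins
    return sorted(table.values(), key=lambda r: r.key)


def change_roles(user, read, write, add=(), remove=()):
    """Add/delete single roles through a call that replaces the whole table."""
    current = list(read(user))
    planned = plan_table(current, add, remove)
    before = {r.key for r in current}
    after = {r.key for r in planned}
    write(user, planned)                  # full table, never just the delta
    # Read back: catches a concurrent change or a write that was not applied.
    if set(read(user)) != set(planned):
        raise RuntimeError(f"read-back for {user} differs from planned table")
    return after - before, before - after  # (added, removed) for the change log


class FakeCua:
    """Constructed in-memory stand-in with the overwrite semantics described above."""

    def __init__(self):
        self.store = {}

    def read(self, user):
        return list(self.store.get(user, []))

    def write(self, user, rows):
        self.store[user] = list(rows)     # replaces every existing assignment


def demo():
    """Compare sending only the new role with the read-modify-write wrapper."""
    rows = [RoleRow("ECCCLNT100", "Z_AP_CLERK"), RoleRow("SRMCLNT100", "Z_BUYER")]
    new = RoleRow("BWCLNT100", "Z_REPORT")

    naive = FakeCua()
    naive.write("JDOE", rows)
    naive.write("JDOE", [new])            # existing roles are silently dropped

    safe = FakeCua()
    safe.write("JDOE", rows)
    change_roles("JDOE", safe.read, safe.write,
                 add=[new], remove=[("SRMCLNT100", "Z_BUYER")])

    def keys(cua):
        return sorted(r.key for r in cua.read("JDOE"))

    return keys(naive), keys(safe)


if __name__ == "__main__":
    print(demo())
```
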

  • Push single role to CUA

    Hi,
    I created a single role in the child system and am not able to find it in the CUA system, so please let me know the process to push this role from the child to CUA.
    Thanks,
    Lisa Pl

    Thanks for that Jurjen.
    I agree with your comment: if you are assigning the role (child role) to the user in CUA directly, then only text comparison will do!!!
    >This actually copies the whole role from the child.
    This only copies the description and role menu from the Child system, not the entire role.
    >For CUA purposes the CUA master only needs to know about the existence of the role on a child system. In SU01 on the CUA master go to the tab where you assign roles to the user and look for the 'text comparison' button.
    But when composite roles exist in CUA and further single roles from the child system are mapped to the composites in CUA, in that case you need to perform an RFC read of the single role so as to refresh the menu of the composite role.
    Rakesh

  • How to define the RFC in CUA

    Hello expert,
    We ran into a practical problem with defining the RFC connections for using CUA.
    We are creating Composite roles in CUA which include the various Single Roles of the child systems. These single roles are created in the CUA PFCG with the reference to the child system's RFC in the field "Target System".
    Obviously we want these Composites and single roles to be transported to the QA and PRD systems. However, currently the RFC connections are defined as "DE1CLNT110", "QE1CLNT110", etc. When transporting this is obviously going to cause problems as the RFC DE1CLNT110 does not exist in QA system.
    Is there any best practice or SAP method to cover this 'gap' in CUA environments?
    I see a few options:
    1) Create the RFCs under an alias which is the same across the landscape. (e.g CUA_ECC for ECC RFC, CUA_SRM for SRM RFC, etc..)
    2) Only transport empty Composite roles and include the single roles manually in each system.
    Transport Composites including single with RFC format "<system.client>" (DE1CLNT110) and adjust the target system RFC manually in the next system.
    In our view option 1 comes closest to a workable solution. However, we would like to have expert advice on best practice as we cannot imagine this is not a known issue.
    Thanks in advance,
    Thomas

    > Thomas van Haaren wrote:
    >
    > I see a few options:
    > 1) Create the RFCs under an alias which is the same across the landscape. (e.g CUA_ECC for ECC RFC, CUA_SRM for SRM RFC, etc..)
    >
    a.) prerequisite: you adapt every destination in every system (landscape) in SM59 in a different way, let's say:
    ERP_DEV, destination CUA_ECC has IP-address XXX.XXX.X.1, in ERP_QAS the same destination CUA_ECC has IP-address XXX.XXX.X.2 and so on and in every target destination the same in reverse. you would have to adapt every port in every logical system and i think this is where it all gets pretty yuk ... transparency?? btw. if you are refreshing your QAS-systems via system-copy you will have to do this all over again with every copy.
    b.) you can proceed in this way, if the major condition for such a concept is fulfilled = in all the target systems (children) the role addressed with this name is exactly the same = the role, once changed in (for example) SRM_DEV is immediately transported to SRM_QAS and SRM_PRD. if the role of the same name differs in the children, things get even more confusing than under a.), since you are addressing different roles by 'on the surface' using the same name and the same destination name, only a different IP in the destination. that makes for some cruel searching in case of errors.
    > Thomas van Haaren wrote:
    > 2) Only transport empty Composite roles and include the single roles manually in each system.
    > Transport Composites including single with RFC format "<system.client>" (DE1CLNT110) and adjust the target system RFC manually in the next system.
    >
    > In our view option 1 comes closest to a workable solution. However, we would like to have expert advice on best practice as we cannot imagine this is not a known issue.
    >
    > Thanks in advance,
    >
    > Thomas
    or ... adapt only the destination in single roles on tab 'menu', field target destination. i have my LSMW for that purpose.
    not an ideal solution either, i admit.
    am curious now, how do others do that?

  • Table used for storing roles/profiles assignment in CUA landscape

    Hi,
    following is my cua setup
    master client - 999 of SRM 4.0
    child client - 101 of ECC 5.0
    child client - 202 of SCM 4.1
    in cua all distribution works on the logical name assigned to the respective client.
    here is my question
    let's say user 'XYZ' in master client is assigned single as well as composite roles and composite profiles in the master as well as child system.
    please tell me in which table this relationship is maintained in sap, i.e. which cua client a composite role/profile is from.
    from my finding the tables which store the roles and profiles from master and child system are USRSYSACT & USRSYSPRF.
    but i am not able to find the table which stores the role to user and user to profile assignment in CUA setup, can someone please help me.
    Thanks,
    John.

    Hi, check the tables:
    USR10 - role definition
    AGR_PROF - Profile for Roles
    AGR_TEXTS - Role descriptions
    AGR_USERS - Assignment of roles to users
    AGR_DEFINE - Auth profiles
    If needed see other tables with USR* and AGR_*
    Reward points if useful
    Regards
    Anji

  • CUA: SCUG - Transfer Users errors with Output Device does not exist

    Greetings,
    I'm currently setting up CUA on our ECC 6.0 boxes and ran into an issue when I run SCUG and try to transfer the users. We're in the process of upgrading to ECC. The target systems are upgraded copies of our current 4.7 target systems.
    Currently we have CUA connecting to our DEV, TEST, PreProd, and Prod Systems.
    The output devices only reside on the target systems. There are no output devices on our production CUA box.
    I'm trying to set up the ECC CUA box and modeling all the settings on our current environment. Once I set the CUA settings, including the RFCs and ALE connections, I ran SCUG and ran into the issue.
    I only get the error where the Default Output Device is populated. Users with no Default Output transferred without any issues. I looked up notes in OSS and can't seem to find any on this subject.
    Side note: If I remove the output device it transfers without error. Obviously this is not a solution, I was merely testing out the scenario.
    Any help would be greatly appreciated

    Hi Alex,
    there is just a little comment in SAP note #399917 (point 4).
    As far as I know, the SCUM settings are not considered during SCUG. So setting 'output device' to local will not be a solution.
    The standard way is to transport the output device information to your CUA-master system before taking over the users. (create transport in SPAD).
    I also have another workaround for you gurus, but this will need a modification of the standard coding for the time of taking over your users. Using this modification, only a warning message will appear and unknown printers will not be taken into the CUA-master system.
    Pls test this proposal carefully (coding is rather old....), this is just a suggestion!
    Include LSUUCF01
    FORM DEFAULTS_CHECK
    * Spool: output device
      IF NOT DEFAULTSX-SPLD IS INITIAL AND
         NOT USER_DEFAULTS-SPLD IS INITIAL.
        SELECT SINGLE * FROM TSP03 WHERE PADEST = USER_DEFAULTS-SPLD.
        IF SY-SUBRC <> 0.
          PAR1 = USER_DEFAULTS-SPLD.
          CALL FUNCTION 'BALW_BAPIRETURN_GET2'
               EXPORTING
                    TYPE       = 'W' "'E' "Warning instead of error
                    CL         = '01'
                    NUMBER     =  29
                    PAR1       = PAR1
               IMPORTING
                    RETURN     = ERRORTABLE
               EXCEPTIONS
                    OTHERS     = 1.
          APPEND ERRORTABLE.
        ENDIF.
      ENDIF.
    I strongly recommend to undo this modification after you have finished SCUG.
    Good luck, b.rgds, Bernhard

  • Best place for CUA

    We've got ECC, BW, XI, EP, SolutionManager installed and want to implement CUA.
    I want to know your comment on:
    One CUA or more CUAs? We have a 3-system (DEV, QAS, PRD) landscape for each system.
    Where is the best place for CUA?
    TIA.

    Hi Team FI,
    There are other factors that may be considered when deciding where to put CUA.  For example:
    Are you using Indirect Assignment of roles also?  If so, then simplicity would say, put the CUA on the same system as the HR module (saves having to ALE over the PD object -> Role relationships to different CUA system).
    High availability - normally your ECC system would have the highest availability due to the critical nature and impact on business, so it would make sense to put it on your ECC system if this is the leading factor.
    What is your role integration strategy like?  I know some clients that have excellent integration across all systems such that a 'role' is defined as all of the access that you require inclusive of all SAP systems, and LDAPs.  If this is the case, then you can have a single CUA system.  Assign ONE composite role to the user, which then provisions out single roles to all of the other SAP systems (including non-prod) and synchronises with your LDAP.  If your role integration is not as 'good' as this, then you may consider having two CUA systems.  One for the prod systems, and the other for the non-prod systems.

  • CUA for ABAP and JAVA Systems

    I have an AS-ABAP system and an AS-JAVA system.
    Can I have a single CUA for the AS-ABAP system and the AS-JAVA system, or should I have separate CUAs for ABAP and JAVA?

    Hello Balaji,
    Yes, you can connect the JAVA user administration with the Single CUA.
    Make use of the JAVA UME feature for this.
    http://help.sap.com/saphelp_nw04/helpdata/en/49/9dd53f779c4e21e10000000a1550b0/content.htm
    Regards,
    Ammey Kesarkar

  • CUA Landscape

    Does Position Level Security really work with CUA?
    I would like to setup two landscapes for CUA.
    One CUA for Test/Sandbox and put it on Solution Manager using User Level Security.
    One CUA for Prod/QAS using Position Level Security residing on the ECC 6.0 Dev Box.
    I realize the HR ORG Model is needed for Indirect Role Assignments or Position Level Security, so I'm told CUA should reside on the same client as the HR ORG Structure.
    Our Tech Lead here wants to use one CUA for all of the clients and put it on Solution Manager. 
    My question to you folks, how much sense does this make to use one CUA and place it on Solution Manager?

    > I'm not sure what you mean by DEV being a bit of
    > shambles, but I would think if you are provisioning
    > users, you would want to use User Level Security in
    > one CUA and Position Level Security in the other CUA
    > to keep the provisioning methods separate.
    I just mean that  the level of thought and design that goes into a production system, doesn't seem to go into the non-production systems.  So, position based security is less feasible due to design.  You are right in that if you want user level security in non-prod, then best to use a non-prod CUA for that.   Have a prod CUA for the position based security.
    > Justin, are you using two CUA's?
    I work for many clients, so I have used both 1 CUA system and 2.
    >
    > Did you need to set up a lot of composite roles?
    Not normally.  I design top-down.  That is, I define 'job' level roles rather than activity level roles.  I would normally end up with about 100 roles for a large organisation, which are then derived as per their business units.  I would expect no more than 1000 roles for a very large organisation.
    >
    > One last question, do you have a list or cookbook on
    > how to set up the composite roles with Indirect user
    > assignments or know where I can find them?
    Unfortunately, the information on this in help.sap.com is just impossible to understand.  I just re-read it then and it still doesn't make sense to me!  If you have CUA set up in a sandbox or something, I would just run PFCG, and there is a menu item called 'read from RFC' or something like that.  Run that, and then the single roles from the child systems are available to you to put into your composites.
    >
    > Sounds like you have CUA working really good there!
    >
    > Your answers have been helpful!
    >
    > Thanks!

  • CUA still necessary/recommended with Access Enforcer?

    Hello forum members,
    we are planning to implement SAP GRC Access Control for one of our clients. There are 5 R/3 Systems in the landscape, one of them an HR System. Currently there is no CUA in place and all users and roles are maintained separately in each system. Now with the introduction of GRC Access Control there is the question of whether we should at the same time also have a CUA introduced or whether it is better to directly provision the Users and Roles from Access Enforcer to the target systems.
    What are the pros/cons to have a CUA in between? Does Access Enforcer also provide overview on all users in all system and the assigned roles?
    Thanks for your replies.

    This is a question that I'm asked all the time.  For some environments, using CUA with AE is really nice.  For other environments, it's just not feasible to have CUA as the security authorisation strategies are too inconsistent across systems.
    For example:
    a. There are three systems (ECC, BI, and SRM) implemented with a consistent top-down (job) approach to defining roles.  So, an AP clerk will receive the 'AP Clerk' role in ECC, 'AP Clerk' role in BI, and 'AP Clerk' role in SRM (for simplicity).   Obviously, the roles are different as they are for different systems, but the point is, it is easy to categorise the authorisations for a particular job across each of the systems.  If security is consistent like this, then CUA can be implemented and the three single roles for the three systems can be grouped together in a cross-system composite role called 'AP Clerk'.  When AE is implemented over the top of this, a user only has to request the 'AP Clerk'  role (composite).  AE performs the workflows, risk analysis etc and then finally passes the request to CUA, which then provisions out to the other two systems.  Very easy from a user point of view as they only have to request one role, which is their job.
    b.  If however due to inconsistency between the systems, it is not feasible to group access into cross-system composites, it may just be better to go with AE without CUA.  In this scenario, a user must request the applicable roles from each of the three systems.  It is more flexible, but a little more difficult for the end user.
    I normally spend quite a bit of time developing the Access Controls strategy during the blueprint phase of the implementation just to make sure that I'm coming up with the optimal design.  A bit of prototyping helps also!

  • CUA problem with composite role

    Hello experts, I have a problem with a composite role in my CUA parent system. If you look at the roles tab you will see one of the child roles has a name of child CUA system in the 'target sys' column. the rest all have 'user system'. Can anyone explain how this 'target sys' column is defined?
    Thanks
    Dave Wood

    I do not know if you have solved this issue, but the target system is defined within your single role on your menu tab.
    Now what happens is that in transaction SM30 table SSM_RFC you define a system variable linked to your logical system.
    This variable determines that when you import roles from another system by means of transaction PFCG > Read from other system from RFC and you select your variable the system will automatically default in the target system field the system it is supposed to go back to.
    So this way when you distribute the roles it will only go back to that particular target system, and you do not need to specify and guess where the role came from.
    Try removing that table entry in SM30 SSM_RFC and see if that way you will be able to remove the target system from the role.
    However it is not a bad thing to have activated. If you are working with position base authorizations and you have more than 1 system, you define 1 composite role for all the roles, for all the systems and you will be able to see where the composite resides by means of the target value.
    Hope this makes sense.
    Regards
    Sonja

  • CUA With Two  R/3 server Implementation

    Hai All,
    Currently we are using EP5.0 with SAP R/3 4.6C with two R/3 (P01,P02)servers. User id is managed in LDAP. That is,
    1. user u will be accessing P01 R/3 system we will create a user id in LDAP and a SAP userid IN P01 R/3 system
    2. user u will be accessing P02 R/3 system we will create a user id in LDAP and a SAP userid IN P02 R/3 system
    3. user u will be accessing P01 & P02 R/3 system and  we will create a user id in LDAP and one  SAP userid in P01 R/3 system and another userid IN P02 R/3 system.
    This is the current framework; using single sign-on the users are logged into the different R/3 boxes.
    Now we plan to upgrade to EP7 and use CUA,
    a. If we use CUA, can user id's for P01 and P02 be created from P01 itself?
    b. Is it possible to achieve scenario 3? Will there be any technical issue? If I assign P01 as CUA and I create a userid ZUSER1 in P02, when the user logs in to the portal he will use the password of the P02 system. After some time, if the same user is going to access the P01 system, then I will create a userid ZUSER1 in the P01 system. Now for the P01 R/3 system the password generated is different from the P02 system. Is there any way that the P01 ZUSER1 password is synchronized with the P02 ZUSER1 password?
    c. Is CUA supported with SAP R/3 4.6 C
    Thanks & Regards,
    H.K.Hayath Basha.

    Hai,
    Let's say i have created new client 400 in P01 and i am using that as my CUA.
    If I need to create two user in P01, client 300 as ZUSER1 and ZUSER2, When i create these user id's using CUA in client 400 of P01 server. Whether these userid's created in client 300 and 400 of server P01 and which clients password is used when i login to portal.
    If I need to create two user in P02, client 300 as YUSER1 and YUSER2, When i create these user id's using CUA in client 400 of P01 server. Whether these userid's created in client 300 of server P02 and 400  of server P02 and which clients password is used when i login to portal.
    Since you said that i need to point UME source to CUA master client, can i assume that whenever user id is created the CUA master client will store all user id's  of P01 and P02 server.
    If a person YUSER3 is going to login to P01 (Userid is YUSER3) and P02 server (Userid is YUSER3) and if password is not synchronized between all CUA clients (in our example P01 & P02) how can he login to portal with the same user id and access both P01 and P02 server.
    Thanks & Regards,
    H.K.Hayath Basha.

  • CUA with HR-Org - How to assign systems for role

    Dear all,
    we are planning to use CUA with HR-Org assignment. Can please anyone explain to me how or where the system for the role comes from.
    I mean, normally in SU01 -> Role Assignment I have the system in the first column and the role in the second column. If the role assignment comes from HR-ORG there is always the local logical system in the system column. This is not what we want.
    CUA is on Solution Manager, HR-ORG is replicated from the R/3 HR system and the user needs the roles in the ECC production system.
    So how can we manage the system/role combination assignment?
    Thanks for any hints.
    Best regards
    Roman

    Hi,
    If I understand your problem you want to do role assignment from the HR-Org structure on a system that is using CUA.
    I have only managed this successfully when the CUA master is also the system with the HR-Org structure on it. Otherwise you have lots of issues with replicating data between systems. I did this for a UK council's SAP solution where we allocated all the roles from the HR system, including roles on ECC, SRM(EBP), CRM and BI - so it does work.
    PO13 on the system with the org. structure will only allow you to allocate a role that exists on that system, but if the roles that you are allocating are composite roles that include single roles on other systems, you can achieve this sort of business role allocation without having to go the IdM route.
    Darren Hague (no relation) gave a presentation at SAP Tech Ed 07 on such a scenario, that explains how the composites would be set up far better than I can, but in essence you use the CUA connectivity and the rights of the CUA master system (which includes the org. structure) to allocate roles on other systems / clients in your CUA landscape.
    Have a search through SAP Tech Ed 07 presentations and you should find what you are looking for.

  • CUA with  QAS and TRAINING

    Hi,
    i have a CUA with a child system, but the child system has 2 clients (for example 100 and 200), one client for tests and the other for training.
    the CUA is also a data source for our EP7's UME.
    my question:
    how can i create a user_test for the child system but only for the client 100 (not authorized to have access to client 200) and vice versa
    best regards

    > Steve Bodell wrote:
    > We have a range of child clients in our 1 single instance of CUA, our CUA sits on server with 1 other client that requires very little outage.  We have also retained the ability to do resets locally and have emergency accounts in place should CUA be down for an unexpected amount of time.
    >
    > Steve
    This will not work in our facility.  We have a Portal UME pointing to an ECC 6.0 (Master CUA) which is also using HR position base security.  All portal use must go to ECC 6.0 and have to have an account.  In order to properly simulate Portal and HR base position security, it is necessary to have a CUA in each landscape.
    > Steve
    > By having multiple clients in the same CUA instance - Dev, QA, Prod etc does not mean your users have to exist in all clients.
    > Steve
    True but we don't want unnecessary iDocs and also our PROD User IDs are all generated automatically via HR security (IT 105).  It is important to make PROD to be CUA master on its own landscape and not burden it with unnecessary child systems.
    Again there are a number of ways to design a CUA but putting everything in one CUA IMHO is not a good approach when you have the flexibility of multiple CUAs.  It's not difficult to build CUAs so I don't really see the benefit of not having one per landscape.
    Another problem we encountered is that during a refresh of QA from PROD the source client must not have any CUA reference, so if PROD is the CUA master for QA & DEV this will pose another challenge.
    There are some who choose 1 CUA for everything and making Solution Manager the master, this is fine as long as they can support it.  As a consultant you can design the CUA for the customers and not have to support it.  As a customer I have lived with supporting CUAs in DEV, QA & PROD.
    I only recommend CUAs for each landscape and not pushing it as the only solution.  It all depends on your business requirements and available resources.
    Good Luck!
    Regards,
    -John N.

  • UME synch with CUA

    What are the issues with UME synch with ABAP CUA? If I have one CUA should I point all of my UMEs (Java instances) to a single ABAP instance?
    Does anyone have any experience with CUA and java? What architecture issues should I be aware of?
    Thanks
    Mikie

    Theoretically you can do this for ABAP UME users, but there is a big "gotcha":
    Java systems don't have the same client concept as an ABAP system, and what is behind the ABAP role mapping on the Java side is not known to the ABAP system and may even differ.
    The consequence is that if you point multiple Java UME's to one ABAP CUA system's client dependent user store... then assigning a role to the user will assign it in all Java systems, depending on what is mapped behind it.
    Using a <SID> naming conventions for Java systems within the ABAP roles is not scalable and there are many standard roles anyway.
    A consideration I have heard of was to use a multiple of ABAP clients, one for each Java system, but that might not be scalable as a solution either unless you are sure you will only have limited number of Java landscapes and systems.
    Instead of trying to support such a workaround yourself, you will be better off looking into an IdM. See the thread at the top of the forum page about Identity Management (IdM).
    Cheers,
    Julius
