CUA to IDM migration

Hi all,
Can you suggest me how to go with below questions
1) how do we migrate CUA to IDM ? any step guide available.
IDM SAP insider document approach says
    • Install SAP NetWeaver Identity Management on top of CUA.
    • Start connecting the ABAP systems to SAP NetWeaver Identity Management and disconnecting them from CUA.
    • When you have disconnected the last ABAP system from CUA, you can then shut down CUA to complete a successful migration.
>> my understanding is CUA Is SU01 transaction in ABAP, what does it mean by install iDM on top of CUA and shutdown CUA after migration..
Need clarification on this
2) for IDM setup, Separate server is must? and does it require separate licence other than Netweaver.

Hi Jaichan,
1) During CUA migration to IDM, Does it require any setup inside CUA system required or not.
No Changes in current CUA required. IDM will be installed separately.
This article might be useful for you. (Page 14)
https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0ad23d3-3664-2a10-8aa7-e9c3c8616d48
2) Does the collecting process from Non-SAP/SAP to IDM system is just copying to User master tables or its really mapping one to one(and synchronising automatically). Need more details technically.
No. In IDM, HCM or any other system can supply the basic data. However before connecting other systems, it will be better idea to take all users data from CUA.
Once the Users are in IDM, have to do role/priv settings and provisioning the same to other systems.
This article might be useful for you.
https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/e04a0800-1cdf-2b10-218a-94ba2cfeb2dd
3) Also i would like to know technically how Non-SAP-ADS source can be synchronised with IDM.
Can you specify the document name for this.
4) I think customers Using LDAP with Java to synchronise with CUA, how LDAP part is
taken care by IDM. Suggestion please
This article might be useful for you.
https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/a73a89d3-0901-0010-5a8b-f2e03467117f
https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/706065c4-3564-2a10-2382-a52fcbd7eefb
These Documents will also help you.
Installation Overview: https://websmp205.sap-ag.de/~sapidb/011000358700000062312008E
Installing the Management Console and Runtime Components: https://websmp205.sap-ag.de/~sapidb/011000358700000061872008E
Operations Guide: https://websmp205.sap-ag.de/~sapidb/011000358700001876292008E
Hope this helps,
+ An

Similar Messages

  • Question: CUA to IDM Migration Guide?

    Is there a guide/document that talks about Migrating from CUA to IDM
    Thanks!

    Hi
    This one: Identity Management for SAP System Landscapes: Architectural Overview
    and this one: Identity Management for SAP System Landscapes: Configuration Guide
    talk briefly about the integration into an existing CUA landscape.
    AFAIK one connects the IdM to the CUA system and reads all the data. Afterwards you remove the systems step by step from CUA and allow IdM to handle them.
    Hope I could help
    Michael

  • [Initial Password] CUA vs IdM

    Hi,
    Please correct me if I am wrong: when the CUA changes the password in the child systems, they are set as initial. It means that, on the first logon, the user has to change it.
    Is there a possibility for IdM to set "definitive" password. It seems so to me after reading
    |                     |        CUA        |  Identity Management       |
    | Password management | Initial passwords | yes incl. workflow support |
    in https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/7037d982-40aa-2a10-e283-a76a9dfc93ab, page 29
    Thanks in advance.
    Best regards,
    Guillaume

    IdM can only do what SAP permits.  Depending on how one is authenticating determines the password policy.  An initial password, an expired password and a password reset by an administrator all set the same flag.  The user must change their password on next logon.  The only way around this is to write directly to the db with SAP's hash.  A terrible idea and a big security risk.
    UME uses a delegated model so the password policy depends on what you are authenticating against.  This question is normally asked because a company wants to do password synchronization; one is better off doing SSO.

  • CUA Vs IDM Vs GRC

    Hello All,
    We are implementing a brand new SAP software.
    We have GRC and IDM license.
    There is overlap of functionality (CUA,IDM,GRC).
    What is the best approach of effectively using these tools ?
    We configured the GRC-RAR now.
    Thank you in Advance for the recommendations...

    Hi Saayi,
    You can have multiple scenarios, either you can have GRC as the leading provisioning system or IdM as the leading provisioning system.
    SAP IdM -> GRC AC -> CUA
    Have a look at the GRC AC 5.3 Configuration guide, it has a dedicated unit on "Access Control and Identity Manager Integration", which describes the two scenarios very well.
    PS : Please do not cross post, you have the same question in the GRC Forum
    Cheers !!
    Zaheer

  • GRC, CUA and IDM

    We are in process of installing GRC 10.0 in our landscape. We have following questions?
    1. Can I run my CUA from GRC box instead of say Solman?
    2. Can I hook GRC with LDAP so I import the users from active directory?
    3. Do we need IDM, if active directory is hooked up to the system where we have the CUA?
    Regards,
    Kedar
    Edited by: Kedar Joshi on Aug 8, 2011 5:57 PM

    Hi Kedar,
    The easy answer to your question is yes to all of them!
    1. It is technically possible to run CUA from the GRC box as it is an ABAP based environment.
    Depending on your user provisioning processes though, you may want to consider the scope of using CUA.
    For example, you may want to retain CUA for pre-production access but may want to have automated Access Request Management (CUP) for the production environments. Alternatively, if you are going down the full IDM route, you may wish to have everything provisioned via GRC rather than having the additional manual assignments through CUA.
    2. Yes, you can still connect to LDAP Active Directory from GRC. There is a technical change in setting up the connection as it uses an RFC destination rather than a JCo but it's still possible and actually advisable for creating a single user master source.
    3. This is slightly more difficult to say without further knowledge of your organisation. Generally, IDM is focussed on a more holistic view of User Access across the enterprise estate. IDM is still of use when managing SAP and Non SAP applications and managing the roles from a business perspective. Whilst GRC is able to offer the business role concept inherently, it is still slanted towards the management of risk rather than pure Identity Management and therefore the tools do perform a separate yet integrated function.
    I hope this helps.
    Simon

  • Additional fields required for CUA to IDM IDOC

    Hi,
    I am deploying the Remote Loader for Novell IDM 3.5 on my SAP system. (not using the HR driver.)
    But I need to add additional fields to allow the logic within the Driver to differentiate between external users and internal users.
    How can I amend the IDOC produced by the CUA framework within SAP to add the additional fields, my developer has already created a BADI to grab the additional information to populate into the IDOC.
    I just need a way to add it to the IDOC for processing into the Remote Loader.
    TIA
    Chris

    Chris,
    you simply have to extend the schema mapping rule inside your driver configuration.
    At the mapping rule, you can map your new infotypes to Novell eDirectory attributes manually without changing your HRMDA_xx.meta file.
    To make the mapping more handy, you can edit your HRMDA_xx.meta file and re-read it during the schema mapping process. Afterwards you can use the GUI wizard to process the mapping definition.
    - Holger

  • SAP IDM or CUA

    Hello Gurus,
    We have GRC 10 implementation project going on, there are like 5 systems which we proposed to be added to CUA and then connected to GRC for role provisioning.
    We have some confusion as to whether to go for IDM to manage the accounts centrally or to choose CUA.
    Please can you advise whether CUA or IDM is beneficial.
    Regards,
    Pooja Saste

    Hello Pooja,
    My personal suggestion is to use IDM.
    Even our own SAP IT moved from CUA to IDM for several reasons - easy maintenance, better provisioning and simplified maintenance.
    IDM 7.2 goes with GRC integration framework that works like charm and many more other connectors for both SAP and non-SAP systems, so it would be easier for you if you will have to integrate with another system in the future.
    Regards
    Todor

  • IDM-SAP CUA Integration

    I have been under the impression that instead of creating accounts on each SAP child systems (SAP ECC, SAP Portal, SAP BI etc), we can create the accounts in SAP CUA using IdM and then provide information to SAP CUA such that it does further provisioning on SAP child systems
    Is this possible ?
    So far, I have not been able to create such account. I am successful in creating accounts in SAP CUA, however, no matter which attribute I use (cuasystems, activityGroups etc) to represent a list of SAP child systems to be passed to SAP CUA to create account, it does not work.
    I am definitely out of ideas and looking for some help.
    Thanks,
    Rajesh

    I think there is a setting on the SAP CUA system and the child systems that needs to be set correctly.
    We have an environment where we provision a user to CUA and assign the user roles (direct activity groups) that map to BI and ECC.
    CUA then uses those roles and the systems they map to in order to provision to those child systems.
    Check your SAP configuration, because this worked fine for us. One thing to note, is that changing an existing user's password in CUA will NOT replicate to child systems. So you may have to manage those child systems directly to change passwords.

  • Regarding Initial load for CUA

    we are testing CUA migration in  IDM7.0 version.
    Already below systems exists in my place
    1)IDM7.0
    2)CUA System(ABAP)
    3)ABAP systems(Child for CUA system)
    Now how to integrate CUA with IDM7.0 and Migrate CUA User information. Instead of Connecting each abap system with IDM, we plan to connect CUA and take all the data to IDM.
    so how to do this? Executing Initial load for CUA system will solve this problem ? or any particular process available.
    please suggest us.
    regards

    hi mathew,
    thanks for your reply
    Actually our initial step is to find to what extent CUA system information can be taken over (Migrate) to IDM.
    I feel It would be better to take all the Child system user info from CUA at one point rather than connecting each abap system with IDM. so that i can disconnect CUA once IDM is established.
    So wondering how to integrate CUA system with IDM7.0, Executing Initial load for CUA system is same
    as executing initial load for ABAP system.
    please shed light on this.
    regards

  • Regarding CUA System

    hi guys,
    we are planning to Connect CUA system with IDM and execute Initial load to collect users, roles, groups,  assignment of roles to users, groups to users.....etc.
    Now I believe IDM will have all the info including CUA system Users, Groups etc  and Other child ABAP systems Users, Groups.
    1) Later if we remove CUA from IDM and if Child systems directly connected with IDM(Executed Initial load), the Old CUA System Local users and Groups will be removed?
    2)How the rules in CUA system can be transferred to IDM system.
       (do we need to Create the CUA system rules again in IDM freshly again??)
    regards
    jaichan

    thanks

  • Can IDM 8.1 support MS Exchange 2010 ?

    Hellos
    Is there ANY way we can introduce Exchange 2010 support into our IdM solution?
    Customers are migrating directly from Exchange 2003 to Exchange 2010.
    What is the status re Active Directory "connectors" is there any sort of IdM migrating tool to switch from AD Gateway approach to AD Connector.
    What we are faced with is the sudden REWRITE of ALL AD provisioning.
    a pissed off GF

    Hi everyone.
    I did a little bit more digging and found the following piece of information that I think you'll all find beneficial.
    A few months ago one of my customers asked the following:
    If a customer is planning on using the Active Directory connector with Exchange 2007 support
    enabled, how will that affect IDM provisioning to Exchange 2010? Is that a configuration that's
    supported?
    I then received the following answer:
    The connector provides the same functionality for Exchange 2010 that it did for Exchange 2007 (no
    more, no less).
    See the connector documentation for specifics: http://wikis.sun.com/display/IdentityConnectors/Exchange+Connector
    What it doesn't do is support specific 2010 functionality (such as the ability to set Out of Office
    Messages, that used to exist pre Exchange 2007 and was added back in for Exchange 2010).
    Having said that, there is still the issue of the 8.1.1 release notes not stating specific support for Exchange 2010.
    But for all intents and purposes, I've seen a few indications that it should work without issue. I am currently awaiting clarification on the subject, which I will be sure to post once I receive it.
    I hope this helps.
    Regards,
    Alex

  • CUA security question

    Hi,
    My company has decided to use only one cua for both productive and non productive systems (dev. , test, ...). What are the security issues or risks of this kind of set up? Same question for SAP SolMan for both production and non productive systems.
    Thanks.
    Regards.
    Philippe.

    Hi
    From a security point of view Julius is quite right, furthermore, by creating one CUA for Test and Development, and another for productive use, you will also gain the option to test changes to your CUA landscape before migrating them to production.
    From a more pragmatic point of view I must admit that I have created many "only-one-CUA-Solutions". This will give you the advantage of a Single point of user maintenance, but if you do so, make sure that your master system is installed on a system with the highest possible security level, and that is I guess your productive system, or dedicated CUA System.
    And remember, a new client on test, development or solman, will not provide that level of security, unless you can ensure that level of security on all clients on the system.
    Regards
    Morten Nielsen

  • Role assignment to user in child system

    Hi,
    We have a CUA with role assignment in SCUM defined as global. Is there any way of assigning roles to users in child system when CUA system is not available? Is there any way to allow role assignment in both Parent and child systems?
    Many thanks for your help!!
    Raquel

    One way would be to temporarily delete the CUA assignment in the child and then maintain locally, but you will need to attach it again... and decide whether you want the CUA master to know about what you have done.
    Plan B on older Support Packs is to take a look at the correction instructions of SAP Note 1504495 (https://service.sap.com/sap/support/notes/1504495) but for this you need full access () to the S_USER objects, in which case you could detach the CUA anyway.
    However as a temporary workaround in Test systems it could have been useful.
    Plan C: Allow reference user assignments locally and authorize the role indirectly. Via the available authorizations of and access to the reference users you can then contain the scenario. Works fine for me if the concept of reference users is understood.
    However in most cases you should do it via the CUA and will end up doing this anyway via the CUA - that is what you have a CUA for. So... logon to your CUA in the morning, give the SAPGui scheme a nice bright colour and administrate the users and role assignments there. This is a small price to pay compared to not having a CUA or IdM...
    Cheers,
    Julius

  • Migrating CUA on SSM 3.1 to SSM 7.00

    Guys,
    We have a completely empty (ie no SSM related customising) SSM 3.1 system running Central User Admin.
    We want to move to the latest SSM incl EHP1.
    Rather than perform an upgrade (CU & UC conversion required I guess) I think it would be quicker and easier to just perform a new install of 7.
    My question is ....can I then simply perform a client copy to use CUA on the new system or am I being too optimistic
    Your experience/ knowledge/feedback is greatly appreciated!
    Regards
    Alan

    Hi,
    I have some experience of CUA migration. All data for users is still available in satellite systems so the best way is to set-up the new solution manager and then configure cua again.
    1. disconnect satellite client from current CUA system ( transaction SCUA)
    2. connect it to new CUA (again SCUA)
    3. transfer all user and company addresses to new cua (transaction SCUG).
    4. repeat this for all central managed clients
    5. configure where user attributes are maintained (transaction SCUM).
    Regards,
    Frank

  • How to migrate user from IDM 5.5 to 6

    Our current users in IDM 5.5 have many attributes, admin roles and defer tasks. Does anyone know what is the best way to migrate the users without missing user information from 5.5 database to 6?

    hi,
    You need to export each user XML from IDM 5.5 and import that into IDM 6.0. That's all I know.
    If there is anything we can do other than this, please let me know.
