SU10 with CUA

hi
I have implemented CUA and trying to change roles for some users through SU10, which is not hapenning, but when i do the changes through su01 to individual users the effect take place. I am not able to do a Mass User change.
Any Suggestions
Thanks/Jonu

Hi Jonu;
Check in transaction SCUL in parent system. You may find entries there. This will hqppen because you when you are  assigning the same role to multiple user the role gets locked in child system for a single user qnd thus other users wont get the role. to solve this issue process scul entries. for permanent solution put userclone message type in background processing mode in child system qnd schedule a periodic job to execute the idocs.
if u dont find entries in scul check bd87 in child system for userclone message type qnd look for errors.
please award points accordingly.
Regards.
Ruchit.

Similar Messages

  • Central maintenance of info with CUA

    Dear all,
    We are planning to implement CUA in our landscape. I guess, we can maintain initial passwords and lock status of users centrally with CUA.
    Could we also maintain centrally the definiton of authorization profiles and completely definiton of user roles? and  the information of "which user is allowed to logon to what client" with CUA?
    Which of the above informations can be maintained centrally using CUA?
    Your help will be appreciated. Thanks in advance.

    Hi
    I guess, we can maintain initial passwords and lock status of users centrally with CUA - correct
    Could we also maintain centrally the definiton of authorization profiles and completely definiton of user roles - you can centrally maintain the allocation of roles and profiles.
    and the information of "which user is allowed to logon to what client" with CUA - Yes.  You maintain user to role mapping centrally and that also means you can control the systems and clients which they log into
    You can also centrally distribute Parameter ID's (though that is not without it's "features" - nothing that can't be easily fixed), User Data, Printers, User Groups (same "features as PID's"). 
    CUA does a job which is quite narrow, you may want to look at Netweaver IdM which can do some of what CUA does but is a proper IdM tool.  Could be overkill for what you want but could also be the basis of a strategic solution for managing SAP accounts.  Both have their place.

  • UME synch with CUA

    What are any issue with UME synch with ABAP CUA? If I have one CUA should I point all of my UMEs (Java instances to a single ABAP instance).
    Does anyone have any experience with CUA and java? What architecture issues should I be aware of>
    Thanks
    Mikie

    Theoretically you can do this for ABAP UME users, but there is a big "gotcha":
    Java systems don't have the same client concept as an ABAP system, and what is behind the ABAP role mapping on the Java side is not known to the ABAP system and may even differ.
    The consequence is that if you point multiple Java UME's to one ABAP CUA system's client dependent user store... then assigning a role to the user will assign it in all Java systems, depending on what is mapped behind it.
    Using a <SID> naming conventions for Java systems within the ABAP roles is not scalable and there are many standard roles anyway.
    A consideration I have heard of was to use a multiple of ABAP clients, one for each Java system, but that might not be scalable as a solution either unless you are sure you will only have limited number of Java landscapes and systems.
    Instead of trying to support such a workaround yourself, you will be better off looking into an IdM. See the thread at the top of the forum page about Identity Management (IdM).
    Cheers,
    Julius

  • Portal with CUA userbase

    Hi,
    Our Scenario:
    We are using portal with CUA userbase.
    But, now we want to use the portal for a Non-CUA system users ( this system is not part of CUA)
    How can I set up the portal authentication ? Can I setup two user bases ?
    Please advice

    Are you talking about the same portal or different portal systems ?
    If you are talking about the same portal, the only option I see is to add the other users to the CUA. If you are talking about a two portal installations, there is no problem, except that for SSO, the users have to have the same name in both installations.
    Regards,
    Patrick

  • Integrate GRC 10.1 with CUA and how to import roles from CUA & Child systems into GRC for provisioning

    Hello,
    I am trying to integrate CUA into our GRC 10.1 system through the below steps and so far I have completed the below steps following SAP Notes 1680108 and 1616121:
    1. Connected CUABOX to GRCBOX like a plug-in system.
    2. Updated CUA Global System and CUA Model Distribution in Maintain CUA settings under User Provisioning.
    3. Next I am trying to import the roles from CUA(CUABOX) into GRC(GRCBOX) to be able to provision roles in CUA Child Systems(ECCBOX).
    After reading few discussions in SCN, I have figured that we have to download a template in Role Import and populate it accordingly to upload the CUA child system roles into GRC system for provisioning in CUA Child Systems.
    Unfortunately, this template has multiple fields and I am unable to determine the fields that should be populated as CUA Global System and CUA Child System to import into GRC. Also, when we upload CUA Child System Roles template what selections should be made in Role Import window.
    Any help in this regard is very helpful.
    Thank you,
    Pawan

    Hi Alessandro,
    I have "Create user if does not exist" setting checked for both change action and assign role action and also have CUA enabled. Here is the list of steps that I am performing:
    1. Create an access request for new account, T-CUA_CHILD and select a role from a child system ECC Z_ECC_ROLE_IN_CHILD_SYSTEM.
    2. Approvals provided to assign the ECC role.
    3. I see the following in GRFNMW_DBGMONITOR_WD.
               Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage              GRAC_SECURITY
                   New User:T-CUA_CHILD created in System(s): ECC (created without role assignments)
                   T-CUA_CHILD User does not exist in target system CUA
    GRC created an account without role assignment in ECC but also throwed me an error that the user does not exist in CUA.
    However, if I select roles from both CUA and ECC it creates the account in both systems with the selected role assignments.
    So I am wondering if there is way to provide CUA access to users by default for new account requests types. I have tried setting up default roles for CUA but it does not assign the roles by default until I select the CUA system.
    Thank you for your help!
    Pawan

  • Portal Integration with CUA

    I am implementing CUA for my SAP landscape and would like to incorporate our portal but I am unsure how to do this.
    I have changed my portal UME to point to the ABAP system as it's datasource.
    I am unsure how I can get my portal roles assigned to my portal users from the ABAP system.
    When I create a user I need the ERP users creating with ABAP roles and the Portal user creating with Portal roles, which are not the same in both systems.
    How can I acheive this.  I do not have an LDAP.
    Regards
    Graham

    Hi,
    interesting questions. Portal is running on top of Netweaver platform (Java stack). Hence no Apache web server. I doubt that it supports any Apache modules. You can use Apache as reversed proxy in front of SAP portal. Check note 480520 with attached configuration guide. I don't know answer for your question regarding REMOTE_USER setting.
    SAP portal supports all standard [authentication methods|http://help.sap.com/saphelp_nw70/helpdata/en/8a/cb136e68592f478266d19bb2b89766/frameset.htm] supported by Netweaver. Probably the only possible way is to use [SAML|http://help.sap.com/saphelp_nw70/helpdata/en/94/695b3ebd564644e10000000a114084/frameset.htm]. [Here|http://www.ibm.com/developerworks/tivoli/library/t-cssosap/index.html] is a how-to guide how to set up SSO based on SAML between Tivoli and Netweaver applicaiton server.
    Also search on net. I found links to interesting presentations (e.g. [this one|http://www.switch.ch/aai/support/presentations/ws-sap-2010/ETHZ_AAI_SAP_SAML_Artifact.pdf]).
    Cheers

  • Indirect Role Assignment with HR-ORG in a system landscaper with CUA

    Hi all,
    we have 2 SAP systems:
    1) SAP ECC6 (with composite roles)
    2) SAP HR with PA and OM
    We would like to assign SAP ECC6 roles through HR-OM.
    Since HR-OM is not on the same ECC6 system, we would like to try the logic: HR-OM -> CUA -> ECC6
    There are several documents that describe this situation (ex. SCUR351).
    From PFCG point of view, we should create a composite role in CUA system which include simple roles of child system.
    If we try to create a composite role in CUA central system, we can insert only simple roles available in central system (and not in child).
    Any experience on this scenario ?
    Pros vs cons ?
    Are the different possible scenarios ?
    Many thanks...
    Andrea

    Whole idea of CUA is to manage your roles and users centrally, on the contrary you can manage the roles/profiles by setting up the attributes for the CUA thorugh Central user Management console - SCUM Transaction.
    CUA has its own pros -
    Central rep,Users Sync,Role Provisioning statergy - Global composites(consists of individual child roles) Distibuted model -Provisioing at individual child systems for roles, etc.Central user store,easy maintenance.
    on the contrary - change documents is always a concern ( because cua uses - interface Ids or the RFC ids to push the idocs from cua to child system), CUA maintenance while system refresh - Copied distribution models have to be deleted and re-created, system backups has to be defined per you distribution model, password maintenance if defined global then Child systems act as inactive nodes, reading the roles into cua which are created in childs so as to establish a pointer to that system.
    It also depends on the number of systems you have in your landscape so that you can calculate the overhead and then have a Go -no-Go decison on CUA.
    Overall, I consider CUA as a good approach provided we streamline the process of provisioning, de-provisioning per the cua standards.
    Rakesh

  • BBPMAININT with CUA

    We have a landscape with SRM 5.0 and CUA in two different systems and intend to use BBPMAININT to create Users and need the user to be replicated or created in CUA.
    We already implemented note 402592, but the user is created only in SRM and without any Role.
    Regards, Roberto

    Hi Robert
    We are creating user -ids in  CUA which replicates the user ids in SRM / R3 and CRM and other systems.
    After that through Users_gen we map the user -id to the Org structute  in SRM .
    We tried creating users in SRM and replicating to CUA but it didnt went well.
    SO now userid for the first time are created in CUA and replicated to all systems and after that we use Users_gen option Create users from Existing SU01 and mapp the user to SRM Org Struture.
    regards,
    Nimish Sheth

  • How to delete users in the child systems with CUA?

    Hi All,
    We have:
    1.  My SAP ERP 2005  (ECC 6.0)+ Windows 64bit + Oracle 10
    2. EP 7.0 + Windows 64bit + Oracle 10
    3. BI 7.0 + Windows 64bit + Oracle 10
    4. Solution Manager 4.0 (CUA)
    We managed all our QA and DEV users in ECC, EP using CUA from the Solution Manager server (Productive servers  and all the BI  7.0 System Landscape aren't in the CUA).
    My problem is when i want to delete a user. Sometimes if you delete a user in the solution manager (where the CUA is defined) the user still  exists in the Child Systems. In fact you can  see it with the SU01 only in the child system. I guess the idea is that if you delete the user in the CUA them  the user is delete in the child system.
    I found this information in the SAP Help:
    As well as the authorizations already mentioned, you also need another authorization in the central system for object S_USER_SYS. You can only assign new systems to a new user with this authorization. ( No Problem with this )
    When a user is deleted in the central system, the system entry for the user is retained until the deletion is confirmed. If an error occurs, you can repeat the deletion by canceling the system (in the child system).
    What does mean: deletion is confirmed? 
    Best Regards,
    Erick Ilarraza

    Hi, thanks a lot for your reply.
    We used the SAP Transaction SCUG to solve CUA Problem.
    It is something about the refresh of the user in the Parent / Child systems, you need to Re-Refresh users and delete it again.
    Best Regrads,
    Erick Ilarraza

  • Technical upgrade to ERP2005 6.0 and CRM2007 with CUA on 640?

    We are in the planning stages of a technical upgrade to ERP2005 6.0 and CRM2007. Our CUA system is not being considered for this upgrade; it's currently at kernel release 640, patch level 80, ABAP load 1521, CUA load 15.
    I've searched all over for recommendations, and all I've found is this from the SAP Help pages: "Use the most up-to-date system in your system landscape as your central system (if possible with a release status of 4.6C or higher). In this way, the newest functions in CUA are available to you." In Frank's NetWeaver Identity Management 7.0 Technical Overview Presentation, he states "IdM will replace the CUA in the long run, however, SAP will continue to support CUA in its current functionality according to SAP maintenance rules."
    Will we have a problem if our CUA system is at a lower release than the rest of our systems?
    thanks,
    Mary-Anne

    possibly not. still i would test the scenario on a sandbox system which is already on ERP 6.0 and another one with CRM2007 on it. you could for that purpose simply add them to your ALE-scenario (BD64). after such a test you can be sure whether everything is still o.k.
    that recommendation from SAP makes sense though: distributing from a system which is running on the latest software is preferable, since you would have a source which is likely to be more 'reliable' than the target.
    why don't you upgrade your CUA central? what are the reasons for this?

  • Help with CUA and modifying user "own profile".

    Hey guys,
    We just implemented CUA in our enviornemnt, and have run into the system.
    I understand why all accounts now get modified in the central system, however, our users are asking to be able to still modify thier account defaults (i.e. hour format, numbering format, etc) in SU3 (system ->user profile -> own data)...  however the CUA has removed this option from all clients connected to it.
    Is it possible to still have this functionality?
    Thanks everyone for any info.
    Richard

    Hi Richard,
    It is possible to change multiple attributes and the changes are executed according to
    the setting associated with each attribute. Therefore, global attributes are changed in
    the central system and distributed and those attributes that are to be maintained locally
    are filtered out and not changed.Local attributes should be maintained using the maintenance functions
    (SU3) in the child systems. So you will have to change the settings in The central system to allow this to be maintained from the child system.
    Many Regards,
    Harimander Singh.

  • Error with CUA

    Hi Gurus,
    I have successfully linked 5 child system to the CUA.. All the changes are also flowing to the child system but we when i see the CUA log all the changes appear as unconfirmed except for the parent system.. ...
    I have check teh RFC connection, CUA landscap ... All seems to be working fine
    Can anyone tell the solutions....
    Parveen

    Hi Parveen,
    your problem can have various causes....
    The most common is, that the user in your rfc-destinations from the child system to the cua-central has not sufficient authorizations. Pls check sm58 on the child systems.
    Temporarily try, if you have a change of behaviour, if you assign sap_all to that user.
    You could also run ST01 for that user to find out, if authoriaztions are missing.
    Another common failure is caused by wrong definition of rfc-destinations. Change the rfc-user to 'dialog' and perform a login with that rfc-connection. Are you logged on the the central system then?
    Pls check idoc status in the child systems (bd87). Are they really processed without errors?
    b.rgds and good luck,
    Bernhard

  • Problem with CUA

    Hi Team,
    we implemented CUA in our CRM system such as NCSCLNT300 was made as CUA and NCSCLNT200 as child system.
    CUA works well in most cases except for the below issue.
    1. For some roles available in client NCSCLNT200, when we try to add it to a user in CUA, system throws a error 'The central system does not have any information about the existence of role SAP_CRM_COMPETITOR in child system NCSCLNT200'
    we have performed a text comparison but it didn't help. Thanks to help.

    Hi,
    if the text comparison does not work, there are only 2 possible causes:
    1. the logical system name of the child system is not defined correctly (review table t000!)
    2. the rfc-connection from child to central system is not configured correctly.
    In most cases cause 1 is applicable. the fact, that you think that the text comparison works perfectly for other roles could be also that you have another system in the landscape with the same logical system name containing that same roles.
    Simple test: create  a role form scratch in child and trigger the text comparison direktly in pfcg of the child system.
    Is the role thena available in the central system?
    An indication for cause 2 would also be no confirmed status in SCUL.
    b.rgds, Bernhard

  • Problems with CUA

    Hi,
    I have a problem with the CUA.
    We have scheduled the report RBDAPP01 for IDoc inbound processing. Oubound IDOCs are triggered immediately. The job RBDAPP01 is scheduled every five minutes.
    We have scheduled the Report PFCG_TIME_DEPENDENCY as well once a day at 22:00.
    Role assignment is only allowed in the central system.
    Now, we have the problem, that an empolyee has deleted several roles. With the report RBDAPP01 this delete has taken affect. But at 22:05 the roles that were deleted before, were assigned to the user again.
    Do you have any idea about this effect?
    Best regards and thank you for your help.
    Bjoern

    Hi Bjoern,
    You are likely to get more help in the Security Forum.  This is for the SAP NetWeaver Identity Management tool.
    Best Regards,
    Matt

  • Logical systems in production with CUA

    Hi,
    We have recently implemented CUA and are rolling out ECC 6.0.  We created the logical systems for development, QA, and production in the development system and transported them to QA and production. 
    The solution manager system is the CUA master. 
    We normally only have production logical systems defined in production and would like to remove the development, QA, and solution manager systems.  If we attempt to delete these definitions in production in SALE, it complains that the logical system is still used in distrubution model CUA, although solution manager, not production, is the CUA master.
    If we are using CUA, do we have to have all logical systems defined in all client systems?
    TIA,
    Russ

    Hi Pradeep,
    I don't think that's quite it.  SM1 is the master.  I'm in the production system (PE1) trying to delete the development system (DB1).  I am not trying to delete SM1.  I'm getting the following message.
    Logical system DB1CLNT300 must not be deleted
    Message no. B1199
    Diagnosis
    The logical system DB1CLNT300 is still used in distribution model CUA (client 800).
    System Response
    The deletion cannot be carried out.
    Procedure
    Confirm that the logical system DB1CLNT300 is really no longer used. Delete it first from distribution model CUA (client 800), then delete it here.
    Thanks and best regards,
    Russ

Maybe you are looking for

  • MacBook Pro to TV via VGA to Components gives garbled image

    Hello everyone, I'm the proud owner of a new unibody MacBook Pro and so far I'm loving it. There is, however, one problem. I would really like to connect the MBP to my HD TV, which happens to be a Sony FD Trinitron WEGA. At first I bought the Apple m

  • Importing video from Canon ZR45mc into iDVD

    The issue I'm having is when I connect it to my MacBook Pro and perform a "one-step DVD" in the program "iDVD," it records, but it is very jumpy. To better explain, it is not a smooth recording, but instead jumps forward every second or two. So, need

  • Logic won't open after i installed it

    Hey there,                after i installed logic pro 9 on snow lepoard, it won't open along with all my other applications that were fine before i installed logic. It gives me a problem report that i don't really understand. i need help!!!

  • I've downloaded the current itunes 10.5 but the sync ipod is grey.

    I've connected the Iphone to Itunes, but the Iphone icon is not shown..I have downloaded the Itunes 10.5 on the computer.

  • Can  not get any color swatches into Gradient Swatch panel.

    I've tried dragging, clicking dragging and only get the circle/line-thru-it.  And there is no New Gradient Swatch option anywhere that I can see. Listen:  I've now spent over 4 hours online -- today alone! -- reading instructions that simply do not w