User role assignments deleted in CUA child systems

Hi All,
I have the following problem.
I newly started CUA from one newly created client in development, according to the setup guide from SAP and best practices in SCN.
RFCs are all OK; the users in the RFCs are service users, as dialog users are required by system setting to change password every 60 days.
PW all OK.
Connection setup OK.
Connection to the first 5 clients was all OK, but then for a client with an existing LS connection to another SAP system the setup went wrong.
I had to use BD64 to complete model creation or WE20 to select.
In SCUA (setup clients) the traffic light came up green after a second save,
and more clients were connected with OK result.
2 more clients did not connect properly; now they are, after intervention with BD64.
All user downloads were done, as well as text comparison for the role assignments and profile assignments, and I checked some of the clients to see if role activation and changes were possible.
All clients but 3 were OK.
In the 3 clients where I had to use BD64 to create the distribution model, the roles are missing from the clients.
I cannot read any role or assign any role.
All SCUL errors are redistributed.
EDI ports on clients point to Central System.
Please advise.
Kind regards
Hans

Hi,
This is the SAP Business One system administration forum. Please find the correct forum and repost the above discussion to get a quick response.
Please close this thread here with a helpful answer.
Thanks & Regards,
Nagarajan

Similar Messages

  • User roles un-assigned in CUA but acces in child system is ok

    hi
    I am having a really weird issue. A user who has access to roles in child clients suddenly had his roles disappear from CUA. It did not affect access in child systems. Any suggestions on how to investigate this?
    thanks

    Did you click the Naughty Button in SCUL? Check OSS Note 1074552...
    Could also be a cause of failing idocs.
    Regards,
    Trond
    PS: The above note is for cases where users lose their visible role assignments in CUA, although roles remain assigned in the child system(s), not for cases where role assignments from CUA never trickle through to the child systems. The mentioned OSS note is a direct result of a case worked on by yours truly in 2007. I include below a warning I posted on sapfans about the issue:
    Word of warning: RSUSR_CUA_CLEANUP_USZBVSYS is faulty!!!
    The program RSUSR_CUA_CLEANUP_USZBVSYS is available as a standard SAP program from at least version 6.20. It can be run from SE38/SA38 or launched from a pushbutton (far right) on the "results" screen of transaction SCUL.
    The program is intended to delete "obsolete" entries from table USZBVSYS, which contains log entries for assigned child systems in a CUA environment. The program is run in the main CUA system, and supposedly deletes entries for systems where users no longer have access.
    There is a serious problem with the program, as acknowledged and confirmed by SAP in an OSS note I opened a few days ago. Under certain circumstances (more than 500 entries for any child system in the CUA landscape), the program wipes clean the whole table, instead of just the obsolete entries.
    The consequences are dire. Table USZBVSYS is used for several fundamental CUA functions, such as remote password reset from the CUA master system. After the wipe, executing SU01 and attempting to reset a user's password in a child system will no longer work. The assigned child systems are no longer visible in the reset password pop-up (nor anywhere else in SU01, including the Roles tab). You'll have to edit the user via SU01, and click on the annoying pop-up showing "new system assigned to user" for each system where the user has access...
    The only way to fix the issue is to re-run SCUG for all systems in the CUA landscape. We had to do this across 6 CUAs, each containing 30+ child systems/clients and 10000+ users, which was very time-consuming and annoying. Also, there seem to be cases where roles have been wiped out from users on the CUA master systems, possibly due to consequences of the empty USZBVSYS table.
    SAP has conceded the program is faulty, and has proposed a new version (note 1074551). Without applying this correction, the program should NOT be run.
    Note that users can still log in to and work in the child systems, it's just the "visibility" from the CUA master system which is missing. Tables USLA04/USL04 are still intact.
    Just wanted to warn the community; we've spent some considerable time discussing with SAP and rectifying the mess created by RSUSR_CUA_CLEANUP_USZBVSYS...
    Edited by: Trond Stroemme on Aug 5, 2008 3:03 PM
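
A pre-run and post-run check for the failure described in the post above, as an added example that is not part of the original thread or any SAP-delivered code. It assumes the log table has been exported to CSV (for instance from a table browser) with a header row containing `BNAME` (user) and `SUBSYSTEM` (child system); those column names and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Threshold quoted in the post: "more than 500 entries for any child system".
ENTRY_THRESHOLD = 500


def load_pairs(csv_text):
    """Parse an export into a set of (user, child system) pairs.

    Assumed layout: header row with BNAME and SUBSYSTEM columns.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    return {(row["BNAME"].strip().upper(), row["SUBSYSTEM"].strip().upper())
            for row in reader}


def systems_over_threshold(pairs, threshold=ENTRY_THRESHOLD):
    """Child systems whose entry count meets the condition named in the post."""
    counts = Counter(system for _user, system in pairs)
    return {system: n for system, n in counts.items() if n > threshold}


def lost_assignments(before, after):
    """Map child system -> sorted users listed before the run but not after."""
    lost = defaultdict(list)
    for user, system in sorted(before - after):
        lost[system].append(user)
    return dict(lost)


def classify(before, after):
    """Distinguish a complete wipe from a removal of individual entries."""
    if before and not after:
        return "full-wipe"
    if before - after:
        return "partial-removal"
    return "unchanged"


def build_sample_export(users_per_system):
    """Constructed sample data, not taken from any real system."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["BNAME", "SUBSYSTEM"])
    for system, count in users_per_system.items():
        for i in range(count):
            writer.writerow([f"USER{i:04d}", system])
    return out.getvalue()


if __name__ == "__main__":
    # Snapshot taken before the cleanup: one child system is over the threshold.
    before = load_pairs(build_sample_export({"ECCCLNT100": 501, "BWCLNT200": 3}))
    # Snapshot taken afterwards: header only, i.e. the table is empty.
    after = load_pairs(build_sample_export({}))
    print("at risk:", systems_over_threshold(before))
    print("result :", classify(before, after))
    print("lost   :", {s: len(u) for s, u in lost_assignments(before, after).items()})
```

Comparing a snapshot taken before the cleanup with one taken after shows which users lost their visible system assignments and therefore which child systems need the SCUG re-run the post mentions.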

  • Integrate GRC 10.1 with CUA and how to import roles from CUA & Child systems into GRC for provisioning

    Hello,
    I am trying to integrate CUA into our GRC 10.1 system through the below steps and so far I have completed the below steps following SAP Notes 1680108 and 1616121:
    1. Connected CUABOX to GRCBOX like a plug-in system.
    2. Updated CUA Global System and CUA Model Distribution in Maintain CUA settings under User Provisioning.
    3. Next I am trying to import the roles from CUA(CUABOX) into GRC(GRCBOX) to be able to provision roles in CUA Child Systems(ECCBOX).
    After reading few discussions in SCN, I have figured that we have to download a template in Role Import and populate it accordingly to upload the CUA child system roles into GRC system for provisioning in CUA Child Systems.
    Unfortunately, this template has multiple fields and I am unable to determine the fields that should be populated as CUA Global System and CUA Child System to import into GRC. Also, when we upload CUA Child System Roles template what selections should be made in Role Import window.
    Any help in this regard is very helpful.
    Thank you,
    Pawan

    Hi Alessandro,
    I have "Create user if does not exist" setting checked for both change action and assign role action and also have CUA enabled. Here is the list of steps that I am performing:
    1. Create an access request for new account, T-CUA_CHILD and select a role from a child system ECC Z_ECC_ROLE_IN_CHILD_SYSTEM.
    2. Approvals provided to assign the ECC role.
    3. I see the following in GRFNMW_DBGMONITOR_WD.
               Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage              GRAC_SECURITY
                   New User:T-CUA_CHILD created in System(s): ECC (created without role assignments)
                   T-CUA_CHILD User does not exist in target system CUA
    GRC created an account without role assignment in ECC but also threw an error that the user does not exist in CUA.
    However, if I select roles from both CUA and ECC it creates the account in both systems with the selected role assignments.
    So I am wondering if there is a way to provide CUA access to users by default for new account request types. I have tried setting up default roles for CUA but it does not assign the roles by default until I select the CUA system.
    Thank you for your help!
    Pawan

  • CUP:Deletion of account in CUA child system leaves system assignment in CUA

    Hello all CUP experts,
    I face a problem with CUA connected systems, more precisely in the account deletion process. The account is deleted in the CUA child system, but it leaves the system assignment in the CUA system.
    Is there a way to get CUP to delete also the CUA system assignment, which I understand has to happen before the child system account deletion?
    Br,
    Stefan Ericsson

    Hi Naveen,
    1. I have synchronized the company address in central system to all the child systems.
    2. This particular child system has an additional company address "XYZ" (which is causing the problem). This address is not being copied to the central system from transaction SCUG. It throws an error saying that the address is incorrect (Missing Country Information). So, when I want to edit the address to get this thing fixed, in the child system, it won't let me do that. I can neither edit it nor delete it. I get the error messages as I have posted earlier.
    So I have changed the company address of all the users who were using address "XYZ" to a different address so that I can delete the company address "XYZ". But, I am still not able to delete the address.
    If you could guide me on how can we edit or delete the company addresses in a  child system (other than from Transaction SUCOMP), it would be great.
    Thank You for your time on this thread.
    Any input I will appreciate.
    Jaya

  • User roles were deleted for the mass change in CUA system.

    Dear Team,
    I have assigned a role to a set of users in CUA via SU10 for a specific child system. I executed the task 3 to 4 times to assign different roles to a set of users, and some users may be repeated in each execution.
    When I checked in the child system after a few hours, the old roles were deleted and it contains the role which I assigned in the mass change.
    It happened only to a few users, not more than 20, so I expected that the users who were repeated in SU10 more than once for the different role assignments were the ones impacted.
    But that is not the problem, because I verified some of the users who were repeated more than once in the child system and their old roles didn't get deleted; the new role was appended to the existing rights of the user.
    Still, some of the IDocs were showing in the SCUL transaction with a yellow triangle signal.
    So please help me find out what the issue would be.
    Kindly let me know if need more information....
    SV

    Hi,
    It is a problem related to an IDoc issue. Please contact the Basis team regarding pushing of the IDocs. I am giving an overview of the steps that need to be executed for the IDoc push. Please contact Basis with the same.
    Run RBDAGAIN report (se38)
    Give Idocs and save as variant.
    Now go to sm36 specify a job name and start.
    This will change the Idoc status from 02 to 30. For 03 to 30 it needs a different report. Please check and let me know if any issue. As long as idocs are not pushed properly it will give an error. At times also check the CUA user is ok or not. It gets locked at times. To know which one is the CUA user->Login to child system->su01->See the change executed by the user->Get the user name.
    Let me know if any issue.
    Regards
    Aveek.

  • New role in CUA user record not getting pushed to child system

    I added a new child system to our CUA setup.  I've confirmed that the RFC connections from both sides are working properly (test connection succeeds) and I've successfully completed the user transfer function in SCUG.  All existing roles assigned to the users in the child system are now appearing in the CUA central system as expected.  I added a new role to a user via SU01 in the central system to this child system, but when I go to the child system, it does not appear in the user's SU01 record.  Any ideas why this would not be syncing properly?
    Thanks,
    Michael

    Hi,
    Whenever you create a new role in a child system, it has to be synced up with the central system.
    To sync up with the central system, log in to the central system, go to SU01 > enter any user name > go to the Roles tab and click on Text comparison from child system. It navigates to another screen; there you have to mention the child system and click on execute. It syncs up with the child system. Hope it will help you resolve the issue.
    If you are still getting the same issue, log in to the central system, go to SE38, enter the program name "RSCCUSND" and click on execute. There, mention the user name and the logical system ID of the child system, select the parameters which you want to distribute to the child system and execute it.
    Best Regards
    Mani

  • CUA and SU10: unexpected deletion in all child systems

    Hi,
    I am facing with a problem with SU10 and CUA.
    I have updated a lot of users with SU10 in CUA. For 20 users in a child system, I first add a new role, everything is fine. Then I perform a removal of an old role (I know that the end date will be changed), everything is fine except for one user. All roles were removed from all systems where the user is defined! However, when I look in each child system, it is not the case; the roles are present except in the child system for which I did the removal.
    This problem occurs twice, for different users. It is a real problem because we have to adapt a lot of users.
    I have reinstalled the 'missing' roles with SCUG and with the change document for users but it can be a workaround because I have discovered this by chance. I can imagine check all users after each run of SU10.
    Hope someone can help me.
    Regards

    Hi Olivier,
    that sounds like you are facing the problem corrected with SAP note #1117530......
    The removal shows up only at the next change of a user; the actual deletion of role assignments because of the copy might have happened already some time ago.....
    b.rgds, Bernhard

  • Delete Role Assignments directly from an ABAP System

    Hi folks!
    I'm working on a synchronization job and I have a particular challenge, delete Roles assigned to a user in the ABAP System.
    Our use case is this: IDM is regarded as the authoritative source and as such if the user has a privilege in IDM, it should be in the backend.  Easy enough!
    However if the privilege is not in IDM but is in the back-end, it needs to be removed.  Is there a way to do this in IDM? From what I saw in the Framework, we are assuming that the role already exists in IDM.
    I suppose the work around would be to assign and then remove the matching privilege in IDM, but I really don't like that at all, for a number of reasons.
    I looked in the business suite and plain ABAP portions of the framework.  I'll take a more detailed look and also check the RDS, but I get the feeling this will be a toughie.
    Thanks for your help!
    Matt

    Hello Matt,
    so you want to remove local administrated role?
    If the object really is to undo the local administration, I would do this:
    Create a batch job, the passes would be a FromSAP, a ToGeneric and one/two ToSAP
    At first a cleaning pass (the ToGeneric one) which fixes all incorrect assigned privs (re-add directly or remove, depends on what you want/need). The source tab query and destination tab script have to be written though (I guess that is the most time consuming part of the job during implementation)
    The pending privs have to be considered in the provisioning script (I would prefer our own written script over the SAP delivered anytime)
    Copy the Read ABAP pass for users. Remove everything but the logonuid and the role assignments (profile assignments only if needed, too). Maybe use a different table name like sap<repName>userAssignRecon. If the system is very large, this pass has to be optimized filters
    Copy the role provisioning pass from the in-use plugin (SAP or adjusted one) and adjust it like this:
    Source tab query: A query which selects all mskeys of users that have more assigned in the sap table as in the link view. Using the Identity Store so everything of the identity is selected
    Destination tab: Remove the profiles as you haven't mentioned them. If needed I would do the same for profiles as for the roles in a second pass with the profileAssign table.
    Best regards
    Dominik

  • Deletion doesn't reflect child system

    Hi All,
    We have deleted a composite role from CUA, but to our surprise the single role still exists in the child system. How do we delete these now?
    We have tried to redistribute the IDoc - unsuccessful.
    We can't use PRGN_COMPRESS_TIMES as CUA is connected.
    Any help will be appreciated.
    Thank you,
    Sri

    Hi,
    What is the status of the Idocs in Central system and Child systems? Are they processed properly? If yes and still you see the Single Roles in the child system then do the following:
    1. Check the Composite role first in the child system (and in central also if it is existing there too). If the role is not ok to see then first take of it.
    2. Do a text comparison in the Central system for the Respective Child system(s) and save the user once more by getting into change mode.  Now check whether the roles are gone or not.
    3. if the single roles are still there then assign the composite role once more and save and then remove it again. Check the SCUL status for the user id and process it if not processed already.
    4. process the IDocs manually in BD87 if not processed in the central and / or Child system(s).
    Let us know how it goes.
    regards,
    Dipanjan

  • Missing user role assignments

    Hello Gurus,
    We have a strange issue in our ECC production environment. The role assignments for a few users are missing. The roles were assigned to these users almost a year back. The change documents do not show any record of the role assignment being deleted.
    In SU01 in display mode the profiles for the roles are still assigned to the user, but when one tries to edit the user master data the profiles also get deleted from user and the change is shown against the name of the admin who has tried to edit the user master.
    This problem is seen to happen randomly for various roles and various users.
    What could be causing such an issue?
    Thanks in advance for your replies.
    Regards,
    Subbu

    Hi Subra,
    Prgn_compress_time removes the expired roles .Also check USH* tables like USH02, USH04 ...for Change history.
    The role assignments for a few users are missing. The roles were assigned to these users almost a year back.
    Did you transport the roles to the production properly after making changes. (if any).
    re-transport the roles once again.
    Thanks,
    Sri

  • RSEOUT00 - CUA Child system disconnecting.

    Is RSEOUT00 mandatory while disconnecting a child system from CUA? Please help me understand. I'd always done this while disconnecting CUA with one of the clients (organization) I worked for. However, today, when my colleagues and I were discussing it, one of them said that he had never done this step for the client (organization) he worked for. Is there an alternative to RSEOUT00?

    To delete the CUA you have to use the RSDELCUA report.
    More info on the report RSEOUT00:
    399271 - CUA: Tips for optimizing ALE distribution performance

  • How to find the user - role assignments in the database for EP6 SP9?

    L.S.,
    We have a quite specific requirement: to see which users have access to our portal environment (EP6 SP9). It does not immediately matter (though would probably still be nice to know if possible) which roles users have exactly.
    I've been looking in the database to find user-to-role assignments there, but I'm unable to find any. The closest I got is the PID field in the UME_STRINGS table, but users remain listed there even when all their portal roles are revoked afterwards. Any ideas?
    Kind Regards,
    Steven Dijkman

    hi Steven,
    Sorry, but you will have to write some code. The following lines of code will work for you.

        // Fragment for a portal component; the UME classes used here live in com.sap.security.api.
        // List every role, then the display name of each member of that role.
        IRoleSearchFilter rolefilter = UMFactory.getRoleFactory().getRoleSearchFilter();
        ISearchResult result = UMFactory.getRoleFactory().searchRoles(rolefilter);
        while (result.hasNext()) {
            // The search returns unique role IDs as strings.
            String rolestr = (String) result.next();
            IRole r = UMFactory.getRoleFactory().getRole(rolestr);
            response.write(r.getDisplayName());
            response.write("<br>");
            // true = include members assigned indirectly.
            Iterator users = r.getMembers(true);
            while (users.hasNext()) {
                String userstr = (String) users.next();
                IUser user = UMFactory.getUserFactory().getUser(userstr);
                response.write(user.getDisplayName());
            }
        }

  • Post-refresh steps for a CUA child system

    Hi,
    I implemented CUA in our non-prod system.
    I will copy my DEV system (CUA enabled) to a SBX machine (also CUA enabled).
    our CUA Master is installed on our Solution Manager machine.
    I searched the web for possible solutions. One of them is:
    1.export users from SBX
    2. refresh SBX
    3. import users back into SBX
    4. run SCC7
    Any other possible solutions such as forcing data from CUA master to be "implemented" into my refreshed system?
    Thanks.

    Hi Eric,
    Not much aware, hope this might be helpful.
    http://wiki.sdn.sap.com/wiki/display/Security/Bestpractice-HowtoperformaclientcopywhenCUAisactive
    http://sapbasisnotes.blogspot.com/2009/05/how-to-perform-client-copy-when-cua-is.html
    Cheers
    Deepanshu

  • Id deleted in child system

    Hi Gurus
    A user ID has been deleted in a CUA child system. Is there any way to trace who deleted the user ID?
    The change document shows it was deleted by CUA_ADMIN, but we can't trace the original ID with which the user was deleted. Please help!!!!!

    You have to check it in the CUA (domain), not in the child system..... In the child system it is always going to show the RFC user used to distribute the changes from CUA.
    SU01 - enter user - Go to >Information>Change documents for users
    Regards,
    Marco

  • How to delete users in the child systems with CUA?

    Hi All,
    We have:
    1.  My SAP ERP 2005  (ECC 6.0)+ Windows 64bit + Oracle 10
    2. EP 7.0 + Windows 64bit + Oracle 10
    3. BI 7.0 + Windows 64bit + Oracle 10
    4. Solution Manager 4.0 (CUA)
    We managed all our QA and DEV users in ECC, EP using CUA from the Solution Manager server (Productive servers  and all the BI  7.0 System Landscape aren't in the CUA).
    My problem is when I want to delete a user. Sometimes if you delete a user in the Solution Manager (where the CUA is defined) the user still exists in the child systems. In fact you can see it with SU01 only in the child system. I guess the idea is that if you delete the user in the CUA then the user is deleted in the child system.
    I found this information in the SAP Help:
    As well as the authorizations already mentioned, you also need another authorization in the central system for object S_USER_SYS. You can only assign new systems to a new user with this authorization. ( No Problem with this )
    When a user is deleted in the central system, the system entry for the user is retained until the deletion is confirmed. If an error occurs, you can repeat the deletion by canceling the system (in the child system).
    What does "deletion is confirmed" mean?
    Best Regards,
    Erick Ilarraza

    Hi, thanks a lot for your reply.
    We used the SAP transaction SCUG to solve the CUA problem.
    It is something about the refresh of the user in the parent / child systems; you need to re-refresh users and delete again.
    Best Regards,
    Erick Ilarraza
