User roles un-assigned in CUA but access in child system is ok

Hi,
I am having a really weird issue. A user who has access in roles in child clients, suddenly his roles disappeared from CUA. It did not affect access in child systems. Any suggestions how to investigate this?
Thanks

Did you click the Naughty Button in SCUL? Check OSS Note 1074552...
Could also be a cause of failing idocs.
Regards,
Trond
PS: The above note is for cases where users lose their visible role assignments in CUA, although roles remain assigned in the child system(s), not for cases where role assignments from CUA never trickle through to the child systems. The mentioned OSS note is a direct result of a case worked on by yours truly in 2007. I include below a warning I posted on sapfans about the issue:
Word of warning: RSUSR_CUA_CLEANUP_USZBVSYS is faulty!!!
The program RSUSR_CUA_CLEANUP_USZBVSYS is available as a standard SAP program from at least version 6.20. It can be run from SE38/SA38 or launched from a pushbutton (far right) on the "results" screen of transaction SCUL.
The program is intended to delete "obsolete" entries from table USZBVSYS, which contains log entries for assigned child systems in a CUA environment. The program is run in the main CUA system, and supposedly deletes entries for systems where users no longer have access.
There is a serious problem with the program, as acknowledged and confirmed by SAP in an OSS note I opened a few days ago. Under certain circumstances (more than 500 entries for any child system in the CUA landscape), the program wipes clean the whole table, instead of just the obsolete entries.
The consequences are dire. Table USZBVSYS is used for several fundamental CUA functions, such as remote password reset from the CUA master system. After the wipe, executing SU01 and attempting to reset a user's password in a child system will no longer work. The assigned child systems are no longer visible in the reset password pop-up (nor anywhere else in SU01, including the Roles tab). You'll have to edit the user via SU01, and click on the annoying pop-up showing "new system assigned to user" for each system where the user has access...
The only way to fix the issue is to re-run SCUG for all systems in the CUA landscape. We had to do this across 6 CUAs, each containing 30+ child systems/clients and 10000+ users, which was very time-consuming and annoying. Also, there seem to be cases where roles have been wiped out from users on the CUA master systems, possibly due to consequences of the empty USZBVSYS table.
SAP has conceded the program is faulty, and has proposed a new version (note 1074551). Without applying this correction, the program should NOT be run.
Note that users can still log in to and work in the child systems, it's just the "visibility" from the CUA master system which is missing. Tables USLA04/USL04 are still intact.
Just wanted to warn the community; we've spent some considerable time discussing with SAP and rectifying the mess created by RSUSR_CUA_CLEANUP_USZBVSYS...
Edited by: Trond Stroemme on Aug 5, 2008 3:03 PM
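
The check below is an added example, not part of the original post and not SAP code. It reads CSV exports of USZBVSYS and USLA04 from the CUA central system, reports child systems above the 500-entry condition described in the warning, and lists user/system pairs that still hold role assignments but have no system entry (the "lost visibility" symptom). The column names BNAME and SUBSYSTEM, the export layout, and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Condition quoted in the post: more than 500 entries for any child system.
WIPE_THRESHOLD = 500


def load_pairs(csv_text):
    """Parse a CSV export into a set of (user, child system) pairs.

    Column names BNAME and SUBSYSTEM are assumptions about the export layout.
    """
    pairs = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = (row.get("BNAME") or "").strip().upper()
        system = (row.get("SUBSYSTEM") or "").strip().upper()
        if user and system:
            pairs.add((user, system))
    return pairs


def systems_over_threshold(uszbvsys_pairs, threshold=WIPE_THRESHOLD):
    """Child systems whose entry count meets the failure condition."""
    counts = Counter(system for _user, system in uszbvsys_pairs)
    return {system: n for system, n in counts.items() if n > threshold}


def lost_visibility(usla04_pairs, uszbvsys_pairs):
    """(user, system) pairs with role assignments but no system entry."""
    return sorted(usla04_pairs - uszbvsys_pairs)


def assess(uszbvsys_csv, usla04_csv):
    """Summarise cleanup risk and current damage from the two exports."""
    systems = load_pairs(uszbvsys_csv)
    roles = load_pairs(usla04_csv)
    return {
        "cleanup_unsafe_for": systems_over_threshold(systems),
        "lost_visibility": lost_visibility(roles, systems),
        "table_empty": not systems,
    }


def to_csv(pairs):
    """Build a constructed export with the assumed two-column layout."""
    return "BNAME,SUBSYSTEM\n" + "".join(f"{u},{s}\n" for u, s in pairs)


# Constructed sample data: 501 users on one child system, one user on another.
SAMPLE_BEFORE = to_csv(
    [(f"USER{i:04d}", "ERPCLNT100") for i in range(501)]
    + [("USER0000", "BWCLNT200")]
)
# Constructed role assignments (several roles per pair collapse to one pair).
SAMPLE_ROLES = to_csv(
    [("USER0000", "ERPCLNT100"), ("USER0000", "BWCLNT200"),
     ("USER0001", "ERPCLNT100"), ("USER0001", "ERPCLNT100")]
)
# Constructed state after the table has been emptied.
SAMPLE_AFTER_WIPE = to_csv([])

if __name__ == "__main__":
    print("before cleanup:", assess(SAMPLE_BEFORE, SAMPLE_ROLES))
    print("after wipe:    ", assess(SAMPLE_AFTER_WIPE, SAMPLE_ROLES))
```

A non-empty `cleanup_unsafe_for` means the landscape is in the range where the post says the uncorrected report must not be run; a non-empty `lost_visibility` list scopes which users and systems need SCUG to be re-run.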

Similar Messages

  • CUA on PRD without child systems

    Hi,
    We are planning to implement CUA on PRD without child systems. And also DEV as the parent for all non-productive systems. Can anybody provide pros/cons of making PRD the parent without child systems? Is it recommended?
    Thanks
    Craft

    Hi,
    CUA without child system is of no use. One of the use that I can explain it to you is say:-
    For example:- If you want to assign 10 similar roles to 100 similar user in DEV,Quality or Prod
    1.If CUA is present:-
    You can assign all roles to all user in DEV,Quality or Prod via CUA which will save your time
    2.If CUA is not present:-
    You have to assign all roles to all user first in DEV and then Quality and then in Production which will be more time consuming. You have to log in to individual system and then assign.
    Even maintenance of users becomes easy if you have a CUA system. Even removal of roles becomes easier.
    CUA system without a child system will not be called as CUA system. It will be normal system.

  • Table used for storing roles/profiles assignment in CUA landscape

    Hi,
    following is my cua setup
    master client - 999 of SRM 4.0
    child client - 101 of ECC 5.0
    child client - 202 of SCM 4.1
    in cua all distribution works on its logical name assign to respective client.
    here is my question
    lets say user 'XYZ' in master client assign single as well as composite role and composite profiles assigned in the master as well as child system.
    please tell me in which table this relationship is maintain in sap that Composite roles/profile is from which cua client.
    from my finding the tables which store the role and profiles from master and child system are i.e. USRSYSACT & USRSYSPRF.
    but I am not able to find the table which stores the role-to-user and user-to-profile assignments in a CUA setup. Can someone please help me?
    Thanks,
    John.

    Hi Check the tables
    USR10 - role definition
    AGR_PROF - Profile for Roles
    AGR_TEXTS - Role descriptions
    AGR_USERS - Assignment of roles to users
    AGR_DEFINE - Auth profiles
    if needed see other tables with USR* and AGR_*
    Reward points if useful
    Regards
    Anji

  • User role assignments deleted in CUA child systems

    Hi All,
    i have the following problem
    newly started CUA from one newly created client in development. According the setup guide from SAP and best Practices in SCN.
    RFCs all OK; users in RFC are Service users, as dialog users are requested by system setting to change password every 60 days.
    PW all ok
    connections setup OK
    connection to the first 5 clients all OK but then a client with a existing LS connection to another SAP system the setup went wrong
    I had to use BD64 to complete model creation or WE20 to select.
    In SCUA -setup clients the traffic light came up green after a second save.
    and more client were connect with OK result
    2 more clients did not connect properly now they are after intervention with BD64
    All user downloads were done, Text comparison for the role assignments and profile assignments, and checked some of the clients if role activation and changes were possible.
    All clients but 3 were OK.
    From the 3 clients i had to use BD64 for creation of distribution model are the roles missing from the clients
    I cannot read any role or assign any role
    All SCUl error are redistributed
    EDI ports on clients point to Central System.
    Pls advice
    Kind regards
    Hans

    Hi,
    This is SAP business one system administration forum. Please find correct forum and repost above discussion to get quick response.
    Please close this thread here with helpful answer.
    Thanks & Regards,
    Nagarajan

  • How to create SR Queue and Custom User Role for technician only see which SR assigned Him/Her and Resolve

    Hi 
    I have created workitem SR advance and Criteria with ID [Assigned To ME] and created user role in Advance operators.
    But in technician Console showing which SR he/she created not service desk assigned to him/her.
    Please suggest...
    Regards
    Sheetla Maurya

    I have found the solution: create a Queue with Service Request Advance (we do not need to create any criteria option). After that, create a custom User role on Advance operators with View "Assigned To ME".
    Regards
    Sheetla Maurya

  • Users created in CUA does not distribute to child systems

    Hi
    I searched this forum and after pulling my hair for 2 days I am asking this question. I created a user in CUA and gave him child system access with the necessary roles.
    I was under the impression that the user will get replicated / distributed automatically to the child systems which I selected at the time of user creation in CUA.
    But it does not happen. I log in to the child system and search for the user. It says User does not exist. I saw SCUL in CUA and the log shows a grey icon next to the username and when I place my cursor on the icon, the text comes "Distribution unconfirmed".
    What am I missing? Everything looks ok to me
    Why is the user or users not getting replicated or distributed to the child systems with the necessary roles / profiles?

    >
    Jackofalltrades wrote:
    > 2. Also the communication user from Client to CUA is getting locked very frequently. When I do a text comparison from CUA, it always pops the username and password login screen and then I have to enter it and the text comparison happens. I don't know what that happens
    >
    > Any ideas for point 1 and 2 ?
    Hi,
    that is an indication, that the RFC-connection is not defined properly. As soon it does not work, you will get the login screen (on the login screen the default client (503) is filled automatically, but that has nothing to do with the problem you have).
    First check the password of the RFC-user you use. Simply change this user to type 'dialog' and try to log on with the password you know. If that works, reenter this password in SM59. Perform the authorization test in SM59 afterwards. Mind possible upper/lowercase problems with the password depending on the releases your systems are.
    You can also try to perform a remote login through SM59 to make sure that you can log on with that RFC-user (as long as he is of type dialog this will work). If the RFC-user gets locked frequently, then something is wrong with the RFC configuration. In most cases the entered password is simply wrong.
    Check this first!
    b.rgds, Bernhard

  • CUA- Deleting user IDs from Child systems

    Is there a possibility of configuring CUA in such a way that user IDs can be created and access can be updated from CUA but deleting user IDs should be taking place only in the child system (Not in all the child systems)?

    Generally good advice to keep the uniqueness of UIDs over time, also after Elvis has left the building
    What you could consider is a CUA RFC user which is not authorized to delete UID's and schedule a purge job for those IDOCs which deleted only them.
    However these sorts of "workaround" solutions are not the best advice, to be honest. What happens if someone temporarily assigns SAP_ALL because there is a big problem and authorizations should be excluded as the cause to get it working again?
    Also, every time a new child system is added to the CUA you will be flooded.
    My advice: Rather change your procedure (as described by Jurgen).
    What would be interesting to test is whether you are authorized to move a user (change the authorization relevant group which they currently have) to a group which the CUA user is no longer able to subsequently administrate? But then you will still be hunting down IDOCs from time to time, most likely.
    If your shop is big enough to have these systems you have described, then you might want to consider an IdM system to replace your CUA at some time.
    If you wish, I will move this thread to the IdM forum.
    Cheers,
    Julius
    ps: Please do not cross-post.

  • User Roles and Authorizations

    As we know in MM different user have different roles to play and they need different SAP transaction and related activies.
    In SAP we define the particular user who are actually allow to access only certain transactions only?
    What are the steps to do this in SAP?
    Secondly in which stage of implementation we define those user roles and assign duties to them in SAP ?
    Best Regards,
    Kapil

    u can create the user role using tcode su01 and pfcg for authorization management

  • Control center user role - hide worksets

    Dear gurus,
      The control center user role is assigned to all the users by default. Could somebody please tell me how to hide selected worksets in the role.
    I have an option to delete items that are not configured in that role. I am trying to find a means of hiding some of the worksets and pages, so that I do not have to delete or modify the SAP delivered role and am able to make those items visible when required at a later stage.
    any help is appreciated.

    There are two roles involved. One is the SAP template, and should not be changed as it can be overwritten by patches etc. The other can be edited the same as any role. It is the one with the id pcd:portal_content/every_user/cc_user/ccur.
    In here you can remove worksets, change the sequence etc or hide its visibility in the navigation area etc.

  • CUA: Model view not created automatically in Child System

    Hi, I try to create a CUA with just a child system thru txn SCUA. The result of generation is good and all green. The part that is not right is I do not see the model view created in txn BD64 of child system, I can see it created in master system. Both RFC of master and child system are working fine. I do not see errors at WE20 & WE21 as well. Under this situation, I can see CUA active in master system but not child system. Hence, CUA is not working as it says in master system.
    I have setup CUA couple of times before but this is the first time that I encounter such a weird situation. Does anyone has any clue where could have gone wrong?
    Edited by: Annie Chan on Jul 25, 2008 5:23 PM

    Hi Everyone,
    It is indeed an RFC issue but it was a silly mistake with the incorrect hostname that I am supposed to connect to. Hence, the Distribution Model doesn't exist in the child system. Nevertheless, your advice does point in the right direction.
    Thanks so much for your input. Points are granted as accordingly.
    Regards,
    Annie

  • Problem assigning internet user Role through portal

    Hi All,
    Please could someone help me with the following:
    I am creating a registration process that creates a new CRM Business partner with contact person and internet user roles. When I run the BAPI from within CRM everything works fine; however, when I run my JSP dynpage application and call the same BAPI, the internet user that I create does not have any of the logon details or roles. Does anyone know why this is? I am using the same user when running in CRM and the portal.
    Many thanks in advance
    Calvin

    Hi Sunil,
    Thanks for your reply. answers to your questions:
    1. Yes, all portal users are maintained and have the same roles as CUA users. Portal authenticates against CUA.
    2. Yes the user is created correctly on the backend. i have created a BAPI that creates users, BP's and assigns roles. This Bapi works perfectly when run in CRM but as soon as it is accessed via the portal the internet user role does not have all the required information.
    Many thanks
    Calvin

  • Role assignment to user in child system

    Hi,
    We have a CUA with role assignment in SCUM defined as global. Is there any way of assigning roles to users in a child system when the CUA system is not available? Is there any way to allow role assignment in both parent and child systems?
    Many thanks for your help!!
    Raquel

    One way would be to temporarily delete the CUA assignment in the child and then maintain locally, but you will need to attach it again... and decide whether you want the CUA master to know about what you have done.
    Plan B on older Support Packs is to take a look at the correction instructions of SAP Note 1504495 (https://service.sap.com/sap/support/notes/1504495) but for this you need full access () to the S_USER objects, in which case you could detach the CUA anyway.
    However as a temporary workaround in Test systems it could have been useful.
    Plan C: Allow reference user assignments locally and authorize the role indirectly. Via the available authorizations of and access to the reference users you can then contain the scenario. Works fine for me if the concept of reference users is understood.
    However in most cases you should do it via the CUA and will end up doing this anyway via the CUA - that is what you have a CUA for. So... logon to your CUA in the morning, give the SAPGui scheme a nice bright colour and administrate the users and role assignments there. This is a small price to pay compared to not having a CUA or IdM...
    Cheers,
    Julius

  • Indirect Role Assignment Within CUA

    Hi Experts,
    We're implementing indirect role assignment in SAP HR and exploring the feasibility to include this client as part of CUA. Has anyone implemented this before? Appreciate if you could share.
    I understand that CUA able to distribute DIRECT role assignment made from central client to the child client(s), but not so sure if it is possible for INDIRECT role assignment approach. My previous project exclude client with indirect role assignment from the CUA distribution landscape and I wonder why.
    Appreciate your input in this matter and looking forward for further discussion.
    Best regards and million thanks in advance.

    Hi,
    So I worked on a CUA managed landscape that had systems that featured indirect org assignment hooked in. The association between the User ID and the HR org based position was still maintained locally as the local system contained the HR Org structure, but direct access was still blocked by CUA. The roles assigned indirectly were visible from CUA in a different colour. You can still maintain users directly from CUA on top of this. This may be an alternative to consider.
    If the local system does not contain the HR Org structure you are probably going to have to export the structure, so if that is the case you might as well import it to CUA if all org relevant users are maintained there and manage it centrally via the advised link anyway.
    Cheers
    Steve

  • CUA: User & Role Master Data Change Document

    Hi Team,
    I would like to know is there any way to find out CUA user master & role assignment change document data from CUA Central System & All Targets Systems.
    I am looking for user friendly tool similar to SUIM.
    I have looked into other methods of CUA change document tips and tools but it is not so fruitful to convenes my Audit team.
    FYI.  System Users (CUA_ADMIN) is not the user which i want to see in my change document window, i want to know actual security consultant ids within that.
    Kindly get back to me.
    Appreciate, for your response.
    Regards,
    Asif

    HI Matt:  Your understanding is correct for CUA Tier2 Setup.
    FYI.
    We have successfully configured trusted relationships between SAP Systems with the help of my BASIS & UNIX team.
    To do this:  We have performed following actions:
    • Trusted System trust relationships for the RFC Connection has been maintained from the Central to the Child System and from All Child to Central System via transaction code SMT1.
    • UNIX Database level trusted relationship entries has also been added with the help of UNIX Team
    • RFC Destinations has been reconfigured with Current user option (SM59).
    • For Security Administrator special authorizations has been provided in order to get trusted relationship RFC authorizations.
    Note:
    I have added Full Authorizations under these new special objects S_RFC, S_ICF, S_RFCACL, & S_RFCADM  and same was assigned to all our Security Administrators.  Remote Logon & Trusted Connectivity is working fine for all of us.
    We are 4 Security Administrator here, And for All of us this new concept of Trusted RFC for CUA is working fine.
    New Authorizations updated on both CUA and the Child System.
    Our ids are replicating as a log in the last change by field of SU01 and change document of SUIM. Happy to see this. 
    But unfortunately there are strange ABAP dumps are started generating from CUA (SolMan) System soon after this Implementation.
    When we look into ST22, runtime errors CALL_FUNCTION_SINGLE_LOGIN_REJ &  CALL_FUNCTION_SYSCALL_ONLY are keep generating.
    Following are the example of dump logs and all the dump are with similar fashion but with different user-ids within that.:
    Short text:  No authorization to logon as trusted system (Trusted RC=0).
    What happened?  : Error in the ABAP Application Program The current ABAP program "SAPMSSY1" had to be terminated because it has come across a statement that unfortunately cannot be executed.
    Error analysis:  An RFC call (Remote Function Call) was sent with the invalid user ID "(End user user-ids)".  Or the calling system is not registered as trusted system in the target system.
    How to correct the error: The error code of the trusted system was 0.
    Meaning: 0    Correct logon as trusted system mode
    1 No trusted system entry for the calling system "BIP " (like other child System) or the  security key entry for the system "BIP " is invalid
    2 User "111552 " (Type of End user) does not have RFC authorization (authorization object
         (S_RFCACL) for user "End User id " with client 100.
    3    The timestamp of the logon data is invalid
    The error code of the SAP logon procedure was 6. (6    No external user check)
    My Point: I think All these End users are trying to connect CUA Trusted RFC connections through individual different child Systems..
    Why they need to Connect to CUA and for what reason they need special Trusted RFC's authorization???
    Pls help me to fix this problem.
    I have gone through the old SDN posts related to the same topic and few SAP notes and help link but it wont help.
    Note 1579570 - Problem with trust relationship after using HMAC
    Note 128447 - Trusted/trusting systems
    Note 131387 - No authorization to log on as a trusted system
    Note 986707 - No authorization to log on as a trusted system (RC=1)
    Few More SAP Notes: 986707, 333441, 1151790 & 128447
    http://help.sap.com/saphelp_nw04/helpdata/en/8b/0010519daef443ab06d38d7ade26f4/frameset.htm
    We don't see any logs under SCUL, BD87 & ST01.
    Please anyone can assist me on this.
    Regards,
    Asif

  • New role in CUA user record not getting pushed to child system

    I added a new child system to our CUA setup.  I've confirmed that the RFC connections from both sides are working properly (test connection succeeds) and I've successfully completed the user transfer function in SCUG.  All existing roles assigned to the users in the child system are now appearing in the CUA central system as expected.  I added a new role to a user via SU01 in the central system to this child system, but when I go to the child system, it does not appear in the user's SU01 record.  Any ideas why this would not be syncing properly?
    Thanks,
    Michael

    Hi,
    Whenever you create a new role in a child system, it has to be synced up with the central system.
    To sync up with the central system, log in to the central system, go to SU01 > enter any user name > go to the Roles tab and click on Text comparison from child system. It navigates to another screen; there you have to mention the child system and click on execute. It syncs up with the child system. Hope it will help you to resolve the issue.
    If you are still getting the same issue, log in to the central system, go to SE38, enter the program name "RSCCUSND" and click on execute. There, mention the user name and the logical system ID of the child system, select the parameters which you want to distribute to the child system and execute it.
    Best Regards
    Mani
