
Replicate users created in Gateway System to Backend System(S4HANA) (or) Vice-versa

Karthik_Gali
Participant
0 Kudos

Dear Community,

The basic prerequisite of a Gateway HUB deployment is to create the users with the same names in both the Gateway and the Backend System. Therefore, I assume there must be some standard functionality readily available for replicating the users created in the Gateway system using SU01 to the Backend system (or) vice-versa (or) is custom development the only way forward? How do you handle this in your landscapes?

P.S: Currently, use of CUA (or) Identity management is out of scope as our user creation and landscape requirements are quite unique.

The SAP User Management Self Service APIs (/IWBEP/USERREQUESTMANAGEMENT) offer the functionality to automatically create users created in the Backend system in the Front end system with a few IMG customizations and an RFC connection. However, we are already using this functionality for a specific type of users who need to create their own user credentials using a custom UI application. Therefore, I would like to know whether there is any similar option available for the users (other than internet users) created using SU01.

Thanks for your time 🙂

Regards,

Karthik

Accepted Solutions (1)


Andre_Fischer
Product and Topic Expert
0 Kudos

For your specific scenario I think that custom development might be the best option because you are using SAP Fiori Launchpad in a single system (the SAP Gateway Hub) anyway.

In short the following setup could be a solution.

1. Create the same OData Service that creates users using BAPI_USER_CREATE1 in all backend systems.

(I would recommend to create a service that uses CDS views for reading the data and the BAPI to create the user)

2. Publish the OData Service in the Hub and create system aliases for all Clients

3. Assign the system aliases to that service together with distinct roles so that your admins are automatically routed to the respective backend.
As a result, your service would have system aliases and roles assigned:

| System alias | Role |
| --- | --- |
| sys_alias_sys_1 | employee_comp_1 |
| sys_alias_sys_2 | employee_comp_2 |

Admins from Company 1 would have role employee_comp_1 assigned in the hub while admins from Company 2 would have role employee_comp_2 assigned in the hub.

As a result the admin of company 1 will only see users of the client he or she is responsible for and if he or she calls the service to create a user it will be created in the client of company 1 only.

Your service implementation (DPC_EXT in the backend) can, in addition to the user creation in the backend, perform an RFC call to the hub system to create the same user there as well, leveraging the trusted/trusting system relationship.

If you would use BAPI_USER_CREATE1 just to create users in the backend and would have CUA configured, BAPI_USER_CREATE1 would automatically create a user in the CUA central system first and would only then create a user in the backend, assuming the SAP Gateway Hub would be the central system of a CUA.

Regards,

Andre
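
The backend-then-hub creation described in the answer above, as an added example that is not part of the original thread: the class name `zcl_user_replicator` and the RFC destination `HUB_TRUSTED_RFC` are hypothetical, and removing the backend user again when the hub call fails is an assumption about the desired behaviour, made so that user names never exist on one side only.

```abap
CLASS zcl_user_replicator DEFINITION FINAL.  " hypothetical helper class
  PUBLIC SECTION.
    CLASS-METHODS create_in_backend_and_hub
      IMPORTING iv_user    TYPE bapibname-bapibname
                is_logon   TYPE bapilogond
                is_pwd     TYPE bapipwd
                is_address TYPE bapiaddr3
      RETURNING VALUE(rt_return) TYPE bapiret2_t.
ENDCLASS.

CLASS zcl_user_replicator IMPLEMENTATION.
  METHOD create_in_backend_and_hub.
    " Hypothetical trusted RFC destination pointing at the hub client.
    CONSTANTS lc_hub TYPE rfcdest VALUE 'HUB_TRUSTED_RFC'.
    DATA: lt_hub TYPE bapiret2_t,
          lt_del TYPE bapiret2_t,
          lv_msg TYPE c LENGTH 220.

    " 1) Create the user in the current backend client.
    CALL FUNCTION 'BAPI_USER_CREATE1'
      EXPORTING username = iv_user   logondata = is_logon
                password = is_pwd    address   = is_address
      TABLES    return   = rt_return.
    LOOP AT rt_return TRANSPORTING NO FIELDS WHERE type CA 'EA'.
      RETURN.                        " backend failed: nothing to replicate
    ENDLOOP.

    " 2) Create the same user name in the hub over the trusted RFC.
    CALL FUNCTION 'BAPI_USER_CREATE1' DESTINATION lc_hub
      EXPORTING username = iv_user   logondata = is_logon
                password = is_pwd    address   = is_address
      TABLES    return   = lt_hub
      EXCEPTIONS system_failure        = 1 MESSAGE lv_msg
                 communication_failure = 2 MESSAGE lv_msg
                 OTHERS                = 3.
    IF sy-subrc <> 0.                " RFC itself failed: record it as an error
      APPEND VALUE #( type = 'E' message = lv_msg ) TO lt_hub.
    ENDIF.
    APPEND LINES OF lt_hub TO rt_return.

    " 3) Assumed policy: if the hub rejected the user, undo the backend create.
    LOOP AT lt_hub TRANSPORTING NO FIELDS WHERE type CA 'EA'.
      CALL FUNCTION 'BAPI_USER_DELETE'
        EXPORTING username = iv_user
        TABLES    return   = lt_del.
      APPEND LINES OF lt_del TO rt_return.
      EXIT.
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.
```

The returned `bapiret2_t` table carries the messages of both systems, so the calling DPC_EXT method can report to the admin which side failed.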

Karthik_Gali
Participant
0 Kudos

Thanks Andre for the detailed explanation.

Initially, we had the plan to use the enhancement options of the standard user management capabilities (SU01) of the Front end system and implement the same logic which you suggested to use in 'DPC_EXT in the backend' to create users in the Backend. We planned to offer the web GUI of SU01 from FIORI LPD.

If I understood correctly, your solution requires a custom UI to be developed for user management. We would like to go for this option after we learn and analyse the concrete and exact functionalities (add roles, generate auth profile etc.) of SU01 the end user might require, and later come up with the FIORI application version of SU01/02/03.

Thanks again.

Regards,

Karthik

Answers (1)


Andre_Fischer
Product and Topic Expert
0 Kudos

Hi Karthik,

SAP Gateway uses the standard user management capabilities of the SAP AS ABAP.

You have already mentioned the options offered by SAP that you have to replicate users from one SAP ABAP system to another SAP ABAP system, namely CUA or SAP Identity Management.

If, as you wrote, your "user creation and landscape requirements are quite unique" so that they (as you claim) cannot be covered by the SAP standard tooling, I don't understand why you expect to have another process in place that would cover these?

I would recommend to check whether it is really not possible to use either SAP CUA or SAP Identity Management before looking into custom development.

Regards,

Andre

Karthik_Gali
Participant

Thanks Andre for your quick reply, I really appreciate it.

As per our requirements, the end user (customer-side user admin) is allowed to create their organisation's users using SU01. Our landscape is based on one system with multiple customers, each with their own client. In this scenario, if the end users have access to the CUA, it is difficult to control and ensure that the end user will create users only in their clients and not in other clients.

To the best of my knowledge, the end users can create users in all the clients available in the CUA interface; this again requires custom development to filter the clients.

The other reason why CUA does not fit our requirements is that all the business applications are accessed using a single point of access (FIORI LPD URL) and not with SAP GUI; you can call it a cloud solution. Now, using CUA adds an additional point of access, which is not in line with our strategy.

At the moment, the user needs to manually create the same user in both the Front End and the Backend system. Therefore, I was looking for any standard replication alternative before we think about custom development.

Do you still see any alternatives apart from custom development?

Thank you.