
Need guidance on how to connect CUA with SAP IdM

May 15, 2017 at 04:42 PM


Dear sap experts,

Is there any material or document available on how to connect CUA to SAP IdM? We have a requirement to connect CUA to SAP IdM, where provisioning will happen from CUA.

Regards, DP


3 Answers

Matt Pollicove May 16, 2017 at 12:44 AM

DP,

CUA should never be connected to IDM unless it's a case of IDM taking over for CUA. I think one of the landscape documents talks about this scenario.

CUA is no longer an active or supported product. SAP recommends using IdM only.

Please PM me for more information.

Thanks


Hello Matt,

Thank you for your response. Currently a few systems are connected to the IdM and a few are connected to CUA. In future the CUA systems would be connected to IdM, and this would take time. In the meantime we have received a requirement that if any user has not logged in for 90 days, we need to revoke their access. If systems are connected to CUA, then how do we proceed? As part of the license activity we want to implement this automation. For IdM-connected systems, we believe it would be easy.

Regards,

DP


DP,

Not aware of any use case for that scenario. Sorry.

Matt


About how many systems still connected to CUA are we talking about here? Adding SAP systems to IdM is one of the easier tasks IMO. It would make more sense to start shifting those to IdM now, one after the other, instead of implementing a complicated workaround that could generate more issues.


Regards,

Steffi.


Yes Steffi,

We have already provided the roadmap, and we are working on it. In the meantime I have seen a constant in the repository, CUA_MASTER, and wondered whether provisioning can happen via CUA.

Is there any possibility to connect CUA only to read the data? If yes, then how do we get the info on the systems assigned to the users?

Regards,

Deva

Santi Obejero May 17, 2017 at 01:24 AM

Hi DP,

You need to pick a centralized repository of your identities, between IdM and CUA; it is part of the setup steps to disconnect systems from CUA before connecting them to IdM. I am not sure about the licensing conflict you have described in your question. You would want to ask your client which is their priority in using. All I can think of is that you use IdM to provision non-ABAP systems as well as non-SAP ones, and you now use your CUA as the provisioning tool for ABAP systems. With this setup you will defeat the purpose of IdM being the centralized repository of all of your organization's identities.

For the 90-day requirement, you may want to create an ABAP program to fulfil the requirement and have it run. I am not sure if there is an SAP standard program that does that, but you may want to check the Security page in SCN.

Hope this helps.

Thanks,

Santi


Oh no, not that "90 days stuff" again. We had this requirement, too. In simple words we did this:

  • Use the ABAP program which retrieves the logged-on state. I've forgotten its name though.
  • Write your own program which contacts ALL systems for each user and gathers up their states. Ensure that ALL are connected correctly!
  • Write the result into an IdM table using PI.
  • Check the state of the identity vs. the delivered data in an IdM batch job.
  • Lock the user in CUA and remove all roles.

However, don't lock them immediately, as this messed up quite a few users which shouldn't have been locked. We tested it in dev, and it worked. After transporting to prod, some connections were missing -> too many users were locked and stripped of their roles.

This job now runs automatically and locks around 2-10 users each month, which seems like a healthy number to me. I've added several exceptions like:

  • Don't lock anyone twice
  • Leave out already locked
  • Leave out Sales field staff as they only look into SAP every half a year or so
  • 100 instead of 90 days.
  • Don't do anything if roles from one of our two GRC systems are present
  • No one from IT
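The batch-job check described above, as an added example in plain JavaScript (SAP IdM scripts are JavaScript, but this runs stand-alone in Node); it is not the commenter's code. All system names, field names, role prefixes and identity records are constructed. The point it adds is the failure mode the commenter hit: a user is locked only when every expected system actually delivered data for them.

```javascript
// Added example, not the commenter's code. Constructed data and names throughout.
const INACTIVITY_DAYS = 100;                                        // raised from 90 to 100, as in the post
const EXPECTED_SYSTEMS = ["PRDCLNT100", "HCMCLNT200", "BWPCLNT300"]; // every CUA child must report
const EXEMPT_DEPARTMENTS = new Set(["SALES_FIELD", "IT"]);           // sales field staff and IT are left out
const GRC_ROLE_PREFIX = "GRC:";                                     // assumption: GRC roles recognisable by prefix
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed records as the job would read them from the IdM table filled via PI.
// lastLogon: system -> ISO date of last logon, or null if the user never logged on there.
// A system absent from lastLogon means that connection delivered nothing for this run.
const identities = [
  { user: "ACTIVE1",   dept: "FIN", locked: false, lockedByJob: false, roles: ["Z_FI_DISPLAY"],
    lastLogon: { PRDCLNT100: "2017-03-01", HCMCLNT200: "2017-05-10", BWPCLNT300: null } },
  { user: "DORMANT1",  dept: "FIN", locked: false, lockedByJob: false, roles: ["Z_FI_DISPLAY"],
    lastLogon: { PRDCLNT100: "2016-12-01", HCMCLNT200: "2017-01-15", BWPCLNT300: null } },
  { user: "NOFEED1",   dept: "FIN", locked: false, lockedByJob: false, roles: [],
    lastLogon: { PRDCLNT100: "2016-12-01", HCMCLNT200: "2017-01-15" } },      // BWPCLNT300 missing
  { user: "SALES1",    dept: "SALES_FIELD", locked: false, lockedByJob: false, roles: [],
    lastLogon: { PRDCLNT100: "2016-11-01", HCMCLNT200: null, BWPCLNT300: null } },
  { user: "GRCADMIN1", dept: "FIN", locked: false, lockedByJob: false, roles: ["GRC:RISK_OWNER"],
    lastLogon: { PRDCLNT100: "2016-11-01", HCMCLNT200: null, BWPCLNT300: null } },
  { user: "OLDLOCK1",  dept: "FIN", locked: false, lockedByJob: true, roles: [],
    lastLogon: { PRDCLNT100: "2016-11-01", HCMCLNT200: null, BWPCLNT300: null } },
];

// Decide for one identity. Returns { lock, reason } so a run can be reviewed before anything is changed.
function evaluateIdentity(id, today) {
  if (id.locked)      return { lock: false, reason: "already locked" };
  if (id.lockedByJob) return { lock: false, reason: "locked by this job before" };   // never lock twice
  if (EXEMPT_DEPARTMENTS.has(id.dept)) return { lock: false, reason: "exempt department " + id.dept };
  if (id.roles.some(r => r.startsWith(GRC_ROLE_PREFIX))) return { lock: false, reason: "GRC role present" };
  // Incomplete feed: a missing connection must not look like inactivity.
  const missing = EXPECTED_SYSTEMS.filter(s => !(s in id.lastLogon));
  if (missing.length) return { lock: false, reason: "no data from " + missing.join(",") };
  const dates = EXPECTED_SYSTEMS.map(s => id.lastLogon[s]).filter(Boolean).map(d => Date.parse(d));
  if (!dates.length) return { lock: false, reason: "never logged on anywhere" };     // handled conservatively
  const idleDays = Math.floor((today - Math.max(...dates)) / DAY_MS);               // latest logon across ALL systems
  return idleDays > INACTIVITY_DAYS
    ? { lock: true,  reason: "idle " + idleDays + " days" }
    : { lock: false, reason: "active " + idleDays + " days ago" };
}

// Run the check over all identities; returns only the users the job would lock and strip of roles.
function usersToLock(ids, today) {
  return ids.filter(id => evaluateIdentity(id, today).lock).map(id => id.user);
}
```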
Deva Prakash B May 22, 2017 at 04:22 AM

Dear Experts,

How can we read data from the CUA system, for example in order to get the systems assigned to the users?

Regards,

DP


I treat the CUA as "just another" SAP ABAP system. Some differences:

  • The CUA_MASTER repository constant has to be TRUE
  • Provisioning of license data doesn't work at all
  • The roles have to be prefixed. For examples, see the roleAssign table which the initial load job delivers

I'm quite thankful that we're still using CUA with our 140 clients. There are downsides indeed, but well... I don't have one or two years' time to strip each system out of the CUA by. My best estimate is half a year, but I doubt it could even be done in one. If we were to hire someone new, even with SAP IdM knowledge, I'd say two years at least.
