
Need guidance on how to connect CUA with SAP IDM

Dear SAP experts,

Is there any material or document available on how to connect CUA to SAP IDM? We have a requirement to connect CUA to SAP IDM, where provisioning will happen from CUA.

Regards, DP


3 Answers

  • May 16, 2017 at 12:44 AM


    CUA should never be connected to IDM unless it's a case of IDM taking over for CUA. I think one of the landscape documents talks about this scenario.

    CUA is no longer an active or supported product. SAP recommends using IDM only.

    Please PM me for more information.



    • Yes Steffi,

      We have already provided the road map, and we are working on it. In the meantime I have seen a constant in the repository, CUA_MASTER, and thought whether provisioning can happen via CUA.

      Is there any possibility to connect CUA only to read the data? If yes, then how to get the info on the systems assigned to the users?



  • May 17, 2017 at 01:24 AM

    Hi DP,

    You need to pick a centralized repository of your identities between IDM and CUA; it is part of the setup steps to disconnect systems from CUA before connecting them to IDM. I am not sure of the licensing conflict you have described in your question. You would want to ask your client which is their priority to use; all I can think of is that you use IDM to provision on non-ABAP systems as well as non-SAP. You now use your CUA as the provisioning tool for ABAP systems. With this setup you will defeat the purpose of IDM being the centralized repository of all of your organization's identities.

    For the requirement of 90 days, you may want to create an ABAP program to satisfy the requirement and have it run. I am not sure if we have an SAP standard program that does that, but you may want to check on the Security page in SCN.

    Hope this helps.




    • Oh no, not that "90 days stuff" again. We had this requirement, too. In simple words we did this:

      • Use the ABAP program which retrieves the logged on state. Forgotten its name though.
      • Write your own program which contacts ALL systems for each user and gathers up their states. Ensure that ALL are connected correctly!
      • Write the result using PI into an IdM table
      • Check the state of the identity vs. the delivered data in an IdM batch job
      • Lock the user in CUA and remove all roles

      However, don't lock them immediately, as this messed up quite a few users who shouldn't have been locked. We tested it in dev and it worked. After transporting to prod, some connections were missing. -> Too many users were locked and stripped of their roles.

      This job now runs automatically which locks around 2-10 users each month which seems like a healthy number to me. I've added several exceptions like:

      • Don't lock anyone twice
      • Leave out already locked
      • Leave out Sales field staff as they only look into SAP every half a year or so
      • 100 instead of 90 days.
      • Don't do anything if roles from one of our two GRC systems are present
      • No one from IT
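
The selection step of the inactivity job described in the comment above, as an added example (not code from the thread or from SAP): it refuses to pick anyone when a system delivered no logon data, which is the failure that over-locked users in production. The field names, group labels, system IDs and the per-run cap are assumptions.

```python
from datetime import date

THRESHOLD_DAYS = 100                       # the comment uses 100 rather than 90 days
EXEMPT_GROUPS = {"IT", "SALES_FIELD"}      # hypothetical group labels
MAX_LOCKS_PER_RUN = 25                     # assumed sanity cap, not from the post

def select_users_to_lock(users, last_logon, expected_systems, today):
    """Return user IDs to lock; refuse to decide on incomplete data.

    users:      {user_id: {"group", "locked", "locked_before", "grc_roles"}}
    last_logon: {system_id: {user_id: date}} as collected from each system
    """
    # A system that did not report looks exactly like "nobody logged on there".
    missing = sorted(set(expected_systems) - set(last_logon))
    if missing:
        raise RuntimeError(f"no logon data from: {', '.join(missing)}")
    candidates = []
    for uid, attrs in users.items():
        if attrs["locked"] or attrs["locked_before"]:
            continue                       # already locked / never lock twice
        if attrs["group"] in EXEMPT_GROUPS or attrs["grc_roles"]:
            continue                       # exceptions listed in the comment
        seen = [last_logon[s][uid] for s in expected_systems if uid in last_logon[s]]
        # Assumption: a user with no logon on any system counts as inactive.
        if not seen or (today - max(seen)).days > THRESHOLD_DAYS:
            candidates.append(uid)
    if len(candidates) > MAX_LOCKS_PER_RUN:
        raise RuntimeError(f"{len(candidates)} candidates exceeds cap; review manually")
    return sorted(candidates)

# Constructed sample data.
SYSTEMS = ["PRD100", "PRD200"]
USERS = {
    "ALICE": {"group": "FINANCE", "locked": False, "locked_before": False, "grc_roles": False},
    "BOB":   {"group": "FINANCE", "locked": False, "locked_before": False, "grc_roles": False},
    "CAROL": {"group": "IT",      "locked": False, "locked_before": False, "grc_roles": False},
    "DAVE":  {"group": "FINANCE", "locked": False, "locked_before": False, "grc_roles": True},
}
LOGONS = {
    "PRD100": {"ALICE": date(2017, 1, 5), "BOB": date(2016, 11, 1)},
    "PRD200": {"BOB": date(2017, 5, 2), "CAROL": date(2016, 1, 1)},
}

if __name__ == "__main__":
    print(select_users_to_lock(USERS, LOGONS, SYSTEMS, date(2017, 5, 22)))
```

If PRD200 is silently dropped from both the data and the expected list, BOB's latest visible logon becomes November 2016 and he is selected as well, so the expected-system list should come from the landscape inventory and not from whichever connections answered.
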
  • May 22, 2017 at 04:22 AM

    Dear Experts,

    How to read data from the CUA system, like in order to get the systems assigned to the users?




    • I treat the CUA as "just another" SAP ABAP system. Some differences:

      • CUA MASTER repository constant has to be TRUE
      • Provisioning of license data doesn't work at all
      • The roles have to be prefixed. For examples see the roleAssign table which the initial load job delivers

      I'm quite thankful that we're still using CUA with our 140 clients. There are downsides indeed, but well... I don't have one or two years time of stripping each system out of the CUA by. My best estimate is half a year, but I doubt it could even be done in one. If we would hire someone new even with SAP IdM knowledge I'd say two years at least.