Former Member

Centralized User Authorization

Hi

I wanted some help to implement CUA.

Needed some guidelines on how to go about it.

Please Help

Thanks

Nidhi


12 Answers

  • Best Answer
    Former Member
    Jan 14, 2008 at 09:04 PM

    From a high level you need to start with a design.

    If you are using HR base position with structural authorization you need to make the ECC 6.0 system the parent, not Solution Manager [I will debate this to no end, based on my experience and current production system in place]. If you are using Portal, you have to decide on the UME, usually the parent CUA.

    Tcodes you need to be familiar with:

    SU01 - make sure CUA parent and client accounts are on all systems. Generate delivered CUA roles and assign to parent and child accounts.

    SM59 - create RFC connections - this is client independent

    SCUA - create CUA in master client and define child system

    BD64 - generate partner profile

    SCUM - set global CUA settings

    SCUG - user clean up.

    BDLS - new RFC connection

    Whoever pointed out 7-8 hours is not far off. This is a project for somebody that has at least an intermediate-to-expert level of security experience.

    Good Luck!

  • Former Member
    Jan 15, 2008 at 02:31 AM

    To what John had said... here is my promised note!

    Hi Folks, As promised…

    Why CUA:

    It reduces the maintenance that otherwise faces the security administrator. For example, if a user is changed in one client, then this user will need to be changed in all other clients. From this sentence we can build the fundamentals of CUA.

    In CUA, we change only in one client and the changes are then effective “everywhere”! How does this take place? Well, one of the clients in the landscape is maintained as the “sender”; this holds the complete authorizations for the landscape. The “other” clients naturally are termed the “receiving” systems.

    Now we talked about sending and receiving systems; what's now absent is the connection, for which we need “ALE” (Application Link Enable).

    Now to have an ALE, we need to have an admin user (system user), which can be created by SU01. This needs to be repeated for all the systems in the CUA.

    Now that we have created the users for all the systems, we now need to “Name the Systems in Landscape”: Tcode SALE (easy to remember, ALE becomes SALE!!)

    2. In this Tx, when you expand the nodes you will find “naming the logical systems”; execute that... follow the screens (and your gut feel, and of course SDN if you are in doubt!)

    Now we have named the logical systems, after which you need to ASSIGN the logical systems. How is this done? Below the node “Name logical systems” you will find “assign logical systems”; follow that!

    Now we need to define the RFC connection. How is that done? Go to the node below the one “Assign ..”; you will see “System Network”; expand, do the needful!

    Now there are a few more points... generating the partner profiles? Distributing the view.

    Now log on to the central system and execute the tcode SCUA... follow the screen and prompts!

    I guess I have given you a fairly OK idea on CUA!! Thanks

  • Former Member
    Jan 15, 2008 at 09:51 AM

    Hi

    Thanks for these guidelines. I will start implementing CUA based on these guidelines. I will get back on this thread wherever I am stuck, or else I will be back to let you people know that I have done it and give points.

    • Former Member

      What you have read is just one part of the CUA. There are a few others again. I have posted the ALE part only in detail, as when you complete that we can get into SCUA in detail.

  • Former Member
    Jan 16, 2008 at 11:25 AM

    Hi,

    You can find good procedural documentation on the sites below:

    www.sapsecurityonline.com

    http://sapbasisnotes.blogspot.com/2007/11/central-user-administration.html

  • Former Member
    Jan 22, 2008 at 10:08 AM

    Hi, I am back... things about the users are working fine now.

    YES, IT WAS A PROBLEM WITH RFC.

    Thanks for all the support... now I have some doubts.

    1. While transferring users from child (336 server) to central (236 server) through SCUG, the message popped up saying not all the users have been transferred.

    Is something still missing while transferring, or do I have to do some setting in 336?

    2. Can I maintain child-server-specific roles from the central system? I will not have access to PFCG on any child server and still can create or maintain roles.

  • Former Member
    Jan 22, 2008 at 10:56 AM

    Hi Nidhi,

    In order to perform the user and role admin tasks centrally, CUA is used. Therefore, you cannot maintain the roles or users once the CUA is configured. You can do the user and role admin through the parent client to which all the child systems are connected.

    You can only reset the password of the users in specific child system.

  • Former Member
    Jan 14, 2008 at 05:21 PM

    Hi.

    If you can give me some time, I can give you a vivid description, say another 7 - 8 hrs! In the meantime you can browse the posts here.

    Thanks

  • Former Member
    Jan 16, 2008 at 11:18 AM

    I just needed to know that.

    1. I have 3 servers here for HR (Dev, Quality & Prod)

    2. I have 3 servers here for Erec (Dev, Quality & Prod)

    Can I have my CUA active on the development server in HR and control all the servers through the dev HR server, including the dev HR server's authorization?

    Or do I need to get a new server for CUA and get all the servers connected to it?

  • Former Member
    Jan 21, 2008 at 05:53 AM

    Hi

    I am back; I tried doing something with the help of you guys and some notes.

    I was able to find the user IDs of server 336 in server 236, which is CUA.

    I attached the roles to the user ID from server 336 but it does not work.

    I don't know where I have gone wrong. Is there any idea what all I would have missed out?

    Please help me.
