Skip to Content
avatar image
Former Member

CUA Implemention scenario...

Hello All,

We are about to implement a CUA in landscape..

There are two scenarios that are currently in focuss..

Scenario 1: To have DEVELOPMENT CLIENT act as CUA for clients of all systems in the landscape.

Scenario 2: To have DEV CLIENT as CUA for clients of all Developement systems , QA client as CUA for clients of all QA systems and PRD CLIENT as CUA for clients of all Production systems .

Please let me know the pros/cons of having either of scenarios for the landscape.

Regards,

Ajit

Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

4 Answers

  • Best Answer
    avatar image
    Former Member
    Oct 26, 2009 at 09:42 AM

    Also I wont prefer option 1 when number of systems in entire landscape is large.

    Better to have a separate CUA for each environ.

    We preferred this in our security implementation.

    Though separate CUAs are configured, it would be not be much tough to maintain them. Instead of combining your DEV, QA and PROD systems in one CUA better go for separate CUAs.

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      >

      > Also I wont prefer option 1 when number of systems in entire landscape is large.

      >

      > Better to have a separate CUA for each environ.

      >

      > We preferred this in our security implementation.

      >

      > Though separate CUAs are configured, it would be not be much tough to maintain them. Instead of combining your DEV, QA and PROD systems in one CUA better go for separate CUAs.

      I vote #2, different CUA for each landscape. Some advantages will be during testing, if a scenario works in a CUA in DEV and QA it should work in PROD.

  • Oct 26, 2009 at 04:28 PM

    Hi,

    As per my knowledge, CUA will simplify the Security admin's job.

    in your case, if you have many SAP system landscapes - more production systems...and large number of users... then set a seperate CUA client for PRD systems. or if there are different bussiness entities, then go for different CUA clients respectively.

    if you setup a CUA client for each environment, means you are minimising the clients you access each time. but the work time/load will not impact as expected benefit from CUA. if you setup single CUA client, the security admin job will be done in a single shot.

    otherwise;

    ->if you have Solution manager, setup CUA client there and integrate with other systems like ECC and BI.

    it will help at the time of license audits and earlywatch checks also.

    ->if you are not using Solution manager then you can use Quality client or Dev client for all your landscapes.

    Note; At the time of new user creation, the CUA system will not create the usermasters in all systems by default. Based on our systems selection, it will create the user masters in respective systems. (Majority users will have only production access).

    To understand the more CUA benifits refer to; CUA Project Propsal Questions

    You can see the CUA Integration doc; http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/8302a929-0501-0010-05b5-d48f544bc572&overridelayout=true

    Hope that helps

    Cheers

    Praveen.

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      It would obviously depend on the number of systems in the landscape. I would tend to keep production separate if you have a complicated solution landscape.

      I would also try wherever possible to consolidate Dev and QA.

      However if it is fairly small and simple, I would consolidate them all for ease of administration.

      If you have a Solution Manager system, that is the ideal place to store a consolidated CUA system as it will already have the required connectivity to all systems in the landscape (hopefully).

      Just remember that whichever system you use as your CUA parent, it needs to be highly available and stable as otherwise you will be continually spending your life playing with the CUA settings trying to break and re-connect it. You can almost guaranttee that it will break just at the time you don't want it to as well!!

  • avatar image
    Former Member
    Oct 26, 2009 at 07:18 AM

    I'd vote against no 1 as that would demand more guaranteed uptime for your DEV system.

    How about a third alternative: Make your QA system CUA for both QA and DEV, and let PRD have their own CUA. One CUA less to maintain and still an acceptable separation from productive and nonproductive systems.

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Oct 26, 2009 at 11:13 PM

    Hello,

    standard scenario for CUA is through SAP Solution Manager (a separate client).

    However, CUA, although still supported, but slowly dying. Is appropriate only for the ABAP stack systems. Became a full-fledged successor SAP NetWeaver Identity Management, which is designed for ABAP and JAVA stack.

    Take care,

    Jiri Vacha

    Add comment
    10|10000 characters needed characters exceeded