Hey thanks a lot for your response...but it was a typo..we have 2000 users.....

2000 users is fine

You can use it in HR though you should have a think about whether you need to depending on how access in provisioned in there (e.g. position based assignment)

>

This strategy (CUA) is dead end. CUA support only ABAP stack and have a problem with mass user modifications through iDocs in large landscape.  

If CUA is a dead end why is it still released and supported (if not developed) by SAP.

There are no problems with mass modifications if you do it correctly

IdM does cool stuff but is not without it's own set of problems

Anitha

As Alex said SAP IDM has own set of issues and CUA also has its own set of issues. CUA has been used for so long by SAP and IDM is the latest one.

It is designed not only to work with SAP systems but also other systems, instances, and applications in a heterogeneous global IT environment.

SAP NetWeaver Identity Management is role-based, so it knows what systems to which each user requires access to do his or her work. If a user changes positions, SAP NetWeaver Identity Management can change access rights accordingly. Administrators set up the roles, and the software synchronizes permissions across different systems and directories.

Where as in CUA we can have the options of role based and user based.

Please consider the facts before you start the implementation of CUA.

Thanks and Regards

Arun R

Hi Shaun,

The question about CUA being phased out was asked at TechEd earlier this week. The SAP guys said that it wasn't being phased out, rather that they were no longer developing it and it would continue to be included in future ABAP stack releases.

Cheers

Alex

That is what I say. CUA is not a vision of the future and addressing the central user administration. In the event that now Anitha decide which product to choose for the central user administration, then I see this as a reasonable choice of SAP IDM.

The fact that the future may use other capabilities of the solution - management in a heterogeneous environment, Reporting&Auditing, Identity Virtualization, Data Synchronization, etc.

Regards,

Jiri Vacha

When you can do a full implementation of IdM into SAP systems in 1/2 a day then it will have a future. At the moment it is overkill for what most companies need or want. Lets face it, things like SSO and hooking up CUA to LDAP is already beyond most companies.

IDM and CUA are not comparable, if you really, really need an IdM product then fair enough. Most companies are not ready for that though and there are plenty of alternatives to SAP IDM which are proven at the enterprise level.

For provisioning into ABAP systems then CUA is much more suitable than IDM is at this stage in it's development. Just because something works and is (finally) stable, does not render it obsolete. The SAP IDM product has (in my opinion) a long way to go before it is a suitable replacement for CUA for provisioning into SAP systems.

Alex,

The vast majority of enterprises running on SAP also uses JAVA stack. CUA is not able to address the central user administration of non-ABAP stack.

I also did not see a requirement that the implementation of solid and stable solutions with a vision for the future should be ready for 1 / 2 day.

Therefore, many customers have already implemented CUA and migrate to SAP IDM, to be able to meet even the central administration of users in ABAP and JAVA stack SAP environment (and consequently non-SAP environment).

Regards,

Jiri

The majority of clients I have worked at do not have Java stack. Those that do usually have very few users in there. That will possibly change in the future at which point it is good to re-evaluate with the best option.

There is a big difference between technology availability and technology adoption, this can be seen at sites all over the world where companies are still investing in the core functionality which allows them to do their job.

The speed of deployment is very much a valid concern. You can set up a reasonably complex CUA landscape in 1/2 a day. Lots of admins & project managers know this and are familiar with this. With another 1/2 days testing you have a reliable, tested, solid and stable solution deployed. How many project managers will approve 2-3 weeks setup of another product which to them offers little benefit over an existing proven solution? This is compounded if you have GRC which will provision into ABAP, EP and with the right connectors, plenty of other ERP's. Potentially,rumoured new licencing models will make it easier to get GRC which will do the job for you and more easily.

Identity management is great in the right context. For provisioning into SAP I don't think it's there yet but we all have our opinions

Deploying JAVA is relevant to business - I have customers (except one, which is the upgrade from release 4.6C) using ABAP and JAVA.

I agree with you regarding the full implementation of SAP IDM and maximum use of available solutions, which are (may be) beneficial to society.

But if I had to implement a central message in the range of functions CUA, then I implemented the same extent SAP IDM - then I have a basis for further development and rapid response to emerging demands.

I also do stand behind it, the CUA often have problems with mass distribution iDocs (iDocs processing of the target system) due to mass modification. But I agree, everything can tune after some time.

Should I install a new CUA?

It depends on the scope of your project and your current stage: You can quickly and easily connect ABAP-based systems to a new CUA. This enables you to manage several thousand users and their individual role assignments.

However, if you require automatic cross-system rule-based access management, workflow support, or connectivity for a heterogeneous system landscape, you should consider using SAP NetWeaver Identity Management.

SAP recommends using SAP NetWeaver Identity Management for any new identity management project. If you are already using CUA and want to use any of the new features of SAP NetWeaver Identity Management, you should plan for a migration path.

Why should I migrate from CUA to SAP NetWeaver Identity Management?

In the past, CUA was SAP's solution for managing users and roles in a typical large ABAP-based SAP system landscape. The solution has significantly reduced the complexity of managing such landscapes compared to a separate user administration in each system.

Moving to the SAP NetWeaver Identity Management component from CUA offers the following advantages:

Supports all relevant systems, including SAP and third-party software

Supports sophisticated business roles definition and management

Provides self-service password resets, reducing the workload for help-desk staff

Enables workflow-based requests for approvals, automating user provisioning in multiple back-end systems

Supports LDAP directories and databases, as well as standards such as SPML

Supports tight integration with SAP Business Suite 7.0

Anitha, please read this informations from SAP portal:

/docs/DOC-8818#section34 [original link is broken]

Your ability to copy and paste sales material from SDN is impressive but still does not address my points around time to deploy and suitability for purpose.

CUA has limitations, as does IDM. The IDOC performance issues you talk about are not relevant if CUA is set up properly. The products do their respective tasks well but using IDM for managing a few SAP systems is like using a sledgehammer to crack a walnut. CUA and CUP have both been developed to provision SAP systems. Maxware->SAP IDM is an enterprise level Identity Management tool and should be used as such.

>

I answered Anitha as a consultant for SAP NW and the man who follows trends and progress. 

The value of consultancy is offering advice that fits the client requirements, not what happens to be fashionable at the time.