cancel
Showing results for 
Search instead for 
Did you mean: 

Using CUA on GRC System-pros and cons

Former Member
0 Kudos

Hi GRC Experts,

I have searched sdn and internet and got some information about GRC AC 10 working with CUA, but not exactly what I am looking for.

My requirement is -

1. CUA is currently in place in landscape on solman,

2. Some of the SU01 activities will be done directly through CUA Master e.g. User creation/ modification in Dev and Test systems, User lock, unlock, password reset, so we want to keep CUA with GRA Access Provisioning.

3. User Creation, Change in Prod systems will be done through ARQ via CUA.

4. We want to move CUA from Solman to GRC box. Reason is that GRC is having failover, but not solman. So in case solman is not available, CUA will not work, but GRC will be running even when primary server is not available.

My query is -

Is is technically possible to configure CUA on GRC box itself? I have read in one of the discussions that it is possible, but want to know if it is correct. Based upon this other queries are -

1. Should we use different clients for GRC and CUA?

2. Is plug-in required on GRC along with GRC add-on? My understanding is yes, but want to know if it is correct.

3. What are the advantage and disadvantage of using CUA on GRC box itself? We have to convince client regarding this.

Waiting for your reply. Thanks,

Sabita

Accepted Solutions (0)

Answers (5)

Answers (5)

Former Member
0 Kudos

Experts :

One quick question on similar lines. GRC and CUA on Same box works BUT my client is looking to have it on same client as well. In my view the ARA, EAM will not have any problems. Can you please confirm if ARM works as well when you have GRC, CUA coexistence on same client.

Thanks

Abhijeeet

GBP
Explorer
0 Kudos

Hi Abhijeet,

We have our GRC and CUA on the same box and same client. Everything is working fine so far and the only thing that we are not using is BRM except whatever is required as part of ARM.

Thanks,

Gautam.

Former Member
0 Kudos

Hi Gautam : Thanks for your reply.

Did you use same connector names for GRC back end systems and CUA child systems.

Did SAP provided any custom code to have this set up working.

If you don't mind can you please share SCUM settings for roles and user defaults.

What did you maintain in GRC SPRO--> USER Provisioning --> Maintain CUA settings.

Thanks

Abhijeet

GBP
Explorer
0 Kudos

Please find the below answers to your questions.

Yes, we did use the same connector names for GRC backend and CUA (RFC connections - SM59) child systems.

No custom code was provided by SAP to make it work and we didn't do any customization.

The SCUM settings for roles tab was Global and for user defaults certain settings were global and some were proposal as we do allow users to change the default settings through SU3 t-code.

You just need to maintain the CUA Global System with one entry and the CUA Model Distribution with the child systems.

I hope this helps.

Thanks,

Gautam.

Former Member
0 Kudos

Thanks Gautam for your reply.

I happen to get the chance to test this and it looks like the connector name for GRC and CUA has to be same. Appreciate your help.

Satellite system having different connector name for GRC application and CUA will not get provisioned. Rather it will not be available in Access Request screen while creating the request.

Now after using same connector names it looks like working.

Thanks

Abhijeet

0 Kudos

I would actually like to understand why anyone wants to stick with CUA if you are using GRC 10.x. Is there some advantage to it that I'm missing? I was looking forward to retiring CUA if we implement GRC here.

Colleen
Advisor
Advisor
0 Kudos

Hi Kevin

the main one I can see is interim measure based on existing security design. If you have CUA composite roles in place the you can provision to the CUA

Also, non production landscape might have some benefits

I would prefer to to decommission CUA. IDOC failure rate can be high and puts extra monitoring in the another system outside of GRC. But I guess it might be something customers can do over time.

Regards

Colleen

Former Member
0 Kudos

Kevin,

We still use CUA for our DEV and Test clients. We do not require the SOD checks and the role approvals  that are configured in the GRC system for provisioning to the PROD clients.  Maybe someday we will move provisioning to DEV and Test clients over to GRC, but honestly, that is not as high on our priority list right now. We are still doing exploitation projects to roll out more GRC functionality and also upgrading to 10.1. Getting rid of CUA is not as important right now.

Gretchen

Former Member
0 Kudos

Hi Sabita,Anthony & Gautam

In GRC Ac 10.0 it is possible to integrate CUA with GRC.There are few steps which needs to be done  for CUA to work properly with GRC.

1.Create RFC Connections between GRC box and CUA box.

2. In the path SPRO-->User Provisioning-->Maintain CUA Settings

     Define  your CUA system under CUA Global System  and all your CUA connected child systems                under CUA Model Distribution.

3.Make sure all your child system are defined in GRC connector settings.

4.Also do the connection mapping for all scenarios.Remember for action 4(Provisioning) only CUA connector should be mapped .

Let me know if this resolves your query.

Regards

Pradeep


GBP
Explorer
0 Kudos

Thanks Pradeep for the input.

Actually we are looking for the scenario where GRC 10 and CUA are on the same box/system.

Thanks,

Gautam.

Former Member
0 Kudos

Gautam,

This is going back a few years, but SAP always used to recommend that your CUA should be on a box that is the newest release, because provisioning errors were seen when CUA was attempting to provision to a system on a higher release.  Now, considering the "uneven quality" of SPs on GRC 10, do you really want to be updating it all that often? We have had our CUA on our SolMan box for some years now, and that has worked out pretty well. The Basis team keeps it up to date, and we use the DEV client for CUA. Just a suggestion based on my experience.

Good luck,

Gretchen

Former Member
0 Kudos

Hi Gautam

Just to add to Gretchen point.It's not a good practice to have CUA and GRC on the same box as the chances of unavailability will increase.But still you want to go ahead  and have them on the same box yes you can different client for CUA and GRC.So now you can have both connectors talking to each other via RFC connection and rest is same.

But I strongly recommend not to have both on the same box.

Hope this helps and answers your question.

Regards

Pradeep

Former Member
0 Kudos

Hello Pradeep,

I have performed the below outlined steps and imported the roles from CUA Child System to GRC. However, when I create an access request I do not see the CUA child system role for selection to provision access in CUA Child system.  Am I missing something here? Please help.

1.Create RFC Connections between GRC box and CUA box.

2. In the path SPRO-->User Provisioning-->Maintain CUA Settings

     Define  your CUA system under CUA Global System  and all your CUA connected child systems                under CUA Model Distribution.

3.Make sure all your child system are defined in GRC connector settings.

4.Also do the connection mapping for all scenarios.Remember for action 4(Provisioning) only CUA connector should be mapped .


Thanks,

Pawan

Former Member
0 Kudos

Hi Pawan

Have you uploaded those CUA roles via CUA Composite roles option without which system won't be able to recognize those roles and if those roles are not Composite only Singles then you while uploading those roles you need to mention the system and Landscape properly and based on that you will be able to see those roles.

Also make sure all those roles which you want to see during creation of Access Request have status marked as 'Production'.

Let me know if it works for you.

Regards

Pradeep

Former Member
0 Kudos

Hi Pradeep,

Thank you for your response.

I have upload the role choosing the below criteria:

Step1: Define Criteria

Role Type: Technical Role

Role Attribute Source: User Input

Role Authorization Source: Backend System

Application Type: SAP

Landscape: SAP ECCS (CUA Child System)

Source System: ECCBOX

Role From: <Role Name>

Step2: Select Role Data

Attribute Selection: User Defined Attributes

Project Release: <proj rel name>

Role Status: Production

BP: <name>

SBP: <name>

Add approvers

Step3: Review

Preview all roles

Step4: Schedule

Foreground


Success Role Imported:1


The above imported does show up in access request if I remove the CUA settings under User Provisioning -> Maintain CUA Settings.


We are GRC 10.1 SP05.

Thanks,

Pawan

Former Member
0 Kudos

Hi Sabita

Did you find a solution for this scenario?  I reached out to SAP and they said that it's possible for CUA to be in same box as GRC but it's not a recommended approach.

Thanks

Anthony

GBP
Explorer
0 Kudos

Hi Sabita,

We are going through the same situation and have the similar questions. I hope you have already found the solution to your questions listed above.

Please let me know for the same.

Thanks,

Gautam.