Skip to Content
author's profile photo Former Member
Former Member

Using CUA on GRC System-pros and cons

Hi GRC Experts,

I have searched sdn and internet and got some information about GRC AC 10 working with CUA, but not exactly what I am looking for.

My requirement is -

1. CUA is currently in place in landscape on solman,

2. Some of the SU01 activities will be done directly through CUA Master e.g. User creation/ modification in Dev and Test systems, User lock, unlock, password reset, so we want to keep CUA with GRA Access Provisioning.

3. User Creation, Change in Prod systems will be done through ARQ via CUA.

4. We want to move CUA from Solman to GRC box. Reason is that GRC is having failover, but not solman. So in case solman is not available, CUA will not work, but GRC will be running even when primary server is not available.

My query is -

Is is technically possible to configure CUA on GRC box itself? I have read in one of the discussions that it is possible, but want to know if it is correct. Based upon this other queries are -

1. Should we use different clients for GRC and CUA?

2. Is plug-in required on GRC along with GRC add-on? My understanding is yes, but want to know if it is correct.

3. What are the advantage and disadvantage of using CUA on GRC box itself? We have to convince client regarding this.

Waiting for your reply. Thanks,


Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

5 Answers

  • author's profile photo Former Member
    Former Member
    Posted on Aug 11, 2016 at 08:33 AM

    Experts :

    One quick question on similar lines. GRC and CUA on Same box works BUT my client is looking to have it on same client as well. In my view the ARA, EAM will not have any problems. Can you please confirm if ARM works as well when you have GRC, CUA coexistence on same client.



    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      Thanks Gautam for your reply.

      I happen to get the chance to test this and it looks like the connector name for GRC and CUA has to be same. Appreciate your help.

      Satellite system having different connector name for GRC application and CUA will not get provisioned. Rather it will not be available in Access Request screen while creating the request.

      Now after using same connector names it looks like working.



  • author's profile photo Former Member
    Former Member
    Posted on Aug 12, 2013 at 10:11 PM

    Hi Sabita,

    We are going through the same situation and have the similar questions. I hope you have already found the solution to your questions listed above.

    Please let me know for the same.



    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Aug 26, 2013 at 02:33 PM

    Hi Sabita

    Did you find a solution for this scenario? I reached out to SAP and they said that it's possible for CUA to be in same box as GRC but it's not a recommended approach.



    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Aug 27, 2013 at 11:16 AM

    Hi Sabita,Anthony & Gautam

    In GRC Ac 10.0 it is possible to integrate CUA with GRC.There are few steps which needs to be done for CUA to work properly with GRC.

    1.Create RFC Connections between GRC box and CUA box.

    2. In the path SPRO-->User Provisioning-->Maintain CUA Settings

    Define your CUA system under CUA Global System and all your CUA connected child systems under CUA Model Distribution.

    3.Make sure all your child system are defined in GRC connector settings.

    4.Also do the connection mapping for all scenarios.Remember for action 4(Provisioning) only CUA connector should be mapped .

    Let me know if this resolves your query.



    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member Pradeep Agarwal

      Hi Pradeep,

      Thank you for your response.

      I have upload the role choosing the below criteria:

      Step1: Define Criteria

      Role Type: Technical Role

      Role Attribute Source: User Input

      Role Authorization Source: Backend System

      Application Type: SAP

      Landscape: SAP ECCS (CUA Child System)

      Source System: ECCBOX

      Role From: <Role Name>

      Step2: Select Role Data

      Attribute Selection: User Defined Attributes

      Project Release: <proj rel name>

      Role Status: Production

      BP: <name>

      SBP: <name>

      Add approvers

      Step3: Review

      Preview all roles

      Step4: Schedule


      Success Role Imported:1

      The above imported does show up in access request if I remove the CUA settings under User Provisioning -> Maintain CUA Settings.

      We are GRC 10.1 SP05.



  • Posted on Jun 14, 2016 at 11:56 PM

    I would actually like to understand why anyone wants to stick with CUA if you are using GRC 10.x. Is there some advantage to it that I'm missing? I was looking forward to retiring CUA if we implement GRC here.

    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member


      We still use CUA for our DEV and Test clients. We do not require the SOD checks and the role approvals that are configured in the GRC system for provisioning to the PROD clients. Maybe someday we will move provisioning to DEV and Test clients over to GRC, but honestly, that is not as high on our priority list right now. We are still doing exploitation projects to roll out more GRC functionality and also upgrading to 10.1. Getting rid of CUA is not as important right now.


Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.