on 11-06-2012 5:20 AM
Hi GRC Experts,
I have searched sdn and internet and got some information about GRC AC 10 working with CUA, but not exactly what I am looking for.
My requirement is -
1. CUA is currently in place in landscape on solman,
2. Some of the SU01 activities will be done directly through CUA Master e.g. User creation/ modification in Dev and Test systems, User lock, unlock, password reset, so we want to keep CUA with GRA Access Provisioning.
3. User Creation, Change in Prod systems will be done through ARQ via CUA.
4. We want to move CUA from Solman to GRC box. Reason is that GRC is having failover, but not solman. So in case solman is not available, CUA will not work, but GRC will be running even when primary server is not available.
My query is -
Is is technically possible to configure CUA on GRC box itself? I have read in one of the discussions that it is possible, but want to know if it is correct. Based upon this other queries are -
1. Should we use different clients for GRC and CUA?
2. Is plug-in required on GRC along with GRC add-on? My understanding is yes, but want to know if it is correct.
3. What are the advantage and disadvantage of using CUA on GRC box itself? We have to convince client regarding this.
Waiting for your reply. Thanks,
Sabita
Experts :
One quick question on similar lines. GRC and CUA on Same box works BUT my client is looking to have it on same client as well. In my view the ARA, EAM will not have any problems. Can you please confirm if ARM works as well when you have GRC, CUA coexistence on same client.
Thanks
Abhijeeet
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Gautam : Thanks for your reply.
Did you use same connector names for GRC back end systems and CUA child systems.
Did SAP provided any custom code to have this set up working.
If you don't mind can you please share SCUM settings for roles and user defaults.
What did you maintain in GRC SPRO--> USER Provisioning --> Maintain CUA settings.
Thanks
Abhijeet
Please find the below answers to your questions.
Yes, we did use the same connector names for GRC backend and CUA (RFC connections - SM59) child systems.
No custom code was provided by SAP to make it work and we didn't do any customization.
The SCUM settings for roles tab was Global and for user defaults certain settings were global and some were proposal as we do allow users to change the default settings through SU3 t-code.
You just need to maintain the CUA Global System with one entry and the CUA Model Distribution with the child systems.
I hope this helps.
Thanks,
Gautam.
Thanks Gautam for your reply.
I happen to get the chance to test this and it looks like the connector name for GRC and CUA has to be same. Appreciate your help.
Satellite system having different connector name for GRC application and CUA will not get provisioned. Rather it will not be available in Access Request screen while creating the request.
Now after using same connector names it looks like working.
Thanks
Abhijeet
I would actually like to understand why anyone wants to stick with CUA if you are using GRC 10.x. Is there some advantage to it that I'm missing? I was looking forward to retiring CUA if we implement GRC here.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Kevin
the main one I can see is interim measure based on existing security design. If you have CUA composite roles in place the you can provision to the CUA
Also, non production landscape might have some benefits
I would prefer to to decommission CUA. IDOC failure rate can be high and puts extra monitoring in the another system outside of GRC. But I guess it might be something customers can do over time.
Regards
Colleen
Kevin,
We still use CUA for our DEV and Test clients. We do not require the SOD checks and the role approvals that are configured in the GRC system for provisioning to the PROD clients. Maybe someday we will move provisioning to DEV and Test clients over to GRC, but honestly, that is not as high on our priority list right now. We are still doing exploitation projects to roll out more GRC functionality and also upgrading to 10.1. Getting rid of CUA is not as important right now.
Gretchen
Hi Sabita,Anthony & Gautam
In GRC Ac 10.0 it is possible to integrate CUA with GRC.There are few steps which needs to be done for CUA to work properly with GRC.
1.Create RFC Connections between GRC box and CUA box.
2. In the path SPRO-->User Provisioning-->Maintain CUA Settings
Define your CUA system under CUA Global System and all your CUA connected child systems under CUA Model Distribution.
3.Make sure all your child system are defined in GRC connector settings.
4.Also do the connection mapping for all scenarios.Remember for action 4(Provisioning) only CUA connector should be mapped .
Let me know if this resolves your query.
Regards
Pradeep
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Gautam,
This is going back a few years, but SAP always used to recommend that your CUA should be on a box that is the newest release, because provisioning errors were seen when CUA was attempting to provision to a system on a higher release. Now, considering the "uneven quality" of SPs on GRC 10, do you really want to be updating it all that often? We have had our CUA on our SolMan box for some years now, and that has worked out pretty well. The Basis team keeps it up to date, and we use the DEV client for CUA. Just a suggestion based on my experience.
Good luck,
Gretchen
Hi Gautam
Just to add to Gretchen point.It's not a good practice to have CUA and GRC on the same box as the chances of unavailability will increase.But still you want to go ahead and have them on the same box yes you can different client for CUA and GRC.So now you can have both connectors talking to each other via RFC connection and rest is same.
But I strongly recommend not to have both on the same box.
Hope this helps and answers your question.
Regards
Pradeep
Hello Pradeep,
I have performed the below outlined steps and imported the roles from CUA Child System to GRC. However, when I create an access request I do not see the CUA child system role for selection to provision access in CUA Child system. Am I missing something here? Please help.
1.Create RFC Connections between GRC box and CUA box.
2. In the path SPRO-->User Provisioning-->Maintain CUA Settings
Define your CUA system under CUA Global System and all your CUA connected child systems under CUA Model Distribution.
3.Make sure all your child system are defined in GRC connector settings.
4.Also do the connection mapping for all scenarios.Remember for action 4(Provisioning) only CUA connector should be mapped .
Thanks,
Pawan
Hi Pawan
Have you uploaded those CUA roles via CUA Composite roles option without which system won't be able to recognize those roles and if those roles are not Composite only Singles then you while uploading those roles you need to mention the system and Landscape properly and based on that you will be able to see those roles.
Also make sure all those roles which you want to see during creation of Access Request have status marked as 'Production'.
Let me know if it works for you.
Regards
Pradeep
Hi Pradeep,
Thank you for your response.
I have upload the role choosing the below criteria:
Step1: Define Criteria
Role Type: Technical Role
Role Attribute Source: User Input
Role Authorization Source: Backend System
Application Type: SAP
Landscape: SAP ECCS (CUA Child System)
Source System: ECCBOX
Role From: <Role Name>
Step2: Select Role Data
Attribute Selection: User Defined Attributes
Project Release: <proj rel name>
Role Status: Production
BP: <name>
SBP: <name>
Add approvers
Step3: Review
Preview all roles
Step4: Schedule
Foreground
Success Role Imported:1
The above imported does show up in access request if I remove the CUA settings under User Provisioning -> Maintain CUA Settings.
We are GRC 10.1 SP05.
Thanks,
Pawan
Hi Sabita
Did you find a solution for this scenario? I reached out to SAP and they said that it's possible for CUA to be in same box as GRC but it's not a recommended approach.
Thanks
Anthony
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Sabita,
We are going through the same situation and have the similar questions. I hope you have already found the solution to your questions listed above.
Please let me know for the same.
Thanks,
Gautam.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.