What is Central User Administration, and what can I do with it?
Central User Administration (CUA) consists of one central system where you maintain user master records, and any number of child systems to which changes in the data are distributed automatically. This gives you an overview in the central system of all user data in the entire system landscape.
CUA data is distributed asynchronously between the application systems in an Application Link Enabling (ALE) environment. The central system is linked to each child system in both directions; the child systems are not linked to one another. If a child system is down when data is distributed, ALE retries at regular intervals until the IDocs have been delivered successfully. You can also trigger the sending of IDocs manually.
For users, you can do the following centrally:
- Create, lock, change, assign roles, assign profiles
- Set, field by field, in which systems the attributes of a user may be changed
Users are distributed via ALE. Passwords are not distributed: from the central system you can only reset a user's password to an initial value, which is then sent to the child systems. Any other password change is made locally in the child system and is not passed on.
Authorization data (roles and profiles, and the authorization objects and fields they contain) resides locally in each child system, not in the central system. Therefore, before you assign roles and profiles centrally, they have to be created and tested in the development systems and transported to the production systems. You then assign them to users per logical system.
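The behaviour described above (a star topology in which IDocs for a child that is down are retried later, fields that may be maintained only centrally, passwords that can be reset centrally but are never distributed, and roles that are assigned per logical system and must already exist there) can be modelled in a few lines. The following Python is an added example written for this page; it is not SAP code and does not talk to an SAP system. The logical system names, the user and role names, the field names and the two-value distribution attribute ("global"/"local") are assumptions of the model, not SAP identifiers.

```python
from dataclasses import dataclass, field

# Simplified SCUM-style distribution parameters: which system may change a field.
# Only two attributes are modelled: "global" (central system only, distributed to
# the children) and "local" (child system only, never distributed). Assumed values.
DIST_PARAMS = {"lock": "global", "address": "local"}


@dataclass
class ChildSystem:
    name: str                                  # logical system name (assumed)
    up: bool = True                            # False simulates an unreachable child
    roles: set = field(default_factory=set)    # roles that exist in this child
    users: dict = field(default_factory=dict)  # user id -> local user master record

    def apply(self, idoc):
        """Apply one inbound IDoc sent by the central system."""
        rec = self.users.setdefault(idoc["user"], {"roles": set(), "password": None,
                                                   "password_initial": False})
        if idoc["kind"] == "user":
            rec.update(idoc["fields"])
        elif idoc["kind"] == "role":
            rec["roles"].add(idoc["role"])
        elif idoc["kind"] == "password_reset":
            # Only an initial password arrives; the user must change it at first logon.
            rec["password"] = idoc["initial_password"]
            rec["password_initial"] = True

    def change_field_locally(self, user, name, value):
        """A local administrator edits a field; globally maintained fields are rejected."""
        if DIST_PARAMS.get(name) == "global":
            raise PermissionError(f"{name} is maintained only in the central system")
        self.users[user][name] = value

    def change_password_locally(self, user, new_password):
        """Password changes happen in the child only; nothing flows back to central."""
        self.users[user]["password"] = new_password
        self.users[user]["password_initial"] = False


class CentralSystem:
    def __init__(self):
        self.children = {}  # logical system -> ChildSystem; children never talk to each other
        self.users = {}     # user id -> central record; deliberately holds no password
        self.outbox = []    # (child name, idoc) pairs awaiting successful delivery

    def add_child(self, child):
        self.children[child.name] = child

    def maintain_user(self, user, **fields):
        """Create or change a user centrally; the change is queued for every child."""
        self.users.setdefault(user, {"roles": {}})
        self.users[user].update(fields)
        for name in self.children:
            self.outbox.append((name, {"kind": "user", "user": user, "fields": dict(fields)}))

    def assign_role(self, user, system, role):
        """Roles are assigned per logical system and must already exist there."""
        if role not in self.children[system].roles:
            raise KeyError(f"role {role} has not been transported to {system}")
        self.users[user]["roles"].setdefault(system, set()).add(role)
        self.outbox.append((system, {"kind": "role", "user": user, "role": role}))

    def reset_password(self, user, initial_password):
        """The only password operation available centrally: reset to an initial value."""
        for name in self.children:
            self.outbox.append((name, {"kind": "password_reset", "user": user,
                                       "initial_password": initial_password}))

    def distribute(self):
        """Deliver queued IDocs. IDocs for a child that is down stay queued for a retry."""
        pending = []
        for name, idoc in self.outbox:
            if self.children[name].up:
                self.children[name].apply(idoc)
            else:
                pending.append((name, idoc))
        self.outbox = pending
        return len(pending)


def demo():
    """Constructed scenario: two child systems, one of them down at the first distribution."""
    central = CentralSystem()
    erp = ChildSystem("ERPCLNT100", roles={"Z_FI_CLERK"})
    bw = ChildSystem("BWCLNT200", roles={"Z_BW_REPORT"}, up=False)
    central.add_child(erp)
    central.add_child(bw)
    central.maintain_user("JDOE", lock=False, address="Finance")
    central.assign_role("JDOE", "ERPCLNT100", "Z_FI_CLERK")   # role exists only in ERP
    central.reset_password("JDOE", "Init-1234")
    left = central.distribute()          # BW is down: its two IDocs stay queued
    bw.up = True
    left_after_retry = central.distribute()
    erp.change_password_locally("JDOE", "local-only-secret")
    return central, erp, bw, left, left_after_retry
```

Call demo() to run the constructed scenario: the first distribute() leaves the two IDocs addressed to the unreachable BW system queued and the second run delivers them. Two points worth checking afterwards are that the central record never acquires a password (only the child systems hold one, and the local change is not propagated back), and that a child-system administrator's attempt to change a field marked global is rejected, which is exactly the control CUA's distribution parameters give the central administrator.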
Central User Administration is a standard part of SAP user management. It first became available with R/3 Release 4.5, but SAP recommends that you implement Basis Release 4.6C or higher for the central system. Child systems from R/3 Release 4.5 up to Web Application Server Release 6.20 can connect to the CUA by means of Application Link Enabling (ALE). You can integrate systems with different releases; for example, you can have the CUA running under 4.6C with one child system running under 4.5B and another under 6.20. However, SAP recommends that the central system in any given configuration has the highest release.
Can the users on systems with SAP R/3 4.0 and lower be administered with Central User Administration on SAP R/3 4.5 and higher?
No.
The system gives you a reasonable degree of flexibility about where you maintain roles. If you use this feature to assign roles to objects in the organizational structure (positions, users, and so on), bear in mind the target systems and where you want to maintain the assignment to the organizational structure.
Setting up a CUA system does not provide any form of single sign-on functionality. For information on single sign-on using SAP Logon Tickets, see the documentation in the SAP Help Portal under mySAP Technology Components -> SAP Web Application Server -> Security -> SAP Web Application Server Security -> User Authentication.
To set up a CUA, you use the migration tool provided (transaction SCUG) to migrate existing local users. At present, users' company addresses have to be synchronized manually; see SAP Note 439122. As soon as an automatic synchronization function for company addresses is complete, it will be made available for all releases of CUA.
SAP recommends that you run the CUA in one client of a standalone Web Application Server. This configuration has two benefits: Basis-only upgrades are possible, which gives you access to new functions quickly, and it is easier to apply patches.
How can I link indirect role assignment using organizational management in HR with central user administration?
There are two scenarios in which you can successfully use HR Organizational Management and Central User Administration together:
- HR-Org in the child systems of the CUA, and local role assignment: Both direct role assignment (transactions SU01, SU10, and so on) and assignment via the HR organizational structure are performed locally. You need to set the switch in transaction SCUM of the central system to local role assignment.
- HR-Org in the central CUA system, and global role assignment: Both direct and indirect role assignment are performed only in the central system. To do this, the HR organizational model has to be migrated from the HR system to the central system (for notes on how to do this, see the CUA documentation). In this scenario, single roles for a specific target system cannot be assigned via the HR organizational structure. You can, however, assign collective roles that consist of single roles for specific target systems.
You can no longer create Internet users in transaction SU05. You now create reference users in transaction SU01 with the appropriate user type. However, you can use transaction HRUSER to create Employee Self Service users.
The mySAP Enterprise Portal uses CUA to integrate with user management information defined in existing SAP systems. CUA enables administrators to store all SAP user data in a central system that can be synchronized with the corporate LDAP directory. This synchronization functionality is available in Web Application Server 6.10 and above.
There is a development planned for WebAS releases higher than 6.30 to use the CUA to distribute the user classification required by the system measurement tools, including the License Administration Workbench (LAW). To use this functionality, you will need a WebAS release higher than 6.30 for the central system and WebAS 6.20 plus the relevant support package for the child systems. In general, you can run the LAW and the CUA in the same central system, but the two do not communicate directly. The CUA itself carries out no license measurement, because the LAW requires more information than the CUA can provide, for example about engines (an engine is a chargeable software component that is not calculated exclusively per user).
You can find the complete documentation in the SAP Help Portal (http://help.sap.com) under mySAP Technology Components -> SAP Web Application Server -> Security -> Users and Roles. Of particular interest for integration with HR Organizational Management is Users and Roles -> Role Maintenance -> Indirect Role Assignment Using HR-ORG.
There is an SAPTutor and a cookbook on CUA available at http://service.sap.com/security, under Security in Detail -> Identity Management. If you are experiencing difficulties with CUA, see the composite SAP Note 159885. If you have any questions regarding CUA or other security issues, feel free to contact the SAP Security Team at security@sap.com.