Central User Administration (CUA) Configuration
The following questions will be addressed in this blog post:
- Why do we need CUA?
- What are the benefits of Central User Administration?
- What are the use cases for CUA?
- How to set up CUA?
- How to monitor CUA?
Overview of SAP's Central User Administration (CUA)
SAP provides a tool called Central User Administration (CUA) that simplifies managing numerous user accounts across several clients in an environment with many SAP systems. It is particularly useful when the same user accounts are created and maintained on many clients. User management is handled centrally in the central system (the client with CUA). All other clients that are administered from the central system are child clients; the central system accordingly functions as the "parent client". A further advantage of CUA is the ability to limit a user's access to particular clients in an environment with several SAP systems. To exchange master data between clients, the system uses Application Link Enabling (ALE), a technology that enables asynchronous, distributed business processing.
Why do we need Central User Administration (CUA) ?
Central User Administration, or CUA, is set up to administer large populations of users that share characteristics across a variety of systems in the landscape while using fewer resources. It enables us to centrally manage all user master records from a single system client. It addresses the following problems:
- Complex system environments
- Manual upkeep of user data across all accessible systems
- Heavy administrative workload
- Complex administrative tasks that might result in security issues
Benefits of Central User Administration (CUA)
- Once CUA is configured, users can be added or removed only in the central system.
- User attributes can be maintained only locally, only centrally, or both locally and centrally.
- As a result, all child systems must have the necessary roles and authorizations in place and operational.
- Each user now has to be maintained only once, centrally, which gives administrators a much clearer picture of all users and authorizations.
Use cases for central user administration
- User management across the board (including production servers)
- User management for non-production systems (sandbox, development, acceptance)
- User management in client 000
Assume a new Basis person joins and you have a wider landscape with 100 SAP systems. Good luck creating 100 user accounts... With CUA this is completed in a single step.
Additionally, you must sometimes log on to client 000. You have either lost your password there, or your account was automatically locked after xx days due to security settings. With CUA you can easily reset your password and log on.
Verify whether SAP GRC Access Control is being used. CUA may be at odds with this.
Step-by-Step Process:
1. Multiple clients on a single SAP landscape or system are required.
2. Access to SAP and the t-codes SU01, BD54, BD64, SCC4, SCUA, SCUM, and SM59 should be available to the administrator.
3. System users must be created for both the central system and its child systems.
4. Create RFC connections between systems
5. Create logical systems
6. Assign the logical systems to the appropriate clients
7. Create a model view
8. Add BAPI to the model view
9. Generate partner profiles and distribute the model view
10. Create a CUA and distribution model
11. Keep settings consistent across the central and child systems
Preparation:
For the configuration, we first need two clients.
I'll use the example of an ECC system with two clients: central client 800 and child client 820.
1) Create system user:
These system users are needed to set up the RFC connections between the two clients, and the RFC connections are needed to send the data. The following users must be created in each client with the roles listed below:
Client 1: This is the central system, 800. User: CUA_ECC800
Client 2: This is a child system, 820. User: CUA_ECC820
Note: Both users are created as “Service user” type.
The users are created in clients 800 and 820, respectively, with the following roles:
- User CUA_ECC800 with the following roles (roles in the central system)
  SAP_BC_USR_CUA_CENTRAL
  SAP_BC_USR_CUA_CENTRAL_BDIST
  SAP_BC_USR_CUA_CENTRAL_EXTERN
- User CUA_ECC820 with the following roles (roles in the child system)
  SAP_BC_USR_CUA_CLIENT
  SAP_BC_USR_CUA_SETUP_CLIENT
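Because the credentials of these users are stored in the RFC destinations, it is worth checking that they carry exactly the roles listed above and nothing broader. The following is an added example, not part of the original post: it audits a user export against the role lists above. The record layout (dictionary keys) is hypothetical and the sample records are constructed.

```python
# Added example: audit the CUA communication users against the post's role lists.
# The record layout (dict keys) is hypothetical; SAMPLE is constructed data.

EXPECTED = {
    # (client, user): roles the post assigns to that user
    ("800", "CUA_ECC800"): {
        "SAP_BC_USR_CUA_CENTRAL",
        "SAP_BC_USR_CUA_CENTRAL_BDIST",
        "SAP_BC_USR_CUA_CENTRAL_EXTERN",
    },
    ("820", "CUA_ECC820"): {
        "SAP_BC_USR_CUA_CLIENT",
        "SAP_BC_USR_CUA_SETUP_CLIENT",
    },
}
EXPECTED_TYPE = "Service"              # user type stated in the post
BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}  # should never be on an RFC user


def audit(records):
    """Return findings for the CUA communication users, in record order."""
    findings, seen = [], set()
    for rec in records:
        key = (rec["client"], rec["user"])
        if key not in EXPECTED:
            continue  # not one of the CUA communication users
        seen.add(key)
        roles = set(rec.get("roles", []))
        label = f"{rec['user']}@{rec['client']}"
        for role in sorted(EXPECTED[key] - roles):
            findings.append(f"{label}: missing role {role}")
        for role in sorted(roles - EXPECTED[key]):
            findings.append(f"{label}: unexpected role {role}")
        for prof in sorted(BROAD_PROFILES & set(rec.get("profiles", []))):
            findings.append(f"{label}: broad profile {prof}")
        if rec.get("type") != EXPECTED_TYPE:
            findings.append(f"{label}: user type {rec.get('type')!r}, "
                            f"expected {EXPECTED_TYPE!r}")
    for client, user in sorted(set(EXPECTED) - seen):
        findings.append(f"{user}@{client}: user not found in export")
    return findings


SAMPLE = [  # constructed: central user is clean, child user has three problems
    {"client": "800", "user": "CUA_ECC800", "type": "Service",
     "roles": sorted(EXPECTED[("800", "CUA_ECC800")]), "profiles": []},
    {"client": "820", "user": "CUA_ECC820", "type": "Dialog",
     "roles": ["SAP_BC_USR_CUA_CLIENT"], "profiles": ["SAP_ALL"]},
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```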
2) Create RFC connections between systems:
Step 1. In t-code SM59, select ABAP connections.
Step 2. Press F8 or click the "Create" option.
Step 3. Select connection type 3 (which indicates ABAP connections) and enter the RFC connection name (i.e., ECCCLNT800 and ECCCLNT820).
Step 4. Type the RFC's description, such as "RFC connection for CUA," and save.
Step 5. Next, enter the target host as the system name (also known as the computer name) of the ECC system, or enter the system's IP address, and enter the system number (like 00).
Step 6. All of the above settings are made on the "Technical Settings" tab.
Step 7. After that, select "Logon & Security".
Step 8. Type in the client number of the target ECC system, i.e.
Step 9. Additionally, enter the user name and password of the user created earlier in the target ECC client.
Step 10. Both the language and the Unicode option on the Unicode tab are optional.
Step 11. If the destination system is a Unicode system, you can leave the "Unicode" option selected.
Step 12. When you save the settings, a popup reading "Connection will be utilised for Remote login" will appear.
Step 13. Click "OK", then press Ctrl+F3 to run the "Connection Test."
3) Create logical system:
For each client or system, you must create a logical system and ensure that it does not rely on RFC connections.
Set up logical systems by going to t-code BD54.
4) Assign logical system to corresponding clients:
To assign the logical systems to each client/system individually, use the t-code SCC4.
5) Create model view:
These actions must be carried out within the central system.
1. Log in to the central client of the system.
2. Go to transaction BD64 and click the Change button.
3. Create a model with the technical name ZCUA_USER.
6) Add BAPI to model view:
Select the model view and click “Add BAPI”.
Sender/Client: ECC850 (As your Client System)
Receiver/Server: ECCCLNT820 (As your Central Server)
Obj. Name/interface: USER
Method: Clone
7) Generate partner profiles and distribute Model View:
The model view and the BAPI have now been created. We must now create partner profiles. Choose create partner profiles under Environment.
Return to the BD64 screen, choose the model view, and then choose Edit --> Model View --> Distribute. This distributes your model view to the child systems.
We have now finished creating and distributing the model view.
Installation:
8) Create CUA and distribution model:
Create a distribution model by using the t-code SCUA. Enter the name of the model view that was previously built in BD64 and click the Create button.
Add your child system. After choosing the system name, click Save.
If everything is done correctly, the resulting screen indicates that your CUA setup was successful.
9) Maintain parameters between central and child systems:
Once the CUA configuration is complete, we must set the parameters in the central system that determine which fields are maintained in the central system and which in the child systems.
Go to the SCUM t-code and choose the parameter maintenance mode switch.
It will give you a general idea of which parameters may be maintained globally and which ones should be centrally managed.
For example, role assignment has to be done from the central system, while password resets and defaults can be maintained in both the central and the local systems.
Run the RSADRCK2 report to synchronise the company address.
Verify the users in the central user database using t-code SCUM.
SU01: Confirm that the user is listed in the systems.
To change the user password for both the CUA system and its child systems:
- Use "Change password" to reset your password globally; if you select "Logon data," your password will only be reset for the CUA system.
- In CUA, we can only assign roles for child systems. To sync the role information to CUA, click "Text Comparison."
Note: Roles may only be assigned to child systems; CUA cannot alter roles.
- Choose all of the CUA systems to get information about roles so that CUA may assign roles to users.
- In addition, check the CUA distribution logs.
- Run RSUSRLOG and enter the user name to access the log.
- Run the RSADRCK2 report to synchronise the company name between systems.