Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

CUA with QAS and TRAINING

Former Member
0 Kudos

Hi,

i have a CUA with a child system, but the child system has 2 clients (for exemple 100 and 200) one client for tests and the other for training.

the CUA is also a data source for our EP7's UME.

my question:

how can i create a user_test for the child system but only for the client 100 (not authorized to have access to client 200) and vice versa

best regards

8 REPLIES 8

Former Member
0 Kudos

>

> Hi,

> i have a CUA with a child system, but the child system has 2 clients (for exemple 100 and 200) one client for tests and the other for training.

> the CUA is also a data source for our EP7's UME.

> my question:

> how can i create a user_test for the child system but only for the client 100 (not authorized to have access to client 200) and vice versa

> best regards

Under SU01create user ID.

Go to ->Roles->System (choose client 100), Roles (choose roles).

Save.

0 Kudos

Hi John,

thanks for your answer.

i have not created yet the child system in CUA.

I would like to know if i must create two child systems corresponding to each client (even if i have one system R/3 but 2 clients).

BEST REGARDS

0 Kudos

>

> Hi John,

> thanks for your answer.

> i have not created yet the child system in CUA.

> I would like to know if i must create two child systems corresponding to each client (even if i have one system R/3 but 2 clients).

> BEST REGARDS

I'm actually glad you haven't built you CUA yet, I not to fond of your design.

My CUA Design

============

Training - Not in CUA

- Why? This client will be restored very often due to required fresh data for training.

- IMHO a bad idea to be a child CUA.

DEV CUA - Only DEV clients.

- Why? You will be able to simulate PROD when unit testing.

- Example: Master CUA ECC 6.0, child SRM, BI, SUS, etc.

QA CUA - Only QA clients.

- Why? You will be able to simulate PROD when integration testing.

- Example: Master CUA ECC 6.0, child SRM, BI, SUS, etc.

PROD CUA - Only PROD clients

- Why? You don't want all the users in PROD to be part of child CUA's in DEV or QA.

- Why? If this is a part of DEV or QA CUA, it will be affected during CUA maintenance or outage

- I have about 40K user IDs in PROD and I don't want to push it down to DEV & QA.

- I have other reasons why PROD should be in its own CUA.

- Example: Master CUA ECC 6.0, child SRM, BI, SUS, etc.

Good Luck!

Former Member
0 Kudos

We have a range of child clients in our 1 single instance of CUA, our CUA sits on server with 1 other client that requires very little outage. We have also retained the ability to do resets locally and have emergency accounts in place should CUA be down for an unexpected amount of time.

By having multiple clients in the same CUA instance - Dev, QA, Prod etc does not mean your users have to exist in all clients. It depends on the size and scale of your landscape as to whether you want multiple CUA instances, we chose not to as there was no benefit to us, and as we have some users that exist in multiple clients (with differing access) its easier for us to manage them from one place, especially factoring in license management. We have 26 clients all as individual child clients spread across multiple Dev, QA, Training and Prod, these numbers are dwarfed by larger companies who can have hundreds of clients, that would then make more sense to me then to seperate your CUA instances.

The only training clients we have are our training master clients, we dont bother with the rest of the training clients as they are indeed regularly refreshed from the master training client.

Good Luck

Steve

0 Kudos

>

> We have a range of child clients in our 1 single instance of CUA, our CUA sits on server with 1 other client that requires very little outage. We have also retained the ability to do resets locally and have emergency accounts in place should CUA be down for an unexpected amount of time.

>

> Steve

This will not work in our facility. We have a Portal UME pointing to an ECC 6.0 (Master CUA) which is also using HR position base security. All portal use must go to ECC 6.0 and have to have an account. In order to properly simulate Portal and HR base position security, it is necessary to have a CUA in each landscape.

> Steve

> By having multiple clients in the same CUA instance - Dev, QA, Prod etc does not mean your users have to exist in all clients.

> Steve

True but we don't want unnecessary iDocs and also our PROD User IDs are all generated automatically via HR security (IT 105). It is important to make PROD to be CUA master on its own landscape and not burden it with unnecessary child systems.

Again there is a number of ways to design a CUA but putting everything in one CUA IMHO is not a good approach when you have the flexibility of multiple CUAs. Itu2019s not difficult to built CUAs so I donu2019t really see the benefit of not having one per landscape.

Another problem we encountered is during a refresh of QA from PROD is the source client must not have any CUA reference, so if PROD is the CUA master for QA & DEV this will pose another challenge.

There are some who choose 1 CUA for everything and making Solution Manager the master, this is fine as long as they can support it. As a consultant you can design the CUA for the customers and not have to support it. As a customer I have lived with supporting CUAs in DEV, QA & PROD.

I only recommend CUAs for each landscape and not pushing it as the only solution. It all depends on your business requirements and available resources.

Good Luck!

Regards,

-John N.

0 Kudos

Hi John,

thank you for your helpul answers.

I have some questions

We have a Portal UME pointing to Master CUA .

This CUA has multiple clients child systems connected to it (for QA and training).

I have to build a tool (may be a web application or abap application) to create automatically users and corresponding roles in the CUA and in the desired client chlid systems.

If i use the bapi_user_create1 from one client child system, the user will be created in the CUA and the CUA will push this user to all the clients connected to this one, that what i think, no?

my question is :

- how to limit the user's creation to the client child systems i want.

Other challenge:

If add roles for the user created with BAPI_USER_LOCACTGROUPS_ASSIGN in the child systems and in the CUA, how can i push automatically this role into the portal.

Is this bapi will create automatically this role in the portal.

dont forget that i have Portal UME pointing to Master CUA .

Thank you and best regards

0 Kudos

Hi John,

thank you for your helpul answers.

I have some questions

We have a Portal UME pointing to Master CUA .

This CUA has multiple clients child systems connected to it (for QA and training).

I have to build a tool (may be a web application or abap application) to create automatically users and corresponding roles in the CUA and in the desired client chlid systems.

If i use the bapi_user_create1 from one client child system, the user will be created in the CUA and the CUA will push this user to all the clients connected to this one, that what i think, no?

my question is :

- how to limit the user's creation to the client child systems i want.

Other challenge:

If add roles for the user created with BAPI_USER_LOCACTGROUPS_ASSIGN in the child systems and in the CUA, how can i push automatically this role into the portal.

Is this bapi will create automatically this role in the portal.

dont forget that i have Portal UME pointing to Master CUA .

Thank you and best regards

0 Kudos

>

> Hi John,

> thank you for your helpul answers.

> I have some questions

> We have a Portal UME pointing to Master CUA .

> This CUA has multiple clients child systems connected to it (for QA and training).

> I have to build a tool (may be a web application or abap application) to create automatically users and corresponding roles in the CUA and in the desired client chlid systems.

When you stated "automatically"; what would triger the creation of the user/users? Will it be an HR action or just a request to create a user?

> If i use the bapi_user_create1 from one client child system, the user will be created in the CUA and the CUA will push this user to all the clients connected to this one, that what i think, no?

> my question is :

I'm not familiar with bapi_user_create1. However, I have used composite roles with the simple role using a variable pointing to the child system. This has worked very well with our HR based position security.

> - how to limit the user's creation to the client child systems i want.

Just make sure you don't assign the system or a role on that system for the user.

> Other challenge:

> If add roles for the user created with BAPI_USER_LOCACTGROUPS_ASSIGN in the child systems and in the CUA, how can i push automatically this role into the portal.

> Is this bapi will create automatically this role in the portal.

> dont forget that i have Portal UME pointing to Master CUA .

> Thank you and best regards

I'm sorry but the portal is not an area of my expertise.