>

>
> I saw the note  320449  and found that the corrections are given for SAP_BASIS Release 610 to 640. but our release is 701. will it suit us. 

The note is classified as 'Recommendations/Additional Info'. So yes, it will suit you.

>

>
1. what will the fail over stategy that we can maintain to avoid such downtime.
2. Can we implement 2 CUA groups in the two systems.

<ol>

<li>You cannot avoid all downtimes, but apart from 'usual maintenance' a SolMan is one of the systems in a landscape that you can keep a little more quiet when it comes to downtimes or jo-jos. It doesn't change so very often for: instance parameters, re-arringing of file-systems, database-restarts due to parameters etc. etc. which all other systems -IMHO- face more frequently than a SolMan. I don't know about that (in)famous Hotpackage 18, but seems there was a 'minor' catastrophe. Does that answer your question or did you mean something else by 'fail-over-strategy'?

<li>Please explain what do you mean with 'CUA-groups'??

</ol>

I'm sorry, but I never heard of 'CUA groups'. Can you please provide a link to that document where you read that? I would like to study it myself, so as to get an impression what exactly it means ... thanks in advance.

Hi CUA,

is slowly being phased out, why not find out if you are going to use GRC 5.3 / IDM 7.1 .

In our previous project implementation we had CUA and solution manager on one system as users started growing system was going down atleast 3-4 four times a week.

Then we realised it was the user to role assignment in bulk, this was impacting the functioning of Solution manager also.

we finally had to create a zprogram which will force security team to make changes to specific logical systems in the landscape. Of course we did not plan to have CUA for the production, GRC 5.3.

Remember CUA works only on the ABAP . GRC 5.3 can provision on both ABAP + JAVA Systems

Edited by: Franklin Jayasim on Jul 28, 2010 6:43 PM

>

> 
> is slowly being phased out, why not find out if you are going to use GRC 5.3 / IDM 7.1 .
> 

Yes, some of the SAP salespersons (sorry Bernhard, but it's true - ours tried the same) are using arguments along those lines ("will one day run out of maintenace, since it is to be substituted with ...") to get IdM sold. Franklin, if you had tried to verify such by searching SMP, SDN and a couple of other places, you would have found out that there's no real data on this assumption (as of now).

Anyway - instead of stating (yet another) unveryfied phrase, you could have asked the board here - I am absolutely convinced that the SAP moderators of this board would have found out for you and answered.

>

> 
> In our previous project implementation we had CUA and solution manager on one system  as users started growing system was going down atleast 3-4 four times a week.
> 
> Then we realised it was the user to role assignment in bulk, this was impacting the functioning of Solution manager also.

If such a problem occurs, wouldn't that be exactly what 'Basis people' are for? Find the cause and a solution? It can be solved ...

@Subhashini: good luck - it will be interesting to read your opinions when you update this!

> If such a problem occurs, wouldn't that be exactly what 'Basis people' are for? Find the cause and a solution? It can be solved 
>

I have seen the problem many times before. The basis team are not being given enough biscuits and other treats.

Hi All,

I have very bad experience with CUA. Not just me our whole team had to run around the Basis team in circles.

can it be corrected using HA/Alternative plans(yes) , will the company/Client be ready to invest to do it when they can get the work done using GRC/IDM?

The question asked at one of the clients place during discussion is why do I need CUA , GRC & IDM all at the same time?

Can I assume from this advice that you have not done any performance testing and tuning with GRC and IdM either?

> The question asked at one of the clients place during discussion is why do I need CUA , GRC & IDM all at the same time?

Basis folks love such surprises from "discussions"... and biscuits won't get you very far. Chocolates and more CPU power maybe...

An imaginable scenario is to provision all non-PROD systems from CUA and PROD environments from IdM with the users. GRC is optional then depending on the components used and how the roles (concept) are built in the first place...

Cheers,

Julius

> 
> Basis folks love such surprises from "discussions"... and biscuits won't get you very far. Chocolates and more CPU power maybe... 

British caramel shortcakes, more CPU, more memory and faster disks )

I remain unconvinced. I cannot see where IdM, GRC should have no issues at all, while CUA on SolMan is a problem child. Obviously there was something very wrong with that SolMan installation - performancewise.

May you fare better with IdM and GRC - consider making them HA and do some performance-testing/tuning while you're at it - so that your CUA problems will not return ...

Edited by: Mylène Dorias on Jul 30, 2010 8:48 AM

Come to think of it - I would appreciate it very much, if you could make that Z-Abap available to us - could be a live-saver!!

Regarding GRC performance and High availability & automatic provisioning I have not found any technical issues.

two customers are happy with the stable performance so far and they do not have CUA,

Hi Julius,

GRC yes , experienced few issues related to risk analysis, but SAP supported and corrected some of the settings and gave steps on how to enable logging in a clustered environment.

IDM only one implementation so far, I do not want to comment until I HR trigger.

CUA- is question mark due to the progression of tools from SAP to administer on both JAVA & ABAP with automization.

In the present project the plan is to check out authentication methods for SSO. There is a performance/Infrastructure team who is planning to handle the hardware , performance & tuning

Hi Julius,

"An imaginable scenario is to provision all non-PROD systems from CUA and PROD environments from IdM with the users. GRC is optional then depending on the components used and how the roles (concept) are built in the first place..."

At the clients place where CUA was an issue, NON-PROD ( CUA with that Zprogram is used) but password resets until the "GO LIVE phase" is through GRC5.3 ( this saves a lot of time for security team). IDM( POC state) scoped for production only after Go LIVE phase.

Hi Mylène Dorias ,

With Help of SAP who resolved performance & tuning issues(of course my configuration mistakes) GRC has been stable at three of the client sites its being used successfully

IDM is a very big challenge( since I am new maybe ) to install & configure , but one of the client in Atlanta ( famous soft drinks company guess !!!!) when they talked over the phone they told me that they have more than 100 ( IDM 7.0 ) repositories well configured and stable for the past two plus years , user and role administration is very successful.

I am not a supporter of GRC or IDM please do not misunderstand , I am just throwing the decisions made by some of my clients. CUA issue was only with one client ( in the year 2008).

The biggest advantage I see in GRC/IDM is provisioning on the Java side

Thank you, Subhashini, for the link. That was an interesting read. I never considered having more than one CUA - I mean that loses me the 'C' of the thing, no - make it a DcUA (de-central)?

What I did not really understand, was the statement of John Navarro, claiming - I quote:

I don't want all those user IDs in DEV and QA. 

I cannot wrap my brain around this statement - why would I not want my PRD-users in my QAS?? I mean, I can understand not wanting them in my DEV, but QAS - for gods sake ... that's where I exspect them to test ... all of them (not at the same time, maybe, but ...). How would one go about CUA-attributes that were to be 'redistributed'? For example: I have set the users last name and a couple of other data on the 'address'-screen to 'redistribute' (same for all values in tabstrip 'parameters') - because I am too lazy to maintain users every time they marry, get divorced, move around in the company building, switch departments, having new telephone-numbers etc., so they are to maintain those data themselves and I redistribute them to the CUA master. If I were to have -say- two masters: one for the PRD-systems, one for the QAS-systems ... how would I get them to synchronise the redistributed values?

I have no idea. Really. Take into account, having more than 10 portals on the landscape that need several backend-systems at once - o.k. this is getting too complicated.

So: no - I would keep all of them central in one SolMan and make that SolMan a HA-solution and take great pains to get the sizing right. We are talking a SolMan-landscape here - two at least: DEV and PRD, where PRD is HA. Three would be better - for testing aspects.

> What I did not really understand, was the statement of John Navarro, claiming - I quote:
> " I don't want all those user IDs in DEV and QA. "
> 
> I cannot wrap my brain around this statement - why would I not want my PRD-users in my QAS?? I mean, I can understand not wanting them in my DEV, but QAS

I had issues with my forum points and decided to search for my name and voilau2026 I saw this thread

Sorry Iu2019m late on the party I can see your point on possibly wanting your Prod users in QA for testing but in my case I donu2019t need 40k users in DEV for unit testing but itu2019s your choice. There is always a number of ways to configure CUA and each CUA design is based on system limitation or other business requirements.

We have HR position base security and the HR data is managed in PROD ECC 6.0 and not in Solution Manager, thatu2019s one reason we have our own CUA for PROD (ECC 6.0, SRM 5.0, BI 7.0, SUS, etc). In our shop having CUA in multiple landscapes (DEV, QA and PROD) is beneficial. We can almost expect the same results in security as we move through different environments.

Somebody posted a nice discussion page on the Pros and Cons of CUA and I canu2019t seem to find it, it was a good read on CUAu2019s.

Mylene, sorry if you lost sleep on my old post but I can see your point on how you came about your CUA design.

Edited by: John Navarro on Aug 27, 2010 11:28 PM - ECC 6.0 for PROD

Do not rely solely on what I write

Hopefully there are others to join this thread ...

And no - I would keep all of the system-landscapes (DEV/PRD/QAS) together in one big SolMan ...

HI Sridhar,

Sorry to respond so late, I was on travel.

when I come back to Arizona, I will surely let you know the program name(I dont remember)

I will have to search my emails and give you the correct information.

I can do this probably Monday/Tuesday.