cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Role assignment not happening properly after rsldapsync_user is executed

Go to solution
Former Member

on ‎01-12-2012 6:13 PM

0 Kudos

Hi Experts,

We are using CUA-LDAP sync report to get users from ldap to cua. From CUA, we have configured 2 child systems one is client 340, another is client 360 of our ECC system. We have also maintained proper mapping table for both 340, 360.

Now , when report rsldapsync_user is executed from se38, I can see that proper role assignemnet is happening for all users in 360 client but some users are skipped in 340. These users are present in 340 but no roles is assigned to them. Where as in CUA, all users have proper role assignment.

I am getting below error in scul for 340.

Role GPD_HCM_EMPLOYEE is locked by user CUA_QEH_340

Role GPD_HCM_EMPLOYEE_MANAGER is locked by user CUA_QEH_340

Role assignment to user GPDSEEMP1008 not executed completely

There are some users which are properly synchronized in 340 but many are not ( from 500 users, 142 are not synchronized and all these users have same error).

One turnaround for this is to run report RSCCUSND but I dont want to run this report. Also I am not sure if all users will be synchronized with this report.

My question is why is this happening for only client 340? in 360 all users are synchronized properly. My CUA rfc are load balancing for both clients.

Please help me to resolve this issue.

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎01-12-2012 10:02 PM
0 Kudos

Hi Arjun and Ashu,

In my mapping table, I have to maintain entries for both clients. That is, when is run the ldap sync report, users from Active directory should be created in both clients with same role. this is working perfectly in 360 not in 340.

How can I check if serial processing is going on in 360 but not in 340 ?? I have checked in we20, and I can see that properties are same for inbound idocs.

I'll check the notes that you guys have given and will post again if it solves the issue.

Thanks,

Ankit

Show replies
Show replies
Former Member
‎01-13-2012 5:06 AM
0 Kudos

Hi Ankit,

In my mapping table, I have to maintain entries for both clients. That is, when is run the ldap sync report, users from Active directory should be created in both clients with same role. this is working perfectly in 360 not in 340.

LDAP sync and pushing roles from CUA to child system are 2 diff things.I believe you get users from active dir i.e LDAP to CUA and then from CUA to other child system.If you have maintained RFC's,users and mapping perfectly for both clients and getting lock error while pushing updates to other client, then it leads to parrallel idoc processing error.Which is very well described in the note:Note 399271 - CUA: Tips for optimizing ALE distribution performance

----

Parallel processing of user administration IDocs (Message type USERCLONE ) may result in locking problems in two instances:

1. If several IDocs are to be processed in parallel for the same user, the system only waits for a maximum of one minute for the lock to be released. After this, an error status is set.

2. If several IDocs are to be processed in parallel for different users and these contain user assignments for the same roles (direct assignments or indirect single role assignments because of assigned composite roles), a warning message is issued in transaction SCUL, indicating that the IDoc has still been posted correctly.

-

Note 557610 - CUA: Lock problem with serial IDOC processing

How can I check if serial processing is going on in 360 but not in 340 ?? I have checked in we20, and I can see that properties are same for inbound idocs.

I wanted to check if you just send idocs to client 340 separately,is it getting pushed into? OR you still getting lock error.

Go through these notes,they should be useful in your scenario.

Regards,

Ashutosh

Answers (4)

Answers (4)

Former Member
‎01-28-2012 4:37 AM
0 Kudos

Solved.

Show replies
Show replies
nagamalleswararao_bokkisa
Discoverer
‎07-09-2013 7:42 PM
0 Kudos

Ankit,

Can you please let me know how you have solved the problem?

Thanks,

Naga

Former Member
‎07-10-2013 2:59 PM
0 Kudos

Hi Naga,

refer to following notes.

399271 - CUA: Tips for optimizing ALE distribution performance

557610 - CUA: Lock problem with serial IDOC processing

898213 - CUA: Change documents for role and profile assignments

They should solve this issue.

Regards,

Ankit

Former Member
‎01-13-2012 3:49 PM
0 Kudos

Hi,

I am still not able to solve this problem. report RBDAPP01 was scheduled in the system for parallel processing. I stopped this job, and started the sync report. But still, role assignemnt is failing in 340 , not in 360. I have checked inbound idoc processing in we20 and both are same for 340, 360.

Please let me know if i am missing any trick here or things needs to be done differently.

Regards,

Ankit

Show replies
Show replies
Former Member
‎01-12-2012 7:27 PM
0 Kudos

Hi Ashutosh,

All idocs are in green in WE05 in 340. Users are getting created in 340. Its just roles are not being assigned to some users.

Regards,

Ankit

Show replies
Show replies
Former Member
‎01-12-2012 9:35 PM
0 Kudos

HI Ank,

Role GPD_HCM_EMPLOYEE is locked by user CUA_QEH_340

Role GPD_HCM_EMPLOYEE_MANAGER is locked by user CUA_QEH_340

Role assignment to user GPDSEEMP1008 not executed completely

The error message clearly says that ROLE Is locked by the user.

Did you try to execute the Role assignment client after client ? and a possible workaround is to switch to serial processing (inbound). Please refer to SAP Note 399271 for further information.

Regards,

Arjun

Former Member
‎01-12-2012 9:50 PM
0 Kudos

Hi,

Check in both source and target system for idocs and trfc's.

My assumption is, they are not getting transmitted due to lock issue.

Can you try pushing the roles to 340 first and 360,instead of pushing roles to both of them parallely?

Check for few SAP notes :

399271 - CUA: Tips for optimizing ALE distribution performance

557610 - CUA: Lock problem with serial IDOC processing

898213 - CUA: Change documents for role and profile assignments

Regards,

Ashutosh

Former Member
‎01-12-2012 7:18 PM
0 Kudos

Hi,

Check for Idoc's getting stuck in system and process them manually.

SM58,BD87,WE05 select from the date range and process Idoc or Execute LUW.

Regards,

Ashutosh

Show replies
Show replies
Ask a Question