01-26-2012 4:24 PM
Hi all,
we have 2 SAP systems:
1) SAP ECC6 (with composite roles)
2) SAP HR with PA and OM
We would like to assign SAP ECC6 roles through HR-OM.
Since HR-OM is not on the same ECC6 system, we would like to try the logic: HR-OM -> CUA -> ECC6
There are several documents that describe this situation (ex. SCUR351).
From PFCG point of view, we should create a composite role in CUA system which include simple roles of child system.
If we try to create a composite role in CUA central system, we can insert only simple roles available in central system (and not in child).
Any experience on this scenario ?
Pros vs cons ?
Are the different possible scenarios ?
Many thanks...
Andrea
02-06-2012 2:11 PM
Hi Andrea,
you may want to have a look at the "Role Manager" (/ISDFPS/ROLE_MANAGER). From my point of view, it has a good integration with OM. But it is also good for applying a parent-child methodology.
Concerning your problem with your roles that are not available in the parent system. You need to synchronize the role names before you can use them in CUA. Not sure what the exact name of this button is. But it has something to do with get or synchronize names... After that you can use the role names from the child system in your parent system.
Kind regards
Matthew
02-06-2012 2:17 PM
I found the name of the function. It's called "text comparison". Please also have a look here:
http://help.sap.com/saphelp_nw70/helpdata/en/9d/bdbba36f55db43ab8e8272e1d5d97b/frameset.htm
02-06-2012 3:55 PM
> If we try to create a composite role in CUA central system, we can insert only simple roles available in central system (and not in child).
You need to create a simple role in the CUA and associate it with the child role (PFCG->MENU->Target System->Dest). You can then include this new simple role on your composite role. If you like this design you might need to look into creating variables for your child systems.
On a different note, I would rather have your HR system as the CUA so when you assign roles to Org or Position the composite role is available. That is another topic.
Good luck.
02-07-2012 2:50 AM
Whole idea of CUA is to manage your roles and users centrally, on the contrary you can manage the roles/profiles by setting up the attributes for the CUA thorugh Central user Management console - SCUM Transaction.
CUA has its own pros -
Central rep,Users Sync,Role Provisioning statergy - Global composites(consists of individual child roles) Distibuted model -Provisioing at individual child systems for roles, etc.Central user store,easy maintenance.
on the contrary - change documents is always a concern ( because cua uses - interface Ids or the RFC ids to push the idocs from cua to child system), CUA maintenance while system refresh - Copied distribution models have to be deleted and re-created, system backups has to be defined per you distribution model, password maintenance if defined global then Child systems act as inactive nodes, reading the roles into cua which are created in childs so as to establish a pointer to that system.
It also depends on the number of systems you have in your landscape so that you can calculate the overhead and then have a Go -no-Go decison on CUA.
Overall, I consider CUA as a good approach provided we streamline the process of provisioning, de-provisioning per the cua standards.
Rakesh