I found the name of the function. It's called "text comparison". Please also have a look here:

http://help.sap.com/saphelp_nw70/helpdata/en/9d/bdbba36f55db43ab8e8272e1d5d97b/frameset.htm

> If we try to create a composite role in CUA central system, we can insert only simple roles available in central system (and not in child).

You need to create a simple role in the CUA and associate it with the child role (PFCG->MENU->Target System->Dest). You can then include this new simple role on your composite role. If you like this design you might need to look into creating variables for your child systems.

On a different note, I would rather have your HR system as the CUA so when you assign roles to Org or Position the composite role is available. That is another topic.

Good luck.

Whole idea of CUA is to manage your roles and users centrally, on the contrary you can manage the roles/profiles by setting up the attributes for the CUA thorugh Central user Management console - SCUM Transaction.

CUA has its own pros -

Central rep,Users Sync,Role Provisioning statergy - Global composites(consists of individual child roles) Distibuted model -Provisioing at individual child systems for roles, etc.Central user store,easy maintenance.

on the contrary - change documents is always a concern ( because cua uses - interface Ids or the RFC ids to push the idocs from cua to child system), CUA maintenance while system refresh - Copied distribution models have to be deleted and re-created, system backups has to be defined per you distribution model, password maintenance if defined global then Child systems act as inactive nodes, reading the roles into cua which are created in childs so as to establish a pointer to that system.

It also depends on the number of systems you have in your landscape so that you can calculate the overhead and then have a Go -no-Go decison on CUA.

Overall, I consider CUA as a good approach provided we streamline the process of provisioning, de-provisioning per the cua standards.

Rakesh