
IDM & CUA - Could somebody explain me the concept

Former Member
0 Kudos

Dear all,

I want to connect my IdM 7.2 (SP8) to our CUA (after a long testing period), but I don't understand the result. Could somebody explain to me the concept of the function between CUA and IdM?

I did the initial load. The IdM created only a privilege for my CUA system, so I don't understand how I assign a satellite system in my IdM.

Example:

The User Smith need an account in our ERP system.

Old environment:

CUA: Put an entry on the Systems tab in transaction SU01. The CUA creates an account in my ERP system.

New environment:

Create an entry in the IdM, or?

Thank you for your help.

Best regards,

Hans

Answers (8)

Former Member
0 Kudos

Ok, thank you for this information. But which technology do you use? You assign PRV:CUA:SYSTEM:ROLLE to an account, so the account will be assigned to the SAP system "SYSTEM". Where do you assign the license information to the user (CUA or IDM)?

Best regards,

Hans

Former Member
0 Kudos

Hans:

Look through task createABAPUser

The line uClassLicType is where IdM populates the licence on the back-end system.

Andy

Former Member
0 Kudos

Dear Andy,

I searched for the point to set the license in IdM. The attributes SAPC_IDEN_REP_LICENSE_TYPE_XXXX are not filled.

Best regards,

Hans

Former Member
0 Kudos

Hans,

Sorry I can't help here since I don't use RDS provisioning tasks. You might find information about this on RDS documentation.

I guess you have to fill the attribute; it seems this attribute is a repository-specific constant whose value you specify at repository level:

SAPC_IDEN_REP_LICENSE_TYPE_XXXX

For example SAPC_IDEN_REP_LICENSE_TYPE_CUA=54

Regards

Andy

Former Member
0 Kudos

Dear Andy,


Thank you for this information. I had a look at my system and found roles.

I'm sorry, but I have a little question on the topic of licenses:

When I assign a system role to a new account, which license in the system do the users get?

Is it always mySAP Business Suite Professional?

Best regards,

Hans

Former Member
0 Kudos

Hans

I am not sure about your question. I guess every time you create an account on an SAP system there will be a license for your account.

Regards,

Andy

Former Member
0 Kudos

Dear Andy,

Ok, I found my issue in the initial load. (The attribute "SAPC_PRIV_CREATED_BY" is set to "<IDM_UPLOAD>" and not an mskey value; maybe it is a bug in RDS.)

So, now, I have a lot of roles.

Please give me an advice:

I want only to create an account in my subsystem without assigning a role. Which role do I have to use?

My search for PRIV:ROLE:CUA:SYSTEM:ONLY had no success.

Thank you for your help!!

Best regards,

Hans

Former Member
0 Kudos

Hans:

From what I know you can't create an ID on a sub system without assigning a role to the user from IdM. It is how IdM works, just like when you want to create an ID on your CUA system without assigning the CUA account privilege to the user.

The system and account privileges are by default created in the following format:

PRIV:SYSTEM:REPOSITORYNAME -> System Privilege

PRIV:REPOSITORYNAME:ONLY -> Account Privilege

E.g. if the name of your CUA system is CUA then the privileges are created as

PRIV:SYSTEM:CUA

PRIV:CUA:ONLY

By default search in IdM uses the display name; when you search for these privileges it is helpful to search like this:

PRIV*CUA*ONLY

Regards,

Andy

Former Member
0 Kudos

Hans:

We have been running a similar environment for the past three years. It's quite straightforward for IdM in this setup.

+ Old Landscape

CUA -> Sub System A -> RoleA
    -> Sub System B -> RoleB

+ New landscape

IdM -> CUA -> Sub System A
           -> Sub System B

When you finish the initial load for the CUA system, basically you will have some account privileges and regular privileges from CUA and the sub systems.

e.g.

PRIV:SYSTEM:CUA

PRIV:CUA:ONLY

Privileges from Sub System A should have naming similar to the following:

PRIV:CUA:SUBSYSTEMA:ROLEA

So when you assign the account privilege (PRIV:CUA:ONLY) to an identity, IdM will create an ID on CUA.

If you want to create an ID on a sub system (e.g. Sub System A), then assign the privilege PRIV:CUA:SUBSYSTEMA:ROLEA; IdM will create an ID on subsystem A as well as assign ROLEA to the user there.

Regards

Andy
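As an added illustration (not code from the thread or from SAP IdM), the following Python models the privilege naming convention Andy describes in this reply and the earlier one (system, account and sub-system privileges), the display-name wildcard search, and the dependency that a sub-system privilege only provisions once the identity also holds the repository account privilege; the catalogue of names and the assignments are constructed samples.

```python
import fnmatch
import re

# Privilege name patterns as described in the thread (assumption: names are
# upper-case and colon-separated with no further components).
SYSTEM_RE = re.compile(r"^PRIV:SYSTEM:(?P<repo>[^:]+)$")  # PRIV:SYSTEM:CUA
ACCOUNT_RE = re.compile(r"^PRIV:(?P<repo>[^:]+):ONLY$")  # PRIV:CUA:ONLY
SUBSYS_RE = re.compile(r"^PRIV:(?P<repo>[^:]+):(?P<sub>[^:]+):(?P<role>[^:]+)$")

# Constructed sample of what the initial load of a CUA repository could yield.
SAMPLE_CATALOG = ["PRIV:SYSTEM:CUA", "PRIV:CUA:ONLY",
                  "PRIV:CUA:SUBSYSTEMA:ROLEA", "PRIV:CUA:SUBSYSTEMB:ROLEB"]

def classify(priv):
    """Return (kind, repo, subsystem, role) for a privilege display name."""
    for kind, rx in (("system", SYSTEM_RE), ("account", ACCOUNT_RE),
                     ("subsystem_role", SUBSYS_RE)):
        m = rx.match(priv)
        if m:
            g = m.groupdict()
            return (kind, g["repo"], g.get("sub"), g.get("role"))
    return ("unknown", None, None, None)

def search_privileges(catalog, pattern):
    """Display-name wildcard search, e.g. 'PRIV*CUA*ONLY' as suggested above."""
    return sorted(p for p in catalog if fnmatch.fnmatchcase(p, pattern))

def provisioning_effect(assigned):
    """Derive the accounts and roles a set of assigned privileges implies, and
    flag sub-system privileges whose repository account privilege
    (PRIV:<REPO>:ONLY) is absent, since the CUA ID must exist first."""
    kinds = [(p, *classify(p)) for p in assigned]
    cua_accounts = {repo for _, kind, repo, _, _ in kinds if kind == "account"}
    accounts, roles, missing = set(), {}, []
    for priv, kind, repo, sub, role in kinds:
        if kind == "account":
            accounts.add(repo)  # ID created in the CUA repository itself
        elif kind == "subsystem_role":
            if repo not in cua_accounts:
                missing.append(priv)
            accounts.add(f"{repo}/{sub}")  # ID created on the sub system via CUA
            roles.setdefault(sub, set()).add(role)
    return accounts, roles, missing
```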

Former Member
0 Kudos

Dear Andy,

Which initial load do you use? I start the initial load from RDS 7.2 SAPC AS ABAP Initial Load. But there is no PRIV:CUA:XXXXX.

We don't manage roles in our CUA for the subsystem.

Best regards,

Hans

Former Member
0 Kudos

Hans:

I am using the initial load from the job wizard but it should not be much different. Make sure when you set up the repository that you set the repository as CUA.

I am not sure I understand you. You don't assign roles to the sub systems via CUA?

Since IdM manages CUA and CUA manages the sub systems, the only way that IdM can create an ID on a sub system is that the user needs to have an ID on CUA first. Then either assign a sub system privilege from IdM to the ID, or log in to CUA and assign a role or system.

The initial load job always creates two privileges for each repository: account & system. If you don't see these privileges in the UI, maybe they are invisible; you can go to the identity store to make them visible.

Be careful: if you use IdM just for creating IDs but not for assigning roles, as we do at my company, then you need to disable role/privilege assignment from the framework for ModifyABAPUser; otherwise IdM will overwrite your role assignments in the CUA system.

Regards,

Andy

Former Member
0 Kudos

Hans,

We use both an IdM solution and CUA in our SAP landscape. This arrangement has worked out well for us. The IdM solution creates the user IDs upon request from the manager of the account, and provisions the accounts with basic access in both ABAP and Java clients. The CUA landscape is used to provision extra access in the DEV and TEST ABAP clients, and also for creation and provisioning of test accounts. At this time we have CUA turned off for testing of the GRC10 system, but it is our intention to reconnect it after the go-live, with some luck some time in Q2 (keeping my fingers crossed, rubbing a rabbit's foot, etc), as we only use GRC CUP/ Access Request to provision to PROD clients.

Cheers,

Gretchen

Former Member
0 Kudos

Dear Steffi,

Yes, it is redundant, but I need the CUA protection of user attributes, because our security manager changes role assignments directly in the SAP system with SU01 and shouldn't change user attributes (like first name, last name, etc.), and I always want to use some functions of the IdM

(To move the tasks into the IdM, I need a lot of people and time, so we put it in the project queue).

Ok, I understand: first I have to create the account in the IdM and then I assign the ERP system to the account.

Best regards,

Hans

former_member2987
Active Contributor
0 Kudos

Hans,

By "project queue" I assume you mean that you intend to bring this functionality from CUA to IDM. This would be a good idea since CUA is no longer under active support. I believe that has written about this a few times.  Also the fact that CUA does not support JAVA systems and has no real workflow or approval concepts makes it much less appealing.

Of course, none of this means that CUA is bad, just not as useful.

Best of luck on your project!

Matt

Steffi_Warnecke
Active Contributor
0 Kudos

Yes, it is redundant, but I need the CUA protection of user attributes, because our security manager changes role assignments directly in the SAP system with SU01 and shouldn't change user attributes (like first name, last name, etc.), and I always want to use some functions of the IdM

Hello Hans,

yes, I thought about that and therefore had removed my comment about the redundancy, but you were faster in responding. I have edited it back in, so your answer makes sense again.

Of course, when you already have a landscape with CUA that is working and not enough time to replace it with IdM, it is at least a good start to bring the IdM in play and piece by piece move the systems from CUA to IdM.

BTW: You can handle the same sort of permissions (can just assign roles, but not change user data) in IdM pretty easily by working with the masks and access controls. But I know... the time has to be there.

I'll nod to Matt's post and wish you all the best with the big project in the future.

Regards,

Steffi.

Former Member
0 Kudos

Hi,

I read again the URL

Integrating a Central User Administration System - SAP NetWeaver Identity Management Provisioning Fr...

and the question is:

Do I have to

1. create an identity (e.g. SMITH) in my IdM with the PRIV:CUACLNT100

2. log in to my CUA

3. assign the system ERPCLNT100 to the account SMITH

So I need two steps to create an identity in a CUA environment?

Best regards,

Hans

Steffi_Warnecke
Active Contributor
0 Kudos

Hello Hans,

you want to use the IdM to create an account for a user in your CUA to create an account in a backend?

For your question I'd say: "No." You just need one step. Because the first step will create the identity in the CUA. The second step is the creation of the account in the ERP. Since you want to do that via your CUA, it will be two steps.

Or are you looking for a solution, where you just trigger the creation of the identity in CUA and it should also create an account in the ERP for that new identity?

It's a bit confusing for me, that you use the IdM to manage another IdM (what the CUA is). Isn't that a bit redundant?

Regards,

Steffi.