Try this:

Francesc,

See my previous post on the subject:

https://www.sdn.sap.com/irj/sdn/profile?userid=3581645

You do need to recreate, in the central system, the single role name and description and then fill out the target system under the menu tab. No need to distribute from the central system to the child.

Then create the composite in the central system. Add roles and the systems you set in the target system of the single roles will be listed.

Add composite role to user in central system and it will automatically add the other roles to the user.

Then look in the child systems and you should see the roles it added.

Cheers,

Ben

You create a single role in the Central client with the same Name and Desc as the role in the backend but do not put in the authorizations. In the menu you fill in the target system, then you assign this role to the composite role.

Yes

How do you avoid clobbering the roles in the child system if the the role in the central client does not have all of the authorizations values filled in and you happen to click on text comparison?

Text comparison will not wipe it out. However if you click distribute from the central instance it will be. There is a warning screen after the button has been clicked.

What procedure do you go through for assigning cross system composite roles? The procedure would depend on the processes needed at your company. Approvals, etc.

Do you upload the roles from the child system to the central system so the auth values are the same? You could, but they would likely get out of sync fairly fast unless a large effort is in place to keep them consistent.

Cheers,

Ben

Text comparison does not overwrite in the environment I work on. Only if you click distribute.

Run a test on your system to verify.

Cheers,

Ben

Text compare only informs the parent CUA of the roles in the child systems. Now if you run SCUG, Pick a child system and choose the tab 'already central user' this will overwrite what the 'parent' system has for role assignments for the users. (but just for that one child system)

None of the roles need to exist unless you are trying to do cross system composite roles.

Cheers,

Ben

Doug,

Your roles will not show up in PFCG for assignment in composite roles by running text comparison. Text comparison only makes them show up for user assignment in the respective system.

Cheers,

Ben

Benjamin's right Doug. you won't see the roles in PFCG from your other clients BUT when you run SU01 you will be able to see the both the composites and the master roles for each child system. Now if you try to doubleclick on the role while assigning it to a user you'll get the error the role does not exist(this is normal as the role does not exist in the parent)

Once you start using CUA you'll figure all this out very quickly

Doug, you don't need any roles at all in your central client. first make sure roles are manged centrally by checking SCUM. Then go into SCUG and choose the child system you're having problems with. Click on the "user" box with the down arrows and make sure the first three tabs have no users in them. if they do select each user and click the transfer button. Now to sync roles to users choose the fouth tab "already central user" select all users and click the "role assignments" button. now go into SCUL and execute to see if any errors out there. Some times CUA gets a little out of whack and you'll need to select all the users again and hit the re-distribute button.

Once you've confirrmend there are no errors go into su01 and the roles tab and see if you can pick a child system. If you don't see any roles now do a "text comparision fron chil sys" and look below your see the clock checking all the rfc connections. If you still don't see anything then I'd suggest checking your RFC logon connections and removing and readding the child with an account that has SAP_ALL

I don't have a problem with SU01, its PFCG where I can't see the roles in child systems for assignment to composite role. SU01 looks fine.

You'll have to do the composite assignments in the child clients and then you'll be able to see them in the CUA parent. You can't manage roles for child clients in the CUA master. CUA is only used to manage users

I'm sorry, my previous post was misleading. I said you can only manage users not roles. What I meant was in the master you can manage user properties, addresses, roles and profile assignments. In the Parent you cannot manage roles themselves in the CHILD systems. Meaning you cannot run PFCG in the parent CUA and edit the roles that are in the child systems. When you run PFCG in the parent you will only see roles that exist in the parent.

This should not restrict you in any way from assigning users to composite roles in the child systems

Create a single role in the Central client with the same Name and Desc as the role in the backend but do not put in the authorizations. In the menu you fill in the target system, then you assign this role to the composite role.

Then assign composite role to end user in backend system.

Yes

Cheers,

Ben