Centralized User Authorization

Former Member
0 Kudos

Hi

I wanted some help to implement CUA.

Needed some guidelines on how to go about it.

Please Help

Thanks

Nidhi

1 ACCEPTED SOLUTION

Former Member
0 Kudos

From a high level you need to start with a design.

If you are using HR base position with structural authorization you need to make the ECC 6.0 system the parent, not Solution Manager [I will debate this to no end, based on my experience and current production system in place]. If you are using Portal, you have to decide on the UME, usually the parent CUA.

Tcodes you need to be familiar with:

SU01 - make sure CUA parent and client accounts are on all systems. Generate delivered CUA roles and assign to parent and child accounts.

SM59 - create RFC connections - this is client independent

SCUA - create CUA in master client and define child system

BD64 - generate partner profile

SCUM - set global CUA settings

SCUG - user clean up.

BDLS - new RFC connection

Whoever pointed out 7-8 hours is not far off. This is a project for somebody who has at least an intermediate-to-expert level of security experience.

Good Luck!

17 REPLIES 17

Former Member
0 Kudos

Hi.

If you can give me some time, I can give you a vivid description. Say another 7-8 hrs! In the meantime you can browse the posts here.

Thanks

Former Member
0 Kudos

To what John had said....here is my promised note !

Hi Folks, As promised…

Why CUA:

It reduces the maintenance that otherwise faces the Security administrator, for example if a user is changed in one client then this user will need to be changed in all other clients. From this sentence we can build the fundamental of CUA.

In CUA, we change only in one client and the changes are then effective “everywhere”! How does this take place? Well, one of the clients in the landscape is maintained as the “sender”. This holds the complete authorizations for the landscape. The “other” clients naturally are termed the “receiving” systems.

Now we talked about sending and receiving systems. What's now absent is the connection, for which we need “ALE” (Application Link Enable).

Now to have ALE, we need to have an admin user (system user), which can be created by SU01. This needs to be repeated for all the systems in the CUA.

Now that we have created the users for all the systems, we need to “name the systems in the landscape”: Tcode SALE (easy to remember, ALE becomes SALE!!).

In this Tx, when you expand the nodes you will find “naming the logical systems”. Execute that… follow the screens (and your gut feel, and of course SDN if you are in doubt!).

Now we have named the logical systems, after which you need to ASSIGN the logical systems. How is this done? Below the node “Name logical systems” you will find “assign logical systems”. Follow that!

Now we need to define the RFC connection. How is that done? Go to the node below the “Assign…” one; you will see “System Network”. Expand it and do the needful!

Now there are a few more points… generating the partner profiles? Distributing the view.

Now log on to the central system and execute the tcode SCUA… follow the screens and prompts!

I guess I have given you a fairly OK idea on CUA !! Thanks

Former Member
0 Kudos

Hi

Thanks for these guidelines. I will start implementing CUA based on these guidelines. I will get back on this thread wherever I am stuck, or else I will be back to let you people know that I have done it and give points.

0 Kudos

What you have read is just one part of CUA. There are a few others again. I have posted only the ALE part in detail; when you complete that, we can get into SCUA in detail.

Former Member
0 Kudos

I just needed to know that.

1. I have 3 servers here for HR (Dev, Quality & Prod)

2. I have 3 servers here for Erec (Dev, Quality & Prod)

Can I have my CUA active on the development server in HR and control all the servers through the dev HR server, including the dev HR server's authorization?

Or do I need to get a new server for CUA and get all the servers connected to it?

Former Member
0 Kudos

hi,

you can find a good procedural documentation in the below sites:

www.sapsecurityonline.com

http://sapbasisnotes.blogspot.com/2007/11/central-user-administration.html

Former Member
0 Kudos

Hi

I am back. I tried doing something with the help of you guys and some notes.

I was able to find the user IDs of Server 336 in Server 236, which is the CUA.

I attached the roles to the user ID from server 336 but it does not work.

I don't know where I have gone wrong. Is there any idea what all I would have missed out?

Please help me.

0 Kudos

Hi Nidhi,

What doesn't work? Are you assigning the roles in the master along with the correct system?

When you log into the child system (336?) can you see the roles assigned to the user?

Are there any USERCLONE idocs waiting to be processed in the child system (BD87)? Have you set up your batch job to process the idocs?

We need a bit more info on what isn't working before being able to ID what is wrong

0 Kudos

Nidhi, what does not work? User cannot execute? I suspect the RFC setup.

Former Member
0 Kudos

Hi, I am back. Things about the users are working fine now.

YES, IT WAS A PROBLEM WITH RFC.

Thanks for all the support. Now I have some doubts.

1. While transferring users from child (336 server) to central (236 server) through SCUG, a message popped up saying not all the users have been transferred.

Is something still missing while transferring, or do I have to do some setting in 336?

2. Can I maintain child-server-specific roles from the central system? I will not have access to PFCG on any child server. Can I still create or maintain roles?

0 Kudos

1. What is the exact error message

2. You will still have to maintain roles in the child systems

Former Member
0 Kudos

Hi Nidhi,

In order to perform the user and role admin tasks centrally, CUA is used. Therefore, you cannot maintain the roles or users once the CUA is configured. You can do the user and role admin through the parent client to which all the child systems are connected.

You can only reset the password of the users in specific child system.

Former Member
0 Kudos

Hi

1. Thanks for the quick replies. The error shown to me when I log in to SCUG is:

CUA_SYSTEM

D35CLNT236

Q35CLNT336 New System: Not All Users Were Copied

So this means that not all my users have been copied to my central system D35CLNT236.

Please guide me on the steps to make it successful.

2. There is another problem I am facing. There are different types of users in the system. Like we have P user ID for portal and H user ID for system.

Is there any way I can still control the user type authorization?

0 Kudos

2. There is another problem I am facing. There are different types of users in the system. Like we have P user ID for portal and H user ID for system.

Is there any way I can still control the user type authorization?

Nidhi,

What quickly comes to my mind is the USER GROUPs. Group the users !!

Former Member
0 Kudos

So while transferring users, can I restrict a certain user group?

If yes, then how to go about it? Is it through SCUM?