This website is not affiliated with, sponsored by, or approved by SAP AG.

CUA implementation: some Pros and Cons

SAP Security

Moderators: Snowy, thx4allthefish, jurjen

CUA implementation: some Pros and Cons

Postby gegi1970 » Tue Mar 27, 2007 11:43 am

Our current situation:
We are at the starting point of implementing the CUA in our company and
see the benefits, but also some issues.

Despite the benefits of:
- one central user master record
- central maintenance possibility
- better overview

We think that there are also some issues, which question the usage of the CUA like:

1. Overview turns into complexity (Benefit becomes Problem!)
If role assignment should be done via CUA, then the role tab overview in the user master might become complex (depending on the authorization concept and system landscape) since all user/role assignments from connected systems become visible for administration.

One alternative might be to only keep the user master data centrally (partial use of CUA) for distribution and do user / role assignment still locally on the client systems. This would also be beneficial when using PFCG for role assignment, because PFCG cannot be used on the client system(s) anymore, when role assignment is ought to be done via CUA. In addition there might be a reason for BW applications, when PROFILES (some might ask why PROFILES?) are assigned automatically to users. (still under investigation)

2. Tools to administer user / role assignments
Today, we primarily use PFCG to do user/role assignment on systems via CATT for mass maintenance in SAP implementations; when we implement the CUA including user/role administration, this simple to use approach will not be possible anymore and we would have to use SU10 or other means of doing that.

3. Performance
The CUA also impacts the performance; we need to investigate further. E.g. for every user master record, at least three IDOCS are created (user, profile, activity group)

4. Last but not least - Strategy of SAP
The CUA is not further developed and enhanced; some important provisioning techniques like approval process with work flow capabilities are not available; in addition SAP starts selling the SAP GRC suite, which also includes the “VIRSA Access Enforcerâ€
gegi1970
 
Posts: 3
Joined: Mon Oct 23, 2006 8:49 am
Location: Buchs, Switzerland

Postby thx4allthefish » Thu Mar 29, 2007 10:24 am

as for the questions 1-3 - look here:

http://www.sapfans.com/forums/viewtopic.php?t=278510

there's the solution to connect your CUA to HR-ORG. also in that topic: link to documentation.

as for 4. whatever SAP decides where the future will be ... waiting for it could prove pointless. better act now und upgrade then (if that will be necessary, which i very much doubt).
curiousorange wrote:I give up. Humanity isn't worth saving. Why is there never a Vogon Constructor Fleet around when you really need one?
thx4allthefish
 
Posts: 5690
Joined: Sat Oct 26, 2002 6:18 pm
Location: barolo barrel

Is CUA still considered to be a "good idea"

Postby Growlor » Tue Feb 19, 2008 5:10 pm

Sorry to resurrect an old post, but my organization needs to do something to help manage a large influx of new users and new clients/systems (as well as try to reduce the work of maintaining the old one.)
We are primarily concerned with ABAP based systems ranging from 3.1i to 6.X and also have a few BW and portal apps thrown-in to the mix.
I agree with fish's parting shot that waiting for the "next big thing" is an exercise in futility in the software world, so I am mostly asking just to see if there has been any major announcements or changes since last year.
If not, I think we are going to try to do a zoom job with implementing CUA (for the systems it will support) and manually operating the others.

Thanks,
Growlor
Growlor
 
Posts: 1
Joined: Tue Feb 19, 2008 4:16 pm

Re: Is CUA still considered to be a "good idea"

Postby Al. » Wed Feb 20, 2008 5:39 am

Growlor wrote:Sorry to resurrect an old post, but my organization needs to do something to help manage a large influx of new users and new clients/systems (as well as try to reduce the work of maintaining the old one.)
We are primarily concerned with ABAP based systems ranging from 3.1i to 6.X and also have a few BW and portal apps thrown-in to the mix.
I agree with fish's parting shot that waiting for the "next big thing" is an exercise in futility in the software world, so I am mostly asking just to see if there has been any major announcements or changes since last year.
If not, I think we are going to try to do a zoom job with implementing CUA (for the systems it will support) and manually operating the others.

Thanks,
Growlor

CUA is still alive and kicking. Access Enforcer won't replace CUA but the IdM product SAP is working on probably will at some point in the future. The migration path won't be for a few years yet.

Just looking back to point 4 in the original post, if you systems are poorly sized then the idocs will not process quickly which can be a pain. It won't impact the rest of the system unless all the background processes are maxed out alreasy (in which case you may have bigger problems).
http://www.turnkeyconsulting.com/
Al.
 
Posts: 3047
Joined: Tue Feb 25, 2003 5:35 am
Location: London


Return to SAP Security

Who is online

Users browsing this forum: No registered users and 4 guests





This website is not affiliated with, sponsored by, or approved by SAP AG.