4 posts • Page 1 of 1
Our current situation:
We are at the starting point of implementing the CUA in our company and
see the benefits, but also some issues.
Despite the benefits of:
- one central user master record
- central maintenance possibility
- better overview
We think that there are also some issues, which question the usage of the CUA like:
1. Overview turns into complexity (Benefit becomes Problem!)
If role assignment should be done via CUA, then the role tab overview in the user master might become complex (depending on the authorization concept and system landscape) since all user/role assignments from connected systems become visible for administration.
One alternative might be to only keep the user master data centrally (partial use of CUA) for distribution and do user / role assignment still locally on the client systems. This would also be beneficial when using PFCG for role assignment, because PFCG cannot be used on the client system(s) anymore when role assignment ought to be done via CUA. In addition there might be a reason for BW applications, when PROFILES (some might ask why PROFILES?) are assigned automatically to users. (still under investigation)
2. Tools to administer user / role assignments
Today, we primarily use PFCG to do user/role assignment on systems via CATT for mass maintenance in SAP implementations; when we implement the CUA including user/role administration, this simple-to-use approach will not be possible anymore and we would have to use SU10 or other means of doing that.
The CUA also impacts the performance; we need to investigate further. E.g. for every user master record, at least three IDOCS are created (user, profile, activity group).
4. Last but not least - Strategy of SAP
The CUA is not further developed and enhanced; some important provisioning techniques like approval process with work flow capabilities are not available; in addition SAP starts selling the SAP GRC suite, which also includes the "VIRSA Access Enforcer"
as for the questions 1-3 - look here:
there's the solution to connect your CUA to HR-ORG. also in that topic: link to documentation.
as for 4. whatever SAP decides where the future will be ... waiting for it could prove pointless. better act now and upgrade then (if that will be necessary, which I very much doubt).
Sorry to resurrect an old post, but my organization needs to do something to help manage a large influx of new users and new clients/systems (as well as try to reduce the work of maintaining the old one.)
We are primarily concerned with ABAP based systems ranging from 3.1i to 6.X and also have a few BW and portal apps thrown into the mix.
I agree with fish's parting shot that waiting for the "next big thing" is an exercise in futility in the software world, so I am mostly asking just to see if there have been any major announcements or changes since last year.
If not, I think we are going to try to do a zoom job with implementing CUA (for the systems it will support) and manually operating the others.
CUA is still alive and kicking. Access Enforcer won't replace CUA but the IdM product SAP is working on probably will at some point in the future. The migration path won't be for a few years yet.
Just looking back to point 4 in the original post, if your systems are poorly sized then the idocs will not process quickly which can be a pain. It won't impact the rest of the system unless all the background processes are maxed out already (in which case you may have bigger problems).