CUA With Web AS_eBook

Central User Administrationwith the SAP Web AS

Gerlinde Zibulski, SAP AGDuration of the eBook: 25 minutes

ContentOverview Central User Administration Setting up Central User Administration Use of Central User Administration Integration of Existing Systems System Landscape for Central User Administration Central User Administration and Role Definition Removal of CUA Central User Administration and Directory Integration Challenges with Central User Administration News for CUA

SAP AG 2002, Central User Administration, Gerlinde Zibulski / 2

Your Situation in User AdministrationComplex system landscape with several clients in different systems Users work in more than one system Same user ID should represent the same individual in all systems Administration of users forces user administrator to log on to all relevant systems Enormous administration effort Manual effort to synchronize user data in all systems Enormous effort to find out in which systems of the landscape a user is definedDeletion of employees that have been given their notice Auditing

Lack of control can result in security weaknesses


The SolutionAdministration of a whole system landscape from one single central system

Overview of all user data in the whole system landscape

Consistent user data in the whole system landscape Additional local maintenance still possible

Central User Administration SAP AG 2002, Central User Administration, Gerlinde Zibulski / 4

Central User Administration using ALE

Recommended >= 4.6c Central System of CUA

Users can be administrated in Central SAP System Automatic Distribution to Client SAP Systems Local Administration still possible (back distribution) No Inconsistencies Central Locks possible

ALE

ALE

SAP 6.10 CUA Client

SAP 4.6 SAP 4.5 CUA Client CUA Client Client Systems of CUA


Central User Administration

Central System

Child Systems


Field Selection

What is distributed? You decide... ...by setting attributes for each field


Options and their descriptionsGlobal Changed only in the Central Client. Changes are automatically distributed

Proposal Default value. Maintained on the Central Client, only gets distributed when user is created

Local Data can only be maintained on the child system

Everywhere Data is maintained both on the Central Client and on the Child system. Changes made in the central client are distributed to the other systems


Maintenance of Field Attributes

Field set to local: no maintenance in Central System

User Maintenance (SU01) in Central System




s: ean m ys a alw tem m s Steps to go through ste a sy y s n at h t i t n lie ote c N Setting Up an ALE communication user } USER

Set Up of System Infrastructure

Define logical systemslater on, systems are always referred to by their logical system ID

Define RFC destinations between central system and child systems Define ALE distribution model Switch on the Central User Administration Define field attributes

} ALE

} CUAMigrate users (if necessary)




Use of Central User Administration in PracticeUsers are created and maintained via user maintenance transaction SU01 in the central system Distribution of Initial passwords or password resets possible Central user locks possible

Maintenance of local fields via SU01 by local administrators in the child systems Input only possible for those fields, where maintenance is allowed


LogsChange user data Child System Central System

LOGcomplete list of errors warnings success messages

Each action in the child system sends a log back to the central system


Log DisplayDistribution log transaction SCUL in the central system

Various ways to display logsordered by system ordered by error status ordered by user name ordered by user-defined selection criteria




Migrate Users

MIGRATION TOOL (Transaction SCUG)Integration of CUA client systems has to be done one by one using the migration tool ... analyze which users have to be transferred ... migrates user master data ... migrates assignments of profiles and roles ... detects conflicts with inconsistent user names Prerequisite for the migration: Same user ID and user name in all systems! SAP AG 2002, Central User Administration, Gerlinde Zibulski / 17

Migrate Users

Central System

Define first child system Choose the one where the user data is most complete

Child Systems


Migrate Users

Central System

Use MIGRATION TOOL (SCUG) to transfer user data to central system Restriction on selected users is possible

Child Systems


Migrate Users

Central System

Define next child system

Child Systems


Migrate UsersNOTE:

Central System

User identified by first name last name

Use MIGRATION TOOL (TA SCUG) to compare user data New Users: User does not yet exist in central system Identical Users: User already exists in central system, user ID is identical Different Users: User already exists in central system, user ID is NOT identical Already Central Users: User has already been transferred to central system


Migrate Users

Central System

Use MIGRATION TOOL (TA SCUG) to transfer the selected users to the central system If user does not yet exist in central system: transfer all data If user already exists in central system: transfer assignments (system, user roles, profiles)

Child Systems




Separate CUA System vs. CUA in PRD

CUA Central System(Central Admin. System)

CUA Client Systems

Dev

QS

PRD

CUA Client Systems

Dev

QS

PRD

CUA Central System


Separate CUA System vs. CUA in PRD

CUA in separate systemAdvantagesNo performance impact on PRD system Independence from planned downtime of PRD system Independence from PRD system release (higher release with more functionality can be used) Maintenance activities of CUA central system (e.g. import of support packages) has no impact on PRD system Access to user management can easily be controlled

CUA in PRDAdvantagesNo additional hardware and administration cost

DisadvantagesPerformance impact on PRD system No user administration during downtime of PRD system PRD system release determines CUA functionality (no higher release can be used) Maintenance activities of CUA central system (e.g. import of support packages) causes downtime of PRD system Access to user management can be controlled only if separate client on PRD server is set up

DisadvantagesAdditional hardware and administration cost


Scenario 1: One global CUA

CUA Central System

CUA Client System

Dev

QS

PRD

Create / delete users Change global attributes Assign roles

CUA Client System

Dev

QS

PRD


Pros & Cons: One Single CUAAdvantagesRequires little resources (hardware and/or diskspace) Consistent user master data in the whole system landscape One single point of administration and control

DisadvantagesMaintenance of CUA central system has immediately impact on production no test of CUA functionality possible Unavailability of CUA central system has impact on the whole system landscape Planned downtime of CUA central system has to be confirmed by all system owners High volume of user data and high number of changes to user master records (e.g. caused through client copy in DEV) can result in decrease of performance of the CUA central system Not suitable for customers where responsibilities for user administration are organizationally split based on systems


Scenario 2: One CUA per System Landscape

CUA Central System

CUA Client Systems

Dev

QS

PRD

FI System Landscape

CUA Central SystemDev

CUA Client Systems

QS

PRD

HR System Landscape SAP AG 2002, Central User Administration, Gerlinde Zibulski / 28

Pros & Cons: Separate CUAs per System LandscapeAdvantagesUnavailability of one CUA central system has no impact on the other system landscape Planned downtime of one CUA central system must not be confirmed by other system owners Allows split responsibilities for user administration based on systems

DisadvantagesMaintenance of CUA central system has immediately impact on production no test of CUA functionality possible Resources requirements for CUA central systems (hardware and/or diskspace) User master data between two system landscape is not synchronized High number of changes to user master records (e.g. caused through client copy in DEV) can result in decrease of performance of the CUA central system No single point of administration and control

No narration on this slide


Scenario 3: Two Tier CUA Landscape

CUA Client Systems CUA Central SystemDev QS

CUA Client SystemPRD

CUADev QS PRD

Central System

CUA Client Systems

CUA Client System


Pros & Cons: Two Tier CUA LandscapeAdvantagesMaintenance of Test CUA has no immediate impact on production test of CUA functionality possible before applying it to the production environment Unavailability of one CUA central system has no impact on the other system landscape High number of changes to user master records in DEV and QAS (e.g. caused through client copy in DEV) has no impact on performance of Production CUA Different availability levels for Test and Production CUA can be implemented (e.g. High available Production CUA and normal Test CUA)

DisadvantagesResources requirements for CUA central systems (hardware and/or diskspace) User master data between two system landscape is not synchronized Planned downtime of Production CUA central system must be confirmed by all system owners No single point of administration and control Not suitable for customers where responsibilities for user administration are organizationally split based on systems


Scenario 4: Decentralized CUAsGlobal Landscape HR CS CS

CUA 6.10

Meta Directory

Employee data that is not confidentialLDAP Server

SAP User DataCUA 6.10 CUA 6.10 CUA 6.10

CS

CS Region Europe

CS

CS

CS Region America

CS

CS

CS Region Asia

CS




CUA and Role Maintenance

CUA Central SystemAssign roles Develop roles

SAP Component System

DevRead (single / composite) roles

QS

PRD

Transport

SAP Component System

Develop roles

Dev

QS

PRD

Transport SAP AG 2002, Central User Administration, Gerlinde Zibulski / 34

Role Implementation Approach

Role (>= 4.6) = Activity group (

CUA With Web AS_eBook

Documents

Transcript of CUA With Web AS_eBook