How To Replace SAP CUA with SAP Identity Management
This blog describes the CUA replacement process and what you have to consider during it.
The Central User Administration (CUA) is no longer SAP's strategic solution for centrally managing users and authorizations. Replacing it with the new SAP NetWeaver Identity Management 7.2 (IdM) provides benefits in the following main areas:
- Integration to non-SAP applications
- Personal data from HR with automatic user creation / delimiting
- Configurable workflows with requests and approvals including emails
- More flexible SAP ABAP and SAP Java child system distribution, e.g. including rules for local fields
- Cross-system business role model and optionally automatic granting processes based on rules
- Reporting with SAP BW or SAP BO Crystal Reports – also for request overviews
This blog focuses on the step-by-step CUA replacement process, which needs to be well planned for a smooth shift towards SAP IdM.
Knowledge of or experience in the following areas is helpful:
- SAP CUA experience
- SAP IdM basics
Areas to be Considered
For a successful CUA replacement, the following areas need to be considered:
- How the administration workflow and role model should look in the future, with a focus on delegating requests and approvals to the departments
- Self-Services for password resets, requesting roles, maintaining master data etc. with early workshops for involved users
- Rules based on leading systems for personal data and organizational structures, e.g. SAP HCM
- Which distribution model is to be used compared to the CUA, e.g. child system specific attributes handled in IdM
- Custom ABAP programs related to user administration need to be adapted or switched off
- Other 3rd party systems to be integrated, e.g. directories
- Reconciliation processes for child systems, where local departments are responsible and inconsistencies could happen
CUA Replacement Process
1. Connecting CUA to IdM
In our case we assume that SAP IdM is already set up. First, we connect IdM to the CUA using the SAP ABAP repository template for the system connection and the job templates for the data import to SAP IdM. The job should be adapted to map fields according to the distribution model. In this step, the information from the child systems is retrieved via the CUA.
Once the IdM administrative masks and other workflows are configured, the data can be checked. In addition, the distribution model needs to be adapted. The provisioning can be switched on step by step for certain attributes / roles / users to test the functionality with IdM as the leading system, distributing via the CUA. This helps to train the users and lets them gain knowledge about IdM. The CUA can still be used for certain reports or other custom functionalities. In this case, a reconciliation process inside IdM needs to be configured.
In addition, other leading and target systems could be integrated at this point to start using new IdM functionalities, e.g. with HR data and a business role model for the CUA, SAP Java systems and the company directory.
2. Connecting CUA Child Systems to IdM
From now on, the child systems are connected to IdM one after another. The general steps for connecting a child system are:
- Maintain connection data in IdM via a repository
- Load the data from the child system to IdM via a job and stop administration via CUA
- Disable the CUA connection inside CUA and the child system itself
- Migrate the account information and SAP roles inside IdM via a job pointing directly to the child system instead of CUA
- Switch on initial provisioning from IdM and start administration via IdM
- Schedule the child system in IdM for the update load / reconciliation job
The downtime between CUA and IdM administration could take up to a few hours when you have large amounts of data in each child system.
3. Shut Down the CUA
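One way to check the migration step above before switching on initial provisioning, as an added example that is not part of the original blog or of SAP IdM: it compares the role assignments loaded via CUA with those loaded directly from the child system. The CSV layout, the system IDs E01 and E02, and all user and role names are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample exports. Assumed layout: system,user,role,valid_from,valid_to
VIA_CUA = """system,user,role,valid_from,valid_to
E01,JDOE,Z_FI_DISPLAY,2023-01-01,9999-12-31
E01,JDOE,Z_MM_BUYER,2023-01-01,2024-06-30
E01,ASMITH,Z_FI_DISPLAY,2022-05-01,9999-12-31
E02,JDOE,Z_HR_VIEWER,2023-01-01,9999-12-31
"""
DIRECT = """system,user,role,valid_from,valid_to
E01,jdoe,Z_FI_DISPLAY,2023-01-01,9999-12-31
E01,JDOE,Z_MM_BUYER,2023-01-01,9999-12-31
E01,ASMITH,Z_BASIS_ADMIN,2024-02-10,9999-12-31
"""

def load(text):
    """Parse an export into {(system, user, role): (valid_from, valid_to)}."""
    rows = {}
    for r in csv.DictReader(io.StringIO(text)):
        # ABAP user names are upper case; normalise so "jdoe" == "JDOE".
        key = (r["system"].strip().upper(), r["user"].strip().upper(), r["role"].strip())
        rows[key] = (date.fromisoformat(r["valid_from"]), date.fromisoformat(r["valid_to"]))
    return rows

def reconcile(via_cua, direct, system):
    """Diff one child system's assignments between the two loads."""
    old = {k: v for k, v in via_cua.items() if k[0] == system}
    new = {k: v for k, v in direct.items() if k[0] == system}
    return {
        # Known via CUA but absent in the direct load: investigate before provisioning.
        "missing": sorted(old.keys() - new.keys()),
        # Only in the direct load, e.g. assigned locally in the child system.
        "unexpected": sorted(new.keys() - old.keys()),
        # Same assignment, different validity period.
        "validity_changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }

if __name__ == "__main__":
    report = reconcile(load(VIA_CUA), load(DIRECT), "E01")
    for kind, items in report.items():
        for system, user, role in items:
            print(f"{kind:17} {system} {user:8} {role}")
```

An empty report for a child system means both loads agree on its assignments; any entry is worth resolving before IdM becomes the leading system for that child.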
After the last child system is disconnected from the CUA, the CUA itself can be disconnected from the IdM and turned off.
A full replacement of the CUA by SAP IdM has a lot of advantages, e.g. integrating non-SAP systems, using delegated workflows and more flexible distribution rules. Therefore, the mentioned areas need to be evaluated to get the best out of the new IdM functionalities.
After setting up SAP IdM, the CUA is first connected to IdM. This solution can be tested while still having the administration possibilities inside the CUA, if needed. Afterwards, the child systems are disconnected from the CUA and connected to IdM. This process can be changed and optimized to your own needs. With the shutdown of the CUA, the full advantages of IdM can be used.