Central User Administration(CUA) Configuration

Note: I have recently configured Central User Administration (CUA) in one of our customer’s landscape, so I am writing this blog post, so audience can get the quick overview of Central User Administration configuration.

Introduction to Central User Administration (CUA) in SAP

Central User Administration is a feature in SAP that helps to streamline multiple users account management on different clients in a multi SAP systems environment. This feature is laudable when similar user accounts are created and managed on multiple clients. User administration is centrally performed from the central system (client with CUA). Other clients that are been controlled by the central system are termed child clients. From the foregoing, it can be said that the central system acts like the “parent client”. The benefit of CUA lies in the possibility to restrict user’ access to specific clients in the multiple SAP system environment. The system makes use of Application Link Enabling (ALE) to exchange master data across the clients. ALE is a technology that allows distributed and asynchronous business processing.

Why do we need CUA?

CUA or central use administration is actually configured to save the money and resource to manage large and similar user exist in many system in the landscape. This tool help us to manage all the user master record centrally from on client of the system.

• Complex system landscapes
• Manual Maintenance of user information in all the available systems
• Tedious Administrative task
• Complex administrative job may lead to Security problems

Benefits of Central User Administration

• Once you configure CUA users can only be created or deleted in the central system.
• User attributes can be maintained only locally, only centrally, or both centrally and locally
• Therefore, the required roles and authorizations must exist in active form in all child systems.
• As a result each user only has to be administered once centrally, which gives the administration a much clearer overview of all users and authorizations.

Steps by Step Process: Few Points

1. We need a SAP Landscape/single system with multiple clients
2. The administrator should have access to SAP and tcodes SU01, BD54, BD64, SCC4, SCUA, SCUM, SM59
3. We do need to create system users in central system and child systems
4. Create RFC connections between systems
5. Create logical system
6. Assign logical system to corresponding clients
7. Create model view
8. Add BAPI to model view
9. Generate partner profiles and distribute model view
10. Create CUA and distribution model
11. Maintain parameters between central and child systems

Preparation:

First, we would need two client of systems for the configuration.

For example, I am hereby taking a system ECC with two client: 800 (Central client); 820 (Child System)

1.)  Create system user:

These system users required for RFC configuration between two clients. These RFC are being required to transfer the data here. We do need to create following in the respective clients with the below-defined roles:

Client 1:    800 User, this is a central system: CUA_ECC800
Client 2:    820 User, this is a child system: CUA_ECC820

Note: Both users are created as “Service user” type.

Above are the usernames created in client 800 and 820 respectively with below roles.
User CUA_ECC800 with below roles (roles in the central system)
SAP_BC_USR_CUA_CENTRAL
SAP_BC_USR_CUA_CENTRAL_BDIST
SAP_BC_USR_CUA_CENTRAL_EXTERN

User CUA_ECC820 with below roles (roles in the child system)
SAP_BC_USR_CUA_CLIENT
SAP_BC_USR_CUA_SETUP_CLIENT 

2.) Create RFC connections between systems:

1.Go to SM59 t-code and select ABAP connections
2.Click “Create” button or press F8
3.Enter the RFC connection name(ie.ECCCLNT800&ECCCLNT820) and choose connection type as 3 which means ABAP connections
4.Enter the description of the RFC like “RFC connection for CUA” and save
5.Now Enter the Target Host as system name(Computer name) of the ECC system or enter the IP address of the system and system number of ECC(like 00)
6.All the above settings must be carried out on “Technical Settings” tab
7.Next go to “Logon & Security” tab
8.Enter the Client number of the target client ECC system i.e.
9.Also enter the username and password which is created in ECC target client  in initial stage
10.Language is optional and similarly Unicode option in Unicode tab
11.You can select “Unicode” option if target system is Unicode system or leave it
12.Now save the settings and you will be prompted “Connection will be used for Remote logon”
13.Click “OK” and Click “Connection Test” or Ctrl+F3

RFC from 820 to 800

RFC from 800 to 820

3.) Create logical system: 

You need to create logical system for each client/ system and make sure it should not defer from RFC connections respectively

Go to BD54 t-code and setup logical systems.

 4.) Assign logical system to corresponding clients:

Go to t-code SCC4 and assign the logical systems to each client/system respectively

5.) Create model view:

This steps need to be done in the Central system.

1. Login to the central client of the system
2. Go to transaction BD64 and click on change button.

6.) Add BAPI to model view:

Select the model view and click “Add BAPI”.

 7.) Generate partner profiles and distribute Model View:

We are done with model view creation and BAPI. Now we need to generate partner profiles go to Environment and click generate partner profiles

Come back to the BD64 screen, select the model view, and go to Edit ModelView –> select Distribute. This will distribute your model view to child systems and you will get message like below

So now, we are done with model view creation and distribution.

Installation:

8.) Create CUA and distribution model:

Go to t-code SCUA and create distribution model. Enter the model view name which is created in BD64 earlier and click create button as shown in below figure.

Now you will get a screen like below and select the child systems in the pop up screen

Once you selected the system name and click save.You will get a screen as below if you are done everything correctly, which means your CUA configuration is done successfully.

9.) Maintain parameter between central and child systems:

Once we are good with CUA configuration there are parameter setup needs to be done from central system like which all are maintained in central and child systems

Go to SCUM tcode and click to change mode for parameter maintenance

It will give you broad idea about what are the parameters should be maintained centrally and which can be maintained child system as well as globally.

Ex. Role addition should be done from central system and password reset and defaults can be maintained from both centrally and local.

Run the RSADRCK2 report to sync-up the company address.

/nscum : Verify the users in central user

SU01: Verify the user is included in systems.

To change the user password from CUA system and to child systems.

Please use “change password” for global password reset, if we use “Logon data” password reset, it will only reset in CUA.

We can only assign the roles in CUA to child systems, Click on “Text Comparison” to sync-up the roles information to CUA system.

Note: We can only assign the roles to child system and Roles cannot be editable from CUA.

Select the all the CUA systems to receive the roles information, So CUA can assign the roles to users.

Additional information to check the distribution logs from CUA.

Execute the RSUSRLOG and provide the user name to view the log.

To Sync-up company name between systems, Please Run the RSADRCK2 report.

In addition, if decided to delete the child system from CUA, Please run the RSDELCUA and we20/bd64 cleanup is required.