Prakash Malligachari

Central User Administration (CUA) Configuration

Note: I recently configured Central User Administration (CUA) in one of our customer's landscapes, so I am writing this blog post to give the audience a quick overview of Central User Administration configuration.

Introduction to Central User Administration (CUA) in SAP

Central User Administration is a feature in SAP that helps to streamline user account management across multiple clients in an environment with multiple SAP systems. It is most useful when similar user accounts are created and managed on multiple clients. User administration is performed centrally from the central system (the client with CUA). The other clients that are controlled by the central system are termed child clients; in other words, the central system acts as the “parent client”. The benefit of CUA lies in the possibility to restrict users' access to specific clients in the multi-system SAP environment. The system uses Application Link Enabling (ALE) to exchange master data across the clients. ALE is a technology that allows distributed and asynchronous business processing.

Why do we need CUA?

CUA, or Central User Administration, is configured to save the money and resources needed to manage large numbers of similar users that exist in many systems in the landscape. This tool helps us manage all the user master records centrally from one client of the system. It addresses:

  • Complex system landscapes
  • Manual maintenance of user information in all the available systems
  • Tedious administrative tasks
  • Complex administrative jobs that may lead to security problems

Benefits of Central User Administration

  • Once you configure CUA, users can only be created or deleted in the central system.
  • User attributes can be maintained only locally, only centrally, or both centrally and locally.
  • The required roles and authorizations must therefore exist in active form in all child systems.
  • As a result, each user only has to be administered once, centrally, which gives the administrator a much clearer overview of all users and authorizations.

Step-by-Step Process: A Few Points

  1. We need an SAP landscape or a single system with multiple clients
  2. The administrator should have access to SAP and to tcodes SU01, BD54, BD64, SCC4, SCUA, SCUM, SM59
  3. Create system users in the central system and the child systems
  4. Create RFC connections between the systems
  5. Create the logical systems
  6. Assign the logical systems to the corresponding clients
  7. Create the model view
  8. Add the BAPI to the model view
  9. Generate partner profiles and distribute the model view
  10. Create the CUA and distribution model
  11. Maintain parameters between the central and child systems

Preparation:

 

First, we need two clients (or systems) for the configuration.

For example, I am taking a system ECC with two clients: 800 (central client) and 820 (child system).

1.) Create system user:

These system users are required for the RFC configuration between the two clients; the RFC connections are needed to transfer the data. Create the following users in the respective clients with the roles defined below:

Client 1:    800 User, this is a central system: CUA_ECC800
Client 2:    820 User, this is a child system: CUA_ECC820

Note: Both users are created as “Service user” type.

The usernames above are created in clients 800 and 820 respectively, with the roles below.

User CUA_ECC800 with the roles below (roles in the central system)
SAP_BC_USR_CUA_CENTRAL
SAP_BC_USR_CUA_CENTRAL_BDIST
SAP_BC_USR_CUA_CENTRAL_EXTERN

User CUA_ECC820 with the roles below (roles in the child system)
SAP_BC_USR_CUA_CLIENT
SAP_BC_USR_CUA_SETUP_CLIENT 

 

2.) Create RFC connections between systems:

  1. Go to t-code SM59 and select ABAP connections.
  2. Click the “Create” button or press F8.
  3. Enter the RFC connection name (i.e. ECCCLNT800 and ECCCLNT820) and choose connection type 3, which means ABAP connection.
  4. Enter a description for the RFC, such as “RFC connection for CUA”, and save.
  5. Enter the target host as the system name (computer name) or the IP address of the ECC system, and the system number of ECC (like 00).
  6. All the above settings must be carried out on the “Technical Settings” tab.
  7. Next, go to the “Logon & Security” tab.
  8. Enter the Client number of the target client ECC system i.e.
  9. Also enter the username and password that were created in the ECC target client in the initial stage.
  10. Language is optional, as is the Unicode option on the “Unicode” tab.
  11. You can select the “Unicode” option if the target system is a Unicode system, or leave it.
  12. Save the settings; you will be prompted “Connection will be used for Remote logon”.
  13. Click “OK” and then click “Connection Test” or press Ctrl+F3.

RFC from 820 to 800

RFC from 800 to 820

3.) Create logical system:

You need to create a logical system for each client/system, and make sure its name does not differ from the name of the corresponding RFC connection.

Go to t-code BD54 and set up the logical systems.

4.) Assign logical system to corresponding clients:

Go to t-code SCC4 and assign the logical systems to each client/system respectively.

5.) Create model view:

This step needs to be done in the central system.

  1. Login to the central client of the system
  2. Go to transaction BD64 and click on change button.

6.) Add BAPI to model view:

Select the model view and click “Add BAPI”.

 7.) Generate partner profiles and distribute Model View:

We are done with the model view creation and the BAPI. Now we need to generate the partner profiles: go to Environment and click Generate Partner Profiles.

Come back to the BD64 screen, select the model view, and go to Edit -> Model View -> Distribute. This will distribute your model view to the child systems, and you will get a message like the one below.

 

So now, we are done with model view creation and distribution.
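
The preparation steps above (RFC users and their roles, RFC destinations in both directions, matching logical system names) can be sanity-checked before moving on to SCUA. The following is an added example, not part of the original post or of SAP's tooling; the inventory layout, the logical system names ECCCLNT800/ECCCLNT820, the rule that each destination carries the name of the target's logical system, and the check for extra roles are assumptions built on the names used in this post.

```python
"""Pre-flight check for the CUA preparation steps (users, RFC, logical systems)."""
# Role sets are the ones listed in this post for the two RFC users.
CENTRAL_ROLES = {"SAP_BC_USR_CUA_CENTRAL", "SAP_BC_USR_CUA_CENTRAL_BDIST",
                 "SAP_BC_USR_CUA_CENTRAL_EXTERN"}
CHILD_ROLES = {"SAP_BC_USR_CUA_CLIENT", "SAP_BC_USR_CUA_SETUP_CLIENT"}

# Constructed inventory; the dict layout is an assumption, not an SAP export format.
PLAN = {
    "clients": {
        "800": {"kind": "central", "logical_system": "ECCCLNT800",
                "rfc_user": "CUA_ECC800", "roles": set(CENTRAL_ROLES)},
        "820": {"kind": "child", "logical_system": "ECCCLNT820",
                "rfc_user": "CUA_ECC820", "roles": set(CHILD_ROLES)},
    },
    # SM59 destinations: client they are defined in, name, target client, logon user.
    "rfc": [
        {"in": "800", "name": "ECCCLNT820", "target": "820", "user": "CUA_ECC820"},
        {"in": "820", "name": "ECCCLNT800", "target": "800", "user": "CUA_ECC800"},
    ],
}

def check_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings, clients = [], plan["clients"]
    centrals = [c for c, v in clients.items() if v["kind"] == "central"]
    if len(centrals) != 1:
        return [f"expected exactly one central client, found {len(centrals)}"]
    for cid, c in sorted(clients.items()):
        expected = CENTRAL_ROLES if c["kind"] == "central" else CHILD_ROLES
        for role in sorted(expected - c["roles"]):
            findings.append(f"client {cid}: {c['rfc_user']} lacks role {role}")
        for role in sorted(c["roles"] - expected):  # least-privilege check added here
            findings.append(f"client {cid}: {c['rfc_user']} has unexpected role {role}")
    central = centrals[0]
    for child in sorted(set(clients) - {central}):
        # CUA needs a destination in each direction between central and child.
        for src, dst in ((central, child), (child, central)):
            dests = [r for r in plan["rfc"] if r["in"] == src and r["target"] == dst]
            if not dests:
                findings.append(f"client {src}: no RFC destination to client {dst}")
            for r in dests:
                if r["name"] != clients[dst]["logical_system"]:
                    findings.append(f"client {src}: RFC {r['name']} differs from "
                                    f"logical system {clients[dst]['logical_system']}")
                if r["user"] != clients[dst]["rfc_user"]:
                    findings.append(f"client {src}: RFC {r['name']} logs on as "
                                    f"{r['user']}, expected {clients[dst]['rfc_user']}")
    return findings

if __name__ == "__main__":
    print(check_plan(PLAN) or "plan is consistent")
```
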

 

Installation:

8.) Create CUA and distribution model:

Go to t-code SCUA and create the distribution model. Enter the name of the model view that was created in BD64 earlier and click the Create button, as shown in the figure below.

 

You will now get a screen like the one below; select the child systems in the pop-up screen.

Once you have selected the system name, click Save. If you have done everything correctly, you will get a screen like the one below, which means your CUA configuration was completed successfully.

 

9.) Maintain parameters between central and child systems:

Once the CUA configuration is in place, the parameters need to be set up from the central system, i.e. which fields are maintained in the central system and which in the child systems.

Go to tcode SCUM and switch to change mode for parameter maintenance.

It gives you a broad idea of which parameters should be maintained centrally and which can be maintained in the child system as well as globally.

Ex. Role addition should be done from the central system, while password reset and defaults can be maintained both centrally and locally.

 

Run the RSADRCK2 report to sync-up the company address.

 

/nscum : Verify the users in central user

SU01: Verify the user is included in systems.

 

To change the user password from the CUA system and in the child systems:

Please use “change password” for a global password reset; if we use the “Logon data” password reset, it will only reset the password in CUA.

 

We can only assign the roles in CUA to child systems. Click on “Text Comparison” to sync the role information to the CUA system.

Note: We can only assign the roles to child systems; roles cannot be edited from CUA.

Select all the CUA systems to receive the role information, so that CUA can assign the roles to users.

 

Additional information: checking the distribution logs from CUA.

Execute the RSUSRLOG report and provide the user name to view the log.

To sync the company name between systems, run the RSADRCK2 report.

In addition, if you decide to delete a child system from CUA, run the RSDELCUA report; cleanup in WE20/BD64 is also required.

 

Wind-up

This is the complete configuration process, in which we have learnt how to configure CUA and manage users centrally. Feel free to post any comments or queries related to this topic.

 

      12 Comments
      Imran Khan

      Hi Prakash,

      Good document on CUA with detailed steps.

      Sunil Badajena

      Hi Prakash,

       

      Thanks for sharing valuable blog.

       

      Sunil

      Sabesp Infraestrutura

      Hi Prakash,

      Amazing stuff, congratulations. Very well detailed.

       

      Thanks

      Ricardo S. Ferraz

      Anushree Tiwari

      Hi Prakash ,

       

      Great blog. Just it should be /nscug instead of /nscum : Verify the users in central user.

      You can even use SCUL tcode to view the logs.

       

      Regards,

      Anushree Tiwari

      Nitesh Rajak

      Hi Prakash,

      Very nice document with screenshot.

      Regards

      Nitesh Rajak

      Clemens Kopfer

      Nice blog.

      You happen to know if some Fiori-Apps are available? Userline etc?

      Could not find any.

      Frank Buchholz

      Central User Administration Cookbook
      https://archive.sap.com/documents/docs/DOC-17019

      Jose Martinez

      Quick question: is CUA supported in SAP S/4HANA?

      Sathiyabama Sathiamoorthi

      Hi,

      Yes, it works in S/4 HANA system too.

       

      Best Regards

      sathiya

      SHAFEEQ MOHAMMED

      Hi,

      Nice, detailed explanation.

      I have one question: can I use AD groups and LDAP, and manage users through AD groups?

      shafeeq

      Randall King

      Did you ever get an answer on this?  We are just starting to work on LDAP integration, and making sure it's ready for our upcoming CUA project would be very helpful.

      Erik Hoven

      Hi

      Thanks for a nice explanation.

       

      ...will it work for SAP Cloud products as well - example SuccessFactors ?

      Is there any iFlow in SAP Integration Suite that can integrate SuccessFactors ?

       

      Thanks