cua with web as_ebook
Post on 26-Oct-2014
113 Views
Preview:
TRANSCRIPT
Central User Administrationwith the SAP Web AS
Gerlinde Zibulski, SAP AGDuration of the eBook: 25 minutes
ContentOverview Central User Administration Setting up Central User Administration Use of Central User Administration Integration of Existing Systems System Landscape for Central User Administration Central User Administration and Role Definition Removal of CUA Central User Administration and Directory Integration Challenges with Central User Administration News for CUA
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 2
Your Situation in User AdministrationComplex system landscape with several clients in different systems Users work in more than one system Same user ID should represent the same individual in all systems Administration of users forces user administrator to log on to all relevant systems Enormous administration effort Manual effort to synchronize user data in all systems Enormous effort to find out in which systems of the landscape a user is definedDeletion of employees that have been given their notice Auditing
Lack of control can result in security weaknesses
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 3
The SolutionAdministration of a whole system landscape from one single central system
Overview of all user data in the whole system landscape
Consistent user data in the whole system landscape Additional local maintenance still possible
Central User Administration SAP AG 2002, Central User Administration, Gerlinde Zibulski / 4
Central User Administration using ALE
Recommended >= 4.6c Central System of CUA
Users can be administrated in Central SAP System Automatic Distribution to Client SAP Systems Local Administration still possible (back distribution) No Inconsistencies Central Locks possible
ALE
ALE
SAP 6.10 CUA Client
SAP 4.6 SAP 4.5 CUA Client CUA Client Client Systems of CUA
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 5
Central User Administration
Central System
Child Systems
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 6
Field Selection
What is distributed? You decide... ...by setting attributes for each field
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 7
Options and their descriptionsGlobal Changed only in the Central Client. Changes are automatically distributed
Proposal Default value. Maintained on the Central Client, only gets distributed when user is created
Local Data can only be maintained on the child system
Everywhere Data is maintained both on the Central Client and on the Child system. Changes made in the central client are distributed to the other systems
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 8
Maintenance of Field Attributes
Field set to local: no maintenance in Central System
User Maintenance (SU01) in Central System
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 9
ContentOverview Central User Administration Setting up Central User Administration Use of Central User Administration Integration of Existing Systems System Landscape for Central User Administration Central User Administration and Role Definition Removal of CUA Central User Administration and Directory Integration Challenges with Central User Administration News for CUA
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 10
s: ean m ys a alw tem m s Steps to go through ste a sy y s n at h t i t n lie ote c N Setting Up an ALE communication user } USER
Set Up of System Infrastructure
Define logical systemslater on, systems are always referred to by their logical system ID
Define RFC destinations between central system and child systems Define ALE distribution model Switch on the Central User Administration Define field attributes
} ALE
} CUAMigrate users (if necessary)
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 11
ContentOverview Central User Administration Setting up Central User Administration Use of Central User Administration Integration of Existing Systems System Landscape for Central User Administration Central User Administration and Role Definition Removal of CUA Central User Administration and Directory Integration Challenges with Central User Administration News for CUA
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 12
Use of Central User Administration in PracticeUsers are created and maintained via user maintenance transaction SU01 in the central system Distribution of Initial passwords or password resets possible Central user locks possible
Maintenance of local fields via SU01 by local administrators in the child systems Input only possible for those fields, where maintenance is allowed
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 13
LogsChange user data Child System Central System
LOGcomplete list of errors warnings success messages
Each action in the child system sends a log back to the central system
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 14
Log DisplayDistribution log transaction SCUL in the central system
Various ways to display logsordered by system ordered by error status ordered by user name ordered by user-defined selection criteria
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 15
ContentOverview Central User Administration Setting up Central User Administration Use of Central User Administration Integration of Existing Systems System Landscape for Central User Administration Central User Administration and Role Definition Removal of CUA Central User Administration and Directory Integration Challenges with Central User Administration News for CUA
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 16
Migrate Users
MIGRATION TOOL (Transaction SCUG)Integration of CUA client systems has to be done one by one using the migration tool ... analyze which users have to be transferred ... migrates user master data ... migrates assignments of profiles and roles ... detects conflicts with inconsistent user names Prerequisite for the migration: Same user ID and user name in all systems! SAP AG 2002, Central User Administration, Gerlinde Zibulski / 17
Migrate Users
Central System
Define first child system Choose the one where the user data is most complete
Child Systems
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 18
Migrate Users
Central System
Use MIGRATION TOOL (SCUG) to transfer user data to central system Restriction on selected users is possible
Child Systems
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 19
Migrate Users
Central System
Define next child system
Child Systems
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 20
Migrate UsersNOTE:
Central System
User identified by first name last name
Use MIGRATION TOOL (TA SCUG) to compare user data New Users: User does not yet exist in central system Identical Users: User already exists in central system, user ID is identical Different Users: User already exists in central system, user ID is NOT identical Already Central Users: User has already been transferred to central system
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 21
Migrate Users
Central System
Use MIGRATION TOOL (TA SCUG) to transfer the selected users to the central system If user does not yet exist in central system: transfer all data If user already exists in central system: transfer assignments (system, user roles, profiles)
Child Systems
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 22
ContentOverview Central User Administration Setting up Central User Administration Use of Central User Administration Integration of Existing Systems System Landscape for Central User Administration Central User Administration and Role Definition Removal of CUA Central User Administration and Directory Integration Challenges with Central User Administration News for CUA
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 23
Separate CUA System vs. CUA in PRD
CUA Central System(Central Admin. System)
CUA Client Systems
Dev
QS
PRD
CUA Client Systems
Dev
QS
PRD
CUA Central System
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 24
Separate CUA System vs. CUA in PRD
CUA in separate systemAdvantagesNo performance impact on PRD system Independence from planned downtime of PRD system Independence from PRD system release (higher release with more functionality can be used) Maintenance activities of CUA central system (e.g. import of support packages) has no impact on PRD system Access to user management can easily be controlled
CUA in PRDAdvantagesNo additional hardware and administration cost
DisadvantagesPerformance impact on PRD system No user administration during downtime of PRD system PRD system release determines CUA functionality (no higher release can be used) Maintenance activities of CUA central system (e.g. import of support packages) causes downtime of PRD system Access to user management can be controlled only if separate client on PRD server is set up
DisadvantagesAdditional hardware and administration cost
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 25
Scenario 1: One global CUA
CUA Central System
CUA Client System
Dev
QS
PRD
Create / delete users Change global attributes Assign roles
CUA Client System
Dev
QS
PRD
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 26
Pros & Cons: One Single CUAAdvantagesRequires little resources (hardware and/or diskspace) Consistent user master data in the whole system landscape One single point of administration and control
DisadvantagesMaintenance of CUA central system has immediately impact on production no test of CUA functionality possible Unavailability of CUA central system has impact on the whole system landscape Planned downtime of CUA central system has to be confirmed by all system owners High volume of user data and high number of changes to user master records (e.g. caused through client copy in DEV) can result in decrease of performance of the CUA central system Not suitable for customers where responsibilities for user administration are organizationally split based on systems
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 27
Scenario 2: One CUA per System Landscape
CUA Central System
CUA Client Systems
Dev
QS
PRD
FI System Landscape
CUA Central SystemDev
CUA Client Systems
QS
PRD
HR System Landscape SAP AG 2002, Central User Administration, Gerlinde Zibulski / 28
Pros & Cons: Separate CUAs per System LandscapeAdvantagesUnavailability of one CUA central system has no impact on the other system landscape Planned downtime of one CUA central system must not be confirmed by other system owners Allows split responsibilities for user administration based on systems
DisadvantagesMaintenance of CUA central system has immediately impact on production no test of CUA functionality possible Resources requirements for CUA central systems (hardware and/or diskspace) User master data between two system landscape is not synchronized High number of changes to user master records (e.g. caused through client copy in DEV) can result in decrease of performance of the CUA central system No single point of administration and control
No narration on this slide
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 29
Scenario 3: Two Tier CUA Landscape
CUA Client Systems CUA Central SystemDev QS
CUA Client SystemPRD
CUADev QS PRD
Central System
CUA Client Systems
CUA Client System
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 30
Pros & Cons: Two Tier CUA LandscapeAdvantagesMaintenance of Test CUA has no immediate impact on production test of CUA functionality possible before applying it to the production environment Unavailability of one CUA central system has no impact on the other system landscape High number of changes to user master records in DEV and QAS (e.g. caused through client copy in DEV) has no impact on performance of Production CUA Different availability levels for Test and Production CUA can be implemented (e.g. High available Production CUA and normal Test CUA)
DisadvantagesResources requirements for CUA central systems (hardware and/or diskspace) User master data between two system landscape is not synchronized Planned downtime of Production CUA central system must be confirmed by all system owners No single point of administration and control Not suitable for customers where responsibilities for user administration are organizationally split based on systems
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 31
Scenario 4: Decentralized CUAsGlobal Landscape HR CS CS
CUA 6.10
Meta Directory
Employee data that is not confidentialLDAP Server
SAP User DataCUA 6.10 CUA 6.10 CUA 6.10
CS
CS Region Europe
CS
CS
CS Region America
CS
CS
CS Region Asia
CS
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 32
ContentOverview Central User Administration Setting up Central User Administration Use of Central User Administration Integration of Existing Systems System Landscape for Central User Administration Central User Administration and Role Definition Removal of CUA Central User Administration and Directory Integration Challenges with Central User Administration News for CUA
SAP AG 2002, Central User Administration, Gerlinde Zibulski / 33
CUA and Role Maintenance
CUA Central SystemAssign roles Develop roles
SAP Component System
DevRead (single / composite) roles
QS
PRD
Transport
SAP Component System
Develop roles
Dev
QS
PRD
Transport SAP AG 2002, Central User Administration, Gerlinde Zibulski / 34
Role Implementation Approach
Role (>= 4.6) = Activity group (
top related