1. How to create the user group in SAP system? Ans : User group can be created by performing the below steps:
Execute the t-code SUGR
Enter the name of user group to be created in the textbox
Click on the create button
Enter the description and click on save button
2. How to find the Transport requests containing the specific role? Ans : The list of Transport requests containing the specific role can be retrieved by performing below steps:
Execute the t-code SE03
Double click on option “Search for Objects in requests/Tasks” under node “Objects in Requests” in left panel of screen. This will take us to new screen.
In object selection screen, enter the field value as ACGR and check the checkbox present at left side.
Enter the role name for which we need the list of transport request.
In the “Request/Task Selection” section (the lower part of the same screen), check the statuses of the requests that we need in the list
Click on execute button
3. How to check the transport requests created by other user? Ans: The t-code SE10 provides the option to enter the user name. By using this facility, we can search the transport requests created by other users.
4. How to generate the list of roles having authorization objects with status as “maintained”? Ans: This list can be generated by using the table AGR_1251 as below:
Execute the t-code SE16
Enter the table name as AGR_1251 and hit enter button
Enter the field value as “G” in field “Object Status” and click on execute
The same table can be used to generate the list of roles with authorization objects having status modified and manual with field values M and U respectively.
5. How to find the email ids if given a list of users (say 100)? Ans: The list of email ids for given users can be generated by performing the below steps:
Execute the t-code SE16
Enter the table name as USR21.
Upload the list of users using multiple selection option and execute. This will give us the list of users and their respective person numbers
Extract this data to excel sheet
Now, go back to SE16 and enter table name ADR6
Upload the list of person number extracted from table USR21 and execute
Now, table ADR6 will give us the list of person numbers and their email ids.
Download the list in excel and perform V-look up in excel to map the email ids of users with their SAP IDs
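The same USR21-to-ADR6 lookup can be scripted instead of done with VLOOKUP. The following is an added example, not part of the original answer: it assumes both SE16 downloads are saved as CSV with the technical field names BNAME, PERSNUMBER and SMTP_ADDR as column headers, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample exports (not real data). Headers use technical field
# names; an SE16 download may show field labels instead (assumption).
USR21_EXPORT = """BNAME,PERSNUMBER,ADDRNUMBER
JSMITH,0000012345,0000000100
AKUMAR,0000012346,0000000100
BATCH01,0000012347,0000000100
"""
ADR6_EXPORT = """ADDRNUMBER,PERSNUMBER,SMTP_ADDR
0000000100,0000012345,john.smith@example.com
0000000100,0000012346,a.kumar@example.com
0000000100,0000012346,anil.kumar@example.com
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text.strip())))

def map_users_to_email(usr21_text, adr6_text, wanted_users):
    """Return ({user: [emails]}, [users that could not be resolved])."""
    wanted = {u.strip().upper() for u in wanted_users}
    # Step 1: USR21 gives user ID -> person number. Values stay strings so
    # leading zeros survive (a spreadsheet often strips them and breaks the join).
    person_of = {r["BNAME"].strip().upper(): r["PERSNUMBER"].strip()
                 for r in _rows(usr21_text)}
    # Step 2: ADR6 gives person number -> one or more e-mail addresses.
    emails_of = {}
    for r in _rows(adr6_text):
        emails_of.setdefault(r["PERSNUMBER"].strip(), []).append(
            r["SMTP_ADDR"].strip().lower())
    result, unresolved = {}, []
    for user in sorted(wanted):
        emails = emails_of.get(person_of.get(user, ""), [])
        if emails:
            result[user] = emails
        else:
            unresolved.append(user)  # no USR21 row, or no ADR6 address
    return result, unresolved

if __name__ == "__main__":
    print(map_users_to_email(USR21_EXPORT, ADR6_EXPORT,
                             ["jsmith", "AKUMAR", "BATCH01", "GHOST"]))
```

Users returned as unresolved are worth reviewing separately, since an account without a mail address is often a technical or orphaned user.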
6. How to find user defined, system default values for security parameters? Ans : The values for parameters can be checked by using the t-code RSPFPAR. After executing the t-code, give the parameter name and click on execute.
7. How to assign the logical system to client? Ans : Logical system can be assigned to client by using the t-code SCC4. We need to be very careful while doing this change as it can affect the CUA (if configured).
8. Which entities are not distributed while distributing the authorization data from master role to derived roles? Ans: During the distribution of authorization data from master role to derived roles, Organizational values and user assignment are not distributed. The Org. values and user assignments are specific to individual roles and hence have no bearing on the master-derived role relationship.
9. How to assign the multiple roles to more than 20 users in one shot in t-code SU10? Ans : To perform this mass role assignment, we need to follow below steps in SU10:
In SU10 home screen, click on the button “Authorization Data”
This will take us to a new screen similar to the screen in t-code SUIM -> User by complex search criteria. Enter the search criteria for the users that need to be changed in SU10 and execute
Once the list of users is reflected, click on “select all” button on left top corner of the list and click on “Transfer” button. This will take us back to SU10 screen with all the selected users in users
Now, click on select all button in SU10 home screen and then click on change button.
Above step will take us to the next screen where you can perform the role assignment as in normal case of SU10 t-code
10. What is the use of SU25 t-code? Ans: The t-code SU25 is used to copy the data from tables USOBT and USOBX to tables USOBT_C and USOBX_C. Generally, this t-code needs to be executed after the installation of system upgrade so that the values in customer tables are updated accordingly.
11. What is the use of authorization object S_TABU_LIN? Ans: This authorization object is used to provide the access to tables on row level.
12. What are the authorization groups and how to create them? Ans : Authorization groups are units comprising tables of a common functional area. Generally, each table is assigned to an authorization group. For this reason, we need to mention the value of the authorization group while restricting the access to a table in authorization object S_TABU_DIS. The authorization group can be created by using the t-code SE54. The assignment of tables to authorization groups can be checked by using table TDDAT.
13. What is SOX (Sarbanes Oxley)? Ans: Sarbanes-Oxley is a US law passed in 2002 to strengthen corporate governance and restore investor confidence. The Act was sponsored by US Senator Paul Sarbanes and US Representative Michael Oxley.
The Sarbanes-Oxley Act is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. Sarbanes-Oxley defines which records are to be stored and for how long. The legislation not only affects the financial side of corporations, but also affects the IT departments whose job it is to store a corporation’s electronic records. The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for “not less than five years”. The consequences for non-compliance are fines, imprisonment, or both. IT departments are increasingly faced with the challenge of creating and maintaining a corporate records archive in a cost-effective fashion that satisfies the requirements put forth by the legislation.
Organizations should be able to guarantee the integrity of operations such as PTP or OTC, which, if not controlled, can have quite a significant impact on the way the financial statements are projected.
Organizations today are therefore moving towards automating their software for SOX compliance. A key factor in achieving SOX compliance is to separate the duties amongst individuals to such an extent that no one person has the authorization to fulfill a complete cycle, say procurement or sales.
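A separation-of-duties check of the kind described above can be run over role data, shown here as an added example that is not part of the original answer. The function names, conflict pairs, roles and users are constructed for illustration; in practice the role-to-transaction data could come from AGR_1251 (object S_TCODE) and the user-to-role data from AGR_USERS.

```python
# Constructed rule set for a procure-to-pay cycle: function -> transactions.
FUNCTIONS = {
    "maintain_vendor": {"XK01", "FK01"},
    "create_po": {"ME21N"},
    "goods_receipt": {"MIGO"},
    "post_invoice": {"MIRO"},
    "run_payment": {"F110"},
}
# Pairs of functions that one person should not hold together (illustrative).
CONFLICTS = [
    ("create_po", "goods_receipt"),
    ("post_invoice", "run_payment"),
    ("maintain_vendor", "run_payment"),
]
# Constructed sample data.
ROLE_TCODES = {
    "Z_BUYER": {"ME21N", "ME23N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_AP_CLERK": {"MIRO"},
    "Z_AP_PAY": {"F110"},
}
USER_ROLES = {
    "ALICE": ["Z_BUYER"],
    "BOB": ["Z_BUYER", "Z_WAREHOUSE"],
    "CAROL": ["Z_AP_CLERK", "Z_AP_PAY"],
}

def user_functions(user, user_roles, role_tcodes):
    """Map each function the user can perform to the roles that grant it."""
    granted = {}
    for role in user_roles.get(user, []):
        tcodes = role_tcodes.get(role, set())
        for func, func_tcodes in FUNCTIONS.items():
            if tcodes & func_tcodes:
                granted.setdefault(func, set()).add(role)
    return granted

def find_sod_violations(user_roles, role_tcodes):
    """Return {user: [(function_a, function_b, roles_involved), ...]}."""
    violations = {}
    for user in sorted(user_roles):
        granted = user_functions(user, user_roles, role_tcodes)
        # The conflict is evaluated on the user's combined roles, because two
        # roles that are each clean can still complete a cycle together.
        hits = [(a, b, sorted(granted[a] | granted[b]))
                for a, b in CONFLICTS if a in granted and b in granted]
        if hits:
            violations[user] = hits
    return violations

if __name__ == "__main__":
    print(find_sod_violations(USER_ROLES, ROLE_TCODES))
```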
14. How to create a query in SAP R/3 system? Ans: The query can be created and executed using the t-code SQVI:
Execute the t-code SQVI.
Enter the name of query to be created and click on create button.
Enter the Title and comments for query and select the data source such as table or table join.
Select the preferred view as Basis Mode or Layout Mode and click on continue button.
Above step will take us to the new screen, add the respective table on which we need to create a query.
If Data source is selected as table join, select the respective tables as needed and joining fields.
Save and come to main screen. Here, you need to select the fields to be displayed in output and their sequence.
15. What is the use of ST01? What are the return codes of t-code ST01? Ans: Transaction code ST01 is used to trace the user authorizations. This can be useful if we need to check which authorizations have been checked in the background when any t-code is being executed by the business user.
Below are the return codes of ST01 :
0 – Authorization check passed
1 – No Authorization
2 – Too many parameters for authorization check
3 – Object not contained in user buffer
4 – No profile contained in user buffer
6 – Authorization check incorrect
7,8,9 – Invalid user buffer
Central User Administration in SAP (CUA)
Hi All,
Here is the procedure for Central user administration configuration in a landscape:
1) Create logical systems for all clients in the landscape using BD54 or SALE, whichever you are comfortable with.
2) Attach the logical systems to the clients using the same.
3) Create RFC connections to the relevant systems with the same name as the logical system name.
If your logical system name is SIDCLNT100 for dev, then create the RFC connection to DEV with the same name, SIDCLNT100.
4) Let us suppose your central system is DEVCLNT100 and your child system is QUACLNT200.
5) Create user CUA_DEV_100 in the devclnt100 system.
6) Create user CUA_QUA_200 in the quaclnt200 system.
Create RFCs to child systems from central and central to child.
7) Now log on to the central system and execute tcode scua to configure CUA.
Enter the name of the distribution model: CUA
Press create
Enter all child system RFCs
Save your entries; the result screen will now appear
If you expand the nodes for the individual systems, you normally see the following messages for each system: “ALE distribution model was saved,” “Central User Administration activated,” and “Text comparison was started.” If problem messages are displayed here, follow the procedure in SAP Note 333441.
8) Setting the Parameters for Field Distribution
Enter tcode SCUM in the central system; the following screen will appear. Now maintain your field distribution and save it.
You can use transaction SUCOMP to administer company address data.
You can use transaction SCUG in the central system to perform the synchronization activities between the central system and the child systems by selecting your child system on the initial screen of transaction SCUG and then choosing Synchronize Company Addresses in the Central System.
After you have synchronized the company addresses, you can transfer the users from the newly connected child systems to central administration. This is done in transaction SCUG in the central system. To do this, on the initial screen of transaction SCUG, select your child system and choose the Copy Users to the Central System button.
Use
You can use the report RSCCUSND from the central system of Central User Administration (CUA) to synchronize the master data of selected users with a child system of the CUA. The report sends the master data (including role and profile assignments) to a child system of the CUA.
If master data exists in the child system for the user sent, it is overwritten.
Procedure …
1. Start report RSCCUSND (for example, using transaction SA38).
2. In the Receiving System field, specify the child system to which you want to send the user data.
3. You can use the fields User and User Group to restrict the number of users.
4. Specify the data that you want to distribute under Distribution Options.
5. Choose Execute.
Hmnn That’s all about configuration if you still have doubt ping me!!!! PING !!1PING !!!
Regards, Gagan Deep Kaushal
This section applies to the SAP ERP connector only. It is relevant for CA Identity Manager and CA Secure Cloud. It is not relevant for CA Identity Governance.
The SAP ERP connector lets you manage SAP Central User Administration (CUA) environments. SAP CUA maintains user records in a central master system, and automatically distributes these records to its child systems.
You can acquire the child systems as endpoints as well as managing the master system as a CUA master.
How the SAP ERP Connector Works with SAP CUA
After the SAP ERP connector has connected to an SAP CUA master system, you can use your CA product to manage identities on the SAP CUA master system. The master then propagates your changes to the child systems.
Note: You cannot use the SAP ERP connector to manage a CUA master system as a standalone SAP system.
When you create an account on the master system, the master creates the new account on each child system.
When you use the connector to remove an account from the master system, the master removes the account on itself and on all of the child systems.
Note: Passwords are not propagated from master to child systems.
Example: Add a role to the SAP CUA master using CA Identity Manager
In this example, you use the User Console to create an account on the SAP CUA master. When you create the account, you give it the following roles:
role1
CHILD01/role3
CHILD02/role4
The following changes happen:
CA Identity Manager creates an account on the CUA master system.
The SAP CUA master makes the following changes:
On the master system, the master assigns role1 to the new account.
The master propagates the account to both child systems.
On CHILD01, the master assigns role3 to the new account.
On CHILD02, the master assigns role4 to the new account.
Connect to an SAP CUA Master System
Follow these steps:
Identify the fields that you want to manage centrally in the master system.
For each of these fields, set the field distribution parameters to GLOBAL. You can do this with SAP transaction SCUM. For information, read the SAP help at http://help.sap.com/saphelp_nw70ehp1/helpdata/en/6a/b1b13bb3acd607e10000000a11402f/content.htm
Connect to the master system as usual.
Discover Whether an SAP ERP Endpoint Is Managed by SAP CUA
You can identify whether the SAP ERP endpoint is managed by SAP CUA.
Follow these steps:
Log in to the User Console, then navigate to the SAP ERP endpoints page.
Find the CUA Status field. If the SAP system is a CUA master, the field shows 'CUA master system managed as a CUA engine'.
Manage Passwords in SAP CUA
When you change a password in a CUA master system, the change is not distributed to other CUA members. If you want to use the SAP ERP connector to manage passwords on the child systems, acquire these child systems as separate SAP endpoints.
These steps describe how to extend your existing system to allow you to manage passwords.
Follow these steps:
On the SAP system, set the distribution model of the initial password to 'proposal' using the SAP transaction SCUM. This allows the connector to change passwords when connecting to a child system.
In the User Console, connect to each child system as a separate endpoint.
Re-explore and correlate the users container on the endpoint set up to manage such child systems.
How Passwords in SAP CUA Work
We recommend that you use the connector to manage locally managed attributes of the account.
When connecting to a CUA master system, if not using a pre-expired password, the following occurs:
On Account Creation, for both CUA Master and CUA Child: The password is pre-expired. You must change the password upon first logon.
On Account Modify:
CUA Master - The password is changed.
CUA Child - The password change is not distributed to child systems. Password management must be done locally.
Note: With SAP Kernel 6.40, an attempt to change the password of an account that does not reside on the Master system will return PASSWORD NOT ALLOWED.
When connecting to a CUA master system using a pre-expired password, the following occurs:
On Account Creation, for both CUA Master and CUA Child: The password is pre-expired. You must change the password upon first logon.
On Account Modify:
CUA Master - The password is pre-expired. You must change the password upon first logon after the change.
CUA Child - The password change is not distributed to child systems. Password management must be done locally.
Distribution Settings in SAP CUA
Some distribution settings in your CUA environment can cause unexpected results.
If you use the SAP connector to change an attribute in a way that conflicts with the CUA distribution model, the modification attempted by the connector may be ignored. In some cases, SAP returns an error. However, in other cases you receive no notification that your change was ignored.
In addition, the User Console may not give a visual indication that the attribute change is permitted under the current distribution settings.
With the exception of password management, we recommend that where possible, the distribution settings be set to 'Global'.
Use the following advice to design your system:
When the distribution model for an attribute has been set to 'Global', this attribute must be managed by the connector using the endpoint connecting to the CUA master system.
When the distribution model for an attribute has been set to 'Local', the attribute can only be managed from the endpoint(s) connecting directly to each individual member system, regardless of its status within the CUA.
Passwords cannot be managed as 'Global', regardless of the distribution settings. Any changes applied to the password on a CUA master system are not distributed to the child systems by design.
Note: For further details on the distribution parameters for fields within transaction SCUM, refer to the SAP Central User Administration documentation available at http://service.sap.com.
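Because a change that conflicts with the distribution model may be ignored without notification, it helps to check each planned change against the SCUM settings before sending it. The following is an added example, not code from the connector or from SAP: the function names, attribute names and the dictionary of SCUM settings are hypothetical, and it encodes only the rules stated in this section, including the role notation from the earlier example.

```python
PASSWORD = "password"  # hypothetical attribute key

def roles_by_system(entries):
    """Split 'CHILD01/role3' style entries; a bare 'role1' applies to the master."""
    plan = {}
    for entry in entries:
        system, sep, role = entry.partition("/")
        if not sep:
            system, role = "MASTER", entry
        plan.setdefault(system, []).append(role)
    return plan

def check_change(scum, attribute, endpoint_kind):
    """Check one planned change against the distribution settings.

    scum: {attribute: 'GLOBAL' | 'LOCAL' | 'PROPOSAL'} as maintained in SCUM.
    endpoint_kind: 'master' or 'child', the endpoint that would carry the change.
    Returns (ok, reason).
    """
    if attribute == PASSWORD:
        # Passwords are never distributed, whatever the setting says.
        if endpoint_kind == "master":
            return False, "master password changes are not distributed to child systems"
        if scum.get(PASSWORD) != "PROPOSAL":
            return False, "set the initial password to 'proposal' in SCUM first"
        return True, "manage the password on the child endpoint"
    setting = scum.get(attribute)
    if setting == "GLOBAL":
        return endpoint_kind == "master", "Global: manage via the CUA master endpoint"
    if setting == "LOCAL":
        return endpoint_kind == "child", "Local: manage via the member system's own endpoint"
    # Anything else is not covered by the guidance in this section.
    return False, f"setting {setting!r} not covered here; verify in SCUM"

if __name__ == "__main__":
    # Constructed settings for illustration.
    scum = {"email": "GLOBAL", "user_group": "LOCAL", PASSWORD: "PROPOSAL"}
    print(roles_by_system(["role1", "CHILD01/role3", "CHILD02/role4"]))
    for attr, kind in [("email", "child"), ("user_group", "child"),
                       (PASSWORD, "master")]:
        print(attr, kind, check_change(scum, attr, kind))
```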