2011 Oct 14 8:07 PM
Hello Gurus,
Our landscape consists of multiple systems & clients and we would be creating mass users across the landscape. Since the number of systems and clients are multiple, it's going to be a tedious task creating users by logging into each & every client & system. So we are now in discussion whether to go with CUA or to use an eCATT script. I went through all the forums & my notes and, to my understanding, going with eCATT will be better than configuring CUA for our existing landscape. I heard that SAP will retire, or is going to retire, CUA in the coming years & replace it with SAP IDM. So at this point, using eCATT for mass user creation & later on moving to SAP IDM would be a better choice, to my understanding.
Please share your expertise or advice. I appreciate your help.
Thanks,
Venkat
2011 Oct 14 8:14 PM
Hi Venkat,
I'd go for both. Hook the systems up to Central User Administration and use ECATT scripts on the CUA master for mass maintenance.
As far as the retirement of CUA is concerned I have only heard that no further development will be done on it (no source available).
I haven't heard or read about this functionality being taken out of SAP. Using CUA also doesn't really bother an IDM implementation as IDM can provision directly to separate clients or through the CUA master.
Jurjen
2011 Oct 14 9:10 PM
Here is a blog (http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/21565) from SAP that says CUA will never die. Why would SAP remove CUA when it works for many customers?
The only problem with CUA is that when you try to migrate to idm it will be more work for you. Idm supports provisioning to CUA master but it's adding additional complexity. Hence this scenario is not really popular.
Cheers
2011 Oct 15 9:00 AM
Agreed. It does however leave you with the choice to either:
Migrate one client at a time from CUA to IDM.
Migrate the whole CUA first and then migrate the clients to IDM one by one afterwards.
Both scenarios have their own pros and cons.
2011 Oct 15 11:05 PM
If there already is a CUA in place, then switching the IdM to provision the master CUA is the recommended migration path. You can change your process (with IdM as front end) in one go without any parallel processes, then migrate the child systems without any stress of having to hunt down IDOCs in future.
If you do not have an existing CUA, then it is a different ball game and depends on how exotic your systems are outside of the SAP landscapes, whether the existing user names are unique, whether you want workflows and automation rules, etc.
If you only have SAP ABAP systems to provision to (also for the double-stack Java UMEs) then CUA is done in about a day or so (for technical implementation, and you only need to train the central admins, normally).
IdM in contrast is a project, but offers much more.
eCatt is IMO not an option for user administration. SU10 and BAPIs are a better (stable) option.
Cheers,
Julius
2011 Oct 16 10:53 AM
> eCatt is IMO not an option for user administration. SU10 and BAPIs are a better (stable) option.
Here we disagree. I've done multi-user multi-role assignments in a CUA landscape with both SU10 and ECATT scripts and the ECATTs left me with far fewer locking issues than SU10 did. You do have to keep that in mind when creating the input file:
User1 roleA
User1 roleB
User1 roleC
User1 roleD
User2 roleA
User2 roleB
User2 roleC
User2 roleD
etc
Creates less issues than:
User1 roleA
User2 roleA
User3 roleA
User4 roleA
User1 roleB
User2 roleB
User3 roleB
User4 roleB
etc
SU10 (imo) only provides the latter option.
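As an added example (not part of the original post and not SAP tooling): a small Python check that regroups an assignment file into the per-user order described above and counts how many separate runs of rows each ordering produces. The two-column "user role" format, the sample rows and all function names are assumptions made for illustration.

```python
# Constructed sample in the role-by-role order from the post (not real data).
ROLE_MAJOR = """\
User1 roleA
User2 roleA
User3 roleA
User4 roleA
User1 roleB
User2 roleB
User3 roleB
User4 roleB
"""


def parse_rows(text):
    """Return (user, role) pairs; raise on lines that are not 'user role'."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # tolerate blank lines in the upload file
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'user role', got {line!r}")
        rows.append((parts[0], parts[1]))
    return rows


def user_blocks(rows):
    """Count runs of consecutive rows that belong to the same user."""
    return sum(1 for i, (user, _) in enumerate(rows)
               if i == 0 or rows[i - 1][0] != user)


def group_by_user(rows):
    """Reorder so each user's rows are contiguous; drop duplicate pairs."""
    grouped = {}  # dict keeps first-seen user order
    for user, role in rows:
        roles = grouped.setdefault(user, [])
        if role not in roles:
            roles.append(role)
    return [(user, role) for user, roles in grouped.items() for role in roles]


if __name__ == "__main__":
    rows = parse_rows(ROLE_MAJOR)
    ordered = group_by_user(rows)
    print(f"user blocks before: {user_blocks(rows)}, after: {user_blocks(ordered)}")
    for user, role in ordered:
        print(f"{user}\t{role}")
```

When the block count equals the number of distinct users, every user is touched in a single contiguous run of rows.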
2011 Oct 16 11:46 AM
Hi Jurjen,
This SAP note might interest you (also solves the SU10 lock on the AGR_USERS): https://service.sap.com/sap/support/notes/1416149
I still prefer SU10 with few single roles to assign per user...
Cheers,
Julius
2011 Oct 17 12:12 PM
I would prefer SU10 only during mass locking of users. I have experienced a lot of bugs with SU10 during mass assignment and removal of roles from users.
I always prefer eCATT scripts or LSMW for all such mass user activity. I think if someone is having issues with an eCATT script, then they can go for LSMW as well. You just need a developer to build the project and then it's the same as uploading files in eCATT.
A lot of mass uploads of data are done using LSMW, so it is reliable.
2011 Oct 17 1:06 PM
> SU10 (imo) only provides the latter option.
I usually use SU10 to automate the first option - line by line. As SU10 will append I usually find that it does the job nicely.
2011 Oct 17 6:10 PM
2011 Oct 24 2:44 PM
Thanks one and all for your time and effort in responding to my query.
Venkat