Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Role Assignment does not get distributed from CUA

Former Member
0 Kudos
1,560

Hi all.

I create user and role in CUA client.

There is no error in role generation.

When I try to find my role in SU01 by pressing F4 of my role (Y*), system give me message role not found. But that's not my biggest problem.

I can assign my role by typing manually.

My biggest problem is only SAP ID get distributed into target system, not the role assignment.

So in the target system I can see my user id without role assign to it.

I checked my user id from SCUL. User and profile does not contain any error message in target client.

I tried with transaction RSCCUSND, still my user id does not contain role.

I checked my SCUM transaction, profiles and roles has Global settings.

Does someone can give me a clue why this happens and how to solve this issue.

Many thanks

1 ACCEPTED SOLUTION

jurjen_heeck
Active Contributor
0 Kudos
320

> Does someone can give me a clue why this happens and how to solve this issue.

Your CUA master probabely isn't aware of the role you have created in the CUA client yet. See [Performing a Text Comparison with Target System Specification|http://help.sap.com/saphelp_nw70ehp1/helpdata/en/9d/bdbba36f55db43ab8e8272e1d5d97b/frameset.htm] on SAP help for the solution.

10 REPLIES 10

jurjen_heeck
Active Contributor
0 Kudos
321

> Does someone can give me a clue why this happens and how to solve this issue.

Your CUA master probabely isn't aware of the role you have created in the CUA client yet. See [Performing a Text Comparison with Target System Specification|http://help.sap.com/saphelp_nw70ehp1/helpdata/en/9d/bdbba36f55db43ab8e8272e1d5d97b/frameset.htm] on SAP help for the solution.

0 Kudos
320

Hi Jurjen.

Thanks for your reply.

I can see my role in master (CUA) client. Unfortunately I can't transfer this role into child system and there is no error at all

mvoros
Active Contributor
0 Kudos
320

Hi,

can you see any suspicious in SCUL? Have you searched for OSS notes related to CUA? It might be a bug and already fixed in service pack.

Cheers

0 Kudos
320

Hi Martin.

All fine in SCUL.

I am wondering, whether the role itself need to be created in child system as well.

If yes, then what is the purpose of Roles and Profile tab in SCUM then.

mvoros
Active Contributor
0 Kudos
320

Hi,

yes, the role has to be defined in the child system. It's not possible to define roles in one centralized system. For example you have ERP and CRM systems in your landscape. Both systems share some basic authorization objects which are part of NetWeaver platform (e.g. S_TCODE) but each system have application specific authorization objects. Therefore it would be really hard to create a role in ERP for CRM where you don't have definition for any specific authorization objects. ERP also misses any SU24 records for CRM applications.

The step mentioned by Jurjen just copies role names with description into central system.

The purpose is really simple. You can centrally manage your users. You can create a user in cetnral system and distribute it into child systems with proper role assignment in each system (e.g. ERP roles in ERP system and CRM roles in CRM system).

Cheers

0 Kudos
320

Sandy,

CUA is for central user admin only.

for cental role admin you can user ERM (SAP GRC product)

usually all child system are connected to one dev system and role are created in DEV system and transported to all the child systems, that is the process followed.

hope it help.

regards,

Surpreet

0 Kudos
320

Sandy,

Just to add what Dipanjan had already explained, if you create a composite role in a child system and assign it to a users from the master, you'll find none of the single roles will be visible ( which will be visible to you if you assign the same composite role to an user directly in the child system ). This clearly shows that its only the identity of the parent role that gets transferred to the master system.

Hope we're able to answer your queries. Do revert if you need any further clarification.

Dipesh

0 Kudos
320

This message was moderated.

0 Kudos
320

Hi All.

Many thanks for your answers and clarification.

Obviously my interpretation on CUA Global setting was not quite right

"Global: You can only maintain the data in the central system. It is fully distributed."

sdipanjan
Active Contributor
0 Kudos
320

Lets try to simplify the thing in layman language.

CUA is to manage user ids of different SAP systems (client level) centrally from one system without logging into each of those child systems. To do so, the Central system stores the information of the Roles (and their Text and Generated Profile Name ONLY) and Profiles (standard or non-generated profiles) in few of it's tables like: USLA04, USRSYSACT, USRSYSACTT, USRSYSPRF, USRSYSPRFT etc.

It doesn't mean that the Roles for the corresponding child system is present in the central system and no need of creating (or making available) such roles in the Child systems. The physical existence of the Role for each system doesn't get transferred in the Central system when you do the Text comparison rather the identity only against the corresponding system.

So the Roles has to be there in the corresponding Child systems and the Assignment (not physical assignment - only linking the name for that child system) of them to the user ids can be done from Central system.

Also you have got the idea of Text comparison and requirement of keeping or creating roles in each system based on it's nature from the other posts.

Let us know any more questions you have.

regards,

Dipanjan