Role assignment not happening properly after rsldapsync_user is executed

Former Member
0 Kudos

Hi Experts,

We are using the CUA-LDAP sync report to get users from LDAP to CUA. From CUA, we have configured 2 child systems: one is client 340, the other is client 360 of our ECC system. We have also maintained a proper mapping table for both 340 and 360.

Now, when report rsldapsync_user is executed from SE38, I can see that proper role assignment is happening for all users in client 360, but some users are skipped in 340. These users are present in 340 but no roles are assigned to them, whereas in CUA all users have proper role assignment.

I am getting the below error in SCUL for 340.

Role GPD_HCM_EMPLOYEE is locked by user CUA_QEH_340

Role GPD_HCM_EMPLOYEE_MANAGER is locked by user CUA_QEH_340

Role assignment to user GPDSEEMP1008 not executed completely

There are some users which are properly synchronized in 340, but many are not (of 500 users, 142 are not synchronized, and all these users have the same error).

One workaround for this is to run report RSCCUSND, but I don't want to run this report. Also, I am not sure if all users will be synchronized with this report.

My question is: why is this happening only for client 340? In 360 all users are synchronized properly. My CUA RFCs are load balancing for both clients.

Please help me to resolve this issue.

Former Member
0 Kudos

Hi Arjun and Ashu,

In my mapping table, I have to maintain entries for both clients. That is, when I run the LDAP sync report, users from Active Directory should be created in both clients with the same role. This is working perfectly in 360 but not in 340.

How can I check if serial processing is going on in 360 but not in 340? I have checked in WE20, and I can see that the properties are the same for inbound IDocs.

I'll check the notes that you guys have given and will post again if it solves the issue.

Thanks,

Ankit

Former Member
0 Kudos

Hi Ankit,

In my mapping table, I have to maintain entries for both clients. That is, when I run the LDAP sync report, users from Active Directory should be created in both clients with the same role. This is working perfectly in 360 but not in 340.

LDAP sync and pushing roles from CUA to a child system are 2 different things. I believe you get users from Active Directory, i.e. LDAP, to CUA and then from CUA to the other child system. If you have maintained RFCs, users and mapping perfectly for both clients and are getting a lock error while pushing updates to the other client, then it leads to a parallel IDoc processing error, which is very well described in the note: Note 399271 - CUA: Tips for optimizing ALE distribution performance

----


Parallel processing of user administration IDocs (message type USERCLONE) may result in locking problems in two instances:

1. If several IDocs are to be processed in parallel for the same user, the system only waits for a maximum of one minute for the lock to be released. After this, an error status is set.

2. If several IDocs are to be processed in parallel for different users and these contain user assignments for the same roles (direct assignments or indirect single role assignments because of assigned composite roles), a warning message is issued in transaction SCUL, indicating that the IDoc has still been posted correctly.

-


Note 557610 - CUA: Lock problem with serial IDOC processing

How can I check if serial processing is going on in 360 but not in 340? I have checked in WE20, and I can see that the properties are the same for inbound IDocs.

I wanted to check: if you just send IDocs to client 340 separately, is it getting pushed in? Or are you still getting the lock error?

Go through these notes; they should be useful in your scenario.

Regards,

Ashutosh