Solved: Role assignment to user in child system

former_member247164 · ‎08-16-2011

Hi,

We have a CUA with role assignment in SCUM defined as global. There is any way of assigning roles to users in child system when CUA system is not available? There is any way to allow roles assignement in both Parent and child systems?

Many thanks for your help!!

Raquel

Former Member · ‎08-16-2011

One way would be to temporarily delete the CUA assignment in the child and then maintain locally, but you will need to attach it again... and decide whether you want the CUA master to know about what you have done.

Plan B on older Support Packs is to take a look at the correction instructions of [SAP Note 1504495|https://service.sap.com/sap/support/notes/1504495] but for this you need full access () to the S_USER objects, in which case you could detatch the CUA anyway.

However as a temporary workaround in Test systems it could have been usefull.

Plan C: Allow reference user assignments locally and authorize the role indirectly. Via the available authorizations of and access to the reference users you can then contain the scenario. Works fine for me if the concept of reference users is understood.

However in most cases you should do it via the CUA and will end up doing this anyway via the CUA - that is what you have a CUA for. So... logon to your CUA in the morning, give the SAPGui scheme a nice bright colour and administrate the users and role assignments there. This is a small price to pay compared to not having a CUA or IdM...

Cheers,

Julius

Former Member · ‎08-16-2011

Hi,

I don't have a CUA in front of me but f you set the field distribution for roles & profiles to RetVal then this should be possible.

Former Member · ‎08-16-2011

One way would be to temporarily delete the CUA assignment in the child and then maintain locally, but you will need to attach it again... and decide whether you want the CUA master to know about what you have done.

Plan B on older Support Packs is to take a look at the correction instructions of [SAP Note 1504495|https://service.sap.com/sap/support/notes/1504495] but for this you need full access () to the S_USER objects, in which case you could detatch the CUA anyway.

However as a temporary workaround in Test systems it could have been usefull.

Plan C: Allow reference user assignments locally and authorize the role indirectly. Via the available authorizations of and access to the reference users you can then contain the scenario. Works fine for me if the concept of reference users is understood.

However in most cases you should do it via the CUA and will end up doing this anyway via the CUA - that is what you have a CUA for. So... logon to your CUA in the morning, give the SAPGui scheme a nice bright colour and administrate the users and role assignments there. This is a small price to pay compared to not having a CUA or IdM...

Cheers,

Julius

former_member247164 · ‎08-17-2011

Hi,

Thank you guys, your answers were really useful. I am looking just for a workaround for emergency cases when CUA system is not available.

Julius, could we use option D even if normally we don't use reference users? I don't understand the concept of reference user.

Referring to Option B, does it mean that if I applied the correction I could assign users to role in child system just when the CUA system is unavailable?

Right now we have SAP_BASIS 700 SP 22, and I have checked that the user assignment in role menu in SAP Easy Access menu is active, so in case CUA is not available we could use that.

Many thanks for your answer again

Raquel

Former Member · ‎08-20-2011

This message was moderated.