One way would be to temporarily delete the CUA assignment in the child and then maintain locally, but you will need to attach it again... and decide whether you want the CUA master to know about what you have done.
Plan B on older Support Packs is to take a look at the correction instructions of [SAP Note 1504495|https://service.sap.com/sap/support/notes/1504495] but for this you need full access () to the S_USER objects, in which case you could detatch the CUA anyway.
However as a temporary workaround in Test systems it could have been usefull.
Plan C: Allow reference user assignments locally and authorize the role indirectly. Via the available authorizations of and access to the reference users you can then contain the scenario. Works fine for me if the concept of reference users is understood.
However in most cases you should do it via the CUA and will end up doing this anyway via the CUA - that is what you have a CUA for. So... logon to your CUA in the morning, give the SAPGui scheme a nice bright colour and administrate the users and role assignments there. This is a small price to pay compared to not having a CUA or IdM...
Thank you guys, your answers were really useful. I am looking just for a workaround for emergency cases when CUA system is not available.
Julius, could we use option D even if normally we don't use reference users? I don't understand the concept of reference user.
Referring to Option B, does it mean that if I applied the correction I could assign users to role in child system just when the CUA system is unavailable?
Right now we have SAP_BASIS 700 SP 22, and I have checked that the user assignment in role menu in SAP Easy Access menu is active, so in case CUA is not available we could use that.
Many thanks for your answer again