Visit our Google Group Way 2 SAP BASIS


Moderators: BASIS24x7, Rashed


Postby meetmuqeet »



In complex system landscapes with multiple systems and clients, the administration cost for keeping the user master records in the systems consistent and up-to-date is very high. Employees join the company, resign, or change jobs within the company. Users must usually access several systems and clients in order to perform their business tasks, and therefore require multiple users.

Since user master records are client-specific, they must be maintained in each client of each and every system. For example, if you want to create a new user, you must create it manually in all the clients of all of the SAP R/3 Systems in which it should be valid.

User master records can be maintained centrally in one client of a system. If a new client is built as a copy of a maintenance client, the new client can initially be filled with the user master records of the maintenance client. During this copy, the roles of the maintenance client are copied together with the user master records. However, you cannot select which users should be copied and which should not. The user master records also cannot be automatically synchronized sequentially

Advantage of having CUA

* Administration of a whole system landscape from one single central system
* Overview of all user data in the whole system landscape
* Consistent user data in the whole system landscape
* Additional local maintenance still possible

CUA in separate system vs in PRD


* No performance impact on PRD system
* Independence from planned downtime of PRD system
* Independence from PRD system release (higher release with more functionality can be used) Maintenance activities of CUA central system (e.g. import of support packages) has no impact on PRD system
* Access to user management can easily be controlled


* Additional hardware and administration cost



* No additional hardware and administration cost


* Performance impact on PRD system
* No user administration during downtime of PRD system.
* PRD system release determines CUA functionality (no higher release can be used)
* Maintenance activities of CUA central system (e.g. import of support packages) causes downtime of PRD system
* Access to user management can be controlled only if separate client on PRD server is set up

Pro & Cons: Single CUA


* Requires little resources (hardware and/or diskspace)
* Consistent user master data in the whole system landscape
* One single point of administration and control


* Maintenance of CUA central system has immediately impact on production –no test of CUA functionality possible
* Unavailability of CUA central system has impact on the whole system landscape
* Planned downtime of CUA central system has to be confirmed by all system owners
* High volume of user data and high number of changes to user master records (e.g. caused through client copy in DEV) can result in decrease of performance of the CUA central system
* Not suitable for customers where responsibilities for user administration are organizationally split based on systems

Organizational challenges

* Technical CUA configuration does not match the organization of the user administration
* Conflicts due to unclear responsibilities for user management
* User administrators are not trained in CUA usage

Posts: 40


Postby blopezq »

The Central User Administration (CUA) is the identity provisioning tool for ABAP-based SAP Systems.

The CUA consists of one ABAP-based central system where you maintain user master records, and any number of other ABAP-based child systems to which changes in the data are distributed automatically. With the CUA you can maintain user accounts centrally in the entire system landscape.

CUA data is distributed asynchronously between the SAP systems using Application Link Enabling (ALE). The central system in the CUA ALE environment is linked to each child system, and master data is synchronized from the central system to the child systems. The child systems are not linked to one another.

For users, you can do the following centrally:

Create, lock, unlock, change, assign roles, assign profiles, reset password, delete

Determine whether attributes of the user master record can be maintained locally or centrally

Users are distributed via ALE. Only initial or resetted passwords are distributed. After the user has logged on once and changed his or her password, it can then only changed locally.
Posts: 11

Return to User Administration Forum

Who is online

Users browsing this forum: No registered users and 1 guest

Visit our Google Group Way 2 SAP BASIS