Thursday 10 October 2013

SAP GRC Access Control: Configuring compliant user provisioning (formerly Virsa Access Enforcer) into CUA Systems


Introduction

Organizations with a complex SAP landscape consisting of many SAP systems are advised to use Central User Administration (CUA) for user administration tasks. CUA enables security administrators to maintain user master records centrally from one system. Although Access Enforcer can provision users centrally from one place into multiple SAP systems, it is by no means a replacement for CUA; Access Enforcer mainly deals with compliant automated provisioning. This article describes how to properly configure Access Enforcer to work with CUA. It also discusses some troubleshooting steps for CUA provisioning from AE.

Procedure for Configuring CUA 

a. Configure Connectors in AE

1. It is very important to note that connector names in Access Enforcer should be exactly the same as the logical system names defined in the CUA master and child systems. The screenshot below displays the logical system names of the CUA master system and one child system.





2. Create the connector in Access Enforcer for the CUA master system. Go to Configuration -> Connectors and click on the Create SAP link to create the connector. In the Name field, enter the logical system name of the CUA master system. Provide the other details (e.g. Application server host, System Number, Client, User Id) on this screen and click on Save. Test the connection to check that it is working properly.




3. Create connectors as above for each of the child systems. Make sure to enter the logical system name in the Name field. Provide all the details and click on Save. Click on Test connection to check that each connector is properly configured and working.




b. Configure CUA master system in Access Enforcer


To provision users through the CUA system, the CUA master system name needs to be set in Access Enforcer. To set it, go to Configuration -> Workflow and click on CUA system. The System dropdown lists all the connectors set up in Access Enforcer. Select the CUA master system from the dropdown and click on Save.

Please note that the Function Template fields on this screen can be set to Standard, which uses the programs supplied out of the box with Access Enforcer for CUA provisioning. If custom programs need to be used for CUA provisioning, select “Custom” in the “Function Template” field and provide the program name.




Troubleshooting

The following steps can help troubleshoot CUA provisioning from Access Enforcer if it does not work properly after the above procedure has been followed.

1. Make sure that the Access Enforcer service user role /VIRSA/AE_DEFAULT_ROLE delivered with RTA, or an equivalent customized (Z) role copied from that AE role, is assigned to the service user id used in the Access Enforcer connector in all the master and child systems.




2. If the above does not help, modify the connector's Short Description and Application to be the same as the connector name. Go to Configuration -> Connectors -> Available Connectors. Select the connector and click on Change. Modify the Short Description and Application fields to reflect the Name field value.
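
The naming rule from the connector procedure and both troubleshooting steps can be checked together before provisioning is tested. The following script is an added example, not part of Access Enforcer or of the original article; the record layout, the function name and every sample system name are constructed for illustration, and the data would have to be collected by hand from the connector screens and the CUA landscape.

```python
# Added example: pre-flight consistency check for Access Enforcer connectors in
# a CUA landscape. Record layout and sample values are constructed, not an SAP export.

REQUIRED_ROLE = "/VIRSA/AE_DEFAULT_ROLE"  # role named in troubleshooting step 1


def check_cua_connectors(logical_systems, connectors, cua_master, role_assigned):
    """Return (severity, system, message) findings; an empty list means consistent.

    logical_systems: logical system names of the CUA master and child systems
    connectors:      dicts with 'name', 'short_description', 'application'
    cua_master:      connector selected as CUA system under Configuration -> Workflow
    role_assigned:   system name -> True if the connector's service user holds
                     REQUIRED_ROLE (or an equivalent Z role) in that system
    """
    findings = []
    names = {c["name"] for c in connectors}
    # Names folded for case and whitespace, used to explain near-miss mismatches.
    folded = {c["name"].strip().upper(): c["name"] for c in connectors}

    if cua_master not in logical_systems:
        findings.append(("ERROR", cua_master, "CUA master is not a defined logical system"))
    for ls in logical_systems:
        if ls in names:
            continue  # exact match, as the procedure requires
        near = folded.get(ls.strip().upper())
        if near is not None:
            findings.append(("ERROR", ls, f"connector {near!r} differs only in case or whitespace"))
        else:
            findings.append(("ERROR", ls, "no connector with this name"))
    for c in connectors:  # troubleshooting step 2: fields should mirror Name
        for field in ("short_description", "application"):
            if c.get(field) != c["name"]:
                findings.append(("WARN", c["name"], f"{field} differs from connector name"))
    for ls in logical_systems:  # troubleshooting step 1: role in master and children
        if not role_assigned.get(ls, False):
            findings.append(("ERROR", ls, f"service user lacks {REQUIRED_ROLE} or equivalent Z role"))
    return findings


# Constructed sample landscape: one master, two children, two defects planted.
LOGICAL_SYSTEMS = ["CUAMSTR100", "ERPCHLD200", "BWCHLD300"]
CONNECTORS = [
    {"name": "CUAMSTR100", "short_description": "CUAMSTR100", "application": "CUAMSTR100"},
    {"name": "erpchld200 ", "short_description": "ERP child", "application": "erpchld200 "},
]
ROLE_ASSIGNED = {"CUAMSTR100": True, "ERPCHLD200": True, "BWCHLD300": False}

if __name__ == "__main__":
    for sev, system, msg in check_cua_connectors(LOGICAL_SYSTEMS, CONNECTORS, "CUAMSTR100", ROLE_ASSIGNED):
        print(f"{sev:5} {system}: {msg}")
```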