The Global User Manager is an additional tool with which you can considerably simplify the central user administration. Use of the Global User Manager is not obligatory. You can still make assignments at individual user level with the existing user and role maintenance transactions.
The Global User Manager gives you various grouping possibilities at user and system level for maintaining user and system assignments in a system group in the central system, in addition to the previous individual user view. The Global User Manager contains these maintenance possibilities because the user master record data hardly changes once the user has been created. System assignments and authorizations change more frequently.
Do not distribute the user data in the Global User Manager until you have completely modeled the data for all users. Everything which is not defined in the Global User Manager is deleted in the target systems.
You cannot assign an authorization profile to users or user groups directly in the Global User Manager. The authorizations are assigned in roles. If you want to create a role automatically from an existing authorization profile, call the transaction SU25 and choose item 6: Copy data from existing profiles.
An advantage of the Global User Manager is that you do not need to consider the full complexity of the system environment when modeling authorizations. You consider only one part of the whole in each work step: two of the axes of an assignment triangle.
Source | Target |
User/user group | System/System type |
System/System type | Role/Composite role |
Role/Composite role | User/user group |
To model a complete assignment to be distributed into the target systems, you must create a closed assignment triangle as shown in the graphic. The Global User Manager reduces the complexity of this procedure so that you only need to make the two other assignments from each corner. When you have done so from all corners, the assignment is complete.
The Global User Manager Screen
The Global User Manager only runs in the central system of the central user administration.
Call the transaction SUUM to display the Global User Manager.
All users and user groups in the system group are displayed at the left-hand side of the screen. The systems and system types are displayed in the middle, and the roles and composite roles in the system group on the right.
Choose Extras → Compare systems in the Global User Manager to display the roles and composite roles of the subsidiary systems. You can alternatively choose Compare texts in subsidiary systems in the Roles tab in the user maintenance transaction SU01. The data may not be immediately available because it is distributed asynchronously.
Using the Global User Manager
If you want to use the Global User Manager, the procedure depends on whether your system environment already contained users before the installation of the central user administration. If users already exist, you should migrate the current user master records into the Global User Manager, so that previously existing assignments are not deleted the first time you distribute user data with the Global User Manager.
System environment with existing users
To use the Global User Manager in a system environment with existing productive users:
- Choose Extras → Migration → Users to get the current user master records of all systems in the Global User Manager.
- Choose Extras → Migration → Roles to automatically assign the roles to the systems in which they exist, in the Global User Manager.
The data is compared with the current system status at individual user level in the Global User Manager after the migrations. To ensure that you do not lose any existing data, do not start to model user groups and system types until the migrations are finished.
Role names must be unique in the system environment. The system environment behaves like a single system, and a role can only exist once in this system. If a role with the same name exists in several systems in the system group, it appears several times in the Global User Manager role list.
You can make assignments at both individual user level and user group level in the Global User Manager. This can have unwanted effects after a user migration. Example: You have migrated all developers in your system in the Global User Manager as described above. You have then defined a user group for all developers containing the same authorizations which they had previously as individual users. When you assign all developers to the user group, the authorizations are assigned twice. So if you remove a developer from the user group, he or she still has the individual authorizations and can continue to develop. You should remove the individual user assignments after a migration as soon as you assign the users to their user groups. Use individual user assignments to give a user additional authorizations which differ from the standard authorizations of the user group.
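The double assignment described above can be checked for before anyone relies on group membership as the only control. The following is an added example, not SAP code or part of the original page: it works on a simplified in-memory model of exported assignments, and all user, group, system and role names are constructed for illustration.

```python
# Constructed sample data; all user, group, system and role names are hypothetical.
INDIVIDUAL = {  # (system, role) pairs carried over by the user migration
    "ALICE": {("D01", "Z_DEVELOPER")},
    "BOB": {("D01", "Z_DEVELOPER"), ("D01", "Z_TRANSPORT")},
}
GROUP_ASSIGNMENTS = {
    "DEVELOPERS": {("D01", "Z_DEVELOPER")},
    "RELEASE_MGMT": {("D01", "Z_TRANSPORT")},
}
MEMBERS = {"DEVELOPERS": {"ALICE", "BOB", "CAROL"}, "RELEASE_MGMT": {"BOB"}}

def sources(user, without_group=None):
    """Map each (system, role) the user holds to where it comes from."""
    held = {}
    for pair in INDIVIDUAL.get(user, set()):
        held.setdefault(pair, []).append("individual")
    for group in sorted(MEMBERS):
        if user in MEMBERS[group] and group != without_group:
            for pair in GROUP_ASSIGNMENTS.get(group, set()):
                held.setdefault(pair, []).append(group)
    return held

def survives_removal(user, group):
    """Assignments granted by `group` that the user keeps after leaving it."""
    after = sources(user, without_group=group)
    return {p: after[p] for p in GROUP_ASSIGNMENTS[group] if p in after}

def cleanup_candidates():
    """Individual assignments that one of the user's groups already covers."""
    out = {}
    for user in INDIVIDUAL:
        dup = {p for p, src in sources(user).items()
               if "individual" in src and len(src) > 1}
        if dup:
            out[user] = dup
    return out

if __name__ == "__main__":
    print(survives_removal("ALICE", "DEVELOPERS"))
    print(cleanup_candidates())
```

A non-empty result from `survives_removal` means that removing the user from the group does not revoke the authorization; `cleanup_candidates` lists the individual assignments to remove after the migration.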
System environment without (existing) users
If there are no active users in your system environment, you do not need to migrate the existing user master records. You can start to create new users in transaction SU01 and model the authorizations in the system environment in the Global User Manager. Each user needs to be created only once in the central system and can then be assigned to other systems in the Global User Manager. The Global User Manager creates the users in these systems and assigns roles to them.
Proceed as follows:
- Create a user in the transaction SU01.
- Enter a user group for the current user in the Groups tab, if one has already been created in the Global User Manager. You will not need to make this assignment again in the Global User Manager.
Only assign something in the System and Role tabs when it is only for this individual user. Define other authorizations for user groups in the Global User Manager.
All data that you enter in SU01 is also in the Global User Manager. Conversely, all assignments made and distributed in the Global User Manager are also in SU01.
Definition of system types and user groups
Proceed as follows:
- Create a system type/user group by choosing the appropriate pushbutton.
- Assign systems or users to the system type/user group respectively by Drag & Drop.
A system can only be assigned to one system type. A user can belong to several user groups.
Modeling in the Global User Manager
To specify the systems and roles for a user group:
- Mark the user group and choose Display assignments.
  The current system/system type and role assignments of the selected user group are displayed. No systems or roles should be assigned to the user group yet.
- To assign systems or system types to the user group, Drag & Drop a system or a system type to the entries under Assignments to user groups. Assign roles or composite roles to the user group similarly.
To restrict the number of entries displayed in a list (users, roles, etc.), choose the selection icon next to an entry and restrict the value range.
You have now defined two of the three sides of the above assignment triangle. This example focuses on the user group and we have so far assigned systems and roles. The axis which connects system and role is still missing. If you migrated the roles, this assignment is made automatically and the triangle is complete. If not, you must define it for each role.
You can display and change assignments from any corner of the triangle. When you display the assignments to a role you can edit the systems and user groups for this role. When you display the assignments to a system type you can define the users and roles for the systems of this system type.
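The closed-triangle rule can be run as a check on a model before distribution. The following is an added example, not SAP code or part of the original page: it treats a (user, system, role) assignment as complete only when all three sides exist, as the text describes, and assumes that user groups and system types simply stand for their members. All names in the sample model are constructed.

```python
from itertools import product

# Constructed sample model; every user, system and role name is hypothetical.
USER_GROUPS = {"DEVELOPERS": {"ALICE", "BOB"}}
SYSTEM_TYPES = {"DEV_SYSTEMS": {"D01", "D02"}}

# The three sides of the triangle as (source, target) pairs.
USER_SYSTEM = {("DEVELOPERS", "DEV_SYSTEMS"), ("CAROL", "P01")}
SYSTEM_ROLE = {("DEV_SYSTEMS", "Z_DEVELOPER")}
ROLE_USER = {("Z_DEVELOPER", "DEVELOPERS"), ("Z_AUDITOR", "CAROL")}

def expand(name, groups):
    """A group or type stands for its members, any other name for itself."""
    return groups.get(name, {name})

def edges(pairs, left, right):
    """Resolve group-level pairs down to individual (source, target) pairs."""
    return {(a, b) for x, y in pairs
            for a, b in product(expand(x, left), expand(y, right))}

def resolve():
    """Return (closed triples, {open triple: name of the missing side})."""
    us = edges(USER_SYSTEM, USER_GROUPS, SYSTEM_TYPES)
    sr = edges(SYSTEM_ROLE, SYSTEM_TYPES, {})
    ru = edges(ROLE_USER, {}, USER_GROUPS)
    users = {u for u, _ in us} | {u for _, u in ru}
    systems = {s for _, s in us} | {s for s, _ in sr}
    roles = {r for _, r in sr} | {r for r, _ in ru}
    closed, open_ = set(), {}
    for u, s, r in product(users, systems, roles):
        sides = {"user-system": (u, s) in us,
                 "system-role": (s, r) in sr,
                 "role-user": (r, u) in ru}
        missing = [name for name, present in sides.items() if not present]
        if not missing:
            closed.add((u, s, r))
        elif len(missing) == 1:
            open_[(u, s, r)] = missing[0]
    return closed, open_

if __name__ == "__main__":
    closed, open_ = resolve()
    for triple in sorted(closed):
        print("complete  ", triple)
    for triple, side in sorted(open_.items()):
        print("incomplete", triple, "missing:", side)
```

In the sample, CAROL has a system and a role but the system-role side was never defined, which is the situation the text describes when roles were not migrated.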
Distributing data with the Global User Manager
Display and check your distribution data in a list before distributing it. Proceed as follows:
- Choose Display distribution data.
- Check whether the data for selected users is correctly flagged for distribution.
- To distribute data immediately, choose Distribute immediately.
Only delete the user data when you have checked a sample of it in the list display.
You can distribute data from the Global User Manager immediately manually, or schedule a regular background job.
The data is distributed immediately. It can take a few minutes until the data reaches the target system because it is distributed asynchronously.
Immediate distribution can damage the performance of your system. To avoid this, schedule a periodic background job to distribute the data, e.g. at night.
The data is distributed according to the modeling in the Global User Manager in the SU01 of the central system and from there to the subsidiary systems. Only the users are created and the roles assigned in the subsidiary systems. Other data is not distributed; it is retained in the central system. There is no log in the transaction SCUL.
Only changes since the last distribution are distributed. This minimizes the amount of data to be distributed.
To distribute data in a periodic background job, choose Extras → Schedule distribution.
- Enter a meaningful name for the background job under Job name.
- Choose a job class to specify processing priority.
- Choose the central system of the central user administration under Target server.
- Choose to schedule the ABAP program RSUSR500.
- Choose to specify when the job is to run.
- Choose Save.