If you are using Central User Administration, you can use the distribution parameters in transaction SCUM to determine where individual parts of a user master record are maintained.
Every input field of the user maintenance transaction SU01 has a field attribute that you set once in the central system with transaction SCUM during Customizing. As far as possible, you should then not change the field maintenance indicator at all.
If you later change the distribution from Local or Proposal to Global or Redistribution, data inconsistencies can occur.
You must be particularly careful when removing inconsistencies, since data is lost when you switch system-dependent parameters from local to global maintenance and then distribute the users again. The distribution creates the central system status in all child systems. If you have previously maintained system-dependent data, such as the user assignment of roles, this data is unknown to the central system. This means that when you distribute the central system entries, you overwrite the role assignments of the child system. This system-specific data is therefore permanently lost.
To recreate data consistency after changing the field distribution parameters, proceed as follows:
The only exception to this is the Locks tab page. You can change the indicators on this tab page at any time without any risk.
The system displays the User Distribution Field Selection screen, with tab pages of the fields whose distribution parameters you can set. To display additional fields, choose page down.
You can select the following options on the tab pages:
Global |
You can only maintain the data in the central system. The data is then automatically distributed to the child systems. These fields do not accept input in the child systems, but can only be displayed.
All other fields that are not set to "global" accept input both in the central and in the child systems and are differentiated only by a different distribution after you have saved. |
Proposal |
You maintain a default value in the central system that is automatically distributed to the child systems when a user is created. After the distribution, the data is only maintained locally, and is not distributed again, if you change it in the central or child system. |
RetVal |
You can maintain data both centrally and locally. After every local change to the data, the change is redistributed to the central system and distributed from there to the other child systems. |
Local |
You can only maintain the data in the child system. Changes are not distributed to other systems. |
Everywhere |
You can maintain data both centrally and locally. However, only changes made in the central system are distributed to other systems, local changes in the child systems are not distributed. |
The distribution parameters are automatically transferred to the child systems.
Logon Data Tab Page
On this tab page, you can assign the indicators Global, Local, Proposal, and Redistribution to all entries. However, you can only assign the indicator Everywhere to the initial password. With this setting, the administrator of the central system can set the initial password for a user system-specifically, and the administrator of a child system can set the initial password locally.
An external application such as CRM E-Commerce User Administration in a CUA child system can provide local user administration to the external user administrators using a Web interface through an internal BAPI interface.
Locks Tab Page
You can control the distribution of lock data on this tab page, and therefore determine which locks can be set and/or reset in which systems. When you reset locks, you must pay close attention to the lock indicators in the user master record that can be combined in any way you choose, and the functions available in this system, so that you can set the indicators on the Locks tab page appropriately.
A user cannot log on to a child system of a CUA. The local administration removes the lock. However, this removal refers only to a local lock that may exist in the user master record. Global locks, or, if the indicator for Locked due to incorrect logons is set to global, locks due to incorrect logon attempts, are not removed by this. Therefore, if the local administration should be able to remove locks due to incorrect logon attempts, you must not set the indicator for Locked due to incorrect logons to global in transaction SCUM.
To be able to unlock a user from the central system after an incorrect logon attempt or for local locks in a child system, set the indicator everywhere for the lines Unlock incorr. logon and Unlock locally.
The following functions are available in the respective systems:
Selection on the Locks Tab Page
Field | Description | Global | Local | Everywhere |
---|---|---|---|---|
Unlock Incorr. Logon |
Controls the removal of the indicator Locked due to incorrect logons |
Removal of the indicator Locked due to incorrect logon using the unlock globally function is allowed |
Removal of the indicator Locked due to incorrect logon using the unlock locally function is allowed |
Removal of the indicator Locked due to incorrect logon using the unlock locally function is allowed Removal of the indicator Locked due to incorrect logon using the unlock globally function is also allowed |
Lock Locally |
Controls the setting of the locked locally indicator |
|
Setting the indicator locked locally using the lock locally function is allowed |
|
Unlock Locally |
Controls the removal of the locked locally indicator |
|
Removing the indicator locked locally using the unlock locally function is allowed |
Removing the indicator locked locally using the unlock locally function is allowed Removal of the indicator locked locally using the unlock globally function is also allowed |
Lock Globally |
Controls the setting of the locked globally indicator |
Setting the indicator locked globally using the lock globally function is allowed |
|
|
Unlock globally |
Controls the removal of the locked globally indicator |
Removal of the locked globally indicator using the unlock globally function is allowed |
|
Removal of the locked globally indicator using the unlock globally function is allowed Removal of the indicator locked globally using the unlock globally function is also allowed |
Recommendations for Other Fields
Field | Setting |
---|---|
Printer |
Proposal |
Parameter |
Proposal |
Group (Gen.) |
Proposal |
Fields for data that the users maintain themselves |
Redistribution |
See also:
SAP Note 313945: CUA: Incorrect logon locks not globally reversible