Saturday, November 17, 2007

Background documentation Adding an ABAP System to ...

When you add an SAP NetWeaver Application Server (AS) ABAP system to your system landscape, you must decide whether you want to do the following:

● Add the system to Central User Administration (CUA)

● Use Lightweight Directory Access Protocol (LDAP) synchronization

You can do both. The following figure shows a number of ABAP systems in a CUA where the CUA central system is synchronized with an LDAP directory.

This graphic is explained in the accompanying text

ABAP Systems in a CUA Landscape and Synchronized with an LDAP Directory

Central User Administration

With CUA, you maintain user master records centrally in one system. Changes to user information are then automatically distributed to the child systems. The CUA provides you with an overview of all user data in the entire ABAP system landscape.

For more information, see Structure linkCentral User Administration.

The use of CUA is not a requirement, but it is designed to make the management of multiple ABAP systems easier. If a new ABAP system is not a child system of CUA, then you must manage the new system independently.

For more information, see Structure linkUser Maintenance.
LDAP Synchronization

You can make use of or provide information to an LDAP directory in your system landscape. The direction of the synchronization depends on whether the LDAP directory or the ABAP system is the leading system for user data.


The user password is not transferred from the AS ABAP to the LDAP directory when the user data is synchronized. You must maintain the user password, both in the ABAP (or CUA) system and in the directory service.

Using Single Sign-On (SSO) with an AS Java, you can avoid duplicate password maintenance altogether. Configure the user management engine (UME) of the AS Java to use the LDAP directory as its data source. All systems must be configured to accept logon tickets. Users can now log on using the UME, are authenticated with the directory service, receive a logon ticket, and can then access all systems with SSO.

For more information, see Adding an AS Java System to Your System Landscape.


If you want to integrate a large number of ABAP systems, we recommend that you use CUA and synchronize the CUA central system with the LDAP directory. This way it is not necessary to synchronize each ABAP system separately. You can then distribute the synchronized data from the central system to the child systems and use the central system to manage the system-specific ABAP authorization role assignments.

For more information about LDAP synchronization, see Structure linkSynchronization of SAP User Administration with an LDAP-Compatible Directory Service.

No comments:

Blog Archive