Release child systems
The child systems can be released individually from the CUA without removing it entirely. Removing a CUA can be done step-by-step and tested. The following steps must be performed for each child system:
- Release the child system in One Identity Manager from the CUA
- Set up a new synchronization project and synchronize the client
- Release child systems from the CUA distribution model of the SAP R/3 environment
To release a child system from the CUA
- In the Manager, select the SAP R/3 > Clients category.
- In the results list, select the child system you want to release.
- Select the Release client from CUA task and confirm the security prompt with Yes.
  After checking whether the client can be removed, One Identity Manager converts the data.
  - User accounts and their external identifiers are copied from the central system to the child system.
  - SAP groups and group assignments to user accounts are copied from the central system to the child system.
  - SAP roles and profiles are converted and assigned to the copied user accounts.
  - User account access permissions to the child system are removed (the SAPUserMandant table is purged).
  - The client assignment to the central system is removed.
  - If an account definition is assigned to the client, it is converted. The SAPUser table is assigned as a user account table.
To set up synchronization for the released client
- If the client is hosted in a different SAP system than the central system, then there is a synchronization project for the client. Delete this synchronization project.
- Create a new synchronization project. For this purpose, use the SAP R/3 synchronization (base administration) project template.
  For more information, see Creating a synchronization project for initial synchronization of an SAP client.
  TIP: If a suitable synchronization project already exists for an SAP client with an identical schema, then the released client can be assigned to this synchronization project as another base object.
- Start the synchronization.
- Check the synchronization result. Fix errors and handle outstanding objects.
To release the child system from the CUA distribution model
- If the synchronization was run without errors, delete the child system from the CUA distribution model in the SAP R/3 environment.
  Only the client assignment to the CUA distribution model is to be removed. For more information, see your SAP R/3 documentation.
Converting the central system
As soon as all child systems have been removed from a central user administration, the central system can also be converted. The following steps must be performed:
- Convert the central system in One Identity Manager
- Delete user accounts without central system access
- Delete the CUA from the distribution model of the SAP R/3 environment
- Set up a new synchronization project and synchronize the client
To convert the central system
- In the Manager, select the SAP R/3 > Clients category.
- Select the target system in the result list.
- Select the Release client from CUA task and confirm the security prompt with Yes.
  After checking whether the client qualifies for conversion, the data is converted in the One Identity Manager database.
  - Converts SAP roles and profiles in the central system.
  - Converts SAP role and profile assignments to user accounts.
  - Removes user account access permissions to the central system (purges SAPUserMandant table).
  - Removes the client's central system identifier.
- Once conversion is complete, it is necessary to decide how to proceed with user accounts that did not have access permissions to the central system within the CUA.
  - If you want to delete these user accounts, click Yes.
    Select this option to ensure that only the users who were authorized to access the client before the conversion are granted access. User accounts created by an IT Shop request or by inheritance of a valid account definition remain intact.
    All other user accounts without access permissions are deleted.
  - If you want to keep these user accounts, click No.
    The user accounts are retained and are thus authorized for access in this client.
- Decide what to do with user accounts that were created using a valid account definition. If you want to delete these user accounts, remove the account definition assignment to the identities.
  For more information, see Assigning account definitions to identities.
IMPORTANT: All provisioning processes must be completed before conversion can continue.
Perform the following step before creating a new synchronization project for the client.
To delete the CUA from the distribution model of the SAP R/3 environment
- Once all child systems have been released from the CUA distribution model in the SAP R/3 environment, you can delete the entire CUA from the distribution model.
- Specify how to proceed with user accounts that did not have access permissions to the central system within CUA.
  If these user accounts have been deleted in One Identity Manager, select the Additionally Lock Users Locally option here.
  As a result, the user accounts that were created using an account definition are locked and do not get access permissions to the client.
  For more information, see your SAP R/3 documentation.
To set up synchronization for the client
- Delete the synchronization project for the central system.
- Create a new synchronization project. For this purpose, use the SAP R/3 synchronization (base administration) project template.
  - On the Additional settings page, disable the Central User Administration (CUA) option.
  For more information, see Creating a synchronization project for initial synchronization of an SAP client.
  TIP: If a suitable synchronization project already exists for an SAP client with an identical schema, then the released client can be assigned to this synchronization project as another base object.
- Start the synchronization.
- Check the synchronization result. Fix errors and handle outstanding objects.
  User accounts that did not have access permissions for the central system and were created through an account definition are locked.
- Check locked user accounts.
- Unlock all user accounts that should have access to the client.
- Remove the account definition from the linked identity of all user accounts to be deleted.
  For more information, see Assigning account definitions to identities.
Checking for successful conversion
If all child systems have been removed without errors and the central system has been converted without errors, the CUA is removed. The SAP user accounts in all previously involved clients can be managed either separately or through the linked identity.
To check for correct conversion of a child system
- In the Manager, select the SAP R/3 > Clients category.
- In the results list, select the client of the former child system.
- Check the following main data:
  - ALE name: Value deleted.
  - ALE model name: Value deleted.
  - CUA status: None.
  - CUA central system: None assigned.
- Select the SAP client overview task.
- Click the form element for the assigned account definition and check the account definition's main data.
- Check if the required account definition is still needed.
  After removing the CUA, a user account in the central system is no longer a necessary prerequisite for the creation of a user account in the former child system. In this case, the required account definition can be removed.
- Synchronization is set up and works correctly.
To check for correct conversion of a central system
- In the Manager, select the SAP R/3 > Clients category.
- In the results list, select the client of the former central system.
- Check the following main data:
  - ALE name: Empty value.
  - ALE model name: Value deleted.
  - CUA status: None.
- Select the SAP client overview task.
  No child system is assigned.
- Synchronization is set up and works correctly.
Troubleshooting an SAP R/3 connection