Should I keep CUA while having GRC

The one consistent expectation of any client is always the desire for a seamless user access management experience for end users , while being aligned to the most important business processes of your organization.

SAP over the years has provided various solutions catering to businesses of all size, enabling them to have a well structured user management enterprise.Having worked with both CUA and GRC alongwith IDM, sometimes I have encountered this conundrum as to whether we should dismantle CUA from our current setup.Sharing my perspective with you all, please let me know what can be the best approach in comments.

CUA: Central user management system

Central User Administration is a feature in SAP that helps to streamline multiple users account management on different clients in a multi SAP systems environment. User administration is centrally performed from the central system (client with CUA). Other clients that are been controlled by the central system are termed child clients. The benefit of CUA lies in the possibility to restrict user’ access to specific clients in the multiple SAP system environment. The system makes use of Application Link Enabling (ALE) to exchange master data across the clients.

Disadvantages of a stand alone CUA:

CUA can only connect to ABAP instances

Password self service is not available, which means a great deal of dependancy on service desk for password reset and account unlocks

Not suitable for customers where responsibilities for user administration are organizationally split based on systems

Conflicts due to unclear responsibilities for user management

GRC Access Control:

GRC Access Control is undisputedly the favorite solution for SAP Security consultants to ensure seamless automation of User management alongwith effective control and monitoring of the most important business processes.

However the question is, if my company was using CUA and is now planning to use GRC for user provisioning, should I still keep CUA and how??

The answer in my opinion is a both yes and no.

Technically it is possible to run CUA from GRC, since both are ABAP based.


1.Create RFC Connections between GRC box and CUA box.(make sure the connector name for GRC and CUA be the same)

2. In the path SPRO →Governance Risk Complaince →Access Control →User Provisioning →Maintain CUA Settings

Define your CUA system under CUA Global System and all your CUA connected child systems under CUA Model Distribution.

3.Make sure all your child system are defined in GRC connector settings.

4.Also do the connection mapping for all scenarios.Remember for action 4(Provisioning) only CUA connector should be mapped .

However in the question is should we allow that ?

In production, having a CUA system in the GRC box, just adds on to additional cost and maintainence. So probably it would be best to dismantle the CUA and use GRC for Access management and control.

However for non production environments especially sandbox and development systems, you may want to retain CUA for user creation,password resets over GRC.

Please let me know what you think should be the best approach.

SAP Security consultant