Defining Authorizations for System Users

1. In the Profile Generator (transaction PFCG), copy the following standard role delivered by SAP into the customer namespace:
   • SAP_BC_USR_CUA_SETUP_CENTRAL

     The system users in the central system require the copied role Z_SAP_BC_USR_CUA_SETUP_CENTRAL only during the set up of the Central User Administration.

   • SAP_BC_USR_CUA_CENTRAL
   • SAP_BC_USR_CUA_CENTRAL_BDIST

     All system users in the central system require this role if CUA field attributes are set to redistribution.

2. Generate the profiles for these roles.

1. In the Profile Generator (transaction PFCG), copy the following standard role delivered by SAP into the customer namespace:
   • SAP_BC_USR_CUA_SETUP_CLIENT

     The system users in the child system require the copied role Z_SAP_BC_USR_CUA_SETUP_CLIENT only during the set up of the Central User Administration.

   • SAP_BC_USR_CUA_CLIENT
     Caution

     This role contains very extensive authorizations for user administration in the child systems. To protect the change authorizations in this role against misuse, and therefore to increase the security significantly, it was split into two roles. This subdivision is only useful for background processing, as one of the roles is assigned to the background user that schedules the inbound IDoc processing in the background.

     The system user only receives the role SAP_BC_USR_CUA_CLIENT_RFC and receives only the inbound IDocs. The change authorizations for the update of IDocs are contained in the role SAP_BC_USR_CUA_CLIENT_BATCH that is assigned to the background users.

2. Generate the profiles for these roles.

See also:

• Changing Standard Roles
• SAP Note 492589: CUA: Minimum authorizations for system users