Due to the changed password requirements for the user types (see SAP Note 622464) in combination with the profile parameters (see SAP Note 450452), we recommend that you use technical users of the type System in the future, instead of system users.
This section provides you with an overview of the interaction of system users, RFC destinations, and authorization roles of the system users and the administration tasks that are connected with this. The exact procedure is described in the following sections.
System users (called CPIC users in older releases) are required for the internal communication of the systems in an ALE group (the distribution of user data). These system users, defined in the target systems, are entered in RFC destinations in the calling systems. To increase the security of your system landscape, assign only greatly restricted authorizations, combined in special roles, to the system users when you create them (as described in the section Creating System Users).
In principle, one user ID (such as SAPCPIC) would be sufficient, and you could use it for all system users. However, it would then be practically impossible to change the password of the system users, or simply to keep it secret, because multiple RFC destinations can use the same user. Use a separate system user for each RFC destination, so that when you change the password of the relevant system user later, you only have to change it in one place. This means that there are as many system users in your system landscape as there are RFC destinations.
No license fees apply to these system users.
To simplify the maintenance of system users, use the following naming conventions:
For all logical systems in the SAP system ADM, the name for the system user would therefore be CUA_ADM.
In the child system, specify the client in the name of the system user so that there are still different system users for the different child systems in the central system even after the user transfer.
Create a system user in each child system for the RFC connection from the central system to the child system (for example, in child system CRM, client 800, the system user CUA_CRM_800 that is used by the RFC destination CRMCLNT800 defined in the central system ADM). If there are multiple child systems in an SAP system (such as PRDCLNT324 and PRDCLNT800), create a cross-client RFC destination for the connection in one of these child systems (such as ADMCLNT070). For more information about the procedure for creating system users and RFC destinations, see Creating System Users and Creating an RFC Destination for the Target System.
In the central system, create a common system user for all child systems within an SAP system for the connection from child to central system (such as in the central system ADM, client 070, the system user CUA_CRM that is used by the RFC destination CRMCLNT070 defined in the child system CRM). When you are making these definitions, the system that you define as the central system when setting up the CUA also counts as a child system whose data must also be transferred to the central system.
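The following check is an added example, not part of the SAP documentation. It audits an inventory of RFC destinations against the rules above: one system user per RFC destination, named CUA_<SID>_<client> in a child system and CUA_<SID> in the central system. The inventory rows, the record layout and the function names are constructed for illustration, and the naming rule is inferred from the examples on this page.

```python
from collections import defaultdict

CENTRAL_SID = "ADM"  # central system of the CUA, as in the example on this page

# Constructed inventory, one row per RFC destination:
# (destination, SID where it is defined, target SID, target client, logon user)
DESTINATIONS = [
    ("CRMCLNT800", "ADM", "CRM", "800", "CUA_CRM_800"),
    ("PRDCLNT324", "ADM", "PRD", "324", "CUA_PRD_324"),
    ("PRDCLNT800", "ADM", "PRD", "800", "SAPCPIC"),   # generic user
    ("ADMCLNT070", "CRM", "ADM", "070", "CUA_CRM"),
    ("ADMCLNT070", "PRD", "ADM", "070", "CUA_CRM"),   # reuses CRM's user
]

def expected_user(defined_in, target_sid, target_client):
    """System user name the convention yields for one RFC destination."""
    if target_sid == CENTRAL_SID:
        # Child to central: one common user per calling SAP system.
        return f"CUA_{defined_in}"
    # Central to child: the client is part of the user name.
    return f"CUA_{target_sid}_{target_client}"

def audit(destinations):
    """Return findings: naming deviations first, then shared users."""
    findings = []
    used_by = defaultdict(list)  # (target SID, client, user) -> destinations
    for dest, defined_in, sid, client, user in destinations:
        used_by[(sid, client, user)].append(f"{dest}@{defined_in}")
        want = expected_user(defined_in, sid, client)
        if user != want:
            findings.append(f"{dest}@{defined_in}: user {user}, expected {want}")
    for (sid, client, user), dests in sorted(used_by.items()):
        if len(dests) > 1:
            # A shared user means a password change must be repeated in
            # every destination that stores it.
            findings.append(f"{user} in {sid}/{client} shared by {', '.join(dests)}")
    return findings

if __name__ == "__main__":
    for finding in audit(DESTINATIONS):
        print(finding)
```

A user is treated as shared only when the same user ID in the same target system and client is stored in more than one destination, because user master records are client-specific.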
System Landscape of the Central User Administration
Working in SAP System ADM
Working in SAP System PRD
Working in SAP System CRM