
System Users and RFC Destinations

This section gives you an overview of how system users, RFC destinations, and the authorization roles of the system users interact, and of the administration tasks connected with them. The exact procedure is described in the following sections.

Caution

Due to the changed password requirements for the user types (see SAP Note 622464) in combination with the profile parameters (see SAP Note 450452), we recommend that you use technical users of the type System.

System users (called CPIC users in older releases) are required for the internal communication of the systems in an ALE group (the distribution of user data). These system users, defined in the target systems, are entered in RFC destinations in the calling systems. To increase the security of your system landscape, assign only greatly restricted authorizations, combined in special roles, to the system users when you create them.

In principle, one user ID (such as SAPCPIC) would be sufficient, and you could use it for all system users. However, it would then be practically impossible to change the password of the system user, or even to keep it secret, because multiple RFC destinations can use it. Use a separate system user for each RFC destination, so that when you change the password of a system user later, you only need to change it in one place. This means that there are as many system users in your system landscape as there are RFC destinations.

Note

No license fees apply to these system users.

To simplify the maintenance of system users, use the following naming conventions:

  • In the central system, use the naming convention CUA_<SID>. These system users are used in the RFC destinations in the child systems for the connection from child to central system.

    For all logical systems in the SAP system ADM, the name for the system user would therefore be CUA_ADM.

  • In the child systems, use the naming convention CUA_<SID>_<Client>. These system users are used in the RFC destinations in the central system for the connection from central to child system.

    In the child system, specify the client in the name of the system user so that there are still different system users for the different child systems in the central system even after the user transfer.

Create a system user in each child system for the RFC connection from the central system to the child system. For example, in child system CRM client 800, the system user CUA_CRM_800 is used by the RFC destination CRMCLNT800 defined in the central system ADM. If there are multiple child systems in an SAP system, such as PRDCLNT324 and PRDCLNT800, create a cross-client RFC destination for the connection in one of these child systems, such as ADMCLNT070.

In the central system, create a common system user for all child systems within an SAP system for the connection from child to central system. For example, in the central system ADM client 070, create the system user CUA_CRM that is used by the RFC destination CRMCLNT070 defined in the child system CRM. When you make these definitions, the system that you define as the central system when setting up the CUA also counts as a child system, whose data must also be transferred to the central system.

Figure 1: System Landscape of the Central User Administration

Example:

Working in SAP System ADM
  1. In logical system ADMCLNT070, create the following system users with the roles SAP_BC_USR_CUA_SETUP_CENTRAL and SAP_BC_USR_CUA_CENTRAL:

    • CUA_ADM with <password_1>

    • CUA_PRD with <password_2>

    • CUA_CRM with <password_3>

  2. In logical system ADMCLNT075, create the system user CUA_ADM_075 with the roles SAP_BC_USR_CUA_SETUP_CLIENT and SAP_BC_USR_CUA_CLIENT.

  3. Create the following cross-client RFC destinations and use these with the system users that you created in the child systems:

    • ADMCLNT070 (from the central system to itself) with user CUA_ADM

    • ADMCLNT075 with user CUA_ADM_075

    • PRDCLNT324 with user CUA_PRD_324

    • PRDCLNT800 with user CUA_PRD_800

    • CRMCLNT800 with user CUA_CRM_800

Example:

Working in SAP System PRD
  1. In logical system PRDCLNT324, create the system user CUA_PRD_324 with the roles SAP_BC_USR_CUA_SETUP_CLIENT and SAP_BC_USR_CUA_CLIENT.
  2. In logical system PRDCLNT800, create the system user CUA_PRD_800 with the roles SAP_BC_USR_CUA_SETUP_CLIENT and SAP_BC_USR_CUA_CLIENT.

  3. Create one cross-client RFC destination ADMCLNT070. Use the system user CUA_PRD created in the central system in this RFC destination.

Example:

Working in SAP System CRM
  1. In logical system CRMCLNT800, create the system user CUA_CRM_800 with the roles SAP_BC_USR_CUA_SETUP_CLIENT and SAP_BC_USR_CUA_CLIENT.

  2. Create one cross-client RFC destination ADMCLNT070. Use the system user CUA_CRM created in the central system in this RFC destination.
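
The following Python sketch is an added example, not part of the SAP documentation. It derives the system users, roles, and RFC destinations for the landscape above from the naming conventions, and checks an inventory of RFC destinations against that plan. The function names, the parsing of logical system names as <SID>CLNT<Client>, and the inventory rows are assumptions made for illustration.

```python
import re
from collections import Counter

CENTRAL_ROLES = ("SAP_BC_USR_CUA_SETUP_CENTRAL", "SAP_BC_USR_CUA_CENTRAL")
CLIENT_ROLES = ("SAP_BC_USR_CUA_SETUP_CLIENT", "SAP_BC_USR_CUA_CLIENT")

def split_logsys(name):
    """Split a logical system name such as ADMCLNT070 into (SID, client)."""
    m = re.fullmatch(r"([A-Z][A-Z0-9]{2})CLNT(\d{3})", name)
    if m is None:
        raise ValueError(f"not of the form <SID>CLNT<client>: {name!r}")
    return m.group(1), m.group(2)

def plan(central, children):
    """Return (users, dests) derived from the naming conventions."""
    c_sid, _ = split_logsys(central)
    users, dests = {}, {}  # user -> (created in, roles); (caller SID, dest) -> user
    # Child -> central: one CUA_<SID> per SAP system; the central system counts too.
    for sid in sorted({c_sid} | {split_logsys(c)[0] for c in children}):
        users[f"CUA_{sid}"] = (central, CENTRAL_ROLES)
        dests[(sid, central)] = f"CUA_{sid}"
    # Central -> child: one CUA_<SID>_<Client> per child logical system.
    for child in children:
        sid, client = split_logsys(child)
        users[f"CUA_{sid}_{client}"] = (child, CLIENT_ROLES)
        dests[(c_sid, child)] = f"CUA_{sid}_{client}"
    return users, dests

def audit(inventory, central, children):
    """Compare (calling SID, destination, user) rows with the derived plan."""
    _, expected = plan(central, children)
    rows = list(inventory)
    findings = []
    for sid, dest, user in rows:
        want = expected.get((sid, dest))
        if want is None:
            findings.append(f"{sid}:{dest}: not part of the CUA plan")
        elif user != want:
            findings.append(f"{sid}:{dest}: user {user}, expected {want}")
    for user, n in sorted(Counter(u for _, _, u in rows).items()):
        if n > 1:  # one password would then have to be changed in several places
            findings.append(f"{user}: shared by {n} RFC destinations")
    return findings

# Landscape from the example above; SAMPLE is a constructed inventory in which
# two destinations reuse SAPCPIC instead of their own system users.
CENTRAL = "ADMCLNT070"
CHILDREN = ["ADMCLNT075", "PRDCLNT324", "PRDCLNT800", "CRMCLNT800"]
SAMPLE = [("PRD", "ADMCLNT070", "SAPCPIC"), ("CRM", "ADMCLNT070", "SAPCPIC"),
          ("ADM", "CRMCLNT800", "CUA_CRM_800")]
```

For this landscape, plan(CENTRAL, CHILDREN) yields seven system users and seven RFC destinations, matching the rule that there are as many system users as RFC destinations.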