System Users and RFC Destinations with Trusted Systems

You can increase the security of your system landscape with the Trusted System concept (Trusted Systems: Maintain Trust Relationships Between SAP Systems).

You no longer need to enter system users with the associated authorizations in the RFC destination for the RFC connection from the central to the child system. Instead, when creating the RFC destination, specify that the current user is used. The user of the user administrator is therefore used directly for the RFC connection. This means that there is no longer any danger that the authorizations of an explicitly created system user can be misused.

So that the CUA user administration user can access the user data of the child system by RFC, you must also create administration users in all of the child systems, to which you assign at least the roles SAP_BC_USR_CUA_SETUP_CLIENT and SAP_BC_USR_CUA_CLIENT. If the administrators are to be able to log on to the system directly and should be able work with transactions, you must also assign additional authorizations.

Although you could use Trusted Systems with an explicitly created system user for redistribution of data from the child to the central system, this brings little advantage. You would have to recreate the authorizations and the system users and expose these to misuse. You would also restrict the usage possibilities of the RFC destination to redistribution, meaning that no other application can use this destination.

• You have set up Trusted System trust relationships for the RFC connection from the central to the child system.
• The administrators have the same user ID in all systems.

System Landscape of the Central User Administration

Tasks in SAP System ADM

1. In the logical system ADMCLNT070, you create the following system users with the roles SAP_BC_USR_CUA_SETUP_CENTRAL and SAP_BC_USR_CUA_CENTRAL:
   • CUA_ADM with <password 1>
   • CUA_PRD with <password 2>
   • CUA_CRM with <password 3>
2. In the logical system ADMCLNT070, you create the users for the CUA user administrators with the authorizations for user administration; assign these users at least the roles SAP_BC_USR_CUA_SETUP_CENTRAL and SAP_BC_USR_CUA_CENTRAL.
3. You also create users for CUA user administrators in the logical system ADMCLNT075 to which you assign at least the roles SAP_BC_USR_CUA_SETUP_CLIENT and SAP_BC_USR_CUA_CLIENT.
4. Create the following cross-client RFC destinations:
   • Normal RFC destination without Trusted Systems:
     • ADMCLNT070 (from the central system to itself) with user CUA_ADM
   • RFC destinations with Trusted Systems:
     • ADMCLNT075 with the indicators Current User and Trusted System
     • PRDCLNT324 with the indicators Current User and Trusted System
     • PRDCLNT800 with the indicators Current User and Trusted System
     • CRMCLNT800 with the indicators Current User and Trusted System

Tasks in SAP System PRD

1. You also create users for CUA user administrators in the logical system PRDCLNT324 to which you assign at least the roles SAP_BC_USR_CUA_SETUP_CLIENT and SAP_BC_USR_CUA_CLIENT.
2. You also create users for CUA user administrators in the logical system PRDCLNT800 to which you assign at least the roles SAP_BC_USR_CUA_SETUP_CLIENT and SAP_BC_USR_CUA_CLIENT.
3. You create one cross-client RFC destination ADMCLNT070 without Trusted Systems. Use the system user CUA_PRD created in the central system in this RFC destination.

Tasks in SAP System CRM

1. You also create users for CUA user administrators in the logical system CRMCLNT800 to which you assign at least the roles SAP_BC_USR_CUA_SETUP_CLIENT and SAP_BC_USR_CUA_CLIENT.
2. You create one cross-client RFC destination ADMCLNT070 without Trusted Systems. Use the system user CUA_CRM created in the central system in this RFC destination.