You can increase the security of your system landscape with the Trusted System concept (see Trusted Systems: Maintain Trust Relationships Between SAP Systems).
You no longer need to enter system users with the associated authorizations in the RFC destination for the RFC connection from the central to the child system. Instead, when creating the RFC destination, specify that the current user is used. The user of the user administrator is therefore used directly for the RFC connection. This means that there is no longer any danger that the authorizations of an explicitly created system user can be misused.
So that the CUA user administration user can access the user data of the child system by RFC, you must also create administration users in all of the child systems, to which you assign at least the roles SAP_BC_USR_CUA_SETUP_CLIENT and SAP_BC_USR_CUA_CLIENT. If the administrators are to be able to log on to the system directly and should be able to work with transactions, you must also assign additional authorizations.
For Trusted Systems, the authorization object S_RFCACL is also checked in child systems (this is not yet contained in the above roles). This ensures that only particular applications (such as SU01) can access the child system by RFC.
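The following check is an added example, not SAP code: it audits the S_RFCACL field values granted to a CUA administrator in a child system and reports any value that is broader than "same user, from the central system, via the user administration transaction". The field names are those of S_RFCACL; the dictionary layout, the central system ID ADM, the client 070 and the allowed transaction list are constructed assumptions.

```python
# Added example: audit S_RFCACL values of a CUA administrator in a child system.
# The input layout (field name -> list of granted values) is an assumed export
# format; all sample values below are constructed.

def audit_s_rfcacl(auth, central_sid, central_client, allowed_tcodes):
    """Return (field, finding) tuples for one S_RFCACL authorization."""
    def granted(field):
        # Blank entries mean "no value maintained" and are ignored.
        return sorted({v.strip() for v in auth.get(field, []) if v.strip()})

    findings = []
    # Only the central system and client may call in as a trusted system.
    if granted("RFC_SYSID") != [central_sid]:
        findings.append(("RFC_SYSID", "not limited to the central system"))
    if granted("RFC_CLIENT") != [central_client]:
        findings.append(("RFC_CLIENT", "not limited to the central client"))
    # "Current user" destinations need the same user on both sides only.
    if granted("RFC_EQUSER") != ["Y"]:
        findings.append(("RFC_EQUSER", "calls under another user are allowed"))
    if granted("RFC_USER"):
        findings.append(("RFC_USER", "calling users listed; expected empty"))
    # The calling transaction is what limits access to particular applications.
    tcodes = granted("RFC_TCODE")
    if not tcodes or set(tcodes) - set(allowed_tcodes):
        findings.append(("RFC_TCODE", "calling transaction not restricted"))
    return findings

# Constructed sample authorizations.
GOOD = {"RFC_SYSID": ["ADM"], "RFC_CLIENT": ["070"], "RFC_USER": [" "],
        "RFC_EQUSER": ["Y"], "RFC_TCODE": ["SU01"], "ACTVT": ["16"]}
BROAD = {"RFC_SYSID": ["*"], "RFC_CLIENT": ["*"], "RFC_USER": ["*"],
         "RFC_EQUSER": ["N"], "RFC_TCODE": ["*"], "ACTVT": ["16"]}
EXTRA_TCODE = dict(GOOD, RFC_TCODE=["SU01", "SE37"])

if __name__ == "__main__":
    for name, auth in (("GOOD", GOOD), ("BROAD", BROAD),
                       ("EXTRA_TCODE", EXTRA_TCODE)):
        result = audit_s_rfcacl(auth, "ADM", "070", {"SU01"})
        print(name, "->", result or "ok")
```
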
You cannot use Trusted Systems with the "current user" for data distribution from the child to the central system (redistribution with distribution parameters) as the end users could change their own user data with transaction SU3 and distribute it to the central system by redistribution. This would also mean that all end users would require change authorization for the user administration in the central system and could also change all other user data.
Although you could use Trusted Systems with an explicitly created system user for redistribution of data from the child to the central system, this brings little advantage. You would have to recreate the authorizations and the system users and expose these to misuse. You would also restrict the usage possibilities of the RFC destination to redistribution, meaning that no other application can use this destination.
We therefore recommend that you use "normal" RFC destinations for the RFC connection from the child to the central system.
System Landscape of the Central User Administration
Tasks in SAP System ADM
Tasks in SAP System PRD
Tasks in SAP System CRM