Defining Authorizations for System Users

To further increase the security of your system landscape, we deliver strongly restricted authorizations contained in SAP standard roles for the system users. To give the system users the authorizations required to set up and operate the Central User Administration (CUA), assign the roles described below.

The roles contain no menu entries, only authorization data, as the system users cannot log on in dialog mode. Some fields of the authorization data contain the value Asterisk (*), as the system requires complete authorization, for example, for user groups.

Creating Roles in the Central System

       1.      In the Profile Generator (transaction PFCG), copy the following standard role delivered by SAP into the customer namespace:

        SAP_BC_USR_CUA_SETUP_CENTRAL

The system users in the central system require the copied role Z_SAP_BC_USR_CUA_SETUP_CENTRAL only during the setup of the Central User Administration.

        SAP_BC_USR_CUA_CENTRAL

        SAP_BC_USR_CUA_CENTRAL_BDIST

All system users in the central system require this role if CUA field attributes are set to redistribution.

       2.      Generate the profiles for these roles.

Creating Roles in the Child Systems

       1.      In the Profile Generator (transaction PFCG), copy the following standard role delivered by SAP into the customer namespace:

        SAP_BC_USR_CUA_SETUP_CLIENT

The system users in the child system require the copied role Z_SAP_BC_USR_CUA_SETUP_CLIENT only during the setup of the Central User Administration.

        SAP_BC_USR_CUA_CLIENT

Caution

This role contains very extensive authorizations for user administration in the child systems. To protect the change authorizations in this role against misuse, and therefore to increase the security significantly, it was split into two roles. This subdivision is only useful for background processing, as one of the roles is assigned to the background user that schedules the inbound IDoc processing in the background.

The system user only receives the role SAP_BC_USR_CUA_CLIENT_RFC and receives only the inbound IDocs. The change authorizations for the update of IDocs are contained in the role SAP_BC_USR_CUA_CLIENT_BATCH that is assigned to the background users.

       2.      Generate the profiles for these roles.
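A check that the role assignments still follow the split described above, given as an added example that is not part of the SAP documentation. It assumes the user-to-role assignments have been exported to CSV with the columns `user` and `role`; the user names are constructed, and customer copies are assumed to keep the SAP role name as a suffix, as in Z_SAP_BC_USR_CUA_SETUP_CENTRAL.

```python
import csv
import io

# Constructed sample export (user, role); names and layout are assumptions.
SAMPLE_EXPORT = """user,role
CUA_CENTRAL,Z_SAP_BC_USR_CUA_CENTRAL
CUA_CENTRAL,Z_SAP_BC_USR_CUA_SETUP_CENTRAL
CUA_CHILD,Z_SAP_BC_USR_CUA_CLIENT_RFC
CUA_CHILD,Z_SAP_BC_USR_CUA_CLIENT_BATCH
CUA_BATCH,Z_SAP_BC_USR_CUA_CLIENT_BATCH
CUA_CHILD2,Z_SAP_BC_USR_CUA_CLIENT_RFC
"""

SETUP_ROLES = {"SAP_BC_USR_CUA_SETUP_CENTRAL", "SAP_BC_USR_CUA_SETUP_CLIENT"}
RFC_ROLE = "SAP_BC_USR_CUA_CLIENT_RFC"


def standard_name(role):
    """Map a customer-namespace copy to the SAP role it was copied from.
    Assumption: the copy keeps the SAP name as a suffix (Z_SAP_BC_...)."""
    role = role.strip().upper()
    idx = role.find("SAP_BC_USR_CUA_")
    return role[idx:] if idx >= 0 else None


def audit(export_text, setup_finished=True):
    """Return (user, finding, role) tuples for deviations from the page."""
    roles_by_user = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        name = standard_name(row["role"])
        if name:  # ignore roles unrelated to CUA
            roles_by_user.setdefault(row["user"].strip(), set()).add(name)
    findings = []
    for user, roles in sorted(roles_by_user.items()):
        # Setup roles are required only while the CUA is being set up.
        if setup_finished:
            for role in sorted(roles & SETUP_ROLES):
                findings.append((user, "setup role still assigned", role))
        # The RFC system user receives only the RFC role; change
        # authorizations belong to the background user (BATCH role).
        if RFC_ROLE in roles:
            for role in sorted(roles - SETUP_ROLES - {RFC_ROLE}):
                findings.append((user, "extra role on RFC system user", role))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(*finding, sep=" | ")
```

Call `audit(..., setup_finished=False)` while the CUA is still being set up, so that the setup roles are not reported.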

See also:

        Changing Standard Roles

        SAP Note 492589: CUA: Minimum authorizations for system users
