Due to the changed password requirements for the user types (see SAP Note 622464) in combination with the profile parameters (see SAP Note 450452), we recommend that you use technical users of the type System in the future, instead of system users.
This section provides you with an overview of the interaction of system users, RFC destinations, and authorization roles of the system users and the administration tasks that are connected with this. The exact procedure is described in the following sections.
System users (called CPIC users in older releases) are required for the internal communication of the systems in an ALE group (the distribution of user data). These system users, defined in the target systems, are entered in RFC destinations in the calling systems. To increase the security of your system landscape, when you create system users, assign them only greatly restricted authorizations, combined in special roles (as described in the section Creating System Users).
In principle, one user ID (such as SAPCPIC) would be sufficient, and you could use it for all system users. In that case, however, it would be practically impossible to change the password of the system user, or even to keep it secret, because multiple RFC destinations can use the same user. So that you need to change the password in only one place when you change the password of a system user later, use a separate system user for each RFC destination. This means that there are as many system users in your system landscape as there are RFC destinations.
No license fees apply to these system users.
To simplify the maintenance of system users, use the following naming conventions:
· In the central system, the naming convention CUA_<system ID>. These system users are used in the child systems in the RFC destinations for child to central system.
For all logical systems in the SAP system ADM, the name for the system user would therefore be CUA_ADM.
· In the child systems, the naming convention CUA_<system ID>_<Client>. These system users are used in the central systems in the RFC destinations for central to child system.
In the child system, specify the client in the name of the system user so that there are still different system users for the different child systems in the central system even after the user transfer.
Create a system user in each child system for the RFC connection from the central system to the child system (for example, in child system CRM, client 800, the system user CUA_CRM_800 that is used by the RFC destination CRMCLNT800 defined in the central system ADM). If there are multiple child systems in an SAP system (such as PRDCLNT324 and PRDCLNT800), create a cross-client RFC destination for the connection in one of these child systems (such as ADMCLNT070). For more information about the procedure for creating system users and RFC destinations, see Creating System Users and Creating an RFC Destination for the Target System.
In the central system, create a common system user for all child systems within an SAP system for the connection from child to central system (such as in the central system ADM, client 070, the system user CUA_CRM that is used by the RFC destination CRMCLNT070 defined in the child system CRM). When you are making these definitions, the system that you define as the central system when setting up the CUA also counts as a child system whose data must also be transferred to the central system.
System Landscape of the Central User Administration
Working in SAP System ADM
1. In the logical system ADMCLNT070, you create the following system users with the roles SAP_BC_USR_CUA_SETUP_CENTRAL and SAP_BC_USR_CUA_CENTRAL (see Defining Authorizations for System Users):
· CUA_ADM with <password 1>
· CUA_PRD with <password 2>
· CUA_CRM with <password 3>
2. In the logical system ADMCLNT075, you create the system user CUA_ADM_075 with the roles SAP_BC_USR_CUA_SETUP_CLIENT and SAP_BC_USR_CUA_CLIENT.
3. You create the following cross-client RFC destinations and use these with the system users that you have created in the child systems:
· ADMCLNT070 (from the central system to itself) with user CUA_ADM
· ADMCLNT075 with user CUA_ADM_075
· PRDCLNT324 with user CUA_PRD_324
· PRDCLNT800 with user CUA_PRD_800
· CRMCLNT800 with user CUA_CRM_800
Working in SAP System PRD
1. In the logical system PRDCLNT324, you create the system user CUA_PRD_324 with the roles SAP_BC_USR_CUA_SETUP_CLIENT and SAP_BC_USR_CUA_CLIENT.
2. In the logical system PRDCLNT800, you create the system user CUA_PRD_800 with the roles SAP_BC_USR_CUA_SETUP_CLIENT and SAP_BC_USR_CUA_CLIENT.
3. You create one cross-client RFC destination ADMCLNT070. Use the system user CUA_PRD created in the central system in this RFC destination.
Working in SAP System CRM
1. In the logical system CRMCLNT800, you create the system user CUA_CRM_800 with the roles SAP_BC_USR_CUA_SETUP_CLIENT and SAP_BC_USR_CUA_CLIENT.
2. You create one cross-client RFC destination ADMCLNT070. Use the system user CUA_CRM created in the central system in this RFC destination.
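The following added example (not SAP code and not part of the original documentation) derives the system users, roles, and RFC destinations for the landscape above from the naming conventions, and checks an inventory of destinations for users shared by more than one destination. The function names and the tuple layout are assumptions of this sketch, and the inventory DRIFTED is constructed sample data.

```python
from collections import defaultdict

CENTRAL_ROLES = ("SAP_BC_USR_CUA_SETUP_CENTRAL", "SAP_BC_USR_CUA_CENTRAL")
CLIENT_ROLES = ("SAP_BC_USR_CUA_SETUP_CLIENT", "SAP_BC_USR_CUA_CLIENT")

def plan_landscape(central, children):
    """Derive system users and RFC destinations from logical system names
    of the form <SID>CLNT<client>, following the CUA naming conventions."""
    central_sid = central.split("CLNT")[0]
    users = {}      # (logical system the user is created in, user ID) -> roles
    dests = set()   # (SAP system defining it, RFC destination, logon user)
    for logical_system in [central, *children]:
        sid, client = logical_system.split("CLNT")
        # Child -> central: one CUA_<SID> user in the central system per SAP
        # system, used by that system's cross-client destination to central.
        users[(central, f"CUA_{sid}")] = CENTRAL_ROLES
        dests.add((sid, central, f"CUA_{sid}"))
        if logical_system != central:
            # Central -> child: CUA_<SID>_<client> created in the child.
            child_user = f"CUA_{sid}_{client}"
            users[(logical_system, child_user)] = CLIENT_ROLES
            dests.add((central_sid, logical_system, child_user))
    return users, sorted(dests)

def shared_users(destinations):
    """Return users referenced by more than one RFC destination; changing
    such a password means touching every destination listed."""
    by_user = defaultdict(list)
    for defined_in, dest, user in destinations:
        by_user[user].append(f"{dest} (in {defined_in})")
    return {u: sorted(d) for u, d in by_user.items() if len(d) > 1}

# The landscape used on this page.
USERS, DESTS = plan_landscape(
    "ADMCLNT070", ["ADMCLNT075", "PRDCLNT324", "PRDCLNT800", "CRMCLNT800"])

# Constructed inventory for the audit: PRD and CRM both log on as SAPCPIC.
DRIFTED = [d for d in DESTS if d[0] == "ADM"] + [
    ("PRD", "ADMCLNT070", "SAPCPIC"), ("CRM", "ADMCLNT070", "SAPCPIC")]

if __name__ == "__main__":
    for defined_in, dest, user in DESTS:
        print(f"{defined_in}: {dest} -> {user}")
    print("shared:", shared_users(DRIFTED))
```

The planned landscape yields seven system users for seven RFC destinations, which matches the one-user-per-destination rule stated above.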