Start of Content Area

Background documentation System Users and RFC Destinations with Trusted Systems  Locate the document in its SAP Library structure

Use

You can increase the security of your system landscape with the Trusted System concept ( Trusted Systems: Maintain Trust Relationships Between SAP Systems).

You no longer need to enter system users with the associated authorizations in the RFC destination for the RFC connection from the central to the child system. Instead, when creating the RFC destination, specify that the current user is used. The user of the user administrator is therefore used directly for the RFC connection. This means that there is no longer any danger that the authorizations of an explicitly created system user can be misused.

So that the CUA user administration user can access the user data of the child system by RFC, you must also create administration users in all of the child systems, to which you assign at least the roles SAP_BC_USR_CUA_SETUP_CLIENT and SAP_BC_USR_CUA_CLIENT. If the administrators are to be able to log on to the system directly and should be able work with transactions, you must also assign additional authorizations.

Note

For Trusted Systems, the authorization object S_RFCACL is also checked in child systems (this is not yet contained in the above roles). This ensures that only particular applications (such as SU01) can access the child system by RFC.

Caution

You cannot use Trusted Systems with the “current user” for data distribution from the child to the central system (redistribution with distribution parameters) as the end users could change their own user data with transaction SU3 and distribute it to the central system by redistribution. This would also mean that all end users would require change authorization for the user administration in the central system and could also change all other user data.

Although you could use Trusted Systems with an explicitly created system user for redistribution of data from the child to the central system, this brings little advantage. You would have to recreate the authorizations and the system users and expose these to misuse. You would also restrict the usage possibilities of the RFC destination to redistribution, meaning that no other application can use this destination.

Recommendation

We therefore recommend that you use “normal” RFC destinations for the RFC connection from the child to the central system.

Prerequisite

        You have set up Trusted System trust relationships for the RFC connection from the central to the child system.

        The administrators have the same user ID in all systems.

System Landscape of the Central User Administration

This graphic is explained in the accompanying text

Example

Tasks in SAP System ADM

...

       1.      In the logical system ADMCLNT070, you create the following system users with the roles SAP_BC_USR_CUA_SETUP_CENTRAL and SAP_BC_USR_CUA_CENTRAL:

        CUA_ADM with <password 1>

        CUA_PRD with <password 2>

        CUA_CRM with <password 3>

       2.      In the logical system ADMCLNT070, you create the users for the CUA user administrators with the authorizations for user administration; assign these users at least the roles SAP_BC_USR_CUA_SETUP_CENTRAL and SAP_BC_USR_CUA_CENTRAL.

       3.      You also create users for CUA user administrators in the logical system ADMCLNT075 to which you assign at least the roles SAP_BC_USR_CUA_SETUP_CLIENT and SAP_BC_USR_CUA_CLIENT.

       4.      Create the following cross-client RFC destinations:

        Normal RFC destination without Trusted Systems:

         ADMCLNT070 (from the central system to itself) with user CUA_ADM

        RFC destinations with Trusted Systems:

         ADMCLNT075 with the indicators Current User and Trusted System

         PRDCLNT324 with the indicators Current User and Trusted System

         PRDCLNT800 with the indicators Current User and Trusted System

         CRMCLNT800 with the indicators Current User and Trusted System

Tasks in SAP System PRD

...

       1.      You also create users for CUA user administrators in the logical system PRDCLNT324 to which you assign at least the roles SAP_BC_USR_CUA_SETUP_CLIENT and SAP_BC_USR_CUA_CLIENT.

       2.      You also create users for CUA user administrators in the logical system PRDCLNT800 to which you assign at least the roles SAP_BC_USR_CUA_SETUP_CLIENT and SAP_BC_USR_CUA_CLIENT.

       3.      You create one cross-client RFC destination ADMCLNT070 without Trusted Systems. Use the system user CUA_PRD created in the central system in this RFC destination.

Tasks in SAP System CRM

...

       1.      You also create users for CUA user administrators in the logical system CRMCLNT800 to which you assign at least the roles SAP_BC_USR_CUA_SETUP_CLIENT and SAP_BC_USR_CUA_CLIENT.

       2.      You create one cross-client RFC destination ADMCLNT070 without Trusted Systems. Use the system user CUA_CRM created in the central system in this RFC destination.

 

 

End of Content Area