Solved: Profiles in CUA.

Former Member · ‎09-16-2009

Hi Everyone,

We have CUA configured and theres the user CUA_ADMIN, due to some policies we have to remove SAP_ALL & SAP_NEW from the user CUA_ADMIN. I am not sure if i remove these profiles from the user CUA_ADMIN then will it be able to perform all the tasks as it used to do before.

Moreover if i remove the profiles, then will i be creating some role and will be assigning to the user CUA_ADMIN. If the role needs to be created then please suggest me what all i need to add in that role.

Waiting for the response!! Please help.

Regards,

Avneesh

Former Member · ‎09-16-2009

Hi Avneesh,

If you look in the setup guides for CUA (e.g. http://ecohub.sdn.sap.com/irj/scn/index?rid=/library/uuid/fe4f76cc-0601-0010-55a3-c4a1ab8397b1 ) , they recommend that you use some of the roles in the following naming sequence:

SAP_BC_USR_CUA*

Copy the standard roles and use them as a basis for your own version. There may be some additional idoc & rfc auths required.

Former Member · ‎09-16-2009

Hi Avneesh,

If you look in the setup guides for CUA (e.g. http://ecohub.sdn.sap.com/irj/scn/index?rid=/library/uuid/fe4f76cc-0601-0010-55a3-c4a1ab8397b1 ) , they recommend that you use some of the roles in the following naming sequence:

SAP_BC_USR_CUA*

Copy the standard roles and use them as a basis for your own version. There may be some additional idoc & rfc auths required.

Former Member · ‎09-16-2009

Thanks Alex for the quick response.

We have the standard roles for CUA in the user CUA_ADMIN that is according to the standard guide of CUA. My concern is that is it compulsary to give SAP_ALL & SAP_NEW to the user CUA_ADMIN?

Regards,

Avneesh

Former Member · ‎09-16-2009

Hi Avneesh,

There is no reason to give SAP_ALL or SAP_NEW to any of the CUA users. The standard roles do a pretty good job of doing what they need to. If you think about what they actually do, it's user mainly RFC connections, idoc processing, SU01 etc.

Former Member · ‎09-16-2009

Note that the document mentioned above (from 2005) is not valid for current releases, for example the standard roles delivered might have changes since then.

If you want to copy the standard roles into your own name space and tweak them (as recommended) then you might want to take a look at [this wiki on securing RFC|http://wiki.sdn.sap.com/wiki/display/Security/BestPractice-HowtoanalyzeandsecureRFC+connections] which I started because there were several questions on how to go about this.

Also take note on the procedures for using (relatively new) object S_ICF for CUA (client side RFC server security) as even if you restrict the access of the RFC user, it will still need authorizations for user management because that is what it does. This is a very usefull and more secure new technique which is aimed exactly at scenarios such as CUA - where the user ID does need critical access and you want to increase 80% of the security with 20% effort.

Cheers,

Julius

Edited by: Julius Bussche on Sep 16, 2009 10:32 AM

Former Member · ‎09-16-2009

Thanks Julius.

I am going through it, will update you all once its done with the testing.

Regards,

Avneesh

Former Member · ‎09-16-2009

Thanks Alex & Julius.

The issue is resolved now , i have removed the auth for SAP_ALL & SAP_NEW from CUA_ADMIN and its working fine.

Regards

Avneesh