10-20-2009 5:48 AM
Hi Everyone,
We have CUA linked in with our Solman and during the auditing time, auditors are recommending we do not use CUA_ADMIN user, but instead assign the CUA_ADMIN roles to specific users and get rid of this generic account. Is there any note which specifies that CUA_ADMIN user should not be deleted. I know we should'nt be deleting it. Just need the advice wether we should go ahead with this or not.
Thanks in advance.
Regards
Avneesh
10-20-2009 6:32 AM
10-20-2009 6:32 AM
10-20-2009 6:37 AM
Thanks Martin for the quick response.
But we have already removed SAP_ALL from this user. Moreover if we lock the user then the RFC connection to the child systems wont be establish.
Regards,
Avneesh
10-20-2009 9:22 AM
Hi Avneesh,
It sounds like you have already done the important bit which is assigning the correct auths to your user.
Ask your auditors what the difference is between assigning the same auths to CUA_ADMIN or another system user of a different name. I bet they do not come up with a serious answer. Unless they can justify it, dispute their finding and you will be OK. The important thing is to have the user for CUA connections with the correct auths and set to the correct user type.
10-20-2009 10:02 AM
Hi,
the problem is that RFC connections used by CUA are using user CUA_ADMIN. If you want to change it then you need to [modify|http://help.sap.com/saphelp_nw04/helpdata/en/4c/b5b13bbaac1c3ce10000000a11402f/frameset.htm] all RFC connections from child systems to central system. But I agree that it does not make too much sense to just change user name.
Cheers
10-20-2009 10:17 AM
> But I agree that it does not make too much sense to just change user name.
It can however be a start from the perspective of the master system for the text comparison, particularly if you don't have the destination names and logical system names the same and want to keep them apart.
The bugger with CUA is that even if you remove SAP_ALL, the user will still by design have strong user administration authorizations... e.g. could create a new user with sufficient authorizations to administrate itself, etc.
An alternative is to use Trusted RFC (possibly even with a current user flag setting for the admins) and then use object S_ICF to restrict access on the client side of the call to even call or display the destination. This way, groups of destinations can be protected from user's outside of a certain role (like user admins...) but the destination can still do it's powerfull tasks.
I can recommend looking into this for CUA as a good example. With a small effort, you will quickly achieve a big security gain.
Please check the documentation on the object before activating it, as it is "shared" with S_RFC_ADM.
Cheers,
Julius
10-20-2009 1:31 PM
Exactly Alex!! I have dropped the mails to auditors. lets see what the points they have regading this.
Thanks for the Reply.
Regards,
Avneesh
10-20-2009 1:35 PM
Thanks Julius!
Atleast learnt new thing today. Appreciate the help.
Regards,
Avneesh
10-20-2009 1:06 PM
Hi
If you still need to keep the CUA_ADMIN user is for RFC connections only then why dont you change the userID type from Dialog to system/communications.
Hari
10-20-2009 1:37 PM
Thanks everyone for the effort. I am working on it and will update you all with the best solution i found in this case as soon am done it.
Regards
Avneesh