Solved: Cua_Admin User

Former Member · ‎10-20-2009

Hi Everyone,

We have CUA linked in with our Solman and during the auditing time, auditors are recommending we do not use CUA_ADMIN user, but instead assign the CUA_ADMIN roles to specific users and get rid of this generic account. Is there any note which specifies that CUA_ADMIN user should not be deleted. I know we should'nt be deleting it. Just need the advice wether we should go ahead with this or not.

Thanks in advance.

Regards

Avneesh

mvoros · ‎10-20-2009

Hi,

there is a similar question already [answered on this forum|;. By default CUA_ADMIN user has SAP_ALL which is why the auditors and SAP don't recommend to use this account.

BTW why don't you just lock CUA_ADMIN user?

Cheers

mvoros · ‎10-20-2009

Hi,

there is a similar question already [answered on this forum|;. By default CUA_ADMIN user has SAP_ALL which is why the auditors and SAP don't recommend to use this account.

BTW why don't you just lock CUA_ADMIN user?

Cheers

Former Member · ‎10-20-2009

Thanks Martin for the quick response.

But we have already removed SAP_ALL from this user. Moreover if we lock the user then the RFC connection to the child systems wont be establish.

Regards,

Avneesh

Former Member · ‎10-20-2009

Hi Avneesh,

It sounds like you have already done the important bit which is assigning the correct auths to your user.

Ask your auditors what the difference is between assigning the same auths to CUA_ADMIN or another system user of a different name. I bet they do not come up with a serious answer. Unless they can justify it, dispute their finding and you will be OK. The important thing is to have the user for CUA connections with the correct auths and set to the correct user type.

mvoros · ‎10-20-2009

Hi,

the problem is that RFC connections used by CUA are using user CUA_ADMIN. If you want to change it then you need to [modify|http://help.sap.com/saphelp_nw04/helpdata/en/4c/b5b13bbaac1c3ce10000000a11402f/frameset.htm] all RFC connections from child systems to central system. But I agree that it does not make too much sense to just change user name.

Cheers

Former Member · ‎10-20-2009

> But I agree that it does not make too much sense to just change user name.

It can however be a start from the perspective of the master system for the text comparison, particularly if you don't have the destination names and logical system names the same and want to keep them apart.

The bugger with CUA is that even if you remove SAP_ALL, the user will still by design have strong user administration authorizations... e.g. could create a new user with sufficient authorizations to administrate itself, etc.

An alternative is to use Trusted RFC (possibly even with a current user flag setting for the admins) and then use object S_ICF to restrict access on the client side of the call to even call or display the destination. This way, groups of destinations can be protected from user's outside of a certain role (like user admins...) but the destination can still do it's powerfull tasks.

I can recommend looking into this for CUA as a good example. With a small effort, you will quickly achieve a big security gain.

Please check the documentation on the object before activating it, as it is "shared" with S_RFC_ADM.

Cheers,

Julius

Former Member · ‎10-20-2009

Exactly Alex!! I have dropped the mails to auditors. lets see what the points they have regading this.

Thanks for the Reply.

Regards,

Avneesh

Former Member · ‎10-20-2009

Thanks Julius!

Atleast learnt new thing today. Appreciate the help.

Regards,

Avneesh

Former Member · ‎10-20-2009

Hi

If you still need to keep the CUA_ADMIN user is for RFC connections only then why dont you change the userID type from Dialog to system/communications.

Hari

Former Member · ‎10-20-2009

Thanks everyone for the effort. I am working on it and will update you all with the best solution i found in this case as soon am done it.

Regards

Avneesh