https://community.sap.com/t5/application-development-and-automation-discussions/cua-admin-user/m-p/6256259#M1384375 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>the problem is that RFC connections used by CUA are using user CUA_ADMIN. If you want to change it then you need to [modify|http://help.sap.com/saphelp_nw04/helpdata/en/4c/b5b13bbaac1c3ce10000000a11402f/frameset.htm] all RFC connections from child systems to central system. But I agree that it does not make too much sense to just change user name.</P><P></P><P>Cheers</P></BODY></HTML> Tue, 20 Oct 2009 09:02:06 GMT mvoros 2009-10-20T09:02:06Z https://community.sap.com/t5/application-development-and-automation-discussions/cua-admin-user/m-p/6256255#M1384371 <HTML><HEAD></HEAD><BODY><P>Hi Everyone,</P><P></P><P>We have CUA linked in with our Solman and during the auditing time, auditors are recommending we do not use CUA_ADMIN user, but instead assign the CUA_ADMIN roles to specific users and get rid of this generic account. Is there any note which specifies that CUA_ADMIN user should not be deleted. I know we should'nt be deleting it. Just need the advice wether we should go ahead with this or not.</P><P></P><P>Thanks in advance.</P><P></P><P>Regards</P><P>Avneesh</P></BODY></HTML> Tue, 20 Oct 2009 04:48:38 GMT https://community.sap.com/t5/application-development-and-automation-discussions/cua-admin-user/m-p/6256255#M1384371 Former Member 2009-10-20T04:48:38Z https://community.sap.com/t5/application-development-and-automation-discussions/cua-admin-user/m-p/6256256#M1384372 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>there is a similar question already [answered on this forum|<A class="jive_macro jive_macro_thread" href="https://community.sap.com/" __jive_macro_name="thread" modifiedtitle="true" __default_attr="1477013"></A>;. By default CUA_ADMIN user has SAP_ALL which is why the auditors and SAP don't recommend to use this account. </P><P></P><P>BTW why don't you just lock CUA_ADMIN user?</P><P></P><P>Cheers</P></BODY></HTML> Tue, 20 Oct 2009 05:32:57 GMT https://community.sap.com/t5/application-development-and-automation-discussions/cua-admin-user/m-p/6256256#M1384372 mvoros 2009-10-20T05:32:57Z https://community.sap.com/t5/application-development-and-automation-discussions/cua-admin-user/m-p/6256257#M1384373 <HTML><HEAD></HEAD><BODY><P>Thanks Martin for the quick response. </P><P>But we have already removed SAP_ALL from this user. Moreover if we lock the user then the RFC connection to the child systems wont be establish.</P><P></P><P>Regards,</P><P>Avneesh</P></BODY></HTML> Tue, 20 Oct 2009 05:37:47 GMT https://community.sap.com/t5/application-development-and-automation-discussions/cua-admin-user/m-p/6256257#M1384373 Former Member 2009-10-20T05:37:47Z https://community.sap.com/t5/application-development-and-automation-discussions/cua-admin-user/m-p/6256258#M1384374 <HTML><HEAD></HEAD><BODY><P>Hi Avneesh,</P><P></P><P>It sounds like you have already done the important bit which is assigning the correct auths to your user.</P><P></P><P>Ask your auditors what the difference is between assigning the same auths to CUA_ADMIN or another system user of a different name. I bet they do not come up with a serious answer. Unless they can justify it, dispute their finding and you will be OK. The important thing is to have the user for CUA connections with the correct auths and set to the correct user type.</P></BODY></HTML> Tue, 20 Oct 2009 08:22:36 GMT https://community.sap.com/t5/application-development-and-automation-discussions/cua-admin-user/m-p/6256258#M1384374 Former Member 2009-10-20T08:22:36Z https://community.sap.com/t5/application-development-and-automation-discussions/cua-admin-user/m-p/6256259#M1384375 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>the problem is that RFC connections used by CUA are using user CUA_ADMIN. If you want to change it then you need to [modify|http://help.sap.com/saphelp_nw04/helpdata/en/4c/b5b13bbaac1c3ce10000000a11402f/frameset.htm] all RFC connections from child systems to central system. But I agree that it does not make too much sense to just change user name.</P><P></P><P>Cheers</P></BODY></HTML> Tue, 20 Oct 2009 09:02:06 GMT https://community.sap.com/t5/application-development-and-automation-discussions/cua-admin-user/m-p/6256259#M1384375 mvoros 2009-10-20T09:02:06Z https://community.sap.com/t5/application-development-and-automation-discussions/cua-admin-user/m-p/6256260#M1384376 <HTML><HEAD></HEAD><BODY><P>&gt; But I agree that it does not make too much sense to just change user name.</P><P>It can however be a start from the perspective of the master system for the text comparison, particularly if you don't have the destination names and logical system names the same and want to keep them apart.</P><P></P><P>The bugger with CUA is that even if you remove SAP_ALL, the user will still by design have strong user administration authorizations... e.g. could create a new user with sufficient authorizations to administrate itself, etc.</P><P></P><P>An alternative is to use Trusted RFC (possibly even with a current user flag setting for the admins) and then use object S_ICF to restrict access <STRONG>on the client side of the call</STRONG> to even call or display the destination. This way, groups of destinations can be protected from user's outside of a certain role (like user admins...) but the destination can still do it's powerfull tasks.</P><P></P><P>I can recommend looking into this for CUA as a good example. With a small effort, you will quickly achieve a big security gain.</P><P></P><P>Please check the documentation on the object before activating it, as it is "shared" with S_RFC_ADM.</P><P></P><P>Cheers,</P><P>Julius</P></BODY></HTML> Tue, 20 Oct 2009 09:17:57 GMT https://community.sap.com/t5/application-development-and-automation-discussions/cua-admin-user/m-p/6256260#M1384376 Former Member 2009-10-20T09:17:57Z https://community.sap.com/t5/application-development-and-automation-discussions/cua-admin-user/m-p/6256261#M1384377 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>If you still need to keep the CUA_ADMIN user is for RFC connections only then why dont you change the userID type from Dialog to system/communications.</P><P></P><P>Hari</P></BODY></HTML> Tue, 20 Oct 2009 12:06:11 GMT https://community.sap.com/t5/application-development-and-automation-discussions/cua-admin-user/m-p/6256261#M1384377 Former Member 2009-10-20T12:06:11Z https://community.sap.com/t5/application-development-and-automation-discussions/cua-admin-user/m-p/6256262#M1384378 <HTML><HEAD></HEAD><BODY><P>Exactly Alex!! I have dropped the mails to auditors. lets see what the points they have regading this.</P><P></P><P>Thanks for the Reply.</P><P></P><P>Regards,</P><P>Avneesh</P></BODY></HTML> Tue, 20 Oct 2009 12:31:11 GMT https://community.sap.com/t5/application-development-and-automation-discussions/cua-admin-user/m-p/6256262#M1384378 Former Member 2009-10-20T12:31:11Z https://community.sap.com/t5/application-development-and-automation-discussions/cua-admin-user/m-p/6256263#M1384379 <HTML><HEAD></HEAD><BODY><P>Thanks Julius!</P><P></P><P>Atleast learnt new thing today. Appreciate the help.</P><P></P><P>Regards,</P><P>Avneesh</P></BODY></HTML> Tue, 20 Oct 2009 12:35:39 GMT https://community.sap.com/t5/application-development-and-automation-discussions/cua-admin-user/m-p/6256263#M1384379 Former Member 2009-10-20T12:35:39Z https://community.sap.com/t5/application-development-and-automation-discussions/cua-admin-user/m-p/6256264#M1384380 <HTML><HEAD></HEAD><BODY><P>Thanks everyone for the effort. I am working on it and will update you all with the best solution i found in this case as soon am done it.</P><P></P><P>Regards</P><P>Avneesh</P></BODY></HTML> Tue, 20 Oct 2009 12:37:09 GMT https://community.sap.com/t5/application-development-and-automation-discussions/cua-admin-user/m-p/6256264#M1384380 Former Member 2009-10-20T12:37:09Z