How to set up Central User Administration (CUA) in SAP

Having covered the overview of CUA in our previous blog, I will now explain the procedure to set up the CUA. At a high level, the following steps need to be performed:

Steps to Set Up the CUA

  1. Create Administrator
  2. Specify Logical systems
  3. Assign logical systems to client
  4. Create system users
  5. Create RFC destinations
  6. Create CUA
  7. Set field distributor parameters
  8. Synchronization of company addresses
  9. Transfer Users

Below are the systems considered as an example to set up CUA:

  • System ABC with client 123
  • System PQR with client 456
  • System XYZ with client 789

Here, we will set system ABC (client 123) as the CUA central system and the other systems as child systems. Following this structure, we will proceed with the steps listed above:

1. Create Administrator User

In a completely new system that is to be set up, an administrator user needs to be created with which all further steps can be performed. To create this administrator user:

  • Login to all systems with user SAP* and create the user in t-code SU01
  • Assign the relevant administrator role to user
  • Apply the security measures to secure SAP* user against misuse

2. Specify Logical systems

In a CUA landscape, SAP systems are identified by logical system names. Because of this, a logical system needs to be created for every system that is going to be included in the CUA landscape. This is a one-time task to be performed before setting up CUA. The logical systems can be defined by following the steps below:

  • Login to system ABC (client 123) with administrator user created in step 1
  • Go to t-code BD54. Alternatively, you can maintain the table view V_TBDLS using transaction SM30.
  • Choose Edit → New Entries
  • In the LogSystem column, create a new logical name in capital letters for every CUA system (that is, for the central and all child systems including those from other SAP Systems). Here, the standard naming convention for logical system is <System ID>CLNT<Client>. In this way, the below logical systems will be created in CUA central system (ABC system):
    • ABCCLNT123
    • PQRCLNT456
    • XYZCLNT789

In the same way, create the logical system name for the central system in all child systems.

3. Assign logical systems to client

We need to perform this cross-client procedure only once for each SAP system as per below procedure:

  • Login with administrator user and execute the t-code SCC4
  • Switch to change mode
  • Call the detail display of the client that you want to assign a logical system by double clicking on the line of the client
  • In the Logical System field, specify the name of the logical system to which the selected client is to be assigned

Example: if we execute the t-code SCC4 in system ABC, then open client 123 and maintain the logical system name as ABCCLNT123.

4. Create system users

System users are required for the internal communication of the systems in an ALE group. These system users, defined in the target systems, are entered in RFC destinations in the calling systems.

Note: – No license fees apply to these system users.

To simplify the maintenance of system users, use the following naming conventions:

  • In the central system (system ABC), the naming convention will be CUA_<system Id>. This system user is used in the RFC destinations from child to central system. With this naming convention, we need to create the system user in system ABC with name: CUA_ABC
  • In the child systems, the naming convention will be CUA__<System Id>_<Client>. These system users are used in the RFC destinations from the central system to the child systems. With this naming convention, we need to create the system users as below:
SAP CUA System Name System User
Table 1
Categorized as SAP Tagged

S_TABU_NAM: An advanced authorization object for generic table access

In general, access to a particular table is controlled by authorization object S_TABU_DIS, which has fields for activity (ACTVT) and authorization group (DICBERCLS). In this case, the table is assigned to a specific authorization group, and the name of the authorization group containing that table has to be maintained in S_TABU_DIS.

However, this situation has some limits:

  • A large number of tables are not assigned to any authorization group. These are included under authorization group &NC&, but this assignment is of little use when securing access to a particular table.
  • The authorization group name can have up to 4 characters, so there is a limit on the authorization groups that can be defined.
  • If we need to give access to only one table belonging to some authorization group, say XYZ, it involves additional effort.


SAP R/3 Security – Interview Questions

1. How to create the user group in SAP system?
Ans :

User group can be created by performing the below steps:

  • Execute the t-code SUGR
  • Enter the name of user group to be created in the textbox
  • Click on the create button
  • Enter the description and click on save button

2. How to find the Transport requests containing the specific role?
Ans :

The list of Transport requests containing the specific role can be retrieved by performing below steps:

  • Execute the t-code SE03
  • Double click on option “Search for Objects in requests/Tasks” under node “Objects in Requests” in left panel of screen. This will take us to new screen.
  • In object selection screen, enter the field value as ACGR and check the checkbox present at left side.
  • Enter the role name for which we need the list of transport request.
  • In the “Request/Task Selection” section (lower part of the same screen), check the statuses of the requests which we need in the list
  • Click on execute button

3. How to check the transport requests created by other user?

The t-code SE10 provides the option to enter a user name. Using this option, we can search for the transport requests created by other users.


Introduction to Central User Administration (CUA) – SAP

In a large landscape consisting of a number of SAP systems, user administration becomes a time-consuming job. For instance, to assign a role to one user in all the systems in the landscape, one needs to perform the steps below in each system:

  • Login to system
  • Execute the t-code SU01 and open the user
  • Assign the role and save the changes

The above process can be simplified if a Central User Administration (CUA) system has been installed in the landscape. The section below gives a detailed introduction to CUA.

CUA is an SAP system to which all the SAP systems in the landscape are connected through RFC connections. This enables the user to perform user maintenance for all the connected systems from one central CUA system. Below is the pictorial representation of this concept:

Central User Administration (CUA) in SAP


How to change SAP tables without coding or debugging

Generally, transaction code SM30 is used to edit any table in SAP. To use this transaction code, the user needs to go through some authorization checks. Regardless of the security on table editing, SAP table contents can be edited directly by using transaction code SE16N as below:

When in transaction SE16N, use the command &SAP_EDIT in the command field in SAP. However, this works if you have debug-with-changes access for object S_DEVELOP; S_TABU_DIS is ignored, as are the system settings regarding changes. If you use this function for transaction data, master data or other tables that cannot be changed with SM30, you can cause quite some damage. So, use with caution.

The step by step information is given below:

1: Use transaction SE16N and enter a table of your choice.

2: In the command field enter “&SAP_EDIT” and hit enter. The maintenance indicator in SE16N will be switched on.


SAP R/3 Audit Review Checklist

It is always advisable to perform a check on the SAP R/3 system a couple of times a year to ensure the tight security of the SAP system. Below are a few useful do's which can help to achieve a high degree of security:

Review the following:

System security file parameters (TU02) (e.g. password length/format, forced password sessions, user failures to end session etc.) have been set to ensure confidentiality and integrity of password.


1.  Setup and modification of user master records follows a specific procedure and is properly approved by management. 

2. Setup and modification of authorizations and profiles follows a specific procedure and is performed by someone independent of the person responsible for user master record maintenance.

3. An appropriate naming convention for profiles, authorizations and authorization objects has been developed to help security maintenance and to comply with required SAP R/3 naming conventions. 

4. A user master record is created for each user defining a user ID and password. Each user is assigned to a user group, in the user master record, commensurate with their job responsibilities. 

5. Check objects (SU24) have been assigned to key transactions to restrict access to those transactions.

6. Authorization objects and authorizations have been assigned to users based on their job responsibilities and ensuring the SOD (Segregation of duties). 

7. Users can maintain only system tables commensurate with their job responsibilities.

Select a sample of:

1. Changes to user master records, profiles and authorizations and ensure the changes were properly approved. (The changes can be viewed with transaction SECR.)

2. Verify that a naming convention has been developed for profiles, authorizations and in-house developed authorization objects to ensure that they can be easily managed and will not be overwritten by a subsequent release upgrade (for Release 2.2 should begin with Y_ or Z_ and for Release 3.0 by Z_ only).

3. Assess and review the use of the authorization object S_TABU_DIS and review the table authorization classes (TDDAT) to determine whether all system tables are assigned an appropriate authorization class and users are assigned system table maintenance access (through S_TABU_DIS) based on authorization classes commensurate with their job responsibilities.

4. Assess and review the use of the authorization objects S_Program and S_Editor and review the program classes (TRDIR) to determine whether all programs are assigned the appropriate program class and users are assigned program classes commensurate with their job responsibilities.
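
As an added illustration of review item 3 (not part of the original checklist), the sketch below cross-checks a TDDAT export against S_TABU_DIS authorization values and lists the users who can change tables that fall under &NC&. The table names, user names and CSV layout are constructed; only exact values and a full `*` wildcard are matched, not ranges or partial patterns.

```python
import csv
import io

# Constructed sample exports (not from a real system).
# TDDAT: table name -> authorization group (field CCLASS).
TDDAT_CSV = """TABNAME,CCLASS
ZFI_CONFIG,ZFI1
ZPAYROLL_CFG,&NC&
ZVENDOR_BANK,
ZHR_RATES,ZHR1
"""

# S_TABU_DIS values per user: ACTVT 02 = change, 03 = display.
AUTH_CSV = """USER,ACTVT,DICBERCLS
ALICE,03,ZFI1
BOB,02,&NC&
CAROL,02,*
DAVE,03,&NC&
"""

CHANGE = "02"
UNGROUPED = "&NC&"


def ungrouped_tables(tddat_csv):
    """Tables with no specific authorization group (blank or &NC&)."""
    rows = csv.DictReader(io.StringIO(tddat_csv))
    return sorted(r["TABNAME"] for r in rows
                  if r["CCLASS"].strip() in ("", UNGROUPED))


def users_changing_ungrouped(auth_csv):
    """Users whose S_TABU_DIS values allow change on the &NC& group."""
    hits = set()
    for r in csv.DictReader(io.StringIO(auth_csv)):
        actvt, group = r["ACTVT"].strip(), r["DICBERCLS"].strip()
        # Assumption: exact match or full wildcard only.
        if actvt in (CHANGE, "*") and group in (UNGROUPED, "*"):
            hits.add(r["USER"])
    return sorted(hits)


def review(tddat_csv, auth_csv):
    """Pair each exposed table with every user able to change it."""
    users = users_changing_ungrouped(auth_csv)
    return [(t, u) for t in ungrouped_tables(tddat_csv) for u in users]


if __name__ == "__main__":
    for table, user in review(TDDAT_CSV, AUTH_CSV):
        print(f"{user} can change {table} via {UNGROUPED}")
```

Each pair in the output is a candidate finding: either the table needs its own authorization group or the user's S_TABU_DIS values need narrowing.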

Source code for “Display All Objects” in SAP ABAP

We can find the source code for some of the Display All objects from transaction code SE38, using Utilities –> Environment Analysis.
We can also look at the object hierarchy by clicking on “Display Object List” while looking at the source code. There are various tables that cross-reference components. These can be found by tracing a where-used, for example. If we want to reproduce these in our own SAP ABAP code, we have to spend a lot of time in debug, finding out exactly when the standard SAP code is called, and how it is called.



  • In the CCMS infrastructure, if the system identifies a problem, it should execute an auto reaction, such as informing the responsible person.
  • Completed messages alerts are no longer stored in the monitoring segment, but rather in a database table (ALALERTDB). This table should be regularly cleaned up (report RSALDBRG). The completed messages can still be displayed using the Alert History.
  • From a security point of view, it is recommended that you also define a second RFC connection between the systems, with which the analysis methods can be started in the remote system from the central monitoring system. If a problem occurs, you can therefore branch directly from the central monitor to the remote system to analyze the situation in more detail.
  • SAP recommends that, for your regular work, you create your own monitors that display precisely the cross-system or local data that you require for your work. The sets and monitors delivered by SAP cannot be changed.
  • Threshold values must be stored locally in every system. However, instead of maintaining the same threshold values in every system, SAP recommends that you maintain the values in the central monitoring system and then distribute them to the monitored SAP systems using the transport system.
  • The delivered SAP monitors should always be used only as templates. The copied monitors are then adjusted to the customer’s requirements.
  • Transfer as little data as possible by RFC
  • Before you create your own monitor, you should clarify the purpose of the monitor. The monitor should display as little data as possible in as clear a way as possible.
  • The prerequisite for transporting the threshold values to other SAP systems is that you have stored them in properties variants.
  • In the RFC connection that is used for the start of the analysis method, do not enter a user, but rather check the field Current User.
  • As a global guide value, SAP recommends 10-20 monitoring attributes for each monitored instance in the central monitor.
  • Note the naming convention that your monitor set should not begin with SAP.

Applying the Support Packs in SAP System

SUPPORT PACKS: Support Packs provide enhanced functionality, bug fixes, and changes to the existing Data Dictionary elements and Repository objects such as programs, reports, transactions etc. Support Packs are of various types. A few of them are:

Basis Support Packages (SAP KB 62050)

ABAP Support Packages (SAP KA 62050)

Application Support Packages (SAP KH 47050)

HR Support Packages (SAP KE 47050)


1. SPAU and SPDD list should be checked before start of support package application.

2. Objects in repair state need to be released.

3. It is recommended that the latest SPAM/SAINT version should be applied before starting any Support Package application.

4. There should be enough space to hold the support packs in “EPS” in directory USR/SAP/TRANS/EPS/IN. There should be no aborted packages from a previously applied support pack or Plug-In.

5. Support Packages should be applied in the sequence of the support pack numbers.

6. Technical & functional consultants need to be informed while applying support packages.

7. Schedule downtime and inform the users.

8. Go through the composite note thoroughly before applying support packs. If the support pack is greater than 10MB, then uncar the file using the command SAPCAR -xvf <file>.sar. When we uncar, two files are generated with extensions .ATT and .PAT


1. Go to transaction code SPAM

2. Load Packages from the presentation server/Application server

3. Display all the new support patches to be applied

4. Select the support package to be applied

5. Import the queue. The Support Package starts upgrading the system and goes through various phases such as TP connect to DB, DDIC import, and DDIC activation. These phases can be found in table PAT01. While applying support packages, it stops to run SPAU/SPDD.

SPAU: This is the transaction to update repository objects like programs, reports, transactions and function modules while applying support packs. This is the phase where the functional consultant’s assistance is required.

SPDD: This is the transaction which is used to update Data Dictionary elements while applying support packages. This is the phase where the functional consultant’s assistance is required.

Note: If objects were changed earlier with the help of SAP Notes, and these Notes are now part of the support packs which are modifying the system, then each and every object that was modified earlier with the help of a Note pops up on the screen with the choice of whether to keep the original or change to the newer version.
