Former Member
Mar 13, 2007 at 06:37 PM

SAP Cleanup of rogue user accounts without CUA


Dear Experts,

I am currently facing the situation that we had to eliminate the SAP CUA in an SAP environment due to architectural incompatibilities. One feature of the CUA was to eliminate "unknown" user accounts in the connected CUA child systems; this is what I was told, at least.

This is not supported by the current implementation without CUA. There is a central user management in place built around a non-SAP IDM system, which was previously interfaced with the CUA. It controls the "known" accounts in the SAP application systems.

Means of user creation and modification are disabled in the former "CUA child systems" apart from the SAP emergency user; its use is controlled by a documented process.

I can personally see the risk that there are users created "locally" outside the control of the central user management. My question is:

- Is this really a valid risk?

- May we run into compliance issues, as the client is in the financial business?

- What are appropriate controls in case you see a risk in there as well?

Kind regards,


Message was edited by:

Richard Hösl