Skip to Content

RFC login and user creation to remote system

Hi there,

Hopefully this is the related forum for this question. We have a scenario where we need an automated process to create users on one system and then create just the same account on a remote system with deactivated password.

How is this best handled in ABAP code where the system account info/password of the remote system is not listed in the abap code. Should a SM59 connection be created and then somehow this is referenced from abap code ?

Also, this will be a SM37 job stream running on the local server under one name running the job and in the code it should be using a different name (destination) for the remote connection to create the user.

I am a security person, not abaper. Input /best practice appreciated.

Thanks !

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • avatar image
    Former Member
    Feb 23, 2010 at 09:01 PM

    BAPI_USER_CREATE1 check this BAPI.

    Similarly you can create a RFC in othe rsystem and call it from your system.

    When iit create user id & password

    Pass it to login.

    I hope it will heps you

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Feb 23, 2010 at 09:35 PM

    > I am a security person, not abaper. Input /best practice appreciated.

    Actually this is a security question, so I have moved it to the security forum... 😊

    If the password is to be deactivated in the target system but not in the source ("master" system) then you can use several standard user provisioning mechanisms for this (CUA, GRC-CUP, IdM, UME configuration...) and configure the target system to deactivate the password itself. There are also several ways of achieving this, without any coding required necessarily.

    The most obvious one which jumps to mind is RZ11 parameter login/password_change_for_SSO.

    Alternately if your scenario is better suited to it, you can also use login/password_max_idle_initial.

    Also see transaction RSUSR200.

    Etc...

    > Should a SM59 connection be created and then somehow this is referenced from abap code ?

    No. It should be referenced from configuration of the application which calls the RFC connection, defined in SM59. You can also optionally use the "current user" setting and alternate authentication methods to (saved) passwords. This I would generally recommend.

    Cheers,

    Julius

    Edited by: Julius Bussche on Feb 23, 2010 10:36 PM

    Add comment
    10|10000 characters needed characters exceeded