Overview of User Administration - SAP BASIS

As a SAP administrator or support personnel, user handling should not be of major concern if certain rules and guidelines are followed from the beginning of the project. This, however, does not apply to authorization and role maintenance, which are matters of joint projects and efforts between the SAP functional and technical people. The reason is that usually SAP system managers do not have to deal with such things as granting access to certain users for specific general ledger accounts, cost centers, or production plants. It is the role of the customization specialists, developers, or business consultants to define entities that should be protected by means of authorization objects and to assign or create the corresponding roles or profiles.

This task is really important, and it might become a puzzle that can take a lot of time to solve, depending on the degree of security protection desired and the number of users and modules being implemented. The easy part of user administration deals with such things as creating user master records, changing passwords, helping users define their own default values, and organizing the user maintenance tasks.

Managing User Master Records

Just as SAP systems based on the SAP WAS for ABAP have a material master, a vendor master, and so on, the user administration and management functions have a user master. The user master records define the user accounts that enable access to the system. Apart from the user ID they contain further screens with additional fields, some of which are just for information purposes (but are nevertheless important) and others that can make life easier for both users and administrators.

The user master records contain all the access information needed by the system to validate a user logon and assign users access rights to the system, such as passwords, roles, and authorization profiles. There is a lot of extra information in a user master record, including which start menu the users will see when they first log on, what printer is assigned by default, and the addresses and phone numbers of users. Some of the fields are just for information purposes, whereas others have a direct effect on the working environment for the users.

To reach the user maintenance functions via menu options, from the SAP Easy Access menu select Tools | Administration | User Maintenance | Users, or type the transaction code SU01 in the command field.

Initial screen for user management

This screen shows the input field for specifying an individual user for which to perform administrative actions. To find a particular user when you don't know the proper user ID, you can select the possible entries list arrow and then click on the List icon on the dialog box. To perform functions over a group of users, the system includes some options under the menu Environment | Mass Changes. This is introduced in a later section.

Creating Users

From the User Maintenance initial screen, there are many options available. Normally, the input field for the user field is empty, except if you have been working in other user management functions previously in the same session. User master records are client dependent, which means that they are separately defined for each client in the SAP system. For example, if user FREDSMITH is defined on client 003, but not on client 005, he won't be able to log on in client 005.

To create a user master record you have two options: either define it completely from scratch or copy it from another user or from a reference user you had previously defined. The next list explains both methods.

  • Creating new users from scratch. From the User Maintenance initial screen, enter the name for the new user and click on the Create icon, press the F8 function key, or select User Names | Create from the menu bar. The figure shows a screen similar to the one you will get. The system displays the different sections of the user master record on different tabstrips. You might get additional tabstrips if you have security interfaces installed, such as an SNC-compatible product.

    The first data the system displays corresponds to the Address information. Here the Last Name is a mandatory field that must be completed to go to other sections. You can move back and forth between tabstrips by clicking on them. However, any mandatory fields on these tabstrips must be completed before you can move to another section.

    The most important mandatory field is the password, located under the Logon Data tabstrip. Enter or generate a password in the Initial Password field and retype it in the second field (verification field). Also you can optionally enter the user group for authorization check, or select it from the list of available groups by clicking on the possible list entries arrow.

    Users themselves can maintain information corresponding to Address, Defaults, and Parameters by selecting System | User Profile | Own Data if they have the required authorizations.

    When mandatory fields are completed, you can save the user by clicking on the Save icon. It is important, however, to assign at least some authorization profiles or role to the users; otherwise they won't be able to perform any task. After a user has been created, any modification to the user master fields is performed by entering the user ID in the User input field of the initial User Maintenance screen and clicking on the Change icon on the application toolbar.

  • Copying users from reference master records. Instead of defining the SAP users one by one from scratch, it is usually better to define some template user master records and to create new users by copying these templates and changing only some of the fields. Doing it this way reduces the time needed to create users, especially at the beginning of the system life. These models or reference users can be regular SAP system users.

    For example, suppose your company is implementing an SAP R/3 Enterprise system for managing sales and distribution, materials management, and finance. There will probably be users who just take orders in the system, others doing accounting work, and others with different tasks. In such cases, you can create a reference user for the sales module and use that user master record as a template for creating the rest. The same can be done for the users of other modules.

    To create a new user by copying from a reference user, from the initial user maintenance screen, enter the name of the new user in the input field and press the Copy function button from the application toolbar. The system displays a dialog box similar to the one shown in Figure .

    You can decide which parts of the user master record to copy. You might want to copy just the profiles, just the address (for example, to reuse the company address data), or even just the defaults. In any case, you will have to specify a new password for the new user. The values on the following screens can be modified just as if you were creating a new user. To modify any input field value, write over the field while in Overwrite mode.

Creating users from scratch

Logon data

Dialog box for copying users

User Master Records Fields

Whether you are creating or modifying user master records, the SAP system screens for the user maintenance transaction show several input fields. There are many; some of the most important are the following:

  • Initial password. The password for the first logon with the user ID. The password must be entered twice in a verification field, to make sure there were no typing errors. The next section explains password management from the point of view of the administrator. For an introduction and guide for users, refer to the section on password rules in Chapter .
  • User group. Located under the Groups tabstrip, the name of the user master record groups to which this user can be assigned. This is a useful field for dividing user maintenance among groups or for performing changes on all users belonging to a group. For example, you can create user administrator master records in charge of a particular group but not of others. Before you can assign a group, it must have been created first.
  • User type. Located on the Logon Data tabstrip, there are five user types available, each of which provides special access privileges depending on the type of processing. The normal interactive or ordinary user must be of type Dialog, which is the default. Other types of users are
    • System, which provides access privileges for processing background jobs and for internal RFC calls.
    • Communication, which is used for communication between systems not requiring dialog, such as ALE, RFC, or the TMS.
    • Service, a special type of user that can be assigned to a larger group of anonymous users; multiple logons with the same user ID are allowed.
    • Reference, an additional user type used only to assign additional, identical authorizations to other users. No online access to the system is possible with this type of user, and each user can be assigned only one reference user.
  • Validity period. In this optional field, administrators can enter a period of time in which the user ID is valid. Although this field is often left empty, it can be very useful within a security policy, especially when setting accounts for occasional users such as external consultants or business partners.
  • Other data: accounting number. You can enter in this optional field any name or number you want to assign to a user as his or her user account. It can be unique for each user or can be shared by a group of users. This field is useful when working with the SAP user accounting system, which performs statistics of the usage of the system. If you want to get individual usage statistics, you could enter the same user ID name into this field. For group statistics, a possibility is to enter the cost center, the department name, and so forth. If you leave it blank, the accounting statistics for the user will be assigned to a collective No account category.
  • Roles. In the roles tab page, you can enter any number of predefined roles, which is one collective way of assigning specific authorizations to users for accessing SAP systems. Formerly this was known as task profile.
  • Profiles. A profile gives the user the permission to access specific system functions. Profiles are made of a group of authorizations and authorization objects. Profiles can be simple or composite. Composite profiles are groups of profiles (either simple or composite).

SAP systems include a large number of predefined roles and profiles matching the most common user needs for the different SAP application modules and also for the development and system management functions. To get the list of predefined roles or profiles, click on the possible entries arrow of the corresponding input field on the Roles or Profiles tabstrip. You can look for specific predefined profiles either in the application documentation or by searching the implementation guide (IMG). Another way to find the right profiles is to trace the authorization checks a user triggers and then use the authorization information system.

The system provides facilities for creating your own roles and profiles, using the Role Maintenance and the Profile Generator, when the predefined profiles or roles are not enough.

Available Defaults and Options for User Master Records

After the first initial screen for user maintenance, the system provides additional screens for entering other user information. You can set, for example, the default printer for a user, the user's address, and values for user field defaults (parameters). The three available screens are Address, Defaults, and Parameters. These subscreens are accessed by clicking on the corresponding tabstrip within the User Maintenance screen. Users can set their own values and defaults by themselves in the System | User Profile | Own Data menu. The following sections show the available options that can be set by users.

Specifying User Address

The information in user addresses is only used by the SAP system for documentation purposes. It can be very useful, however, for system administrators when trying to locate a user by her or his name, phone number, and so on. Often companies assign user IDs using letters and numbers which are coded so that it is easier to locate or assign user IDs to system users. The address data for a user includes three main information boxes, corresponding to Person, Communication, and Company. Some of the most important fields in those boxes are as follows:

  • Last Name. In this field you must enter the surname of the user. This is a mandatory field that has an additional use when using the SAP Business Workplace.
  • Telephone No., Fax, and E-mail. These fields can be used for entering the phone number, fax number, and e-mail address, which are important, especially the fax and the e-mail, when connecting the SAP systems with external fax systems or Internet e-mail.
  • Company. You can also enter and maintain the company information for users.

Setting User Default Values

Administrators or users by themselves can set some fixed or default values for some common functions or input fields that they find often while working in SAP systems. Figure shows an example of this screen. Here, you can set the following:

  • Start menu. You can set the name of the menu or the transaction, which will be started automatically when a user logs on.
  • Logon language. Setting this field for a user will overwrite the system default when the user logs on. If the language field for the initial logon window of the SAP system is empty, the language specified in this field is used.
  • The default printer for a user. This is assigned in the Output Device field. You can click on the possible entries arrow to display a list of printers.
  • The output controller check boxes. These are particularly important for handling user print requests. Check the box next to Print immediately to have a print job sent directly to the printer; otherwise, it will just send it to the output controller where users can print it later. Setting the box next to Delete after output tells the system to delete the job from the spool database after it has been printed.
  • The date format and decimal notation. The last check box, CATT, is used for special test functions within the computer-aided test tool provided in the SAP system. For information on CATT, look it up in the SAP online documentation.

Maintaining user default values

Setting User Default Values for Parameters

The parameters that can be set on this screen correspond to fields on SAP system screens. Setting default values for these parameters has the advantage that every time a user is presented with a screen containing one of those fields, the value is automatically entered in the input field. This concept is explained in Chapter . Remember that at any time users can overwrite those values on the screen, or change the parameter values themselves by selecting System | User Profile | Own Data. The parameter screen has two fields:

  • Parameter ID. The ID of the parameter, which you can find in the technical information for the field (remember: place the cursor on the field, press F1 and then Technical Info). You can also list the available parameters by clicking on the possible entries arrow next to the parameter input field.
  • In the Value field, enter the value you want to assign as the default any time a SAP screen presents that field.

Managing User Groups

User groups within the SAP user maintenance functions basically serve as a way to divide administration tasks. To reach the user group screen, from the initial user maintenance, select Environment | User Groups and then you can either Maintain or Display them. User groups are just assigned a name. So the only two basic functions to perform are either create a group or delete a group. To create or delete a group, position the cursor over the group name and click on the corresponding function button. Clients 000 and 001 include a special privilege group, SUPER, which is normally assigned to superusers SAP* and DDIC. To delete the group SUPER, users need special authorization.

Modifying User Master Records

Changes to user master records can be made by a system administrator with the corresponding authorization, or by the users themselves for their own address, defaults, and parameter values. Ordinary users cannot change, for example, their own roles or authorization profiles; they can do so only if they have the additional access rights for that operation. Modifications to a user master record (a new password, a lock, a validity period, and so on) take effect only the next time the user logs on; users who are currently logged on are not affected. Administrators can, however, change users' access permissions by modifying and then activating authorizations and profiles. Changes to profiles are not effective until the users log on again, whereas a modified and reactivated authorization takes effect immediately, even for logged-on users. So, for instance, if an authorization is changed and then activated, it immediately affects all users whose profiles contain that authorization.

Deleting Users

To delete a single user master record, just enter it in the input box of the initial user maintenance screen and press DELETE on the application toolbar.

Locking and Unlocking Users

Administrators can temporarily set a lock in a user master record that prevents that user from logging on to the SAP system. To lock a user, enter the user name in the input field and select the Lock/Unlock button on the application toolbar, or select User Names | Lock/Unlock from the menu. Locking and unlocking work as a toggle. A lock has no effect on users who are currently logged on.

The system also locks user master records automatically after 12 consecutive unsuccessful logon attempts. The default value is 12, but administrators can change it with the instance profile parameter login/fails_to_user_lock. Refer to the section on technical details at the end of this chapter.

A user who has been automatically locked by the system because of unsuccessful logon attempts is also automatically unlocked by the system at midnight (this automatic unlock is controlled by the profile parameter login/failed_user_auto_unlock). A manual lock on a user master record, however, remains in place until you explicitly remove it.

Making Modifications to a Group of Users

The SAP system includes many functions to perform over a group of users. The options available are as follows:

  • Deleting, creating, locking, and unlocking several users in the current client. From the initial User Maintenance screen, select Environment | Mass Changes. On the new screen you select users by using the possible entries list box, or by address or authorization criteria.
  • Modifying profiles or roles for all selected users. To do this, select Environment | Mass Changes. First select the users on the Mass Changes initial screen, manually or by using criteria, and then click on the Change button on the application toolbar. You can modify not only profiles but also much other information for the group of users, applied to all of them at the same time, such as validity period, user type, defaults, and so on.

User Information System

The user maintenance functions of the SAP system include a comprehensive information system where you can look up, display, and analyze the users, profiles, or authorizations of the system. The system permits extensive navigation among the information: from users to profiles, from there to authorizations, and so on. To reach the user and authorization information system, from the main user maintenance menu, select Information | Information System. The system displays a report tree corresponding to the authorization information system. These report trees contain several folders, each of which contains different reports.

By running different reports from the report tree folders, you can get a list of users, profiles, objects, authorizations, and so forth. The system presents several selection screens to permit searching for different criteria.

Authorization info system report tree

Another very useful report collection is the Change Documents folder reports, which can be used for displaying any modifications made to authorizations, users, or profiles and tells who did the modification.

Password Management

To change a password for a user, click the Change Password pushbutton on the application toolbar of the initial user maintenance screen. The system displays the New Password dialog box, where you have to enter the password twice to verify that you made no typing mistakes. When system managers change the password for other users, the system requires those users to enter a new password of their own the next time they log on. Administrators can change their own and other users' passwords as often as they wish; ordinary users, however, can change their password only once a day.

By default, right from installation, there are some standard requirements concerning passwords. Some of the restrictions are fixed in the system code and cannot be changed, while others can be adjusted as required by setting instance profile parameters or by configuring system tables. For example, system administrators might decide to set a minimum password length or to enter a character string as a nonpermitted password. In the release described here, passwords are not case sensitive, so uppercase, lowercase, or mixed-case versions of a password behave exactly the same (note that from SAP NetWeaver 7.0 onward passwords are case sensitive and can be up to 40 characters long).

Password Restrictions and Requirements

The passwords restrictions and requirements are as follows:

  • The password cannot be the word pass.
  • Minimum password length is set by default to three characters. Administrators can change this setting by specifying a greater value in the instance profile parameter login/min_password_lng. If you change this parameter, be sure to do it in the common DEFAULT.PFL so that it takes effect on every instance of the SAP system. Maximum password length is eight characters in the release described here.
  • You can also specify the minimum number of digits, letters or special characters, by specifying a number value in the profile parameters login/min_password_digits, login/min_password_letters, or login/min_password_specials.
  • The first character of a password cannot be an exclamation point (!) or a question mark (?).
  • When a user changes his or her password, he or she may not use any of the last five passwords.
  • Administrators can decide to forbid certain strings to be used as passwords. Users will receive an error message in the status bar when specifying a password that has been forbidden by the administrator. The process of forbidding passwords is explained later.
  • A password cannot begin with three identical characters. For example, aaamy and bbbyou are invalid passwords.
  • A user must change his or her password if there is an expiration date in the user master account and the date has arrived. System managers can decide how frequently the users must enter new passwords. To enforce password changes, set the instance profile parameter login/password_expiration_time with a value indicating the number of days after which a password must be changed. For example, if the profile parameter is set to 30, users will be requested to change their password every month. To leave the passwords without limit, the default value 0 is used for this parameter.

    With the previous restrictions and other user master records rules, the process of logging on to SAP systems based on SAP WAS requires some more work for the system code to do besides checking the password. For instance, when a user tries to log on with a correct password, the system first checks whether the user is locked. If the user is locked either manually by the system manager or automatically after 12 unsuccessful logon attempts or by a system upgrade, the system displays an error message.

    If the user is not locked, then the system checks whether the current password has expired. In this case, the system requests the user to enter a new password.

Restricting Password Strings

System administrators can forbid passwords or password strings by entering them in table USR40. This is useful, for example, to prevent passwords built from the name of the company, the river that runs nearby, and so forth. Table USR40 is maintained with the standard table maintenance transactions such as SM30 (System | Services | Table Maintenance | Extended Table Maintenance).

To specify a nonpermitted password string, you can use the typical wildcards * and ?, where * stands for any group of characters and ? for a single character. In the example shown in the figure, the entries SAP*, *R3*, and *2005 forbid all passwords that start with the characters SAP, contain R3, or end with 2005. This table is client independent, and therefore the password restrictions apply in every client of the system.
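The following Python script is an added worked example, not SAP code and not part of the original page: it models the password checks described in the two preceding sections (the fixed rules, the login/min_password_* profile parameters, the five-password history, and USR40-style forbidden strings with the * and ? wildcards) so that you can see how a candidate password fails each rule. The profile values and the USR40 entries are constructed sample data for the example, and the case folding reflects the classic, case-insensitive password rules described above.

```python
"""Password-rule checker modelled on the SAP WAS password rules above.

Added example; not SAP code.  Reproduces the fixed rules (not PASS,
not starting with ! or ?, not beginning with three identical
characters, none of the last five passwords), the profile-parameter
rules (login/min_password_lng, login/min_password_digits,
login/min_password_letters, login/min_password_specials) and the
USR40 forbidden strings with * and ? wildcards.
"""
import re

# Constructed sample of instance profile values (assumptions for the
# example; the parameter names are the ones the chapter describes).
PROFILE = {
    "login/min_password_lng": 6,
    "login/min_password_digits": 1,
    "login/min_password_letters": 1,
    "login/min_password_specials": 0,
}

# Constructed sample of USR40 entries, not the contents of any real
# system: forbid passwords starting with SAP, containing R3, or ending
# with 2005.
USR40 = ["SAP*", "*R3*", "*2005"]

MAX_LENGTH = 8      # classic (pre-7.0) limit described in the text
HISTORY_DEPTH = 5   # the last five passwords may not be reused


def usr40_to_regex(pattern: str) -> "re.Pattern":
    """Turn a USR40 entry into an anchored, case-insensitive regex.

    '*' matches any run of characters, '?' exactly one character, and
    every other character is taken literally (re.escape handles that).
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def is_forbidden_by_usr40(password: str, entries=USR40) -> bool:
    """True if the password matches any forbidden USR40 pattern."""
    return any(usr40_to_regex(e).match(password) for e in entries)


def check_password(password: str, history=(), profile=PROFILE, usr40=USR40) -> list:
    """Return the list of violated rules; an empty list means acceptable.

    The classic rules are not case sensitive, so everything is compared
    in upper case.  `history` holds the user's previous passwords,
    oldest first.
    """
    pw = password.upper()
    problems = []
    if pw == "PASS":
        problems.append("password may not be PASS")
    if len(pw) < profile["login/min_password_lng"]:
        problems.append("shorter than login/min_password_lng")
    if len(pw) > MAX_LENGTH:
        problems.append("longer than the maximum of %d characters" % MAX_LENGTH)
    if pw[:1] in ("!", "?"):
        problems.append("may not start with ! or ?")
    if len(pw) >= 3 and pw[0] == pw[1] == pw[2]:
        problems.append("may not begin with three identical characters")
    if sum(c.isdigit() for c in pw) < profile["login/min_password_digits"]:
        problems.append("too few digits")
    if sum(c.isalpha() for c in pw) < profile["login/min_password_letters"]:
        problems.append("too few letters")
    if sum(not c.isalnum() for c in pw) < profile["login/min_password_specials"]:
        problems.append("too few special characters")
    if pw in (h.upper() for h in history[-HISTORY_DEPTH:]):
        problems.append("matches one of the last %d passwords" % HISTORY_DEPTH)
    if is_forbidden_by_usr40(pw, usr40):
        problems.append("matches a forbidden string in USR40")
    return problems


if __name__ == "__main__":
    for candidate in ("Berlin7!", "sap2005", "pass", "?abcd12", "aaab123"):
        print("%-10s -> %s" % (candidate, check_password(candidate) or "OK"))
```

Note that the USR40 check, like the real one, only applies when a password is set or changed; it does not retroactively invalidate passwords that already exist, which is why forbidden strings should be entered before users are created.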

Maintaining forbidden password character strings in table USR40

Managing SAP System Superusers

The SAP WAS system includes in the default installation two special users: DDIC and SAP*. These users have special privileges and must be protected to avoid unauthorized access. System administrators should consider a good strategy for managing the superusers of SAP systems for security reasons and to ensure system integrity. The standard installation creates the system clients 000, 001, and 066. The SAP* and DDIC users are created in clients 000 and 001 with standard names and passwords.

User SAP*

SAP* is the standard SAP system superuser, and it is the only user that does not require a user master record, because it is defined in the system code itself. When a new client is created (for example, as the target of a client copy), SAP* exists in the new client by default with the standard password PASS and unlimited access rights. In the standard installation, SAP* has the password 06071992 in clients 000 and 001. The special properties of SAP* can be deactivated: create a user master record for it, and SAP* then has only the authorizations given in the profiles and roles of that user master record.

If a user master record exists for SAP* and then it is deleted, it recovers the special properties assigned by the system code and has the password PASS again. When SAP* does not have a user master record, the password is always PASS; it cannot be changed, and it's not subject to any authorization check.

Some of the measures to protect SAP* are as follows:

  • Change the password in client 000 and 001.
  • Create a user master record for SAP* in 000, 001, 066, and any new clients you create in the system.
  • Turn off the special status of SAP* by setting the instance profile parameter login/no_automatic_user_sapstar to a value greater than zero in the common default profile, DEFAULT.PFL. If the parameter is set, SAP* has no special default properties, and if there is no SAP* user master record, SAP* cannot be used to log on at all. Keep a user master record for SAP* even when this parameter is set, because if the parameter is ever reset to 0 the system will again allow logons by SAP* with the password PASS.
  • With a user master record, SAP* behaves like any other user and is subject to authorization checks, and its password can be changed.
  • Create your own superuser account in each system client. This is explained in the next section.
  • Delete all profiles from the SAP* profile list so that it has no authorizations.
  • Be sure that SAP* is assigned to the user group SUPER, which protects the master records from being deleted by anyone not having authorization to delete SUPER master records. The user group SUPER has special status in the user maintenance profiles as delivered by the system. Users within this group can only be maintained or deleted by new superusers, as defined by the SAP standard authorization profiles.
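The following DEFAULT.PFL fragment is an added illustration, not a profile from any real system, that collects the profile parameters named in this chapter for password rules, automatic locking, and SAP* hardening in one place. The parameter names are real SAP profile parameters; the values are assumptions chosen for the example and should follow your own security policy. login/fails_to_user_lock is the parameter behind the 12-failed-logons default described in the locking section.

```text
# DEFAULT.PFL (excerpt) - added example; values are assumptions for illustration

# Password rules (see "Password Restrictions and Requirements").
# Classic defaults: min_password_lng = 3, expiration_time = 0 (never expires).
login/min_password_lng = 8
login/min_password_digits = 1
login/min_password_letters = 1
login/min_password_specials = 1
login/password_expiration_time = 90

# Lock the user after 5 consecutive failed logons instead of the classic default of 12.
login/fails_to_user_lock = 5

# SAP* hardening (see "Managing SAP System Superusers").
# 1 switches off the built-in SAP*/PASS logon that exists when no SAP* user
# master record is present. Keep a SAP* user master record in every client
# anyway, so that resetting this to 0 does not silently reopen that logon.
login/no_automatic_user_sapstar = 1
```

Because DEFAULT.PFL is read by every instance of the system, setting these parameters there avoids the situation in which one application server enforces the policy and another does not.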

Defining a New Superuser

Defining a new superuser just requires giving him or her a superuser profile with all authorizations in the user master record. The standard profile with full authorization, which is the only one needed to define a new superuser to replace SAP*, is the SAP_ALL profile. SAP_ALL contains all SAP authorizations, including the new authorizations as released in the SAP_NEW profile. SAP_NEW is a standard profile that ensures upward compatibility in access privileges. It's the way to protect users against authorization problems after a new system upgrade. If the upgrade of the system includes new access tests, this profile ensures the inclusion of those new authorization objects needed to validate the new access tests.

User DDIC

User DDIC (from data dictionary) is the maintenance user for the ABAP Dictionary and for software logistics. It is the user required to perform special functions during system upgrades. Like SAP*, DDIC is a user with special privileges. The user master record for DDIC is created automatically in clients 000 and 001 when you install your SAP system, with the default password 19920706. Unlike SAP*, it always has its own user master record. To secure DDIC against unauthorized use, you must change its password in clients 000 and 001 of your SAP system. User DDIC is required for certain installation and setup tasks, so you should not delete it.

All rights reserved © 2020 Wisdom IT Services India Pvt. Ltd