For a SAP administrator or support person, user handling should not be a major concern if certain rules and guidelines are followed from the beginning of the project. This, however, does not apply to authorization and role maintenance, which is a matter of joint projects and efforts between the SAP functional and technical people. The reason is that SAP system managers usually do not have to deal with such things as granting access to certain users for specific general ledger accounts, cost centers, or production plants. It is the role of the customization specialists, developers, or business consultants to define the entities that should be protected by means of authorization objects and to assign or create the corresponding roles or profiles.
This task is really important, and it might become a puzzle that can take a lot of time to solve, depending on the degree of security protection desired and the number of users and modules being implemented. The easy part of user administration deals with such things as creating user master records, changing passwords, helping users define their own default values, and organizing the user maintenance tasks.
Managing User Master Records
Similar to the rest of the SAP systems based on the SAP WAS for ABAP, where there is a material master, a vendor master, and so on, the user administrative and management functions also have a user master. The user master records define the user accounts for enabling access to the system. They contain other screens with additional fields apart from the user ID, some of which are just for information purposes (but are nevertheless important) and others that can make life easier for both users and administrators.
The user master records contain all the access information needed by the system to validate a user logon and assign users access rights to the system, such as passwords, roles, and authorization profiles. There is a lot of extra information in a user master record, including which start menu the users will see when they first log on, what printer is assigned by default, and the addresses and phone numbers of users. Some of the fields are just for information purposes, whereas others have a direct effect on the working environment for the users.
To reach the user maintenance functions via menu options, from the SAP Easy Access menu select Tools | Administration | User Maintenance | Users, or type the transaction code SU01 in the command field.
Initial screen for user management
This screen shows the input field for specifying an individual user for which to perform administrative actions. To find a particular user when you don't know the proper user ID, you can select the possible entries list arrow and then click on the List icon on the dialog box. To perform functions over a group of users, the system includes some options under the menu Environment | Mass Changes. This is introduced in a later section.
From the User Maintenance initial screen, there are many options available. Normally, the input field for the user field is empty, except if you have been working in other user management functions previously in the same session. User master records are client dependent, which means that they are separately defined for each client in the SAP system. For example, if user FREDSMITH is defined on client 003, but not on client 005, he won't be able to log on in client 005.
To create a user master record you have two options: either define it completely from scratch or copy it from another user or from a reference user you had previously defined. The next list explains both methods.
The first data the system displays corresponds to the Address information. Here the Last Name is a mandatory field that must be completed to go to other sections. You can move back and forth between tabstrips by clicking on them. However, any mandatory fields on these tabstrips must be completed before you can move to another section.
The most important mandatory field is the password, located under the Logon Data tabstrip. Enter or generate a password in the Initial Password field and retype it in the second field (verification field). Also you can optionally enter the user group for authorization check, or select it from the list of available groups by clicking on the possible list entries arrow.
Users themselves can maintain information corresponding to Address, Defaults, and Parameters by selecting System | User Profile | Own Data if they have the required authorizations.
When the mandatory fields are completed, you can save the user by clicking on the Save icon. It is important, however, to assign at least some authorization profiles or roles to the user; otherwise the user won't be able to perform any task. After a user has been created, any modification to the user master fields is performed by entering the user ID in the User input field of the initial User Maintenance screen and clicking on the Change icon on the application toolbar.
For example, suppose your company is implementing SAP R/3 Enterprise for managing sales and distribution, materials management, and finance. Possibly there will be users who just take orders in the system, others doing accounting work, and others with different tasks. In these cases, you can create a reference user for the sales module and use that user master record as a reference for creating the rest. The same process can be done for the users of other modules.
To create a new user by copying from a reference user, from the initial user maintenance screen, enter the name of the new user in the input field and press the Copy function button from the application toolbar. The system displays a dialog box similar to the one shown in Figure .
You can decide which parts of the user master record to copy. You might want to copy just the profiles, or just the address if you want to reuse the company address, or even just the defaults. In any case, you will have to specify a new password for the new user. The values on the following screens can be modified just as if you were creating a new user. To modify any input field value, just write over the field while in Overwrite mode.
Creating users from scratch
Dialog box for copying users
User Master Records Fields
Whether you are creating or modifying user master records, the SAP system screens for the user maintenance transaction show several input fields. There are many, and some of the most important fields are the following:
SAP systems include a large number of predefined roles and profiles matching the most common user needs for the different SAP application modules and also for the development and system management functions. To get the list of predefined roles, you can click on the possible entries arrow of the input field for profile. Looking for specific predefined profiles can be done either by looking in the application documentation or by searching the implementation guide (IMG). There are other ways to search for profiles, such as tracing authorizations and then visiting the authorization information system.
The system provides facilities for creating your own roles and profiles, using the Role Maintenance and the Profile Generator, when the predefined profiles or roles are not enough.
Available Defaults and Options for User Master Records
After the first initial screen for user maintenance, the system provides additional screens for entering other user information. You can set, for example, the default printer for a user, the user's address, and values for user field defaults (parameters). The three available screens are Address, Defaults, and Parameters. These subscreens are accessed by clicking on the corresponding tabstrip within the User Maintenance screen. Users can set their own values and defaults by themselves in the System | User Profile | Own Data menu. The following sections show the available options that can be set by users.
Specifying User Address
The information in user addresses is only used by the SAP system for documentation purposes. It can be very useful, however, for system administrators when trying to locate a user by her or his name, phone number, and so on. Often companies assign user IDs using letters and numbers which are coded so that it is easier to locate or assign user IDs to system users. The address data for a user includes three main information boxes, corresponding to Person, Communication, and Company. Some of the most important fields in those boxes are as follows:
Setting User Default Values
Administrators or users by themselves can set some fixed or default values for some common functions or input fields that they find often while working in SAP systems. Figure shows an example of this screen. Here, you can set the following:
Maintaining user default values
Setting User Default Values for Parameters
The parameters that can be set on this screen match some fields of the SAP systems. Setting default values using these parameters offers the advantage that every time a user is presented with a screen containing any of those fields, the value is automatically entered in the input field. This concept is explained in Chapter . Remember that at any time users can overwrite those values or change the parameter values by selecting System | User Profile | Own Data. The parameter screen has two fields:
Managing User Groups
User groups within the SAP user maintenance functions basically serve as a way to divide administration tasks. To reach the user group screen, from the initial user maintenance screen select Environment | User Groups, and then you can either Maintain or Display them. User groups are just assigned a name, so the only two basic functions to perform are creating a group or deleting a group. To create or delete a group, position the cursor over the group name and click on the corresponding function button. Clients 000 and 001 include a special privilege group, SUPER, which is normally assigned to the superusers SAP* and DDIC. To delete the group SUPER, users need special authorization.
Modifying User Master Records
Changes to user master records can be performed by the system administrator with the corresponding authorization, or by the users themselves for their own address, defaults, or parameter values. Users with normal privileges cannot change, for example, their roles or authorization profiles; they can do that only if they have additional access rights for that operation. Modifications made to a user master record (such as a new password, a lock, or a validity period) are only effective the next time the user logs on; users who are currently logged on are not affected by those changes. Administrators can, however, change users' access permissions by modifying and then activating authorizations and profiles. Changes made to profiles are not effective until the users log on again, but a modified and reactivated authorization has an immediate effect, even on logged-on users. So, for instance, if an authorization has been changed and then activated, it immediately affects all users with profiles containing that authorization.
To delete a single user master record, just enter it in the input box of the initial user maintenance screen and press DELETE on the application toolbar.
Locking and Unlocking Users
Administrators can temporarily set a lock in user master records that prevents a particular user from logging on to the SAP system. To lock a user, enter the user name in the input field and select the Lock/Unlock button on the application toolbar, or select User Names | Lock/Unlock from the main menu. Locking and unlocking functions work in a toggle fashion. A lock won't have an effect on users who are currently logged on.
The system also enters automatic locks in user master records after 12 consecutive unsuccessful logon attempts. The default value is 12, but administrators can change that by setting an instance profile parameter. Refer to the section on technical details at the end of this chapter.
A user who has been automatically locked out by the system because of unsuccessful logon attempts is also automatically unlocked by the system at midnight. However, a manual lock on a user master record will remain in place until you explicitly delete it.
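The lock rules just described (manual toggle, automatic lock after the default 12 consecutive failures, automatic unlock at midnight that leaves manual locks in place, and the lock-before-expiry order of checks from the password section) can be modelled in a few lines. This is an added illustration, not SAP code; the failed-attempt limit is the chapter's default, and counting a wrong password as a failed attempt and resetting the counter at midnight are assumptions of the model.

```python
from dataclasses import dataclass

# Default stated in the chapter; on a real system this is an instance profile parameter.
FAILED_LOGON_LIMIT = 12


@dataclass
class UserMaster:
    """Minimal stand-in for the lock-related fields of a user master record."""
    user_id: str
    failed_attempts: int = 0
    manual_lock: bool = False   # set by the Lock/Unlock button in SU01
    auto_lock: bool = False     # set by the system after too many failures

    @property
    def is_locked(self) -> bool:
        return self.manual_lock or self.auto_lock

    def toggle_manual_lock(self) -> bool:
        """Lock/Unlock works as a toggle; returns the new manual lock state."""
        self.manual_lock = not self.manual_lock
        return self.manual_lock

    def midnight_job(self) -> None:
        """Nightly reset: only automatic locks are cleared, manual locks stay.
        Resetting the failure counter here is an assumption of this model."""
        self.auto_lock = False
        self.failed_attempts = 0


def logon_check(user: UserMaster, password_ok: bool, password_expired: bool) -> str:
    """Order of checks from the chapter: lock first, then password expiry.
    Treating a wrong password as a failed attempt is this model's assumption."""
    if not password_ok:
        user.failed_attempts += 1
        if user.failed_attempts >= FAILED_LOGON_LIMIT:
            user.auto_lock = True
        return "locked" if user.is_locked else "wrong password"
    if user.is_locked:
        return "locked"
    if password_expired:
        return "change password"
    user.failed_attempts = 0
    return "ok"
```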
Making Modifications to a Group of Users
The SAP system includes many functions to perform over a group of users. The options available are as follows:
User Information System
The user maintenance functions of the SAP system include a comprehensive information system where you can look up, display, and analyze the users, profiles, or authorizations of the system. The system permits extensive navigation among the information: from users to profiles, from there to authorizations, and so on. To reach the user and authorization information system, from the main user maintenance menu, select Information | Information System. The system displays a report tree corresponding to the authorization information system. These report trees contain several folders, each of which contains different reports.
By running different reports from the report tree folders, you can get a list of users, profiles, objects, authorizations, and so forth. The system presents several selection screens to permit searching for different criteria.
Authorization info system report tree
Another very useful report collection is the Change Documents folder reports, which can be used for displaying any modifications made to authorizations, users, or profiles and tells who did the modification.
To change a password for a user, click the Change Password pushbutton on the application toolbar of the initial user maintenance screen. The system will display the New Password dialog box, where you have to enter the password twice to verify that you didn't make any typing mistakes. When system managers change the password for other users, the system requests these users to enter a new password when they log on. Administrators can change their own passwords and other users' passwords as many times as they wish; however, users with normal privileges can only change their passwords once a day.
By default and right from installation, there are some standard requirements concerning passwords. Some of the restrictions are set up in the system code and cannot be changed, while others can be changed as required by setting some instance profile parameters or by configuring system tables. For example, system administrators might decide to set up a minimum password length or enter a character string as a nonpermitted password. On the other hand, passwords are not case sensitive, so uppercase and lowercase passwords, or a mix of both cases, behave exactly the same.
Password Restrictions and Requirements
The password restrictions and requirements are as follows:
With the previous restrictions and other user master records rules, the process of logging on to SAP systems based on SAP WAS requires some more work for the system code to do besides checking the password. For instance, when a user tries to log on with a correct password, the system first checks whether the user is locked. If the user is locked either manually by the system manager or automatically after 12 unsuccessful logon attempts or by a system upgrade, the system displays an error message.
If the user is not locked, then the system checks whether the current password has expired. In this case, the system requests the user to enter a new password.
Restricting Password Strings
System administrators can forbid passwords or password strings by entering them in the table USR40. This is useful, for example, to avoid the use of passwords that start with similar words as the name of the company, the river that crosses nearby, and so forth. Table USR40 is maintained with standard table maintenance transactions such as SM30 (System | Services | Table Maintenance | Extended Table Maintenance).
To specify a nonpermitted password string, you can enter the typical wildcards, * and ?, where the * substitutes a group of characters, and the ?, a single character. In this example, all passwords starting with the characters SAP, containing R3, or ending with 2005 are forbidden. This table is client independent and, therefore, the password restrictions are applied to any system client.
Maintaining forbidden password character strings in table USR40
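The wildcard semantics of USR40 entries (* for any run of characters, ? for a single character, matched case-insensitively because passwords are not case sensitive) can be checked offline before a candidate password is proposed. This is an added example, not SAP's own check or the contents of any real USR40 table; the three patterns reproduce the chapter's example, and the minimum length value is an assumed setting.

```python
import re

# Constructed USR40 sample reproducing the chapter's example: passwords that
# start with SAP, contain R3, or end with 2005 are not permitted.
FORBIDDEN_PATTERNS = ["SAP*", "*R3*", "*2005"]


def usr40_to_regex(pattern: str) -> re.Pattern:
    """Turn a USR40 entry into an anchored regex: '*' stands for any run of
    characters, '?' for exactly one, everything else is taken literally.
    Passwords are not case sensitive, so the match is not either."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def forbidden_by(password: str, patterns=FORBIDDEN_PATTERNS):
    """Return the first pattern the candidate password violates, or None."""
    for pattern in patterns:
        if usr40_to_regex(pattern).fullmatch(password):
            return pattern
    return None


def check_password(password: str, min_length: int = 6, patterns=FORBIDDEN_PATTERNS) -> list:
    """Combine the USR40 check with a minimum length. The length value is an
    assumed setting; on a real system it comes from an instance profile parameter."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    hit = forbidden_by(password, patterns)
    if hit is not None:
        problems.append(f"matches forbidden pattern {hit}")
    return problems
```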
Managing SAP System Superusers
The SAP WAS system includes in the default installation two special users: DDIC and SAP*. These users have special privileges and must be protected to avoid unauthorized access. System administrators should consider a good strategy for managing the superusers of SAP systems for security reasons and to ensure system integrity. The standard installation creates the system clients 000, 001, and 066. The SAP* and DDIC users are created in clients 000 and 001 with standard names and passwords.
SAP* is the standard SAP system superuser, and it's the only system user who does not require a user master record because it's defined in the code itself. When a new client is created for doing a client copy, SAP* is created by default in the new client with a standard password PASS and unlimited access rights. In the standard installation, SAP* has the password 06071992 in clients 000 and 001. The special properties of the SAP* user can be deactivated. To deactivate the properties of the SAP* superuser, you must create a user master record for it, in which case it will have just the authorizations given in the profiles of the user master record.
If a user master record exists for SAP* and then it is deleted, it recovers the special properties assigned by the system code and has the password PASS again. When SAP* does not have a user master record, the password is always PASS; it cannot be changed, and it's not subject to any authorization check.
Some of the measures to protect SAP* are as follows:
Defining a New Superuser
Defining a new superuser just requires giving him or her a superuser profile with all authorizations in the user master record. The standard profile with full authorization, which is the only one needed to define a new superuser to replace SAP*, is the SAP_ALL profile. SAP_ALL contains all SAP authorizations, including the new authorizations as released in the SAP_NEW profile. SAP_NEW is a standard profile that ensures upward compatibility in access privileges. It's the way to protect users against authorization problems after a new system upgrade. If the upgrade of the system includes new access tests, this profile ensures the inclusion of those new authorization objects needed to validate the new access tests.
User DDIC (from data dictionary) is the maintenance user for the ABAP dictionary and for software logistics. It's the user required to perform special functions in system upgrades. Like SAP*, user DDIC is a user with special privileges. The user master record for user DDIC is automatically created in clients 000 and 001 when you install your SAP system. It has, by default, the password 19920706. Its difference from SAP* is that it has its own user master record. To secure DDIC against unauthorized use, you must change the password for the user in clients 000 and 001 in your SAP system. User DDIC is required for certain installation and setup tasks in the system, so you should not delete DDIC.