IBM Global Business Services
User Administration
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Objectives
The participants will be able to:
Know what are the responsibilities of a user administrator
What are the components of User master
What are the different user types
How to maintain users in SU01
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
User Administration :
Maintaining User Master records
Giving authorization by adding roles or profiles (SAP Profiles)
Display authorization and profiles
Maintain Roles
Generate Authorization Profiles
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Components of the User Master Record:
Logon Data
Address
Parameters
Defaults
Personal data,
Communication
data, Company
address
Roles
Profiles
Assignment of
roles
Start menu, logon
language, default
printer
Default values for
parameter IDs
Groups
Personalization License Data
Assignment of
user groups
Assignment of
license data
Assignment of
profiles
Assignment of
personalization
User group, user
type, validity
period
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
SAP User Type:
Dialog user
Logon with SAPGUI is possible. The user is therefore interaction-capable with the
SAPGUI.
Expired or initial passwords are checked.
Users have the option of changing their own passwords.
Multiple logon is checked.
System User
Logon with SAPGUI is not possible. The user is therefore not interaction-capable with
the SAPGUI.
The passwords are not subject to the password change requirement, that is, they
cannot be initial or expired.
Only an administrator user can change the password.
Multiple logon is permitted.
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
SAP User Type Cont
Service User
Logon with SAPGUI is possible. The user is therefore interaction-capable with the
SAPGUI.
The passwords are not subject to the password change requirement, that is, they
cannot be initial or expired.
Only a user administrator can change the password.
Multiple logon is permitted.
Communication User
Logon with SAPGUI is not possible. The user is therefore not interaction-capable
with the SAPGUI.
Expired or initial passwords are checked but the conversion of the password
change requirement that applies in principle to all users depends on the caller
(interactive/not interactive). (*)
Users have the option of changing their own passwords.
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
SAP User Type Cont
Reference User
No logon possible.
Reference users are used for authorization assignment to other users
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
User Maintenance:
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
User Maintenance contd..
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
User Maintenance contd..
10
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
User Maintenance contd..
11
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
User Maintenance contd..
12
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
User Maintenance contd..
13
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
User Maintenance contd..
14
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
User Maintenance contd..
15
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
User Maintenance contd..
16
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
User Maintenance contd..
17
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Questions ?
18
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Address Field in User wrt Address Management
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Objectives
The participants will be able to:
Recognize what is company address
How company address can be created
How a user can be assigned to a company address
20
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Company Address Creation of Company
You can create, maintain and display Company address using the tcode SUCOMP
21
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Company Address Creation of Company
You need to enter the above information and click on save
22
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Company Address
The very first company need to be created in SUCOMP. After that all the newly
created users have the default company address automatically assigned to them. To
demonstrate the concept we need to have a look at the SU01 screen.
23
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Creation of User
Create a user in SU01
24
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Assign Company Address
The user is automatically assigned to the default company address
25
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Assign other Company Address
You can assign this user to any of the existing company address using the button
Assign other company address
26
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Assign Company Address
From here you can also create a new company address
27
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Company Address contd..
You need to enter the new company name what you do in SUCOMP
28
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Company Address
The same screen
like SUCOMP and
the same steps are
required to be
performed.
29
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Questions ?
30
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
User Groups
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Objectives
The participants will be able to:
The concept of user group
Specify the group for a user
Realize the importance of user groups in the context of user administration
32
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
User Group:
User group can be used for different purpose and in different
way in an SAP environment One of the Primary uses of user groups is to sort users into logical groups.
This allows users to be categorized in a method that is not dependent on roles,
Responsibilities & Profiles etc.
User Groups also allow segregation of user maintenance, this is especially useful in
a large organization as you can control who your user admin team can maintain - an
example would be giving a team leader the authority to change passwords for users in
their team.
33
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
User Group
In the latest versions of SAP, actually two types of user group exist
The authorization user group (exist in Logon data tab in the user
master record)
The general user groups (exist in Group tab in the user master
record)
The authorization user group is used in conjunction with S_USER_GROUP
authorization object. It allows to create security management authorization by
user group. e.g. you can have a local security administrator only able to
manage users in his groups, Help-Desk to reset password for all users except
users in group SUPER, etc..
The general user group can be used in conjunction with SUIM and SU10, to
select all the users in a specific group. User can only be member of one
authorization user group but several general user group.
34
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
User Group (SUGR):
35
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
User Group
36
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
User Group
37
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
User Group
38
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
User Group
USER GROUPS for authorization Check are used for access control to transactions and
tables based on user group assignment for a particular user and to which respective group
he/she belongs and the tables and transactions and reports that group has access.
Groups tab on SU01 Transaction is used for logical grouping of users based on similar
functionalities and for mass operations of same type for multiple users.
39
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Questions ?
40
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Mass Change for users
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Objectives
The participants will be able to:
Use SU10 as a mass user maintenance tool
Display the log once the mass changes are done.
42
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Mass changes:
Logon data
Defaults
Roles
Mass Changes (Su10)
Profiles
Parameters
Passwords
43
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Mass Changes (SU10):
Address Data
44
User Administration
Authorization Data
March-2007
2007 IBM Corporation
�IBM Global Business Services
Mass Changes (SU10):
Please check the
change check box
other wise
changes will not
take place
45
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Mass Changes Log:
46
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Questions?
47
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Authorization objects S_USER_GRP..
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Objectives
The participants will be able to:
Understand the importance of different authorization objects related to user
administration
Divide the administrative power among various roles to be used by administrator.
49
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Authorization objects for Maintaining User master record:
S_USER_GRP - User Master Maintenance: User Groups
S_USER_PRO - User Master Maintenance: Authorization Profile
S_USER_AUTH - User Master Maintenance: Authorizations
S_USER_AGR - Authorizations: Role Check
S_USER_TCD - Authorizations: Transactions in Roles
S_USER_VAL - Authorizations: Field Values in Roles
50
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Authorization objects for Maintaining User master record:
S_USER_GRP
CLASS
ACTVT
Auth. Object
Field
Field
01: Create
02: Change
03: Display
05: Lock, unlock
06: Delete
08: Display change documents
22: Add users to activity groups
24: Archive
78: Assign
68: Model users and assign to systems or activity groups in user management. The
models are used later as templates for the actual assignments.
51
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Authorization objects for Maintaining User master record:
S_USER_PRO
Auth. Object
Profile
Field
ACTVT
Field
01: Create
02: Change
03: Display
06: Delete
07: Activate
08: Display change documents
22: Assign profile to users / remove
assignment
24: Archive
52
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Authorization objects for Maintaining User master record:
S_USER_AUTH
Auth. Object
Authorization object
Field
Authorization name
Field
Activity
Field
01 = create
02 = change
03 = display
06 = delete
07 = activate
08 = display change documents
22 = assign authorization profiles
24 = archive
53
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Authorization objects for Maintaining User master record:
S_USER_AGR
54
Auth. Object
ACT_GOUP
Field
Activity
Field
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Authorization objects for Maintaining User master record:
01 Create roles
02 Change roles
03 Display roles
06 Delete roles
22 Compare role user master records
The profiles generated in the Profile Generator are transferred into the user
master record for the relevant role users.
36 This activity is not yet used. It is planned for use for additional objects that
can be maintained from the roles.
21 Transport role
59 Distribute roles to another system using RFC
64 Generate authorization profiles from the role
68 Modeling: Assigning roles to systems or users in user management using
models. The actual assignments can be derived from these models later.
78 Assignment of roles to systems or user groups in the central system when
using Central User Administration.
79 Assignment of individual roles to composite roles.
DL Download Save roles to a file
UL Upload Upload roles from a file
55
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Authorization objects for Maintaining User master record:
S_USER_TCD
Auth. Object
Field
TCD
T-Code
S_USER_VAL
Auth. Object
OBJECT
AUTH_FIELD
AUTH_VALUE
56
User Administration
Field
Field
Field
March-2007
2007 IBM Corporation
�IBM Global Business Services
Authorization Objects for User Administration:
S_USER_GRP
ACTVT
CLASS
S_USER_SYS
ACTVT
SUBSYSTEM
57
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Authorization Objects for Role Administration:
S_USER_AGR
ACTVT
ACT_GROUP
S_USER_TCD
TCD
S_USER_VAL
OBJECT
AUTH_FIELD
AUTH_VALUE
58
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Authorization Object for Profiles & Authorizations
Administration:
S_USER_PRO
ACTVT
PROFILE
S_USER_AUT
OBJECT
OBJECT
ACTVT
59
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Questions?
60
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
User Buffer introduction
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Objectives
The participants will be able to:
Realize the concept of User Buffer.
To view the user buffer.
62
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
User Buffer:
When
a user logon to the SAP, the
authorizations present in his/her user master
record are copied in memory area called User
Buffer. Each user has his or her own user buffer.
When the users try to perform activities in the
SAP environment, authorizations are checked in
the user buffer. If the required authorization is in
the user buffer, he/she will perform the activity
successfully otherwise system will show the pop
up You are not authorized
63
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
User Buffer:
A user would fail an authorization check if:
The authorization object does not exist in the
user buffer.
The values checked by the application are not
assigned to the authorization object in the user
buffer
The user buffer contains too many entries and
has overflowed. The number of entries in the user
buffer can be controlled using the system profile
parameter auth/number_in_userbuffer.
64
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
User Buffer:
User can display his/her own user buffer using the transaction SU56
65
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Authorization update in the User Buffer:
Any change in authorizations in the user master
record should be updated in the user buffer. This
update can happen two ways
User has to logoff and re-login to get the effect
of authorizations change.
The parameter auth/new_buffering set to be 4.
So that authorization changes take place
immediately and no need to logoff from the
system.
66
User Administration
March-2007
2007 IBM Corporation
�IBM Global Business Services
Questions ?
67
User Administration
March-2007
2007 IBM Corporation
