SlideShare a Scribd company logo

Sap user and authorization management

ExpertPlug
ExpertPlug

Preview Original paying document published on : http://expertplug.com/materials/training/sap-user-and-authorization-management You can find many more SAP training material on www.ExpertPlug.com. (you can download the preview there) ExpertPlug is an SAP marketplace for training materials and an online community of experts. We offer a simple way for the global SAP workforce, consulting companies and industry to market their skills and find quality information. As an SAP Expert, you can also market your SAP skills and make extra cash by publishing SAP documents on www.ExpertPlug.com.

1 of 8
SAP User and Authorization Management SAP BC Training document 1
DISCLAIMER “This publication contains references to the products of SAP AG. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content. SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such product and services, if any. Nothing herein should be construed as constituting an additional warranty”. SAP®, SAP® R/2®, SAP® R/3®, mySAP.com®, SAP® R/3® Enterprise, SAP NetWeaver®, ABAP™, SAP® Business Suite, SAP® Customer Relationship Management (SAP CRM), SAP® ERP, SAP® Product Lifecycle Management (SAP PLM), SAP® Supplier Relationship Management (SAP SRM), SAP® Supply Chain Management (SAP SCM), SAP NetWeaver® Business Intelligence (SAP NetWeaver BI), SAP® Business Information Warehouse (SAP BW), SAP NetWeaver® Portal, SAP NetWeaver® Exchange Infrastructure (SAP NetWeaver XI), SAP® Solution Manager, SAP NetWeaver® Visual Composer, SAP NetWeaver® Developer Studio are the trademark(s) or registered trademark(s) of SAP AG in Germany and in several other countries. 2
Table of content DISCLAIMER ............................................................................................................................................. 2 I- Transaction used : ........................................................................................................................... 4 II- Summary / Overview : ..................................................................................................................... 4 III- Requirements / prerequisites: .................................................................................................... 5 IV- Course materials:......................................................................................................................... 5 1) SAP User creation: ....................................................................................................................... 6 2) SAP roles and authorization management: ........................................................................ 11 3) Locking SAP user account: ................................................................................................... 18 4) Inactivating SAP user accounts:........................................................................................... 20 V- Conclusion: .................................................................................................................................... 22 3
I- Transaction used : SAP Transaction code Transaction description SU01 User maintenance SU10 Mass user maintenance PFCG Role maintenance II- Summary / Overview : The purpose of this document is to show the process related to SAP User and Authorization management. SAP User Management includes the following sub process: - SAP User creation - SAP User modification - SAP User locking and unlocking activities - SAP User inactivation SAP Authorization management includes the following sub process: - SAP role creation - SAP role modification - SAP role removal 4
III- Requirements / prerequisites: In order to follow this procedure, it is required to have an extended SAP user access profile (like SAP_ALL for example) allowing to perform SAP User management activities as well as SAP Authorization management activities. In particular, it is required to have a full access on SU01 transaction, SU10 and PFCG. If you cannot have the SAP_ALL profile assigned, the detailed requirement for creating and editing user master records are the following: - Authorization to create or edit a user master record and to assign it to a user group (object S_USER_GRP). - Authorization for the authorization profiles you assign to users (object S_USER_PRO) - Authorization to create and edit authorizations (object S_USER_AUTH) - Authorization to protect roles. You can use this authorization object to determine which roles may be processed and which activities (Create, Display, Change, and so on) are available for the role(s) (object S_USER_AGR). - Authorization for transactions that you may assign to the role and for which you can assign authorization at the start of the transaction in the Profile Generator (object S_USER_TCD) - Authorization to restrict the values which a system administrator can insert or change in a role in the Profile generator (S_USER_VAL) SAP user and authorization management activities are very sensitive Note : activities and have to be performed by qualified and skilled administrator. Therefore and if you are not familiar with user management activities, you should use this document only in a SAP sandbox system or in a training environment. IV- Course materials: In the company, the SAP User and Management and Authorization consultant is responsible to properly manage the “SAP user lifecycle” that includes the following activities: - The SAP user creation - The maintenance of SAP user access rights - Locking and unlocking the SAP user account - The inactivation of obsolete SAP user account 5
1) SAP User creation: In this paragraph, we will show the different steps of the SAP user creation in SAP. We will consider that we are working in a SAP ERP environment (in fact, the authorization concept in SAP BI or SAP Portal systems are different). Each business or technical user that needs to work on SAP requires having a SAP user account. For security reason and also for license consideration, the SAP user account must be unique. However and in very few circumstances, it can be required to use a shared SAP user account (in some production line for example). ⇒ Execute transaction SU01 ⇒ Enter the user name (user_test in our example) and click ‘Create’ As you can see, the screen related to the user creation consists of many tab : - The ‘adress’ tab - The ‘logon data’ tab - The ‘defaults’ tab - The ‘parameters’ tab - The ‘roles’ tab - The ‘profiles’ tab - The ‘groups’ tab The ‘personalization’ tab - The ‘licenceData’ tab 6
Here is a brief description regarding the tabs of the user creation screen: Tab Description address Used to indicate the last name and first name of the user, its contact information, communication info,… logon data Used to fill out the Initial Password field on the Logon Data tab page. All other entries on this screen are optional Defaults Used to indicate the default user parameter (language, printer,…) Parameters Used to assign user particular parameters (example : company code,…) roles Roles for accessing the SAP System to a user are assigned on this tab. profiles Used to assign manually created authorization profiles (and therefore authorizations) to a user. groups Used to assign the user to a user group on this tab page. personalization Used to make person-related settings using personalization objects licenceData You specify the contractual user type of the user on this tab page. Table 1: SAP User creation tab description 7
Preview Original paying document published on : http://expertplug.com/materials/training/sap-user-and-authorization-toolkit You can find many more full SAP training material and SAP jobs on www.ExpertPlug.com. ExpertPlug is an SAP marketplace for training materials and an online community of experts. We offer a simple way for the global SAP workforce, consulting companies and industry to market their skills and find quality information. As an SAP Expert, you can also market your SAP skills and make extra cash by publishing SAP documents on www.ExpertPlug.com.

Recommended

Practical guide for sap security
Practical guide for sap security Practical guide for sap security
Practical guide for sap security Siva Pradeep Bolisetti
 
Authorization objects a simple guide
Authorization objects a simple guideAuthorization objects a simple guide
Authorization objects a simple guideAlbert Shumov
 
SAP SECURITY GRC
SAP SECURITY GRCSAP SECURITY GRC
SAP SECURITY GRCtechgurusuresh
 
Introduction to SAP Security
Introduction to SAP SecurityIntroduction to SAP Security
Introduction to SAP SecurityNasir Gondal
 
Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...
Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...
Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...NextLabs, Inc.
 
SAP Security important Questions
SAP Security important QuestionsSAP Security important Questions
SAP Security important QuestionsRagu M
 
SU01 - Background and Instruction
SU01 - Background and InstructionSU01 - Background and Instruction
SU01 - Background and InstructionMart Leepin
 
How to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systemsHow to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systemsTL Technologies - Thoughts Become Things
 

Recommended

Practical guide for sap security
Practical guide for sap security Practical guide for sap security
Practical guide for sap security Siva Pradeep Bolisetti
 
Authorization objects a simple guide
Authorization objects a simple guideAuthorization objects a simple guide
Authorization objects a simple guideAlbert Shumov
 
SAP SECURITY GRC
SAP SECURITY GRCSAP SECURITY GRC
SAP SECURITY GRCtechgurusuresh
 
Introduction to SAP Security
Introduction to SAP SecurityIntroduction to SAP Security
Introduction to SAP SecurityNasir Gondal
 
Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...
Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...
Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...NextLabs, Inc.
 
SAP Security important Questions
SAP Security important QuestionsSAP Security important Questions
SAP Security important QuestionsRagu M
 
SU01 - Background and Instruction
SU01 - Background and InstructionSU01 - Background and Instruction
SU01 - Background and InstructionMart Leepin
 
How to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systemsHow to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systemsTL Technologies - Thoughts Become Things
 
Day5 R3 Basis Security
Day5 R3 Basis SecurityDay5 R3 Basis Security
Day5 R3 Basis SecurityGuang Ying Yuan
 
Authorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infoAuthorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infosapdocs. info
 
PART I of III: Advanced Authorization for SAP Global Deployments: September ...
PART I of III: Advanced Authorization for SAP Global Deployments: September ...PART I of III: Advanced Authorization for SAP Global Deployments: September ...
PART I of III: Advanced Authorization for SAP Global Deployments: September ...NextLabs, Inc.
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questionssumitmsn2
 
Your roles as key user sap
Your roles as key user sapYour roles as key user sap
Your roles as key user sapdjleon
 
Pensum adm
Pensum admPensum adm
Pensum admAdhemar Vargas
 
CSI tools SAP Authorization Presentation TROOPERS 2014
CSI tools SAP Authorization Presentation TROOPERS 2014CSI tools SAP Authorization Presentation TROOPERS 2014
CSI tools SAP Authorization Presentation TROOPERS 2014CSI tools
 
Sap grc process control 10.0
Sap grc process control 10.0Sap grc process control 10.0
Sap grc process control 10.0Latha Kamal
 
Basic settings Of SAP Fi
Basic settings Of SAP FiBasic settings Of SAP Fi
Basic settings Of SAP FiLav Kumar
 
Summarisation levels in SAP COPA
Summarisation levels in SAP COPASummarisation levels in SAP COPA
Summarisation levels in SAP COPARajesh Shanbhag
 
SAP HCM authorisations: streamline processes and improve HR data security
SAP HCM authorisations: streamline processes and improve HR data securitySAP HCM authorisations: streamline processes and improve HR data security
SAP HCM authorisations: streamline processes and improve HR data securitySven Ringling
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsRohan Andrews
 
Co product costing detailed trng
Co product costing detailed trngCo product costing detailed trng
Co product costing detailed trngVenkat Reddy
 
Grc 10 training
Grc 10 trainingGrc 10 training
Grc 10 trainingsuresh
 
Sap Security Workshop
Sap Security WorkshopSap Security Workshop
Sap Security Workshoplarrymcc
 
SAP GRC 10 Access Control
SAP GRC 10 Access ControlSAP GRC 10 Access Control
SAP GRC 10 Access ControlNasir Gondal
 

More Related Content

Viewers also liked

Authorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infoAuthorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infosapdocs. info
 
PART I of III: Advanced Authorization for SAP Global Deployments: September ...
PART I of III: Advanced Authorization for SAP Global Deployments: September ...PART I of III: Advanced Authorization for SAP Global Deployments: September ...
PART I of III: Advanced Authorization for SAP Global Deployments: September ...NextLabs, Inc.
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questionssumitmsn2
 
Your roles as key user sap
Your roles as key user sapYour roles as key user sap
Your roles as key user sapdjleon
 
CSI tools SAP Authorization Presentation TROOPERS 2014
CSI tools SAP Authorization Presentation TROOPERS 2014CSI tools SAP Authorization Presentation TROOPERS 2014
CSI tools SAP Authorization Presentation TROOPERS 2014CSI tools
 
Sap grc process control 10.0
Sap grc process control 10.0Sap grc process control 10.0
Sap grc process control 10.0Latha Kamal
 
Basic settings Of SAP Fi
Basic settings Of SAP FiBasic settings Of SAP Fi
Basic settings Of SAP FiLav Kumar
 
Summarisation levels in SAP COPA
Summarisation levels in SAP COPASummarisation levels in SAP COPA
Summarisation levels in SAP COPARajesh Shanbhag
 
SAP HCM authorisations: streamline processes and improve HR data security
SAP HCM authorisations: streamline processes and improve HR data securitySAP HCM authorisations: streamline processes and improve HR data security
SAP HCM authorisations: streamline processes and improve HR data securitySven Ringling
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsRohan Andrews
 
Co product costing detailed trng
Co product costing detailed trngCo product costing detailed trng
Co product costing detailed trngVenkat Reddy
 
Grc 10 training
Grc 10 trainingGrc 10 training
Grc 10 trainingsuresh
 
Sap Security Workshop
Sap Security WorkshopSap Security Workshop
Sap Security Workshoplarrymcc
 
SAP GRC 10 Access Control
SAP GRC 10 Access ControlSAP GRC 10 Access Control
SAP GRC 10 Access ControlNasir Gondal
 

Viewers also liked (16)

Day5 R3 Basis Security
Day5 R3 Basis SecurityDay5 R3 Basis Security
Day5 R3 Basis Security
 
Authorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infoAuthorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.info
 
PART I of III: Advanced Authorization for SAP Global Deployments: September ...
PART I of III: Advanced Authorization for SAP Global Deployments: September ...PART I of III: Advanced Authorization for SAP Global Deployments: September ...
PART I of III: Advanced Authorization for SAP Global Deployments: September ...
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questions
 
Your roles as key user sap
Your roles as key user sapYour roles as key user sap
Your roles as key user sap
 
Pensum adm
Pensum admPensum adm
Pensum adm
 
CSI tools SAP Authorization Presentation TROOPERS 2014
CSI tools SAP Authorization Presentation TROOPERS 2014CSI tools SAP Authorization Presentation TROOPERS 2014
CSI tools SAP Authorization Presentation TROOPERS 2014
 
Sap grc process control 10.0
Sap grc process control 10.0Sap grc process control 10.0
Sap grc process control 10.0
 
Basic settings Of SAP Fi
Basic settings Of SAP FiBasic settings Of SAP Fi
Basic settings Of SAP Fi
 
Summarisation levels in SAP COPA
Summarisation levels in SAP COPASummarisation levels in SAP COPA
Summarisation levels in SAP COPA
 
SAP HCM authorisations: streamline processes and improve HR data security
SAP HCM authorisations: streamline processes and improve HR data securitySAP HCM authorisations: streamline processes and improve HR data security
SAP HCM authorisations: streamline processes and improve HR data security
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM Workflows
 
Co product costing detailed trng
Co product costing detailed trngCo product costing detailed trng
Co product costing detailed trng
 
Grc 10 training
Grc 10 trainingGrc 10 training
Grc 10 training
 
Sap Security Workshop
Sap Security WorkshopSap Security Workshop
Sap Security Workshop
 
SAP GRC 10 Access Control
SAP GRC 10 Access ControlSAP GRC 10 Access Control
SAP GRC 10 Access Control
 

Sap user and authorization management

  • 1. SAP User and Authorization Management SAP BC Training document 1
  • 2. DISCLAIMER “This publication contains references to the products of SAP AG. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content. SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such product and services, if any. Nothing herein should be construed as constituting an additional warranty”. SAP®, SAP® R/2®, SAP® R/3®, mySAP.com®, SAP® R/3® Enterprise, SAP NetWeaver®, ABAP™, SAP® Business Suite, SAP® Customer Relationship Management (SAP CRM), SAP® ERP, SAP® Product Lifecycle Management (SAP PLM), SAP® Supplier Relationship Management (SAP SRM), SAP® Supply Chain Management (SAP SCM), SAP NetWeaver® Business Intelligence (SAP NetWeaver BI), SAP® Business Information Warehouse (SAP BW), SAP NetWeaver® Portal, SAP NetWeaver® Exchange Infrastructure (SAP NetWeaver XI), SAP® Solution Manager, SAP NetWeaver® Visual Composer, SAP NetWeaver® Developer Studio are the trademark(s) or registered trademark(s) of SAP AG in Germany and in several other countries. 2
  • 3. Table of content DISCLAIMER ............................................................................................................................................. 2 I- Transaction used : ........................................................................................................................... 4 II- Summary / Overview : ..................................................................................................................... 4 III- Requirements / prerequisites: .................................................................................................... 5 IV- Course materials:......................................................................................................................... 5 1) SAP User creation: ....................................................................................................................... 6 2) SAP roles and authorization management: ........................................................................ 11 3) Locking SAP user account: ................................................................................................... 18 4) Inactivating SAP user accounts:........................................................................................... 20 V- Conclusion: .................................................................................................................................... 22 3
  • 4. I- Transaction used : SAP Transaction code Transaction description SU01 User maintenance SU10 Mass user maintenance PFCG Role maintenance II- Summary / Overview : The purpose of this document is to show the process related to SAP User and Authorization management. SAP User Management includes the following sub process: - SAP User creation - SAP User modification - SAP User locking and unlocking activities - SAP User inactivation SAP Authorization management includes the following sub process: - SAP role creation - SAP role modification - SAP role removal 4
  • 5. III- Requirements / prerequisites: In order to follow this procedure, it is required to have an extended SAP user access profile (like SAP_ALL for example) allowing to perform SAP User management activities as well as SAP Authorization management activities. In particular, it is required to have a full access on SU01 transaction, SU10 and PFCG. If you cannot have the SAP_ALL profile assigned, the detailed requirement for creating and editing user master records are the following: - Authorization to create or edit a user master record and to assign it to a user group (object S_USER_GRP). - Authorization for the authorization profiles you assign to users (object S_USER_PRO) - Authorization to create and edit authorizations (object S_USER_AUTH) - Authorization to protect roles. You can use this authorization object to determine which roles may be processed and which activities (Create, Display, Change, and so on) are available for the role(s) (object S_USER_AGR). - Authorization for transactions that you may assign to the role and for which you can assign authorization at the start of the transaction in the Profile Generator (object S_USER_TCD) - Authorization to restrict the values which a system administrator can insert or change in a role in the Profile generator (S_USER_VAL) SAP user and authorization management activities are very sensitive Note : activities and have to be performed by qualified and skilled administrator. Therefore and if you are not familiar with user management activities, you should use this document only in a SAP sandbox system or in a training environment. IV- Course materials: In the company, the SAP User and Management and Authorization consultant is responsible to properly manage the “SAP user lifecycle” that includes the following activities: - The SAP user creation - The maintenance of SAP user access rights - Locking and unlocking the SAP user account - The inactivation of obsolete SAP user account 5
  • 6. 1) SAP User creation: In this paragraph, we will show the different steps of the SAP user creation in SAP. We will consider that we are working in a SAP ERP environment (in fact, the authorization concept in SAP BI or SAP Portal systems are different). Each business or technical user that needs to work on SAP requires having a SAP user account. For security reason and also for license consideration, the SAP user account must be unique. However and in very few circumstances, it can be required to use a shared SAP user account (in some production line for example). ⇒ Execute transaction SU01 ⇒ Enter the user name (user_test in our example) and click ‘Create’ As you can see, the screen related to the user creation consists of many tab : - The ‘adress’ tab - The ‘logon data’ tab - The ‘defaults’ tab - The ‘parameters’ tab - The ‘roles’ tab - The ‘profiles’ tab - The ‘groups’ tab The ‘personalization’ tab - The ‘licenceData’ tab 6
  • 7. Here is a brief description regarding the tabs of the user creation screen: Tab Description address Used to indicate the last name and first name of the user, its contact information, communication info,… logon data Used to fill out the Initial Password field on the Logon Data tab page. All other entries on this screen are optional Defaults Used to indicate the default user parameter (language, printer,…) Parameters Used to assign user particular parameters (example : company code,…) roles Roles for accessing the SAP System to a user are assigned on this tab. profiles Used to assign manually created authorization profiles (and therefore authorizations) to a user. groups Used to assign the user to a user group on this tab page. personalization Used to make person-related settings using personalization objects licenceData You specify the contractual user type of the user on this tab page. Table 1: SAP User creation tab description 7
  • 8. Preview Original paying document published on : http://expertplug.com/materials/training/sap-user-and-authorization-toolkit You can find many more full SAP training material and SAP jobs on www.ExpertPlug.com. ExpertPlug is an SAP marketplace for training materials and an online community of experts. We offer a simple way for the global SAP workforce, consulting companies and industry to market their skills and find quality information. As an SAP Expert, you can also market your SAP skills and make extra cash by publishing SAP documents on www.ExpertPlug.com.