Preview Original paying document published on :
http://expertplug.com/materials/training/sap-user-and-authorization-management
You can find many more SAP training material on www.ExpertPlug.com.
(you can download the preview there)
ExpertPlug is an SAP marketplace for training materials and an online community of experts. We offer a simple way for the global SAP workforce, consulting companies and industry to market their skills and find quality information.
As an SAP Expert, you can also market your SAP skills and make extra cash by publishing SAP documents on www.ExpertPlug.com.
1. SAP User and Authorization Management
SAP BC Training document
1
2. DISCLAIMER
“This publication contains references to the products of SAP AG. SAP, R/3, SAP NetWeaver, Duet,
PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and
services mentioned herein as well as their respective logos are trademarks or registered trademarks of
SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal
Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned
herein as well as their respective logos are trademarks or registered trademarks of Business Objects
Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products
and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of Sybase, Inc. Sybase is an SAP company.
SAP AG is neither the author nor the publisher of this publication and is not responsible for its content.
SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties
for SAP Group products and services are those that are set forth in the express warranty statements
accompanying such product and services, if any. Nothing herein should be construed as constituting
an additional warranty”.
SAP®, SAP® R/2®, SAP® R/3®, mySAP.com®, SAP® R/3® Enterprise, SAP NetWeaver®, ABAP™,
SAP® Business Suite, SAP® Customer Relationship Management (SAP CRM), SAP® ERP, SAP®
Product Lifecycle Management (SAP PLM), SAP® Supplier Relationship Management (SAP SRM),
SAP® Supply Chain Management (SAP SCM), SAP NetWeaver® Business Intelligence (SAP
NetWeaver BI), SAP® Business Information Warehouse (SAP BW), SAP NetWeaver® Portal, SAP
NetWeaver® Exchange Infrastructure (SAP NetWeaver XI), SAP® Solution Manager, SAP
NetWeaver® Visual Composer, SAP NetWeaver® Developer Studio are the trademark(s) or
registered trademark(s) of SAP AG in Germany and in several other countries.
2
3. Table of content
DISCLAIMER ............................................................................................................................................. 2
I- Transaction used : ........................................................................................................................... 4
II- Summary / Overview : ..................................................................................................................... 4
III- Requirements / prerequisites: .................................................................................................... 5
IV- Course materials:......................................................................................................................... 5
1) SAP User creation: ....................................................................................................................... 6
2) SAP roles and authorization management: ........................................................................ 11
3) Locking SAP user account: ................................................................................................... 18
4) Inactivating SAP user accounts:........................................................................................... 20
V- Conclusion: .................................................................................................................................... 22
3
4. I- Transaction used :
SAP Transaction code Transaction description
SU01 User maintenance
SU10 Mass user maintenance
PFCG Role maintenance
II- Summary / Overview :
The purpose of this document is to show the process related to SAP User and Authorization
management.
SAP User Management includes the following sub process:
- SAP User creation
- SAP User modification
- SAP User locking and unlocking activities
- SAP User inactivation
SAP Authorization management includes the following sub process:
- SAP role creation
- SAP role modification
- SAP role removal
4
5. III- Requirements / prerequisites:
In order to follow this procedure, it is required to have an extended SAP user access profile
(like SAP_ALL for example) allowing to perform SAP User management activities as well as
SAP Authorization management activities. In particular, it is required to have a full access on
SU01 transaction, SU10 and PFCG.
If you cannot have the SAP_ALL profile assigned, the detailed requirement for creating and
editing user master records are the following:
- Authorization to create or edit a user master record and to assign it to a user group
(object S_USER_GRP).
- Authorization for the authorization profiles you assign to users (object S_USER_PRO)
- Authorization to create and edit authorizations (object S_USER_AUTH)
- Authorization to protect roles. You can use this authorization object to determine which
roles may be processed and which activities (Create, Display, Change, and so on) are
available for the role(s) (object S_USER_AGR).
- Authorization for transactions that you may assign to the role and for which you can
assign authorization at the start of the transaction in the Profile Generator (object
S_USER_TCD)
- Authorization to restrict the values which a system administrator can insert or change in a
role in the Profile generator (S_USER_VAL)
SAP user and authorization management activities are very sensitive
Note : activities and have to be performed by qualified and skilled administrator.
Therefore and if you are not familiar with user management activities, you
should use this document only in a SAP sandbox system or in a training
environment.
IV- Course materials:
In the company, the SAP User and Management and Authorization consultant is responsible
to properly manage the “SAP user lifecycle” that includes the following activities:
- The SAP user creation
- The maintenance of SAP user access rights
- Locking and unlocking the SAP user account
- The inactivation of obsolete SAP user account
5
6. 1) SAP User creation:
In this paragraph, we will show the different steps of the SAP user creation in SAP. We will
consider that we are working in a SAP ERP environment (in fact, the authorization concept in
SAP BI or SAP Portal systems are different).
Each business or technical user that needs to work on SAP requires having a SAP
user account. For security reason and also for license consideration, the SAP user
account must be unique. However and in very few circumstances, it can be required
to use a shared SAP user account (in some production line for example).
⇒ Execute transaction SU01
⇒ Enter the user name (user_test in our example) and click ‘Create’
As you can see, the screen related to the user creation consists of many tab :
- The ‘adress’ tab
- The ‘logon data’ tab
- The ‘defaults’ tab
- The ‘parameters’ tab
- The ‘roles’ tab
- The ‘profiles’ tab
- The ‘groups’ tab
The ‘personalization’ tab
- The ‘licenceData’ tab
6
7. Here is a brief description regarding the tabs of the user creation screen:
Tab Description
address Used to indicate the last name and first name of the user, its contact information,
communication info,…
logon data Used to fill out the Initial Password field on the Logon Data tab page. All other
entries on this screen are optional
Defaults Used to indicate the default user parameter (language, printer,…)
Parameters Used to assign user particular parameters (example : company code,…)
roles Roles for accessing the SAP System to a user are assigned on this tab.
profiles Used to assign manually created authorization profiles (and therefore
authorizations) to a user.
groups Used to assign the user to a user group on this tab page.
personalization Used to make person-related settings using personalization objects
licenceData You specify the contractual user type of the user on this tab page.
Table 1: SAP User creation tab description
7
8. Preview Original paying document published on :
http://expertplug.com/materials/training/sap-user-and-authorization-toolkit
You can find many more full SAP training material and SAP jobs on www.ExpertPlug.com.
ExpertPlug is an SAP marketplace for training materials and an online community of experts. We
offer a simple way for the global SAP workforce, consulting companies and industry to market their
skills and find quality information.
As an SAP Expert, you can also market your SAP skills and make extra cash by publishing SAP
documents on www.ExpertPlug.com.