Managing Users and User Groups

• DG Industries has 15 users in the sales department who need to access SAP Business One. These users work with the same forms and menus.
• When processing sales documents, the users need to have the same form settings for documents, the same UI look-and-feel, and similar requirements for print settings.
• The company wants to enforce a strong password policy, requiring users to select a password of a set minimum length.
• Solution:
  • Define a set of common defaults for display and print settings and assign to each user account as User Defaults
  • Set up one user account with the required form settings, then copy the form settings to the other user accounts (or to a user group)
  • Define a common set of UI configuration changes in a UI Template, then assign to each of the user accounts (or to a user group)
  • Define a custom password policy in SAP Business One.
• Note: User Groups can speed up the assignment of common settings, including general authorizations, to multiple users. User groups will be discussed in this course.

To work with SAP Business One, a user needs an account. The user account contains the user ID, password and other details.

Even with an account, a user cannot access any functionality until they have been assigned both the correct license and general authorizations:

• The license allows legal use of the software
• General Authorizations permit access to functions and menus in SAP Business One according to the user's license type and can be further refined by role

The user's account is associated with personalization options such as form settings, user defaults, UI configuration templates, and cockpit dashboards.

The user account can be optionally linked to an employee master data record for HR purposes and for another type of authorization - data ownership.

The user account can be linked to a designated sales employee or buyer which is entered into marketing documents.

To create a user account, choose the path shown in the slide and enter the user details. The user code must be unique, up to 8 characters, and is case sensitive. Once saved, the user code cannot be changed.

To enable the user to login with single sign-on (SSO), enter the Windows domain and account name. You must also enable single sign-on functionality in the System Landscape Directory (SLD). As a result, users can access SAP Business One without entering their user code and password. If you want to use the single sign-on function for SAP Business One, version for SAP HANA, you must choose domain user authentication and specify the domain name and user during the installation of the SAP Business One server components.

Note:

• If you create employee master data first, you have the option to generate the user account when you create the master data
• You can access the user setup window from the Express Configuration Wizard. See the related course in the Implementation Tools curriculum.

• If you check the Superuser checkbox in the user account, the user becomes a super user. A super user has by default full authorization to every function in SAP Business One and must be assigned a professional license. You cannot edit the authorizations for a super user account.
• If you do not check the Superuser checkbox, the user by default has no authorizations to any system functionality. General Authorizations must be set for each user to every function that the user will work with. You can assign a limited license to this user or a professional license.
• A super user can create new user accounts, reset the passwords of other users, and assign licenses and authorizations for other users. During the implementation project the super users will be nominated and should receive training in all system and administration functionality.

• To enable a user to access SAP Business One using the mobile apps for IOS and Android, select the Mobile User checkbox. The mobile phone number is mandatory in the user account as the user must enter this number when they logon from the phone. If the device has no phone number, for example, an iPad, choose a fictitious mobile phone number.
• You must also enter the ID of the user's mobile device, which is a unique MAC address. To find the device ID, launch the SAP Business One mobile app on the device. In the Logon page, tap Settings. The device ID appears in the Device ID field, in the Logon Settings section.
• The mobile apps use the Web services of the integration framework to connect to the database. Therefore you must install the integration framework of SAP Business One. This is free and distributed with the SAP Business One installation software. You also need to activate the mobile scenario sap.B1Mobile within the integration framework.
• The integration framework uses the B1i user to connect to SAP Business One, for example for authentication when using the mobile solution. You need to assign a B1i license to the user. This license is free but must be assigned in addition to the contracted license.
• Consult the relevant user guides on IOS and Android for more information on using the mobile apps.

• Employee master data is used to define organizational hierarchies, teams, department and branches. These relationships are used for data ownership authorizations.
• The employee record and the user account can be linked using the User Code in the employee record and the Employee name in the user account. This can make it easier to maintain and update user records.
• Many fields are common between the employee master data and the user account. When you add an employee master data record, the system will prompt you to automatically create a user account if one does not exist. Various fields from the employee record are copied over to the user account and the two records are linked.
• If a user account already exists, you can have common fields copied from the master data to the user account.
• When the records are linked, if you enter additional data in the user account, the system will copy the data over to the employee record, and vice versa.

• Over time it may be necessary to remove user accounts. To do this, select the user account then open the Data menu and choose Remove.
• Remember to remove the license assignment prior to removing the account to avoid misallocation or orphaning of licenses.
• Note that the system will not let you create a new account later with the same user code (the record is still kept in the database).

When SAP Business One is installed, some predefined user accounts are created and reserved:

• The manager user is created when the company is first created.
• The B1i user is created when the integration framework of SAP Business One is selected for installation. This is the technical user account used internally by the integration framework to connect to SAP Business One.
• The Workflow user is created when the Workflow service is installed. The Workflow service allows companies to design and execute standard business processes consisting of tasks and business logic. The Workflow user is used to connect from the service to the company database.
• The AlertSvc user is automatically created at installation time. This internal technical user ensures that the alert service sends alert notifications to a user even if the user is not logged in to SAP Business One. See the related topic on Alerts for more details.
• The Support user is available when Remote Support Platform (RSP) is activated on the customer's server. It provides a way for a support consultant to log in and access a company's system to perform maintenance and support, without the need for a license.

• Each user must be allocated a license to use the system. To assign a license, select the user code then select the type of license from the available, purchased licenses. Each time a license is assigned to a user the number of available licenses is reduced.
• Mobile users also must be assigned a B1i license which is free, and which allows the use of the integration framework for mobile web apps.
• Notice that you can import the license file from this screen. The license file is sent to you by SAP and contains the licenses you have purchased for the customer.
• For more information on licensing, see the license guide.

In the user account you can optionally assign the user to a user group. Essentially a user group is a list of users who share common requirements, for example, form settings or general authorizations. The idea is to assign common settings at the group level instead of to each individual user.

User groups operate on the concept that employees in a company can be grouped according to their roles or functions they work with (for example, sales people, accountants, and managers). Generally, users with the same role require similar:

• General authorizations
• Alert notifications
• Form settings
• UI look-and-feel settings

To create a new user group, open the menu shown in the slide and choose the Create Group button (or press Ctrl +A to switch to add mode).

A user group can be of type Authorization, Alerts, Form Settings, UI Configuration Templates, or Cross All Types. Before you create a user group you should identify users with similar roles and requirements so you can create a group with the correct type:

• Authorization. For users who share the same general authorization requirements. For more information on authorization user groups, see the related course General Authorizations.
• Alerts. For users who need the same alert notifications. For more information on alerts, see the related course Alerts.
• Form settings. For users with common forms settings per document. Form settings for one user can quickly be copied to the users in a user group.
• UI configuration templates. For users with common UI look-and-feel requirements. For more information on UI configuration templates user groups, see the related course UI Configuration Templates.
• Cross All Types. For users who share common settings in more than one of the other group types.

You then add users to the group by selecting from the list of users. You can optionally set a valid date range for the new group. For example, you can predefine a set of authorizations for a group and activate them at a later date.

User groups appear in related configuration windows according to the type:

• Authorization groups appear in the General Authorizations window, allowing you to assign authorizations simultaneously to everyone in the user group.
• Alert groups appear in the Alerts Management window when you configure a new alert, allowing you to assign all the users in the group to receive alert notifications.
• Form settings groups appear in the Copy Form Settings window, allowing you to simultaneously copy form settings from a source user to all users in the group.
• UI Configuration templates groups appear in the UI Configuration Template setup window, allowing you to assign a UI template simultaneously to all the users in the group.
• Cross All Types groups appear in all four configuration windows. This allows you to assign the users in this group in any one of the configuration windows.

To assign form settings with a user group:

• Create the user group with the type Form Settings or Cross All Types and add the users to the group
• Login as one of the users and set the form settings for the documents
• Choose the Copy Form Settings button from that user's account
• In the Copy Form Settings window, choose the Groups tab and select the predefined group. The group members will receive the same form settings.

To see how authorization user groups work, see the related course on General Authorizations.

To see how UI configuration templates user groups work, see the related course on UI Configuration Templates. To see how alerts user groups work, see the related course on Alerts.

In the General Settings you can define the default settings that will be applied to user accounts. These settings include actions at the start of each login session, display language, date and time formats, and fonts and backgrounds.

• In the User Defaults screen, you can define a set of default settings and assign them to user accounts. You assign a code to the set of defaults, and then select the code in the user account.
• An example might be to set up common defaults for users who work in the same local department, or who work with the same warehouse.
• The settings include date and time formats, the display color, language and font, plus accounts used for cash and checking, default warehouse, and so on.
• On the Print tab you can define print actions on a per document basis. These include the number of copies and remarks for printing, as well as actions that are taken automatically when adding a document, such as an email or export to PDF. In the slide example, the options to automatically export and e-mail a sales quotation as a PDF are selected for that document. Note that similar per document settings can be made in the Print Preferences → Per Document window. These user defaults settings take priority over the setting in print preferences.

User defaults also cover credit card G/L accounts, and allow you to set up separate attachment folders for different group of users.

The attachments folder is used when a user:

• Exports a document as a PDF
• Attaches a document to an email
• Adds an attachment to a document, activity, business partner or other form that has an Attachments tab.

The path to the company-wide attachments folder must first be defined in the General Settings (Path tab). Then you can define sub-folders of the main attachments folder and assign the path to the sub-folder for a set of users.

You should determine an appropriate schedule for backing up the attachments folders. You can schedule backup of the attachments folders using the Remote Support Platform (RSP) tool.

Some of the default settings for users can be changed by the user for their own account.

Users can open their account using the My Personal Settings icon.

Not all settings are available in the user account, but when they are, these settings override the same settings defined in the user defaults or in the General Settings. Thus the narrowest settings take precedence over the wider settings.

A user can change settings in the General, Services and Display tabs of their account. One important setting that a user can control is the ability to use the enter key on a numeric key pad as a tab key so that the user can move between fields in a document for faster data entry. Note that this setting only applies to a keyboard that has a numeric key pad.

• Password administration is typically done by the super user.
• A default password policy is supplied to enforce password compliance. The default policy is available under the password administration function. Only super users have access to this function.
• The password policy applies to all users and dictates the required strength of the user password, the composition of characters, and how often it needs to be changed.
• You can select low, medium, high or enter custom settings for the password policy. The security level that is selected in this screen is applied to the system.
• The default password policy is low and only requires a 4 character minimum password length and the password never expires. The high password policy requires an 8 character minimum password length and forces a password change ever 30 days. You can set your own custom policy.
• Whichever policy is chosen, you can choose a password example that is shown to users when they create passwords and this acts as a template for the required password criteria.
• If single-sign on is in use throughout the company, the user still has the option to login using their SAP Business One credentials, so the password policy should be maintained.

• The initial password for a user can be set by the super user when the account is first created, by selecting the ellipsis button to the right of the password field.
• Alternately, the super user can leave the password empty and select the checkbox option for the user to create a password when they first log on. In this case the user receives a prompt to create a password in accordance to the password policy. The user leaves the old password field empty, and simply enters and confirms the new password.

• Users can change their password at any time by choosing the change password function. This function is available to all users, regardless of license or authorizations. The new password must adhere to the password policy.
• Note that in SAP Business One, all passwords are encrypted.

• A user account can be locked to prevent access to SAP Business One or to temporarily disable an account. The super user can lock an account manually, and the account will be automatically locked after a specified number of unsuccessful login attempts by the user, if this is defined in the password policy. The default low password policy does not lock a user account.
• Only a super user can unlock a user account.

• An audit log is maintained that records each user logon, logoff, and password change.
• This is especially useful for monitoring password changes and failed login attempts.
• To view the log, choose the Tools menu then choose Access Log.
• You can double-click a row to see details for a user. The client IP address is included in the details, allowing the administrator to track the source of an attempted login.

Here are some key points to take away from this session.

• All users need an account and license. There are two types of user account. If you check the Superuser checkbox when you create a user account, the user will have full authorization to every function in SAP Business One and this cannot be changed. This user needs a Professional license. If you do not check the Superuser checkbox, the user by default has no authorizations to any function and you need to grant general authorizations to each user plus a suitable license.
• Several predefined user accounts exist in a new company database and are reserved.
• A user group is a list of users who share common requirements, for example, form settings, UI look-and-feel, general authorizations. User groups enable you to assign common settings at the group level instead of to each individual user.
• You can define overall settings for users in the General Settings on the Services, Display and Font & Bkgd tabs.
• You can also define a set of User Defaults including printing options, credit cards, and an attachments folder, and assign these defaults to users with common requirements, roles and/or locations.
• There is also the option to define many of these settings at the user account level. Settings made at the user account level override settings in the user defaults or in the General Settings.
• The password administration function allows a super user to set the strength of the password using a password policy. There are three prebuilt password policies (low, medium and high) plus the ability to define a policy to your own requirement. Super users can change the password for a user account, or lock an account to prevent access.
• All users can change their own password. The new password must comply with the password policy and an example of the required password is shown to the user.
• The access log provides an audit trail of user logons and password changes