Creating, Copying, and Maintaining User Master Records

Objectives

After completing this lesson, you will be able to:
  • Outline the different users in the SAP environment
  • Explain the elements of user master records
  • Describe the different user types
  • Explain the importance of user groups
  • Create users using the user maintenance transaction

Users in the SAP Environment

The concept of user administration and the creation of a user master record are explained in detail in this lesson. The understanding of the concept is important to obtain a better understanding of SAP systems.

The figure Users in the SAP Environment illustrates how users interact with the SAP system.

Users can log on to an operating system, a database, or an SAP system using a combination of a user ID and a password. The operating system level, the database level, and the SAP system level usually have different authorization concepts.

In the SAP environment, a "user" usually refers to a user master record consisting of a user ID, password, and other user-related information.

Access to the operating system level of the application server and database server must also be protected to prevent damage to data and ensure that the SAP systems can be used. A user/password combination in the SAP system does not guarantee that you can log on to the operating system of a host or to the database server with the same user/password combination. However, identical user/password combinations can be created for SAP systems and operating systems.

Note

In the SAP system, user requests are processed by SAP work processes. These work processes all use a common user to access the database.

This lesson describes how users can log on to a client of an ABAP-based SAP system. Users and authorization data are client-dependent.

Options for Creating a User Master Record

A user master record allows users to log on to an ABAP-based SAP system. You create user master records for each user with the user maintenance (transaction SU01).

You can create a new user master record by creating a new master record or by copying an existing one. The user master record contains all data and settings that are required to log on to a client of the SAP system.

To create a user master record, at least the following information is required in SU01:

  • Last name on the Address tab page.
  • New (initial) password and identical repetition of the password on the Logon Data tab page.

Furthermore, you can provide additional data in SU01, as shown in figure User Master Record. This data is divided into the following tab pages:

  • The Documentation tab contains a brief description and detailed documentation of the user. A person that has technical or functional responsibility for this user, for example, can also be entered on this tab.

  • The Address tab displays address data.

Note

With SAP S/4HANA, a new identity model for business users has been introduced. A business user is defined as a natural person who is represented by a business partner and a link to a user in the system. Business users interact with the software in the context of a business process, for example, in the role of a purchaser, a sales representative, or a production planner. A user in SAP S/4HANA is now related (1:1) to a corresponding business partner (person) from whom essential data is referenced. This reduces redundant maintenance and prevents the disadvantage you have with outdated information.

However, it is still possible to create users without business partner assignment. They are displayed as User with Classic Address.

For more details, see SAP Note 2570961 (Simplification item S4TWL - Business User Management).

As of release SAP S/4HANA 1909, in transaction SU01, there is a distinction between business users and technical users. The Technical User does not have a business partner associated with it and does not have the address data tab. You should use the Documentation tab for the description.

Technical users are typically users who work in the background or work in RFC interfaces between the systems. When creating a technical user, user type Dialog is selected by default. However, it makes more sense to choose System or Communication Data as user type for technical purposes. Further details on user types are described in this lesson.

Note

SAP recommends that you convert all SU01 users (not the technical users) into business users after an SAP S/4HANA conversion. This is possible as of SAP S/4HANA 1709 FP02.

Elements of User Master Records

  • The Logon Data tab displays the password and validity period of the user, as well as the user type. For further information about the password rules for special users, refer to SAP Note 622464 (Change: Password change requirement for user type "SYSTEM").

    Hint

    Some of the following sections in this lesson refer to some fields on this tab in more detail.
  • The Database Management System (DBMS) tab enables the SAP system to manage users and their authorizations in the DBMS (available for SAP systems running on SAP HANA DB only – see SAP Note 1836006, Requirements for DBMS User for DB connection).

  • The Secure Network Communications (SNC) tab is used for managing security functions (external product) that are not directly available but have been prepared in SAP systems. Consider the usage regulations for the country in which you want to use this function.

    Hint

    The SNC tab page is not automatically displayed in every version of transaction SU01. Its availability depends on the product/system/release and support package level. At the very latest, this tab page becomes visible once you are using SNC, and have activated the profile parameter snc/enable.

  • The Defaults tab displays default values such as the default printer, the default logon language, and so on.

  • The Parameters tab contains user-specific values for standard fields in SAP systems.

  • The Roles and Profiles tab shows the roles and profiles that are assigned to the user. Users normally get authorizations via roles. The authorizations are combined in authorization profiles that are automatically generated with a corresponding role. Roles are then entered in the user master record.

    Hint

    Lesson 2 of this unit refers to authorizations and role maintenance in more detail.
  • The Groups tab shows the grouping of users for mass maintenance.

  • The Personalization tab displays personalization objects. In some transactions, personal settings are required that have some effect on the appearance of the transaction. These settings can be stored, or pre-populated using personalization objects.

  • The License Data tab allows you to specify the contractual user type of the user. It is evaluated during system measurement.

DBMS User Administration

In a typical SAP system installation, you maintain users who execute applications on the AS ABAP in transaction SU01. There, you can also maintain several technical users for the DBMS, but this is only required in certain specific use cases.

  • For SAP Business Warehouse (SAP BW), a 1:1 assignment of users is required to grant analytics permissions in the database to virtual analysis users in SAP BW.

  • Users run applications that access the database directly. You have to assign database authorizations to these users.

When your SAP system is running on SAP HANA DB, to simplify DBMS user administration, you can define a connection between user administration in AS ABAP and the DBMS. When you create users in AS ABAP, users in the DBMS are created automatically with the same user IDs and the same passwords. When an administrative lock is set for a user in AS ABAP, the corresponding DBMS user is also locked. You can also add or remove DBMS authorizations for the DBMS user, as long as the DBMS supports this.

Hint

The option to synchronize users created with transaction SU01 in ABAP with the SAP HANA database must be configured first. This includes adding a database connection in table DBCON (transaction DBCO) for the database user and database type HDB, and entering the name of the database connection and the client in the USR_DBMS_SYSTEM view with transaction SM30 (Maintain Table View).

The necessary configuration steps are described in the online documentation (Product Assistance) for SAP S/4HANA, area Enterprise Technology → ABAP Platform → Securing the ABAP Platform → Security and User Administration → User Administration and Identity Management in ABAP Systems. From here, choose the link to User Maintenance Functions and from there choose User and Role Administration of Application Server ABAP → Administration of Users and Roles → User Administration → User Administration Functions → Creating and Editing User Master Records → DBMS Tab → (link to) DBMS User Management → Configuring DBMS User Management for SAP HANA. When you have made the necessary configuration, the DBMS tab page is also displayed in transaction SU01.

User Types

The user type is an important attribute of a user. Different user types are available for different purposes:

Dialog

A normal dialog user is used for all logon types by just one person. During an interactive dialog logon, the system checks for expired/initial passwords, and the user can change his or her own password. The usual settings for the validity period of a password apply to this user type. The dialog user can log on to the system multiple times, but be aware that multiple dialog logons are checked and logged.

System

You use the system user type for dialog-free communication within a system or for background processing within a system. System users are also used for RFC communication in various applications, such as ALE, Workflow, Transport Management System, and Central User Administration. You cannot use this user type for a dialog logon. The usual settings for the validity period of a password are not valid for system users. Only user administrators set the productive password and can change the password.

Note

For more information, also see SAP Note 622464 (Change: Password change requirement for user type "SYSTEM").

Communications Data

You use the communications data user type for dialog-free communication between systems. You cannot use this user type for a dialog logon. The usual settings for the validity period of a password apply to users of this type.

Service

A user with type service is a dialog user that is available to a larger, anonymous group of users. In general, you should only assign highly restricted authorizations to users of this type. Service users are used, for example, for anonymous system accesses using an ICF service. The system does not check for expired/initial passwords during logon. Only the user administrator can change the password. Multiple logons are permitted.

Reference

A reference user is a general user, not specific to a particular person. You cannot use a reference user to log on. A reference user is used only to assign additional authorizations. You can specify a reference user for a dialog user for additional authorization on the Roles tab page.

The figure User Types provides an overview of the types and effects of the password rules for users.

User Groups

An entry in field User Group for Authorization Check (on tab Logon Data) is required if you want to divide user maintenance among several user administrators. Only the administrator that has authorization for this group (authorization object S_USER_GRP) can maintain users of this group. If you leave the field blank, the user is not assigned to any group (concerning authorization checks). This means that the user can be maintained by any user administrator allowed to maintain any group. This assignment is part of the logon data in the user master record.

User master record: the user master record contains the definition of a user in the client. Examples of its fields include last name, first name, initial password, phone number, and so on. The user master record is used to create a user context when a user logs on to the system.

For mass maintenance of user data (transaction SU10) users can be assigned to a user group on the Groups tab page. Assignments that you make on the Groups tab page are not used for authorization checks that are specified on the Logon Data tab page using the User Group field. This grouping is only suitable for mass maintenance.

You can create user groups in the transaction Maintain User Groups (SUGR).
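The check behind the User Group for Authorization Check field can be reproduced in a few lines of ABAP. The following report is an added example and not part of the training material or of SAP's own SU01 code: it reads the group of the user to be maintained from USR02-CLASS and checks authorization object S_USER_GRP for activity 02 (change). The report name, class name and the handling of the blank group are assumptions: a blank group is checked with ID 'CLASS' DUMMY so that, as described above, any administrator holding an S_USER_GRP authorization for the activity passes.

```abap
*&---------------------------------------------------------------------*
*& Report Z_CHECK_USER_GRP_AUTH
*& Added example, not part of the lesson or of SAP's SU01 implementation.
*& Shows the S_USER_GRP check that decides whether the logged-on
*& administrator may change a given user, based on USR02-CLASS.
*&---------------------------------------------------------------------*
REPORT z_check_user_grp_auth.

PARAMETERS: p_user TYPE xubname OBLIGATORY.   " user whose master record is to be changed

CLASS lcl_grp_check DEFINITION.
  PUBLIC SECTION.
    " Returns abap_true if the current administrator holds S_USER_GRP
    " with ACTVT 02 for the group assigned to iv_user.
    CLASS-METHODS may_maintain
      IMPORTING iv_user           TYPE xubname
      RETURNING VALUE(rv_allowed) TYPE abap_bool.
ENDCLASS.

CLASS lcl_grp_check IMPLEMENTATION.
  METHOD may_maintain.
    DATA lv_group TYPE xuclass.

    " The group used for the authorization check is stored in USR02-CLASS
    " (field User Group for Authorization Check on the Logon Data tab).
    SELECT SINGLE class FROM usr02 INTO lv_group
      WHERE bname = iv_user.
    IF sy-subrc <> 0.
      rv_allowed = abap_false.   " user does not exist in this client
      RETURN.
    ENDIF.

    IF lv_group IS INITIAL.
      " Modelling assumption: no group means the CLASS field is not checked,
      " so any administrator authorized for S_USER_GRP / ACTVT 02 passes.
      AUTHORITY-CHECK OBJECT 'S_USER_GRP'
        ID 'CLASS' DUMMY
        ID 'ACTVT' FIELD '02'.
    ELSE.
      " Group set: the administrator needs S_USER_GRP for exactly this group
      " (or a pattern such as '*' that covers it) with activity 02.
      AUTHORITY-CHECK OBJECT 'S_USER_GRP'
        ID 'CLASS' FIELD lv_group
        ID 'ACTVT' FIELD '02'.
    ENDIF.

    rv_allowed = xsdbool( sy-subrc = 0 ).
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  IF lcl_grp_check=>may_maintain( p_user ) = abap_true.
    WRITE: / 'Administrator', sy-uname, 'may maintain user', p_user.
  ELSE.
    WRITE: / 'Administrator', sy-uname,
             'is not authorized for the user group of', p_user.
  ENDIF.
```

Run the report as two different administrators, one with S_USER_GRP restricted to a single group and one with CLASS = '*', against a user with a group and a user without one: the restricted administrator is rejected for users of other groups, while both administrators pass for the user without a group. Note that the grouping on the Groups tab (used by SU10) plays no part in this check.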

Basics of User Maintenance

Business Example

As a user administrator, you want to create a new user master record so that a new hire can start working in the SAP system. In addition, you want to divide user maintenance among several user administrators. Only administrators who have the authorization for a certain group should be able to maintain users of this group.

Note

In this exercise, when the values include ##, replace the characters by the number your instructor has assigned to you.

Task 1: Create a User Master Record

You want to create a new user master record in the SAP system using the User Maintenance.

Steps

  1. In client 100 of your SAP system, go to user maintenance (SU01) and create a user master record ADMIN-##.

    1. Log on with user TRAIN-## to client 100 in your SAP system.

    2. Start transaction SU01.

    3. In the field User, enter ADMIN-##.

    4. From the menu, choose User → Create User (F8).

      Note

      As this exercise is meant for practicing, create a classic user rather than a technical user, since no Address tab is displayed for a technical user.
    5. On the Address tab, enter the last name of your choice in the Last name field.

  2. Since this is a user for a new hire, switch to the Logon Data tab and select Dialog as user type.

    1. Switch to the Logon Data tab.

    2. Check if the user type is set to Dialog. If yes, do not change it. If not, select user type Dialog.

  3. Provide an initial password.

    1. In the New Password field, enter an initial password of your choice.

    2. In the Repeat Password field, enter the initial password again.

  4. On the Defaults tab, select the default logon language for the user.

    1. Switch to the Defaults tab.

    2. In the Logon Language field, select the logon language of your choice.

    3. Choose Save (Ctrl+S).

      Result

      A new user master record has been created successfully.
  5. Log on to client 100 of your SAP system with the newly created ADMIN-## user.

    1. Open the SAP Logon program on your desktop.

    2. Choose your training SAP system from the list.

    3. Enter the user ID ADMIN-## and the initial password you defined in the previous step.

    4. Choose Enter.

  6. Set a production password for the user.

    1. Enter a production password (twice).

  7. Start any transaction of your choice. Is the user able to execute any function in the system?

    1. Start any transaction of your choice. What is the result of your action?

      Result

      The user does not have the authorization to execute any transaction.

Task 2: Create and assign User Groups

In your SAP system, you want to create user groups to divide user maintenance among several user administrators. This means that you assign users to user groups. With that, you ensure that the master records of certain users can be maintained only by specific administrators, namely those who are authorized to change the corresponding user groups.

Steps

  1. Using transaction SUGR, create the following user groups:

    • EMPLOYEES-##
    • ADMINS-##
    1. Continue working as user TRAIN-## in client 100 of your SAP system.

    2. Start transaction SUGR.

    3. In the User group field, enter EMPLOYEES-##.

    4. Choose Create user group.

    5. Enter a description in field Text.

    6. Choose Save (Ctrl+S).

    7. Back on the initial screen of transaction SUGR, in the User group field, enter ADMINS-##.

    8. Choose Create user group.

    9. Enter a description in field Text.

    10. Choose Save (Ctrl+S).

  2. Using transaction SU10, assign the following user groups for authorization checks:

    • EMPLOYEES-##: all users except TRAIN-## and ADMIN-##
    • ADMINS-##: TRAIN-## and ADMIN-##
    1. Continue working as user TRAIN-## in client 100 of your SAP system.

    2. Start transaction SU10.

    3. Choose the F4 help next to the first User field.

    4. Choose Start Search (Enter).

    5. In the Restrict Value Range popup, select all users except TRAIN-## and ADMIN-##. When done, choose Copy.

    6. Choose Change.

    7. On the Logon Data tab, use the F4 help for User Group (in area User Group for Authorization Check) to select user group EMPLOYEES-##.

    8. Select the Change checkbox next to the User Group field.

    9. Choose Save (Ctrl+S).

    10. In the Mass User Changes popup, choose Yes.

    11. Note the change log and choose Back (F3).

    12. Restart transaction SU10 (to ensure that no users are already selected).

    13. Choose the F4 help next to the first User field.

    14. Choose Start Search (Enter).

    15. In the Restrict Value Range popup, select users TRAIN-## and ADMIN-##. When done, choose Copy.

    16. Choose Change.

    17. On the Logon Data tab, use the F4 help for User Group (in area User Group for Authorization Check) to select user group ADMINS-##.

    18. Select the Change checkbox next to the User Group field.

    19. Choose Save (Ctrl+S).

    20. In the Mass User Changes popup, choose Yes.

    21. Note the change log and choose Back (F3).
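The same two tasks can be scripted against the standard user-management BAPIs instead of being clicked through SU01 and SU10. The report below is an added example and not part of the training material or of SAP's delivered code. Its assumptions: "01" stands in for the ## placeholder, the user groups EMPLOYEES-01 and ADMINS-01 have already been created in SUGR, the last name and the initial password are constructed values, and the report and class names are invented. The BAPI names and structure fields (BAPI_USER_CREATE1, BAPI_USER_CHANGE, BAPILOGOND-USTYP/CLASS, BAPILOGONX, BAPIPWD, BAPIADDR3, BAPIDEFAUL) are standard, but verify them in your release with transaction SE37 before running anything.

```abap
*&---------------------------------------------------------------------*
*& Report Z_USR_CREATE_AND_GROUP
*& Added example (not part of the lesson): performs Task 1 and Task 2
*& with the user BAPIs. "01" replaces the ## placeholder; the groups
*& EMPLOYEES-01 and ADMINS-01 are assumed to exist already (SUGR).
*&---------------------------------------------------------------------*
REPORT z_usr_create_and_group.

CONSTANTS: gc_train_user TYPE xubname VALUE 'TRAIN-01',
           gc_new_user   TYPE xubname VALUE 'ADMIN-01',
           gc_admin_grp  TYPE xuclass VALUE 'ADMINS-01',
           gc_emp_grp    TYPE xuclass VALUE 'EMPLOYEES-01'.

TYPES ty_return TYPE STANDARD TABLE OF bapiret2 WITH DEFAULT KEY.

CLASS lcl_user_admin DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS:
      " Task 1: dialog user with last name, initial password and logon language
      create_dialog_user IMPORTING iv_user TYPE xubname,
      " Task 2: set User Group for Authorization Check (Logon Data tab)
      set_auth_group     IMPORTING iv_user  TYPE xubname
                                   iv_group TYPE xuclass,
      commit_or_rollback IMPORTING it_return TYPE ty_return.
ENDCLASS.

CLASS lcl_user_admin IMPLEMENTATION.
  METHOD create_dialog_user.
    DATA: ls_logondata TYPE bapilogond,
          ls_password  TYPE bapipwd,
          ls_address   TYPE bapiaddr3,
          ls_defaults  TYPE bapidefaul,
          lt_return    TYPE ty_return.

    ls_address-lastname = 'Trainee'.            " Address tab: mandatory last name (constructed)
    ls_logondata-ustyp  = 'A'.                  " Logon Data tab: A = Dialog (B System, C Communication, S Service, L Reference)
    ls_defaults-langu   = 'E'.                  " Defaults tab: logon language
    ls_password-bapipwd = 'Initial-Pw-2024!'.   " constructed initial password; replaced by the user at first dialog logon

    CALL FUNCTION 'BAPI_USER_CREATE1'
      EXPORTING
        username  = iv_user
        logondata = ls_logondata
        password  = ls_password
        address   = ls_address
        defaults  = ls_defaults
      TABLES
        return    = lt_return.

    commit_or_rollback( lt_return ).
  ENDMETHOD.

  METHOD set_auth_group.
    DATA: ls_logondata  TYPE bapilogond,
          ls_logondatax TYPE bapilogonx,
          lt_return     TYPE ty_return.

    ls_logondata-class  = iv_group.
    ls_logondatax-class = abap_true.   " flag the CLASS field as changed, like the Change checkbox in SU10

    CALL FUNCTION 'BAPI_USER_CHANGE'
      EXPORTING
        username   = iv_user
        logondata  = ls_logondata
        logondatax = ls_logondatax
      TABLES
        return     = lt_return.

    commit_or_rollback( lt_return ).
  ENDMETHOD.

  METHOD commit_or_rollback.
    " Any error (E) or abort (A) message means the change must not be committed.
    LOOP AT it_return INTO DATA(ls_return) WHERE type CA 'EA'.
      WRITE: / ls_return-type, ls_return-message.
    ENDLOOP.
    IF sy-subrc = 0.
      CALL FUNCTION 'BAPI_TRANSACTION_ROLLBACK'.
    ELSE.
      CALL FUNCTION 'BAPI_TRANSACTION_COMMIT'
        EXPORTING
          wait = abap_true.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Task 1: the new hire's dialog user
  lcl_user_admin=>create_dialog_user( gc_new_user ).

  " Task 2: all other users of this client -> EMPLOYEES-01; the two admin users -> ADMINS-01
  SELECT bname FROM usr02 INTO TABLE @DATA(lt_users)
    WHERE bname <> @gc_train_user AND bname <> @gc_new_user.
  LOOP AT lt_users INTO DATA(ls_user).
    lcl_user_admin=>set_auth_group( iv_user = ls_user-bname iv_group = gc_emp_grp ).
  ENDLOOP.
  lcl_user_admin=>set_auth_group( iv_user = gc_train_user iv_group = gc_admin_grp ).
  lcl_user_admin=>set_auth_group( iv_user = gc_new_user   iv_group = gc_admin_grp ).
```

The administrator running the report needs S_USER_GRP for both the old and the new group of every user touched, exactly as in SU10; otherwise BAPI_USER_CHANGE returns an error message and the change is rolled back. Because the change is committed per user, check the written messages afterwards in the same way as the SU10 change log.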

Additional Information

More information on User Administration topics can be found in the online documentation (Product Assistance) for SAP S/4HANA, area Enterprise Technology → ABAP Platform → Securing the ABAP Platform → Security and User Administration → User Administration and Identity Management in ABAP Systems. From here, choose the link to User Maintenance Functions and from there choose User and Role Administration of Application Server ABAP → Administration of Users and Roles → User Administration → User Administration Functions.

In addition, the following SAP Notes might be helpful:

  • SAP Note 2570961 (Simplification item S4TWL - Business User Management)

  • SAP Note 622464 (Change: Password change requirement for user type "SYSTEM")
