Reviewing User Management

Objectives

After completing this lesson, you will be able to:
  • Create users and perform basic administrative tasks like resetting passwords and locking accounts.
  • Create, assign, and manage groups.
  • Describe the "Act As" functionality.
  • Explain the Delegate Authority functionality.

Login Page

  • Methods
    • Application authentication
    • Corporate authentication
    • Corporate authentication with Single Sign-On
  • For Application Authentication:
    • Username/password
    • Secret question
    • Reset password
    • Recover username
  • Privacy statement

Your company security and authentication rules govern which of the following three possible login authentication methods apply:

  • Application authentication: Users have an SAP Ariba product username and password that they enter on the login page. Usernames and passwords are maintained by the administrator within the SAP Ariba product.
  • Corporate authentication: A remote authentication mechanism where users log in to the SAP Ariba product using a username and password that matches the corporate username and password.
  • Corporate authentication with single sign-on: A remote authentication mechanism where users log into their corporate network, which automatically logs them in to their SAP Ariba product when needed. Single sign-on with corporate authentication provides benefits to your organization, but requires your network administrators to enable communication between your user authentication system and SAP Ariba.

Note

The initial privacy statement needs to be acknowledged the first time a user logs in. This privacy statement and any terms of use cannot be modified in any way.

User

  • Individual with a valid username and password to log into the system
  • Shared by all SAP Ariba Spend Management solutions
  • Can be internal, external (supplier or customer), or third-party
  • User information includes:
    • Type
    • Unique User ID
    • Name and contact information
    • Locale
    • Default currency
    • Time zone

A user in SAP Ariba Spend Management can view or participate in spend management activities. A user record is added to an organization and holds information about the person responsible for logging in with that User ID. Typically, users are created by Admin users with the Customer User Administrator permission. The Customer User Admin permission is usually assigned to a user during deployment so that they can create additional users for their organization.

There are three types of users within SAP Ariba Spend Management: Enterprise Users, External Supplier or Customer Users, and Third-Party Users.

Enterprise Users – Also called buyers. They are users that belong to the internal organization.

External Supplier or Customer User – These are the users who belong to supplier or customer organizations. A supplier organization provides your organization with a good or service. A customer organization receives goods or services from your organization.

Third-Party Users – A type of Enterprise User, often used when your organization uses single sign-on. A Third-Party User can access your site without being part of your corporate network because they use a different URL to reach the login page.

To create a user, you will need to provide the following information:

General Tab

  1. Type of User
  2. User ID: this must be unique for each user and the Best Practice recommendation is to ensure that all User IDs follow the same convention. Example: jsmith or john.smith@email.com
  3. Name: this is the name of the person that will use this User ID
  4. Organization: users must belong to an organization. For Enterprise and Third Party Users, this will automatically populate with the name of your organization.
  5. Business Email Address

These fields are required when creating a new user. Other optional fields include Phone Number, Locale, Currency, and Time Zone. These fields exist on the user for organizational reasons. For example, you can assign users to a supervisor.

Invitation Tab

SAP Ariba Spend Management allows you to generate an invitation to a user upon creation. This triggers an email to be sent providing the user with login information to set up a password and access the site using the new User ID that was created. This invitation option is only available during creation. Once the user is created, a password reset needs to be sent in order to invite the user to the site.

There are also places where you can provide Ship To and Billing Addresses for the user.

The last thing you need to set up before creating a user is the permissions that will be assigned. To assign permissions, click the Groups tab. Here, you can choose from a list of permissions to assign to the user depending on what their role within the site will be. Any permissions assigned to a User ID will apply to the entire site and could occupy user and/or team member licenses. User licensing will be covered later in this course.

Be sure all information is correct prior to clicking Create. Once a user is created, it can only be deactivated. You can edit the user information, but note that you cannot edit the User ID.

User Data

User Data is usually divided into two buckets:

External users
  • Members of external organizations (suppliers or customers) who have access to your SAP Ariba solutions
  • Manage using Supplier and Customer Manager and/or SM Administration
Internal users
  • Members of your organization who have access to your SAP Ariba solutions
  • Manage using User Manager

Note

We will be focusing on internal users in this module.

Internal users are also called enterprise users within the administration areas of your SAP Ariba site. For example, when you go to create a user the option for the type of user you will see for an internal user is enterprise user. These are the people that will have groups assigned to their User IDs which grant them permissions, such as creating projects, observer abilities, and more within your SAP Ariba site. Groups will be explained in greater detail later in this module.

Creating a User

There are two ways administrators can create a user:

  1. Manually from the Administration UI
  2. Data import via CSV file

When a realm has only SAP Ariba Strategic Sourcing solutions (non-suite integrated), users can be imported via the Manage > Administration > Site Manager > Data Import/Export > Import Enterprise Users task or via the Manage > Administration > User Manager > Data Import/Export > Import Enterprise Users task.

In suite integrated realms, users are created via Manage > Core Administration. Once users are created via Core Administration, assigning system groups will grant permissions relevant to each system group’s associated solutions.

Creating a User Manually

The step-by-step process to create a user manually is displayed.

General Tab: When selecting a User ID, it's best practice to create the User ID to match your corporate login information. Should your organization decide to implement Single Sign On (SSO) in the future, this will prevent the need to replace User IDs so the users can continue owning their projects created prior to the implementation of SSO.

Invitation Tab: This tab is only available when initially creating a user. If you choose not to send the invitation/password email to the new user when you initially create the user ID, you may send it later by generating the password.

Ship-To Address/Billing Address: These tabs are useful when you are creating a user for SAP Ariba Procurement solutions. For SAP Ariba Strategic Sourcing solutions, this information is not required.

Groups Tab: This is where you can assign system groups or custom groups to users. System groups will grant permissions to the users depending on the group assigned. Custom groups are used for organizational purposes to logically group users together. An example of this might be Administrative Users. You could create a group and place all of the administrative users into this group. This custom group can then be used in approval flows or in various other parts of the SAP Ariba solutions.

Add a User in SAP Ariba Realms Integrated with an ERP

With the appropriate integration setup, realms can seamlessly update users via master data integration.

Users and group assignments are considered master data which can be extracted from SAP ERP and sent to SAP Ariba through automated tasks and batch loads.

As such, user records, including email addresses, usernames, supervisors, and groups, can be imported via Direct Connectivity or through mediated connectivity using adapters.

Changes to user data in the corresponding ERP, PeopleSoft, or HR systems can be recognized in SAP Ariba through this automation.

Example: A user who is inactive in the HR system can be flagged as inactive in SAP Ariba.

Group

  • A collection of users based on a logical division, such as:
    • System role
    • Department
    • Location
  • SAP Ariba solutions include standard system groups
  • Administrators can create additional groups
  • Groups can include other groups
  • A user can belong to more than one group

Group membership enables users to perform specific tasks in the end-user and Ariba Administrator interfaces. For example, only members of the Customer Administrator group can use Ariba Administrator to import, export, and manage all types of data.

SAP Ariba includes a number of default, or system-defined groups. To understand the capabilities of these groups, on the dashboard, click Manage > Administration. In Ariba Administrator, click User Manager, and then click Groups. Click List All, and then view the Description field for each group. The descriptions are also available when you view group details.

In addition to system groups, you can define your own groups. Keep in mind that any custom groups created by an administrator are for organizational purposes only. Custom groups are not directly associated with permissions.

User - Group Relationships

Two tables related to Users and Groups are displayed.

The image shows that a group can contain many users. For example, Sourcing Agent contains four different users: Mary, Kirk, Juan, and Gene.

A user can be assigned to many groups. In the example, Kirk Stabler (user) belongs to the groups shown in the slide. Sourcing Agent, Contract Manager, and Report Administrator are system groups. Headquarters is a custom created group to help organize Kirk and identify him as a user at the organization’s headquarters.

Groups

System Groups
  • Out-of-the-box groups that are included in your SAP Ariba solution
  • Used to grant users the ability to perform certain tasks within the system
  • Typically aligned with job roles

    Examples:

    • Contract Agent
    • Sourcing Manager
    • Customer Administrator
AribaManaged
  • Custom groups created by administrators, but are managed inside SAP Ariba
  • Don't have roles associated with them directly
  • Often used for access control on reports, contract workspaces, sourcing events
  • Can be added as ‘child group’ of a system group to give members roles; members of the AribaManaged group will inherit all roles associated with the parent system group
External
  • Groups maintained in an external system, such as an ERP system or a set of CSV files
  • Objects with this adapter source can be overwritten or deleted when data is imported from the external system
  • Custom groups imported from a CSV file have this adapter source

System Groups are provided by SAP Ariba and are associated with permissions. For example, Customer Administrator is a System group and is associated with permissions that allow a user with this permission to access administrative functions. When viewing the groups within your site, you will see a column to determine if the group is defined by the system, if it’s AribaManaged, or if it’s Externally managed.

It's possible for groups to be defined externally as well, through integration with your ERP. For example, you could create and manage a group (and even a user) from your ERP system. While this won’t be covered in this class, it's important to understand that the Defined By field on a group may determine whether or not you're able to make modifications to the group within SAP Ariba. For example, I might have a group called ERP Users. This group is managed by an ERP system, so when a new user is added to the group in the ERP, that change is automatically transferred to the ERP Users group in SAP Ariba. If an administrator were to manually remove a user from this externally managed group within SAP Ariba, the change made in SAP Ariba would be overwritten by the ERP import, so the user would be added back to that group after the next import unless the ERP import file was also modified. As an administrator, it’s important to know which groups are externally managed so you know whether or not a change can be made within SAP Ariba.

Parent - Child Groups

A chart displaying Senior Analysts.

In the example of the image above:

  • The AribaManaged group ‘London Analysts’ is a child of the system group Senior Analyst.
  • The AribaManaged group ‘Boston Analysts’ is a child of the AribaManaged group US Analysts.
  • US Analysts is both a parent group (of New York Analysts and Boston Analysts) and a child group (of Senior Analyst).

Note

Only AribaManaged groups can be children of other groups. You cannot add a system group as a child of another group.
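
The role inheritance described above can be audited mechanically. The following is an added example, not SAP Ariba code: it walks the chart's parent-child chain to show which users reach a system group only through nested AribaManaged groups, and flags groups the Best Practices for Users section later lists as multi-application. The user IDs, data structures, and function names are assumptions constructed for illustration.

```python
from collections import deque

SYSTEM, ARIBA_MANAGED = "System", "AribaManaged"

# Groups this lesson lists as granting permissions in multiple applications.
MULTI_APP_GROUPS = {
    "Contract Administrator", "Contract Agent", "Contract Manager",
    "Customer Administrator", "Customer Dashboard Admin", "Customer User Admin",
    "Procurement Agent", "Senior Analyst", "Supplier Manager",
}

# Constructed sample data: group name -> "Defined By" value.
GROUPS = {
    "Senior Analyst": SYSTEM,
    "US Analysts": ARIBA_MANAGED,
    "London Analysts": ARIBA_MANAGED,
    "New York Analysts": ARIBA_MANAGED,
    "Boston Analysts": ARIBA_MANAGED,
    "Headquarters": ARIBA_MANAGED,
}
# Child group -> parent groups, following the chart in this lesson.
PARENTS = {
    "US Analysts": ["Senior Analyst"],
    "London Analysts": ["Senior Analyst"],
    "New York Analysts": ["US Analysts"],
    "Boston Analysts": ["US Analysts"],
}
# Constructed user IDs and their directly assigned groups.
MEMBERSHIPS = {
    "jsmith": ["Boston Analysts", "Headquarters"],
    "mlee": ["London Analysts"],
    "kstabler": ["Headquarters"],
}


def hierarchy_violations(groups, parents):
    """Return rule violations: only AribaManaged groups may be child groups."""
    problems = []
    for child, parent_list in parents.items():
        if groups.get(child) != ARIBA_MANAGED:
            problems.append(f"{child}: defined by {groups.get(child)}, cannot be a child group")
        for parent in parent_list:
            if parent not in groups:
                problems.append(f"{child}: unknown parent group {parent}")
    return problems


def inheritance_paths(direct_groups, parents):
    """Map each group a user effectively belongs to onto the chain that grants it."""
    paths = {group: [group] for group in direct_groups}
    queue = deque(direct_groups)
    while queue:
        group = queue.popleft()
        for parent in parents.get(group, []):
            if parent not in paths:  # first path wins; also stops cycles
                paths[parent] = paths[group] + [parent]
                queue.append(parent)
    return paths


def audit(memberships, groups, parents):
    """List the system groups each user holds, direct or inherited."""
    findings = []
    for user, direct in sorted(memberships.items()):
        for group, path in sorted(inheritance_paths(direct, parents).items()):
            if groups.get(group) != SYSTEM:
                continue
            findings.append({
                "user": user,
                "system_group": group,
                "inherited": len(path) > 1,
                "via": " -> ".join(path),
                "multi_application": group in MULTI_APP_GROUPS,
            })
    return findings


if __name__ == "__main__":
    for problem in hierarchy_violations(GROUPS, PARENTS):
        print("VIOLATION:", problem)
    for row in audit(MEMBERSHIPS, GROUPS, PARENTS):
        print(row)
```

A user whose only direct groups are custom ones can still appear in the findings, which is the case a review of direct assignments alone would miss.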

Creating a Custom Group

The step-by-step process to create a custom group is displayed.

Note

The group name and the unique name should be the same. This will help with consistency and eliminate any confusion when the Unique Name is used rather than the Group Name as they will both be the same. For the description, you can provide details on what this group is intended for. This is helpful in the case that the administrator who creates the group may leave their role and this description can help a new administrator understand the function of this group.

User Licensing

Each customer purchases a specific number of user licenses for each SAP Ariba Strategic Sourcing solution purchased.

Group membership and Project Ownership determine whether a user is considered a chargeable user.

Work directly with your SAP Ariba Account Executive (AE) or Customer Engagement Executive (CEE) if you have any specific questions regarding your user licenses.

  • CEEs will work with customers to ensure their user counts are within their contractual counts by running Prepackaged Reports. Prepackaged reports can be run to compare results from the reports against the number of user licenses outlined on the customer's order form.

Impact on Licensing – Group Membership

Any user who is a member of any of the system groups listed as a User in the Group licensing reference table is counted as a licensed user:

  • Analysis Administrator
  • Category Manager
  • Commodity Code Manager
  • Commodity Escalation Administrator
  • Commodity Manager
  • Contract Administrator
  • Contract Agent
  • Contract Manager
  • Contract Project Administrator
  • Currency Manager
  • Customer Administrator
  • Customer Dashboard Admin
  • Event Administrator
  • Integration Admin
  • Internal Contract Administrator
  • Internal Contract Agent
  • Internal Contract Manager
  • Junior Procurement Agent
  • Junior Sourcing Agent
  • Limited Event Administrator
  • Procurement Agent
  • Procurement Manager
  • Procurement Project Creator
  • Procurement Project Requestor
  • Project Administrator
  • Project Mass Delete Administrator
  • Project Mass Edit Administrator
  • Sales Contract Administrator
  • Sales Contract Agent
  • Sales Contract Manager
  • SM Modular Questionnaire Manager
  • SM Ops Admin
  • Sourcing Agent
  • Sourcing Approver
  • Sourcing Project Administrator
  • SPM Agent
  • SQM Agent
  • SQM Manager
  • Supplier/Customer Manager
  • Supplier/Customer Agent
  • Supplier Project Administrator
  • Supplier Qualification Manager
  • Supplier Registration Manager
  • Supplier Risk Engagement Analyst
  • Supplier Risk Engagement Expert
  • Supplier Risk Engagement Governance Analyst
  • Supplier Risk Manager
  • Supplier Risk User
  • SV Project Manager
  • Template Creator

Impact on Licensing – Project Ownership

A project owner represents an individual for whom one of the following is true:

  1. Listed as the owner on the Overview tab of a project.
  2. Included in the list of individuals in the Project Owner group on the Team tab.
  3. Included in a project group (as an individual or as a member of another group), where the project group is assigned the Project Owner role.

User licenses can be occupied not only by assigning system groups to a User ID, but also by the roles associated to a project group where that user has been assigned. For example, a user might have only the Internal User group assigned to them which makes them a Team Member. If that Internal User’s ID is assigned to the Project Owner group or a group with the Project Owner role, that user will now occupy a User license.

Prepackaged Reports to Audit User Licenses

Report on user group membership
  1. Select Manage > Prepackaged Reports.
  2. Click System and Benchmark Usage Reports and select Open.
  3. Click System Usage Reports and select Open.
  4. Expand the Sourcing Usage Reports or Contract Usage Reports section.
  5. Click Sourcing – User Names and Permissions or Contracts – User Names and Permissions (depending on the section) and select Open.
  6. Click Export to view the report in Microsoft Excel.
  7. Save and open the file.
  8. For Sourcing users: Filter Yes values in the Sourcing User column.
  9. For Contracts users: Filter Yes values in the Contracts User column.
Report on project owners
  1. Select Manage > Prepackaged Reports.
  2. Click System and Benchmark Usage Reports and select Open.
  3. Click System Usage Reports and select Open.
  4. Expand the Contract Usage Reports section and select All Contract Workspaces.
  5. Edit the report criteria to set the Relative date range field to 12 months.
  6. To review contract chargeable users as a project owner, export the report to Microsoft Excel and filter unique values by the All OwnersUser column.

Create or Edit User Manually

After completing this activity, you will be able to:

  • Create/Edit User Manually

Edit User Groups

After completing this exercise, you will be able to:

  • Access the User Manager in the UI
  • Create a user and assign groups
  • Review user data
  • Review groups assigned to user
  • Remove user from group

Act As

The Acting as section is highlighted.
  • Administrators have the ability to Act as another user
    • You can see which user you are acting as on the top right corner of the screen
  • See what the other user is allowed to see
    • Used primarily for troubleshooting and testing
  • Perform limited actions that particular user can perform
    • Used to process approvals, document tasks, remove objects and other system maintenance activities
  • The system will log anything that you do on behalf of the user you act as such as completing a task, approving a document, etc.

While acting as another user, you can perform a subset of actions that the user can normally perform. For example, you can view their My Tasks list or view any tasks that are overdue and help to troubleshoot any issues they may be having. When you are done acting as that user, click Stop in the top right corner of the screen.

Any changes or actions that you take will be logged in the system and the log will indicate that you (the administrator) performed those actions while you were acting as the other user. It is also handy when you are acting as the internal support desk for your organization and a user calls and asks for help. The Act as feature allows you to see exactly what they see. If a user is unable to perform their job functions, an administrator can set up a delegation rather than using the Act as feature.

Groups and Required Permissions:

Keep in mind that this ability should be limited to authorized persons only.

You must be a member of the Customer Administrator group to act as another user. Members of the Customer User Admin group do not have access to the Act as command. The Act as group allows administrators to assign users to act as other users, without assigning all other administrator privileges associated with the Customer Administrator group. The limited ability to act as other users is very useful for users who have to perform an action on behalf of another user in their absence, or for those who test a new functionality by acting as different users. The ability to act as another user is a powerful privilege and due care and caution must be exercised before assigning users to the Act as group.

Delegate Authority

The Act as User section is displayed.
  • Delegations allow one user to act as another user for a specific time period
    • Delegator specifies a start and end date
    • Delegator has option to continue receiving notifications even while delegation is on
  • Delegations are created by the delegator or the administrator
  • To create a delegation, click Create Delegation in the User Manager menu, fill in the required fields, and click Set Delegation
  • Once delegation is set, the delegate will receive a prompt to select who to act as for the duration of the delegation

To create a delegation, click Manage > Administration > User Manager > Delegations, fill in the fields, and click Set Delegation.

Users can set up delegation for themselves through the delegation option on their Preferences menu. At any time, an administrator can go to this page and see what delegations have been set up. Administrators also have the ability to create/end delegations created by individual users.

UI: Act as / Delegate Authority

After completing this exercise, you will be able to:

  • Delegate and Act as a Specific User

Remove a User’s Access to the Site

A graphic displaying Deactivate is not equal to Lock.
Lock
  • Remove a user’s access temporarily
  • Can still be added to projects, events, but cannot log in
  • To lock a user: select user, then click Actions > Lock
Deactivate
  • Intended to remove a user’s access permanently
  • Cannot be added to projects or events because the user is not displayed to users
  • To deactivate a user: select user, then click Actions > Deactivate
Activate
  • Activated users can be seen by other users in the UI
  • To reactivate a user: select user, then click Actions > Activate

When users are locked, they’re still visible to other users. For example, a locked internal user can still be added to a project team by a colleague. A locked supplier can still be invited to participate in a sourcing event. The locked user just won’t be able to log in.

A deactivated user cannot be seen by other users. The deactivated user’s ID will not appear in any participant search results by end-users. Only users with the Customer User Administrator permission have the ability to search for deactivated users and organizations if they choose to do so by setting the Active field to No or Either during a search.

Users and organizations can only be deactivated. They cannot be deleted or removed from the site. Likewise, once a User ID is created, it cannot be used again, even if the user is deactivated, so be sure when creating users that the User ID has been entered as desired.

Generate Password for User

The step-by-step process to generate password for user is displayed.

You can generate passwords for multiple users at once, including users who already have a password and those who haven’t received one yet. The system will send the appropriate type of email (reset password vs. invitation email with initial password) to each user.

If your organization uses single sign-on (SSO), this reset password option will give an error indicating that you are using a corporate authenticator. This means that SAP Ariba doesn't actually manage the passwords since they are maintained by your corporate network. Passwords for customers with SSO can be reset by your IT department or whichever department is responsible for giving you access to your corporate system.

New User
  • SAP Ariba sends invitation email with an initial password.
  • User will log in for first time to change their password.
Existing User
  • SAP Ariba sends password reset email to the user.
  • It usually happens if user is locked out or forgets their password.

Password Rules

  • Case-sensitive
  • Must be between 12 and 32 characters long
  • Can include any Latin characters, special characters, and numerals
  • Must include at least one numeral between the first and last character, one lowercase letter, one uppercase letter, and one special character
  • Example: Go2Sapariba#
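
The rules above can be checked before a password is handed to a user or a script. This is an added example, not SAP Ariba code; the function name is hypothetical, and it assumes letters are ASCII a-z/A-Z and special characters are ASCII punctuation, since the page does not enumerate the accepted sets.

```python
import string

MIN_LEN, MAX_LEN = 12, 32
# Assumption: "special character" is read as ASCII punctuation.
SPECIALS = set(string.punctuation)


def password_rule_failures(password):
    """Return the rules a candidate password breaks (empty list if it passes)."""
    failures = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        failures.append("length")
    if not any(c in string.ascii_lowercase for c in password):
        failures.append("lowercase")
    if not any(c in string.ascii_uppercase for c in password):
        failures.append("uppercase")
    if not any(c in SPECIALS for c in password):
        failures.append("special")
    # The numeral must sit between the first and last character,
    # so a digit only in the first or last position does not count.
    if not any(c in string.digits for c in password[1:-1]):
        failures.append("interior numeral")
    return failures


def check_all(candidates):
    """Map each candidate onto its list of broken rules."""
    return {candidate: password_rule_failures(candidate) for candidate in candidates}


# Constructed candidates: the page's example plus variants that each break one rule.
SAMPLES = [
    "Go2Sapariba#",   # the example from the page
    "GoSaparibaX#2",  # only numeral is the last character
    "2GoSapariba#X",  # only numeral is the first character
    "go2sapariba#",   # no uppercase letter
    "Go2Sap#",        # too short
]

if __name__ == "__main__":
    for candidate, failures in check_all(SAMPLES).items():
        print(candidate, "OK" if not failures else failures)
```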

When you receive an email with a link to reset your password, note that this link will only work once. If you use this link to try to login to the site after changing your password, you will be told that the username/password are incorrect. This is because that link is embedded with a temporary password that allows you to login and change your password. Once you use the link and create your new password, that temporary password embedded in the link is no longer associated with your User ID.

If you’d like to save the link to the site as a favorite, you can click the link to reset your password and then, once the password is reset, close that page and go directly to the login page. The format of a login page is customersitename.sourcing.ariba.com. The customer site name is the URL that your organization has determined. Once you arrive at this login page, you can save it as a favorite. This link will not be associated with a password or have an embedded password in the link, so it will recognize your new password when you try to log in the next time.

Best Practices for Users

  • Common system groups can have licensing implications.
  • Certain groups grant permissions in multiple applications and their permissions cannot be segregated by application. Those groups include:
    • Contract Administrator
    • Contract Agent
    • Contract Manager
    • Customer Administrator
    • Customer Dashboard Admin
    • Customer User Admin
    • Procurement Agent
    • Senior Analyst
    • Supplier Manager
  • It is recommended that clients use their corporate network IDs when setting up Enterprise Users in SAP Ariba, but clients will sometimes choose other IDs.
    • The user ID becomes important during suite integration if the client is also implementing SSO or remote authentication.

User License Impact: Customer Admin system permission can take up 3 user licenses. If your organization subscribes to SAP Strategic Sourcing, SAP Ariba Contracts, and SAP Ariba Supplier Information and Performance Management, any user assigned to the Customer Administrator permission will take up a user license for all three of those solutions. This applies to all of the groups listed in the slide above, so use caution when assigning these particular permissions and ensure the users that have them really need them.

It is recommended when creating new users to ensure that their User ID in SAP Ariba matches their corporate login information. Single sign-on (SSO) does not use SAP Ariba to authenticate users. This means SAP Ariba does not have the username and password information to be validated for correctness and grant access into the site. Instead, remote authentication is used and in order to gain access to SAP Ariba, the User ID created within SAP Ariba needs to match what is on your corporate network in order to be authenticated and granted access into the site.

Since User IDs can’t be edited after they are created, it’s recommended that you create them initially as the corporate login information. This way, should your organization decide to implement SSO in the future, it prevents the need for having to replace their original User ID with the new User ID created in SAP Ariba that matches the corporate network User ID.

More information on SSO is available by searching Connect and in the Help menu of your SAP Ariba site.
