Implementing Basic User Administration for On-Premise/Private Cloud

Objective

After completing this lesson, you will be able to implement user administration in SAP Application Server ABAP (AS ABAP).

User Administration Basics

This lesson deals exclusively with SAP users who log on to a client of an ABAP-based SAP system, for example an on-premise installation or the SAP private cloud edition.

The concepts of user master record and authorization are essential to understanding SAP systems. In this lesson, you will learn the user master record concept; in the next lesson, you will tackle the authorization concept.

Diagram showing the architecture of an SAP system. The Front End (SAP GUI) interacts with the Application Server (Dispatcher, D, D, B, ...), which in turn communicates with the Database Server.

Note

In an SAP environment, the term user usually means user ID.

Operating systems, databases, and SAP systems usually have different authorization concepts, but all of them authenticate users with a username/password combination.

An SAP user is a record in the database of the SAP system, not an account on the operating system of the host. Creating a username and password combination in an SAP system therefore does not allow you to log on to the host's operating system with that combination. An administrator can create separate accounts with identical usernames and passwords for the SAP system and the operating system, but they remain independent accounts, and a password disclosed on one side then compromises the other as well.

Create a User Master Record for a Business User

You can use the SAP Fiori app Maintain Employees to create a business partner of type Employee. The employee is assigned an Employee ID and a User ID. To begin, open the SAP Fiori app Maintain Employees and choose Create. Then create an employee with an Employee ID and a User ID.

Three screenshots depicting the process of maintaining employee records. The left shows a Maintain Employees module, the center has an Employees section with a Create button, and the right has an Employee Data form.

Then you create a user for this User ID in SU01. To create the SU01 user, start transaction SU01, enter the User ID in the User field, and choose Create User. The Maintain Users screen indicates that this is a user with a business partner assignment.

Note

If HCM integration is active, an employee must be created in HCM.

Users and Authorizations

Authorization protection is performed at two levels:

  • When a transaction is started: the system checks whether the user may start the transaction at all (authorization object S_TCODE).
  • During the transaction: the program code checks whether the user may perform the requested actions on the requested data (application-specific authorization objects).

You can log on to a client of an SAP system if you know the username and password of a user master record and if the user type is authorized for the logon type. For example, logging on with a communication or system user in dialog mode (SAP GUI) is not possible.

In an SAP system, an authorization check is performed every time a transaction is started. If you attempt to start a transaction for which you are not authorized, the system rejects the transaction start (you remain logged on) and displays an appropriate error message.

If you start a transaction for which you have authorization, the system displays the initial screen of this transaction. Depending on the transaction called, you enter data and perform actions on this screen. Further authorization checks in the program code protect the data and actions; passing the transaction start check alone does not mean that every action within the transaction is permitted.
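The two levels described above, seen from the program code. This is an added example written for this page, not code from SAP or from the course material. Transaction FB03, authorization object S_TCODE (field TCD) and the FI authorization object F_BKPF_BUK (fields BUKRS and ACTVT) are SAP standard; the report name and the default company code are assumptions for this example.

```abap
REPORT zadm940_authcheck_demo.

" Added example: the two levels of authorization protection.
" Report name and the default value of p_bukrs are assumptions.
PARAMETERS p_bukrs TYPE bukrs DEFAULT '1000'.

DATA lv_text TYPE string.

START-OF-SELECTION.

  " Level 1: transaction start. The kernel performs this S_TCODE check
  " itself whenever a transaction is started; it is repeated here only to
  " show what is checked. Field TCD holds the transaction code.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
    ID 'TCD' FIELD 'FB03'.
  IF sy-subrc <> 0.
    MESSAGE 'You are not authorized to use transaction FB03' TYPE 'E'.
  ENDIF.

  " Level 2: inside the transaction. The system does NOT do this for you;
  " the program must check the object that protects the data it is about
  " to display. Activity 03 = display.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD '03'.

  CASE sy-subrc.
    WHEN 0.
      WRITE: / 'Display of documents in company code', p_bukrs, 'is allowed.'.
    WHEN 4.
      " The user holds the object, but not with these field values
      " (for example, authorized for company code 2000 only).
      lv_text = |No authorization to display company code { p_bukrs }|.
      MESSAGE lv_text TYPE 'E'.
    WHEN 12.
      " The object is missing from the user master record altogether.
      MESSAGE 'Authorization object F_BKPF_BUK is not assigned to your user' TYPE 'E'.
    WHEN OTHERS.
      " 8, 16, 24, ...: too many ID/FIELD pairs, no profile, wrong field names.
      lv_text = |Authorization check failed with return code { sy-subrc }|.
      MESSAGE lv_text TYPE 'E'.
  ENDCASE.
```

The practical point is the second check: a user who passes the S_TCODE check for FB03 still sees only the company codes for which F_BKPF_BUK is maintained in one of their profiles, and custom programs that omit such a check expose data to every user who can reach the transaction.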

Diagram showing how user actions are checked against authorizations in a system. User Master Records containing roles and profiles are verified through Authorization Checks for transaction permissions and assignments.

User Master Record Maintenance

Authorizations are assigned to the user based on the security role(s) maintained in the user’s master record in transaction SU01. Authorizations are contained in profiles that are associated with specific role definitions.

Two screenshots labeled SU01: Create User. The first is User Maintenance: Initial Screen. The second shows the Maintain Users window for user ADM940-BU, with fields for name, title, and language.


Diagram illustrating the structure of a User Master Record, including Address, Logon Data, SNC, Defaults, Parameters, Groups, Personalization, License Data, Profiles, and associated Roles and Authorizations.

To start user maintenance (transaction SU01), choose Tools → Administration → User Maintenance → Users in the SAP menu (transaction S000).

You can create a new user master record from scratch or by copying an existing one. The user master record contains all the data and settings required to log on to an SAP system client.

The user master record data is divided into the following tab pages:

  • Address: This tab page contains all the address-related data.
  • Logon Data: This tab page contains the password, the validity period of the user, the user type, the user group for the authorization check, and the assigned security policy. For further information about the password rules for particular users, see SAP Note 622464.
  • Secure Network Communications (SNC): This tab page contains the SNC name under which the user logs on with an external security product. SNC is prepared in SAP systems but the security functions themselves are provided by the external product. Note the usage regulations for the country where you want to use this function.
  • Defaults: This tab page displays the default values, such as the default printer and the logon language.
  • Parameters: This tab page displays the user-specific values for standard fields in SAP systems.
  • Roles and Profiles: This tab page displays the roles and profiles assigned to the user.
  • Groups: This tab page groups users for mass maintenance.
  • Personalization: This tab page is used for applying personal settings. Some transactions require personal settings that affect the appearance of a particular transaction code. These settings can be stored (prepopulated) on this tab page using personalization objects.
  • License Data: This tab page is used to specify the contractual user type of the user. The license data is required for system measurement.

When creating a user, you must maintain at least the following input fields:

  • Last name on the Address tab page.
  • Initial password and identical password repetition on the Logon Data tab page.

User Type

In transaction SU01, a user type is assigned to each user on the Logon Data tab page. The user type does not grant authorizations (roles and profiles do); it determines how the user may log on, whether multiple logons are allowed, and how the password rules are applied. The user types are:

  • Dialog user (type A): The standard user type for individual, interactive access with SAP GUI. Dialog users log on in dialog mode and perform transactions; they must change initial or expired passwords, and multiple logons are checked.
  • System user (type B): Used for background processing and internal system-to-system communication (RFC). Dialog logon is not possible. The password is not subject to the expiration rules and can be changed only by a user administrator in SU01.
  • Service user (type S): A shared user for a larger, anonymous group of users, for example for web access. Dialog logon is possible, multiple logons are allowed, and the password is not subject to the expiration rules. Assign only the minimal authorizations required.
  • Reference user (type L): A non-person user that cannot log on at all. It exists only to give other users additional authorizations: it is entered on the Roles tab page of those users, and its authorizations apply to them in addition to their own.
  • Communication user (type C): Used for dialog-free communication between systems (external RFC or HTTP calls). Dialog logon is not possible and the password cannot be changed interactively.

A table listing user types, whether they can interact (SAP GUI/ICF), and whether the password can be changed interactively: Dialog and Service users can; System and Communication users cannot.

User Group

In SU01, user groups are a way to group users with similar characteristics or roles. They are used to distribute user maintenance among several user administrators or to maintain user data in mass.

A user group for the authorization check is required to divide user maintenance among several user administrators. Only an administrator whose authorization (object S_USER_GRP) covers this group can maintain the users of this group.

If you leave the field empty, the user is not assigned to any group. This means that any user administrator who is allowed to maintain all groups can maintain the user. This assignment is part of the Logon Data in the user master record.

For mass maintenance of user data (transaction SU10), you can assign users to user groups on the Groups tab page. Assignments you make on the Groups tab page are not used for the authorization check that is based on the User Group field on the Logon Data tab page. They are purely a grouping that is suitable for mass maintenance.

User groups can be created in the transaction Maintain User Groups (SUGR).
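A small audit of the Logon Data fields discussed in the User Type and User Group sections, read directly from the user master table USR02 of the current client. This is an added example written for this page, not SAP code or part of the course. The table and column names used (USR02 with BNAME, USTYP, CLASS, GLTGB, UFLAG) are SAP standard; the report name and the two findings it raises are this example's own choices.

```abap
REPORT zadm940_user_master_audit.

" Added example: audit of user type, user group and validity in USR02.
" Columns used (SAP standard):
"   BNAME  user ID
"   USTYP  user type: A dialog, B system, C communication, S service, L reference
"   CLASS  user group for the authorization check (Logon Data tab)
"   GLTGB  valid-to date (Logon Data tab)
"   UFLAG  lock status, 0 = not locked
" USR02 also holds the password hashes; only non-secret columns are read here,
" and the report itself should be protected like any user administration tool.

TYPES: BEGIN OF ty_finding,
         bname   TYPE usr02-bname,
         ustyp   TYPE usr02-ustyp,
         finding TYPE string,
       END OF ty_finding.

DATA lt_findings TYPE STANDARD TABLE OF ty_finding WITH EMPTY KEY.

START-OF-SELECTION.

  " Overview: how many users of each type exist in this client.
  SELECT ustyp, COUNT( * ) AS cnt
    FROM usr02
    GROUP BY ustyp
    INTO TABLE @DATA(lt_counts).

  SELECT bname, ustyp, class, gltgb, uflag
    FROM usr02
    INTO TABLE @DATA(lt_users).

  LOOP AT lt_users INTO DATA(ls_user).

    " Finding 1: no user group for the authorization check. Such a user
    " can be maintained by every administrator whose S_USER_GRP covers
    " all groups, so the intended split of user administration does not apply.
    IF ls_user-class IS INITIAL.
      APPEND VALUE #( bname   = ls_user-bname
                      ustyp   = ls_user-ustyp
                      finding = 'No user group for authorization check' )
        TO lt_findings.
    ENDIF.

    " Finding 2: validity period has ended but the user is not locked.
    " The logon is refused anyway, but an unlocked expired user is silently
    " reactivated if somebody extends the valid-to date.
    IF ls_user-gltgb IS NOT INITIAL AND ls_user-gltgb < sy-datum
       AND ls_user-uflag = 0.
      APPEND VALUE #( bname   = ls_user-bname
                      ustyp   = ls_user-ustyp
                      finding = 'Validity period ended, user not locked' )
        TO lt_findings.
    ENDIF.

  ENDLOOP.

  WRITE: / 'Users per type (A dialog, B system, C communication, S service, L reference)'.
  LOOP AT lt_counts INTO DATA(ls_count).
    WRITE: / ls_count-ustyp, ls_count-cnt.
  ENDLOOP.

  SKIP.
  WRITE: / 'Findings:'.
  LOOP AT lt_findings INTO DATA(ls_finding).
    WRITE: / ls_finding-bname, ls_finding-ustyp, ls_finding-finding.
  ENDLOOP.
```

Run the report in each client that holds productive users; a long list under finding 1 usually means user groups were never rolled out, and in that case every administrator with S_USER_GRP for all groups can change the password of every user, including the system and communication users.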

Security Policy

Sometimes a user or group of users requires a different logon and password policy than the default values configured at the system level. For example, powerful users such as administrators should have stronger password rules than standard users: they are forced to change their passwords more often or must follow more complex rules. However, applying such requirements to all standard users increases the number of helpdesk requests.

Under these circumstances, a security policy (defined in transaction SECPOL) can be assigned to the master records of a user or group of users on the Logon Data tab page. Users without an assigned policy are subject to the standard security policy of the system.

How to Maintain a User

In the next exercise you will learn how to maintain a user.

Summary

You are now able to implement user administration in SAP Application Server ABAP (AS ABAP).
