Documente Academic
Documente Profesional
Documente Cultură
Use
With these functions, we can assign user data and access authorizations to the users of our
ABAP system.
Note:
The changes that we make to user master records only take effect when the user next logs on
to the system. If a user is logged on at the time when the system administrator implements the
changes, these will only take effect when the user logs on to their next session.
We can also change a users authorizations by changing and then reactivating profiles and
authorizations within the user master record. Changes to reactivated authorizations have
immediate effect. Changes to profiles, on the other hand, only take effect at the users next
logon.
Prerequisites
We have the following authorizations as the user administrator:
Authorization to create or edit a user master record and to assign it to a user group
(object S_USER_GRP)
Authorization to protect roles, we can use this authorization object to determine which
roles may be processed and which activities (Create, Display, Change, and so on) are
available for the role(s) (object S_USER_AGR).
Authorization for transactions that we may assign to the role and for which we can
assign authorizations at the start of the transaction in the Profile Generator (object
S_USER_TCD)
Authorization to restrict the values which a system administrator can insert or change in
a role in the Profile generator (S_USER_VAL)
Organizing Authorization Administration
The authorization system allows us great flexibility in organizing and authorizing the
administration of user master records and roles:
If our company is small and centralized, we can have all administration of user master
records and authorization components executed by a single super user.
Protecting Special Users
Clients 000, 001 and 066 are created when our SAP System is installed. Two special users are
defined in clients 000 and 001. Since these users have standard names and standard
passwords, we must secure them against unauthorized use by outsiders who know of their
existence.
Note that no special user is created in client 066.
The two special users in the SAP System are as follows:
The maintenance user for the ABAP Dictionary and software logistics, user DDIC.
The user master record for user DDIC is automatically created in clients 000 and 001 when
we install our SAP System. The default password for this user is 19920706. The system code
allows user DDIC special privileges for certain operations. For example, DDIC is the only
user that is allowed to log on to the SAP System during an upgrade.
To secure DDIC against unauthorized use, we must change the initial password for the user in
clients 000 and 001 in our R/3 System.
The user EarlyWatch is delivered in client 066 and is protected using the password
SUPPORT. The SAP EarlyWatch experts use this user which should not be deleted. Change
the password. This user should only be used for EarlyWatch functions (monitoring and
performance).
Securing User SAP* Against Misuse
The SAP system has a default super user, SAP*, in the clients 000 and 001. A user master
record is defined for SAP* when the system is installed. However, SAP* is programmed in
the system and does not require a user master record.
If we delete the SAP* user master record and log on again as SAP* with initial password
PASS, then SAP* has the following attributes:
The user is not subject to authorization checks and therefore has all authorizations.
Create a user master record for SAP* in all new clients and in client 066.
Delete all profiles from the SAP* profile list so that it has no authorizations.
Ensure that SAP* is assigned to the user group SUPER to prevent accidental deletion
or modification of the user master record.
The SUPER user group has a special status in the predefined user profiles. The users that are
assigned to group SUPER can be maintained or deleted only by the new super user that we
define, provided that:
SAP_NEW assures upward compatibility of authorizations. The profile ensures that users are
not inconvenienced when a release or update includes new authorization checks for functions
that were previously unprotected.
Protecting User DDIC Against Unauthorized Access
User DDIC is a user with special privileges in installation, software logistics, and the ABAP
Dictionary. The user master record is created in clients 000 and 001 when we install our R/3
System.
We should secure the DDIC user against misuse by changing DDICs initial password
19920706 in clients 000 and 001.
User DDIC is required for certain installation and setup tasks in the system, so we should not
delete it.
Depending on the size and organization of our company, we should, however, distribute
the administration of user master records and authorizations among multiple administrators,
each with limited areas of responsibility. This applies in particular in a decentralized
environment, in which different time zones might apply. This also helps to achieve maximum
system security.
Each administrator should only be able to perform certain tasks. By separating these tasks, we
make sure that no single super user has total control over our user authorizations. We also
make sure that more than one person approves all authorizations and profiles. In addition,
define standard procedures for creating and assigning our authorizations.
Since we can precisely restrict authorizations for user and authorization administration, the
administrators do not have to be privileged users in our data processing organization. We can
assign user and authorization administration to ordinary users.
Note:
We use the role administration tools and functions (transaction PFCG) to maintain our roles,
authorizations and profiles. These functions make our job easier by automating certain
processes and providing more flexibility in our authorization plan. We can also use the
Central User Administration functions to centrally edit the roles delivered by SAP or our
own, new roles, and to assign the roles to any number of users.
In Organization if We Are Using the Role Administration Tool
If we are using the role administration tool (the profile generator), we can distribute the
administration tasks within an area (such as a department, cost center, or other organizational
unit) to the following administrator types:
Authorization profile administrator, who checks and approves the data, and generates
the authorization profile, to do this, he or she choose All Roles in transaction
SUPC or PFCG, and then specifies the abbreviation of the role to be edited. On the
following screen, he or she checks the data by choosing Display Profile.
User administrator, who edits the user data with the user administration transaction
(SU01) and assigns roles to the users, this enters the approved profiles in the master
records of the users.
These administrators of one or more areas are administered by super users who set up
their user master records, profiles, and authorizations. We recommend that we assign
the super user, the user administrator, and the authorization administrator the SUPER
group. If we use the pre-defined user administration authorizations, this group
assignment makes sure that user administrators cannot modify their own user master
records or those of other administrators. Only administrators with the pre-defined
profile S_A.SYSTEM can edit users in the group SUPER.
The table in the section Setting Up User and Authorization Administrators shows the tasks
that we should assign to individual administrators, tasks that we should not assign, and the
templates that we have predefined for these tasks.
Setting Up User and Authorization Administrators
Use
If we have organized our user administration in a decentralized manner, in which we have
distributed the user administration tasks among multiple administrators, we must create these
administrators as normal SAP users or assign these tasks to existing users.
The table below shows the tasks that we should assign to individual administrators, tasks that
we should not assign, and the templates and roles that we have predefined for these tasks. A
role is only available for the user administrator. This has the advantage over a template that
the administrator receives a menu that contains all of the important functions for his or her
work.
Organization of the User Administrators when using the Role Administration Tool
Administrator
User Administrator
Authorization Data
Administrator
Authorization
Profile
Administrator
Permitted Tasks
Creating and
changing user
master records
Impermissible Tasks
Changing role data
Assigning roles to
users
Assigning profiles
beginning with
"T_......." to users
Displaying
authorizations and
profiles
Using the User
Information System
Creating and
changing roles
Changing
authorization data
and transaction
selection in roles
Using the User
Information System
Displaying roles and
the associated data
Changing or
generating profiles
Using transaction
PFCG or SUPC to
generate the
authorizations and
profiles that begin
Changing users
SAP_ADM_AU
Generating profiles
Changing users
SAP_ADM_PR
Generating
authorization
profiles with
authorization
objects that begin
with S_USER
Performing a user
master comparison
(transaction PFUD,
Performing a profile
comparison of the
user master
comparison)
Administrator
Authorization profile
administrator
Authorization data
administrator
User administrator
5.
The system displays the Maintain User screen. We can edit the user more here.
6. To actually create the user, save our entries.
Note:
When we are copying a user, the reference user of the copy source is always copied too, as
long as we have sufficient authorizations to assign the roles or profiles of the reference user.
If we do not want the reference user to be assigned to the new user, we must manually delete
it from the user master record after the copy process.
Errors that occur during the authorization checks are collected and displayed in a log.
For information about authorization checks for the assignment of reference users, see
SAP Note 513694.
Business Address Services (BC-SRV-ADR) Purpose
Business Address Services (BAS) offer functions for managing addresses in applications.
We can store and further process addresses, using different address types. An address is
subordinate to an associated application object (such as a customer, a purchase order, or a
plant).
Implementation Considerations
The BAS provide flexible dialog integration for standard functions such as creating,
changing, displaying and finding addresses. In this way, the BAS guide users through
different applications when they maintain addresses.
BAS function modules enable the application to store addresses for the associated application
object in BAS tables. These tables contain the addresses of all applications that use the BAS
in a system. Functions and data storage in address management are central with regard to a
client in a system.
Integration
The BAS are already used by a broad range of applications, including, for example:
Bank addresses
User addresses
Together with the address, we can enter data for all common communication methods
(for example, telephone number, fax number, e-mail address, and so on).
Checks against city and street directories are performed using interfaces (for example,
for partner solutions) or as a function in the standard system (city and street files are
delivered without content and can be filled by means of transfer programs).
A duplicate check and an error-tolerant search are performed using interfaces, which
can be validated, for third-party vendors.
Functions are provided for using addresses in combination with other tools (see
Integration).
Integration into the Application
Three address types are available to map addresses from the application onto BAS
data structures: Company addresses, personal addresses, and workplace addresses
It is also possible to maintain address-independent communication data. For more
information, see Address-Independent Communication Data.
Dialogs for maintaining addresses can be integrated flexibly into the application (as a
dialog box, sub screen, or full screen). We can parameterize the screens to hide fields
or to define required fields, for example.
Address used
for
Example
Master data
Customer,
vendor
Customizing
objects
Plant, sales
organization
System user
System user
Constraints
The functions of Business Address Services are system-dependent. However, we can use the
tools and methods mentioned above to transport and distribute addresses.
Time-dependent addresses (which are valid for a limited period only, such as the vacation
address of a newspaper subscriber) are currently not supported.
BOR
Definition
The Business Object Repository (BOR) is the object-oriented repository in the R/3 System. It
contains the SAP business object types and SAP interface types as well as their components,
such as methods, attributes and events.
BAPIs are defined as methods of SAP business object types (or SAP interface types) in the
BOR. Thus defined, the BAPIs become standard with full stability guarantees as regards their
content and interface.
SAP
Use
The BOR has the following functions for SAP business object types and their BAPIs:
Arranges the various interfaces in accordance with the component hierarchy, enabling
functions to be searched and retrieved quickly and simply.
This finds the functionality searched for quickly and simply.
BAPIs can be called within the R/3 System from external application systems and other
programs. BAPIs are the communication standard for business applications. BAPI interface
technology forms the basis for the following developments:
Connecting:
New R/3 components, for example, Advanced Planner and Optimizer (APO) and
Business Information Warehouse (BW).
Non-SAP software
Legacy systems
Isolating components within the R/3 System in the context of Business Framework
PC programs as frontends to the R/3 System, for example, Visual Basic (Microsoft) or
Visual Age for Java (IBM).
For further background information on BAPIs refer to the document BAPI User Guide.
API Documentation
If we are working in the Developer Studio, the corresponding Java doc is directly available
under the Reference API Documentation node from within the Java Development
Manual structure.
Otherwise, if we access this documentation using the Help Portal without having installed the
Developer Studio, we can use selected versions of Java doc made available in the SAP
Developer Network (SDN).
Start menu
The user can specify the name of an area menu from the possible entries help in this field.
The SAP Menu then only contains the components of this area menu.
A user needs the credit management transactions for his or her daily work. If the start menu in
his or her user data is FRMN, the SAP Menu only displays the credit management
transactions.
The system-wide initial menu can be specified in the transaction SSM2.
Logon language
The default system language at logon. Users can however choose another language on the
logon screen
Output device
Spool control
Personal time zone (different from the company time zone on the Address tab page,
crucial with RFC)
Date format
Parameter: Enter the parameter ID for which we want to define a default value. We can
display all of the parameter IDs defined in the system by choosing F4.
Value: Enter the default value for the parameter.
Transaction Variants and Screen Variants
Whenever we use a transaction in the SAP system to process specific business transactions, it
often makes sense to adjust processing flow to mirror these business activities. This can be
done by hiding all information not pertinent to the business. More important information
should be placed in a better position.
Creating a transaction variant alters the layout of the screen. Business processes delivered by
SAP retain their integrity in any case.
Transaction variants are actually made up of a series of screen variants. The field values and
settings for each screen in the transaction variant are stored in a screen variant.
We can create as many variants of a specific transaction as we like. These variants are started
by entering a transaction code that we have selected. We system administrator can assign our
transaction codes to user menus. This allows the users in the departments that use our
transaction to call the transaction directly. For more information, refer to the section entitled
Creating Roles.
The functions of the transactions variants are supplemented by the integration of the tool
GuiXT. Transactions can be enhanced using graphics, texts, and HTML pages. Screen fields
can also be moved around on the screen, and important new menu functions can be added to
the user interface or application toolbar in the form of pushbuttons.
More information:
Transaction Variants
Variant Transactions, Setting Transaction Variants
Creating and Maintaining Variant Groups
Screen Variants
Table Control Layout in Variants
Transaction Variants and Screen Variants: Limitations
Transaction Variants and Screen Variants: Special Features
GuiXT
More information about the tab pages for user administration:
Logon Data Tab Page
When we create a user, it is only mandatory to fill out the Initial Password field on the Logon
Data tab page. All other entries on this screen are optional. The fields are described in detail
below.
Alias
We can assign an alias of up to 40 characters to a user to specify more memorable names.
Depending on the programming of the application, the user can then log on using either the
(12 character) user name or the alias.
If an external user sets up a user account for himself or herself in the Internet, he or she
automatically uses an alias instead of a user name to do this. The SAP system then creates a
new user master record with this alias and an automatically generated 12 character user name.
The user then reports, for example, password problems using his or her alias instead of the
technical user name, which is unknown to the user. The system administration determines the
correct user master record in the SAP system using the alias.
Initial Password
We have the following options when assigning initial passwords:
Enter the password manually and repeat it in the Repeat Password field to avoid
typographical errors.
This means that the user can no longer log on using a password, but only with Single Sign-On
variants (X.509 certificate, logon ticket). This is useful if we do not require password-based
logon because logon is performed exclusively in other ways (such as using logon tickets, see
SAP Note 177895). In this case, deactivating the password increases security, as passwords
that are not used are usually still initial.
Although the deactivation of passwords cannot be made retrospectively (looking backward),
the administrator can define a new initial password at any time.
The deactivation of the password on the Logon Data tab page refers to the local system. If
Central User Administration is in use, we can change or deactivate passwords systemspecifically in user maintenance.
More Information:
Password Rules
Notes
We can change this with profile parameter
login/min_password_lng.
Predefined in SAP system
At least one character in the new We can change this with profile parameter
password must be different from login/min_password_diff.
the old password.
As of SAP Web AS 6.10, the
administrator can specify the
minimum number of characters
that must be different in the old
and new passwords in a profile
parameter.
The password must comply with We can activate this with the profile parameter
the current password rules and
login/password_compliance_to_current_policy.
must be changed if it does not.
Until SAP NetWeaver 6.40
(inclusive), changed password
rules did not apply to old
password, but were only
evaluated when passwords were
changed.
A productive password (chosen
We can change this with the profile parameter
by the user) is valid for a
login/password_max_idle_productive.
maximum of x days, if it is not
used.
Available after SAP NetWeaver
6.40.
An initial password (set by the
We can change this with the profile parameter
user administrator) is valid for a
login/password_max_idle_initial.
maximum of x days, if it is not
used. After this period has
expired, the password can no
longer be used for authentication.
The user administrator can
reactivate password-based logon
by assigning a new initial
password.
Available after SAP NetWeaver
6.40.
As of SAP Web AS 6.10, the function module PASSWORD_FORMAL_CHECK can
determine whether a string meets the current password rules. The following rules are not
evaluated here:
The password can only be changed after the old password has been entered correctly.
At least x characters in the new password must be different from the old password.
For an exact description of the sequence and the scope of the check, see the documentation
for the function module. We can display this documentation with transaction SE37.
Profile Parameters for Logon and Password (Login Parameters)
The following table presents the profile parameters with which we can set password and
logon rules. These profile parameters define the minimum requirements for passwords, for
example, that the password must contain at least three special characters. We cannot set upper
limits for password rules. For example, in accordance with the usual password rules, the users
can enter any number of special characters. For information about the procedure for changing
profile parameters, see Changing and Switching Profile Parameters.
To make the parameters globally effective in an SAP system (system profile parameters), set
them in the default system profile DEFAULT.PFL. However, to make them instance-specific,
we must set them in the profiles of each application server in our SAP system.
To display the documentation for one of the parameters, choose Tools CCMS
Configuration Profile Maintenance (transaction RZ10), specify the parameter name, and
choose Display. On the following screen, choose the Documentation pushbutton.
Password Rules
Parameter
login/min_password_lng
login/min_password_digits
login/min_password_letters
login/min_password_lowercase
login/min_password_uppercase
login/min_password_specials
Explanation
Defines the minimum length of the
password.
Default value: 6; permissible values: 3
40
Until SAP NetWeaver 6.40 (inclusive),
up to 8 characters.
Defines the minimum number of digits
(0-9) in passwords.
Default value: 0; permissible values: 0
40
Available as of SAP Web AS 6.10 (Until
SAP NetWeaver 6.40 (inclusive), up to 8
characters.)
Defines the minimum number of letters
(A-Z) in passwords.
Default value: 0; permissible values: 0
40
Available as of SAP Web AS 6.10 (Until
SAP NetWeaver 6.40 (inclusive), up to 8
characters.)
Specifies how many characters in lowercase letters a password must contain.
Permissible values: 0 40; default value
0
Available after SAP NetWeaver 6.40
Specifies how many characters in uppercase letters a password must contain.
Permissible values: 0 40; default value
0
Available after SAP NetWeaver 6.40
Defines the minimum number of special
characters in the password Permissible
special characters are, in particular, !"@
$%&/()=?'`*+~#-_.,;:{[]}\<>| and space
and the grave accent.
After SAP NetWeaver 6.40, all
characters that are not letters or digits
are regarded as special characters.
login/password_charset
Password Logon
login/password_compliance_to_current_policy Permissible values: 0 no check; 1 the
system checks during password logon
whether the current password complies
with the current password rules and
forces a password change if this is not
login/disable_password_logon
login/password_logon_usergroup
login/password_max_idle_productive
login/password_max_idle_initial
login/password_max_new_valid
login/password_max_reset_valid
the case.
Default value: 0
Available after SAP NetWeaver 6.40
Controls the deactivation of passwordbased logon
This means that the user can no longer
log on using a password, but only with
Single Sign-On variants (X.509
certificate, logon ticket). More
information: Logon Data Tab Page
Available as of SAP Web AS 6.10, as of
SAP Basis 4.6 by Support Package
Controls the deactivation of passwordbased logon for user groups
Available as of SAP Web AS 6.10, as of
SAP Basis 4.6 by Support Package
Specifies the maximum period for which
a productive password (a password
chosen by the user) remains valid if it is
not used. After this period has expired,
the password can no longer be used for
authentication. The user administrator
can reactivate password-based logon by
assigning a new initial password.
Permissible values: 0 24,000 (unit:
days); Default value 0, that is, the check
is deactivated
Available after SAP NetWeaver 6.40
Specifies the maximum period for which
an initial password (a password chosen
by the administrator) remains valid if it
is not used. After this period has expired,
the password can no longer be used for
authentication. The user administrator
can reactivate password-based logon by
assigning a new initial password.
This parameter replaces the profile
parameters
login/password_max_new_valid and
login/password_max_reset_valid.
Permissible values: 0 24,000 (unit:
days); Default value 0, that is, the check
is deactivated
Available after SAP NetWeaver 6.40
Defines the validity period of passwords
for newly created users.
Only available in SAP Web Application
Server 6.20 and 6.40.
Defines the validity period of reset
passwords.
login/password_expiration_time
login/password_change_for_SSO
login/password_history_size
login/password_change_waittime
Incorrect Logon
Parameter
login/fails_to_session_end
Explanation
Controls the deactivation of multiple dialog
logons
Available as of SAP Basis 4.6
List of excepted users, that is, the users that
are permitted to log on to the system more
than once.
Available as of SAP Basis 4.6
Explanation
Defines the number of unsuccessful logon
attempts before the system does not allow
any more logon attempts. The parameter is
to be set to a value lower than the value of
parameter login/fails_to_user_lock.
Default value: 3; permissible values: 1 -99
login/fails_to_user_lock
login/failed_user_auto_unlock
login/ticket_only_by_https
login/ticket_only_to_host
login/system_client
login/update_logon_timestamp
Other User Parameters
Parameter
rdisp/gui_auto_logout
Edit Address
Info Info System
Environment Mass
changes
Environment Archive
and read
Environment Maintain
Profiles
Environment Maintain
Authorization
Environment User
groups
Environment
Organizational Assignment
Environment Maintain
Company Address
Environment
Distribution Log
Mass Changes
With the Mass Changes function (transaction SU10), we can perform most of the changes
that we can make for individual users in user maintenance for user groups; that are certain
sets of users. This applies for Logon data, Defaults, Parameters, Roles, and Profiles.
The mass change functions apply to all of the users displayed in the initial screen unless we
make a selection.
Warning:
We must choose Change in the Address, Logon data and Constants tab pages for each change.
In this way, we can ensure that our changes, such as the deletion of a fields contents are
accepted for the corresponding fields.
Delete users
Lock/unlock users
1.
Choose Change .
2.
Change the user data. We can decide whether parameters,
roles, profiles and groups are added to or removed from the user
master records.
Choose Delete .
Choose Lock ( ) or Unlock ( ).
Note:
The users are only locked or unlocked if it is allowed in the current
system. If the system is in the Central User Administration, only
the central system may be able to lock and unlock. See Setup field
distribution parameters.
The functions of the Info and Environment menus correspond to those of user maintenance
(see User Maintenance Functions).
Mass changes log
After every mass change, the system shows who made which changes in which system at
what time.
The log contains several message levels which we can expand with a pushbutton. If a
message has a long text, we can display it with a pushbutton next to the message.
We can make certain settings for the log display under Settings and the Color legend explains
the colors used in the display.
We can print the log or save it in a PC file.
Special Features for Central User Administration (CUA).
If we use the Central User Administration, i.e. we make the mass changes from the central
system, profiles and roles are displayed system-dependently. For more information, see
Distributing users.
User Administration with Active Central User Administration
With active Central User Administration, we still use transaction SU01 to edit users; however
user administration is somewhat different:
Whether fields are ready for input or not depends on the distribution attributes that we
assigned to the field in transaction SCUM. For more information about this, see Setting
Distribution Parameters for Fields.
Only the fields that may be maintained in the system are ready for input.
We can only change a field that is to be maintained globally in the central system. This field
does not accept input in the child systems.
In the central system, the user administration transaction also displays the tab page
Systems. Here we enter the systems to which users are to be distributed. To display the
systems for the corresponding distribution model, use the possible entries help. Each time we
save, the system distributes the user data to these listed systems.
The Roles and Profiles tab pages each contain an additional column for each entry,
specifying the system for which the user is assigned the role and/or profile.
With the Text comparison from child sys. Pushbutton on the Roles and Profiles tab pages, we
can update the texts for roles/profiles that we have changed, for example, in the child
systems. The texts in the child systems are stored temporarily so that they are available in the
central system. As the comparison requires some time, it is performed asynchronously and
the current texts may not be available immediately.
We can only assign profiles to users for the systems in which they are distributed. If we enter
a new system when we assign profiles to users, the system displays a warning that the user
was assigned a new system. The entry is automatically transferred into the tab page Systems.
After this, the user master record is also distributed in the new system.
During text comparisons from child systems, the names of the generated profiles for the role
are not copied to the central system, that is, only assigned profiles are displayed on the
Profiles tab page (such as SAP_ALL or SAP_NEW), but no generated profiles of the roles.
All user master records are created in the user master records. Users can then only log onto
the central system if the central system itself is entered in Systems tab page of the
corresponding user master record.
Note:
We can display the global user data from a child system in the User Information System.
Further Information
As well as the authorizations already mentioned, we also need another authorization in the
central system for object S_USER_SYS. We can only assign new systems to a new user with
this authorization.
When a user is deleted in the central system, the system entry for the user is retained until the
deletion is confirmed. If an error occurs, we can repeat the deletion by canceling the system
(in the child system).
In the child systems, the RFC user is output as the last person to make changes. Choose an
appropriate name when we set up the RFC user.
Password Status
The Logon Data tab page and the dialog box for changing the password on the initial screen
of user administration transaction SU01 always display the status of the password.
The meaning of these displays depends on whether the system is a CUA central system with
global initial password assignment or a standalone system (or a CUA central system with an
equivalent setting in the CUA distribution parameters, such as initial password = proposal).
Standalone System
The password status corresponds to the status in the database.
The password status corresponds to the initial password to be newly assigned before saving,
since it is not possible to determine and display the individual password statuses from the
child systems.
Depending on the type of password change, the password status is changed to Password
deactivated or Initial password (set by administrator).
Possible Password Statuses
Productive password
The password was set by the user.
Password deactivated
The password has been deactivated, that is, the user can no longer log on to the system with a
password.
Special Features of Password Status for Special User Types
The password for the user types service and system can only have the status productive
password or password deactivated. When creating a reference user, it is no longer necessary
to specify a password. Since it is not possible to log on at all with a reference user, the
password is automatically deactivated for a reference user. This also applies when copying
and renaming a user of type Reference.
In addition to the user type Reference user, the system displays the message Logon not
possible. If we change any user type to a reference user, the previous password and password
status (relating to the previous user type) and always retained.
Additional Information on the Logon Data Tab Page
If a users password has not been deactivated, the Logon Data tab page displays the following
information in the first line under password, in the specified order:
If the user has been locked due to incorrect logon attempts: Password logon not possible
(too many incorrect logon attempts)
Dialog (A)
It is possible to log on using SAP GUI. The user is therefore capable of interaction
through SAP GUI.
Purpose: for individual human users (including Internet users)
System (B)
It is not possible to log on using SAP GUI. The user is therefore incapable of
interaction through SAP GUI.
The password change requirement does not apply to the passwords, that is, they cannot
be initial or expired.
Communications (C)
It is not possible to log on using SAP GUI. The user is therefore incapable of
interaction through SAP GUI.
Although the system checks whether the password has expired or is initial, the
implementation of the requirement to change the password, which exists in principle, depends
on the logon method (interactive or non-interactive).
Service (S)
Shared system access for a larger, anonymous group of users. Assign only very
restricted authorizations for this user type.
It is possible to log on using SAP GUI. The user is therefore capable of interaction
through SAP GUI.
During a log on, the system does not check whether the password has expired or is
initial.
Purpose: Anonymous system access (such as for public Web services). After an
individual authentication, an anonymous session begun with a service user can be continued
as a person-related session with a dialog user.
Reference (L)
User type for general, non-person related users that allow the assignment of additional
identical authorizations, such as for Internet users created with transactions SU01.
To assign a reference user to a dialog user, specify it when maintaining the dialog user on the
Roles tab page. In general, the application controls the assignment of reference users. This
assignment is valid for all systems in a Central User Administration (CUA) landscape. If the
assigned reference user does not exist in a CUA child system, the assignment is ignored.
We should be very cautious when creating reference users.
If we do not implement the reference user concept, we can deactivate this field in
accordance with SAP Note 330067.
We also recommend that we set the value for the Customizing switch
REF_USER_CHECK in table PRGN_CUST to "E". This means that only users of type
REFERENCE can then be assigned. Changing the Customizing switch affects only new
assignments of reference users. Existing assignments are retained.
We further recommend that we place all reference users in one particularly secure user
group to protect them from changes to assigned authorizations and deletion.
Note:
Prior to Release 4.6C, the SAP System categorized users into two basic types: dialog users
and non-dialog users (also referred to as CPIC users or background users). We recommend
using non-dialog users for communications between systems where the user ID and password
are defined in the system (for example, in RFC destinations between systems). This ensures
that no one logs on for a dialog session with this user.
We recommend assigning the appropriate user type when creating users. For example, if the
user does not need dialog access to the SAP system, define it as a system user. If the user is
an anonymous, public user that many different individuals can use, define it as a service user
and keep its authorizations to a minimum.
Valid from... and Valid to...
We define the validity period of the user master record with these fields. If we do not want to
restrict the validity, leave the fields empty.
Account Number
For each user or user group, assign an account name or number of our choice. The user
appears in the computing center accounting system (ACCOUNTING EXIT) under this
number.
A suitable account number would be the users cost center or company code, for example.
We recommend that we always enter an account name or number in the computing center
accounting system. The user will otherwise be assigned to a general category without account
number.
SNC Tab Page
This tab page is only displayed if we are using Secure Network Communications (SNC). It
contains the following fields:
SNC Name
The SNC name is the user name from SAP NetWeaver Single Sign-On or the external
security product that we copy from there and either enter in this field or in table USRACL. A
unique that is a canonical SNC Name is also generated for storage in the database.
Allow password logon for SAP GUI (user-specific)
This indicator only has an effect when secure network communication (SNC) has been
enabled and password logon over SAP GUI is allowed for specific users. For this condition to
apply, we must set the following profile parameters:
snc/enable = 1
snc/accept_insecure_gui = U
The SNC Status indicates the status of these profile parameters.
If the profile parameters are set as described above, use this indicator to determine whether
the user is forced to log on with their SNC name or not.
By default, Allow password logon for SAP GUI is not selected, meaning the user can only
log on with their SNC name, provided a mapping exists between the SNC name and the user
account.
When Allow password logon for SAP GUI is selected, the system allows the user to log on
without their SNC name, using user ID and password. If the system receives an SNC name
and a mapping exists for that user, the user can still log on securely, even if logon with
password is allowed.
See also:
SNC secures the data communication paths between the various SAP system client
and server components of the SAP system that use the SAP protocols RFC or DIAG. There
are well-known cryptographic algorithms that have been implemented by security products
supported and with SNC; we can apply these algorithms to our data for increased protection.
We can use additional security features that SAP does not directly provide (for example,
the use of smart cards).
We can change the security product at any time without affecting the SAP business
applications.
Levels of Protection
There are three levels of security protection we can apply. They are:
Authentication only
Integrity protection
Roles Tab Page
We assign authorizations for accessing the SAP System to a user on the Roles tab page.
Note:
After an upgrade or release change, we must regenerate and revise the role profiles
(generated profiles). To do this, choose Environment Installation/Upgrade (transaction
SU25).
Table
We can enter any number of roles, the validity of which we can restrict with the Valid from
and Valid to columns. If we choose input help for these columns, the system displays a
calendar in which we can select the date.
Reference User for Additional Rights
To assign additional authorizations to a user, we can also assign a reference user to it (see
Logon Data Tab Page).
Special Features if You Are Using Central User Administration (CUA).
If we are using Central User Administration with the field distribution setting Global for the
Role field (transaction SCUM), the Roles tab page in the central system has the following
special features:
The additional column System that specifies the system in which the role is valid
The additional pushbutton Text Comparison, with which we can make the profile and
role names of the child systems known to the central system
Assigning Roles
Use
Assign roles to the users in the SAP System so that they receive authorizations to execute
functions. We have the following options:
Assign the Role to Users in Role Maintenance (Transaction PFCG)
Assign the Role to Users Using the SAP Easy Access Menu.
Column System
The system also displays the column System on the Roles and Profiles tab page. It specifies
the system for which we have assigned the role or profile for each entry.
Reference user
This assignment of a reference user is valid for all systems in a CUA landscape. If the
reference user does not exist in a CUA child system, the assignment is ignored.
Never enter the generated profiles directly on the Profiles tab page, as transaction PFUD
deletes these assignments if there is no entry for them on the Roles tab page. When we assign
a role to a user on the Roles tab page, the profile generated for this role is automatically
entered on the Profiles tab page (see Assigning a Role and Comparing Profiles in the User
Master Record with Roles).
We can assign 300 authorization profiles to a user (see SAP Note 410993).
We can manually maintain profiles by choosing Tools
Administration
User Maintenance
Manual Maintenance
Edit Profiles Manually (see Creating and Maintaining Authorizations and Profiles
Manually); however, we recommend that we use the Profile Generator instead, and generate
the profiles automatically. We can enter composite profiles (a combination of several profiles)
in the user master records when manually maintaining profiles.
The SAP system contains predefined profiles, the most important of which are explained
below:
SAP_ALL: To assign all authorizations that exist in the SAP system to users, assign
the profile SAP_ALL.
Authorization Profile SAP_ALL
This composite profile contains all SAP authorizations, meaning that a user with this profile
can perform all tasks in the SAP system. We should therefore not assign this authorization
profile to any of our users. We recommend that we create only one user with this profile. We
should keep the password of this user secret (store it in a safe) and only use it in emergencies
(see also Protective Measures for SAP*).
Instead of using the SAP_ALL profile, we should distribute the authorizations it contains to
the appropriate positions. For example, instead of assigning our system administrator (or
super user) the authorization SAP_ALL, assign him or her only those that apply to system
administration, namely the S_* authorizations. These authorizations give him or her enough
rights to administer the entire SAP system, without allowing him or her to perform tasks in
other areas such as Personnel.
SAP_NEW: Composite profile to bridge the differences in releases in the case of new
or changed authorization checks for existing functions, so that our users can continue to work
as normal. This composite profile contains very extensive authorizations, as, for example,
organizational levels are assigned with the full authorization asterisk (*).
Temporarily assign either the composite profile SAP_NEW, suitably adjusted beforehand, or
the relevant single profile SAP_NEW_<Release> contained in the composite profile. We
require all single profiles between the old release and the new release. For example, if we are
upgrading from SAP R/3 4.5B to SAP R/3 4.6C, we require the following SAP_New profiles:
SAP_NEW_4.6A, SAP_NEW_4.6B and SAP_NEW_4.6C. The simplest way to make these
assignments is to delete all other single profiles from SAP_NEW and to assign SAP_NEW.
Once we have incorporated the new authorization checks in our authorization concept, delete
the SAP_NEW profile to avoid assigning authorizations that are too extensive.
Authorization Profile SAP_NEW
This composite profile contains a single profile for each release that contains the
authorizations that the users require to be able to continue using the functions that they have
used until now, but which are protected with new authorization checks. However, we should
not leave this profile active for a long period of time.
We recommend that we perform the following steps:
1. After the upgrade, delete the SAP_NEW_* profiles from the composite profile
SAP_NEW for releases before the last revision of our authorization concept.
2. Assign the composite profile SAP_NEW to all users. This means that they can
continue to use the functions that they have used until now.
3.
Distribute the authorizations contained in the SAP_NEW single profiles to the roles
or profiles that we use productively and maintain the authorization values.
4.
Delete the profile assignment for SAP_NEW and the SAP_NEW profile.
A long list of SAP_NEW profiles (for example, after multiple upgrades) indicates that it is
time to revise and redefine our authorization concept.
Note:
We must add the new authorizations to manually generated profiles
The additional column System that specifies the system in which the manually
generated profile is valid
The additional pushbutton Text Comparison, with which we can make the profile and
role names of the child systems known to the central system
The profiles generated by the assignment of roles are no longer displayed (these
profiles are only displayed in the child systems in which they are valid)
Comparing User Master Records
Use
The user master record comparison consists of three types of comparison:
as a background program (for example, with the aim of improving runtime behavior); choose
Perform User Master Comparison and the desired processing types. Then choose Save, to
schedule a variant of the program RHAUTUPD_NEW.
Composite role comparison: Start the composite role comparison if we make changes
to a composite role definition (that is, if we add or delete single roles to a composite role) or
import a change. Single-role assignments are compared with the composite role assignments
for the user. If we add single roles to the composite role, the single roles are assigned to those
users that are assigned the composite role. Conversely, if single role assignments are deleted
for the users, the single role is removed from the composite role.
Display error messages: All error messages are displayed on the screen in dialog
mode.
Replicate local HR assignments in the central system: We can only select this option
if we are in a child system of a CUA group and if organizational management is active. This
option replicates the role assignments that exist in the child system that originate through
relationships in the local organizational management model, for information in the CUA
central system. We can display these relationships in the user maintenance (transaction
SU01).
Result
Following the comparison the system displays a log that includes any errors that occurred
(background processing log for a background job).
Groups Tab Page
We assign the user to a user group on this tab page. This is purely a grouping that is suitable,
for example, for mass maintenance of user data (transaction SU10).
Assignments that we make on the Groups tab page are not used for authorization checks that
are specified on the Logon Data tab page using the User Group field.
Personalization Tab Page
On the Personalization tab page, we can make person-related settings using personalization
objects. We can call this tab page both in role maintenance and in user maintenance. The
procedure for personalization is the same.
Personalizing User or Role
1. As the Personalization tab page is available both in user and role maintenance, we have
the following options:
To change the values of a personalization object, choose Change ( ) or select the object by
double clicking it.
A dialog box for entering default values appears.
The opportunity to create personalization objects provides a framework for application
development with which user-dependent data can be easily saved for an application.
To use the framework, we must simply create a key, under which the user-dependent data is
to be saved. The data can then be stored in the application simply by calling an interface
direct to a generic data repository. We can specify if changing the data for this key should
also be performed with the user administration. To do this, the application must provide a
dialog window that can be called in the user maintenance for the personalization key.
In addition to using the generic storage of personalization data, it is possible to connect our
own tables with user-dependent data to user administration using the framework. For more
information, see Central Store for Personalization Data.
Central and child systems have a release status of at least SAP Web AS 6.20 and SAP
Note 704412 is installed
In transaction SCUM, the maintenance of the license data is set to Global (see Setting
Distribution Parameters for Fields). This is the default setting for a new installation of the
CUA.
Setting Up Field Distribution Parameters
Use
If we are using Central User Administration, we can use the distribution parameters in
transaction SCUM to determine where individual parts of a user master record are
maintained.
In the child system with automatic redistribution to the central system and the other
CUA child systems
Every input field of the user maintenance transaction SU01 has a field attribute that we set
once in the central system with transaction SCUM during Customizing. As far as possible, we
should then not change the field maintenance indicator at all.
Warning:
If we later change the distribution from Local or Proposal to Global or Redistribution, data
inconsistencies can occur.
User Master Record
Record that contains important master data for a user in the SAP system. The user master
record contains the assignment of one or more roles to the user. In this way, a user menu and
the corresponding authorizations for the activities contained in the user menu are assigned to
the user. Only users who have a user master record can log on to the system.
We must be particularly careful when removing inconsistencies, since data is lost when we
switch system-dependent parameters from local to global maintenance and then distribute the
users again. The distribution creates the central system status in all child systems. If we have
previously maintained system-dependent data, such as the user assignment of roles, this data
is unknown to the central system. This means that when we distribute the central system
entries, we overwrite the role assignments of the child system. This system-specific data is
therefore permanently lost.
To recreate data consistency after changing the field distribution parameters, proceed as
follows:
rather than locally, we must not redistribute the users. Instead, we must remove the CUA and
set it up again, so that we can copy the users and their system-specific data from the child
systems into the central system again. After completely removing the CUA and setting it up
again, the field distribution parameters are set to "global" by default. Check these settings
before we transfer the users again with transaction SCUG.
The only exception to this is the Locks tab page. We can change the indicators on this tab
page at any time without any risk.
Procedure
1.
Log on to the central system (in this example, ADM, client 070).
2.
In the Implementation Guide (IMG, transaction SALE), choose Modeling and
Implementing Business Processes Predefined ALE Business Processes CrossApplication Business Processes Central User Administration Set Distribution
Parameters for Fields (transaction SCUM).
The system displays the User Distribution Field Selection screen, with tab pages of the fields
whose distribution parameters we can set. To display additional fields, choose page down.
We can select the following options on the tab pages:
Global
We can only maintain the data in the central system. The data is
then automatically distributed to the child systems. These fields
do not accept input in the child systems, but can only be
displayed.
Note:
All other fields that are not set to global accept input both in
the central and in the child systems and are differentiated only
by a different distribution after we have saved.
Proposal
We maintain a default value in the central system that is
automatically distributed to the child systems when a user is
created. After the distribution, the data is only maintained
locally, and is not distributed again, if we change it in the
central or child system.
RetVal
We can maintain data both centrally and locally. After every
local change to the data, the change is redistributed to the
central system and distributed from there to the other child
systems.
Local
We can only maintain the data in the child system. Changes are
not distributed to other systems.
Everywhere We can maintain data both centrally and locally. However, only
changes made in the central system are distributed to other
systems, local changes in the child systems are not distributed.
3.
To maintain the other parameters, too, switch to the other tab pages. The tab pages
correspond to those of user maintenance.
4.
Save our entries.
The distribution parameters are automatically transferred to the child systems.
Locks Tab Page
We can control the distribution of lock data on this tab page, and therefore determine which
locks can be set and/or reset in which systems. When we reset locks, we must pay close
attention to the lock indicators in the user master record that can be combined in any way we
choose, and the functions available in this system, so that we can set the indicators on the
Locks tab page appropriately.
A user cannot log on to a child system of a CUA. The local administration removes the lock.
However, this removal refers only to a local lock that may exist in the user master record.
Global locks, or, if the indicator for Locked due to incorrect logons is set to global, locks due
to incorrect logon attempts, are not removed by this. Therefore, if the local administration
should be able to remove locks due to incorrect logon attempts, we must not set the indicator
for Locked due to incorrect logons to global in transaction SCUM.
To be able to unlock a user from the central system after an incorrect logon attempt or for
local locks in a child system, set the indicator everywhere for the lines Unlock incorrect.
Logon and Unlock locally.
The following functions are available in the respective systems:
Lock globally: This function is only available in the central system. The request to lock
or unlock is sent to all child systems and performed there.
Unlock globally: This function is only available in the central system. The request to
lock or unlock is sent to all child systems and performed there.
Unlock incorrect logon globally: This function is only available in the central system.
The request to lock or unlock is sent to all child systems and performed there.
Lock locally
Unlock locally: This function attempts to remove all three possible lock indicators:
Locked due to incorrect logons, global lock, and local lock.
Explanation
Controls the
removal of the
indicator Locked
due to incorrect
logons
Lock
Locally
Controls the
setting of the
locked locally
indicator
Unlock
Locally
Controls the
removal of the
locked locally
indicator
Global
Removal of the
indicator Locked
due to incorrect
logon using the
unlock globally
function is
allowed
Local
Removal of the
indicator Locked
due to incorrect
logon using the
unlock locally
function is
allowed
Setting the
indicator locked
locally using the
lock locally
function is
allowed
Removing the
indicator locked
locally using the
unlock locally
function is
Everywhere
Removal of the
indicator Locked
due to incorrect
logon using the
unlock locally
function is
allowed
Removal of the
indicator Locked
due to incorrect
logon using the
unlock globally
function is also
allowed
Removing the
indicator locked
locally using the
unlock locally
function is
allowed
Lock
Globally
Controls the
setting of the
locked globally
indicator
Unlock
globally
Controls the
removal of the
locked globally
indicator
Setting the
indicator locked
globally using the
lock globally
function is
allowed
Removal of the
locked globally
indicator using
the unlock
globally function
is allowed
allowed
Removal of the
indicator locked
locally using the
unlock globally
function is also
allowed
Removal of the
locked globally
indicator using
the unlock
globally function
is allowed
Removal of the
indicator locked
globally using the
unlock globally
function is also
allowed
We have transferred the users with all of their data (address data, license data, and so
on) from the child systems to the central system (see Transferring Users from New Systems)
Transferring Users from New Systems
Use
If we include a new system in the distribution model selected, we must make sure that the
user master records in the new system are transferred to the central system.
Prerequisites
We have synchronized the company addresses.
Procedure
1.
Log on to the central system (in this example, ADMCLNT070).
2.
In the Implementation Guide (IMG, transaction SALE), choose Modeling and
Implementing Business Processes Predefined ALE Business Processes Central
User Administration Transfer Users from New Systems (transaction SCUG).
The system displays the Central User Administration Structure Display screen with a
Tree structure of the systems of the distribution model. The systems with New
indicators
contain user master records that are not contained in the Central User Administration.
3.
If we are setting up a completely new Central User Administration, place the cursor on
the central system and choose Transfer Users.
The system displays the following tab pages:
New users
Identical users
Different users
4.
5.
Select all new and changed users and choose Transfer Users.
Perform steps 3 and 4 successively for all child systems from which we want to transfer
users.
6.
After we have completed the user transfer, remove the roles
Z_SAP_BC_CUA_SETUP_CENTRAL and
Z_SAP_BC_USR_CUA_SETUP_CLIENT from the system users.
These roles are only required to set up the CUA, but not for its operation. By restricting
the authorizations of the system users to the minimum level, we increase the security of
our system landscape.
7.
Use transaction SCUL to check the distribution of the users after the transfer.
Note:
Users that we have not copied to the central system can still be maintained in the child
system. This means that the functions Create and Delete are still displayed in the user
maintenance. These functions are no longer available only after the complete transfer of all
users.
8.
Save our entries.
References
To explicitly search for authorizations that contain the full authorization asterisk (*), we need
to enter a number sign (#) before the asterisk, that is, search for #*. Otherwise, the system
searches for any values.
We can also use the User Information System to:
Determining Transactions
Cross-System Information
Users locked globally in the central system (if we are using CUA)
Users locked locally and globally by the administration (if we are using CUA)
This evaluation also displays the date and time of the last logon.
Procedure
The procedure is explained using an example of Users by System
(RSUSR_SYSINFO_ZBV). To, for example, display the list of users on a child system,
follow the procedure below:
1.
Start the user information system (transaction SUIM) in the central system of the central
user administration.
2.
Expand the nodes Users and Cross-System Information (Central User-Administration).
3.
Choose the Execute option next to Users by System.
4. We now have the following options:
To determine the CUA systems in which a certain user exists, enter the name of
the user, and then choose Execute.
To determine all or some of the users in one or more CUA systems, either enter
the user name only a placeholder or some of the name and the placeholder, such as
FER*.
Result
The result list appears. Depending on our selection, the user names and receiving systems are
displayed as well as the last outbound IDoc number of the respective user master record.
For the reports Users by Role and Users by Profile, we can restrict the selection further:
7.
Locked users
Dialog user
Communication user
System user
Service user
Reference user
Selection by the status of the password
Explanation
The password is initial; that is, the user has
never yet changed it.
with date
The user changed his or her password on
the specified date.
with date
The user has not logged on to the system
again since the administrator changed the
password.
inactive
The password has been deactivated.
To change a user in the result list, select it and choose Select. The user maintenance
transaction (transaction SU01) appears.
With Critical Authorizations (RSUSR009)
Use
Report RSUSR009 is obsolete and has been replaced by report RSUSR008_009_NEW. We
can start this report in the User Information System by choosing Users With Critical
Authorizations (New Version).
We can use this report to determine the users that have critical combinations of
authorizations, as defined in table USKRIA.
A table entry consists of the specification of an authorization object with field name and field
value. The entries are combined using a common four-character ID and the logical linking
operators AND or OR.
Example of an Entry Schema
ID
Object
Field
From To AND/OR Text For
Color
ZT01
S_TABU_DIS ACTVT
02
03 AND
Combination1 1
ZT01
S_TABU_DIS DICBERCLS PSNO
AND
1
ZT01
S_TCODE
TCD
SU01
AND
1
In the above example, a user is displayed in the result list if all three authorizations are
contained in his or her user master record. Critical combinations for the same object must
exist in the same authorization (see SAP Note 674212). If the linkage OR was used instead of
AND, the user would be displayed in the result list if he or she had only one of the three
authorizations in his or her user master record.
We can call the maintenance dialog for creating and changing entries in table USKRIA both
on the initial screen and from the result list of the report.
Notes on Maintaining Critical Authorizations
Within one ID, use only uniform and completely entered linking operators (exclusively
AND or exclusively OR).
There is no input help available for entering authorization objects, fields, and field
values.
We can copy the defaults delivered by SAP (again) by choosing SAP Default (Control
and F3).
Warning
When we do so, we overwrite all previously maintained entries.
Table USKRIA is a cross-client table. This means that we cannot maintain this table in
systems that are locked for cross-client Customizing. In this case, we must deliver the
data by transport from the development system.
Procedure
We can restrict the evaluation by critical combinations by choosing the button Change
Crit.Comb. To call the table of combinations and deleting or changing table rows as
required.
1.
Start the user information system (transaction SUIM).
2.
Expand the Users node.
3.
Choose the option Execute next to List of Users with Critical Authorizations.
4.
Choose Change Crit. Comb.
The Entry of Critical Authorizations for Report RSUSR009 view appears, on which we
can enter the critical authorizations in a table. We can also call this screen from the result list
by choosing Change Crit. Auth.
5. We can delete the existing combinations or add new combinations by choosing New
Entries.
6.
To create new combinations, enter the required data.
For more information, see the above example.
Data of a Critical Authorization
Field
Comment
ID
Name of the authorization objects link
Object
Name of the authorization object
Field Name
Name of the authorization field. Optional
specification, without which, the system
searches in the user master records only for
the authorization object.
From
First authorization value.
Optional specification, without which, the
system searches in the user master records
only for the authorization object.
If we leave the From field empty, the
program searches for authorizations with
spaces for the specified field and object
(see SAP Note 674212).
If we enter an asterisk (*) in the From field,
the report searches for full authorization for
the specified field.
For fields with fixed values, the report
searches for authorizations that contain all
possible fixed values and displays the users
to which authorizations of this type are
assigned.
To
Last authorization value.
Optional specification, without which, the
system searches in the user master records
only for the authorization object.
AND/OR
Linkage type
Text for Critical Authorizations
Enter a short text to explain the critical
combination in the Text for Critical
Authorizations field of the first entry of
each ID. This text is displayed in the result
list after the report has been executed.
Any texts that are not in the first entry are
not taken into account.
Color
7.
Save our entries in a transport request.
8.
Choose Back and Execute.
Result
The system displays a list of all users that have the combination of authorizations for which
we are searching.
With Critical Authorizations (New Version, RSUSR008_009_NEW)
Use
This report replaces the reports RSUSR008 and RSUSR009 and offers the following
improvements:
Differentiation between SAP defaults for critical data for different business areas.
Previously, we could only use and change defaults collectively.
Improved performance
Improved user-friendliness
We can either start the report using transaction SA38 or in the User Information System
(transaction SUIM) by choosing Users With Critical Authorizations (New Version).
The report is provided as of SAP Web AS 6.20 with the following Support Packages:
3.
4.
5.
All entries within a group must have the same operand AND or OR. The individual
groups are essentially linked with AND. An OR link is not possible.
We can specify critical data for different authorization objects within the same group.
If we specify a transaction code for an ID, all authorization data required to execute the
transaction and maintained in transaction SE93 is automatically entered as critical data,
after we have confirmed and saved the dialog box.
If we leave the From field empty, the program searches for authorizations with spaces
for the specified field and object. If we enter an asterisk (*) in the From field, the report
searches for full authorization for the specified field. (See SAP Notes 216557 and
674212)
c.
Save your entries.
6.
Create a variant.
a.
Open the folder Variants for Critical Authorizations by double-clicking it, and then
choose New Entries.
b.
Enter the name and description of the variant.
c.
Save our entries.
7.
Assign the IDs of critical authorizations to the variant that we have just created.
a.
Select the variant and choose the Critical Authorizations folder under the Variants for
Critical Authorization folder by double-clicking it.
b.
Choose New Entries.
c.
Use the input help to choose existing IDs.
d.
Save our entries.
8.
Execute the report variant with critical authorizations.
a.
On the initial screen of the report, choose the option For Critical Authorizations under
Name of the Variant
b.
Use the input help to select an existing variant, and choose Execute.
The users identified for each ID are displayed by the program in the result list.
Analyzing Users with Critical Combinations of Authorizations
We can use the report RSUSR008_009_NEW to combine the IDs for critical authorizations
in any way, and to create variants with these combinations.
1.
To maintain critical combinations, choose Critical Combinations on the initial screen.
A dialog box appears that displays four folders in two hierarchies:
2.
In change mode, open the Combination folder in the lower hierarchy by double-clicking
it, and choose New Entries.
Specify the following data in the table control:
The name
The color for the result list
The description of the combination
Save our entries.
Assign the IDs of critical authorizations to the combination.
Select the combination and open the Critical Authorization folder by double-clicking it.
Choose New Entries.
Use the input help to select IDs of critical authorizations.
Save our entries.
a.
b.
3.
a.
b.
c.
d.
Note
The selected IDs are essentially linked with AND. An OR link is not possible.
4.
Create a variant.
a.
Open the folder Variants for Critical Combinations of Authorizations by double-clicking
it, and then choose New Entries.
b.
Specify the name and description of the variant in accordance with the namespace
convention.
c.
Save our entries.
5.
Assign critical combinations to the variant.
a.
Select the variant and choose the Combination folder under the Variants for Critical
Combinations of Authorizations folder by double-clicking it.
b.
Choose New Entries.
c.
Use the input help to choose existing combinations.
d.
Save our entries.
6.
Execute the report variant with critical combinations.
a.
On the initial screen of the report, choose the option For Critical Combinations under
Name of the Variant
b.
Use the input help to choose an existing variant.
c.
Choose Execute.
The result list displays the users for each combination within the selected variant.
Additional Selection Criteria
We can use the group Selection Criteria for Users to define additional properties that the users
to be displayed must fulfill. This makes analysis quicker and more flexible.
Note that the User Group field relates to entries in the field User Group for Authorization
Check on the Logon Data tab page of user maintenance (transaction SU01), while entries in
the field User Group (General) evaluate the data specified on the Groups tab page of user
maintenance (transaction SU01).
We can use the indicator Display Only Valid Users to restrict the display to users whose
validity period covers the date of the report execution.
Evaluation of the Result List
The result lists are different, depending on the type of the selection variant:
All other functions are standard functions of the ALV Grid Control.
Authorization for the object S_TCODE that contains at least one of the transaction
SE80, SE37, or SE38
An authorization for the object S_DEVELOP with the value PROG or FUGR in the
OBJTYPE field and the value 02 in the ACTVT field
The ID to be created with critical authorization data therefore contains three groups, for each
of which the values are each linked with OR.
ID Example 1
Group
Object*
Field Name From
To
AND/OR*
A001
S_TCODE
TDC
SE80
OR
A001
S_TCODE
TDC
SE37
OR
A001
S_TCODE
TDC
SE38
OR
A002
S_DEVELOP OBJTYPE
PROG
OR
A002
S_DEVELOP OBJTYPE
FUGR
OR
A003
S_DEVELOP ACTVT
02
any (OR or
AND)
Example 2
In a modification of the first example, we now determine users that have development
authorization both for executable programs and for function groups. To do this, split the ID of
the first example into two individual IDs and create a combination of these two IDs:
ID 1
Group
Object*
Field Name From
To
AND/OR
A001
S_TCODE
TCD
SE80
OR
A001
S_TCODE
TCD
SE38
OR
A002
S_DEVELOP OBJTYPE
PROG
AND
A002
S_DEVELOP ACTVT
02
AND
and
ID 2
Group
Object*
Field Name From
To
AND/OR
A001
S_TCODE
TCD
SE80
OR
A001
S_TCODE
TCD
SE37
OR
A002
S_DEVELOP OBJTYPE
FUGR
AND
A002
S_DEVELOP ACTVT
02
AND
Determining Roles, Profiles, Authorizations, and Authorization Objects
Use
These reports RSUSR070 (roles), RSUSR020 (profiles), RSUSR030 (authorizations), and
RSUSR040 (authorization objects) are constructed in the same way: The first node by
complex selection criteria represents a combination of the nodes below in each case. The
evaluation for the Roles node is presented as an example. In this way, we can, for example,
find all roles that contain the authorization post document (F_BKPF_BUK, activity 01).
Procedure
1.
Start the user information system (transaction SUIM).
2.
Expand the Roles node.
3.
Choose the Execute option next to Roles by complex selection criteria.
4.
Under Selection by authorization values, enter F_BKPF_BUK in the Object1 field, and
choose Input Values (we cannot enter any values for report RSUSR040).
The fields previously hidden for entering the values are now ready for input.
5.
Enter the activity 1 as the value.
The result list appears.
6. There are additional functions available to us on the result list, depending on the search
area:
Detail: Starts transaction PFCG: displaying the role
User assignment
Profile assignment
Transaction assignment
Value Input
The input values for the Value field of the authorization object are interpreted as follows:
Value
no input
A*
*
*
VALUE
Explanation
The system displays all authorization objects, irrespective of the value
entered in the field.
The system displays all authorization objects whose field contains a space
as the value.
The system displays all authorizations values whose field value begins with
A.
The system displays all authorization objects whose field contains the
placeholder asterisk as the value.
The system displays all authorization objects whose field contains the
placeholder asterisk as the value.
The system displays all authorization objects whose field contains
VALUE as the value.
Note:
With the selection For User, the reference user assigned to this user is also taken into account.
If we specify a reference user in the Executable for User selection, only the authorizations
assigned directly to this user are taken into account. Since a reference user cannot log on to a
system, the transactions displayed by the report cannot be directly started by the reference
user. Only a dialog user that has been assigned this reference user can do so.
Authorization Checks
To ensure that a user has the appropriate authorizations when he or she performs an action,
users are subject to authorization checks.
The following actions are subject to authorization checks that are performed before the start
of a program or table maintenance and which the SAP applications cannot avoid:
The system checks in table TSTC whether the transaction code is valid and whether the
system administrator has locked the transaction.
The system then checks whether the user has authorization to start the transaction.
The SAP system performs the authorization checks every time a user starts a transaction from
the menu or by entering a command. Indirectly called transactions are not included in this
authorization check. For more complex transactions, which call other transactions, there are
additional authorization checks.
The authorization object S_TCODE (transaction start) contains the field TCD
(transaction code). The user must have an authorization with a value for the selected
transaction code.
The system checks whether the transaction code is assigned an authorization object. If
so, a check is made that the user has authorization for this authorization object.
The check is not performed in the following cases:
We have deactivated the check of the authorization objects for the transaction (with
transaction SU24) using check indicators, that is, we have removed an authorization object
entered using transaction SE93. We cannot deactivate the check for objects from the SAP
NetWeaver and HR areas.
This can be useful, as a large number of authorization objects are often checked when
transactions are executed, since the transaction calls other work areas in the background. In
order for these checks to be executed successfully, the user in question must have the
appropriate authorizations. This results in some users having more authorization than they
strictly need. It also leads to an increased maintenance workload. We can therefore deactivate
authorization checks of this type in a targeted manner using transaction SU24.
We have globally deactivated authorization objects for all transactions with transaction
SU24 or transaction SU25.
So that the entries that we have made with transactions SU24 and SU25 become
effective, we must set the profile parameter AUTH/NO_CHECK_IN_SOME_CASES
to Y (using transaction RZ10).
All of the above checks must be successful so that the user can start the transaction.
Otherwise, the transaction is not called and the system displays an appropriate message.
Starting Report Classes
We can perform additional authorization checks by assigning reports to authorization classes
(using report RSCSAUTH). We can, for example, assign all PA* reports to an authorization
class for PA (such as PAxxx). If a user wants to start a PA report, he or she requires the
appropriate authorization to execute reports in this class.
We do not deliver any predefined report classes. We must decide our-self which reports we
want to protect in this way. We can also enter the authorization classes for reports with the
maintenance functions for report trees. This method provides a hierarchical approach for
assigning authorizations for reports. We can, for example, assign an authorization class to a
report node, meaning that all reports at this node automatically belong to this class. This
means that we have a more transparent overview of the authorization classes to which the
various reports are transported.
Note
We must consider the following:
There are certain system reports that we cannot assign to any authorization class. These
include:
RSRZLLG0
Reports that are called using SUBMIT in a customer exit at logon (such as SUSR0001,
ZXUSRU01).
relevant group assignments. For this case, we deliver tables with predefined assignments to
authorization groups. The assignments are defined in table TDDAT; the checked
authorization object is S_TABU_DIS.
We can assign a table to authorization group Z000. (Use transaction SM30 for table TDDAT)
A user wants to access this table must have authorization object S_TABU_DIS in his or her
profile with the value Z000 in the field DICBERCLS (authorization group for ABAP
Dictionary objects).
See also:
N: Do not check
P: Check
PP: Check/maintain
Explanation
Check for the corresponding
authorization object takes
place in accordance with
values defined by
programmer.
If the authorization default
value is set to yes, the
administrator must specify a
default when creating a role.
Field values are not
displayed in the role
administration tool.
Check disabled. Field
values are not displayed in
the role administration tool.
This indicator can only be
set for transactions, and not
for HR or Basis
authorization objects. For
services, this is technically
not possible.
Check always executed.
Field values are not
displayed in the role
administration tool, since
there is no authorization
default value.
Check always executed.
Field values are displayed in
the role administration tool.
A yellow traffic light means
that an authorization default
value still contains at least
We cannot suppress authorization checks for authorization objects that belong to Basis
components or to Human Resources (HR).
This example describes how we can compare two users (the procedure is the same for roles,
profiles, or authorizations). The master records are resolved to authorization field level and
compared.
Procedure
1.
Start the user information system (transaction SUIM).
2.
Expand the Comparisons node.
3.
Choose the Execute function in the From Users line.
4.
In the User A and User B fields, enter the names of the users to be compared.
5.
To compare users in different systems, choose the Across Systems button.
To compare a user of the current system with a user from another system, enter the user
name for user A and the RFC destination and the user name for user B. We can use the
input help to select from the available RFC destinations.
To compare a user from another system A with a user from a further system B from the
current system, enter the RFC destinations of these systems in the fields RFC
Destination for System A and RFC Destination for System B.
6.
Choose Execute.
The system displays the Comparisons screen, on which a comparison of the two users is
displayed. This is divided into same values, different objects, same values, and different
values. In the case of different objects, only the user for which an authorization object is
displayed has the object. Different values means that although both users have authorizations
for the same object, the values are different. Same values mean that both the authorization
object and the authorization values of the two users match.
To display documentation for an authorization object, select the object and choose
Documentation.
To display a sorted comparison of the values by authorization fields, select the relevant
line and choose Select.
Result
The authorizations from different profiles were resolved, combined by objects and sorted by
fields. This means that we have a compact comparison of the values for each field.
Note that this display allows a quick comparison, but that the interaction of the fields within
an authorization is of vital importance. In particular, it can be the case for the objects listed
under "same values" that although two users have the same values for an object, they do not
have the same authorizations, as the field values are combined differently in different
authorizations. We should therefore regard this comparison function only as a utility for
finding differences and not for documenting equality.
For information about investigating the user master records of two users for an object at the
authorization level, see the Users by complex selection criteria section of Determining Users
with the Users Node.
Creating Where-Used Lists for Profiles (RSUSR002)
Use
We can use this report to create where-used lists for profiles, authorization objects,
authorizations, and authorization values. We are looking for, for example, all users to which a
certain profile (such as SAP_ALL) is assigned.
Procedure
1.
Start the user information system (transaction SUIM).
2.
Expand the nodes Where-Used List and Profiles.
3.
Choose the Execute option next to one of the following search areas (in this example,
next to In Users):
In Users
In Roles
In Composite Profiles
4.
Specify the profile (in our example, SAP_ALL), and choose Execute.
The result list By Complex Selection Criteria appears.
5.
There are additional functions available to us on the result list, depending on the search
area.
Result
The result list shows the where-used list of the object in the specified search area; in our
example, therefore, all users to which the SAP_ALL profile is assigned.
Functions in the Result List for the In Users Search Area
Function
Display Details
List with Roles
List with Profiles
Change Documents
Comment
Display details for the user.
List of users with their role assignment
List of the users with all profiles assigned to the user
List of change documents for a user
Comment
Starts role maintenance (transaction PFCG) for the selected role.
Starts the where-used list for the users assigned the role selected in
the result list
List of the profiles for a role, from which, in turn, we can create a
where-used list for the profiles contained in the list.
Displays a list of composite roles in which the single role selected
in the result list are contained.
Displays which single roles are contained in the selected
composite role from the result list.
List of all transactions contained in the role, for which we can
display all fields and values by choosing Details.
Functions in the Result List for the In Composite Profiles Search Area
Function
Display Details
Where-Used List
Comment
Display details for the profile.
Where-used list for a profile selected in the result list that contains
the profile for which we originally performed the search in the
where-used list. The same selection options are available again on
the Profile Where-Used List dialog box (use in profiles, user
master records, or roles)
Change Documents
List of change documents for a profile
Creating Where-Used Lists for Authorization Objects (RSUSR002)
Use
We can use this report to create where-used lists for profiles, authorization objects,
authorizations, and authorization values.
Procedure
1.
Start the user information system (transaction SUIM).
2.
Expand the nodes Where-Used List and Authorization Objects.
3.
Choose the Execute option next to In Programs.
4.
Enter the authorization object and choose Execute.
The Authorization Object Where-Used List dialog box appears.
5.
Specify the search area. Use in:
Programs
Classes
BSP Applications
Transactions
Package Interfaces
The result list appears.
Result
The result list displays the where-used list for the authorization object in the specified search
area. Additional functions are available to us in the result list.
Functions in the Result List
Function
Comment
Change
Calls the ABAP Editor in change mode for the program.
Display
Calls the ABAP Editor in display mode for the program.
Where-used list
Displays all programs, classes, and so on that use the selected
program.
Delete
Deletes the program
Complete List
Additional properties of the programs are displayed in the complete
list.
Creating Where-Used Lists for Authorizations (RSUSR002)
Use
We can use this report to create where-used lists for profiles, authorization objects,
authorizations, and authorization values.
Procedure
1.
Start the user information system (transaction SUIM).
2.
Expand the nodes Where-Used List and Authorizations.
3.
Choose the Execute option next to one of the following search areas:
In Users
In Profiles
4.
Enter the authorization and the associated authorization object, and choose Execute.
The result list appears.
5.
There are additional functions available to us on the result list, depending on the search
area.
Result
The result list displays the where-used list for the authorization object in the specified search
area.
Functions in the Result List for the In Users Search Area
Function
Comment
Display Details
Display details for the user.
List with Roles
Displays all roles of the users in the result list
Comment
Display details for the profile.
Starts the where-used list for the profile selected in the result list
List of change documents for the selected profile
In Users
In Roles
In Profiles
In Authorizations
4.
Specify the authorization object (such as M_MSEG_WWE), for the values of which we
want to create the where-used list, and the values for the authorization object in the
fields, which are different, depending on the authorization object (in this example,
activity = 01).
5.
Choose Execute.
The result list appears.
6.
There are additional functions available to us on the result list, depending on the search
area.
Result
The result list displays the where-used list for the authorization object in the specified search
area.
Functions in the Result List for the In Users Search Area
Function
Display Details
Roles
Profiles
Change Documents
Comment
Displays profiles for the selected user, including the authorization
objects, authorizations, and authorization fields
List of users with their roles
List of users with their profiles
List of change documents for the users selected in the result list
Comment
Starts the role maintenance transaction (PFCG).
Displays a list of the users assigned to the role.
Profile Assignment
Contained in
Composite Roles
Contained Single
Roles
Transaction
Assignment
Comment
Displays all authorization objects, authorizations, and authorization
values for the profile
Starts the where-used list for the profile selected in the result list
List of change documents for the profiles in the result list
Comment
Displays the authorization values for the authorization.
Starts the where-used list for the authorization selected in the result
list
List of change documents for the authorization selected in the result
list
A user (RSUSR100)
A profile (RSUSR101)
An authorization (RSUSR102)
A role (RSSCD100_PFCG)
Note that changes for users, profiles, and authorizations are divided into two areas:
Changing header data: password changes, validity, user type, user group, account
number, lock status
We can select both fields to obtain all information. In this case, the left column shows the
status before the change the right column the changed entry.
We determine the changes for roles and role assignments using a separate interface.
Determining Documents for Users, Profiles, and Authorizations
1.
Start the user information system (transaction SUIM).
2.
Expand the Change Documents node.
3.
Choose the Execute option next to For Users (or For Profiles or For Authorizations).
4.
Specify the user (or the profile, or the authorization) and other restricting values, and
choose Execute.
The result list Lists of Change Documents for Users appears.
5.
We can display details for profiles and authorizations by double clicking the appropriate
object in the result list.
Determining Documents for Roles and Role Assignments
The interface for determining change documents for role assignment is a section of the
interface to determine the change documents for roles.
1.
Start the user information system (transaction SUIM).
2.
Expand the Change Documents node.
3.
Choose the Execute option next to For Roles (or For Role Assignments).
4.
Enter the required details and then choose Execute.
We can select an individual role or a particular change document with the fields Name of the
Role and Change Number of the Document. We can use the fields Changed By and To Date
or To Time to further restrict the selection. We can use the button next to Changed By to enter
our user name in the input field.
We can also choose the following document types under Change Documents, where an
additional input field is displayed at the end of the list for some document types:
Role description
Authorization data
Authorization profile
Attributes
MiniApps
User assignment
With the User Assignment option, we can use the input field Assigned User to display the
changes to role assignments for individual users.
We can use the option All Change Documents (Technical View) to display the contents of the
key fields of the table entered in the field Change Document Table. If we enter an asterisk (*)
as a placeholder or leave the field empty, all tables are used in the evaluation.
Result
Initial entries for role data are differentiated from empty entries in the result list by the
comment unknown.
We can also create user-specific ALV list variants in the result list.