R/3 User Management

Anand Munuswamy

User Administration Overview

Unit Overview

This unit describes the basic overview of User Administration, Maintaining user, Resetting Password, Locking and unlocking a user, User groups via SU01 transaction in SAP R/3

User Administration Overview

Unit Objective

After completing this unit, you will be able to :

1. Explain the Function of User Administration

2. Creating and maintaining Users in R/3

3. Describe and use of User Groups

4. Describe and use of Personalization

5. Modify, lock and unlock users (SU01)

6. Resetting Password (SU01)Contd ..

User Administration Overview

Unit Objective

7. Develop authorization and profiles

8. Explain the function of Authorization Objects, Fields

9. Describe the Authorization Checks / Trace

10. Explain and configure User Administrator

11. Describe SAP Standard Logon Users

12. Explain the terms of logon and password controls

The User Master Record: Creating a SAP Account (SU01)

Create

The User Master Record: Selecting a Password (SU01)

Selecting a password

Logon Data

User Group

User Master Record : Account Validity and Account Number

Setting Validity Period

User Master Record : User Type

User Type

The User Master Record: Assigning External mail id

E-mail address

(necessary for external mail set-up)

Defaults

Parameters

Roles

Profiles

User Profile

Groups

The User Master Record: Changing SAP Account (SU01)

Change

Delete

The User Master Record: Deleting SAP Account (SU01)

Lock/Unlock

The User Master Record: Locking/Unlocking SAP Account (SU01)

Changing Password

The User Master Record: Changing Password of SAP Account (SU01)

Copying an Existing User

The User Master Record: Copying an existing user (SU01)

User Master record

Authorization Objects (SU03)

Authorization Objects (SU03)

Example: Authorization Fields

The Authorisation Problem Report (1/3)

1

3

2

Documentation - Display Authorization Check (2/3)

1

2 34

Documentation - Display Authorization Check (3/3)

Ensure that the file is saved in Rich Text Format

Authorizations

Profiles

AuthorizationsAuthorizations

Authorization objects

Authorization within Profiles, refers to a valid instance of Authorization object i.e. an Authorization object with valid values for their fields

Fields & Values

Profiles are created when 'roles' are generated. Profiles are collection of authorizations for a particular task which are assigned to multiple users.

The security structure in SAP:

Example: Authorization Checks/Trace (Contd..)

ABAP/4 Code for SD70AV3A. . . GET KNA1.AUTHORITY-CHECK OBJECT objectnameID fieldname1 FIELD fieldvalue1...ID fieldnamen FIELD fieldvaluenWRITE KNA1.. . .

Transaction VF31

Program SD70AV3A

Mr. Smith’s User Master Record

AuthorizationAuthorization

Authorization fields

Mr. Smith

Authorization Object

Authorization Profile

Functional Area

Auth Object

Fields where input in required

Configuring Maintenance Administrators

User Administrator

AuthorizationAdministrator

Activation Administrator

Super User

Define and edit profiles and authorizations

Maintain user master records

Activate profiles and authorizations

Domain

Special Logon Users

User SAP*

User DDIC

ProductionPlanning

MaterialsManagement

Finance andControlling

Sales andDistribution

Human Resources

SAP* password is ‘pass’ if there is no entry for SAP* in table USR02

Special User IDs The two user Ids (SAP* and DDIC) should only be used for tasks thatspecifically required either of those user Ids. A user who requires similar“super user” security rights should have a copy of the SAP* user security.

The security rights of SAP* and DDIC are extensive, dangerous and pose asecurity risk. Anyone, who requires or requests similar security rights shouldhave an extremely valid reason for the request. Convenience is not a validreason.

The user ID SAP* and DDIC should never be deleted. Instead :1. Change the password2. Lock the user ID

User Logon and Password Controls

ProductionPlanning

MaterialsManagement

Finance andControlling

Sales andDistribution

Human Resources

Table USR40 to define impermissible passwords for your system