Types of Users in SAP

8/13/2019 Types of Users in SAP

1/9

There are five types of users in sap

Dialog users (A)A normal dialog user is used for all logon types by exactly one person. This is used to logon using SAP GUI. During adialog logon, the system checks for expired/initial passwords. The user can change his or her own password. Multipledialog logons are checked and, if appropriate, logged. These users are used for carrying out normal transactions.This is an interactive type of logon. The initial multiple logons are 6. They are set according to companies policy.System Users (B)

These are non interactive users. They are used for background processing and internal communication in the system(such as RFC users for ALE, Workflow, TMS, and CUA). Their passwords cannot be changed by the end users. Onlythe user administrator can change their passwords. Multiple logon is permitted in these type of users. Dialog logon isnot possible for these type of users.

Communication Users (C)Used for dialog-free communication between systems. It is not possible to use this type of user for a dialog logon.Their passwords are valid for certain period of time so they expire. The users have option to change their ownpasswords.Service User (S)Dialog user available to a larger, anonymous group of users. The system does not check for expired/initial passwordsduring logon. Only the user administrator can change the passwords. Generally, highly restricted authorizations aregiven to this type of users.Reference User (L)

A reference user is, like the service user, a general non-person-related user. Dialog logon is not possible with thiskind of user. A reference user is used only to assign additional authorizations. To assign a reference user to a dialoguser, specify it when maintaining the dialog user on the Rolestab page

Dialog User System user Communication User Service User Reference

Logon with SAPGUI possible/Interactive

Yes No No Yes No

Multiple logon permitted yes NA yes yes yes

Password Expires orinitialized

NA NA Expires or initialized ----NA---

Password can be changed by End user UserAdministrator

End User

SAP BASIS Security Interview Questions

Creating a User Role

The easiest way to create a new user role is to copy an already existing user role, either one of

your own or one of the ones provided to you in the installation of SAP. So lets assume that you


2/9

have none of your own and use one

This document is the intellectual property of Jo Spencer and may not be edited without

permission.

of the SAP role templates provided. It might assist you with picking one of these roles if you have

someone dump the appropriate information into a spreadsheet containing the Role Name, Role

Description, Transactions contained in the Role, and the Transaction description. The SQL querywould be something like this:

SELECT AGR_TEXTS.AGR_NAME, AGR_TEXTS.TEXT, AGR_TCODES.TCODE, TSTCT.TTEXT

FROM AGR_TEXTS, AGR_TCODES, TSTCT WHERE AGR_TEXTS.MANDT = '000' AND

AGR_TEXTS.SPRAS = 'E' AND AGR_TEXTS.LINE = 0 AND AGR_TCODES.MANDT = '000' AND

AGR_TCODES.AGR_NAME = AGR_TEXTS.AGR_NAME AND TSTCT.SPRSL = 'E' AND

TSTCT.TCODE = AGR_TCODES.TCODE ORDER BY AGR_TEXTS.AGR_NAME,

AGR_TCODES.TCODE;

This query should be changed based on the details of your SAP instance. Identify the roles(s) to

be used as the source for your role copy.

1. Log on to client needing the role.

2. Go to transaction PFCG.

3. On the Role Maintenance screen, either type in the role name to be copied or select it from a

dropdown. Press Enter to confirm that the role exists.

4. Click the Copy role button or press Shift+F11.

5. One the Query popup box, fill in the to role field with the name to be given the new role. Come

up with a standard that everyone follows so the base original role is designated in some way so

you dont forget where you got the original. The name must begin with Z or Y. Most people will

add a Z- in the first two characters of the role name. If you want to only select specific roles from a

Composite role, you would click the Copy selectively button, otherwise click the Copy all button.

6. Once the role has been copied, you will be taken back to the original PFCG screen where you

will see the name of your new role. Change you Role description and save the new role before

working with it any further

Return to Index...

Modifying a User Role

1. Log on to client needing the role change.


3. On the Role Maintenance screen, either type in the role name to be changed or select it from a

dropdown. Press Enter to confirm that the role is found.

4. Click the Change Role little yellow pencil button role button or press F6.

5. Click the Authorizations tab and then the Change Authorization Data button.

6. On the Change Role: Authorizations screen, expand and change the authorizations you need to

adjust. When finished click first the Save button and then the Generate button looks like a littlered and white beachball.

7. Back out to the Change Roles screen and click the User tab. Click on User Comparison and

then Complete Comparison. Once the comparision is done, click Save one more time and you are

done!

Return to Index...

Deleting a User Role



3/9

permission.

1. Log on to client needing the role deletion.


3. On the Role Maintenance screen, either type in the role name to be changed or select it from a

dropdown. Press Enter to confirm that the role is found.

4. Click the Role Delete button or Shift+F2.5. On the Delete Role popup, confirm that you wish to delete the deletion. If you get an Information

popup, confirm it also.

6. Your deletion will return a successful message in the bottom status bar.

Return to Index...

Transporting User Roles between Clients (Transport System Method)

When a modification is made to a role in the 100 client, the roles must be transported to the 800

client. One role, several roles, or all roles can be done if needed. They can all be added to the

same transport change request. After the roles have been moved to other clients, you will need to

log on to each of those clients and do a user comparison. You will also need to do a text

comparison in client 100 of the appropriate SAP system.

1. Log on to client 100 of the appropriate SAP system.


3. On the Role maintenance screen, type in the Role name of the first role to be transported. Click

the Truck picture-icon.

4. You will see an Information popup. Click the green picture-icon.

5. In the Choose objects popup, unclick the s beside User assignment and Personalization. If you

want to transport the users along with the role, profiles, and authorizations, you can the to the

left of User assignment. Click the green picture-icon.

6. On the Prompt for Customizing request popup, click the blank page picture-icon to create a new

change request. On the Create Request popup, fill in the Short description and click the Save

picture-icon. You will be returned to the Prompt for Customizing request popup which contains

the generated change request number for this system change. Click the green to continue.

7. You will see a Data entered in change request message in the status bar at the bottom of the

screen. Now enter the name of the next role to be transported and click the Truck picture-icon.

8. You will see an Information popup. Click the green picture-icon.9. In the Choose objects popup, unclick the s beside User assignment and Personalization. If you



10. On the Prompt for Customizing request popup, continue to use the same transport you

created in step 6. Click the green to continue.

11. Continue to perform steps 7 through 10 until all the roles you need to transport have been

attached to the transport change request.12. The generated transport can now be released and transported into the clients needing the

modified roles.

13. You may now leave the PFCG transaction.

Return to Index...

Transporting User Roles between Clients (Upload/Download Method)

Central User Administration distributes clients and their information to the other clients

connected to the Distribution Model. It does not, however, do the


4/9


permission.

same for roles and role authorizations. So when a modification is made to a role in the 100 client,

the roles must be transported to the 800 client. One role, several roles, or all roles can be done if

needed. They can all be added to the same transport change request. After the roles have been

moved to other clients, you will need to log on to each of those clients and do a user comparison.You will also need to do a text comparison in client 100 of the appropriate SAP system.




the Truck picture-icon.





6. On the Prompt for Customizing request popup, click the blank page picture-icon to create a new

change request. On the Create Request popup, fill in the Short description and click the Save

picture-icon. You will be returned to the Prompt for Customizing request popup which contains

the generated change request number for this system change. Click the green to continue.

7. You will see a Data entered in change request message in the status bar at the bottom of the

screen. Now enter the name of the next role to be transported and click the Truck picture-icon.





10. On the Prompt for Customizing request popup, continue to use the same transport you

created in step 6. Click the green to continue.

11. Continue to perform steps 7 through 10 until all the roles you need to transport have been

attached to the transport change request.

12. The generated transport can now be released and transported into the clients needing the

modified roles.


Return to Index...

Performing a User Comparison on the Modified Roles




the Change button.4. On the Change Roles screen, click the User tab.

5. On the User tab, click the User compare button.

6. On the Compare Role User Master Record popup, click the Complete compare button.

7. You will receive a User master record for role was adjusted message in the status bar at the

bottom of the screen. You may now leave the PFCG transaction.

Return to Index...

Performing a Text Comparison to Refresh Role Selection Lists


5/9


permission.


2. Go to transaction SU01.

3. On the User Maintenance: Initial Screen screen, type in the user model_user. Click the pencil

picture-icon.4. On the Maintain User screen, click the Text comparison from child Syst. button.

5. On the CUA: Text comparison from Child Systems screen, type LSDEV100 for the Receiving

system and LSQAS800 for the to system. This is a range, and since LSPRD300 falls

alphabetically between LSDEV100 and LSQAS800, all three systems will have the text comparison

performed. Click the clock picture-icon.

6. On the CUA: Text comparison from Child Systems results screen, you will see a list of the

systems compared and the compare results. Click the white arrow on green picture-icon 3 times,

or until you have left the SU01 transaction.

Return to Index...

Users, Roles, and Authorizations

SAP security is based on authorization objects and authorizations. An authorization object is

used to indicate that a user can perform a certain activity. An authorization is used to limit the

scope of that activity.

For example, a profile contains the S_DEVELOP authorization object. This authorization object

allows a user to perform ABAP workbench activities. Some users will need to do all ABAP

activites while others will only need to perform a few. So S_DEVELOP has a selection of

authorizations you can use: ACTVT, DEVCLASS, OBJNAME, OBJTYPE, and P_GROUP. The

authorizations are set to the appropriate values as needed. A tree view of the S_DEVELOP

authorization object can be seen below:

S_DEVELOP

ACTVT

Create or generate

Change

Display

Delete

Activate, generate

Execute

Create in DB

Delete in DB

Convert to DB

Administer

CopyAll Functions

Deactivate Mod. assistant

DEVCLASS

Single Value or Value Range

OBJNAME


OBJTYPE


6/9


P_GROUP


The S_DEVELOP authorization object in a profile lets a user perform ABAP workbench activities.

But having a S_DEVELOP authorization object with the ACTVT

This document is the intellectual property of Jo Spencer and may not be edited withoutpermission.

authorization value set to Display (03) means that the user is limited to display only in the ABAP

workbench transactions. Thus we see that authorization objects grant while authorizations limit. It

is important to remember, however, that a user with a profile having a S_DEVELOP with full

authorizations still cannot access an ABAP workbench transaction until a matching S_TCODE

(start up transaction code) has been added as well. In other words, a user may have the rights to

add, modify and delete ABAP programs but until an entry for SE38 has been added to the

S_TCODE authorization object, he cannot access transaction SE38 which is the ABAP Editor.

All authorization objects and authorizations are grouped into profiles before being attached to

users. Profiles use a combination of authorization objects and their respective authorizations, and

their creation can be complex as well as tedious. In order to simplify the creation of profiles, the

Profile Generator (transaction PFCG) was created. Roles are created via a more user-friendly

interface which generates profiles based on the information added via this interface.

Manually creating profiles is the old way of doing things. There are times, such as the start of a

new SAP landscape where no roles exist, that the use of profiles is handy. But once the landscape

has been completed all users, with the exception of the Basis team, should be attached to roles.

There should never be a need to manually create a SAP new profile. To add a new role, the easiest

method is to copy an existing role that matches your needs as closely as possible and make the

changes you need for the new role.

This documentation covers changing user security via both methods.

Adding Authorization Objects and/or Authorizations to a Profile

Remember that profiles are NOT the standard way to implement SAP security

1. Log on to the appropriate client in the appropriate SAP system.


3. In the Manually edit authorization profiles section of the Profile: Initial Screen screen, enter the

Profile you want to change. Make sure the Active only is checked. Click the Create work area for

profiles button.

4. On the Profile List screen, double-click the profile to be changed.

5. A profile can contain authorization objects only (single profile) or one or more other profiles

(collective profile). If the next screen is titled Maintain Profile, this is a single profile, and you

should proceed to the next step. If the next screen is titled Collect Profiles, this is a collective

profile and you should skip to step 13.6. On the Maintain Profile screen, you must decide if you need to add a new authorization object

and one or more of its authorizations, or add a new authorization to an authorization object

already in the profile. If you need to add a new authorization to an authorization object already in

the profile, skip to step 7. Otherwise, scroll down the Consisting of authorizations list until you

find a blank line. Type the authorization object you need to add and press Enter. You will need to

scroll through the list again until you find the authorization object you just added (it is was to find

since the Authorization column should still be blank). Once you find the new entry line, use the


7/9

drop down to fill in the Authorization column. Click on the Save picture-icon.

7. If you need to add another authorization to an authorization object already in the profile list,

click on the +Add authorization button.

8. From the Maintain Profiles: Object Classes screen, double-click the Object class of the

authorization you are adding.

9. On the Maintain Profiles: List of Authorizations screen, select the authorization you need to addby double-clicking the appropriate line. This


permission.

will return you to the Maintain Profile screen where you can see that your authorization has been

added.

10. On the Maintain Profile screen, click the Save picture-icon. Then click the lit match picture-

icon to activate the new profile changes.

11. On the Activate Profile: Execution Screen screen, click on the lit match picture-icon to

complete the profile activation process.

12. You may now leave the SU02 transaction.

13. In order the change a profile collection, you must make the changes in one or more of the

dependent profiles, save the changes in the dependent profile(s), activate the dependent

profile(s), save the collection owner profile, and activate the collection owner profile. On the

Collect Profiles screen, double-click on the profile you want to change.

14. You will be taken to the Maintain Profile screen. Perform steps 6 to 11. Then use the white

arrow on green picture-icon to go back.

15. On the Collect Profiles screen, click the Save picture-icon. Then click the lit match picture-icon

to activate the new profile changes.

16. On the Activate Profile: Execution Screen screen, click on the lit match picture-icon to

complete the profile activation process.

17. You may now leave the SU02 transaction.

Return to Index...

Adding Authorization Objects and/or Authorizations to a Role

1. Log on to client 100 in the DEV SAP system.


3. On the Role Maintenance screen, enter the Role you want to change. Click the Change button.

4. On the Change Role screen, click the Authorizations tab and then click the pencil picture-icon.

5. If you are only adding a start up transaction to the role, skip to step 10. Otherwise, the

assumption is that a new authorization object is to be added. On the Change role: Authorizations

screen, click the +Manually button.

6. On the Manual selection of authorizations popup, enter the authorizations objects that need to

be added (ie S_DEVELOP, S_PROGRAM, etc.) Click the green when you are finished.7. Back on the Change role: Authorizations screen, if all the displayed signal lights are green, skip

to step 8. Otherwise, fully expand the lines that are yellow and/or red and supply the necessary

information. All signal lights should be green before moving to the next step.

8. On the Change role: Authorizations screen, click the Save picture-icon. You will receive a Data

saved confirmation message in the status bar at the bottom of the screen.

9. On the Change role: Authorizations screen, click the red-and-white beach ball picture-icon to

generate a profile from the saved role. Reply affirmatively if any confirmation popups. You will


8/9

receive a Profile(s) created message in the status bar at the bottom of the screen. If you do not

need to add any start up transactions to the profile, you may now leave the PFCG transaction.

10. On the Change Role: Authorizations screen, expand the Cross-application Authorization

Objects Authorization Check for Transaction Start Authorization Check for Transaction Start

until you see the Transaction code entry line. Double-click on the entry portion of the Transaction

code line.11. In the Maintain Field Values popup, scroll down the list until you find a blank From and To line.

Enter the transaction(s) to be added, and click the Save picture-icon when you have finished.


permission.

12. On the Change role: Authorizations screen, click the Save picture-icon. You will receive a Data

saved confirmation message in the status bar at the bottom of the screen.

13. On the Change role: Authorizations screen, click the red-and-white beach ball picture-icon to

generate a profile from the saved role. Reply affirmatively if any confirmation popups. You will

receive a Profile(s) created message in the status bar at the bottom of the screen.


Return to Index...

Granting Transaction Access to a User via Profile

*** Since SAP R/3 4.5, this is not the standard for user authorizations.

***

Return to Index...

Granting Transaction Access to a User via Role

1. Log on to the applicable SAP instance and client.


3. On the User Maintenance: Initial Screen screen, fill in the User ID for the user you want to

change, either by typing it in or choosing it from the drop down. Click the little yellow pencil

Change button.

4. On the Maintain User screen, click on the Roles tab. Fill in the new role in the first available Role

field. Press ENTER to confirm that the role exists. Click the Save button.

5. Make sure to use transaction PFCG to run a user comparion to rebuilt the role-to-user

connections.


Return to Index...

Revoking Authorizations from a User via Profile


***

Return to Index...

Revoking Authorizations from a User via RoleUse the same procedure as Adding Authorization Objects and/or Authorizations to a

Role

Return to Index...

Revoking Transaction Access from a User via Profile

*** Remember that profiles are NOT the standard way to implement SAP security. ***

Return to Index...



9/9

permission.

Attaching a Profile to a User


***

Return to Index...

Attaching a Role to a User1. Log on to the applicable SAP instance and client.


3. On the User Maintenance: Initial Screen screen, fill in the User ID for the user you want to

change, either by typing it in or choosing it from the drop down. Click the little yellow pencil

Change button.

4. On the Maintain User screen, click on the Roles tab. Fill in the new role in the first available Role

field. Press ENTER to confirm that the role exists. Click the Save button.

5. Make sure to use transaction PFCG to run a user comparion to rebuilt the role-to-user

connections.


Documents

Types of Users in SAP