Types of Users in SAP


  • 8/13/2019 Types of Users in SAP


    There are five types of users in SAP.

    Dialog Users (A)

    A normal dialog user is used for all logon types by exactly one person. This type is used to log on with SAP GUI. During a dialog logon, the system checks for expired/initial passwords. The user can change his or her own password. Multiple dialog logons are checked and, if appropriate, logged. These users are used for carrying out normal transactions. This is an interactive type of logon. The initial multiple logons are 6. They are set according to company policy.

    System Users (B)

    These are non-interactive users. They are used for background processing and internal communication in the system (such as RFC users for ALE, Workflow, TMS, and CUA). Their passwords cannot be changed by the end users. Only the user administrator can change their passwords. Multiple logon is permitted for this type of user. Dialog logon is not possible for this type of user.

    Communication Users (C)

    Used for dialog-free communication between systems. It is not possible to use this type of user for a dialog logon. Their passwords are valid for a certain period of time, so they expire. The users have the option to change their own passwords.

    Service User (S)

    Dialog user available to a larger, anonymous group of users. The system does not check for expired/initial passwords during logon. Only the user administrator can change the passwords. Generally, highly restricted authorizations are given to this type of user.

    Reference User (L)

    A reference user is, like the service user, a general non-person-related user. Dialog logon is not possible with this kind of user. A reference user is used only to assign additional authorizations. To assign a reference user to a dialog user, specify it when maintaining the dialog user on the Roles tab page.

    Property                                  Dialog User   System User   Communication User   Service User   Reference
    Logon with SAP GUI possible/interactive   Yes           No            No                   Yes            No
    Multiple logon permitted                  Yes           NA            Yes                  Yes            Yes

    Password expires or initialized: NA, NA, Expires or initialized, NA

    Password can be changed by: End user, User Administrator, End user

    SAP BASIS Security Interview Questions

    This document is the intellectual property of Jo Spencer and may not be edited without permission.

    Creating a User Role

    The easiest way to create a new user role is to copy an already existing user role, either one of your own or one of the ones provided to you in the installation of SAP. So let's assume that you have none of your own and use one of the SAP role templates provided. It might assist you with picking one of these roles if you have someone dump the appropriate information into a spreadsheet containing the Role Name, Role Description, Transactions contained in the Role, and the Transaction description. The SQL query would be something like this:

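    -- One row per role/transaction pair, with the role text and transaction text
    SELECT AGR_TEXTS.AGR_NAME, AGR_TEXTS.TEXT, AGR_TCODES.TCODE, TSTCT.TTEXT
    FROM AGR_TEXTS, AGR_TCODES, TSTCT
    WHERE AGR_TEXTS.MANDT = '000'                      -- client to report on
      AND AGR_TEXTS.SPRAS = 'E'                        -- language of the role text
      AND AGR_TEXTS.LINE = 0                           -- line 0 of the role text
      AND AGR_TCODES.MANDT = '000'
      AND AGR_TCODES.AGR_NAME = AGR_TEXTS.AGR_NAME     -- join role text to role transactions
      AND TSTCT.SPRSL = 'E'                            -- language of the transaction text
      AND TSTCT.TCODE = AGR_TCODES.TCODE               -- join transactions to their texts
    ORDER BY AGR_TEXTS.AGR_NAME, AGR_TCODES.TCODE;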

    This query should be changed based on the details of your SAP instance. Identify the role(s) to be used as the source for your role copy.

    1. Log on to the client needing the role.

    2. Go to transaction PFCG.

    3. On the Role Maintenance screen, either type in the role name to be copied or select it from a dropdown. Press Enter to confirm that the role exists.

    4. Click the Copy role button or press Shift+F11.

    5. On the Query popup box, fill in the to role field with the name to be given the new role. Come up with a standard that everyone follows so the base original role is designated in some way so you don't forget where you got the original. The name must begin with Z or Y. Most people will add a Z- in the first two characters of the role name. If you want to only select specific roles from a Composite role, you would click the Copy selectively button, otherwise click the Copy all button.

    6. Once the role has been copied, you will be taken back to the original PFCG screen where you will see the name of your new role. Change your Role description and save the new role before working with it any further.
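
    A review pass over the spreadsheet dump described above, added here as an illustration (it is not part of the original document). It groups the query's four columns by role, checks the Z/Y naming rule from step 5, and lists the roles that carry the administration transactions this document works with (PFCG, SU01, SU02, SE38). The CSV rows, the role names, the function names and the assumption that delivered templates start with SAP_ are all constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Transactions this document uses for security and development administration.
SENSITIVE_TCODES = {"PFCG", "SU01", "SU02", "SE38"}

# Constructed sample: the four columns returned by the role/transaction query.
SAMPLE_DUMP = """\
AGR_NAME,TEXT,TCODE,TTEXT
SAP_BC_EXAMPLE_ADMIN,Delivered template (constructed),SU01,User Maintenance
SAP_BC_EXAMPLE_ADMIN,Delivered template (constructed),PFCG,Role Maintenance
Z-SAP_BC_EXAMPLE_ADMIN,Copy of delivered template,SU01,User Maintenance
Z-SAP_BC_EXAMPLE_ADMIN,Copy of delivered template,SM37,Job Overview
ZHR_CLERK,HR clerk,PA20,Display HR Master Data
HELPDESK_TMP,Temporary helpdesk role,SU01,User Maintenance
HELPDESK_TMP,Temporary helpdesk role,se38,ABAP Editor
"""


def load_roles(dump_text):
    """Group the dump by role: {role: {"text": str, "tcodes": set}}."""
    roles = defaultdict(lambda: {"text": "", "tcodes": set()})
    for row in csv.DictReader(io.StringIO(dump_text)):
        name = row["AGR_NAME"].strip().upper()
        roles[name]["text"] = row["TEXT"].strip()
        # Normalise case so 'se38' and 'SE38' count as the same transaction.
        roles[name]["tcodes"].add(row["TCODE"].strip().upper())
    return dict(roles)


def review(roles, delivered_prefix="SAP_"):
    """Return (naming_violations, sensitive) for the grouped roles.

    naming_violations: roles that are neither delivered templates (assumed
    to start with SAP_) nor named with a leading Z or Y.
    sensitive: {role: sorted list of sensitive transactions it contains}.
    """
    naming_violations, sensitive = [], {}
    for name in sorted(roles):
        delivered = name.startswith(delivered_prefix)
        if not delivered and not name.startswith(("Z", "Y")):
            naming_violations.append(name)
        hits = sorted(roles[name]["tcodes"] & SENSITIVE_TCODES)
        if hits:
            sensitive[name] = hits
    return naming_violations, sensitive


if __name__ == "__main__":
    grouped = load_roles(SAMPLE_DUMP)
    bad_names, admin_roles = review(grouped)
    print("Roles breaking the Z/Y naming rule:", bad_names)
    for role, tcodes in admin_roles.items():
        print(f"{role}: {', '.join(tcodes)}")
```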


    Modifying a User Role

    1. Log on to the client needing the role change.

    2. Go to transaction PFCG.

    3. On the Role Maintenance screen, either type in the role name to be changed or select it from a dropdown. Press Enter to confirm that the role is found.

    4. Click the Change Role button (the little yellow pencil) or press F6.

    5. Click the Authorizations tab and then the Change Authorization Data button.

    6. On the Change Role: Authorizations screen, expand and change the authorizations you need to adjust. When finished, click first the Save button and then the Generate button (it looks like a little red and white beach ball).

    7. Back out to the Change Roles screen and click the User tab. Click on User Comparison and then Complete Comparison. Once the comparison is done, click Save one more time and you are done!


    Deleting a User Role

    1. Log on to the client needing the role deletion.

    2. Go to transaction PFCG.

    3. On the Role Maintenance screen, either type in the role name to be changed or select it from a dropdown. Press Enter to confirm that the role is found.

    4. Click the Role Delete button or press Shift+F2.

    5. On the Delete Role popup, confirm the deletion. If you get an Information popup, confirm it also.

    6. Your deletion will return a successful message in the bottom status bar.


    Transporting User Roles between Clients (Transport System Method)

    When a modification is made to a role in the 100 client, the roles must be transported to the 800 client. One role, several roles, or all roles can be transported if needed. They can all be added to the same transport change request. After the roles have been moved to other clients, you will need to log on to each of those clients and do a user comparison. You will also need to do a text comparison in client 100 of the appropriate SAP system.

    1. Log on to client 100 of the appropriate SAP system.

    2. Go to transaction PFCG.

    3. On the Role maintenance screen, type in the Role name of the first role to be transported. Click the Truck picture-icon.

    4. You will see an Information popup. Click the green picture-icon.

    5. In the Choose objects popup, uncheck the boxes beside User assignment and Personalization. If you want to transport the users along with the role, profiles, and authorizations, you can keep the check to the left of User assignment. Click the green picture-icon.

    6. On the Prompt for Customizing request popup, click the blank page picture-icon to create a new change request. On the Create Request popup, fill in the Short description and click the Save picture-icon. You will be returned to the Prompt for Customizing request popup, which contains the generated change request number for this system change. Click the green picture-icon to continue.

    7. You will see a Data entered in change request message in the status bar at the bottom of the screen. Now enter the name of the next role to be transported and click the Truck picture-icon.

    8. You will see an Information popup. Click the green picture-icon.

    9. In the Choose objects popup, uncheck the boxes beside User assignment and Personalization. If you want to transport the users along with the role, profiles, and authorizations, you can keep the check to the left of User assignment. Click the green picture-icon.

    10. On the Prompt for Customizing request popup, continue to use the same transport you created in step 6. Click the green picture-icon to continue.

    11. Continue to perform steps 7 through 10 until all the roles you need to transport have been attached to the transport change request.

    12. The generated transport can now be released and transported into the clients needing the modified roles.

    13. You may now leave the PFCG transaction.


    Transporting User Roles between Clients (Upload/Download Method)

    Central User Administration distributes clients and their information to the other clients connected to the Distribution Model. It does not, however, do the same for roles and role authorizations. So when a modification is made to a role in the 100 client, the roles must be transported to the 800 client. One role, several roles, or all roles can be transported if needed. They can all be added to the same transport change request. After the roles have been moved to other clients, you will need to log on to each of those clients and do a user comparison. You will also need to do a text comparison in client 100 of the appropriate SAP system.

    1. Log on to client 100 of the appropriate SAP system.

    2. Go to transaction PFCG.

    3. On the Role maintenance screen, type in the Role name of the first role to be transported. Click the Truck picture-icon.

    4. You will see an Information popup. Click the green picture-icon.

    5. In the Choose objects popup, uncheck the boxes beside User assignment and Personalization. If you want to transport the users along with the role, profiles, and authorizations, you can keep the check to the left of User assignment. Click the green picture-icon.

    6. On the Prompt for Customizing request popup, click the blank page picture-icon to create a new change request. On the Create Request popup, fill in the Short description and click the Save picture-icon. You will be returned to the Prompt for Customizing request popup, which contains the generated change request number for this system change. Click the green picture-icon to continue.

    7. You will see a Data entered in change request message in the status bar at the bottom of the screen. Now enter the name of the next role to be transported and click the Truck picture-icon.

    8. You will see an Information popup. Click the green picture-icon.

    9. In the Choose objects popup, uncheck the boxes beside User assignment and Personalization. If you want to transport the users along with the role, profiles, and authorizations, you can keep the check to the left of User assignment. Click the green picture-icon.

    10. On the Prompt for Customizing request popup, continue to use the same transport you created in step 6. Click the green picture-icon to continue.

    11. Continue to perform steps 7 through 10 until all the roles you need to transport have been attached to the transport change request.

    12. The generated transport can now be released and transported into the clients needing the modified roles.

    13. You may now leave the PFCG transaction.


    Performing a User Comparison on the Modified Roles

    1. Log on to client 100 of the appropriate SAP system.

    2. Go to transaction PFCG.

    3. On the Role maintenance screen, type in the Role name of the first role to be transported. Click the Change button.

    4. On the Change Roles screen, click the User tab.

    5. On the User tab, click the User compare button.

    6. On the Compare Role User Master Record popup, click the Complete compare button.

    7. You will receive a User master record for role was adjusted message in the status bar at the bottom of the screen. You may now leave the PFCG transaction.


    Performing a Text Comparison to Refresh Role Selection Lists

    1. Log on to client 100 of the appropriate SAP system.

    2. Go to transaction SU01.

    3. On the User Maintenance: Initial Screen screen, type in the user model_user. Click the pencil picture-icon.

    4. On the Maintain User screen, click the Text comparison from child Syst. button.

    5. On the CUA: Text comparison from Child Systems screen, type LSDEV100 for the Receiving system and LSQAS800 for the to system. This is a range, and since LSPRD300 falls alphabetically between LSDEV100 and LSQAS800, all three systems will have the text comparison performed. Click the clock picture-icon.

    6. On the CUA: Text comparison from Child Systems results screen, you will see a list of the systems compared and the compare results. Click the white arrow on green picture-icon 3 times, or until you have left the SU01 transaction.


    Users, Roles, and Authorizations

    SAP security is based on authorization objects and authorizations. An authorization object is used to indicate that a user can perform a certain activity. An authorization is used to limit the scope of that activity.

    For example, a profile contains the S_DEVELOP authorization object. This authorization object allows a user to perform ABAP workbench activities. Some users will need to do all ABAP activities while others will only need to perform a few. So S_DEVELOP has a selection of authorizations you can use: ACTVT, DEVCLASS, OBJNAME, OBJTYPE, and P_GROUP. The authorizations are set to the appropriate values as needed. A tree view of the S_DEVELOP authorization object can be seen below:

    S_DEVELOP
        ACTVT
            Create or generate
            Change
            Display
            Delete
            Activate, generate
            Execute
            Create in DB
            Delete in DB
            Convert to DB
            Administer
            Copy
            All Functions
            Deactivate Mod. assistant
        DEVCLASS
            Single Value or Value Range
        OBJNAME
            Single Value or Value Range
        OBJTYPE
            Single Value or Value Range
        P_GROUP
            Single Value or Value Range

    The S_DEVELOP authorization object in a profile lets a user perform ABAP workbench activities. But having an S_DEVELOP authorization object with the ACTVT authorization value set to Display (03) means that the user is limited to display only in the ABAP workbench transactions. Thus we see that authorization objects grant while authorizations limit. It is important to remember, however, that a user with a profile having an S_DEVELOP with full authorizations still cannot access an ABAP workbench transaction until a matching S_TCODE (start up transaction code) has been added as well. In other words, a user may have the rights to add, modify and delete ABAP programs, but until an entry for SE38 has been added to the S_TCODE authorization object, he cannot access transaction SE38, which is the ABAP Editor.
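
    A simplified model of the check described above, added here as an illustration (it is not SAP code and not part of the original document). It shows the S_TCODE gate in front of S_DEVELOP, and that one authorization must cover every checked field by itself, since values from two authorizations are never combined. The function names, the sample profiles, the ZDEV package range and the use of activity 02 for Change are assumptions of the example.

```python
"""Simplified model of an SAP-style authorization check (illustration only)."""

# One authorization = an authorization object plus the allowed values per field.
# A maintained value is "*" (everything), a single value, or a (low, high) range.


def value_allows(allowed, wanted):
    """True if one maintained value ('*', single value or range) covers `wanted`."""
    if isinstance(allowed, tuple):
        low, high = allowed
        return low <= wanted <= high
    return allowed == "*" or allowed == wanted


def authority_check(profile, obj, **fields):
    """True if at least ONE authorization for `obj` covers ALL requested fields.

    Values from different authorizations of the same object are not combined.
    A field that is missing from an authorization counts as not granted.
    """
    for auth_obj, auth_fields in profile:
        if auth_obj != obj:
            continue
        if all(
            any(value_allows(v, wanted) for v in auth_fields.get(name, ()))
            for name, wanted in fields.items()
        ):
            return True
    return False


def can_run(profile, tcode, obj, **fields):
    """The transaction start (S_TCODE) is checked first, then the object itself."""
    return (authority_check(profile, "S_TCODE", TCD=tcode)
            and authority_check(profile, obj, **fields))


# Constructed sample profiles (hypothetical, not taken from a real system).
# Full S_DEVELOP but no S_TCODE entry: SE38 still cannot be started.
FULL_DEVELOP_NO_TCODE = [
    ("S_DEVELOP", {"ACTVT": ["*"], "DEVCLASS": ["*"], "OBJNAME": ["*"],
                   "OBJTYPE": ["*"], "P_GROUP": ["*"]}),
]

# SE38 allowed; display (03) everywhere, change (02) only in ZDEV000..ZDEV999.
DISPLAY_PLUS_ZDEV = [
    ("S_TCODE", {"TCD": ["SE38"]}),
    ("S_DEVELOP", {"ACTVT": ["03"], "DEVCLASS": ["*"], "OBJNAME": ["*"],
                   "OBJTYPE": ["*"], "P_GROUP": ["*"]}),
    ("S_DEVELOP", {"ACTVT": ["02"], "DEVCLASS": [("ZDEV000", "ZDEV999")],
                   "OBJNAME": ["*"], "OBJTYPE": ["*"], "P_GROUP": ["*"]}),
]

if __name__ == "__main__":
    cases = [
        ("full S_DEVELOP, no S_TCODE", FULL_DEVELOP_NO_TCODE, "02", "ZDEV001"),
        ("display in ZPROD", DISPLAY_PLUS_ZDEV, "03", "ZPROD"),
        ("change in ZDEV123", DISPLAY_PLUS_ZDEV, "02", "ZDEV123"),
        ("change in ZPROD", DISPLAY_PLUS_ZDEV, "02", "ZPROD"),
    ]
    for label, profile, actvt, devclass in cases:
        ok = can_run(profile, "SE38", "S_DEVELOP", ACTVT=actvt, DEVCLASS=devclass)
        print(f"{label}: {'allowed' if ok else 'denied'}")
```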

    All authorization objects and authorizations are grouped into profiles before being attached to users. Profiles use a combination of authorization objects and their respective authorizations, and their creation can be complex as well as tedious. In order to simplify the creation of profiles, the Profile Generator (transaction PFCG) was created. Roles are created via a more user-friendly interface which generates profiles based on the information added via this interface.

    Manually creating profiles is the old way of doing things. There are times, such as the start of a new SAP landscape where no roles exist, that the use of profiles is handy. But once the landscape has been completed, all users, with the exception of the Basis team, should be attached to roles. There should never be a need to manually create a new SAP profile. To add a new role, the easiest method is to copy an existing role that matches your needs as closely as possible and make the changes you need for the new role.

    This documentation covers changing user security via both methods.

    Adding Authorization Objects and/or Authorizations to a Profile

    Remember that profiles are NOT the standard way to implement SAP security.

    1. Log on to the appropriate client in the appropriate SAP system.

    2. Go to transaction SU02.

    3. In the Manually edit authorization profiles section of the Profile: Initial Screen screen, enter the Profile you want to change. Make sure Active only is checked. Click the Create work area for profiles button.

    4. On the Profile List screen, double-click the profile to be changed.

    5. A profile can contain authorization objects only (single profile) or one or more other profiles (collective profile). If the next screen is titled Maintain Profile, this is a single profile, and you should proceed to the next step. If the next screen is titled Collect Profiles, this is a collective profile and you should skip to step 13.

    6. On the Maintain Profile screen, you must decide if you need to add a new authorization object and one or more of its authorizations, or add a new authorization to an authorization object already in the profile. If you need to add a new authorization to an authorization object already in the profile, skip to step 7. Otherwise, scroll down the Consisting of authorizations list until you find a blank line. Type the authorization object you need to add and press Enter. You will need to scroll through the list again until you find the authorization object you just added (it is easy to find since the Authorization column should still be blank). Once you find the new entry line, use the drop down to fill in the Authorization column. Click on the Save picture-icon.

    7. If you need to add another authorization to an authorization object already in the profile list, click on the +Add authorization button.

    8. From the Maintain Profiles: Object Classes screen, double-click the Object class of the authorization you are adding.

    9. On the Maintain Profiles: List of Authorizations screen, select the authorization you need to add by double-clicking the appropriate line. This will return you to the Maintain Profile screen where you can see that your authorization has been added.

    10. On the Maintain Profile screen, click the Save picture-icon. Then click the lit match picture-icon to activate the new profile changes.

    11. On the Activate Profile: Execution Screen screen, click on the lit match picture-icon to complete the profile activation process.

    12. You may now leave the SU02 transaction.

    13. In order to change a profile collection, you must make the changes in one or more of the dependent profiles, save the changes in the dependent profile(s), activate the dependent profile(s), save the collection owner profile, and activate the collection owner profile. On the Collect Profiles screen, double-click on the profile you want to change.

    14. You will be taken to the Maintain Profile screen. Perform steps 6 to 11. Then use the white arrow on green picture-icon to go back.

    15. On the Collect Profiles screen, click the Save picture-icon. Then click the lit match picture-icon to activate the new profile changes.

    16. On the Activate Profile: Execution Screen screen, click on the lit match picture-icon to complete the profile activation process.

    17. You may now leave the SU02 transaction.


    Adding Authorization Objects and/or Authorizations to a Role

    1. Log on to client 100 in the DEV SAP system.

    2. Go to transaction PFCG.

    3. On the Role Maintenance screen, enter the Role you want to change. Click the Change button.

    4. On the Change Role screen, click the Authorizations tab and then click the pencil picture-icon.

    5. If you are only adding a start up transaction to the role, skip to step 10. Otherwise, the assumption is that a new authorization object is to be added. On the Change role: Authorizations screen, click the +Manually button.

    6. On the Manual selection of authorizations popup, enter the authorization objects that need to be added (i.e. S_DEVELOP, S_PROGRAM, etc.). Click the green picture-icon when you are finished.

    7. Back on the Change role: Authorizations screen, if all the displayed signal lights are green, skip to step 8. Otherwise, fully expand the lines that are yellow and/or red and supply the necessary information. All signal lights should be green before moving to the next step.

    8. On the Change role: Authorizations screen, click the Save picture-icon. You will receive a Data saved confirmation message in the status bar at the bottom of the screen.

    9. On the Change role: Authorizations screen, click the red-and-white beach ball picture-icon to generate a profile from the saved role. Reply affirmatively to any confirmation popups. You will receive a Profile(s) created message in the status bar at the bottom of the screen. If you do not need to add any start up transactions to the profile, you may now leave the PFCG transaction.

    10. On the Change Role: Authorizations screen, expand Cross-application Authorization Objects > Authorization Check for Transaction Start > Authorization Check for Transaction Start until you see the Transaction code entry line. Double-click on the entry portion of the Transaction code line.

    11. In the Maintain Field Values popup, scroll down the list until you find a blank From and To line. Enter the transaction(s) to be added, and click the Save picture-icon when you have finished.

    12. On the Change role: Authorizations screen, click the Save picture-icon. You will receive a Data saved confirmation message in the status bar at the bottom of the screen.

    13. On the Change role: Authorizations screen, click the red-and-white beach ball picture-icon to generate a profile from the saved role. Reply affirmatively to any confirmation popups. You will receive a Profile(s) created message in the status bar at the bottom of the screen.

    14. You may now leave the PFCG transaction.


    Granting Transaction Access to a User via Profile

    *** Since SAP R/3 4.5, this is not the standard for user authorizations. ***


    Granting Transaction Access to a User via Role

    1. Log on to the applicable SAP instance and client.

    2. Go to transaction SU01.

    3. On the User Maintenance: Initial Screen screen, fill in the User ID for the user you want to change, either by typing it in or choosing it from the drop down. Click the little yellow pencil Change button.

    4. On the Maintain User screen, click on the Roles tab. Fill in the new role in the first available Role field. Press ENTER to confirm that the role exists. Click the Save button.

    5. Make sure to use transaction PFCG to run a user comparison to rebuild the role-to-user connections.

    6. You may now leave the PFCG transaction.


    Revoking Authorizations from a User via Profile

    *** Since SAP R/3 4.5, this is not the standard for user authorizations. ***


    Revoking Authorizations from a User via Role

    Use the same procedure as Adding Authorization Objects and/or Authorizations to a Role.


    Revoking Transaction Access from a User via Profile

    *** Remember that profiles are NOT the standard way to implement SAP security. ***


    Attaching a Profile to a User

    *** Since SAP R/3 4.5, this is not the standard for user authorizations. ***


    Attaching a Role to a User

    1. Log on to the applicable SAP instance and client.

    2. Go to transaction SU01.

    3. On the User Maintenance: Initial Screen screen, fill in the User ID for the user you want to change, either by typing it in or choosing it from the drop down. Click the little yellow pencil Change button.

    4. On the Maintain User screen, click on the Roles tab. Fill in the new role in the first available Role field. Press ENTER to confirm that the role exists. Click the Save button.

    5. Make sure to use transaction PFCG to run a user comparison to rebuild the role-to-user connections.

    6. You may now leave the PFCG transaction.