Users and authorization data are client-dependent data
User Administration
One role consists of many roles, and a role consists of authorizations.
Users are assigned authorizations using roles. The authorizations are combined in roles, and the roles are entered in the user master record.
Creating a User (transaction SU01)
This data is divided into the following tab pages:
Address: Address data
Logon Data: Password and validity period of the user
Defaults: Default values for a default printer, the logon language, and so on.
Parameters: User-specific values for standard fields in SAP systems.
Roles and Profiles: Roles and profiles that are assigned to the user.
Groups: For the grouping of users for mass maintenance
You must maintain at least the following input fields when creating a
user: Last name on the Address tab page, initial password and identical
repetition of password on the Logon Data tab page.
Creating Users
- Start transaction SU01, enter the name admin## in the User field, and choose Create.
- Maintain the first and last names of the user.
- Assign an initial password to the user (and remember it), and assign the user to the SUPER User Group for Authorization Checks.
- Enter a default value for the logon language for the user (such as EN or DE).
- Save the user master record.
Authorization
An authorization is the permission to perform a certain action in the SAP system.
Role Maintenance (transaction PFCG)
A role can be assigned to various users. Changes to a role therefore have an effect on multiple users. Users can be assigned various roles.
You can access role maintenance with transaction PFCG or by choosing Tools → Administration → User Maintenance → Role Administration → Roles. Enter the name of the role and choose the icon for Create or Change. Choose the Menu tab page.
Select and change functions: The menu tree can be adjusted for the individual roles as required.
You can insert transactions into the tree structure or delete them from it.
By choosing the Report button, you can integrate Reports. In this case role maintenance creates transaction codes with which the reports can be called.
By choosing the Other button, you can add Internet addresses or links to files (such as tables or text files). When integrating files, you must use the storage paths instead of URLs. You can also specify BW Web Reports, and links to external mail systems and Knowledge Warehouse.
Role maintenance automatically creates the authorizations that are associated with the transactions specified in the menu tree. However, all authorization values must be manually checked and adjusted if required in accordance with the actual requirements and authorities.
Change menus: You can create, move, delete, and rename directories and subdirectories as required. You can use the Drag&Drop function in role maintenance.
Choose the Authorizations tab page and choose Change Authorization Data. Check the scope and contents of the authorizations.
In the authorization overview:
- A green traffic light indicates that the role maintenance can automatically create an authorization.
- A yellow traffic light indicates that the authorization must be manually maintained after it has been created.
Once all authorizations are maintained as required, the authorization profile can be generated by choosing Generate.
Important: The second character of the profile name must not be an underscore.
Users and Roles
Assigning a role to the user is done in PFCG or SU01. When you select the user ID, the system uses the current date as the start of the validity period and 31.12.9999 as the end date.
Mass comparison (transaction PFUD). You can individually specify the desired.
Copy a Role Template
1. Start transaction PFCG. Place the cursor on the input field for roles. Use the F4 help to select the delivered single role SAP_BC_ENDUSER. Choose Copy. In the dialog box that appears, enter ZSAP_BC_ENDUSER in the To role field and choose Copy All.
2. Choose the Authorizations tab page and then choose Change Authorization Data. Check the authorizations for the role and maintain open authorizations if necessary, by, for example, clicking the yellow traffic light icon and confirming the system query as to whether full authorization should be assigned with Execute. Save your profile settings and confirm the dialog box by choosing Execute. Choose Generate. Leave the Change Roles: Authorizations screen by choosing Back.
3. Assign the role to the user ADMIN##.
Choose the User tab page and enter ADMIN## in the User ID field.
4. Perform a user comparison.
Choose User Comparison and then choose Complete Reconciliation.
Create Your Own Role (Optional)
- Start transaction PFCG. Enter the name ZMONITOR## in the input field for roles and choose the Create Role button.
- Choose the Menu tab page. Choose the Transaction button and enter transactions SM50, SM51, SM04, and PFUD. Then choose Assign Transactions.
- Choose the Authorizations tab page and then choose Change Authorization Data. Enter the value 01 in the From Value column for the Plan Version and save this value. Check the authorizations for the role and maintain open authorizations if necessary, by, for example, clicking the yellow traffic light icon and confirming the system query as to whether full authorization should be assigned with Execute. Choose Generate and confirm the query by choosing Execute. Leave the Change Roles: Authorizations screen by choosing Back.
- Choose the User tab page and enter "Admin##" in the User ID field.
- Choose User Comparison and then choose Complete Reconciliation.
Assign a Role with Transaction SU01
- Start transaction SU01. Enter the name ADMIN## in the User field and choose Change. Choose the Roles tab page and check whether the role "ZSAP_BC_ENDUSER" is entered. Choose the Profiles tab page, and check that the corresponding profile is entered.
- Choose the Roles tab page and enter "ZPFUD" in the Role field and confirm with Return. Save your entries.
Login Parameters
| System Profile parameters | Default | Value Range |
|---|---|---|
| Minimum password length, digits, letters, or special characters: login/min_password_lng, login/min_password_digits, login/min_password_letters, login/min_password_specials | 3 | 3-8 |
| Valid period for the password: login/password_expiration_time | 0 | 0-999 days |
| Validity period for reset password: login/password_max_reset_valid | 0 | 0-2400 days |
| Validity period for password for new user: login/password_max_new_valid | 0 | 0-2400 days |
If the value is 0, the user does not need to change his or her password.
- Must be different from the last five passwords
- Must be at least three characters long
- Must not begin with "?", "!", or " "
- Must not be "pass"
- Must not begin with three identical characters
You can define additional password restrictions in table USR40.
| System Profile parameters | Default | Value Range |
|---|---|---|
| Ending the logon process: login/fails_to_session_end | 3 | 1-99 |
| Failed login attempt: login/fails_to_user_lock | 12 | 1-99 |
| Deactivation of automatic unlocking: login/failed_user_auto_unlock | 0 | 0-1 |
| Deactivation of multiple dialog logon: login/disable_multi_gui_login | 0 | 0-1 |

You can set the number of failed logon attempts after which SAP GUI is terminated using the parameter login/fails_to_session_end. If the user wants to try again, he or she must restart SAP GUI.
The users locked by failed logon attempts are automatically unlocked by the system at midnight (server time).
Note: To allow multiple logons for particular users, specify them with the parameter login/multi_login_users. You can add multiple user names separated by commas.
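The defaults and value ranges in the two tables above can be checked mechanically against a profile file. The following Python is an added example, not part of the original page or of SAP's tooling; the "name = value" profile layout with "#" comments, the sample values and the function names are assumptions.

```python
PAGE_PARAMS = {  # name: (default, lowest, highest) as listed in this page's tables
    "login/min_password_lng": (3, 3, 8),
    "login/password_expiration_time": (0, 0, 999),
    "login/password_max_reset_valid": (0, 0, 2400),
    "login/password_max_new_valid": (0, 0, 2400),
    "login/fails_to_session_end": (3, 1, 99),
    "login/fails_to_user_lock": (12, 1, 99),
    "login/failed_user_auto_unlock": (0, 0, 1),
    "login/disable_multi_gui_login": (0, 0, 1),
}
SAMPLE_PROFILE = """\
# constructed sample profile, not from a real system
login/min_password_lng = 8
login/password_expiration_time = 0
login/fails_to_user_lock = 150
login/disable_multi_gui_login = 1
login/multi_login_users = ADMIN01, ADMIN02
"""

def parse_profile(text):
    """Return {parameter: raw value}; blank lines and '#' comments are skipped."""
    lines = (l.strip() for l in text.splitlines())
    pairs = (l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
    return {name.strip(): value.strip() for name, value in pairs}

def audit(text):
    """Return {parameter: (effective value, status)} for the page's parameters."""
    profile, report = parse_profile(text), {}
    for name, (default, low, high) in PAGE_PARAMS.items():
        raw = profile.get(name)
        if raw is None:                      # not set: the page's default applies
            report[name] = (default, "default")
        elif not raw.isdigit():
            report[name] = (raw, "not numeric")
        else:
            status = "ok" if low <= int(raw) <= high else "out of range"
            report[name] = (int(raw), status)
    return report

def multi_login_exceptions(text):
    """Users exempted via login/multi_login_users while multiple logon is disabled."""
    profile = parse_profile(text)
    users = profile.get("login/multi_login_users", "").split(",")
    enabled = profile.get("login/disable_multi_gui_login") == "1"
    return [u.strip() for u in users if u.strip()] if enabled else []

if __name__ == "__main__":
    print(audit(SAMPLE_PROFILE), multi_login_exceptions(SAMPLE_PROFILE))
```

A status of "default" marks a parameter that the profile does not set, which is where a weak default such as a password expiration time of 0 goes unnoticed.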
Determining User Information (transaction SUIM)
You can obtain an overview of user master records, authorizations, profiles, roles, change dates, and so on using the information system, for example to answer the following questions:
- Which users have been locked in the system by administrators or failed logon attempts?
- When did a user last log on to the system?
- Which changes were made in the authorization profile of a user?
- In which roles is a certain transaction contained?
You can display the last failed authorization check (transaction SU53) by choosing System → Utilities → Display Authorization Check.
System Trace (transaction ST01)
You can record authorization checks in your own and other sessions using the system trace function Tools → Administration → Monitor → Traces → SAP System Trace (transaction ST01).