Contents
Overview  12–2
Recommended Policies and Procedures  12–3
New User Setup  12–7
Maintaining a User (SU01)  12–24
Resetting a Password (SU01)  12–26
Locking or Unlocking a User (SU01)  12–27
User Groups  12–29
Deleting a User’s Session (Transaction SM04)  12–32
Overview
User administration is a serious function, not just a necessary administrative task. Security is
at stake each time the system is accessed. Because the company’s financial and other
proprietary information is on the system, the administrator is subject to external
requirements from the company’s external auditors, regulatory agencies, and others.
Customers should consult with their external auditors for audit-related internal control
requirements on user administration. Human resources should also be consulted if the HR
module is implemented or if personnel data is maintained on the system.
A full discussion of security and user administration is beyond the scope of this guidebook.
Manually creating and maintaining security profiles and authorizations, for example, is
not covered. Our discussion is limited to a general introduction and a list of the major
issues related to security. The two sections below affect all aspects of security, which is why
we begin with them.
User Groups
User groups are created by an administrator to organize users into logical groups, such as:
• Basis
• Finance
• Shipping
For additional information, refer to the section User Groups on page 12–29.
Profile Generator
The Profile Generator is a tool used to simplify the creation and maintenance of SAP
security. It reduces (but does not eliminate) the need for specialized security consultants.
The value of the Profile Generator is more significant for smaller companies with limited
resources that cannot afford to have dedicated security administrators. For more
information on the Profile Generator, see the Authorizations Made Easy guidebook.
Release 4.6A/B
12–2
Chapter 12: User Administration
Recommended Policies and Procedures
Some of the tasks in this guidebook are aimed at complying with common audit procedures.
Obtaining proper authorization and documentation should be a standard prerequisite for all
user administration actions.
User Administration
User administration tasks comprise the following:
• User ID naming conventions
  - The employee’s company ID number (for example, e0123456)
  - Last name, first initial, or first name, last initial
    In a small company where names are often used as IDs, it is common to use the
    employee’s last name and the first initial of the first name, or the employee’s first
    name and the first initial of the last name (for example, doej or johnd, for John Doe).
  - Clearly identifiable user IDs for temporary employees and consultants (for example,
    T123456, C123456).
• Adding or changing a user
  - The user’s manager should sign a completed user add-or-change form.
  - The form should indicate the required security, job role, etc., that defines how
    security is assigned in your company.
  - If security crosses departments or organizations, the affected managers should also
    give their approval.
  - If the user is not a permanent employee, or if the access is to be for a limited time,
    the time period and the expiration date should be indicated.
  - The forms should be filed by employee name or ID.
  - A periodic audit should be performed, where all approved authorizations are
    verified against what was assigned to the user.
• Users leaving the company or changing jobs
  - This event is particularly sensitive.
  - The policies and procedures for this event must be developed in advance and be
    coordinated by many groups. As an example, see the table below.
Group                    Responsibility
Similar to banks, there should be a “secret word” that users could use to verify their
identity over the phone. This word would be used when the user needs their password
reset or their user ID unlocked. But, realize that others can “overhear” this secret word
and render it useless.
Release 4.6A/B
12–4
Chapter 12: User Administration
Recommended Policies and Procedures
System Administration
• Special user IDs
  The two user IDs SAP* and DDIC should only be used for tasks that specifically
  require either of those user IDs. A user who requires similar “super user” security rights
  should have a copy of the SAP* user security.
  The security rights of SAP* and DDIC are extensive, dangerous, and pose a security
  risk. Anyone who requires or requests similar security rights should have an extremely
  valid reason for the request. Convenience is not a valid reason. The security profiles
  that serve as the “master key” are SAP_ALL and, to a lesser degree, SAP_NEW.
  The user IDs SAP* and DDIC should have their default passwords changed to prevent
  unauthorized use of these special user IDs.
  An external audit procedure checks the security of these two user IDs.
  For medium- and large-size companies, granting developers SAP* equivalent security
  rights in the development and test systems is usually inappropriate. SAP* equivalent
  security in the production system is a security and audit issue and should be severely
  limited.
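Added example (not from the guidebook): one way to script the periodic audit recommended above, reconciling user records against the filed add/change forms and flagging “master key” profiles held by anyone other than SAP* and DDIC, and temporary or consultant IDs whose expiration date is missing or has passed. The user records, the approved forms, the Z_* profile names and the audit date are constructed sample data; the field names are assumptions.

```python
from datetime import date

# Profiles the chapter calls the "master key"; only SAP* and DDIC should hold them.
MASTER_KEY_PROFILES = {"SAP_ALL", "SAP_NEW"}
SPECIAL_USERS = {"SAP*", "DDIC"}
TEMP_PREFIXES = ("T", "C")  # T123456 / C123456 style IDs for temporary staff and consultants

# Constructed sample data (assumed record shape; not from the guidebook).
USERS = [
    {"id": "SAP*", "profiles": {"SAP_ALL"}, "expires": None},
    {"id": "e0123456", "profiles": {"Z_FINANCE"}, "expires": None},
    {"id": "doej", "profiles": {"Z_SHIPPING", "SAP_NEW"}, "expires": None},
    {"id": "C123456", "profiles": {"Z_BASIS"}, "expires": date(2000, 3, 31)},
    {"id": "T123456", "profiles": {"Z_SHIPPING"}, "expires": None},
]
# Profiles approved on the filed user add/change forms, keyed by user ID.
APPROVED_FORMS = {
    "e0123456": {"Z_FINANCE"},
    "doej": {"Z_SHIPPING"},
    "C123456": {"Z_BASIS"},
    "T123456": {"Z_SHIPPING"},
}
AUDIT_DATE = date(2000, 6, 1)


def is_temporary_id(user_id):
    """True for the T123456 / C123456 naming convention of temporary IDs."""
    return user_id.startswith(TEMP_PREFIXES) and user_id[1:].isdigit()


def audit_users(users, approved_forms, today):
    """Return (user_id, finding) tuples for everything an auditor would query."""
    findings = []
    for u in users:
        uid, profiles = u["id"], set(u["profiles"])
        # 1. "Master key" profiles held by anyone other than SAP* and DDIC
        master = profiles & MASTER_KEY_PROFILES
        if uid not in SPECIAL_USERS and master:
            findings.append((uid, "holds master-key profile(s): " + ", ".join(sorted(master))))
        # 2. Temporary/consultant IDs need an expiration date, and it must not have passed
        if is_temporary_id(uid):
            if u.get("expires") is None:
                findings.append((uid, "temporary ID without expiration date"))
            elif u["expires"] < today:
                findings.append((uid, f"temporary ID expired on {u['expires']} but still active"))
        # 3. Assigned profiles must not exceed what the approved form grants
        if uid in SPECIAL_USERS:
            continue  # the special IDs are covered by the default-password check, not a form
        approved = approved_forms.get(uid)
        if approved is None:
            findings.append((uid, "no approved user add/change form on file"))
        elif profiles - approved:
            findings.append((uid, "assigned but not approved: " + ", ".join(sorted(profiles - approved))))
    return findings
```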
R/3 User Change Request

Company ID: ____________
System/Client No.:   [ ] PRD 300     [ ] QAS 200 / 210 / 220     [ ] DEV 100 / 110 / 120
Employee: ____________                Type of Change:   [ ] Change user   [ ] Delete user   [ ] Add user
Department Name/Cost Center Number: ____________
User ID: ____________
Position: ____________                Expiration Date (mandatory for temporary employees): ____________
Secret Word: ____________             Request Urgency:  [ ] High   [ ] Medium   [ ] Low
Requester: ____________
Requester’s position: ____________
Requester’s phone: ____________
Employee’s Job Function (if similar to others in the department, name and user ID of a person with a similar job function): ____________
Special Access/Functions: ____________

Requester Signoff:   Name ____________   Signature ____________   Date Signed ____________
Manager Signoff:     Name ____________   Signature ____________   Date Signed ____________
Owner Signoff:       Name ____________   Signature ____________   Date Signed ____________
New User Setup
Prerequisites
General Process or Procedure
Before you set up a new user, have “in hand” the user add form (with all the required
information and approvals).
The User’s Desktop
Does the user’s desktop meet the following criteria?
• Does the system configuration meet the minimum requirements for SAP?
• Is the display resolution set to a minimum of 800 x 600?
• Is there sufficient space on the hard disk to install the SAP GUI, with sufficient room left
  for desktop applications to run?
For Windows, a minimum of 50 MB of free space should remain after installing SAP GUI. A
practical minimum, however, is at least 100 MB of free space.
Network Functionality
Can the user log on to the network?
From the user’s computer:
• Can you “ping” the SAP application server(s) that the user will be logging onto?
• If the SAP GUI will be loaded from a file server, can you access the file server from the
  user’s computer where the SAP GUI will be installed?
For Installation of SAP GUI
Before you install the SAP GUI, you should have the R/3 server name and the R/3 System
(instance) number (for example, xsysdev and 00). You will need to enter this information
during the installation.
Recommended Prerequisite for the GUI Installation
The online documentation should be installed according to the instructions in the SAP
document Installing the Online documentation. The online documentation installation and
access method has changed since Release 3.x.
Installing the Frontend Software – SAP GUI
The SAP GUI or frontend installation instructions are in the installation guide, Installing SAP
Frontend Software for PCs.
The SAP GUI can be installed from:
• A copy of the presentation CD on a file server
• The presentation CD or a copy of the CD
Installing SAP GUI from a File Server
The preferred method is to install SAP GUI from a file server because you do not need to
carry the presentation CD around. Also, remote installations can be completed without
shipping out and potentially losing the original CD.
The following is a list of the prerequisites to install SAP GUI from a file server:
• Copy the SAP GUI load files from the presentation CD to a shared directory on a file
  server.
• Have access to the shared directory from the user’s PC.
How to Install the SAP GUI
Guided Tour
1. Map a drive to the shared drive on the network where the presentation CD has been copied.
   Select the mapped drive to the presentation CD software. In this example, Sim-cd on
   ‘Pal100767’ (E:).
2. Navigate down to the directory for the gui.
4. Choose Next.
7. Choose Next.
8. Select SAPgui.
Steps 9–12 are optional.
9. Click on Desktop Interfaces.
10. Choose Change option.
To add systems to the SAP Logon, see the section Adding Additional Systems.
Installing SAP GUI from the Presentation CD
When the network connection between the SAP GUI files on the network and the user is too
slow to permit installation, install SAP GUI from the presentation CD. A slow connection
could result from a slow modem or a slow network link.
A copy should be made of the original presentation CD and the copy shipped to the user
site. You then maintain control of the original CD and reduce the chance that it might get
lost. The SAP GUI installation files can also be copied to other high-capacity removable
media such as ZIP® or optical disk, as appropriate for your company.
The copy of the presentation CD can then be safely sent to the user’s site. From there, it can
be either loaded onto a local file server for installation or installed directly from the delivery
media. The prerequisite for such an installation is that the user has a CD drive or another
drive compatible with the delivery media (ZIP®, optical, etc.) on which the SAP GUI files are
delivered.
To install SAP GUI from a CD:
1. Insert the CD into the drive.
2. In Windows Explorer, choose this drive.
3. Choose Gui → Win32.
4. Double-click on Setup.exe.
5. Follow the same procedure as when loading from a file server.
6. Test your connection.
7. Log on to the system.
Adding Additional Systems
Guided Tour
To Add Additional Systems in the SAP Logon
1. On the SAP Logon window, choose New.
Setting Up a New User (SU01)
The procedural prerequisite is to check that all documentation and authorizations required
to set up a new user are present.
There are two ways to create a new user:
• Copy an existing user
• Create a new user from scratch
Copying an Existing User (SU01)
You can copy from an existing user if you have a good match. The new user will have the
same security profiles as the existing user. This process is the easiest and is the
recommended method for a small company.
Create “template” users for the various job functions that can be copied to create new
users.
Prerequisite:
A valid user ID to copy is identified on the user setup form.
Guided Tour
A telephone number should be a required entry field. If there is a system problem identified
with the user, you need to contact that user.
Creating a New User (SU01)
Sometimes it becomes necessary to create a completely new user. You may need to create a new user when
you do not have another user from which to copy.
Guided Tour
A telephone number should be a required entry field. If there is a system problem identified
with the user, you need to contact that user.
Maintaining a User (SU01)
Before maintaining a user, have a properly completed and approved user change form.
Why
Guided Tour
Resetting a Password (SU01)
Why
The most common reason to reset a password is that users forget their password. In this
situation, the user has probably attempted to log on too many times with an incorrect
password. The user has probably also locked their user ID, which also needs to be unlocked.
Make certain the person who requests their password to be reset is indeed the valid user.
A basic user verification method is to have a telephone with a display so that the displayed
caller’s phone number can be compared to the user’s phone number, which is stored in the
system or can be found in the company phone directory.
We recommend that you use a method similar to what banks use where the user has a
“secret word” that verifies their identity on the phone. This method is not foolproof because
someone can overhear the secret word.
You should maintain a security log of password resets. This log should be periodically
audited to look for potential problems.
Guided Tour
For security, you can only set an initial value for the user’s password. Users are then
required to change the password when they log on. You cannot see what the user’s current
password is, nor can you set a permanent password for the user.
Locking or Unlocking a User (SU01)
What
The lock/unlock function is part of the logon check, which allows the user to log on (or
prevents the user from logging on) to the R/3 System.
Why
• Locking a user
  R/3 access should be removed if a user:
  - Leaves the company
  - Is assigned to a different group
  - Is on leave
  The lock function allows the user ID and the user’s security profile to remain on the
  system but does not allow the user to log on. This function is ideal for temporary
  personnel or consultants, where the user ID is locked unless they need access.
• Unlocking a user
  Users are automatically locked out of the system if they attempt to log on incorrectly
  more than a specified number of times. The administrator must unlock the user ID and
  more than likely reset the user’s password.
  Maintain a security log of unlocking users, which should be periodically audited for
  potential problems.
Guided Tour
User Groups
What
A user group is a logical grouping of users (for example, shipping, order entry, and finance).
The following restrictions apply to user groups:
• A user can belong to only one user group.
• A user group must be created before users can be assigned to it.
• A user group provides no security until the security system is configured to use user
  group security.
Create the group “term” for terminated users. Lock all users in this group and, for most of
these users, delete the security profiles. This process maintains the user information for
terminated users, and prevents the user ID from being used to log on.
Why
Usage
Group                    Definition
How to Create a User Group (SU01)
Guided Tour
Deleting a User’s Session (Transaction SM04)
What
Why
Transaction SM04 may show a user as being active when the user has actually logged off.
This condition is usually caused by a network failure, which cuts off the user, or that the
user has not properly logged off the system. (For example, the user turned the PC off
without logging off the system.)
A user may be on the system and need to have their session terminated, for example:
• The user’s session may be “hung,” and terminating the session is the only way to remove
  it.
• The user may have gotten into a “one-way” menu path without an exit or cancel option.
  This situation is dangerous, and the only safe option is to terminate the session.
How to Terminate a User Session
Guided Tour
1. Verify that the user is actually logged off from R/3 and that there is no SAP GUI window minimized
on the desktop. Verification is done by physically checking the user’s computer.
Verification is important because users may have forgotten that they minimized a
session.
In step 3 above, double-check that the selected user is the one you really want to delete.
It is very easy to select the wrong user.
Active Users (Transactions SM04 and AL08)
What
These transactions display all the users who are currently logged on to the system. They
show both the user’s ID and terminal name.
Why
In a smaller company, the administrator can recognize user IDs logged on to “unfamiliar”
terminals. This recognition may indicate that someone—other than the designated user—is
using that user ID.
A user logged on to more than one terminal indicates that the user ID is being:
• Used by someone else
• Used or shared by several people
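Added example, not from the guidebook: the review of an active-user list described above, run over a constructed sample of the (instance, user ID, terminal) rows that SM04 or AL08 display. It flags a user ID on more than one terminal and a user ID on an unfamiliar terminal; the KNOWN_TERMINALS mapping and the terminal and instance names are assumptions standing in for the administrator’s own knowledge of who sits where.

```python
from collections import defaultdict

# Constructed sample of the (instance, user ID, terminal) rows SM04/AL08 display.
SESSIONS = [
    ("xsysdev_00", "doej", "WS-SHIP-01"),
    ("xsysdev_00", "doej", "WS-FIN-07"),
    ("xsysdev_01", "johnd", "WS-FIN-02"),
    ("xsysdev_00", "e0123456", "WS-FIN-03"),
    ("xsysdev_01", "e0123456", "LAPTOP-GUEST"),
    ("xsysdev_00", "C123456", "WS-BASIS-01"),
]

# Assumed stand-in for the administrator's knowledge of which terminal each user normally uses.
KNOWN_TERMINALS = {
    "doej": {"WS-SHIP-01"},
    "johnd": {"WS-FIN-02"},
    "e0123456": {"WS-FIN-03"},
    "C123456": {"WS-BASIS-01"},
}


def review_sessions(sessions, known_terminals):
    """Return {user_id: [reasons]} for the IDs the chapter says deserve a closer look."""
    terminals_by_user = defaultdict(set)
    for _instance, user_id, terminal in sessions:
        terminals_by_user[user_id].add(terminal)
    flagged = {}
    for user_id, terminals in sorted(terminals_by_user.items()):
        reasons = []
        # One ID on several terminals: used by someone else, or shared by several people
        if len(terminals) > 1:
            reasons.append(f"logged on to {len(terminals)} terminals: " + ", ".join(sorted(terminals)))
        # An ID on a terminal the administrator does not associate with that user
        unfamiliar = terminals - known_terminals.get(user_id, set())
        if unfamiliar:
            reasons.append("unfamiliar terminal(s): " + ", ".join(sorted(unfamiliar)))
        if reasons:
            flagged[user_id] = reasons
    return flagged


if __name__ == "__main__":
    for user_id, reasons in review_sessions(SESSIONS, KNOWN_TERMINALS).items():
        print(user_id, "->", "; ".join(reasons))
```

A stale session left behind by a network failure (see Problems below) can also leave one ID showing on two terminals, so verify at the user’s computer before terminating anything.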
Problems
Transaction SM04 may show a user as active, when in fact the user has actually logged off.
Because the user session was not properly closed, the system “thinks” that the user is still
logged on.
This condition can be caused by the following (among others):
• A network failure, which cuts off the user from the network or R/3.
• The user turning off their computer without logging off from the R/3 System.
Single-Instance System (Transaction SM04)
Guided Tour
Multi-Instance System (Transaction AL08)
If you have several instances in your system, using AL08 is easier, because you can
simultaneously see all users in all instances.