
User Administration

Creating a SAP Account / User Creation in SAP (SU01)


Step 1
To create an SAP user, run transaction SU01 or choose Tools -> Administration -> Maintain
Users -> Users. Then enter a user name for the user you want to create.
When creating a user, remember that the user only exists in that client. If you want a user to
have access to another client, you must create the user in that client as well.
When you create a new user, that user has various types of information associated with it.
Step 2
Entering a password.
The first field that you edit in a new User Master Record is the password field. You must add a
password for a new user. To protect against typing errors, you must enter the password twice.
SAP user passwords have various properties.
SAP passwords:
are case-sensitive
must be at least three characters long
have a maximum length of eight characters
may contain any characters which can be input from the keyboard, including digits, spaces
and punctuation marks
cannot begin with a question mark or exclamation mark
may not contain spaces within the minimum length (normally the first three characters)
may not begin with three identical characters
may not be PASS or SAP*
may not be used if their use has been forbidden
may not start with a sequence of three characters which appears in the user name
When the user logs on for the first time, he or she must enter a new password.
When a user changes his or her password, the new password must be different from each of that
user's last five passwords.
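As an added example (not SAP code and not part of the original page), the following Python function checks a candidate password against the rules listed above and reports every rule it breaks. The user name, password history and forbidden-password list it takes are constructed inputs; the page does not say where SAP keeps forbidden passwords, so that list is simply a parameter here. Treating the PASS/SAP* and user-name comparisons case-insensitively is this example's own assumption.

```python
# Added example: checker for the SAP password rules listed above.
# Not SAP code; inputs (user name, history, forbidden list) are constructed.

RESERVED = {"PASS", "SAP*"}  # explicitly disallowed by the rules above


def check_password(password, user_name, history=(), forbidden=()):
    """Return the list of rule violations; an empty list means the password is acceptable.

    history  : previous passwords, oldest first (only the last five are compared)
    forbidden: additional passwords whose use has been forbidden (constructed list)
    """
    problems = []

    # Minimum three, maximum eight characters.
    if not 3 <= len(password) <= 8:
        problems.append("length must be between 3 and 8 characters")

    # May not begin with '?' or '!'.
    if password[:1] in ("?", "!"):
        problems.append("must not begin with '?' or '!'")

    # No spaces within the minimum length (the first three characters).
    if " " in password[:3]:
        problems.append("must not contain spaces within the first three characters")

    # May not begin with three identical characters.
    if len(password) >= 3 and len(set(password[:3])) == 1:
        problems.append("must not begin with three identical characters")

    # May not be PASS or SAP*, or any explicitly forbidden password.
    # Assumption: these comparisons ignore case.
    banned = RESERVED | {f.upper() for f in forbidden}
    if password.upper() in banned:
        problems.append("password is reserved or forbidden")

    # May not start with a three-character sequence that appears in the user name.
    # Assumption: user names are compared case-insensitively.
    prefix = password[:3].upper()
    if len(prefix) == 3 and prefix in user_name.upper():
        problems.append("must not start with three characters taken from the user name")

    # Must differ from each of the user's last five passwords (case-sensitive).
    if password in tuple(history)[-5:]:
        problems.append("must differ from each of the last five passwords")

    return problems


if __name__ == "__main__":
    for candidate in ("Xy9#a", "!abc", "aaab1", "pass", "smi42"):
        print(candidate, check_password(candidate, "JSMITH") or "OK")
```

The function returns all violations rather than stopping at the first one, so an administrator explaining a rejected password to a user can see every rule that was broken.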
Step 3 (Optional)
User Group
A user group is the name of the group of User Master Records to which this user is assigned.
If you plan to divide maintenance of User Master Records among user administrators, then you
must assign the user to a user group. If a user is assigned to a user group, then only an
administrator who is authorized for the user group can maintain the user.
A User Master Record that is not assigned to a user group can be altered by any user
administrator.

Step 4 (Optional )
Account Validity and Account Number
The account validity dates are the dates during which this account is valid. If you do not enter any
information in these fields, the account is valid immediately and never expires.
Account number: Enter a freely-selectable account name or number. The user's system usage is
assigned to this account if you are using the SAP accounting system. The account name or
number may be unique to each user or can be shared among groups of users.
SAP recommends entering a user's cost center or company code as the account number.
If you are using the accounting system, then you should always enter an account name or
number. Otherwise, the user's usage will be assigned to a collective "No account" category by
the accounting system.

Step 5 (Optional)
User type
Dialog
A normal dialog user is used by exactly one person for all logon types.
Dialog logons are checked for obsolete/initial passwords which must be changed.
Multiple dialog logons are checked and logged.
System
Use the user type System for dialog-free communication within one system (for RFC or CPIC
service users) or for background processing in one system.
Dialog logon is not possible.
A user of this type is excluded from the standard settings for the password validity period. The
password can only be changed by user administrators or in transaction SU01 (Goto -> Change
Password).
Communication
Use the user type Communication for dialog-free communication between systems (for RFC or
CPIC service users of different applications, for example, ALE, Workflow, TMS ZBV).
Dialog logon is not possible.
Service

A user of type Service is a dialog user available to a large, anonymous set of users. It usually has
closely restricted authorizations.
Service users are used, for example, for anonymous system access via an ITS service. You can change a
session which began as an anonymous session with a service user into a personal session under a
dialog user with individual authentication.
There is no check for obsolete/initial passwords at logon. Only the user administrator can change
the password.
Multiple logon is allowed.
Reference
A Reference user is a general, impersonal user like the Service user. You cannot log on with a
Reference user. The purpose of the Reference user is to give Internet users identical authorizations.
You can specify a Reference user for additional dialog user authorizations in the Roles tab. The
application generally controls the assignment of Reference users. The name of the Reference
user can be assigned in variables, which should begin with "$". The assignment of variable to
Reference user is made in transaction SU_REFUSERVARIABLE.
This assignment applies to all systems in a CUA landscape. If the assigned Reference user does
not exist in a CUA subsidiary system, the assignment is ignored.
Step 6
Enter details such as the user's name.
Communication type with which you can exchange documents and messages with a business
partner.
In the central address management you can specify a standard communication type which can be
used by programs to determine the communication type for sending messages.
Step 7 (Optional )
Name of an output device in the SAP System. The name is entered in the definition of the output
device. Users in the SAP System use this name (or the long name) to select the output device.
Maintaining the name: Enter any name you choose to identify an output device in the SAP
System. If you have many printers, they should be named according to naming convention. This
makes it easier to select a printer in spool administration using a generic selection.
Processing a spool request: Enter the SAP name of the output device on which you want to execute your
output request. Display a list of available printers and other devices with Possible Entries. To set
a default name, choose System -> User profile -> Own data.
Selecting spool requests: Enter the SAP name of an output device to display the spool requests
to be executed by this device. Use Possible Entries to display a list of available devices.

Step 8 (Optional )
A field can be filled with proposed values from SAP memory using a parameter ID.
Example
A user only has authorization for company code 001. This company code is stored in memory at
the beginning of a transaction under the corresponding parameter ID. Fields that refer to the data
element are automatically filled with the value 001 in all subsequent screen templates.
Dependencies
A field in the screen template is only filled automatically with the value stored under the
parameter ID of the data element if this was explicitly permitted in the Screen Painter.

Step 9
The SAP standard contains more than 1200 predefined single roles from all application areas.
If you assign a predefined role to a user, he or she is automatically given the user menu required
for his or her daily work and the authorizations required for it, when he or she logs on to the SAP
System.
He or she can also define his or her personal Favorites from the functions assigned to him or her.
The user calls transactions, programs or internet/intranet applications from the Favorites or the
job structure tree.
Before you start to create your own roles for your staff, check whether the roles delivered by
SAP can be used for the job descriptions in your company.

Step 10

User Profiles
The bottom row of the Maintain User screen contains fields for entering the names of profiles
which can be associated with the user. We will discuss how to add user profiles in a later
chapter.
The SAP System contains predefined profiles:
SAP_ALL: assign the profile SAP_ALL to users who are to have all R/3 authorizations
including super user authorization.
SAP_NEW: assign this profile to users who are to have access to all not yet protected
components.

Step 11 (Optional)
A user group is a logical grouping of users.
The purpose of user groups is to:
a. Provide administrative groups for users so they can be managed in these groups.
b. Apply security.
c. Create the group Trmin for terminated users and lock all users in this group.

User Creation Complete


How to Change/ Delete/ Lock/ Unlock/ Copy SAP Account & How to Change Password Of SAP
Account
Changing SAP Account (SU01)
Deleting SAP Account (SU01)
Locking/Unlocking SAP Account (SU01)
Enter an existing user name and choose Lock/Unlock to grant or deny a user access to a system.
Locking or unlocking a user master record takes effect the next time a user attempts to log on.
Users who are logged on at the time that changes are made are not affected.
The system automatically locks users if twelve successive unsuccessful attempts are made to log
on. The lock is recorded in the system log, along with the terminal ID of the machine where the
logon attempt took place.
You can set the number of permissible unsuccessful logon attempts in a system profile parameter.
This automatic lock is released by the system at midnight. You can also remove the lock
manually before this time. Locks that you specifically set yourself apply indefinitely until you
release them.
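To make the lock semantics described above concrete, here is an added Python model (not SAP code and not from the original page): successive failed logons are counted per user, an automatic lock is set at the threshold and written to a constructed system-log list together with the terminal ID, automatic locks are released at midnight, and administrator-set locks stay until they are released. The class name LogonGuard, its methods and the sample events are this example's own assumptions; the threshold of twelve attempts and the midnight release mirror the text.

```python
# Added example: model of the failed-logon lock behaviour described above.
# Not SAP code; class and method names and the sample events are constructed.
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Optional


@dataclass
class UserState:
    failed_attempts: int = 0
    lock: Optional[str] = None        # None, "auto" (failed logons) or "manual" (administrator)
    locked_on: Optional[date] = None  # day on which an automatic lock was set


@dataclass
class LogonGuard:
    fails_to_user_lock: int = 12          # automatic lock after this many successive failures
    auto_unlock_at_midnight: bool = True  # mirrors the midnight release described in the text
    users: dict = field(default_factory=dict)
    syslog: list = field(default_factory=list)  # constructed stand-in for the system log

    def _state(self, user: str) -> UserState:
        return self.users.setdefault(user, UserState())

    def release_expired_locks(self, now: datetime) -> None:
        """Automatic locks expire at midnight; manual locks stay until an administrator releases them."""
        for name, st in self.users.items():
            if st.lock == "auto" and self.auto_unlock_at_midnight and now.date() > st.locked_on:
                st.lock, st.locked_on, st.failed_attempts = None, None, 0
                self.syslog.append(f"{now:%Y-%m-%d %H:%M} automatic lock released user={name}")

    def logon(self, user: str, password_ok: bool, terminal: str, now: datetime) -> bool:
        """Process one logon attempt; returns True when the logon is accepted."""
        self.release_expired_locks(now)
        st = self._state(user)
        if st.lock:  # a lock takes effect at the next logon attempt, not on open sessions
            self.syslog.append(f"{now:%Y-%m-%d %H:%M} logon refused ({st.lock} lock) "
                               f"user={user} terminal={terminal}")
            return False
        if password_ok:
            st.failed_attempts = 0  # only *successive* failures count
            return True
        st.failed_attempts += 1
        if st.failed_attempts >= self.fails_to_user_lock:
            st.lock, st.locked_on = "auto", now.date()
            self.syslog.append(f"{now:%Y-%m-%d %H:%M} user locked after {st.failed_attempts} "
                               f"failed logons user={user} terminal={terminal}")
        return False

    def set_manual_lock(self, user: str, locked: bool) -> None:
        """Administrator lock/unlock (SU01 Lock/Unlock); applies indefinitely until released."""
        st = self._state(user)
        st.lock = "manual" if locked else None
        st.locked_on = None
        if not locked:
            st.failed_attempts = 0

    def is_locked(self, user: str) -> bool:
        return self._state(user).lock is not None


if __name__ == "__main__":
    guard = LogonGuard()
    day = datetime(2024, 1, 5, 9, 0)
    for _ in range(12):
        guard.logon("JSMITH", False, "PC-01", day)
    print("\n".join(guard.syslog))
```

The log line written at lock time carries the terminal ID, which is the piece of the system log an administrator would correlate when deciding whether a burst of failed logons is a forgotten password or something that needs follow-up.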

Changing Password of SAP Account


Enter the user name and choose Change password.
This new password must fulfill the standard conditions regarding permissible passwords.
The new password is effective immediately. If users forget their password, they can use the new
one as soon as it has been set.
Users may change their passwords no more than once a day. System administrators, on the other
hand, may change user passwords as often as necessary.
Copying an existing user (SU01)
Choose Copy. Enter the name of a reference user and the new user name.
You can specify whether you want to copy only some of the user data or all of it. On the
following screen you can edit the new user master record as required.
You can also rename user master records if you simply want to replace one record with an
identical one of a different name.
How to Create a User Group in SAP (SUGR)
Transaction code SUGR is used to create and maintain user groups in the SAP system. User
groups are commonly used to categorize users by a common denominator, sort users into logical
groups and allow segregation of user maintenance; this is especially useful in a large
organization. User groups can be categorized into two types:
Authorization user group: used in conjunction with the S_USER_GROUP authorization object. It
allows security management authorizations to be granted by user group, e.g. a local
security administrator who can only manage users in his groups, or a Help Desk that can reset
passwords for all users except those in some group.
General user group: used in conjunction with SUIM and SU10 to select all the users in a specific
group. A user can only be a member of one authorization user group, but of several general user groups.
Enter the name of the new user group in SUGR and click Create,
then enter the user IDs of the people you want to add to the group.

Single Role Creation In SAP (PFCG)


ROLE: a role is a set of transactions.
1. Go to Tcode PFCG
2. Enter the name of the new role you want to create
3. Click the "Role" button

4. Describe the Role in "Description" field

5. Click "Menu" tab

6. Click "Transaction" button to add Tcode

7. Click
8. Click "Authorizations" tab

9. Click "pencil" button to change authorization

10. Put "Org element value"


11. Save

12. Fill in the missing authorization

13. If we wish to give full authorization to this role, hit the "check" button

This is the current BC_A Object class

And this is the whole roles list

14. Save the role.


15. Enter the profile name.

(We can get an auto-generated profile name from the system if we leave it blank.)

16. Click Generate to generate the authorization profile
17. Click the "User" tab to assign the role to the relevant users

18. Click User comparison to compare the users

Composite role creation in SAP (PFCG)


Composite role: A group of one or more roles for administrative purposes is referred to as a
composite role.

Step 1 - go to PFCG

Step 2
Enter the composite role name and then click on "Comp role"

Step 3
Specify the description.
A composite role does not contain an Authorizations tab; it is nothing but a group of one or more
roles.

Step 4
Specify the roles

Step 5
Click on the Read menu tab. When you click on this Read menu tab, it fetches the authorizations
from the single roles.

Step 6
Now in the User tab enter the user IDs of the people who need this newly created composite role,
then click on User Comparison,
then save your composite role.
The composite role is created.

How to Download/Upload Roles from PFCG in SAP

Download Role Authorization from PFCG


1. Go to PFCG
2. Enter the role name (which you want to download)
3. Click on Role & click on Download

How to Close / Terminate a user session in SAP (SM04)


In most implementations a client can close his own sessions. This is especially helpful when
dealing with problematic transactions or RFCs that hang and do not release the session.
Go to SM04; the user list appears. Double-clicking on the user brings up the sessions he
has open. To close a session, select it and then click the "End Session" button.

or
Sometimes there is a requirement to terminate a user session.
For example: a user has run a report or program with inappropriate selection criteria, which
causes the work process to go into PRIV mode, occupying so much memory that it impacts the performance of
the system. In those cases, you will have to check with the user and terminate his session or
log the user off system-wide if he is no longer working.

Upload Role Authorization from PFCG


1. Go to PFCG
2. Enter the role name (which you want to upload)
3. Click on Role & click on Upload

The next activity is to generate the role and assign it to a user or role.


How to send popup / individual message to a specific user in SAP ( SE37 )
There is a very interesting function module with the help of which you can send pop-up
messages to users who are logged on to the SAP system.
The function module name is TH_POPUP.
For this, you and the recipient must both be logged on to the SAP system, and you must know the
SAP user ID of the recipient to whom you are going to send the message.
STEPS:
1. Go to transaction SE37 and enter the function module name TH_POPUP.

2. Pass the client, user name and the message which you want to send, and execute the function
module.

Output:
The pop-up appears in the recipient's SAP session.

Note: if the user is logged on to multiple systems, the message is sent to all of them.

How to post system message in SAP ( SM02 )

How To Protect Special Users In SAP
Default Passwords for Special Users

User         Description                                               Client                     Default password
SAP*         SAP NetWeaver AS system super user                        000, 001, all new clients  Hard-coded password is PASS.
DDIC         ABAP dictionary and software logistics super user         000, 001                   Master password set during installation.
EARLYWATCH   Dialog user for the Early Watch service in client 066     066                        Master password set during installation.
SAPCPIC      User for remote connections to legacy SAP systems (4.5)   000, 001, all new clients  ADMIN
TMSADM       User for transport management system (TMS)               000                        Master password set during installation.

Since above users have standard names and passwords, you must secure them against
unauthorized use by outsiders who know of their existence.

How to protect SAP*


It is not possible to delete the SAP* user. The suggested measure is to create a new super-user
account with a complex password, and deactivate the SAP* default account.
This can be done by activating the profile parameter login/no_automatic_user_sap* or
login/no_automatic_user_sapstar.
Even though the SAP* account is deactivated, the default password for this account must still
be changed.
How to protect DDIC
The DDIC user cannot be deleted or deactivated either, and therefore the
best protection is to change its default password.
How to protect EARLYWATCH
The EARLYWATCH account is used specifically for the Early Watch service; its password
must be changed and the account locked. It should be unlocked when required and locked again after use.
How to protect SAPCPIC
The SAPCPIC user can either be disabled or have its default password changed. Either method
involves disabling certain functionality. Therefore, this is an organization-specific issue where
the functionality required decides which method is best.
Profile Parameters for Logon and Password (Login Parameters)
login/min_password_lng
    Defines the minimum length of the password.
    Default value: 3; permissible values: 3 - 8

login/min_password_digits
    Defines the minimum number of digits (0-9) in passwords.
    Default value: 0; permissible values: 0 - 8
    Available as of SAP Web AS 6.10

login/min_password_letters
    Defines the minimum number of letters (A-Z) in passwords.
    Default value: 0; permissible values: 0 - 8
    Available as of SAP Web AS 6.10

login/min_password_specials
    Defines the minimum number of special characters in the password. Permissible
    special characters are $%&/()=?'`*+~#-_.,;:{[]}\<> and space.
    Default value: 0; permissible values: 0 - 8
    Available as of SAP Web AS 6.10

login/password_charset
    This parameter defines the characters of which a password can consist.
    Permissible values:
    0 (restrictive): The password can only consist of digits, letters, and the
      following (ASCII) special characters: !"@ $%&/()=?'`*+~#-_.,;:{[]}\<>| and space
    1 (backward compatible, default value): The password can consist of any
      characters, including national special characters (from ISO Latin-1,
      8859-1). However, all characters that are not contained in the set above
      (for value 0) are mapped to the same special character, and the system
      therefore does not differentiate between them.
    2 (not backward compatible): The password can consist of any characters. It
      is converted internally into the Unicode format UTF-8. If your system does
      not support Unicode, you may not be able to enter all characters on the
      logon screen; this restriction is limited by the code page specified by
      the system language. With login/password_charset = 2, passwords are stored
      in a format that systems with older kernels cannot interpret. You must
      therefore only set the profile parameter to the value 2 after you have
      ensured that all systems involved support the new password coding.
    Available in the standard system as of SAP Web AS 6.40.

login/min_password_diff
    Defines the minimum number of characters that must be different in the new
    password compared to the old password.
    Default value: 1; permissible values: 1 - 8
    Available as of SAP Web AS 6.10

login/password_expiration_time
    Defines the validity period of passwords in days.
    Default value: 0; permissible values: any numerical value

login/password_change_for_SSO
    If the user logs on with Single Sign-On, checks whether the user must change
    his or her password.
    Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package

login/disable_password_logon
    Controls the deactivation of password-based logon. This means that the user
    can no longer log on using a password, but only with Single Sign-On variants
    (X.509 certificate, logon ticket). More information: Logon Data Tab Page
    Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package

login/password_logon_usergroup
    Controls the deactivation of password-based logon for user groups.
    Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package

Multiple Logon

login/disable_multi_gui_login
    Controls the deactivation of multiple dialog logons.
    Available as of SAP Basis 4.6

login/multi_login_users
    List of excepted users, that is, the users that are permitted to log on to
    the system more than once.
    Available as of SAP Basis 4.6

Incorrect Logon

login/fails_to_session_end
    Defines the number of unsuccessful logon attempts before the system does not
    allow any more logon attempts. The parameter is to be set to a value lower
    than the value of parameter login/fails_to_user_lock.
    Default value: 3; permissible values: 1 - 99

login/fails_to_user_lock
    Defines the number of unsuccessful logon attempts before the system locks
    the user. By default, the lock applies until midnight.
    Default value: 12; permissible values: 1 - 99

login/failed_user_auto_unlock
    Defines whether user locks due to unsuccessful logon attempts should be
    automatically removed at midnight.
    Default value: 1 (lock applies only on the same day); permissible values: 0, 1

Initial Password: Limited Validity

login/password_max_new_valid
    Defines the validity period of passwords for newly created users.
    Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package

login/password_max_reset_valid
    Defines the validity period of reset passwords.
    Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package

SSO Logon Ticket

login/accept_sso2_ticket
    Allows or locks the logon using an SSO ticket.
    Available as of SAP Basis 4.6D, as of SAP Basis 4.0 by Support Package

login/create_sso2_ticket
    Allows the creation of SSO tickets.
    Available as of SAP Basis 4.6D

login/ticket_expiration_time
    Defines the validity period of an SSO ticket.
    Available as of SAP Basis 4.6D

login/ticket_only_by_https
    The logon ticket is only transferred using HTTP(S).
    Available as of SAP Basis 4.6D

login/ticket_only_to_host
    When logging on over HTTP(S), sends the ticket only to the server that
    created the ticket.
    Available as of SAP Basis 4.6D

Other Login Parameters

login/disable_cpic
    Refuses inbound connections of type CPIC.

login/no_automatic_user_sapstar
    Controls the emergency user SAP* (SAP Notes 2383 and 68048).

login/system_client
    Specifies the default client. This client is automatically filled in on the
    system logon screen. Users can type in a different client.

login/update_logon_timestamp
    Specifies the exactness of the logon timestamp.
    Available as of SAP Basis 4.6

Other User Parameters

rdisp/gui_auto_logout
    Defines the maximum idle time for a user in seconds (applies only for SAP
    GUI connections).
    Default value: 0 (no restriction); permissible values: any numerical value
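As an added example (not SAP code and not from the original page), the following Python script parses "name = value" lines from a constructed profile excerpt and checks the logon parameters documented above against a hardening baseline. The baseline thresholds are this example's own assumptions, not SAP recommendations; the default values substituted for parameters that are absent from the profile come from the table above, and parameters the table gives no default for are reported when they are not set at all.

```python
# Added example: audit of SAP logon profile parameters against a hardening baseline.
# Not SAP code. The profile text is constructed; the baseline thresholds are this
# example's own assumptions. Defaults come from the parameter table above.
import re

# Default values as documented in the table above; used when the profile does not set the parameter.
DEFAULTS = {
    "login/min_password_lng": 3,
    "login/min_password_digits": 0,
    "login/min_password_letters": 0,
    "login/min_password_specials": 0,
    "login/min_password_diff": 1,
    "login/password_expiration_time": 0,
    "login/fails_to_session_end": 3,
    "login/fails_to_user_lock": 12,
    "login/failed_user_auto_unlock": 1,
    "rdisp/gui_auto_logout": 0,
}

# Baseline: (parameter, predicate on the effective value, expectation). Thresholds are constructed.
BASELINE = [
    ("login/min_password_lng", lambda v: v >= 8, "minimum password length of 8"),
    ("login/password_expiration_time", lambda v: 0 < v <= 90, "password expiry between 1 and 90 days"),
    ("login/fails_to_session_end", lambda v: v < 5, "session ends before the user-lock threshold"),
    ("login/fails_to_user_lock", lambda v: v <= 5, "lock after at most 5 failed logons"),
    ("login/failed_user_auto_unlock", lambda v: v == 0, "no automatic unlock at midnight"),
    ("login/no_automatic_user_sapstar", lambda v: v == 1, "automatic SAP* user disabled"),
    ("login/disable_multi_gui_login", lambda v: v == 1, "multiple dialog logons disabled"),
    ("rdisp/gui_auto_logout", lambda v: 0 < v <= 1800, "idle SAP GUI logout within 30 minutes"),
]

PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/]+)\s*=\s*(\S+)")


def parse_profile(text):
    """Parse 'name = value' lines of a profile; '#' lines are comments. Numeric values become ints."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = PARAM_RE.match(line)
        if match:
            name, value = match.groups()
            params[name] = int(value) if value.lstrip("-").isdigit() else value
    return params


def effective_value(params, name):
    """Value from the profile, else the documented default, else None (unset, no known default)."""
    if name in params:
        return params[name]
    return DEFAULTS.get(name)


def audit(text):
    """Return (parameter, effective value, expectation) for every baseline check that fails."""
    params = parse_profile(text)
    findings = []
    for name, ok, expectation in BASELINE:
        value = effective_value(params, name)
        if not isinstance(value, int) or not ok(value):
            findings.append((name, value, expectation))
    return findings


# Constructed excerpt of a default profile; three settings below miss the baseline.
SAMPLE_PROFILE = """\
# constructed DEFAULT.PFL excerpt
login/min_password_lng = 8
login/password_expiration_time = 60
login/fails_to_user_lock = 5
login/no_automatic_user_sapstar = 1
rdisp/gui_auto_logout = 3600
"""

if __name__ == "__main__":
    for name, value, expectation in audit(SAMPLE_PROFILE):
        print(f"{name} = {value!r}: expected {expectation}")
```

Substituting the documented default for an unset parameter matters: a profile that never mentions login/failed_user_auto_unlock still releases failed-logon locks at midnight, and an audit that only looks at the lines present in the file would miss that.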

HOW TO DISABLE PFCG TRANSPORT BUTTON IN SAP ( SHD0 )


Tcode SHD0
Enter the following

3. The button is invisible due to this variant. Deactivate this variant and the transport button will be visible
again

Difference Between SAP_ALL and SAP_NEW


What is the difference between SAP_ALL and SAP_NEW?
Definition of SAP_NEW: SAP_NEW is an SAP standard profile which is usually assigned to system users temporarily
during an upgrade to ensure that the activities and operations of SAP users are not hindered
during the upgrade. It contains all the necessary objects and transactions for the users to
continue their work during the upgrade. It should be withdrawn once all upgrade activities are
completed, and replaced with the now modified roles, as it has more extensive authorizations than
required.
Definition of SAP_ALL: SAP_ALL is an SAP standard profile which is used on a need basis to resolve particular issues
which may arise during the usage of SAP. It is used by administrators/developers only and is
applied on a need-to-use basis, then withdrawn. It contains all SAP system objects and
transactions. SAP_ALL is very critical, and only SAP* has SAP_ALL attached to it in the
production system. No other dialog users have SAP_ALL attached to them.
SAP_NEW is used in the production environment during a version upgrade, whereas SAP_ALL
should not be used in production (for audit purposes), except where
necessary, in a controlled manner with all proper approvals from the customer.

How to configure Logon groups in SAP ( SMLG )


Logon Groups:
Logon groups (or work groups) are configured to dynamically distribute the load being
processed by the dialog work processes.
In many cases, SAP systems have two or more SAP ABAP instances. In these cases, logon groups
can be configured to achieve dynamic distribution of dialog users across the ABAP instances.
A report runs in SAP every 5 minutes which determines the load on each server and updates it
in the memory area of the message server.
Other criteria:
Logon groups according to SAP application / module: Separate logon groups can be set up for
applications/modules such as HR, FI/CO, SD, MM etc. This means HR module users are
restricted to logging on to identified instances; similarly, other module users are allowed to log on to
their respective identified instances. The advantage of this method is that only the programs of the
respective module are loaded into the program buffer of the instances of that logon
group. Because of this, the program buffer requires less memory, which helps to avoid buffer
displacements and thus improves system performance.
Logon groups according to language, country or company division:
If your SAP system operates across multiple countries or languages, it is a good
idea to create logon groups specific to a country or language. In this way the data and texts
related to a specific country or language are loaded into the buffers of the respective instances.
This minimizes buffer displacements and improves system performance. Less memory is also
required for the table buffer.
Logon groups for certain user groups:
i) We can set up separate logon groups for a department such as sales whose work is
performance critical. To those logon groups we assign instances which operate with a high level
of performance (e.g. high-speed processors, fewer users per server, no background or update
work processes configured, or a dedicated network).
ii) Some department users may run time-consuming reports in dialog mode. For these
types of users, you may have to create a separate logon group and assign an SAP instance where the
profile parameter rdisp/max_wprun_time is set very high.
In this way we can separate performance-critical/resource-intensive applications from others.
Logon groups for the SAP Web Dispatcher:

For direct ABAP web service requests, we can set up logon groups that the SAP Web Dispatcher
can use. If logon groups are not configured for the web dispatcher, the load is distributed to all
ABAP instances on which the ICM is configured. Also, based on URLs, we can distribute certain
groups of requests to dedicated logon groups.
Logon groups for ALE/RFC:
Asynchronous RFCs are used for parallel processing. However, if the parallel processes are not
limited properly, they can occupy all the available work processes, which impacts dialog users and can
bring down the application. So it is a good idea to create separate logon groups for incoming RFC
calls, so that RFCs are kept separate from the work processes of online users and thus do not impact
dialog users.
Guidelines:
After assigning instances to logon groups:
i) We need to verify whether the instances of the logon groups are evenly distributed or not.
ii) If an instance hangs or is temporarily disconnected, you should be able to redistribute
the users. So you need to set up at least 2 SAP instances for each logon group.
iii) Setting up logon groups involves extra administration and monitoring. So an
unnecessarily large number of logon groups shouldn't be set up.
How to setup logon groups?
The SMLG transaction code is used for creating logon groups.
Log on to the SAP system and go to transaction SMLG as shown below:

In the above example there are 2 instances (00 and 09) in this SAP system. These are not yet
assigned to any logon group.
We can create a new logon group by clicking on the highlighted create icon on the above screen. It
results in the screen below.

In the above screen, either select a logon group from the dropdown or provide its name if you are
creating a new one. After that, assign an instance for that logon group and click on Copy to save the
assignment.
In this example I am creating two logon groups, hr and fico, and assigning instances 00 and 09
respectively. Please find below the screenshots which explain the same.

Repeat the same step to create logon group fico and assign instance 09 to it as shown above.
After doing this, you can see the following logon groups in SMLG:

Once you are done with the logon group setup, log off from the SAP system and go to the SAP GUI of
the respective SAP system.

Click on Properties of the respective GUI entry and go to the Connection tab as shown below.

Select the Group/Server Selection option from the Connection Type dropdown as shown
above and maintain the description and system ID of the instance as shown above.
Now you should be able to view the newly created logon groups as shown in the figure below:

Note that you can also see the logon group SPACE, which is created by default.
Now you can configure any desired logon group for the users as shown below:

For example, in the above screen the fico group is assigned to the end user in his GUI, so that from now
on he will log in to instance number 09 only.
How to delete a logon group or assignment?
If you no longer require a logon group, you can delete it by proceeding as shown below:
i) Go to transaction SMLG
ii) Select the respective row and click on Delete Assignment, which deletes the assignment of an
instance to a logon group (highlighted in green in the screen below)

Click on the delete icon above, which confirms deletion of the assignment.


iii) If you wish to delete the logon group itself, select the respective logon group and click on
Delete Group, highlighted in red in the above screen (please refer to screen 1 of point ii
above). This deletes the logon group itself and removes all assignments related to this group.
How to check logon load distribution in SAP?
Go to transaction code SMLG as shown below and click on the highlighted icon below to view the
load distribution across instances.

Alternatively, you can view this by navigating to Goto -> Load Distribution or by pressing the F5
key in the above screen.
