User Administration and Authorization


Different Types of Users
There are 5 different user types:

1. Dialog (A)
2. System (B)
3. Communication (C)
4. Service (S)
5. Reference (L)

Description of the above user types:

1. Dialog User:-

The initial password, password expiration and multiple GUI logons are checked.
Individual system access (personalized).
It is possible to log on using SAP GUI. The user is therefore capable of interaction through SAP GUI.

The system checks whether the password has expired or is initial.
The user can change his or her password himself or herself.
Which users are using



Creating Dialog User in SAP
===========================

1. Go to SU01, enter the user name (sapuser) and choose Create.
2. On the first tab (default settings), enter:
       Title      : Mr
       First name : sap
       Last name  : user
3. Go to the next tab and enter:
       Initial password : 1234
       Repeat password  : 1234
4. Go to Profiles and type:
       sap_all   (press Enter)
       sap_new   (press Enter)
   Then save and check the message in the status bar (user created successfully).
5. Log in with the new user and change the password. This user now holds all superuser authorizations.




Give the user name in the User field and choose Create (F8).

Give the user name and password.

Give the SAP profiles/roles.

Then save and exit.



2. Change SAP user (Shift+F6)

3. Display SAP user (F7)

4. Delete SAP user (Shift+F2)

5. Copy SAP user (Shift+F5)

6. Lock and unlock SAP user (Ctrl+F5)

You can also use transaction code EWZ5 to mass lock/unlock users, or execute program EWULKUSR in SE38.



2. System User:-

Windows Operating System User Settings in an SAP System

Use

This section describes the users that exist or are needed in an SAP system on Windows, and the security settings to apply to them.

Overview of SAP System-Related Users

Windows built-in users
    Administrator: The local user who has unlimited access to all local resources.
    Guest: A local guest account that has guest access to all local resources.
    SYSTEM: The user SYSTEM is a built-in account without a password. You cannot log on as user SYSTEM. However, this account has complete access to the local Windows system.

SAP system users
    <sapsid>adm: The SAP system administrator, who has unlimited access to all local resources related to SAP systems.
    SAPService<SAPSID>: A special user who runs the Windows services related to SAP systems.

Database users
    <database-specific users>: One or more special users who run database-specific Windows services or access the database resources with utility programs. Some databases also need certain users at the operating system level. Their name and availability depend on the database you use. For more information, see the database-specific security guide on Windows.

Note the following:

•    Windows automatically creates the users Administrator and Guest during the installation. You do not need them for SAP system operations.

•    Windows Server 2008 (R2) introduces a new security concept called User Account Control (UAC). When User Account Control is enabled (the default setting), a process running on Windows Server 2008 (R2) does not automatically have membership in the local Administrators group, even if the account is a member of this group. The user has to elevate a process to use the Administrators group membership by right-clicking a program entry in Windows Explorer (Start → Programs → <Program Entry>) and starting it with Run as Administrator.

•    You must enable the guest account to grant non-authenticated users (users that have not specified a valid user name or password) access to resources on a computer. The Windows built-in group Everyone includes authenticated users and guests. However, non-authenticated guest users only have access to resources that are secured with Everyone if the guest account is enabled. SAP strongly recommends disabling the guest account.
 

For a system user, GUI logon is not possible; the initial password and password expiration are not checked.

System-related and internal system processes.

It is not possible to log on using SAP GUI. The user is therefore incapable of interaction through SAP GUI.
The password change requirement does not apply to the passwords, that is, they cannot be initial or expired.
Only a user administrator can change the password.
Multiple logons are permissible.

Roles for system user: SAP_BC_USR_CUA_CENTRAL
                       SAP_BC_USR_CUA_CENTRAL_BDIST

The purpose of a system user is background processing and communication within a system (internal RFC calls) and between multiple systems (external RFC calls), for example RFC users for ALE, Workflow, TMS, TREX and CUA. Example: user sysuser, password 1234556.


http://help.sap.com/saphelp_nw70ehp1/helpdata/en/5e/9834429692b76be10000000a155106/content.htm 



3. Communication User:-

Creating RFC Users (SAP ECC)

To enable communication between the SAP ERP back-end system and other SAP systems, you have to create an RFC user in the SAP ERP system.
The RFC user in the application client enables multiple RFC connections. Skip this activity if an RFC user has already been created.

Procedure

1.    Log on to the SAP ECC system.
2.    Access the activity using one of the following navigation options:
•    Call transaction code SU01.
•    In the SAP ERP GUI, choose Tools → Administration → User Maintenance → Users.
3.    In the User field, enter CRM2ERP.
4.    Choose Create (F8).
5.    On the Maintain User screen, enter the following data on the tab pages:
•    On the Address tab page, enter the following:
o    Last Name: CRM2ERP
o    Function: <your function>
•    On the Logon Data tab page, enter the following:
o    User Type: Communication Data
o    Password: <your password>
•    On the Defaults tab page, enter the following:
o    Logon Language: EN
•    On the Profiles tab page, enter the following:
o    Profile: SAP_ALL and SAP_NEW
6.    Save your entries (Ctrl + S).
Connecting SAP CRM (SAP ECC)

Procedure

1.    Log on to the SAP ECC system.
2.    To define an RFC destination in the SAP ERP system, access the activity using one of the following navigation options:
•    Call transaction code SM59.
•    In the SAP ERP IMG menu, choose SAP NetWeaver → Application Server → IDoc Interface/Application Link Enabling (ALE) → Communication → Create RFC Connections.
3.    On the Display and maintain RFC destinations screen, choose Create and enter the data for the RFC destination:

Field name          User action and default values
RFC Destination     Erp_<ERPSID><ERPCLIENT>_to_Crm_<CRMSID><CRMCLIENT> (for example: Erp_ER1001_to_Crm_CR1005)
Connection type     3 (Connection to ABAP system)
Description         SAP CRM system

4.    Choose ENTER.

Technical Settings
Load Balancing      No
Target host         <SAP CRM target host name> (for example: pwdf0421)
System number       <SAP CRM target system number> (for example: 74)
Save as             IP Address

Logon/Security
Security Options
Trusted system      No
Logon Screen        deselect
SNC                 Inactive
Logon
Language            EN
Client              <SAP CRM target client> (for example: 001)
User                ERP2CRM
Password            <your password> (the password you chose in user maintenance)
Current User        deselect
Unencrypted Password (2.0)    deselect

5.    Choose ENTER.

MDMP & Unicode
Communication Type with target system    Set the Unicode flag if the Unicode test has been executed successfully.
This test can be performed by choosing Unicode Test in the menu area. The RFC destination has to be saved before the test can be performed. An information message appears (for example: Target is a Unicode system (character size 2)).

6.    Choose ENTER.
7.    On the Special Options tab page, deselect Trace and Slow RFC Connection.
8.    Choose ENTER.
9.    Save your RFC destination.
10.    To test your newly created RFC connection, choose Connection Test.



For a communication user, GUI logon is not possible. Users are allowed to change the password through software in the middle tier. Individual system access (personalized).
It is not possible to log on using SAP GUI. The user is therefore incapable of interaction through SAP GUI.
Although the system checks whether the password has expired or is initial, the implementation of the requirement to change the password, which exists in principle, depends on the logon method (interactive or non-interactive).

Assign the communication users for the child systems and the communication user CUA_ADM the roles Z_SAP_BC_USR_CUA_SETUP_CENTRAL and Z_SAP_BC_USR_CUA_CENTRAL.


4. Service User:-

A user of the type Service is a dialog user that is available to an anonymous, larger group of users. Generally, this type of user should only be assigned very restricted authorizations.

For example, service users are used for anonymous system access using an ITS service or a public Web service. Once an individual has been authenticated, a session that started anonymously using a service user can be continued as a personal session using a dialog user (see SUSR_INTERNET_USERSWITCH).

During logon, the system does not check for expired and initial passwords. Only the user administrator can change the password.

Multiple logon is allowed.


Some central service users are required for dialog-free communication between the central components of SAP NetWeaver usage type PI and between application systems and PI.
After the installation of usage type PI, the following service users already exist together with a password in the client of the Integration Server and in the exchange profile. They are retrieved from there by the Java components of PI when the system is started.
The service users are listed below together with the roles assigned to them.

Service users available after installation

Service User    Description                                       Assigned Role
PILSADMIN       User for the Change Management Server             SAP_XI_CMS_SERV_USER
PIREPUSER       User for the Enterprise Services Repository       SAP_XI_IR_SERV_USER_MAIN
PIDIRUSER       User for the Integration Directory                SAP_XI_ID_SERV_USER_MAIN
PILDUSER        User for the System Landscape Directory (SLD)     SAP_BC_AI_LANDSCAPE_DB_RFC
PIAPPLUSER      User for sender applications                      SAP_XI_APPL_SERV_USER
PIRWBUSER       User for the Runtime Workbench                    SAP_XI_RWB_SERV_USER_MAIN
PIAFUSER        User for the Advanced Adapter Engine              SAP_XI_AF_SERV_USER_MAIN
PIISUSER        User for the Integration Server                   SAP_XI_IS_SERV_USER_MAIN
PIPPUSER        User for principal propagation                    SAP_XI_APPL_SERV_USER

Passwords are specified for these users during installation. The names of the users as well as the passwords may be changed as required. Ensure, however, that they are always assigned the roles listed above.
The roles were created for each of the PI components, so that each component only needs this single service user.
Within PI, the roles provide you with all the authorizations required by the respective component for dialog-free access to the other components of PI. They are therefore also available on the Java side. To access the Java components, corresponding authorization assignments (security roles) on usage type AS Java are required. These are automatically performed when the Java components are deployed.


Description of the Service User Roles


The following service user roles are available:
●  SAP_XI_CMS_SERV_USER
Service user role for the Change Management Server (CMS).
Within PI, this role supplies all the authorizations required by the CMS for dialog-free access to the other components of PI, mainly the Enterprise Services Repository and Integration Directory.
●  SAP_XI_IR_SERV_USER_MAIN
Service user role for the Enterprise Services Repository.
Within PI, this role supplies all the authorizations required by the Enterprise Services Repository for dialog-free access to the other PI components.
●  SAP_XI_ID_SERV_USER_MAIN
Service user role for the Integration Directory.
Within PI, this role supplies all the authorizations required by the Integration Directory for dialog-free access to the other PI components.
●  SAP_BC_AI_LANDSCAPE_DB_RFC
Service user role for the SLD.
This role supplies all the authorizations required by the SLD for dialog-free access to the database of the SAP NetWeaver Application Server. This role is usually assigned to exactly one service user or communication user, which must be defined in the administration of the SLD for database consistency.
●  SAP_XI_APPL_SERV_USER
Service user role for application systems that are sender business systems.
This role supplies all the authorizations required by application systems (ABAP and Java) for dialog-free access to the components of PI.
●  SAP_XI_RWB_SERV_USER_MAIN
Service user role for the Runtime Workbench.
Within PI, this role supplies all the authorizations required by the Runtime Workbench for dialog-free access to the other components of PI.
●  SAP_XI_AF_SERV_USER_MAIN
Service user role for the Advanced Adapter Engine.
This role supplies all the authorizations required for communication between SLD, Integration Server, and Adapter Framework.
●  SAP_XI_IS_SERV_USER_MAIN
Service user role for the Integration Server.
This role supplies all PI-specific authorizations required by the Integration Server for dialog-free access to business systems based on SAP NetWeaver.
Service users that have to be created in business systems for this purpose generally need additional authorizations that are specific to the service to be accessed.


Creating Service Users

You require two service users:

•    One service user for synchronization
This service user is used to perform an anonymous synchronization. This is useful, for example, in the following situations:
o    To get the UTC time (when using a TIME_AGENT parameter set)
o    To generate error messages when errors occur during the synchronization process
o    To create setup packages using the Mobile Administrator
•    One service user for administration
This user is required for communication between the systems, for example, to display data in the Mobile Administrator.

Note
Alternatively, you can also use an individual administrator user here. For security reasons, we recommend using a service user with limited authorizations and without a dialog authorization.

The service user for administration is used to access systems using an RFC. For example, you would enter this service user in the following cases:
o    When deploying the JRA for the Mobile Administrator (see Deploying the JRA for the Mobile Administrator)
o    When establishing the JCo-RFC connection (see Enabling Mobile Component Uploads)
o    When setting up the synchronization monitors (see Activating Synchronization Monitors)

Caution
If you configured the MI usage type automatically using the template installer in the SAP NetWeaver Administrator, you do not have to create the service users for the administration.
Defining Roles for Service Users for the Synchronization Process

Check whether the role for the service user exists. If not, define one:

1.    Create an authorization profile without a template and add the following authorization objects to it.

Authorization Objects for the Service User (Synchronization)

Authorization Object    Field       Value
S_ME_SYNC               ACTVT       38 (Synchronization)
S_RFC                   ACTVT       16
                        RFC_NAME    SUSO (Detailed error message determination)
                                    ME_USER (Synchronization)
                                    BWAF_MW (Synchronization)
                                    BWAF_MOMO (Synchronization)
                                    SYST
                                    SRFC
                                    SG00
                                    SDIFRUNTIME
                                    RFC1

2.    Generate the profile and save the role you created.
Defining Roles for Service Users for the Administration

Check whether the role for the service user exists. If not, define one:

1.    Create an authorization profile without a template and add the following authorization objects to it.

Authorization Objects for the Service User (Administration)

Authorization Object    Field       Value
S_RFC                   ACTVT       16
                        RFC_NAME    RFC1 (Java Connector)
                                    SDIFRUNTIME (Java Connector)
                                    SYST (Java Connector)
                                    SG00 (Java Connector)
                                    SRFC (Java Connector)
                                    SYSU (Java Connector)
                                    SUSO (Detailed error message determination)
                                    MEMGMT* (Mobile Administrator)
                                    MEREP_INSTTK_MPC (Creation of setup packages)
                                    MEREP_JAVACLIENT (Uploading SyncBO definitions from the back-end system)
                                    ME_CENTRAL_TRACING (Tracing)
                                    ME_CONFIG_INFO (Monitoring)
                                    BWAF_MW (Synchronization)
                                    BWAF_MOMO (Synchronization)
                                    BAPT
                                    BWAF_INSTALLATION (Setup packages)
                                    MI_PACKAGE_GEN (Setup packages)
                                    ME_MON_SHLP (Monitors)
                                    ME_QUEUE_MON (Monitors)
                                    ME_TECH_MON (Monitors)
                                    ME_REPLIC_MON (Monitors)
                                    ME_RESOURCE_MON (Monitors)
                                    RFC2 (Monitors)
                                    SDDO (Monitors)
                                    ME_USER
                                    SU_USER
S_TCODE                 TCD         DEVICE_CONFIG (Device configuration)
                                    SMOMO (Device removal)
S_MI_MGMT               ACTVT       * (Device administration and device configuration)
                        MI_GROUP    Stored in table MEMGMT_AUTH_GRP, transaction MGMT_AUTHORITY (for the definition of groups with different authorizations, for example, ADMIN and SUPPORT)
S_USER_GRP              ACTVT       3 (Display user in Mobile Administrator)

2.    Generate the profile and save the role you created.
Defining Service Users

1.    Start transaction SU01 and create two service users (for example, MI_SERVICEADMIN and MI_SERVICESYNC).

Note
For the password, only use the characters contained in the ISO 8859-1 character set.

2.    Assign each of the users one of the roles created.
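To make the separation between the two roles concrete, here is an added example (not SAP code and not part of the original page) that models the SAP authority check in Python and evaluates the synchronization and administration roles from the two tables above against it. MEMGMT_DEVICE is a constructed function-group name, the administration role's RFC_NAME list is abridged, and ACTVT is written as the two-character code SAP stores (the page writes 3 for S_USER_GRP; the stored value is 03).

```python
# Added example, not SAP code: a minimal model of an SAP authority check, used to
# compare the synchronization and administration service-user roles above.
# A profile is a list of authorizations; each names an object and maps its
# fields to permitted values. SAP grants the check only if ONE authorization
# for the object covers EVERY requested field; '*' matches anything and a
# trailing '*' is a prefix (MEMGMT*). SAP from/to value ranges are not modelled.

def value_matches(pattern: str, value: str) -> bool:
    """Match one permitted value (possibly a wildcard) against one requested value."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def authority_check(profile: list, obj: str, **requested: str) -> bool:
    """True if a single authorization for obj permits all requested field values."""
    for auth in profile:
        if auth["object"] != obj:
            continue
        permitted = auth["fields"]
        if all(any(value_matches(p, v) for p in permitted.get(f, []))
               for f, v in requested.items()):
            return True
    return False

def can_call_function_group(profile: list, fugr: str) -> bool:
    """The S_RFC check (ACTVT 16) performed before a function group is called by RFC."""
    return authority_check(profile, "S_RFC", ACTVT="16", RFC_NAME=fugr)

# Role for the synchronization service user, from the table above.
SYNC_ROLE = [
    {"object": "S_ME_SYNC", "fields": {"ACTVT": ["38"]}},
    {"object": "S_RFC", "fields": {"ACTVT": ["16"], "RFC_NAME": [
        "SUSO", "ME_USER", "BWAF_MW", "BWAF_MOMO", "SYST", "SRFC", "SG00",
        "SDIFRUNTIME", "RFC1"]}},
]

# Role for the administration service user, from the table above (RFC_NAME list
# abridged). ADMIN and SUPPORT are the example MI_GROUP names the page gives;
# ACTVT 03 is the stored two-character code for "display".
ADMIN_ROLE = [
    {"object": "S_RFC", "fields": {"ACTVT": ["16"], "RFC_NAME": [
        "RFC1", "SDIFRUNTIME", "SYST", "SG00", "SRFC", "SYSU", "SUSO", "MEMGMT*",
        "MEREP_INSTTK_MPC", "MEREP_JAVACLIENT", "ME_MON_SHLP", "ME_QUEUE_MON",
        "RFC2", "SDDO", "ME_USER", "SU_USER"]}},
    {"object": "S_TCODE", "fields": {"TCD": ["DEVICE_CONFIG", "SMOMO"]}},
    {"object": "S_MI_MGMT", "fields": {"ACTVT": ["*"], "MI_GROUP": ["ADMIN", "SUPPORT"]}},
    {"object": "S_USER_GRP", "fields": {"ACTVT": ["03"]}},
]

if __name__ == "__main__":
    # MEMGMT_DEVICE is a constructed function-group name matching the MEMGMT* prefix.
    for name, role in (("sync", SYNC_ROLE), ("admin", ADMIN_ROLE)):
        for fugr in ("SUSO", "MEMGMT_DEVICE"):
            print(f"{name:5} {fugr:14} {can_call_function_group(role, fugr)}")
```

The synchronization user can reach SUSO but nothing under MEMGMT*, which is exactly the least-privilege split the two roles are meant to enforce.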

5. Reference Users:-

Like the service user, a reference user is a general user, not assigned to a particular person. You cannot log on using a reference user. The reference user is only used to assign additional authorization. Reference users are implemented to equip Internet users with identical authorizations.

On the Roles tab, you can specify a reference user for additional rights for dialog users. Generally, the application controls the allocation of reference users. You can allocate the name of the reference user using variables. The variables should begin with "$". You assign variables to reference users in transaction SU_REFUSERVARIABLE.

This assignment applies to all systems in a CUA landscape. If the assigned reference user does not exist in one of the CUA child systems, the assignment is ignored.
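As an added example that is not part of the original page: a Python audit of exported user master records against the user-type rules described above. It flags superuser profiles on non-dialog users (the RFC user created above holds SAP_ALL and SAP_NEW), passwords that no logon check will ever expire, and reference user assignments that point at a missing or wrongly typed user. The SapUser record, the sample data and MAX_PASSWORD_AGE_DAYS are constructed assumptions, not an SAP API or export format.

```python
# Added example, not SAP code. SapUser is a constructed stand-in for a user
# master record exported by an administrator, and MAX_PASSWORD_AGE_DAYS is an
# assumed local policy. The checks follow the rules above: the initial/expired
# password check is skipped for system (B), service (S) and reference (L)
# users, so an administrator must rotate those passwords; service and reference
# users are shared and should hold only restricted authorizations; a reference
# user that does not exist in a system is silently ignored there.
from dataclasses import dataclass, field

# pw_checked: does logon enforce initial/expired passwords; shared: not personalized
TYPE_RULES = {
    "A": {"pw_checked": True,  "shared": False},   # Dialog
    "B": {"pw_checked": False, "shared": False},   # System
    "C": {"pw_checked": True,  "shared": False},   # Communication
    "S": {"pw_checked": False, "shared": True},    # Service
    "L": {"pw_checked": False, "shared": True},    # Reference (cannot log on)
}
SUPERUSER_PROFILES = {"SAP_ALL", "SAP_NEW"}   # profiles assigned in the procedures above
MAX_PASSWORD_AGE_DAYS = 90                     # assumed rotation policy

@dataclass
class SapUser:
    name: str
    utype: str                   # key of TYPE_RULES
    profiles: set = field(default_factory=set)
    pw_age_days: int = 0         # days since the password was last set
    reference_user: str = ""     # reference user entered on the Roles tab, if any

def audit_user(user: SapUser, users: dict) -> list:
    """Return findings for one record; users maps name -> SapUser for lookups."""
    rules = TYPE_RULES[user.utype]
    findings = []
    broad = sorted(user.profiles & SUPERUSER_PROFILES)
    if broad and user.utype != "A":
        kind = "shared" if rules["shared"] else "non-dialog RFC"
        findings.append(f"{user.name}: {kind} user of type {user.utype} holds {broad}")
    if not rules["pw_checked"] and user.utype != "L" and user.pw_age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"{user.name}: expiry is not enforced for type {user.utype}; password is {user.pw_age_days} days old")
    if user.reference_user:
        ref = users.get(user.reference_user)
        if ref is None:
            findings.append(f"{user.name}: reference user {user.reference_user} does not exist, so the assignment is ignored")
        elif ref.utype != "L":
            findings.append(f"{user.name}: reference user {user.reference_user} has type {ref.utype}, not L")
    return findings

def audit(records: list) -> list:
    """Audit every record; the name index lets reference-user assignments be resolved."""
    users = {u.name: u for u in records}
    return [f for u in records for f in audit_user(u, users)]

# Constructed sample records, reusing user names from the procedures above.
SAMPLE = [
    SapUser("SAPUSER", "A", {"SAP_ALL", "SAP_NEW"}, pw_age_days=10),
    SapUser("CRM2ERP", "C", {"SAP_ALL", "SAP_NEW"}, pw_age_days=400),
    SapUser("MI_SERVICESYNC", "S", set(), pw_age_days=400),
    SapUser("REF_WEBSHOP", "L"),
    SapUser("SHOP_CUSTOMER", "A", pw_age_days=5, reference_user="REF_SHOP"),
]
```

Running `audit(SAMPLE)` yields three findings: the RFC user with SAP_ALL, the service user whose password has aged past the policy without any logon check enforcing it, and the dialog user whose reference user is missing.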

Creating Reference Users

Reference users are used to simplify authorization maintenance. You assign authorization roles to a reference user. The system then assigns the reference user to new users that are created for Web shop customers.
The user for a Web shop customer inherits all of the reference user’s role attributes and their authorization profile, which determines which activities and transactions are allowed.
Since customers use self-registration in the Web shop, you must use reference users to assign authorizations.
You assign reference users to a Web shop, regardless of whether you are using an SAP CRM or SAP ERP backend.
Prerequisites
The required authorization roles exist. For more information, see Creating and Changing Authorization Roles.

Procedure

1.    In the SAP Easy Access screen, access transaction SU01. Create a user, and on the Logon Data tab, select the user type Reference.
2.    Assign authorization roles to the reference user in the Roles tab.
3.    Assign the reference users in the User module of Web Channel Builder, in the field Reference User.

Result
The Web shop customer, when prompted by the system, enters the necessary registration details. The system uses these details to create a new user, and assign the reference user to the master record in the back-end system. The reference user contains authorizations, which are passed to the new Web shop customer.