SAP Provisioning L1


UCF SAP LEVEL 1

Table of Contents

Introduction to SAP
1. User account Creation/Deletion
2. User-role assignment
3. User account password unlock/reset
4. Deactivation of User account

Introduction to SAP:-
SAP stands for System, Application and Products in Data Processing. SAP started operations in
Germany in 1972 and is currently the world’s largest vendor of standard application
software.

SAP can be distinctively configured to fit the needs and requirements of customer operations
(within limits).

SAP is a German company that develops business software. ERP stands for Enterprise Resource
Planning, and is the term used to describe an integrated software solution that incorporates the
key business functions of an organization.

For every organization to function properly and systematically, it must have a standard,
defined security model. This model sets expectations for the security of existing and
transactional data.
While setting up the security model, keep the following points in mind:
· What needs to be protected?
· From whom does it need to be protected? The threats can be internal or external.
· What actions need to be taken to prevent the threats?

Once you have identified the threats and the steps above, you can build a security model.
SAP provides the flexibility to maintain security at various levels. Each level has its own
protection mechanism, so when implementing the security model you need to implement
security at all levels.

A standard SAP project landscape is divided into three environments: Development, Quality
Assurance and Production.

The development system is where most of the implementation work takes place. The quality
assurance system is where all the final testing is conducted before moving the transports to the
production environment. The production system is where all the daily business activities
occur. It is also the client that all the end users use to perform their daily job functions.

In every company, the production system should contain only transports that have passed all
the tests.

SAP is an ERP (Enterprise Resource Planning) module. ECC is the version of SAP: after 4.6, 4.6c
and 4.7, the new version in that series is ECC-6. ECC is known as Enterprise Core Component.

Below is SAP GUI:-


The screenshot below explains each tab and its functionality.

Maintaining all these tabs builds the user master record. To access the SAP system and work in
it, a user master record with authorizations is required. The assignment of these
authorizations can be controlled individually for each user, but also, to an extent, using mass
maintenance.

The user master record is client-specific, so it must be maintained separately for
every SAP client.

Corresponding to each tab; see the below explanation:

Address:
This tab contains basic information about the user, such as First Name, Last Name, Dept., Email
etc. Last Name is mandatory; a user cannot be created without it.

Alias:
An alias is an alternative ID for an SAP user and can be up to 40 characters long.

User Group for Authorization Check:
This helps to divide users into different groups, which can be maintained by different user
administrators.

User Type:
A normal user should be of the Dialog user type. There are other user types as well, which can be
used based on the requirement.
Dialog User A:
· A password is required to log on with this user type.
· Multiple logons are not possible for this user type.
· The password expires for this user type.

System User B:
· This user is used for background processing and RFC communication.
· Dialog logon is not possible for this user.
· The password never expires for this user.
· The system does not ask for a password change.
· Multiple logons are possible.

Communication User C:
· This user is for dialog-free communication between systems.
· Dialog logon is not possible.
· The password never expires.

Service User S:
· Dialog logon is possible.
· Multiple logons are possible.

Reference User L:
· This user type is used for additional authorizations.
· Logon is not possible with a Reference user.

Validity period:
This provides the option to make the user account valid for a specific duration.

Other Data:
For each user we should assign an accounting number, such as cost center, company code etc.

Defaults:
This tab contains the below fields.

Start Menu:
This field sets the area menu for the user. For example, if you enter FRMN as the start menu, the SAP
menu will display only transactions related to credit management.

Logon Language:
When the user logs in to the system, the system uses the language that you define here.

Output Device:
Here you may define/enter the printer or other output device.

Time Zone:
This option sets the time zone for the user.

Decimal/Date Format:
In this section you can define the currency/date format for the user.

User Administration:
In a security implementation, user administration plays a vital role. It is the very first checkpoint
for anyone who tries to connect to the system in order to fetch information.

If a user has access to the system, it does not mean that the user can do everything possible in the
system. Having access to the system is entirely different from having access to data.

While setting up a user in the system, we must be very clear about what access the user needs and
what the user’s function in the organization is.

For user administration we usually perform either single user administration (SU01) or mass user
administration (SU10).
1. User account Creation/Deletion
Single User Administration:

In SAP, single user administration means handling one user at a time. To perform administration
activities for a single user we use transaction code (TCODE) SU01 – User Maintenance.

Using this transaction we can manage the following things:

· Creation
· Change
· Display
· Delete
· Copy
· Lock/Unlock Account
· Password Set/Reset

Login into SAP:

To log in to the SAP system, enter your user name and password.

Default SAP Clients:-


In the SAP landscape, a client is an entity with independent data and information. Let’s look at the
default SAP clients a little more closely.

000, 001 and 066 are the default SAP clients that you get at installation time, and you cannot use
them for production.
000: this client is called the golden client. SAP provides it as a template/reference client, and you
cannot use it for production processing either.

001: this client is called the configuration client and has all the SAP standard customizing.

066: this is the EarlyWatch client, which SAP uses for monitoring and performance.

All these clients come with the standard users SAP* and DDIC.
SAP* Default Password: 06071992
DDIC Default Password: 19920706

If the parameter “login/no_automatic_user_sapstar” is set to 0 (zero), the SAP* user is regenerated
with the default password “PASS” after it has been deleted.
The EARLYWATCH user with password SUPPORT is also available on client 066.
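
One way to review the default accounts described above, as an added example that is not part of the original document: it flags default users that are not locked, and clients where SAP* has been deleted while login/no_automatic_user_sapstar is 0. The record layout (client, user, lock) and the sample data are assumptions constructed for the example.

```python
# Default users per client, as listed in this document.
DEFAULT_USERS = {"000": ["SAP*", "DDIC"], "001": ["SAP*", "DDIC"],
                 "066": ["SAP*", "DDIC", "EARLYWATCH"]}

def audit_default_users(records, no_automatic_user_sapstar):
    """Return (client, user, finding) tuples for default accounts needing follow-up.

    records: dicts with 'client', 'user' and 'lock' (lock status, 0 = not locked).
    The record layout is an assumption for this example, not an SAP export format.
    """
    by_key = {(r["client"], r["user"]): r for r in records}
    findings = []
    for client, users in sorted(DEFAULT_USERS.items()):
        for user in users:
            rec = by_key.get((client, user))
            if rec is None:
                # A deleted SAP* is regenerated with password PASS when the parameter is 0.
                if user == "SAP*" and no_automatic_user_sapstar == 0:
                    findings.append((client, user, "deleted, automatic SAP* active"))
            elif rec["lock"] == 0:
                findings.append((client, user, "not locked, verify password was changed"))
    return findings

# Constructed sample data, not taken from a real system (64 = locked by administrator).
SAMPLE = [
    {"client": "000", "user": "SAP*", "lock": 64},
    {"client": "000", "user": "DDIC", "lock": 0},
    {"client": "001", "user": "DDIC", "lock": 64},   # SAP* has been deleted in client 001
    {"client": "066", "user": "SAP*", "lock": 64},
    {"client": "066", "user": "DDIC", "lock": 64},
    {"client": "066", "user": "EARLYWATCH", "lock": 0},
]

if __name__ == "__main__":
    for finding in audit_default_users(SAMPLE, no_automatic_user_sapstar=0):
        print(*finding, sep="  ")
```
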

Creation:
To create a user in SU01, enter the user name in the User field and click the Create button as shown in
the figure below, then follow the steps mentioned:
After this a new screen (Maintain User) will appear as below. Last Name is mandatory to create a user.
The main tabs to take care of are Address, Logon Data, Defaults, Parameters and Roles.
While creating the user, always pay attention to the user type: Dialog, System,
Communication Data, Reference or Service.

An initial password must be entered here.

Under the Defaults tab you can set the date format, logon language, time zone, printer settings etc.

This tab is used to set parameter values for the user. With the help of a parameter value, a field can be
filled with a default value.
Role assignment to the user can be done in the Roles tab:-
Below are the assigned roles:-
Under this tab you assign the roles related to the user’s profile. These can be single roles as
well as composite roles. The concept of single and composite roles is explained later under the Role
Creation heading.

All other tabs can be used as per the project requirements.

After this, click the Save button on the menu bar.

The user will be created and a message will appear at the bottom of the screen as below:
Mass User Administration:

Creation:

Mass user maintenance is used when you need to create/modify/change more than one user. To perform
mass maintenance you need to execute transaction code SU10. This will lead you to the screen below:

/n is used to change the transaction, and /o is used to change the transaction while keeping the
original session.

Here in the column you enter the user IDs which you need to create/change/modify. All other steps
are the same as you have learned in transaction SU01.

There are some major points to remember in mass maintenance.

All the changes must be the same for each user (Lock Users, Unlock Users, Create Users, Assign Roles &
Revoke Roles).

You cannot set the password using SU10 while creating new users. The password is set automatically
by the system, and you will get the password details in the logs after you save the users.

Using SU10 the following activities can be done:-

Select users from system/clipboard:-

Transfer users into the clipboard.
2. User-role assignment
This option is used when the user already exists and some details need to be updated.
Roles can be assigned using transactions SU01 and SU10.

To assign a role to a user, we can choose either of two ways:

· Role assignment to user via transaction SU01
· User assignment to role via transaction PFCG

Types of Role:
SAP has segregated roles into different categories in order to set up and provide the best security with
minimum effort. This segregation of roles can be used in various organizations as per the requirement.

There are specifically 2 types of roles:

· Single Role
· Composite Role

Single roles are further divided into Parent Roles and Derived Roles. See the screenshot below.

Single Role:
A single role contains transactions/web links/reports and authorizations. We can directly assign a
single role to any user.

Composite Roles:
A composite role contains one or more single roles. If you assign a composite role to a
user, the user is also assigned the single roles.

Derived Role/Parent Role:

· Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the
functions included (transactions, reports, Web links, and so on) from the role referenced. A role
can only inherit menus and functions if no transaction codes have been assigned to it before.

· The higher-level role passes on its authorizations to the derived role as default values which can
be changed afterwards. Organizational level definitions are not passed on. They must be created
anew in the inheriting role. User assignments are not passed on either.

· Derived roles are an elegant way of maintaining roles that do not differ in their functionality
(identical menus and identical transactions) but have different characteristics with regard to the
organizational level.

Transaction PFCG is used to create/maintain/modify roles in the SAP system.
Change:

Click on Change:-
Now you can change the required tab. In the Roles tab you can enter additional roles.
Click the Save button again.

Display:
In display mode you can check the user details but cannot change them.
If you want to make changes in the database, click the Change button at any time. You will then be in
change mode and can edit the data.

If the user does not exist in the SAP system, the following message is displayed:

Delete:
To delete an existing user from SAP, first enter the user name in the User name field, then click
the Delete button.

A dialog box will appear to confirm the user deletion. Click Yes to delete, otherwise click
No.
Click on “Yes”.

Copy:
While creating a new user, this option lets you copy the data from an existing user.
It will ask you to choose the fields that you want to copy from one user to the other.

Here you can choose the required parts and then click Copy. All the selected fields of the user
“TEST_USER1” will be copied to user “TEST_USER” and you will be redirected to another screen as
shown in the figure below. Here you have to set the password for the new user “TEST_USER” and then
click the Save button.
3. User account password unlock/reset
Lock/Unlock Account:

Normally, if a user enters the wrong password 3 times in a row, the user is locked.

To check this, enter the user name and click the Display button. Then go to the Logon Data tab. If the
user is locked, you will get a message as shown in the figure below:

To unlock this user, click the button with the lock symbol.

Click the Unlock button and the user will be unlocked.

Below are the lock status values:-

User status     Reason
0               User not locked
32 (Hex 20)     Locked by CUA central administrator
64 (Hex 40)     Locked by administrator
128 (Hex 80)    Locked after failed logon
192             Locked by administrator + Locked after failed logon
96              Locked by CUA central administrator + Locked by administrator
160             Locked by CUA central administrator + Locked after failed logon

Password Set/Reset:

To set/reset the password, click the Change Password button.

Enter the new password and then click “Copy”.


4. Deactivation of User account:-
To perform administration activities for a single user we use transaction code (TCODE) SU01 – User
Maintenance.

Change the Valid through date to a date before today.

Change the role Valid to date to a date before today.
Click on Save.
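
The user types, validity period, lock status values and deactivation steps described in this document can be combined into one review, shown here as an added example that is not part of the original document: it lists why a dialog logon is blocked for each record and finds deactivated users whose roles are still valid. The field names and sample records are assumptions constructed for the example.

```python
from datetime import date

# Base lock status values from the table in this document; other values are sums of these.
LOCK_BITS = {32: "Locked by CUA central administrator",
             64: "Locked by administrator",
             128: "Locked after failed logon"}
DIALOG_TYPES = {"A", "S"}   # Dialog and Service users: dialog logon possible

def decode_lock(status):
    """Split a lock status into its reasons; bits outside the table are reported."""
    reasons = [text for bit, text in LOCK_BITS.items() if status & bit]
    unknown = status & ~sum(LOCK_BITS)
    if unknown:
        reasons.append(f"Unknown lock bits 0x{unknown:02X}")
    return reasons or ["User not locked"]

def logon_blockers(user, today):
    """Reasons a dialog logon fails for this record; an empty list means it works."""
    blockers = []
    if user["type"] not in DIALOG_TYPES:
        blockers.append(f"User type {user['type']}: no dialog logon")
    if user["lock"]:
        blockers += decode_lock(user["lock"])
    if user["valid_to"] is not None and user["valid_to"] < today:
        blockers.append("Validity period ended")
    return blockers

def incomplete_deactivations(users, today):
    """Users whose validity ended but who still hold a role valid today or later."""
    return [u["name"] for u in users
            if u["valid_to"] is not None and u["valid_to"] < today
            and any(end >= today for end in u["role_valid_to"])]

# Constructed sample records; field names are assumptions, not an SAP export format.
TODAY = date(2024, 6, 1)
USERS = [
    {"name": "JSMITH", "type": "A", "lock": 0, "valid_to": None, "role_valid_to": [date(9999, 12, 31)]},
    {"name": "MBROWN", "type": "A", "lock": 192, "valid_to": date(2024, 5, 31), "role_valid_to": [date(2024, 5, 31)]},
    {"name": "KLEE", "type": "A", "lock": 0, "valid_to": date(2024, 5, 31), "role_valid_to": [date(9999, 12, 31)]},
    {"name": "BATCH01", "type": "B", "lock": 0, "valid_to": None, "role_valid_to": [date(9999, 12, 31)]},
]

if __name__ == "__main__":
    for u in USERS:
        print(u["name"], logon_blockers(u, TODAY) or "dialog logon possible")
    print("Roles still valid after deactivation:", incomplete_deactivations(USERS, TODAY))
```
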

Below are basic SAP transactions:-

SU01D:- User Display
SU1:- Maintain Own User Address
SU2:- Maintain Own User Parameters
SU3:- Maintain Users Own Data
SUIM:- User Information System
SU53:- Evaluate Authorization Check
