Day 3 - SAP User Administration
Understanding User Master Record Tabs in SAP
Overview of User Master Record Tabs
- The user master record consists of 10 tabs, including address, logon data, SNC (Secure Network Communication), and defaults. Each tab serves a specific purpose in managing user information.
Secure Network Communication (SNC)
- When SNC is activated, users can log on to the SAP system without entering a password. This feature is used primarily by the security and Basis teams, who need access across multiple systems.
- By removing password entry, SNC enhances security by ensuring that only authorized personnel reach sensitive systems, and it spares those personnel from remembering many passwords, which matters for the efficiency of their roles.
- Activation of SNC is limited to support users such as technical staff; it is not made available to other teams or general users, in order to maintain security integrity.
Defaults Tab Configuration
- The defaults tab requires input on date format, time format, printer details, and time zone, which are standardized across all users within an organization, except for printers, which may vary by location.
- For example, different locations may have distinct printer setups while maintaining uniformity in other default settings such as date and time formats among all users.
Parameters and Roles Assignment
- The parameters tab is used only when specific requests arise; it does not require regular input from administrators or users unless prompted.
- Roles are assigned on the roles tab to grant the authorizations users need for their functions in the system; profiles provide similar access and are interlinked with roles, which are discussed further in later sessions.
User Groups and Licensing Information
- Users can belong to multiple groups; additional groups can be defined under the groups tab if necessary while primary group assignments are made under logon data. This ensures proper categorization of user permissions based on their roles within the organization.
Understanding User Licensing and Management
User Licensing Insights
- Large companies often purchase umbrella licenses, which allow unlimited software usage regardless of the number of users. This diminishes concerns about individual licensing.
- The focus on license terms is minimal when dealing with large organizations that have extensive user bases.
User Data Management
- The system allows creating, modifying, and deleting user data through various tabs, including address, logon data, and roles.
- When copying a user profile, certain fields like address and password are not duplicated to ensure unique identification for each user.
Locking and Unlocking Users
- Users can be locked or unlocked in the system; the status can be checked on the logon data tab.
- Locking a user changes their status to "locked," which can be confirmed visually in the interface.
Password Management
- Password changes can be executed directly from an icon or through edit mode by entering a new password twice for confirmation.
- A total of seven icons are available for managing user accounts effectively within the system interface.
Types of Users in System Management
Overview of User Types
- There are five types of users defined in the system: dialog, system, communication, service, and reference users.
Dialog Users Explained
- Dialog users are interactive users who engage with the system by entering commands and receiving responses based on those commands.
- Specific password parameters apply to dialog users, such as minimum length requirements and expiration dates, to enhance security.
GUI Login Features
- GUI (Graphical User Interface) logons are permitted for dialog users; this method requires entering a user ID and password on a designated screen.
Employee Access Definition
Understanding Dialog Users and Service IDs in System Logons
Overview of Dialog Users
- Every employee, including those from the ID company and support end users, is classified as a dialog user. This classification allows multiple dialog logons using a service ID.
Functionality of Service IDs
- A dialog user can log on to the system with their dialog ID and use several service IDs (e.g., service ID 1, service ID 2) to act as different users simultaneously. This capability adds flexibility in user management.
- The primary purpose of a service ID is to allow multiple logons for a single dialog user without password-parameter restrictions, meaning the passwords do not expire and have no limitations.
Firefighter IDs and Their Characteristics
- The firefighter ID (FFID) concept in Governance, Risk Management, and Compliance (GRC) is an example where password parameters are not applied while GUI logon is allowed. This contrasts with standard dialog users, for whom such parameters are enforced.
- Firefighter IDs are defined within GRC systems primarily to facilitate emergency access without the usual password constraints. Test IDs also fall under this category as service IDs.
Internal Communication via System IDs
- System IDs are designated for internal communication within systems; they cannot be used for GUI logins nor do they have password restrictions. These IDs are essential for executing background jobs and internal Remote Function Calls (RFCs).
- Background job scheduling relies heavily on system IDs due to their unique characteristics that allow seamless internal operations without direct user interaction through GUIs.
External Communication Using Communication IDs
- Communication IDs differ from system IDs by facilitating external communication between different systems while also lacking GUI login capabilities and password restrictions. This distinction is crucial for understanding how data flows between disparate systems securely.
Reference User Concept
- When a user's role limit reaches three profiles, additional access can be granted through reference users who provide extra roles beyond the standard limits assigned to individual users. This mechanism ensures that necessary permissions can still be allocated when needed without compromising security protocols.
- Creating a reference user allows existing dialog users to use roles from both their own profile and those assigned to the reference user, improving operational efficiency while keeping control over role assignments within the security framework.
Conclusion on Role Management
- Achieving the maximum limit of three profiles per user is considered an unrealistic scenario in practice; it indicates poor role management practices within an organization’s security framework that need addressing for better compliance and governance standards.
User Management and Roles in System Administration
Understanding Reference Users
- The concept of a reference user is introduced, emphasizing its theoretical purpose of providing additional access to dialog users.
- A demonstration of creating a reference user is provided, highlighting the importance of filling mandatory fields such as last name and password.
- The distinction between roles assigned to different users is explained: the reference user has two roles while another user (Mirza S1) has one role, so Mirza S1 can access three roles in total.
- It is noted that the password of a reference user is typically deactivated when access limits are reached, preventing direct logon through the GUI.
Types of User Accounts
- Different types of users are discussed, with an emphasis on potential interview questions about the distinctions between dialog, service/system users, and communication users.
- FAQs related to user management will be provided for preparation purposes.
Change Documents Overview
- Change documents track modifications made to user accounts over time. Instructions on accessing these documents via transaction code SU01 are shared.
- An example illustrates how change documents log events such as account creation and password changes by specific users at designated times.
User Locking Mechanisms
- Various lock codes for user accounts are detailed:
  - 0 = Not locked
  - 32 = Global lock (related to CUA, Central User Administration)
  - 64 = Administrator lock
  - 128 = Incorrect logon lock due to multiple failed attempts
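The user types and lock codes above map directly onto two columns of the SAP user master table USR02: USTYP (one letter per user type) and UFLAG (a bitmask built from the lock codes, so several locks can be set at once). The following script is an added example for these notes, not code from the course or from SAP; the column names USTYP, UFLAG and BNAME are the real ones, the sample rows are constructed, and the review rules are the instructor's points (failed-logon locks deserve a look at the change documents; service IDs have no password expiry and should be approved firefighter or test IDs) turned into checks.

```python
"""Decode SAP user type (USR02-USTYP) and lock status (USR02-UFLAG).

Added example for these notes; not code from the course or from SAP.
USTYP, UFLAG and BNAME are the real USR02 column names; the sample
rows below are constructed, and the review rules are the instructor's
points turned into checks.
"""
from dataclasses import dataclass

# USTYP letter -> user type, as stored in USR02
USER_TYPES = {
    "A": "dialog",
    "B": "system",
    "C": "communication",
    "S": "service",
    "L": "reference",
}

# UFLAG is a bitmask; 0 means not locked, and several bits may be set at once
LOCK_FLAGS = {
    32: "global lock (CUA)",
    64: "administrator lock",
    128: "incorrect logon lock",
}


def decode_lock(uflag: int) -> list:
    """Return the lock reasons encoded in a UFLAG value (empty list = not locked)."""
    known_bits = sum(LOCK_FLAGS)  # 32 | 64 | 128
    if uflag < 0 or uflag & ~known_bits:
        raise ValueError(f"unexpected UFLAG value: {uflag}")
    return [name for bit, name in LOCK_FLAGS.items() if uflag & bit]


def user_type(ustyp: str) -> str:
    return USER_TYPES.get(ustyp, f"unknown ({ustyp})")


def gui_logon_allowed(ustyp: str) -> bool:
    # Only dialog and service users can log on interactively through SAP GUI;
    # system and communication users exist for background jobs and RFC only.
    return ustyp in ("A", "S")


def password_rules_apply(ustyp: str) -> bool:
    # Expiry and minimum-length parameters are enforced for dialog users only.
    return ustyp == "A"


@dataclass(frozen=True)
class UserRecord:
    bname: str
    ustyp: str
    uflag: int


def describe(rec: UserRecord) -> str:
    """One-line summary of a record: type, GUI capability and lock reasons."""
    locks = decode_lock(rec.uflag) or ["not locked"]
    gui = "GUI logon allowed" if gui_logon_allowed(rec.ustyp) else "no GUI logon"
    return f"{rec.bname}: {user_type(rec.ustyp)} user, {gui}, {', '.join(locks)}"


def review(records) -> list:
    """Flag records a user administrator should look at before acting on them."""
    findings = []
    for rec in records:
        locks = decode_lock(rec.uflag)
        if "incorrect logon lock" in locks:
            findings.append((rec.bname,
                "locked after failed logons: check the change documents before unlocking"))
        if rec.ustyp == "S" and not locks:
            findings.append((rec.bname,
                "service user without password expiry: confirm it is an approved firefighter or test ID"))
    return findings


# Constructed sample rows (not data from any real system)
SAMPLE_USR02 = [
    UserRecord("MIRZAS1", "A", 0),
    UserRecord("MIRZAS2", "A", 128),
    UserRecord("REFUSER1", "L", 64),
    UserRecord("FF_BASIS01", "S", 0),
    UserRecord("RFC_BATCH", "B", 0),
    UserRecord("EDI_PARTNER", "C", 32 | 64),
]

if __name__ == "__main__":
    for rec in SAMPLE_USR02:
        print(describe(rec))
    for bname, note in review(SAMPLE_USR02):
        print(f"REVIEW {bname}: {note}")
```

Run as-is, the script prints one line per sample record and then two review findings: MIRZAS2 (locked after failed logons) and FF_BASIS01 (an unlocked service user). A record whose UFLAG contains bits outside 32, 64 and 128 is rejected rather than silently decoded, since that usually means an export or parsing problem rather than a new lock type.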
Importance of Following Procedures
- Emphasis on the critical nature of documenting changes in systems through change documents; unauthorized changes can lead to issues without proper proof or requests.
- Recommendations stress obtaining written approval before making any system changes. Oral communications should not suffice due to lack of documentation.
Adhering to Organizational Processes
- New employees are advised to strictly follow established processes during their initial months in an organization. Deviating from these processes can lead to complications later on.
User Administration in SAP
Overview of Standard Users in SAP
- The speaker discusses the lack of external help during trouble, emphasizing that standard users are created by default in SAP upon installation. A list of these users and their passwords is provided.
- The initial logon to the system uses specific user IDs, in particular the SAP* ID, which has a defined password format for first-time access.
- Additional standard IDs include DDIC and SAPCPIC, each associated with specific clients and passwords. The EARLYWATCH ID is also mentioned as being client-specific.
Ownership and Responsibilities of Standard IDs
- Basis team personnel take ownership of these standard IDs to perform monitoring activities related to CCMS (Computing Center Management System).
- These users change passwords regularly to prevent misuse, ensuring security within the system.
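Checking that the standard IDs really do get their passwords rotated is something a Basis or security team can script against an export of USR02. The script below is an added example for these notes, not code from the course or from SAP. It assumes that the export carries the last password change date in the USR02 column PWDCHGDATE (available in newer releases; an assumption here) and applies the 90-day rotation interval mentioned later in these notes. The sample rows, including the client numbers, are constructed. The standard IDs are always checked; other users are checked only if they are dialog users, because service, system and communication IDs have no password expiry.

```python
"""Password-age review for SAP standard users and dialog users.

Added example for these notes; not code from the course or from SAP.
Assumptions: the USR02 export provides MANDT (client), BNAME, USTYP and
PWDCHGDATE (last password change); the sample rows are constructed.
"""
from datetime import date
from typing import NamedTuple

# Standard users created at installation (SAP*, DDIC, SAPCPIC, EARLYWATCH)
STANDARD_USERS = {"SAP*", "DDIC", "SAPCPIC", "EARLYWATCH"}

# The notes mention password resets every three months
MAX_PASSWORD_AGE_DAYS = 90


class PasswordRow(NamedTuple):
    mandt: str          # client
    bname: str          # user name
    ustyp: str          # user type letter (A = dialog, S = service, B = system, ...)
    pwdchgdate: date    # last password change (assumed USR02-PWDCHGDATE)


def password_age_days(row: PasswordRow, today: date) -> int:
    return (today - row.pwdchgdate).days


def needs_rotation(row: PasswordRow, today: date) -> bool:
    """Standard IDs are always held to the age limit; otherwise only dialog
    users are, since service/system/communication IDs have no password expiry."""
    age = password_age_days(row, today)
    if row.bname in STANDARD_USERS:
        return age > MAX_PASSWORD_AGE_DAYS
    return row.ustyp == "A" and age > MAX_PASSWORD_AGE_DAYS


def stale_passwords(rows, today: date) -> list:
    """(client, user, age in days) for every row that needs rotation, oldest first."""
    stale = [(r.mandt, r.bname, password_age_days(r, today))
             for r in rows if needs_rotation(r, today)]
    return sorted(stale, key=lambda item: item[2], reverse=True)


# Constructed sample export and reference date (not data from any real system)
TODAY = date(2024, 6, 1)
SAMPLE_ROWS = [
    PasswordRow("000", "SAP*", "A", date(2024, 1, 10)),        # 143 days old
    PasswordRow("066", "EARLYWATCH", "A", date(2024, 3, 15)),  # 78 days old
    PasswordRow("100", "DDIC", "A", date(2024, 5, 2)),         # 30 days old
    PasswordRow("100", "MIRZAS1", "A", date(2023, 12, 1)),     # dialog user, 183 days old
    PasswordRow("100", "FF_BASIS01", "S", date(2023, 1, 1)),   # service ID: no expiry
    PasswordRow("100", "RFC_BATCH", "B", date(2023, 1, 1)),    # system ID: no expiry
]

if __name__ == "__main__":
    for mandt, bname, age in stale_passwords(SAMPLE_ROWS, TODAY):
        print(f"client {mandt}: {bname} password is {age} days old (limit {MAX_PASSWORD_AGE_DAYS})")
```

On the sample data the report lists MIRZAS1 (183 days) and SAP* (143 days); the two service/system IDs are skipped even though their passwords are much older, which is exactly the point the notes make about password parameters applying to dialog users only.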
User ID Creation Guidelines
- User ID naming conventions vary by organization; typically, they combine parts of the user's first and last names. An example illustrates this process.
- The maximum number of profiles assigned to one user is 312. Mandatory fields for creating a user ID include last name and password.
User Tables and Future Discussions
- Mentioned briefly are user-related tables starting with "us," which will be discussed in detail later in another class session.
Recap and Q&A Session
- The session concludes with a recap of user administration topics covered over two classes, encouraging students to review materials before returning on Monday.
- Students are invited to ask questions about today's topic regarding user types, locks, and standard users before closing the session.
Clarifications on Security Features
- A student requests attachments via email instead of physical copies; this highlights communication preferences among participants.
- A discussion arises about the SNC feature, which allows bypassing password entry during logon for certain roles such as the security and Basis teams because of their frequent system access needs.
- It is noted that while other teams log on to specific systems only when needed, security/Basis teams must remember multiple passwords across different systems because of varied credential requirements.
Password Management Insights
- Password management becomes complex over time as systems require regular resets every three months; thus, maintaining consistent credentials can be challenging across various platforms.
Alternative Login Methods