Step 4 (Optional)
Account Validity and Account Number
The account validity dates are the dates between which this account can be used. If you leave
these fields empty, the account is valid immediately and never expires, so set a valid-to date
for temporary, project and external accounts instead of relying on someone remembering to
lock them later.
Account number: Enter a freely selectable account name or number. If you use the SAP
accounting system, the user's system usage is charged to this account. The account name or
number may be unique to each user or shared by a group of users.
SAP recommends entering the user's cost center or company code as the account number.
If you use the accounting system, always enter an account name or number; otherwise the
user's usage is assigned to the collective "No account" category.
Step 5 (Optional)
User type
Dialog
A normal dialog user is used by exactly one person for all logon types.
At dialog logon the system checks for expired or initial passwords, which must then be changed.
Multiple dialog logons are checked and logged.
System
Use the user type System for dialog-free communication within one system (RFC or CPIC
service users) or for background processing in one system.
Dialog logon is not possible.
A user of this type is excluded from the standard password validity period. The password can
only be changed by a user administrator, or in transaction SU01 (Goto -> Change Password).
Communication
Use the user type Communication for dialog-free communication between systems (RFC or
CPIC service users of different applications, for example ALE, Workflow, TMS, Central User
Administration).
Dialog logon is not possible.
Service
A user of type Service is a dialog user available to a large, anonymous set of people. It should
have closely restricted authorizations.
Service users are used, for example, for anonymous system access through an ITS service. A
session that began anonymously under a service user can be switched to a personal session
under a dialog user once the person authenticates individually.
There is no check for expired or initial passwords at logon, and only the user administrator can
change the password.
Multiple logon is allowed. Because the password never expires and the user is shared, treat
every Service user as a public credential and keep its authorizations to the minimum the
anonymous scenario needs.
Reference
A Reference user is a general, impersonal user like the Service user. You cannot log on with a
Reference user. Its purpose is to give Internet users identical authorizations.
You can specify a Reference user for additional dialog user authorizations on the Roles tab. The
application generally controls the assignment of Reference users. The name of the Reference
user can be assigned to variables, which should begin with "$"; the assignment of variable to
Reference user is made in transaction SU_REFUSERVARIABLE.
This assignment applies to all systems in a Central User Administration (CUA) landscape. If the
assigned Reference user does not exist in a CUA child system, the assignment is ignored.
When reviewing a user's authorizations, include those inherited from the Reference user: they
are effective at logon even though they are not assigned to the user directly.
Step 6
Enter details such as the name and the communication data.
The communication type is the channel through which you exchange documents and messages
with a business partner.
In central address management you can specify a standard communication type, which programs
can use to determine how to send messages.
Step 7 (Optional)
Name of an output device in the SAP System. The name is entered in the definition of the output
device. Users in the SAP System use this name (or the long name) to select the output device.
Maintaining the name: Enter any name you choose to identify an output device in the SAP
System. If you have many printers, name them according to a naming convention; this makes
it easier to select a printer in spool administration using a generic selection.
Processing a spool request: Enter the SAP name of the output device that should execute your
output request. Display a list of available printers and other devices with Possible entries. To set
a default name, choose System -> User profile -> Own data.
Selecting spool requests: Enter the SAP name of an output device to display the spool requests
to be executed by this device. Use Possible entries to display a list of available devices.
Step 8 (Optional)
A field can be filled with proposed values from SAP memory using a parameter ID.
Example
A user only has authorization for company code 001. This company code is stored in memory at
the beginning of a transaction under the corresponding parameter ID. Fields that refer to the data
element are automatically filled with the value 001 on all subsequent screens.
Note that the parameter ID only supplies a default; it does not restrict the user to company code
001. The user can overwrite the field, and only the authorization check decides what is allowed.
Dependencies
A field on a screen is only filled automatically with the value stored under the parameter ID of
its data element if this was explicitly permitted for the field in the Screen Painter.
Step 9
The SAP standard contains more than 1200 predefined single roles from all application areas.
If you assign a predefined role to a user, he or she automatically receives the user menu required
for his or her daily work, and the authorizations required for it, at the next logon to the SAP
System.
The user can also define personal Favorites from the functions assigned to him or her, and
calls transactions, programs or internet/intranet applications from the Favorites or from the
role menu tree.
Before you start to create your own roles for your staff, check whether the roles delivered by
SAP can be used for the job descriptions in your company.
Step 10
User Profiles
The bottom row of the Maintain User screen contains fields for entering the names of profiles
that can be associated with the user. We will discuss how to add user profiles in a later
chapter.
The SAP System contains predefined profiles:
SAP_ALL: gives all R/3 authorizations, including super user authorization. Assign it only to
emergency (firefighter) users that are kept locked until needed and whose use is logged; never
to regular dialog users and never to System or Communication users.
SAP_NEW: gives access to all components that are not yet protected by authorization checks
after an upgrade. It is a bridging profile; remove it again once the new authorization objects
have been added to the productive roles.
Step 11 (Optional)
A user group is a logical grouping of users.
User groups serve to:
a. Provide administrative groups so that users can be managed, and administration rights
delegated, per group.
b. Apply security: the user group is checked in authorization object S_USER_GRP, so an
administrator can be limited to the groups he or she is responsible for.
c. Collect terminated users: create the group Trmin for terminated users and lock all users in
this group.
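The user types, the SAP_ALL/SAP_NEW profiles and the Trmin group described in Steps 5, 10 and 11 define rules that can be checked mechanically over a user export. The following Python script is an added example; it is not code from the original page or from SAP. It assumes a flat record layout (name, user type, profiles, group, lock flag, valid-to date), a rule set of its own (emergency group EMERG, terminated group Trmin, a fixed reference date) and constructed sample records. In a real system the input would come from an SUIM export or from tables USR02, UST04 and USGRP_USER.

```python
"""Audit user master records against the user-type, profile and group rules.

Added example, not part of the original page. Record layout, sample records,
group names and the reference date are this example's own assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

VALID_TYPES = {"Dialog", "System", "Communication", "Service", "Reference"}


@dataclass
class UserRecord:
    name: str
    user_type: str                      # one of VALID_TYPES
    profiles: List[str] = field(default_factory=list)
    group: str = ""                     # user group, e.g. "Trmin"
    locked: bool = False
    valid_to: Optional[date] = None     # None = never expires (empty valid-to date)


# Constructed sample records (not taken from a real system).
SAMPLE_USERS = [
    UserRecord("FIREFIGHTER", "Dialog", ["SAP_ALL", "SAP_NEW"], "EMERG", locked=True),
    UserRecord("ALEREMOTE", "Communication", ["SAP_ALL"], "RFC"),
    UserRecord("BATCHUSR", "System", ["Z_BATCH"], "BATCH"),
    UserRecord("JSMITH", "Dialog", ["Z_FI_DISPLAY"], "Trmin"),          # terminated, still open
    UserRecord("WEBANON", "Service", ["Z_ITS_ANON"], "WEB", valid_to=date(2020, 1, 1)),
    UserRecord("PORTAL_REF", "Reference", ["Z_PORTAL"], "WEB"),
]


def audit_users(users, today=date(2024, 1, 1),
                emergency_group="EMERG", terminated_group="Trmin"):
    """Return a list of (user name, finding) tuples; an empty list means clean."""
    findings: List[Tuple[str, str]] = []
    for u in users:
        if u.user_type not in VALID_TYPES:
            findings.append((u.name, f"unknown user type {u.user_type!r}"))
            continue
        # SAP_ALL / SAP_NEW belong only on a locked emergency (firefighter) dialog user.
        if {"SAP_ALL", "SAP_NEW"} & set(u.profiles):
            if u.user_type != "Dialog" or u.group != emergency_group:
                findings.append((u.name, "SAP_ALL/SAP_NEW outside the emergency-user group"))
            elif not u.locked:
                findings.append((u.name, "emergency user with SAP_ALL is unlocked"))
        # Everyone in the terminated-users group must be locked.
        if u.group == terminated_group and not u.locked:
            findings.append((u.name, f"member of {terminated_group} but not locked"))
        # An account past its validity date should be locked (and later deleted),
        # not left open indefinitely.
        if u.valid_to is not None and u.valid_to < today and not u.locked:
            findings.append((u.name, f"validity ended {u.valid_to.isoformat()} but user is unlocked"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_users(SAMPLE_USERS):
        print(f"{name:12} {finding}")
```

Run against the sample records the script reports ALEREMOTE (SAP_ALL on a Communication user), JSMITH (in Trmin but unlocked) and WEBANON (validity ended but unlocked); the locked FIREFIGHTER user passes. Extend the rule set with your own naming conventions rather than weakening the SAP_ALL rule.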
7. Click
8. Click the "Authorizations" tab
13. If we wish to give full authorization to this role, hit the "Check" button
(we can get an auto-generated profile name from the system if we leave it blank).
16. Generate the authorization profile
17. Click the "User" tab to assign the role to the relevant users
18. Click
Step 1: go to PFCG
Step 2: enter the composite role name and then click on "Comp. role"
Step 3: specify the description
A composite role does not contain an Authorizations tab; it is nothing but a group of one or more
single roles, and the authorizations stay in those single roles.
Step 4: specify the roles
Step 5: click on the "Read menu" tab. When you click on it, the menus of the single roles are
read into the composite role.
Step 6: in the "User" tab enter the user IDs of the people who need this newly created composite
role, then click on "User comparison", then save your composite role.
The composite role is created.
Sometimes there is a requirement to terminate a user session.
For example, a user has run a report or program with inappropriate selection criteria, which
makes the work process go into PRIV mode and occupy so much memory that system
performance suffers. In such cases check with the user and terminate his or her session, or log
the user off system-wide if he or she is no longer working.
2. Pass the client, user name and the message you want to send, and execute the function
module.
Output:
The pop-up appears in the target user's SAP GUI session.
Note: if the user is logged on more than once, the message is sent to each of those logons.
How To Protect Special Users In SAP
Default Passwords for Special Users
User         Description                                               Client                      Default Password
SAP*         SAP NetWeaver AS system super user                        000, 001, all new clients   Hard-coded password PASS (used when no SAP* user master record exists in the client)
DDIC         ABAP Dictionary and software logistics super user         000, 001                    Master password set during installation
EARLYWATCH   Dialog user for the EarlyWatch service in client 066      066                         Master password set during installation
SAPCPIC      User for remote connections to legacy SAP systems (4.5)   000, 001, all new clients   ADMIN
TMSADM       User for the Transport Management System (TMS)            000                         Master password set during installation
Since these users have standard names and passwords, you must secure them against
unauthorized use by outsiders who know of their existence: create SAP* in every client
(including 000, 001 and 066), lock it, give it no profiles and set
login/no_automatic_user_sapstar = 1 so that the hard-coded password PASS can never be used;
change the installation passwords of DDIC, EARLYWATCH, SAPCPIC and TMSADM; and check
these users regularly (transaction SUIM, or report RSUSR003 for the default-password check).
Logon-related profile parameters
Entries marked (*) were lost in the extracted table and have been restored from the standard SAP
profile parameter documentation; verify them with transaction RZ11 on your release.

Password
login/password_charset: Defines which characters a password may contain; the values 0, 1 and 2
progressively allow the full character set at the cost of downward compatibility with older
kernels. (*)
login/min_password_diff: Defines the minimum number of characters in which a new password
must differ from the old one. Default value: 1. (*)
login/password_expiration_time: Defines the number of days after which a dialog user must
change the password. Default value: 0 (no expiration); permissible values: any numerical value.
login/password_change_for_SSO: If the user logs on with Single Sign-On, checks whether the
user must change his or her password. Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by
Support Package.
login/disable_password_logon: Controls the deactivation of password-based logon. This means
that the user can no longer log on using a password, but only with Single Sign-On variants
(X.509 certificate, logon ticket). More information: Logon Data Tab Page. Available as of SAP
Web AS 6.10, as of SAP Basis 4.6 by Support Package.
login/password_logon_usergroup: Controls the deactivation of password-based logon for user
groups. Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package.

Multiple Logon
login/disable_multi_gui_login: Controls the deactivation of multiple dialog logons. Available as
of SAP Basis 4.6.
login/multi_login_users: List of excepted users, that is, the users that are permitted to log on to
the system more than once. Available as of SAP Basis 4.6.

Incorrect Logon
login/fails_to_session_end: Defines the number of unsuccessful logon attempts before the system
ends the logon session and allows no more attempts in it. The parameter is to be set to a value
lower than the value of login/fails_to_user_lock. Default value: 3; permissible values: 1-99.
login/fails_to_user_lock: Defines the number of unsuccessful logon attempts before the system
locks the user. By default, the lock applies until midnight. Default value: 12; permissible values:
1-99.
login/failed_user_auto_unlock: Defines whether user locks due to unsuccessful logon attempts
are automatically removed at midnight. Default value: 1 (lock applies only on the same day);
permissible values: 0, 1. Set it to 0 if a lock is meant to be reviewed by an administrator rather
than lifted automatically.

Initial Passwords
login/password_max_new_valid: Defines the validity period of passwords for newly created
users. Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package.
login/password_max_reset_valid: Defines the validity period of reset passwords. Available as of
SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package.

SSO Logon Tickets
login/accept_sso2_ticket: Allows or locks the logon using an SSO ticket. Available as of SAP
Basis 4.6D, as of SAP Basis 4.0 by Support Package. (*)
login/create_sso2_ticket: Allows the creation of SSO tickets. Available as of SAP Basis 4.6D. (*)
login/ticket_expiration_time: Defines the validity period of an SSO ticket. Available as of SAP
Basis 4.6D. (*)
login/ticket_only_by_https: The logon ticket cookie is only transferred over HTTPS (the cookie
gets the secure attribute). Available as of SAP Basis 4.6D. (*)
login/ticket_only_to_host: When logging on over HTTP(S), sends the ticket only to the server
that created the ticket. Available as of SAP Basis 4.6D. (*)

Other Logon Parameters
login/disable_cpic: Refuses inbound connections of type CPIC. (*)
login/no_automatic_user_sapstar: Controls the emergency user SAP* (SAP Notes 2383 and
68048). (*)
login/system_client: Specifies the default client. This client is automatically filled in on the
system logon screen. Users can type in a different client. (*)
login/update_logon_timestamp: Specifies the exactness of the logon timestamp. Available as of
SAP Basis 4.6. (*)

Session Timeout
rdisp/gui_auto_logout: Defines the maximum idle time for a user in seconds (applies only for
SAP GUI connections). Default value: 0 (no restriction); permissible values: any numerical
value. (*)
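The parameter descriptions above cover each setting on its own; in practice you check a whole profile against a baseline, and a parameter that is absent from the profile is just as important as one that is set badly, because the kernel default then applies. The following Python script is an added example, not code from the original page or from SAP. It assumes only the SAP profile file format (one name = value per line, # starts a comment), which is how DEFAULT.PFL and instance profiles are stored; the baseline thresholds, the kernel defaults not stated in the tables above, and both constructed sample profiles are this example's own assumptions, to be verified against the SAP Security Guide for your release.

```python
"""Check an SAP profile against a logon-hardening baseline.

Added example, not part of the original page. Baseline values, assumed kernel
defaults and both sample profiles are this example's own assumptions.
"""
import re

# Constructed sample: a weak profile as it might be exported from RZ10.
WEAK_PROFILE = """\
# constructed sample, not taken from a real system
SAPSYSTEMNAME = DEV
login/fails_to_session_end = 3
login/fails_to_user_lock = 99
login/failed_user_auto_unlock = 1
login/password_expiration_time = 0
login/min_password_diff = 1
login/disable_multi_gui_login = 0
login/no_automatic_user_sapstar = 0
login/ticket_only_by_https = 0
rdisp/gui_auto_logout = 0
"""

# Constructed sample: the same parameters at the baseline values.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = DEV
login/fails_to_session_end = 3
login/fails_to_user_lock = 5
login/failed_user_auto_unlock = 0
login/password_expiration_time = 90
login/min_password_diff = 3
login/disable_multi_gui_login = 1
login/no_automatic_user_sapstar = 1
login/ticket_only_by_https = 1
rdisp/gui_auto_logout = 1800
"""

# Baseline (assumed): parameter -> (predicate on the integer value, target text).
BASELINE = {
    "login/fails_to_session_end":      (lambda v: v <= 3,         "<= 3"),
    "login/fails_to_user_lock":        (lambda v: v <= 5,         "<= 5"),
    "login/failed_user_auto_unlock":   (lambda v: v == 0,         "= 0 (no automatic unlock at midnight)"),
    "login/password_expiration_time":  (lambda v: 1 <= v <= 90,   "1..90 days"),
    "login/min_password_diff":         (lambda v: v >= 3,         ">= 3"),
    "login/disable_multi_gui_login":   (lambda v: v == 1,         "= 1"),
    "login/no_automatic_user_sapstar": (lambda v: v == 1,         "= 1 (never fall back to SAP*/PASS)"),
    "login/ticket_only_by_https":      (lambda v: v == 1,         "= 1"),
    "rdisp/gui_auto_logout":           (lambda v: 1 <= v <= 3600, "1..3600 seconds"),
}

# Value that applies when the parameter is not set in any profile. The first four
# are stated in the tables above; the others are assumed kernel defaults.
KERNEL_DEFAULTS = {
    "login/fails_to_session_end": 3,
    "login/fails_to_user_lock": 12,
    "login/failed_user_auto_unlock": 1,
    "rdisp/gui_auto_logout": 0,
    "login/password_expiration_time": 0,
    "login/min_password_diff": 1,
    "login/disable_multi_gui_login": 0,
    "login/no_automatic_user_sapstar": 0,
    "login/ticket_only_by_https": 0,
}

_PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_./-]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: raw string value} for every 'name = value' line.
    A later line overrides an earlier one, as in SAP profile processing."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = _PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def check_profile(text):
    """Return findings as (parameter, effective value, source, target); source is
    'profile' when the value was set explicitly and 'default' otherwise."""
    params = parse_profile(text)
    findings = []
    for name, (ok, target) in BASELINE.items():
        raw = params.get(name)
        if raw is None:
            value, source = KERNEL_DEFAULTS[name], "default"
        else:
            source = "profile"
            try:
                value = int(raw)
            except ValueError:
                findings.append((name, raw, source, f"non-numeric value, expected {target}"))
                continue
        if not ok(value):
            findings.append((name, value, source, target))
    return findings


if __name__ == "__main__":
    for name, value, source, target in check_profile(WEAK_PROFILE):
        print(f"{name:34} = {value!s:6} ({source}) expected {target}")
```

On the weak sample every parameter except login/fails_to_session_end is reported; the hardened sample produces no findings, and an empty profile produces the same eight findings as the weak one, marked "default", which is the case that a manual review of RZ10 most easily misses.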
3. The button is invisible because of this variant. Deactivate the variant and the transport button
becomes visible again.
For direct ABAP web service requests, we can set up logon groups that the SAP Web Dispatcher
can use. If no logon groups are configured for the Web Dispatcher, the load is distributed to all
ABAP instances on which the ICM is configured. Based on URLs, we can also route certain
groups of requests to dedicated logon groups.
Logon groups for ALE/RFC:
Asynchronous RFCs are used for parallel processing. If the parallel processes are not limited
properly, they can occupy all available work processes, which impacts dialog users and can
bring down the application. It is therefore a good idea to create separate logon groups for
incoming RFC calls, so that RFC load is kept away from the work processes serving online
users. Combine this with RFC server-group quotas (transaction RZ12) so that a misbehaving or
malicious RFC client cannot exhaust an instance.
Guidelines:
After assigning instances to logon groups:
i) Verify whether the instances of the logon groups are evenly loaded.
ii) If an instance hangs or is temporarily disconnected, you should be able to redistribute the
users, so set up at least 2 SAP instances for each logon group.
iii) Setting up logon groups involves extra administration and monitoring, so do not set up an
unnecessarily large number of logon groups.
How to set up logon groups?
Transaction SMLG is used for creating logon groups.
Log on to the SAP system and go to transaction SMLG as shown below:
In the above example there are 2 instances (00 and 09) in this SAP system. They are not yet
assigned to any logon group.
We can create a new logon group by clicking on the highlighted Create icon on the above screen.
This opens the screen below.
In that screen, either select a logon group from the dropdown or type its name if you are creating
a new one. Then assign an instance to the logon group and click Copy to save the assignment.
In this example I am creating two logon groups, hr and fico, and assigning instances 00 and 09
respectively. The screenshots below show the same.
Repeat the same step to create the logon group fico and assign instance 09 to it as shown above.
After doing this, you can see the following logon groups in SMLG.
Once the logon group setup is done, log off from the SAP system and go to the SAP GUI
(SAP Logon) entry of the respective SAP system.
Open the properties of the respective GUI entry and go to the Connection tab as shown below.
Select "Group/Server selection" from the Connection Type dropdown as shown above, and
maintain the description and system ID of the system as shown above.
Now you should be able to view the newly created logon groups, as shown in the figure below.
Note that you also see the logon group SPACE, which exists by default.
Now you can configure any desired logon group for the users as shown below.
In the above screen, for example, the fico group is assigned in the end user's GUI entry, so from
now on he or she logs on to instance 09 only.
How to delete a logon group or assignment?
If you no longer require a logon group, delete it as follows:
i) Go to transaction SMLG.
ii) Select the respective row and click on "Delete assignment", which deletes the assignment of
an instance to a logon group (highlighted in green in the screen below).
Alternatively, you can view this by navigating to Goto -> Load Distribution or by pressing F5
in the above screen.