Chapter 9: Nonscheduled User Administration Tasks
Contents
Overview  9–2
  User Groups  9–2
  Profile Generator  9–2
Recommended Policies and Procedures  9–3
  User Administration  9–3
  System Administration  9–5
New User Setup  9–7
  Prerequisites  9–7
  Installing the Frontend Software – SAPgui  9–8
  Adding Additional Systems  9–16
  Setting Up a New User  9–19
Maintaining a User  9–26
  Resetting a Password  9–28
  Locking or Unlocking a User  9–29
User Groups  9–31
  How to Create a User Group  9–32
Deleting a User's Session (Transaction SM04)  9–33
  How to Terminate a User Session  9–33
Maintaining a Table of Prohibited Passwords  9–34
Overview
User administration is a serious function, not just a necessary administrative task, because security is at stake each time a user accesses the system. Because the company's financial and other proprietary information is on the system, the administrator is subject to external requirements and recommendations from the company's external auditors, regulatory agencies, and others. Consult your external auditors for the audit-related internal control requirements that apply to user administration. Human Resources should also be consulted if the HR module is implemented or any sensitive personnel data is maintained on the system.
A full discussion of security and user administration is beyond the scope of this guidebook; we have limited our discussion to a small subset of the topic. Manually creating and maintaining security profiles and authorizations is also not covered.
User Groups
User groups are created by an administrator to organize users into logical groups, such as:
- Basis
- Finance
- Shipping
For additional information, refer to the section User Groups on page 9–31.
Profile Generator
The Profile Generator is a tool that simplifies the creation and maintenance of SAP security. It reduces (but does not eliminate) the need for specialized security consultants. The Profile Generator is most valuable for smaller companies with limited resources that cannot afford dedicated security administrators.
For additional information on the Profile Generator, see the Authorizations Made Easy guidebook.
Release 4.0B
9–2
Chapter 9: Nonscheduled User Administration Tasks
Recommended Policies and Procedures
User administration is a serious security and audit issue. Some of the tasks in this guidebook are aimed at complying with common audit procedures. Obtaining proper authorization and documentation should be a standard prerequisite for every user administration action.
User Administration
User administration comprises the following:
- User ID naming conventions
  The employee's company ID number (for example, e0123456).
  Last name plus first initial, or first name plus last initial. In a small company, where names are often used as IDs, it is common to use the employee's last name followed by the first initial of the first name, or the employee's first name followed by the first initial of the last name (for example, jonesb or barbaraj).
  Clearly identifiable user IDs for temporary employees and consultants (for example, T123456 and C123456). An ID that identifies its holder as temporary makes it easy to find the accounts that must carry an expiration date.
- Adding or changing a user
  The user's manager should sign a completed user add-or-change form.
  The form should indicate the required security, job role, and whatever else defines how security is assigned in your company.
  If the security crosses departments or organizations, the affected managers should also approve.
  If the user is not a permanent employee, or if the access is for a limited duration, the time period and the expiration date should be indicated.
  The forms should be filed by employee name or ID.
  A periodic audit should be performed in which all approved authorizations are verified against what is actually assigned to the user, in both directions: every assigned profile should trace back to an approved form, and every approved form should match what is in the system.
- Group responsibility
  Similar to banks, there should be a "secret word" that users can use to verify their identity over the phone. This word is used when a user needs their password reset or their user ID unlocked.
System Administration
- Special user IDs
  The two user IDs SAP* and DDIC should only be used for tasks that specifically require one of them. Any user who needs similar "super user" rights should be given a copy of the SAP* user's security under their own user ID, so that actions remain attributable to a person.
  The security rights of SAP* and DDIC are extensive, dangerous, and pose a security risk. Anyone requiring or requesting similar security rights should have a very valid reason for the request. Convenience is not a valid reason. The security profile that serves as the "master key" is SAP_ALL, and to a lesser degree, SAP_NEW.
  The user ID SAP* should never be deleted. Instead, change its password. If the user master record for SAP* is deleted, the R/3 kernel falls back to a built-in SAP* user with the well-known password PASS and unrestricted rights, which are programmed into the system rather than stored in the user master. SAP* then has security rights that you do not know about and cannot control. (Where your release supports it, the profile parameter login/no_automatic_user_sapstar disables this built-in user; it is a safety net, not a replacement for the rule above.)
  The user IDs SAP* and DDIC are delivered with published default passwords (06071992 for SAP* and 19920706 for DDIC). Change them in every client, including the clients you do not actively use, to prevent unauthorized use of these special user IDs.
  An external audit procedure checks the security of these two user IDs.
  For medium- and large-size companies, granting developers SAP* equivalent security rights in the development and test systems is usually inappropriate. SAP* equivalent security in the production system is a security and audit issue and should be severely limited.
R/3 User Change Request

Company ID: ______________

System/client no.:   PRD 300   |   QAS 200  210  220   |   DEV 100  110  120

Employee: ______________________            Type of change:   [ ] Change user
Department name/cost center number: ______                    [ ] Delete user
User ID: ______________________                               [ ] Add user
Position: ______________________            Expiration date (mandatory for temporary employees): __________
Secret word: ___________________            Request urgency:  [ ] High   [ ] Medium   [ ] Low
Requester: _____________________
Requester's position: __________
Requester's phone: _____________

Employee's job function (if similar to others in the department, give the name and user ID of a person with a similar job function):
________________________________________________________________

Special access/functions:
________________________________________________________________

Requester signoff   Name: ______________  Signature: ______________  Date signed: __________
Manager signoff     Name: ______________  Signature: ______________  Date signed: __________
Owner signoff       Name: ______________  Signature: ______________  Date signed: __________
New User Setup
Prerequisites
General Process or Procedure
Before you begin to set up a new user, you should have "in hand" the user add form, with all the required information and approvals.
The User's Desktop
Find out whether the user's desktop meets the following criteria:
- Does the system configuration meet the minimum requirements for SAP?
- Is the display resolution set to a minimum of 800 x 600?
- Is there sufficient space on the hard disk to install the SAPgui, with enough room left for desktop applications to run?
  For Windows, a minimum of 50 MB of free space should remain after installing SAPgui. A practical minimum, however, is at least 100 MB of free space.
Network Functionality
Find out whether the network functionality meets the following criteria:
- Can the user log on to the network?
From the user's computer:
- Can you "ping" the SAP application server(s) that the user will be logging on to?
- If the SAPgui will be loaded from a file server, can you access the file server from which the SAPgui will be loaded?
For Installation of SAPgui
Before you install the SAPgui, you should have the server name and the system (instance) number (for example, xsysdev and 00). You will need to enter this information during the installation.
Recommended Prerequisite for the GUI Installation
The online documentation should be installed according to the instructions in the SAP document Installing the Online Documentation (Release 4.0B). Note that the online documentation installation and access method has changed since Release 3.x.
Installing the Frontend Software – SAPgui
The SAPgui or frontend installation instructions are in the installation guide, Installing SAP Frontend Software for PCs.
The SAPgui can be installed from:
- A copy of the presentation CD on a file server
- The presentation CD or a copy of the CD
Installing SAPgui from a File Server
The preferred method is to install SAPgui from a file server, because you do not need to carry the presentation CD around. Also, remote installations can be completed without shipping out, and potentially losing, the original CD.
The prerequisites for installing SAPgui from a file server are:
- Copy the SAPgui load files from the presentation CD to a shared directory on a file server.
- Have access to the shared directory from the user's PC.
How to Install the SAPgui
Guided Tour
1. Map a drive to the share on the network where the presentation CD has been copied.
2. Select the mapped drive to the presentation CD software.
3. Navigate down to the directory for your platform.
   In this example: Sim-cd on 'Pal100767' (E:) → sapgui-40b → Gui → Windows → Win32.
   For other platforms, select the appropriate platform directory: Os2, Unix (Aix, Common, Dec, Hpux, Reliant, Solaris), and win16.
4. Double-click on Sapsetup.exe.
   The installation program starts.
5. Choose Next.
Individual Installation of Components
To install SAPlogon you must use the individual installation.
1. Select Individual installation.
2. Choose Next.
4. Choose Next.
5. From here, continue with the Standard installation procedure.
Standard Installation
1. Choose Local Installation to install the software on the desktop PC.
2. Choose Next.
The time to complete the installation depends on the speed of your computer and the speed at which the files can be copied over the network.
Installing SAPgui from the Presentation CD
When the network connection between the SAPgui files on the network and the user is too slow to permit installation, install SAPgui from the presentation CD. A slow connection could result from a slow modem or a slow link in the network.
A copy should be made of the original presentation CD and the copy shipped to the user site. You then keep control of the original CD and reduce the chance that it might get lost. The SAPgui installation files can also be copied to other high-capacity removable media, such as ZIP® or optical disk, as appropriate for your company.
The CD (or other delivery media) can then be safely sent to the user's site. From there, it can either be loaded onto a local file server for installation or installed directly from the delivery media.
The prerequisite for such an installation is that the user has a CD drive or another drive compatible with the delivery media (ZIP®, optical, etc.) on which the SAPgui files are delivered.
To install SAPgui from a CD:
1. Insert the copy of the Release 4.0B presentation CD into the CD-ROM drive.
2. In Windows Explorer, choose the CD-ROM drive.
3. Choose Gui → Windows → Win32 (or the appropriate directory).
4. Double-click on Sapsetup.exe.
5. Follow the same procedure as when loading from a file server.
6. Test that you can connect and log on to the system.
Adding Additional Systems
You can add another system to the:
- SAP icon group
- SAP Logon
The method you choose depends on how your company has been set up.
Icon Group
The icon group is the SAPgui default installation. If your user only logs on to one server, the icon group is sufficient.
SAP Logon
Prerequisite:
- SAP Logon is installed using the Individual Installation.
SAP Logon is used when:
- Load balancing is required; load balancing works only through SAP Logon.
- The user is a system administrator or someone else who has to log on to many systems. You do not have to deal with many separate icons to log on to the different systems; all instances can be configured in the one SAP Logon menu.
Guided Tour
To Add a New System to the SAP Icon Group
Load balancing will not function if the SAP icon group is used. For load balancing, the SAP Logon is required.
1. From the Windows desktop, choose Start → Programs → SAP Frontend 4.0B → SAPicon.
   If you changed the name of the group during the installation, choose that name instead of SAP Frontend 4.0B in the path above.
2. Select R/3 system.
3. Enter the name of the server in Servername.
   The server name you enter will appear as the name under the icon created. You can change the name later using a function in Windows.
4. Enter the system (instance) number in System ID.
5. Routerstring is normally left blank.
6. Choose OK.
To Add Additional Systems in the SAP Logon
1. On the SAP Logon window, choose New.
Setting Up a New User
The procedural prerequisite is to check that all documentation and authorizations required to set up a new user are present.
There are two ways to create a new user:
- Copy an existing user
- Create a new user from scratch
Copying an Existing User
You can copy from an existing user if you have a good match. The new user will have the same security profiles as the existing user. This process is the easiest, and therefore the recommended, method for a small company. Because the copy carries every profile of the source user, compare the source user's profiles with the new user's approved form before copying; copying a user who has accumulated extra rights over time propagates those rights.
Create "template" users for the various job functions that can be copied to create new users.
Prerequisite:
A valid user ID to copy is identified on the user setup form.
Guided Tour
A telephone number should be a required entry field. If a system problem is identified with the user, you need to be able to contact that user.
16. Choose Defaults.
Creating a New User from Scratch
Sometimes it becomes necessary to create a new user "from scratch." You may need to do this when you do not have another user to copy from.
Guided Tour
A telephone number should be a required entry field. If a system problem is identified with the user, you need to be able to contact that user.
10. Choose Logon data.
Maintaining a User
Before maintaining a user, have a properly completed and approved user change form.
Why
You need to maintain a user to manage:
- Job changes to an existing job or position
- New jobs or positions
- User data changes, such as name, address, phone number, etc.
Guided Tour
Resetting a Password
Why
The most common reason to reset a user's password is that the user forgot it. In this situation, it is likely that the user has attempted to log on too many times with an incorrect password and has locked their user ID, so you will also have to unlock the user ID.
Make certain that the person who requests the password reset is indeed the valid user. A basic verification method is to use a display telephone so that you can compare the displayed caller ID number against the user's phone number stored in the system or found in the company phone directory. Caller ID on its own is weak evidence: it shows which phone the call comes from, not who is speaking.
We recommend a method similar to banks, where the user has a "secret word" that is used to verify their identity over the phone. Remember that this method is not perfect either, because someone can overhear the secret word, and a word written on the user add form can be read by anyone who handles the form.
You should maintain a security log of password resets, recording who requested the reset, how the requester was verified, who performed the reset, and when. Log refused requests as well; a caller who fails verification is itself a sign worth following up. This log should be periodically audited to look for potential problems.
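The verification and logging described above, written out as an added example that is not part of the original guidebook and uses no SAP interface. It keeps the secret word only as a salted hash, so a copy of the administrator's records does not reveal it; normalizes the word the way it would be heard over the phone; treats caller ID as supporting evidence rather than proof; and appends a log entry for every request, refused ones included. The record layout, the function names and the sample user are assumptions for illustration; the same check applies to unlock requests.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone


def _normalize(word):
    # A word spoken over the phone carries no case or spacing, so compare on a
    # normalized form: "Blue Heron" and "blueheron" are the same secret.
    return "".join(word.split()).upper().encode("utf-8")


def _digest(word, salt):
    # PBKDF2 makes offline guessing slow if the records are ever copied.
    return hashlib.pbkdf2_hmac("sha256", _normalize(word), salt, 100_000)


def enroll_secret_word(user_id, secret_word):
    """Assumed record layout: the word itself is never stored, only salt + hash."""
    salt = os.urandom(16)
    return {"user_id": user_id, "salt": salt, "digest": _digest(secret_word, salt)}


def verify_secret_word(record, spoken_word):
    candidate = _digest(spoken_word, record["salt"])
    # Constant-time comparison; a plain == leaks timing about matching prefixes.
    return hmac.compare_digest(candidate, record["digest"])


def request_password_reset(log, record, spoken_word, admin_id,
                           caller_number, expected_number, when=None):
    """Verify the caller and append one log entry either way.
    Returns True only when the reset may proceed."""
    word_ok = verify_secret_word(record, spoken_word)
    phone_ok = caller_number == expected_number   # caller ID: evidence, not proof
    approved = word_ok and phone_ok
    log.append({
        "time": (when or datetime.now(timezone.utc)).isoformat(),
        "user_id": record["user_id"],
        "admin_id": admin_id,
        "secret_word_ok": word_ok,
        "caller_id_ok": phone_ok,
        "result": "RESET" if approved else "REFUSED",
    })
    return approved


def refused_attempts(log, user_id):
    """Audit helper: refused requests for one user ID, the trace an impostor
    trying several guesses at the secret word leaves behind."""
    return [e for e in log if e["user_id"] == user_id and e["result"] == "REFUSED"]
```

When the audit runs over the log, a user with repeated REFUSED entries deserves a call back at the number on file, not just a note.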
Guided Tour
For security, you can only set an initial value for the user's password. The user is then required to change the password when they next log on. You cannot see what the user's current password is, nor can you set a permanent password for the user. Give the initial password only to the verified user, and do not choose one that follows a guessable pattern (such as the user ID or the current month), since the initial value is valid until the user changes it.
Locking or Unlocking a User
What
The lock/unlock function is part of the logon check, which allows the user to log on (or prevents the user from logging on) to the R/3 System.
Why
- Locking a user
  If a user leaves the company, is assigned to a different group, or is on leave, their R/3 access should be removed. The lock function allows the user ID and security profile for that user to remain on the system but does not allow the user to log on. This function is ideal for temporary personnel or consultants, whose user IDs stay locked except when they need access.
- Unlocking a user
  A user is automatically locked out of the system if they attempt to log on incorrectly more than the allowed number of times (the limit is set by the profile parameter login/fails_to_user_lock); this is usually the result of the user forgetting their password. The administrator must unlock the user ID and, more than likely, reset the user's password.
  Before unlocking a user, determine whether the request is valid. Do not unlock a user who has been manually locked without first finding out why this was done. You may discover an important reason why the user should not access the system. Apply the same identity verification as for a password reset; an unlock is worth as much to an impostor as a reset.
Guided Tour
User Groups
What
A user group is a logical grouping of users (for example, shipping, order entry, and finance).
The following restrictions apply to user groups:
- A user can belong to only one user group.
- A user group must be created before users can be assigned to it.
- A user group provides no security until the security system is configured to use user group security.
Create the group TERM for terminated users. Lock all users in this group and, for most of these users, delete the security profiles. This process keeps the user information for terminated users on the system while preventing the user ID from being used to log on.
Why
The purpose of a user group is to:
- Provide administrative groups for users so they can be managed as groups.
- Apply security.
Usage
The following are a few recommended special groups:
Group      Definition
TERM       Terminated users. This way, user records can be kept in the system for identification.
           - All users in this group should be "locked."
           - Unless the user is being kept as a template, all security profiles should be removed from the user.
SUPER      Users with SAP* and DDIC equivalent profiles.
TEMPLATE   Template users to be used to create real users.
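The periodic audit called for under Recommended Policies and Procedures, applied to the special user IDs and to the special groups above, as an added example that is not part of the original guidebook. It reconciles a user export against the approved add/change forms and flags what the policy sections say should never be true: assigned profiles with no approved form, temporary or consultant IDs without an expiration date or with one that has passed while the user is still unlocked, TERM users that are unlocked or still hold profiles, SAP_ALL or SAP_NEW holders outside group SUPER, and a missing SAP* or DDIC. The sample export, the approved-forms list, the Z_ profile names and the function names are constructed assumptions; a real run would read the same fields from the user master records.

```python
from datetime import date

# Constructed sample export (not from any real system): the subset of a user
# master record that the audit needs.
USERS = [
    {"id": "JONESB",  "group": "FI",      "locked": False, "valid_to": None,              "profiles": {"Z_FI_CLERK"}},
    {"id": "T123456", "group": "TEMP",    "locked": False, "valid_to": date(1998, 6, 30), "profiles": {"Z_SD_SHIP"}},
    {"id": "C123456", "group": "CONSULT", "locked": False, "valid_to": None,              "profiles": {"Z_MM_BUYER"}},
    {"id": "SMITHJ",  "group": "TERM",    "locked": True,  "valid_to": None,              "profiles": {"Z_FI_CLERK"}},
    {"id": "BASIS1",  "group": "BASIS",   "locked": False, "valid_to": None,              "profiles": {"SAP_ALL"}},
    {"id": "SAP*",    "group": "SUPER",   "locked": False, "valid_to": None,              "profiles": {"SAP_ALL", "SAP_NEW"}},
]

# Constructed: the approved add/change forms on file, user ID -> approved profiles.
APPROVED_FORMS = {
    "JONESB": {"Z_FI_CLERK"},
    "T123456": {"Z_SD_SHIP"},
    "C123456": {"Z_MM_BUYER"},
}

SPECIAL_IDS = ("SAP*", "DDIC")
MASTER_KEY_PROFILES = {"SAP_ALL", "SAP_NEW"}
AUDIT_DATE = date(1998, 9, 15)   # fixed so the sample result is reproducible


def is_temporary_id(user_id):
    # Naming convention from the policy section: T123456 / C123456.
    return user_id[:1] in ("T", "C") and user_id[1:].isdigit()


def audit_users(users, approved_forms, today):
    """Return (user_id, finding) pairs; an empty list means nothing to explain."""
    findings = []
    for u in users:
        uid = u["id"]
        if uid in SPECIAL_IDS:
            if u["group"] != "SUPER":
                findings.append((uid, "special user ID is not in group SUPER"))
            continue   # the forms process does not apply to SAP* and DDIC
        if is_temporary_id(uid):
            if u["valid_to"] is None:
                findings.append((uid, "temporary/consultant ID has no expiration date"))
            elif u["valid_to"] < today and not u["locked"]:
                findings.append((uid, f"access expired {u['valid_to']} but user is not locked"))
        unapproved = u["profiles"] - approved_forms.get(uid, set())
        if unapproved:
            findings.append((uid, f"profiles assigned without an approved form: {sorted(unapproved)}"))
        if u["group"] == "TERM":
            if not u["locked"]:
                findings.append((uid, "terminated user is not locked"))
            if u["profiles"]:
                findings.append((uid, f"terminated user still holds profiles: {sorted(u['profiles'])}"))
        if u["profiles"] & MASTER_KEY_PROFILES and u["group"] != "SUPER":
            findings.append((uid, "holds SAP_ALL/SAP_NEW but is not in group SUPER"))
    present = {u["id"] for u in users}
    for special in SPECIAL_IDS:
        if special not in present:
            findings.append((special, "special user ID is missing; SAP* and DDIC must never be deleted"))
    return findings


def run_sample_audit():
    return audit_users(USERS, APPROVED_FORMS, AUDIT_DATE)


if __name__ == "__main__":
    for uid, finding in run_sample_audit():
        print(f"{uid:<10} {finding}")
```

Every finding maps back to a sentence in the policy sections, which is what makes the list usable as an audit working paper: each line is either fixed or signed off with a reason.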
How to Create a User Group
Guided Tour
Deleting a User's Session (Transaction SM04)
What
Use transaction SM04 to terminate a user's session.
Why
Transaction SM04 may show a user as active when the user has actually logged off. This condition is usually caused by a network failure that cuts off the user, or by the user not closing out of the system properly (for example, the user turned the PC off without logging off).
A user may be on the system and need to have their session terminated:
- The user's session may be "hung," and terminating the session is the only way to remove it.
- The user may have gotten into a "one way" menu path without an exit or cancel option. This situation is dangerous, and the only safe option is to terminate the session.
How to Terminate a User Session
Guided Tour
1. Verify that the user is actually logged off from R/3 and that there is no SAPgui window minimized on the desktop. Verification is done by physically checking the user's computer.
   Verification is important because users may have forgotten that they minimized a session.
In step 3 above, double-check that the selected user is the one you really want to delete. It is very easy to select the wrong user.
Maintaining a Table of Prohibited Passwords
What
A table of prohibited passwords is a user-defined list of passwords that are prohibited from being used in the R/3 System. Entries may contain the wildcards "*" (any sequence of characters) and "?" (any single character), so a single entry such as SAP* covers a whole family of passwords; the comparison is not case sensitive.
There is an interaction between a system profile parameter and the table of prohibited passwords. If the minimum password length (profile parameter login/min_password_lng) is set to five characters, there is no reason to prohibit passwords like "123" or "SAP," because these passwords would already fail the minimum length test. However, if company security policy requires it, you could include all passwords that are considered "risky" in the table.
This table is not a substitute for good password policy and practices by the users.
The following is a list of easily guessed passwords that cannot be put into any table, because they are different for each user:
- <your name>
- <your spouse's name>
- <your child's name>
- <your pet's name>
- <your car's license plate>
A company password policy should be prepared and distributed to all users to make them aware that they should not use these easy-to-guess passwords.
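The checks described in this section, as an added example that is not part of the original guidebook: it evaluates a candidate password against a minimum length, the eight-character maximum of R/3 passwords at this release, a USR40-style list with "*" and "?" wildcards, and the per-user terms (names, license plate) that no table can hold but an administrator can check when setting an initial password. It also reports which table entries are redundant given the minimum length, the interaction described above. The parameter value, the entry list and the function names are constructed assumptions; the matching semantics follow the wildcard rules, not an SAP code path.

```python
import re

# Assumptions for illustration: a value for login/min_password_lng and a
# constructed USR40 entry list (not an export from any system).
MIN_PASSWORD_LNG = 5
MAX_PASSWORD_LNG = 8      # R/3 passwords at this release are at most eight characters
USR40_ENTRIES = ["SAP*", "PASS*", "*PASSWORD*", "123*", "INIT*", "WELCOME?"]


def usr40_to_regex(entry):
    """USR40 semantics: '*' matches any run of characters, '?' exactly one,
    everything else literally; the comparison is not case sensitive."""
    parts = []
    for ch in entry:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


_COMPILED = [(entry, usr40_to_regex(entry)) for entry in USR40_ENTRIES]


def check_password(password, user_terms=()):
    """Return the reasons a candidate password would be rejected; an empty list
    means it passes. user_terms are the per-user values (name, spouse's name,
    license plate, ...) that cannot be kept in a table."""
    reasons = []
    if len(password) < MIN_PASSWORD_LNG:
        reasons.append(f"shorter than login/min_password_lng ({MIN_PASSWORD_LNG})")
    if len(password) > MAX_PASSWORD_LNG:
        reasons.append(f"longer than {MAX_PASSWORD_LNG} characters")
    for entry, pattern in _COMPILED:
        if pattern.match(password):
            reasons.append(f"matches USR40 entry {entry}")
    for term in user_terms:
        normalized = "".join(term.split()).upper()
        # Very short terms (initials) would reject almost everything; skip them.
        if len(normalized) >= 3 and normalized in password.upper():
            reasons.append(f"contains user-specific term {term!r}")
    return reasons


def redundant_entries(entries, min_length):
    """Entries that can never match: without '*' an entry matches only passwords
    of exactly its own length, so anything shorter than the minimum length is
    already rejected by the profile parameter (e.g. '123' or 'SAP' with min 5)."""
    return [e for e in entries if "*" not in e and len(e) < min_length]
```

Run the check on the initial password you are about to set, with the user's name and phone number from the master record as user_terms; the table alone cannot catch "JONES7B" for user JONESB.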
Why
Many lists of commonly used passwords are in circulation. If a user uses one of these passwords, the chance of an unauthorized person accessing the user's account increases.
How
Changes are made to table USR40 using transaction SM31, the general "table maintenance" transaction (for more information, see chapter 10, Nonscheduled System Administration Tasks: Table Maintenance). The change creates a transport that can then be transported throughout the landscape, so the same list applies in every system.
Keep a log of changes made to this table in your security log.
Suggestions for table entries: