User Admin Tasks

8/9/2019 User Admin Tasks

1/36

System Administration Made Easy 91

&KDSWHU 1RQVFKHGXOHG8VHU

$GPLQLVWUDWLRQ7DVNV

&RQWHQWV

Overview ..................................................................................................................92

User Groups..............................................................................................................92

Profile Generator.......................................................................................................92

Recommended Policies and Procedures .............................................................93

User Administration...................................................................................................93

System Administration ..............................................................................................95

New User Setup.......................................................................................................97

Prerequisites .............................................................................................................97

Installing the Frontend SoftwareSAPgui .................................................................98

Adding Additional Systems .....................................................................................916

Setting Up a New User ...........................................................................................919

Maintaining a User ................................................................................................926

Resetting a Password...........................................................................................928

Locking or Unlocking a User ...............................................................................929

User Groups ..........................................................................................................931

How to Create a User Group ..................................................................................932

Deleting a Users Session (Transaction SM04)..................................................933

How to Terminate a User Session ..........................................................................933

Maintaining a Table of Prohibited Passwords ...................................................934


2/36

Chapter 9: Nonscheduled User Administration Tasks

Overview

Release 4.0B92

2YHUYLHZ

User ad ministration is a serious fun ction, not just a necessary ad ministrative task because

security is at stake each time u sers access the system . Because the companys finan cial and

other p roprietary information is on the system, the adm inistrator is subject to external

requirements and recommend ations from the comp anys external aud itors, regulatory

agencies, and others. Users should consult with their external aud itors for au dit-related

internal control user ad ministration requ irements. Hum an Resources shou ld be consulted if

the HR mod ule is implemented or any sensitive personnel data is maintained on the system.

A full discussion on security and user ad ministration is beyond the scope of this guidebook.

We have limited ou r d iscussion to a small subset of this issue. Manually creating an d

maintaining security profiles and authorizations is also not covered.

8VHU*URXSV

User group s are created by an administrator to organize users into logical group s, such as:


3/36


Recommended Policies and Procedures

System Administration Made Easy93

5HFRPPHQGHG3ROLFLHVDQG3URFHGXUHV

User ad ministration is a serious security and aud it issue. Some of the tasks in th is

guidebook are aimed at complying with comm on aud it procedu res. Obtaining proper

auth orization and d ocumentation should be a standard prerequ isite for all user

administration actions.

8VHU$GPLQLVWUDWLRQ

User ad ministration comp rises the following:


4/36



Release 4.0B94


5/36




6\VWHP$GPLQLVWUDWLRQ


6/36



Release 4.0B96

Sample R/3 User Setup/Change/Delete Form:

Company ID:

R/3 User Change RequestSystem/Client No . PRD 300

QAS 200 210 220

DEV 100 110 120

Employee:

De partment Name/Cost Center Number:

User ID:

Type of Change W Change user

W Delete user

W Add user

Position: Expiration Date (mandatory

for temporary empl oyee s)

Secret Word:

Requester:

Requesters position:

Requesters phone:

Request Urgency W High

WMedium

W Low

Employees Job Function (If similar to others in department, name and user ID of a pe rson wi th simil ar job function):

Special Access/Functions :

Requester Signoff

Name Signature Date Signed

Manager Signoff




Owner Signoff


Security


In addition to se curity approval (above ), is a signed copy of compu ter security and po licy statement attached?

W Yes W No


7/36


New User Setup


1HZ8VHU6HWXS

3UHUHTXLVLWHV

*HQHUDO3URFHVVRU3URFHGXUH

Before you begin to set up a n ew u ser, you shou ld have in hand the user add form (with

all the required information and app rovals).

7KH8VHUV'HVNWRS

Find out if the users desktop meets the following criteria:


8/36


9/36


New User Setup


+RZWR,QVWDOOWKH6$3JXL

*XLGHG7RXU

1. Map a d rive to the share on the netw ork wh ere the presentation CD has been copied.

2. Select the map ped dr ive to the

presentation CD software.

3. Navigate down to the directory

for your platform.

In this example Sim-cd on

Pal100767 (E:) sapgui-40b

Gui Windows Win32.

For other p latforms, select the

app ropriate platform d irectory;Os2, Unix (Aix, Common, Dec,

Hpux, Reliant, Solaris) an d win16.

4. Double-click on Sapsetup.exe.

The installation p rogram starts.

5. ChooseNext.

2

4

5

3


10/36


New User Setup

Release 4.0B910

6. Select Client installation.

7. ChooseNext.

8. At this point you have two

installation options:


11/36


New User Setup


,QGLYLGXDO,QVWDOODWLRQRI&RPSRQHQWV

To install SAPlogon you must use individual installation.

1. SelectIndividual installation.

2. ChooseNext.

3. Choose (De)Select all to install all

components.

This toggle switch selects or

deselects all components.

3a. For this example w e have

selected all comp onents, for a

total of84MB.

4. Or, select specific comp onents by

clicking on their individu al

checkboxes.

4a. For this example, we have

selected tw o components

(SAPGUI 32-bitan d SAPlogon),

for a total of18MB.

4. ChooseNext.

5. From here continue with the Standard installation procedure.

1

2

4

3a

4a

3


12/36


New User Setup

Release 4.0B912

6WDQGDUG,QVWDOODWLRQ

1. ChooseLocal Installation, to install

the software on the desktop PC.

2. ChooseNext.

3. The installation p rogram defaults

to where to install SAPgui on you r

system. In most cases, you shou ld

accept the system d efault.

4. ChooseNext.

1

2

4

3


13/36


New User Setup


5. Choosepossible entries to select a

language (for example, E for

English).

6. ChooseNext.

7. The installation p rogram informs

you wh ere the files will be

installed.

8. ChooseNext.

9. Enter the name of the ap plication

server in Application Server.

10.Enter the system (instance)

num ber in System N umber.

11.The SA P Router String is normally

left blank.

12.SelectR/3 System.

13.ChooseNext.

5

6

7

8

9

10

1112

13


14/36


New User Setup

Release 4.0B914

14. If the SAP online documentation

for Release 4.0B has been installed,

this step is not need ed. Skip this

step.

15.ChooseNext.

16.Enter the name for a program

group (or accept the default SA PFrontend 4.0B).

17.Enter the name for the working

directory (or accept th edefault,

c:\ SAPworkdir).

18.Choose Finish.

19.You w ill see a wind ow show ing

you the p rogress of the

installation.

The time to complete the installation depend s on the speed of your compu ter and the

speed that the files can be copied over the netw ork.

20.When the installation is complete,this window will appear.

21.Choose OK.

22.Test your connection by logging

on to the R/ 3 System.

14

15

16

17

18

21


15/36


New User Setup


,QVWDOOLQJ6$3JXLIURPWKH3UHVHQWDWLRQ&'

When the network connection between th e SAPgui files on the netw ork and the user is too

slow to perm it installation, install SAPgu i from the presenta tion CD. A slow conn ection

could result from a slow mod em or a slow link in the network.

A copy should be mad e of the original presentation CD and the copy shipp ed to the user

site. You th en m aintain control of the original CD and redu ce the chance that it might get

lost. The SAPgui installation files can also be copied to other high-capacity rem ovable

med ia such as ZIP or optical disk, as approp riate for your comp any.

The CD (or other d elivery m edia) can then be safely sent to the users site. From there, it can

be either loaded on to a local file server for installation or installed d irectly from the delivery

media.

The prerequ isite for such an installation is that the user has a CD d rive or other d rive

compatible with the d elivery m edia (ZIP, optical, etc.) that the SAPgu i files are d elivered

on .

To install SAPgu i from a CD:

1. Insert the copy of theRelease 4.0B presentation CD into the CD ROM drive.

2. In Window sExplorer, choose the CD ROM drive.

3. Choose Gui Windows Win32 (or the app ropriate d irectory).

4. Double-click on Sapsetup.exe.

5. Follow the sam e procedu re as when loading from a file server.6. Test that you can connect and log on to the system.


16/36


New User Setup

Release 4.0B916

$GGLQJ$GGLWLRQDO6\VWHPV

You can ad d another system to the:


17/36


New User Setup


*XLGHG7RXU

7R$GGD1HZ6\VWHPWRWKH6$3,FRQ*URXS

Load ba lancing will not function if the SAP icon group is used . For load balancing, the SAP logon is

required.

1. From the Window s desktop, choose StartPrograms SA P Frontend 4.0B SAPicon.

If you have changed the nam e of the group in the installation, choose that nam e instead ofSA P

Frontend 4.0B in the path above.

2. SelectR/3 system .

3. Enter the nam e of the server in

Servername.

The server name you enter will

app ear as the name un der the iconcreated. You can change the nam e

later using a function in Window s.

4. Enter the system (instance)

num ber in System ID.

5. Routerstring is norm ally left blank.

6. Choose OK.

7. The icon w ill be add ed to the SAP

icon group.

8. Test that you can connect and log

on to the ad ditional system.

5

4

2

3

6


18/36


New User Setup

Release 4.0B918

7R$GG$GGLWLRQDO6\VWHPVLQWKH6$3/RJRQ

1. On the SAP Logon window, choose

New.

2. Enter a short description of the

system (for example, Production

SAP, PRD)in Description.

3. Enter the name of the server (forexample, xsapprd or xsapdev)

in Application Server.

4. Enter the system (instance)

num ber that was assigned to the

server for which you are creating

the logon (for example, 01) in

System Number.

5. Select R/3.

6. Choose OK.

7. Test that you can connect and logon to the ad ditional system.

2

3

4

5

6

1


19/36


New User Setup


6HWWLQJ8SD1HZ8VHU

The procedu ral prerequ isite is to check that all docum entation and author izations required

to set up a new u ser are present.

There are two ways to create a new u ser:


20/36


New User Setup

Release 4.0B920

3. In the Copy Users window , enter the

new user ID in to.

Follow your comp anys naming

convention for creating user IDs.

4. Choose Copy.

5. Enter an initial password (for

example, init). Re-enter the same

passw ord in the second field.

6. In User group, enter the user group

(for example, ACCT) to which the

user is to be assigned.

A user grou p m ust exist before a user

can be assigned to it.

7. You can u sepossible entries to get alist of user g roups to select.

3

4

7

5

6


21/36


New User Setup


8. Enter dates in the Valid from an d

Valid to fields to limit the duration

that the users w ill have access to the

system.

Entering a valid to/ from date is

typically required for contractors and

other temporary personnel.

9. Choose theAddress tab to change the

users add ress data.

10.Enter the usersLast name.

11.Enter the users First name.

12.Enter the users job Function.

13.Enter the usersDepartment.

14.Enter the users location (for

example,Room no., Floor, Building).

15.Enter the users phone number.

A telephone num ber should be a

requ ired en try field. If there is a system

problem identified w ith the user, you

need to be able to contact that user.

16.ChooseDefaults.

8

9

10

11

1213

14 1414

15

16


22/36


New User Setup

Release 4.0B922

17.Check that theLogon language is set

correctly (for exam ple,ENfor

English).

If the system d efault langu age has

been set (for example, English), thenthis field is only used to log in u nd er

a language that is not the system

default (example, German).

18.Under Output Controller, select

Output immediately an d

Delete after output.

19.Check that the Personal time zone is

correct. A display ofpossible entries is

available on th is field.

20.UnderDecimal notation, select the

app ropriate notation (for example,

Point, for United States).

TheDecimal notation affects h ow

numbers are d isplayed. Setting it

correctly is critical to p reven t confusion

and mistakes.

21.UnderDate format, select the

app ropriate date format

(for example,MM/DD/YYYY).

22.Choose Save.

17

18

19

20

21

22


23/36


New User Setup


&UHDWLQJD1HZ8VHUIURP6FUDWFK

Sometimes it becomes necessary to create a new user from scratch. You m ay need to create a new u ser

when you d o not have another user to copy from.

*XLGHG7RXU

1. In the Commandfield, enter transaction SU01 and chooseEnter

(or choose ToolsAdministration,then User maintenanceUsers).

2. Enter the u ser ID (for example,

gary) that you w ant to create.

3. Choose Create.

4. Enter the usersLast name.

5. Enter the users First name.

6. Enter the users job Function.

7. Enter the usersDepartment.

8. Enter the users location (forexample,Room no., Floor, Building).

9. Enter the users phone number.

A telephone num ber should be a

requ ired en try field. If there is a system

problem identified w ith the user, youneed to be able to contact that user.

10.ChooseLogon data.

2

3

4

5

67

8 88

9

10


24/36


25/36


New User Setup


15.Optional: Enter the ap prop riate

language code in Logon language (for

example,EN for English).

If the system d efault langu age has

been set (for example, English), thenthis field is only used to log in u nd er

a language that is not the system

default (example, German).

16.Under Output Controller, select

Output immediately an d

Delete after output.

17.Enter the approp riate time zone.

A list ofpossible entries is available to

select from .

18.UnderDecimal notation, select the

app ropriate notation (for example,

Point, for United States).

TheDecimal notation affects h ow

numbers are d isplayed. Setting it

correctly is imp ortant to p reventconfusion and mistakes.

19.UnderDate format, select the

app ropriate date format(for

example,MM/DD/YYYY).

20.Choose Save.

21.Assign security to the u ser by u sing the Profile Generator

(see theAuthorizations M ade Easy Guidebook).

15

16

17

18

19

20


26/36


Maintaining a User

Release 4.0B926

0DLQWDLQLQJD8VHU

Before maintaining a user, have a properly completed and app roved u ser change form.

The user change d ocumentation is aud ited in a security audit.

:K\

You need to maintain a user to manage:


27/36


Maintaining a Use


TheMaintain Userscreen allows

you to change a users:


28/36


29/36


Locking or Unlocking a User


4. In the popup w indow, enter the

new temp orary password in the

New passwordand Repeat password

fields.

5. Choose Copy.

For security, you can only set an initial value for the users password . The u ser is then

required to change the password wh en they log on. You cannot see what the users current

passw ord is, nor can you set a perm anent password for the user.

/RFNLQJRU8QORFNLQJD8VHU

:KDW

The lock/ un lock function is part of the logon check, which allows th e user to log on (or

preven ts the user from logging on) to the R/ 3 System.

:K\


30/36


Locking or Unlocking a User

Release 4.0B930

*XLGHG7RXU


(or choose Tools Administration, then User maintenanceUsers).

2. Enter the u ser ID (for example,

GARYN) to be maintained.

3. ChooseLock/unlock.

4. A popup window appears.

In this examp le, an ad ministrator

has m anually locked the user ID.

5. ChooseLock/Unlock.

In this examp le, this step w illun lock the user.

6. A message at the bottom of the

screen ind icates that the u ser has

been unlocked.

2

3

5

6


31/36


32/36


User Groups

Release 4.0B932

+RZWR&UHDWHD8VHU*URXS

*XLGHG7RXU


(or choose ToolsAdministration, then User maintenanceUsers).

2. On the User Maintenance screen

(transaction SU01), choose

EnvironmentUser groups.

3. Choose Create.

4. Enter the name of the new user

group (for example, finance).

5. ChooseEnter.

6. The new user group FINANCEis

now in the list and is usable.

5

4

6

3


33/36


Deleting a Users Session (Transaction SM04


'HOHWLQJD8VHUV6HVVLRQ7UDQVDFWLRQ60

:KDW

Use transaction SM04 to terminate a users session.

:K\

Transaction SM04 may show a user as being active wh en the u ser has actually logged off.

This cond ition is usu ally caused by a n etwork failure, wh ich cuts off the user, or the user is

not p roperly closed ou t of the system. (For examp le, the u ser turn ed the PC off withou t

logging off the system.)

A user m ay be on the system and needs to have their session terminated :


34/36


Maintaining a Table of Prohibited Passwords

Release 4.0B934

2. In the Commandfield, en ter

transaction SM04 and chooseEnter

(or choose ToolsAdministration,

then MonitorSystem monitoring

User overview).

3. Select the u ser ID that you w ant to

delete.

4. Choose Sessions.

In step 3 above, dou ble-check that the selected user is the one you really want to delete.

It is very easy to select the w rong u ser.

5. Select the session to be d eleted.

6. ChooseEnd session.

7. Repeat steps 5 and 6 until all

sessions for that u ser are deleted.

0DLQWDLQLQJD7DEOHRI3URKLELWHG3DVVZRUGV

:KDW

A table of prohibited p assword s is a user-defined list of passwords that are p rohibited from

being used in the R/ 3 System.

Interaction occurs betw een a system profile pa rameter and the table of prohibited

passw ords. If the minimu m p assword length is set to five characters, there is no reason to

proh ibit password s like 123 or SAP, because these passwords w ould fail the minimum

length test. However, if comp any security p olicy requires it, you could include all

passw ords that are considered risky in the table.

This table is not a substitute for good p assword policy and practices by the users.

6

3

5

4


35/36




The following is a list of easily guessed p assword s that cannot be pu t into any table:


36/36



User Admin Tasks

Documents

Transcript of User Admin Tasks