User Admin Tasks
Transcript of User Admin Tasks
-
8/9/2019 User Admin Tasks
1/36
System Administration Made Easy 91
&KDSWHU 1RQVFKHGXOHG8VHU
$GPLQLVWUDWLRQ7DVNV
&RQWHQWV
Overview ..................................................................................................................92
User Groups..............................................................................................................92
Profile Generator.......................................................................................................92
Recommended Policies and Procedures .............................................................93
User Administration...................................................................................................93
System Administration ..............................................................................................95
New User Setup.......................................................................................................97
Prerequisites .............................................................................................................97
Installing the Frontend SoftwareSAPgui .................................................................98
Adding Additional Systems .....................................................................................916
Setting Up a New User ...........................................................................................919
Maintaining a User ................................................................................................926
Resetting a Password...........................................................................................928
Locking or Unlocking a User ...............................................................................929
User Groups ..........................................................................................................931
How to Create a User Group ..................................................................................932
Deleting a Users Session (Transaction SM04)..................................................933
How to Terminate a User Session ..........................................................................933
Maintaining a Table of Prohibited Passwords ...................................................934
-
8/9/2019 User Admin Tasks
2/36
Chapter 9: Nonscheduled User Administration Tasks
Overview
Release 4.0B92
2YHUYLHZ
User ad ministration is a serious fun ction, not just a necessary ad ministrative task because
security is at stake each time u sers access the system . Because the companys finan cial and
other p roprietary information is on the system, the adm inistrator is subject to external
requirements and recommend ations from the comp anys external aud itors, regulatory
agencies, and others. Users should consult with their external aud itors for au dit-related
internal control user ad ministration requ irements. Hum an Resources shou ld be consulted if
the HR mod ule is implemented or any sensitive personnel data is maintained on the system.
A full discussion on security and user ad ministration is beyond the scope of this guidebook.
We have limited ou r d iscussion to a small subset of this issue. Manually creating an d
maintaining security profiles and authorizations is also not covered.
8VHU*URXSV
User group s are created by an administrator to organize users into logical group s, such as:
-
8/9/2019 User Admin Tasks
3/36
Chapter 9: Nonscheduled User Administration Tasks
Recommended Policies and Procedures
System Administration Made Easy93
5HFRPPHQGHG3ROLFLHVDQG3URFHGXUHV
User ad ministration is a serious security and aud it issue. Some of the tasks in th is
guidebook are aimed at complying with comm on aud it procedu res. Obtaining proper
auth orization and d ocumentation should be a standard prerequ isite for all user
administration actions.
8VHU$GPLQLVWUDWLRQ
User ad ministration comp rises the following:
-
8/9/2019 User Admin Tasks
4/36
Chapter 9: Nonscheduled User Administration Tasks
Recommended Policies and Procedures
Release 4.0B94
-
8/9/2019 User Admin Tasks
5/36
Chapter 9: Nonscheduled User Administration Tasks
Recommended Policies and Procedures
System Administration Made Easy95
6\VWHP$GPLQLVWUDWLRQ
-
8/9/2019 User Admin Tasks
6/36
Chapter 9: Nonscheduled User Administration Tasks
Recommended Policies and Procedures
Release 4.0B96
Sample R/3 User Setup/Change/Delete Form:
Company ID:
R/3 User Change RequestSystem/Client No . PRD 300
QAS 200 210 220
DEV 100 110 120
Employee:
De partment Name/Cost Center Number:
User ID:
Type of Change W Change user
W Delete user
W Add user
Position: Expiration Date (mandatory
for temporary empl oyee s)
Secret Word:
Requester:
Requesters position:
Requesters phone:
Request Urgency W High
WMedium
W Low
Employees Job Function (If similar to others in department, name and user ID of a pe rson wi th simil ar job function):
Special Access/Functions :
Requester Signoff
Name Signature Date Signed
Manager Signoff
Name Signature Date Signed
Name Signature Date Signed
Name Signature Date Signed
Owner Signoff
Name Signature Date Signed
Security
Name Signature Date Signed
In addition to se curity approval (above ), is a signed copy of compu ter security and po licy statement attached?
W Yes W No
-
8/9/2019 User Admin Tasks
7/36
Chapter 9: Nonscheduled User Administration Tasks
New User Setup
System Administration Made Easy97
1HZ8VHU6HWXS
3UHUHTXLVLWHV
*HQHUDO3URFHVVRU3URFHGXUH
Before you begin to set up a n ew u ser, you shou ld have in hand the user add form (with
all the required information and app rovals).
7KH8VHUV'HVNWRS
Find out if the users desktop meets the following criteria:
-
8/9/2019 User Admin Tasks
8/36
-
8/9/2019 User Admin Tasks
9/36
Chapter 9: Nonscheduled User Administration Tasks
New User Setup
System Administration Made Easy99
+RZWR,QVWDOOWKH6$3JXL
*XLGHG7RXU
1. Map a d rive to the share on the netw ork wh ere the presentation CD has been copied.
2. Select the map ped dr ive to the
presentation CD software.
3. Navigate down to the directory
for your platform.
In this example Sim-cd on
Pal100767 (E:) sapgui-40b
Gui Windows Win32.
For other p latforms, select the
app ropriate platform d irectory;Os2, Unix (Aix, Common, Dec,
Hpux, Reliant, Solaris) an d win16.
4. Double-click on Sapsetup.exe.
The installation p rogram starts.
5. ChooseNext.
2
4
5
3
-
8/9/2019 User Admin Tasks
10/36
Chapter 9: Nonscheduled User Administration Tasks
New User Setup
Release 4.0B910
6. Select Client installation.
7. ChooseNext.
8. At this point you have two
installation options:
-
8/9/2019 User Admin Tasks
11/36
Chapter 9: Nonscheduled User Administration Tasks
New User Setup
System Administration Made Easy911
,QGLYLGXDO,QVWDOODWLRQRI&RPSRQHQWV
To install SAPlogon you must use individual installation.
1. SelectIndividual installation.
2. ChooseNext.
3. Choose (De)Select all to install all
components.
This toggle switch selects or
deselects all components.
3a. For this example w e have
selected all comp onents, for a
total of84MB.
4. Or, select specific comp onents by
clicking on their individu al
checkboxes.
4a. For this example, we have
selected tw o components
(SAPGUI 32-bitan d SAPlogon),
for a total of18MB.
4. ChooseNext.
5. From here continue with the Standard installation procedure.
1
2
4
3a
4a
3
-
8/9/2019 User Admin Tasks
12/36
Chapter 9: Nonscheduled User Administration Tasks
New User Setup
Release 4.0B912
6WDQGDUG,QVWDOODWLRQ
1. ChooseLocal Installation, to install
the software on the desktop PC.
2. ChooseNext.
3. The installation p rogram defaults
to where to install SAPgui on you r
system. In most cases, you shou ld
accept the system d efault.
4. ChooseNext.
1
2
4
3
-
8/9/2019 User Admin Tasks
13/36
Chapter 9: Nonscheduled User Administration Tasks
New User Setup
System Administration Made Easy913
5. Choosepossible entries to select a
language (for example, E for
English).
6. ChooseNext.
7. The installation p rogram informs
you wh ere the files will be
installed.
8. ChooseNext.
9. Enter the name of the ap plication
server in Application Server.
10.Enter the system (instance)
num ber in System N umber.
11.The SA P Router String is normally
left blank.
12.SelectR/3 System.
13.ChooseNext.
5
6
7
8
9
10
1112
13
-
8/9/2019 User Admin Tasks
14/36
Chapter 9: Nonscheduled User Administration Tasks
New User Setup
Release 4.0B914
14. If the SAP online documentation
for Release 4.0B has been installed,
this step is not need ed. Skip this
step.
15.ChooseNext.
16.Enter the name for a program
group (or accept the default SA PFrontend 4.0B).
17.Enter the name for the working
directory (or accept th edefault,
c:\ SAPworkdir).
18.Choose Finish.
19.You w ill see a wind ow show ing
you the p rogress of the
installation.
The time to complete the installation depend s on the speed of your compu ter and the
speed that the files can be copied over the netw ork.
20.When the installation is complete,this window will appear.
21.Choose OK.
22.Test your connection by logging
on to the R/ 3 System.
14
15
16
17
18
21
-
8/9/2019 User Admin Tasks
15/36
Chapter 9: Nonscheduled User Administration Tasks
New User Setup
System Administration Made Easy915
,QVWDOOLQJ6$3JXLIURPWKH3UHVHQWDWLRQ&'
When the network connection between th e SAPgui files on the netw ork and the user is too
slow to perm it installation, install SAPgu i from the presenta tion CD. A slow conn ection
could result from a slow mod em or a slow link in the network.
A copy should be mad e of the original presentation CD and the copy shipp ed to the user
site. You th en m aintain control of the original CD and redu ce the chance that it might get
lost. The SAPgui installation files can also be copied to other high-capacity rem ovable
med ia such as ZIP or optical disk, as approp riate for your comp any.
The CD (or other d elivery m edia) can then be safely sent to the users site. From there, it can
be either loaded on to a local file server for installation or installed d irectly from the delivery
media.
The prerequ isite for such an installation is that the user has a CD d rive or other d rive
compatible with the d elivery m edia (ZIP, optical, etc.) that the SAPgu i files are d elivered
on .
To install SAPgu i from a CD:
1. Insert the copy of theRelease 4.0B presentation CD into the CD ROM drive.
2. In Window sExplorer, choose the CD ROM drive.
3. Choose Gui Windows Win32 (or the app ropriate d irectory).
4. Double-click on Sapsetup.exe.
5. Follow the sam e procedu re as when loading from a file server.6. Test that you can connect and log on to the system.
-
8/9/2019 User Admin Tasks
16/36
Chapter 9: Nonscheduled User Administration Tasks
New User Setup
Release 4.0B916
$GGLQJ$GGLWLRQDO6\VWHPV
You can ad d another system to the:
-
8/9/2019 User Admin Tasks
17/36
Chapter 9: Nonscheduled User Administration Tasks
New User Setup
System Administration Made Easy917
*XLGHG7RXU
7R$GGD1HZ6\VWHPWRWKH6$3,FRQ*URXS
Load ba lancing will not function if the SAP icon group is used . For load balancing, the SAP logon is
required.
1. From the Window s desktop, choose StartPrograms SA P Frontend 4.0B SAPicon.
If you have changed the nam e of the group in the installation, choose that nam e instead ofSA P
Frontend 4.0B in the path above.
2. SelectR/3 system .
3. Enter the nam e of the server in
Servername.
The server name you enter will
app ear as the name un der the iconcreated. You can change the nam e
later using a function in Window s.
4. Enter the system (instance)
num ber in System ID.
5. Routerstring is norm ally left blank.
6. Choose OK.
7. The icon w ill be add ed to the SAP
icon group.
8. Test that you can connect and log
on to the ad ditional system.
5
4
2
3
6
-
8/9/2019 User Admin Tasks
18/36
Chapter 9: Nonscheduled User Administration Tasks
New User Setup
Release 4.0B918
7R$GG$GGLWLRQDO6\VWHPVLQWKH6$3/RJRQ
1. On the SAP Logon window, choose
New.
2. Enter a short description of the
system (for example, Production
SAP, PRD)in Description.
3. Enter the name of the server (forexample, xsapprd or xsapdev)
in Application Server.
4. Enter the system (instance)
num ber that was assigned to the
server for which you are creating
the logon (for example, 01) in
System Number.
5. Select R/3.
6. Choose OK.
7. Test that you can connect and logon to the ad ditional system.
2
3
4
5
6
1
-
8/9/2019 User Admin Tasks
19/36
Chapter 9: Nonscheduled User Administration Tasks
New User Setup
System Administration Made Easy919
6HWWLQJ8SD1HZ8VHU
The procedu ral prerequ isite is to check that all docum entation and author izations required
to set up a new u ser are present.
There are two ways to create a new u ser:
-
8/9/2019 User Admin Tasks
20/36
Chapter 9: Nonscheduled User Administration Tasks
New User Setup
Release 4.0B920
3. In the Copy Users window , enter the
new user ID in to.
Follow your comp anys naming
convention for creating user IDs.
4. Choose Copy.
5. Enter an initial password (for
example, init). Re-enter the same
passw ord in the second field.
6. In User group, enter the user group
(for example, ACCT) to which the
user is to be assigned.
A user grou p m ust exist before a user
can be assigned to it.
7. You can u sepossible entries to get alist of user g roups to select.
3
4
7
5
6
-
8/9/2019 User Admin Tasks
21/36
Chapter 9: Nonscheduled User Administration Tasks
New User Setup
System Administration Made Easy921
8. Enter dates in the Valid from an d
Valid to fields to limit the duration
that the users w ill have access to the
system.
Entering a valid to/ from date is
typically required for contractors and
other temporary personnel.
9. Choose theAddress tab to change the
users add ress data.
10.Enter the usersLast name.
11.Enter the users First name.
12.Enter the users job Function.
13.Enter the usersDepartment.
14.Enter the users location (for
example,Room no., Floor, Building).
15.Enter the users phone number.
A telephone num ber should be a
requ ired en try field. If there is a system
problem identified w ith the user, you
need to be able to contact that user.
16.ChooseDefaults.
8
9
10
11
1213
14 1414
15
16
-
8/9/2019 User Admin Tasks
22/36
Chapter 9: Nonscheduled User Administration Tasks
New User Setup
Release 4.0B922
17.Check that theLogon language is set
correctly (for exam ple,ENfor
English).
If the system d efault langu age has
been set (for example, English), thenthis field is only used to log in u nd er
a language that is not the system
default (example, German).
18.Under Output Controller, select
Output immediately an d
Delete after output.
19.Check that the Personal time zone is
correct. A display ofpossible entries is
available on th is field.
20.UnderDecimal notation, select the
app ropriate notation (for example,
Point, for United States).
TheDecimal notation affects h ow
numbers are d isplayed. Setting it
correctly is critical to p reven t confusion
and mistakes.
21.UnderDate format, select the
app ropriate date format
(for example,MM/DD/YYYY).
22.Choose Save.
17
18
19
20
21
22
-
8/9/2019 User Admin Tasks
23/36
Chapter 9: Nonscheduled User Administration Tasks
New User Setup
System Administration Made Easy923
&UHDWLQJD1HZ8VHUIURP6FUDWFK
Sometimes it becomes necessary to create a new user from scratch. You m ay need to create a new u ser
when you d o not have another user to copy from.
*XLGHG7RXU
1. In the Commandfield, enter transaction SU01 and chooseEnter
(or choose ToolsAdministration,then User maintenanceUsers).
2. Enter the u ser ID (for example,
gary) that you w ant to create.
3. Choose Create.
4. Enter the usersLast name.
5. Enter the users First name.
6. Enter the users job Function.
7. Enter the usersDepartment.
8. Enter the users location (forexample,Room no., Floor, Building).
9. Enter the users phone number.
A telephone num ber should be a
requ ired en try field. If there is a system
problem identified w ith the user, youneed to be able to contact that user.
10.ChooseLogon data.
2
3
4
5
67
8 88
9
10
-
8/9/2019 User Admin Tasks
24/36
-
8/9/2019 User Admin Tasks
25/36
Chapter 9: Nonscheduled User Administration Tasks
New User Setup
System Administration Made Easy925
15.Optional: Enter the ap prop riate
language code in Logon language (for
example,EN for English).
If the system d efault langu age has
been set (for example, English), thenthis field is only used to log in u nd er
a language that is not the system
default (example, German).
16.Under Output Controller, select
Output immediately an d
Delete after output.
17.Enter the approp riate time zone.
A list ofpossible entries is available to
select from .
18.UnderDecimal notation, select the
app ropriate notation (for example,
Point, for United States).
TheDecimal notation affects h ow
numbers are d isplayed. Setting it
correctly is imp ortant to p reventconfusion and mistakes.
19.UnderDate format, select the
app ropriate date format(for
example,MM/DD/YYYY).
20.Choose Save.
21.Assign security to the u ser by u sing the Profile Generator
(see theAuthorizations M ade Easy Guidebook).
15
16
17
18
19
20
-
8/9/2019 User Admin Tasks
26/36
Chapter 9: Nonscheduled User Administration Tasks
Maintaining a User
Release 4.0B926
0DLQWDLQLQJD8VHU
Before maintaining a user, have a properly completed and app roved u ser change form.
The user change d ocumentation is aud ited in a security audit.
:K\
You need to maintain a user to manage:
-
8/9/2019 User Admin Tasks
27/36
Chapter 9: Nonscheduled User Administration Tasks
Maintaining a Use
System Administration Made Easy927
TheMaintain Userscreen allows
you to change a users:
-
8/9/2019 User Admin Tasks
28/36
-
8/9/2019 User Admin Tasks
29/36
Chapter 9: Nonscheduled User Administration Tasks
Locking or Unlocking a User
System Administration Made Easy929
4. In the popup w indow, enter the
new temp orary password in the
New passwordand Repeat password
fields.
5. Choose Copy.
For security, you can only set an initial value for the users password . The u ser is then
required to change the password wh en they log on. You cannot see what the users current
passw ord is, nor can you set a perm anent password for the user.
/RFNLQJRU8QORFNLQJD8VHU
:KDW
The lock/ un lock function is part of the logon check, which allows th e user to log on (or
preven ts the user from logging on) to the R/ 3 System.
:K\
-
8/9/2019 User Admin Tasks
30/36
Chapter 9: Nonscheduled User Administration Tasks
Locking or Unlocking a User
Release 4.0B930
*XLGHG7RXU
1. In the Commandfield, enter transaction SU01 and chooseEnter
(or choose Tools Administration, then User maintenanceUsers).
2. Enter the u ser ID (for example,
GARYN) to be maintained.
3. ChooseLock/unlock.
4. A popup window appears.
In this examp le, an ad ministrator
has m anually locked the user ID.
5. ChooseLock/Unlock.
In this examp le, this step w illun lock the user.
6. A message at the bottom of the
screen ind icates that the u ser has
been unlocked.
2
3
5
6
-
8/9/2019 User Admin Tasks
31/36
-
8/9/2019 User Admin Tasks
32/36
Chapter 9: Nonscheduled User Administration Tasks
User Groups
Release 4.0B932
+RZWR&UHDWHD8VHU*URXS
*XLGHG7RXU
1. In the Commandfield, enter transaction SU01 and chooseEnter
(or choose ToolsAdministration, then User maintenanceUsers).
2. On the User Maintenance screen
(transaction SU01), choose
EnvironmentUser groups.
3. Choose Create.
4. Enter the name of the new user
group (for example, finance).
5. ChooseEnter.
6. The new user group FINANCEis
now in the list and is usable.
5
4
6
3
-
8/9/2019 User Admin Tasks
33/36
Chapter 9: Nonscheduled User Administration Tasks
Deleting a Users Session (Transaction SM04
System Administration Made Easy933
'HOHWLQJD8VHUV6HVVLRQ7UDQVDFWLRQ60
:KDW
Use transaction SM04 to terminate a users session.
:K\
Transaction SM04 may show a user as being active wh en the u ser has actually logged off.
This cond ition is usu ally caused by a n etwork failure, wh ich cuts off the user, or the user is
not p roperly closed ou t of the system. (For examp le, the u ser turn ed the PC off withou t
logging off the system.)
A user m ay be on the system and needs to have their session terminated :
-
8/9/2019 User Admin Tasks
34/36
Chapter 9: Nonscheduled User Administration Tasks
Maintaining a Table of Prohibited Passwords
Release 4.0B934
2. In the Commandfield, en ter
transaction SM04 and chooseEnter
(or choose ToolsAdministration,
then MonitorSystem monitoring
User overview).
3. Select the u ser ID that you w ant to
delete.
4. Choose Sessions.
In step 3 above, dou ble-check that the selected user is the one you really want to delete.
It is very easy to select the w rong u ser.
5. Select the session to be d eleted.
6. ChooseEnd session.
7. Repeat steps 5 and 6 until all
sessions for that u ser are deleted.
0DLQWDLQLQJD7DEOHRI3URKLELWHG3DVVZRUGV
:KDW
A table of prohibited p assword s is a user-defined list of passwords that are p rohibited from
being used in the R/ 3 System.
Interaction occurs betw een a system profile pa rameter and the table of prohibited
passw ords. If the minimu m p assword length is set to five characters, there is no reason to
proh ibit password s like 123 or SAP, because these passwords w ould fail the minimum
length test. However, if comp any security p olicy requires it, you could include all
passw ords that are considered risky in the table.
This table is not a substitute for good p assword policy and practices by the users.
6
3
5
4
-
8/9/2019 User Admin Tasks
35/36
Chapter 9: Nonscheduled User Administration Tasks
Maintaining a Table of Prohibited Passwords
System Administration Made Easy935
The following is a list of easily guessed p assword s that cannot be pu t into any table:
-
8/9/2019 User Admin Tasks
36/36
Chapter 9: Nonscheduled User Administration Tasks
Maintaining a Table of Prohibited Passwords