SU01 - MAINTAIN USERS

As an administrator, you control who has access to applications by creating users and providing these users with a means of authenticating themselves to an application. To simplify user administration, users can be collected in groups according to criteria such as the users' function in a company or the department they work in. Roles define the users' authorizations. Roles can be assigned to either users or groups. 
Tools - Administration - User Maintenance - Users, or SU01

Administration

The following lists cover the general and specific administrative tasks for the management of users, groups, and roles.

Daily Tasks

1.      Managing Users, Groups, and Roles

2.    Assigning Principals to Roles or Groups

3.      Locking or Unlocking Users

4.      Password Management

1.      Managing Users, Groups, and Roles

This function enables you to create, modify, and delete users, groups, and roles with the user management engine (UME). This enables you to define these objects so you can then group them according to your access management strategy.

Prerequisites

To manage users, groups, or roles, you must be assigned a role that includes the relevant actions or combination of actions. For example, to assign roles to users, your role assignments must include UME actions that enable you to change both kinds of principal (roles and users), such as UME.Manage_Roles and UME.Manage_Users. The figure below summarizes the UME actions available by default.

UME Actions According to Principal and Role

Along the top of the figure is a list of role archetypes. For example, if you are an overall administrator, under Administrators All is a list of actions appropriate to that role. The rows represent the different permission areas or principals for which the actions are relevant. For example, the top row of blocks lists actions relevant to working with users, from full access to read-access to only your own profile. The last two rows refer to specific functions, such as permission to access the import and export functions, or profile-specific actions. Some actions are subsets of other actions. For example, UME.Manage_My_Profile includes UME.Manage_My_Password. Standard UME roles include such actions. The UME role Administrator includes UME.Manage_All, which enables you to display and change everything. By default, administrator roles are only assigned to administrators.

Activities

a) Search for a user, group, or role (simple search) :- In the search area, choose the type of object you are looking for: user, group, or role. Enter a string to search for. The search function searches for this string in the user ID (users only) and name. Use the asterisk as a wildcard. If you do not enter any text, the search function returns a list of all users, groups, or roles, depending on the object you chose. Choose Go. A list of search results appears in the Search view.

b) View detailed information on a user, group, or role :- In the search results list, select the user, group, or role. The detailed information appears in the Details view.

c) Create new user, group, or role :- In the search area, choose the type of object you wish to create. Choose Create. Enter data as required in the Details view.

d) Copy an existing user :- In the search results list, select the user you want to copy. Choose Copy to New. Enter a logon ID and define a password. Choose Save.

2.      Assigning Principals to Roles or Groups

You can assign principals (users, roles, and groups) to roles and groups as follows:

-         Roles
          -       Users
          -       Groups
          -       Actions

-         Groups
          -       Users
          -       Groups
          -       Roles

Roles

Roles reflect a user's function. By assigning a role to a user, you provide the user with the authorizations or functions that he or she needs to fulfill specific tasks. You can also indirectly assign a role to a user by assigning the group to which the user belongs to the role.

You can display the following types of roles:

-         Portal roles

These roles define how content is grouped together and how it is displayed in the SAP NetWeaver Portal. By assigning a user or group to a portal role, you define which content that user or group sees in the portal. During assignment, the system checks the Role Assigner permission to see if you have the proper rights to assign the role.

-         User management engine (UME) roles

These roles define a set of authorizations. By assigning a user or group to a UME role, you grant the set of authorizations that the role defines to the assigned user or group.


Do not assign roles that are in the SAP namespace, for example, roles that begin with com.sap.portals. Instead, assign users to delta links of roles that are in the SAP namespace. This prevents your changes from being overwritten when you upgrade your portal.

By default, roles that contain the SAP namespace com.sap.portals are not displayed in the role assignment function.

Groups

Restrictions

Restrictions to group assignments (if any) depend on the data source where the principals reside. For more information, see the following:

-         Database Only as Data Source

-         LDAP Directory as Data Source

-         User Management of Application Server ABAP as Data Source

Prerequisites

To assign principals, you must be assigned a role that includes the relevant actions. For example, to assign users to a role, you must have the right to manage both users and roles.
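
The indirect assignment described above (a user receives a role through a group, and groups can contain groups) makes it hard to see from a single role who actually holds it. The following Python sketch is an added example, not part of the original page and not SAP code: it resolves effective role holders through nested groups, then flags holders of UME.Manage_All and any assignment to a role in the com.sap.portals namespace. All user, group, and role names and the data layout are constructed for illustration.

```python
# Constructed sample assignments; names and layout are illustrative, not UME's export format.
ROLE_ACTIONS = {
    "Administrator": {"UME.Manage_All"},
    "HelpDesk": {"UME.Manage_Users"},          # hypothetical custom role
    "com.sap.portals.example_role": set(),     # placeholder name in the SAP namespace
}
GROUP_MEMBERS = {                              # group -> (direct users, nested groups)
    "Basis": ({"alice"}, {"OnCall"}),
    "OnCall": ({"bob"}, {"Basis"}),            # cycle on purpose, to exercise the guard
    "Sales": ({"carol"}, set()),
}
ROLE_ASSIGNEES = {                             # role -> (assigned users, assigned groups)
    "Administrator": (set(), {"Basis"}),
    "HelpDesk": ({"carol"}, set()),
    "com.sap.portals.example_role": ({"dave"}, {"Sales"}),
}
SAP_NAMESPACE = "com.sap.portals"

def users_in_group(group, seen=None):
    """Users of a group including nested groups; `seen` guards against cycles."""
    seen = set() if seen is None else seen
    if group in seen or group not in GROUP_MEMBERS:
        return set()
    seen.add(group)
    users, nested = GROUP_MEMBERS[group]
    return set(users).union(*(users_in_group(g, seen) for g in nested))

def effective_roles():
    """user -> {role: how the user got it ('direct' or 'via group X')}."""
    result = {}
    for role, (users, groups) in ROLE_ASSIGNEES.items():
        for user in users:
            result.setdefault(user, {})[role] = "direct"
        for group in sorted(groups):
            for user in users_in_group(group):
                result.setdefault(user, {}).setdefault(role, f"via group {group}")
    return result

def findings():
    """(user, role, path, reason) tuples worth an administrator's review."""
    out = []
    for user, roles in sorted(effective_roles().items()):
        for role, path in sorted(roles.items()):
            if "UME.Manage_All" in ROLE_ACTIONS.get(role, set()):
                out.append((user, role, path, "holds UME.Manage_All"))
            if role.startswith(SAP_NAMESPACE):
                out.append((user, role, path, "role in SAP namespace"))
    return out

if __name__ == "__main__":
    print(*findings(), sep="\n")
```
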

3.      Locking or Unlocking Users

Locked users are deactivated and cannot access applications. There are two ways of locking users:

i)       Automatically

The system can lock a user automatically if the user tries to log on too many times with the wrong password. This is a password lock. Optionally the system can unlock the user automatically after a configurable amount of time elapses. These are configured with the following settings:

-             Maximum Number of Failed Logon Attempts

-               Auto Unlock Time

ii)        Explicitly

An administrator can lock a user. The administrator must subsequently unlock the account for the user to regain access to the system.
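
The two kinds of lock behave differently over time, which matters when reading a user's logon history. The following Python model is an added example, not part of the original page and not UME's implementation: it replays a constructed timeline against the two settings named above. The threshold values, the rule that a successful logon resets the failure counter, and the rule that an administrator unlock also clears a password lock are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional

# Sample values for the two settings named above (constructed, not defaults).
MAX_FAILED_LOGON_ATTEMPTS = 3
AUTO_UNLOCK_MINUTES = 60          # 0 means "never unlock automatically" in this model

@dataclass
class Account:
    failed: int = 0
    password_locked_at: Optional[int] = None   # minute the password lock was set
    admin_locked: bool = False

def is_locked(acct: Account, now: int) -> bool:
    if acct.admin_locked:
        return True                             # cleared only by an administrator
    if acct.password_locked_at is None:
        return False
    if AUTO_UNLOCK_MINUTES and now - acct.password_locked_at >= AUTO_UNLOCK_MINUTES:
        acct.password_locked_at, acct.failed = None, 0   # auto unlock time elapsed
        return False
    return True

def logon(acct: Account, password_ok: bool, now: int) -> str:
    if is_locked(acct, now):
        return "locked"                         # rejected even with the right password
    if password_ok:
        acct.failed = 0
        return "ok"
    acct.failed += 1
    if acct.failed >= MAX_FAILED_LOGON_ATTEMPTS:
        acct.password_locked_at = now           # password lock
    return "failed"

def replay(events):
    """Apply (minute, action) events to one account; return the logon outcomes."""
    acct, outcomes = Account(), []
    for now, action in events:
        if action == "admin_lock":
            acct.admin_locked = True
        elif action == "admin_unlock":
            acct.admin_locked, acct.password_locked_at, acct.failed = False, None, 0
        else:
            outcomes.append(logon(acct, action == "good", now))
    return outcomes

# Constructed timeline: three wrong passwords, a correct one during the lock,
# a correct one after the unlock time, then an explicit administrator lock.
EVENTS = [(0, "bad"), (1, "bad"), (2, "bad"), (3, "good"), (62, "good"),
          (70, "admin_lock"), (200, "good"), (201, "admin_unlock"), (202, "good")]

if __name__ == "__main__":
    print(replay(EVENTS))
```
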

4.      Password Management

Users require a password to be able to log on with user ID and password. As an administrator, you need to define or generate an initial password for newly created users. If users forget their passwords, you can also define or generate a new password for them. You can provide a link on the logon screen where users can reset their passwords themselves. If you enable self-management, users can view their profile and change their own passwords.

You can also disable a user's password. A user with a disabled password cannot log on with a password, but can still log on under certain circumstances.

The security policy defines the password rules. For example, you can define how long until a password expires or how many digits a password must contain.

On Demand Tasks

1.   Creating a Technical User

2.   Maintaining the User's Certificate Information

3.   Import and Export of User Management Data

1.   Creating a Technical User

Use this function to create a user for system-to-system communication. In most cases, applications create their own users for communication automatically, but some applications may require you to create such a user manually.

In the Details view, on the General Information tab, enter the following data:

-         Log On ID

-         Password

-         Last Name

2.   Maintaining the User's Certificate Information

When using SSL and client certificates for user authentication, the user is identified using a client certificate. To allow the J2EE Engine to identify users, their client certificate must be available in their user account on the J2EE Engine. There are several options:

-         The administrator imports users' certificates manually and adds them to the user's data. The following procedure describes the steps required.

-         Users map their own certificates to their user ID at logon. The administrator does not need to perform any steps.

3.   Import and Export of User Management Data

The following functions are available:

-         UME Object Data Import :- This function enables you to import users, groups, and roles.

-         UME Object Data Export :- This function enables you to export users, groups, and roles.

Required Actions

To import and export user data, you must be assigned a role with the action UME.Batch_Admin. To import and export user data for all companies, you must be assigned a role with the action UME.Manage_All_Companies.
