Logon Data Tab Page in SU01

When you create a user, it is only mandatory to fill out the Initial Password field on the Logon Data tab page. All other entries on this screen are optional. The fields are described in detail below.

Alias

You can assign an alias of up to 40 characters to a user to specify more descriptive names. Depending on the programming of the application, the user can then log on using either the (12 character) user name or the alias.

If an external user sets up a user account for himself or herself on the Internet, he or she automatically uses an alias instead of a user name to do this. The SAP system then creates a new user master record with this alias and an automatically generated 12 character user name. The user then reports, for example, password problems using his or her alias instead of the technical user name, which is unknown to the user. The system administration determines the correct user master record in the SAP system using the alias.

Initial Password

You have the following options when assigning initial passwords:

Enter the password manually and repeat it in the Repeat Password field to avoid typographical errors.

To generate the password, choose Wizard.

To deactivate the password, choose Deactivate.

This means that the user can no longer log on using a password, but only with Single Sign-On variants (X.509 certificate, logon ticket). This is useful if you do not require password-based logon because logon is performed exclusively in other ways (such as using logon tickets, see SAP Note 177895). In this case, deactivating the password increases security, as passwords that are not used are usually still initial.

Although the deactivation of passwords cannot be made retrospectively, the administrator can define a new initial password at any time.

The deactivation of the password on the Logon Data tab page refers to the local system. If Central User Administration is in use, you can change or deactivate passwords system-specifically in user maintenance.

See also:

Password Rules

Login Parameters for password rules

User Maintenance Functions, Change Password section.

User Group

To assign the user to a user group, enter the group. This is necessary if you want to distribute user maintenance among several user administrators. Only the administrator that has authorization for a group can maintain users of the group. If you leave the field empty, the user is not assigned to any group (see Assigning User Groups). This means that the user can be maintained by any user administrator.

User Type

You can specify the following user types:

Dialog (A)

User type for exactly one interactive user (all logon types including Internet users):

During a dialog logon, the system checks whether the password has expired or is initial. The user can change his or her password himself or herself.

Multiple dialog logons are checked and, where appropriate, logged.

System (B)

User type for background processing and communication within a system (internal RFC calls).

A dialog logon is not possible.

The password change requirement does not apply to these passwords, that is, they cannot be initial or expired. Only a user administrator can change the password.

Multiple logons are permissible.

Communications (C)

User type for dialog-free communication between systems (such as RFC users for ALE, Workflow, TMS, and CUA):

A dialog logon is not possible.

Whether the system checks for expired or initial passwords depends on the logon method (interactive or not interactive). Due to a lack of interaction, no request for a change of password occurs.

Service (S)

User type that is a dialog user available to a larger, anonymous group of users. Assign only very restricted authorizations for this user type:

During logon, the system does not check whether the password has expired or is initial. Only the user administrator can change the password (transaction SU01, Goto → Change Password).

Multiple logons are permissible.

Service users are used, for example, for anonymous system access through an ITS service. After an individual authentication, an anonymous session begun with a service user can be continued as a person-related session with a dialog user.

Reference (L)

User type for general, non-person related users that allows the assignment of additional identical authorizations, such as for Internet users created with transaction SU01. You cannot log on to the system with a reference user.

To assign a reference user to a dialog user, specify it when maintaining the dialog user on the Roles tab page. In general, the application controls the assignment of reference users. This assignment is valid for all systems in a Central User Administration (CUA) landscape. If the assigned reference user does not exist in a CUA child system, the assignment is ignored.

You should be very cautious when creating reference users.

If you do not implement the reference user concept, you can deactivate this field in accordance with SAP Note 330067.

We also recommend that you set the value for the Customizing switch REF_USER_CHECK in table PRGN_CUST to "E". This means that only users of type REFERENCE can then be assigned. Changing the Customizing switch affects only new assignments of reference users. Existing assignments are retained.

We further recommend that you place all reference users in one particularly secure user group to protect them from changes to assigned authorizations and deletion.

Recommendation

Before release 4.6C, the SAP system categorized users into two basic types: dialog users and non-dialog users (also known as CPIC users or background users). We recommend using non-dialog users for communications between systems where the user ID and password are defined in the system (for example, in RFC destinations between systems). This ensures that no one logs on for a dialog session with this user.

We recommend that you assign the appropriate user type when creating users. For example, if the user does not need dialog access to the SAP system, then define it as a system user. If the user is an anonymous, public user that many different individuals can use, define it as a service user and keep its authorizations to a minimum.
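As an added example (not SAP's own code), the following Python script applies the user-type, password-deactivation and reference-user recommendations above to a constructed export of user master records; the column names, the group name SUPER and the sample users are assumptions made for the example.

```python
import csv
import io
from datetime import date

# Constructed sample export (column names are assumptions, not SAP table fields).
SAMPLE_EXPORT = """\
user,user_type,password_state,user_group,valid_to,reference_user
JSMITH,A,productive,HR_ADMINS,,
RFC_ALE,C,initial,,,
BATCH01,B,initial,SUPER,,
ITS_ANON,S,productive,,2020-12-31,
REF_WEB,L,deactivated,SUPER,,
REF_OLD,L,productive,,,
JDOE,A,productive,,,RFC_ALE
"""

PROTECTED_GROUP = "SUPER"  # assumed name of the hardened group for reference users

def audit(export_csv: str, today: date = date(2024, 1, 1)) -> list[tuple[str, str]]:
    """Return (user, finding) pairs for records that deviate from the recommendations."""
    findings = []
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    by_name = {r["user"]: r for r in rows}
    for r in rows:
        u, t, pw = r["user"], r["user_type"], r["password_state"]
        # B/C users never log on in dialog, so an initial password is unused: deactivate it.
        if t in {"B", "C"} and pw == "initial":
            findings.append((u, "non-dialog user with initial password"))
        # Service users skip the initial/expired check at logon: review their authorizations.
        if t == "S":
            findings.append((u, "service user: verify minimal authorizations"))
        # Reference users belong in one particularly secure user group.
        if t == "L" and r["user_group"] != PROTECTED_GROUP:
            findings.append((u, "reference user outside protected group"))
        # A validity period that has ended should not go unnoticed.
        if r["valid_to"] and date.fromisoformat(r["valid_to"]) < today:
            findings.append((u, "validity period has ended"))
        # Mirrors REF_USER_CHECK = 'E': only a type L user may be assigned as reference user.
        ref = r["reference_user"]
        if ref and by_name.get(ref, {}).get("user_type") != "L":
            findings.append((u, f"reference user {ref} is not of type L"))
    return findings


if __name__ == "__main__":
    for user, msg in audit(SAMPLE_EXPORT):
        print(f"{user:10} {msg}")
```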

Valid from... and Valid to...

You define the validity period of the user master record with these fields. If you do not want to restrict the validity, leave the fields empty.

Account Number

For each user or user group, assign an account name or number of your choice. The user appears in the RZ accounting system (ACCOUNTING EXIT) under this number.

A recommended account number would be the user’s cost center or company code, for example.

You should always enter an account name or number in the SAP accounting system. The user will otherwise be assigned to a general category without account number.
