Different Types of Users
There are 5 different
User type:
1. Dialog(A)
2. System(B)
3. Communication(C)
4. Service(S)
5. Reference(L)
Description about the
above User types:
1. Dialog User:-
Initial password and expiration of password and Multi GUI
Logins are checked.
Individual system access
(personalized)
It is possible to log on
using SAP GUI. The user is therefore capable of interaction through SAP GUI.
The system checks
whether the password has expired or is initial.
The user can change his
or her password himself or herself.Which users are using
Creating Dialog User in SAP
======================
1. Goto SU01 --
username : sapuser
|-->Create.
2. In default settings, give
:Mr
first name : sap
lastname : user
3. Goto next tab,
give initial password :1234
repeat password : 1234
4. Goto profiles.
type- sap_all (say enter)
sap_new (say enter)
Then save....
See the message in status bar, (user created successfully)
5. Login with the new user. change the password. now this user contains all superuser authorizations
Give user name in user tab and press create tab (F8)
Give username and password
Give SAP Profile/Roles
Then save
and exit
2.Change the SAP User(Shift+F6)
3.Display SAP User(F7)
4.Delete SAP User(Shift+F2)
5.Copy SAP User (Shift+F5)
6.Lock and Unlock(Ctrl+F5)
or
Execute program EWULKUSR in SE38
2. System User:-
Windows Operating System
User Settings in an SAP System Use
This section informs about users that exist or are needed in an SAP system on Windows. It also describes some security settings to take for them.
Overview of SAP
System-Related Users
Windows built-in
users
Administrator:- The local user who has
unlimited access to all local resources.
Guest :- A local guest account who has guest access to all local resources.
SYSTEM:- The user SYSTEM is a built-in account without
password. You cannot log on as user SYSTEM. However, this account has complete
access to the local Windows system.
SAP system
users <sapsid>adm The SAP system
administrator who has unlimited access to all local resources related to SAP
systems.
SAPService<SAPSID>
A special user who runs the Windows services related to SAP systems.
Database
users <database-specific users> One
or more special users who run database-specific Windows services or access the
database resources with utility programs. Some databases also need certain
users at the operating system level. Their name and availability depend on the
database you use. For more information, see the database-specific security
guide on Windows.
Note the following:
•
Windows automatically creates the users Administrator and Guest during the
installation. You do not need them for SAP system operations.
•
Windows Server 2008 (R2) introduces a new security concept called User Account
Control (UAC). WhenUser Account Control is enabled (default setting), a process
running on a Windows Server 2008 (R2) does not automatically have the
membership in the Local Administrators group even if the account is a member of
this group. The user has to elevate a process to use the Administrators Group
membership, by right-clicking on a program entry in the Windows explorer
( Start Programs <Program
Entry> ) and start it with Run as Administrator:
• You
must enable the guest account to grant non-authenticated users (that have not
specified a valid user name or password) access to resources on a computer. The
Windows built-in group Everyone includes authenticated users and guests.
However, non-authenticated guest users only have access to resources that are
secured with Everyone if the guest account is enabled. SAP strongly recommends
to disable the guest account.
For a System User
GUI Login is not possible, Initial password and expiration of password are not
checked.
System-related and
internal system processes.
It is not possible to
log on using SAP GUI. The user is therefore incapable of interaction through
SAP GUI.
The password change
requirement does not apply to the passwords, that is, they cannot be initial or
expired.
Only a user
administrator can change the password.
Multiple logons are
permissible.
Roles for system
user : SAP_BC_USR_CUA_CENTRAL
SAP_BC_USR_CUA_CENTRAL_BDIST
Purpose of System User
is for background processing and communication within a system (internal RFC
calls) and between multiple systems (external RFC calls).(such as RFC users for ALE, Workflow, TMS, TREX and
CUA). Eg;-user : sysuser
pass:1234556
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/5e/9834429692b76be10000000a155106/content.htm
3. Communication User:-
Creating RFC Users (SAP
ECC)
To enable communication
between the SAP ERP back-end system and other SAP systems, you have to create
an RFC user in the SAP ERP system.
The RFC user in the
application client enables multiple RFC connections. Skip this activity if an
RFC user has already been created.
Procedure
1.
Logon to the SAP ECC system.
2.
Access the activity using one of the following navigation options:
• Call
transaction code SU01.
• In
the SAP ERP GUI, choose Tools Administration User
Maintenance Users .
3. In
the User field, enter CRM2ERP.
4.
Choose Create (F8).
5. On
the Maintain User screen, enter the following data in the tab entry screens:
• On
the Address tab page, enter the following:
o Last
Name: CRM2ERP
o
Function: <your function>
• On
the Logon Data tab page, enter the following:
o User
Type: Communication Data
o
Password: <your password>
• On
the Defaults tab page, enter the following:
o
Logon Language: EN
• On
the Profiles tab page, enter the following:
o
Profile: SAP_ALL and SAP_NEW
6.
Save your entries (Ctrl + S).
Connecting SAP CRM (SAP
ECC)
Procedure
1.
Logon to the SAP ECC system.
2. To
define an RFC destination in the SAP ERP system, access the activity using one
of the following navigation options:
• Call
transaction code SM59.
• In
the SAP ERP IMG menu, choose SAP NetWeaver Application
Server IDocInterface/Application Link Enabling (ALE)
Communication Create RFC Connections .
3. On
the Display and maintain RFC destinations screen, choose Create and enter the
data according to the RFC destination:
Field
name User action and default values
RFC
Destination
Erp_<ERPSID><ERPCLIENT>_to_Crm_<CRMSID><CRMCLIENT>
(for example:
Erp_ER1001_to_Crm_CR1005)
Connection
type 3
(Connection to ABAP
system)
Description
SAP CRM system
4.
Choose ENTER.
Technical Settings
Load
Balancing No
Target
host <SAP CRM target host name>
(for example: pwdf0421)
System
number <SAP CRM target system name>
(for example: 74)
Save
as IP Address
Logon/Security
Security Options
Trusted
system No
Logon
Screen deselect
SNC
Inactive
Logon
Language
EN
Client
<SAP CRM target client>
(for example: 001)
User
ERP2CRM
Password
<your password>
(password you have
chosen in user maintenance)
Current
User deselect
Unencrypted Password
(2.0) deselect
5.
Choose ENTER.
MDMP & Unicode
Communication Type with
target system Set Unicode flag if the Unicode test has been
executed successfully.
This test can be
performed by choosing Unicode Test in the menu area. The RFC destination has to
be saved before the test can be performed. An information message appears
(Example of a message: Target is a Unicode system (character size 2)).
6.
Choose ENTER.
7. In
the Special Options tab page, deselect Trace and Slow RFC Connection.
8.
Choose ENTER.
9.
Save your RFC destination.
10. To
test your newly created RFC connection, choose Connection Test.
For a
Communication User login is not possible, Users are allowed to change password
through some software in middle tierIndividual system access (personalized)
It is not possible to log on using SAP GUI. The user is therefore incapable of interaction through SAP GUI.
Although the system checks whether the password has expired or is initial, the implementation of the requirement to change the password, which exists in principle, depends on the logon method (interactive or non-interactive).
Assign the communication users for the child systems and the communication user CUA_ADM the roles Z_SAP_BC_USR_CUA_SETUP_CENTRAL and Z_SAP_BC_USR_CUA_CENTRAL.
It is not possible to log on using SAP GUI. The user is therefore incapable of interaction through SAP GUI.
Although the system checks whether the password has expired or is initial, the implementation of the requirement to change the password, which exists in principle, depends on the logon method (interactive or non-interactive).
Assign the communication users for the child systems and the communication user CUA_ADM the roles Z_SAP_BC_USR_CUA_SETUP_CENTRAL and Z_SAP_BC_USR_CUA_CENTRAL.
4.Service User:-
A user of the type Service is a dialog user that is available to an anonymous, larger group of users. Generally, this type of user should only be assigned very restricted authorizations.
For example, service users are used for anonymous system access using an ITS service or a public Web service. Once an individual has been authenticated, a session that started anonymously using a service user can be continued as a personal session using a dialog user (see SUSR_INTERNET_USERSWITCH)
During logon, the system does not check for expired and initial passwords. Only the user administrator can change the password.
Multiple logon is allowed.
Some central service users are required for dialog-free communication between the central components of SAP NetWeaver usage type PI and between application systems and PI.
After the installation of usage type PI, the following service users already exist together with a password in the client of the Integration Server and in the exchange profile. They are retrieved from there by the Java components of PI when the system is started.
They service users are listed below together with the roles assigned to them.
Service users available after installation
Service User Description Assigned Role
PILSADMIN User for the Change Management Server SAP_XI_CMS_SERV_USER
PIREPUSER User for the Enterprise Services Repository SAP_XI_IR_SERV_USER_MAIN
PIDIRUSER User for the Integration Directory SAP_XI_ID_SERV_USER_MAIN
PILDUSER User for the System Landscape Directory (SLD) SAP_BC_AI_LANDSCAPE_DB_RFC
PIAPPLUSER User for sender applications SAP_XI_APPL_SERV_USER
PIRWBUSER User for the Runtime Workbench SAP_XI_RWB_SERV_USER_MAIN
PIAFUSER User for the Advanced Adapter Engine SAP_XI_AF_SERV_USER_MAIN
PIISUSER User for the Integration Server SAP_XI_IS_SERV_USER_MAIN
PIPPUSER User for principal propagation SAP_XI_APPL_SERV_USER
Passwords are specified for these users during installation. The names of the users as well as the password may be changed as required. Ensure, however, that they are always assigned the roles listed above.
The roles were created for each of the PI components, so that each component only needs this single service user.
Within PI, the roles provide you with all the authorizations required by the respective component for dialog-free access to the other components of PI. They are therefore also available on the Java side. To access the Java components, corresponding authorization assignments (security roles) on usage type AS Java are required. These are automatically performed when the Java components are deployed.
Description of the Service User Roles
The following service user roles are available:
● SAP_XI_CMS_SERV_USER
Service user role for the Change Management Server (CMS).
Within PI, this role supplies all the authorizations required by the CMS for dialog-free access to the other components of PI, mainly the Enterprise Services Repository and Integration Directory.
● SAP_XI_IR_SERV_USER_MAIN
Service user role for the Enterprise Services Repository.
Within PI, this role supplies all the authorizations required by the Enterprise Services Repository for dialog-free access to the other PI components.
● SAP_XI_ID_SERV_USER_MAIN
Service user role for the Integration Directory.
Within PI, this role supplies all the authorizations required by the Integration Directory for dialog-free access to the other PI components.
● SAP_BC_AI_LANDSCAPE_DB_RFC
Service user role for the SLD.
This role supplies all the authorizations required by the SLD for dialog-free access to the database of the SAP NetWeaver Application Server. This role is usually assigned to exactly one service user or communication user, which must be defined in the administration of the SLD for database consistency.
● SAP_XI_APPL_SERV_USER
Service user role for application systems that are sender business systems.
This role supplies all the authorizations required by application systems (ABAP and Java) for dialog-free access to the components of PI.
● SAP_XI_RWB_SERV_USER_MAIN
Service user role for the Runtime Workbench.
Within PI, this role supplies all the authorizations required by the Runtime Workbench for dialog-free access to the other components of PI.
● SAP_XI_AF_SERV_USER_MAIN
Service user role for the Advanced Adapter Engine.
This role supplies all the authorizations required for communication between SLD, Integration Server, and Adapter Framework.
● SAP_XI_IS_SERV_USER_MAIN
Service user role for the Integration Server.
This role supplies all PI-specific authorizations required by the Integration Server for dialog-free access to business systems based on SAP NetWeaver.
Service users that have to be created in business systems for this purpose generally need additional authorizations that are specific to the service to be accessed.
Creating Service Users
You require two service users:
• One service user for synchronization
This service user is used to perform an anonymous synchronization. This is useful, for example, in the following situations:
o To get the UTC time (when using a TIME_AGENT parameter set)
o To generate error messages when errors occur during the synchronization process
o To create setup packages using the Mobile Administrator
• One service users for administration
This user is required for communication between the systems, for example, to display data in the Mobile Administrator.
Note
Alternatively, you can also use an individual administrator user here. For security reasons, we recommend using a service user with limited authorizations and without a dialog authorization.
The service user for the administration is used to access systems using an RFC. For example, you would enter this service user in the following cases:
o When deploying the JRA for the Mobile Administrator (see Deploying the JRA for the Mobile Administrator )
o When establishing the JCo-RFC connection (see Enabling Mobile Component Uploads )
o When setting up the synchronization monitors (see Activating Synchronization Monitors )
Caution
If you configured the MI usage type automatically using the template installer in the SAP NetWeaver Administrator, you do not have to create the service users for the administration.
Defining Roles for Service Users for the Synchronization Process
Check whether the role for the service user exists. If not, define one:
1. Create an authorization profile without a template and add the following authorization objects to it.
Authorization Objects for the Service User (Synchronization)
Authorization Object Field Value
S_ME_SYNC ACTVT 38 (Synchronization)
S_RFC ACTVT 16
RFC_NAME SUSO (Detailed error message determination)
ME_USER (Synchronization)
BWAF_MW (Synchronization)
BWAF_MOMO (Synchronization)
SYST
SRFC
SG00
SDIFRUNTIME
RFC1
1. Generate the profile and save the role you created.
Defining Roles for Service Users for the Administration
Check whether the role for the service user exists. If not, define one:
1. Create an authorization profile without a template and add the following authorization objects to it.
Authorization Objects for the Service User (Administration)
Authorization Object Field Value
S_RFC ACTVT 16
RFC_NAME RFC1 (Java Connector)
SDIFRUNTIME (Java Connector)
SYST (Java Connector)
SG00 (Java Connector)
SRFC (Java Connector)
SYSU (Java Connector)
SUSO (Detailed error message determination)
MEMGMT* (Mobile Administrator)
MEREP_INSTTK_MPC (Creation of setup packages)
MEREP_JAVACLIENT (Uploading SyncBO definitions from the back-end system)
ME_CENTRAL_TRACING (Tracing)
ME_CONFIG_INFO (Monitoring)
BWAF_MW (Synchronization)
BWAF_MOMO (Synchronization)
BAPT
BWAF_INSTALLATION (Setup packages)
MI_PACKAGE_GEN (Setup packages)
ME_MON_SHLP (Monitors)
ME_QUEUE_MON (Monitors)
ME_TECH_MON (Monitors)
ME_REPLIC_MON (Monitors)
ME_RESOURCE_MON (Monitors)
RFC2 (Monitors)
SDDO (Monitors)
ME_USER
SU_USER
S_TCODE TCD DEVICE_CONFIG (Device configuration)
SMOMO (Device removal)
S_MI_MGMT ACTVT *(Device administration and device configuration)
MI_GROUP Stored in table MEMGMT_AUTH_GRP, transaction MGMT_AUTHORITY
(For the definition of groups with different authorizations, for example, ADMIN and SUPPORT)
S_USER_GRP ACTVT 3 (Display user in Mobile Administrator)
1. Generate the profile and save the role you created.
Defining Service Users
1. Start transaction SU01 and create two service users (for example, MI_SERVICEADMIN and MI_SERVICESYNC).
Note
For the password, only use the characters contained in the ISO 8859-1 character set.
2. Assign each of the users with one of the roles created.
5.Reference Users:-
Like the service user, a reference user is a general user, not assigned to a particular person. You cannot log on using a reference user. The reference user is only used to assign additional authorization. Reference users are implemented to equip Internet users with identical authorizations.
On the Roles tab, you can specify a reference user for additional rights for dialog users. Generally, the application controls the allocation of reference users. You can allocate the name of the reference user using variables. The variables should begin with "$". You assign variables to reference users in transaction SU_REFUSERVARIABLE.
This assignment applies to all systems in a CUA landscape. If the assigned reference user does not exist in one of the CUA child systems, the assignment is ignored.
Creating Reference Users
Reference users are used to simplify authorization maintenance. You assign authorization roles to a reference user. The system then assigns the reference user to new users that are created for Web shop customers.
The user for a Web shop customer inherits all of the reference user’s role attributes and their authorization profile, which determines which activities and transactions are allowed.
Since customers use self-registration in the Web shop, you must use reference users to assign authorizations.
You assign reference users to a Web shop, regardless of whether you are using an SAP CRM or SAP ERP backend.
Prerequisites
The required authorization roles exist. For more information, see Creating and Changing Authorization Roles.
Procedure
1. In the SAP Easy Access screen, access transaction SU01.
Create a user, and in the Logon Data tab, select the user type Reference.
2. Assign authorization roles to the reference user in the Roles tab.
3. Assign the reference users in the User module of Web Channel Builder, in the field Reference User.
Result
The Web shop customer, when prompted by the system, enters the necessary registration details. The system uses these details to create a new user, and assign the reference user to the master record in the back-end system. The reference user contains authorizations, which are passed to the new Web shop customer.
The Web shop customer, when prompted by the system, enters the necessary registration details. The system uses these details to create a new user, and assign the reference user to the master record in the back-end system. The reference user contains authorizations, which are passed to the new Web shop customer.
selenium trainings
ReplyDeletepython training
SAP ABAP training
SSAP PP online training
data science training