Managing SAP user accounts and access rights using Identity Manager
To access Business Objects or execute SAP transactions, which are both protected by authorization objects (explained below), a user requires corresponding authorizations. The authorizations represent instances of generic authorization objects and are defined depending on the activity and responsibilities of the employee. The authorizations are combined in an authorization profile that is associated with a role. The user administrators then assign the corresponding roles using the user master record, so that the user can use the appropriate transactions for his or her tasks.

The administrator assigns authorizations to users to control which actions each user can execute in the SAP system after he or she has logged onto the system and authenticated.

[Figure 2 residue: central services (message server, enqueue server); SAP (web) application server with ICM, dispatcher and dispatcher queue, gateway, ABAP work processes, Java dispatcher, Java server processes, SDM and memory pipes; ABAP and Java databases; clients (web browser) via the Internet; other application or SAP system]
Figure 2. The application server is the core of an SAP deployment.

[Figure 3 residue: SAP account (user master record) m:n single role and composite role; composite role m:n single role; single role 1:1 generated profile; manual profile and composite profile m:n authorizations; authorization objects 1:10 authorization fields with values]
Figure 3. ABAP authorization components

Figure 3 shows the authorization components and their relationships.
• User master record—The user master record enables the user to log onto the SAP system and access the functions and objects in it within the limits of the authorization profiles specified in the role. The user master record contains all information about the corresponding user, including the authorizations. Changes to a user master record take effect when the user next logs onto the system. Users who are logged on when the change takes place are not affected in their current session.
• Composite role—This consists of any number of single roles.
• Single role—This is created with the role administration tool and allows the automatic generation of an authorization profile. The role contains the authorization data and the logon menu for the user.
• Generated authorization profile—This is generated in role administration from the role data.
• Manual authorization profile—To minimize the editing effort when you are using authorization profiles, you usually do not enter single authorizations in the user master record, but rather authorizations combined into authorization profiles. Changes to the authorization rights take effect for all users whose user master record contains the profile the next time they log on to the system. Users who are already logged on are not immediately affected by the changes.
• Composite profile—This consists of any number of authorization profiles.
• Authorization object—Authorization objects control what actions users can perform within the system. An authorization object can contain up to ten fields that are related by “AND” operators, allowing complex tests for multiple conditions. For an authorization check to be successful, all field values of the authorization object must be appropriately entered in the user master record. Authorization objects are divided into classes for comprehensibility. An object class is a logical combination of authorization objects and corresponds, for example, to an application such as financial accounting or human resources.
• Authorization field—This field contains the value that you define. It is connected to the data elements stored in the ABAP dictionary. You can specify any number of single values or value ranges for an authorization field. You can also allow all values, or allow an empty field as a permissible value.

The programmer of a function decides whether, where and how authorizations are to be checked. The program determines whether the user has sufficient authorization for a particular activity. To do this, it compares the field values specified in the program with the values contained in the authorizations of the user master record.

Changing an authorization affects all users whose authorization profile contains these authorizations. As a system administrator, you can edit authorizations in the following ways:
• You can change authorizations manually. These changes take effect for the relevant users as soon as you activate the authorization.
• You can extend and change the SAP defaults with role administration.

[Figure 4 residue: SAP user administration; SAP account 1 … SAP account n (user master record), universal within each SAP client; SAP Server 1 … SAP Server n; SAP client installed across SAP systems; SAP system installed across servers; application]
Figure 4. You must maintain separate user master records for each client in the SAP system.

[Figure 5 residue: master SAP client with master SAP account; replication to subordinate SAP clients holding shadow SAP accounts; administration]
Figure 5. In environments with multiple systems, one SAP client is promoted to be the master and the other clients are subordinates.
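The rules above (an authorization object with up to ten AND-ed fields, single values, ranges and the `*` wildcard per field, roles that bundle authorizations, and a check that only sees what was loaded at logon) can be modelled in a few dozen lines. The following Python is an added example written for this page, not SAP code and not part of the Identity Manager product. S_TCODE and F_BKPF_BUK are real SAP object names, but the field sets, the Z_FI_* roles, the user JDOE and the company codes are constructed for the demonstration; the per-session buffer is a simplification of SAP's user buffer.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple, Union

ALL = "*"                                  # SAP wildcard: every value permitted
Permitted = Union[str, Tuple[str, str]]    # one value, or an inclusive (low, high) range


@dataclass(frozen=True)
class AuthorizationObject:
    """Named object with 1..10 fields; a check ANDs all fields it asks about."""
    name: str
    fields: Tuple[str, ...]

    def __post_init__(self) -> None:
        if not 1 <= len(self.fields) <= 10:
            raise ValueError(f"{self.name}: an authorization object has 1..10 fields")


def _match(permitted: Permitted, value: str) -> bool:
    if permitted == ALL:
        return True
    if isinstance(permitted, tuple):
        low, high = permitted
        return low <= value <= high        # string comparison, as SAP does it
    return permitted == value              # also covers the permitted empty value


@dataclass
class Authorization:
    """An instance of an object: the permitted values for each of its fields."""
    obj: AuthorizationObject
    values: Dict[str, Sequence[Permitted]]

    def permits(self, requested: Dict[str, str]) -> bool:
        # Every field the program asks about must match; fields it does not
        # ask about are not checked.
        for fld, val in requested.items():
            if fld not in self.obj.fields:
                raise KeyError(f"{fld} is not a field of {self.obj.name}")
            if not any(_match(p, val) for p in self.values.get(fld, ())):
                return False
        return True


@dataclass
class Role:
    """Single role: carries its generated profile's authorizations.
    Composite role: carries only child roles."""
    name: str
    authorizations: List[Authorization] = field(default_factory=list)
    children: List["Role"] = field(default_factory=list)

    def effective(self) -> List[Authorization]:
        out = list(self.authorizations)
        for child in self.children:
            out.extend(child.effective())
        return out


@dataclass
class UserMasterRecord:
    user: str
    roles: List[Role] = field(default_factory=list)


class Session:
    """Logon copies the user's authorizations into a per-session buffer, so a
    later change to the user master record is not seen until the next logon."""

    def __init__(self, umr: UserMasterRecord) -> None:
        self.user = umr.user
        self._buffer = [a for r in umr.roles for a in r.effective()]

    def authority_check(self, obj: AuthorizationObject, **requested: str) -> bool:
        # Succeeds if ANY authorization for this object permits ALL requested fields.
        return any(a.obj == obj and a.permits(requested) for a in self._buffer)


S_TCODE = AuthorizationObject("S_TCODE", ("TCD",))            # transaction start
F_BKPF_BUK = AuthorizationObject("F_BKPF_BUK", ("BUKRS", "ACTVT"))  # company code, activity


def demo() -> Dict[str, bool]:
    """Constructed roles and user (hypothetical names, not from any real system)."""
    base = Role("Z_FI_BASE", [
        Authorization(S_TCODE, {"TCD": ["FB03"]}),
        Authorization(F_BKPF_BUK, {"BUKRS": ["1000"], "ACTVT": ["03"]}),   # display in 1000
        Authorization(F_BKPF_BUK, {"BUKRS": ["2000"], "ACTVT": ["01"]}),   # create in 2000
    ])
    post = Role("Z_FI_POST", [
        Authorization(S_TCODE, {"TCD": ["FB01"]}),
        Authorization(F_BKPF_BUK, {"BUKRS": [("1000", "2999")], "ACTVT": [ALL]}),
    ])
    umr = UserMasterRecord("JDOE", [Role("Z_FI_CLERK", children=[base])])
    s1 = Session(umr)
    r = {
        "display_1000": s1.authority_check(F_BKPF_BUK, BUKRS="1000", ACTVT="03"),
        "post_1000": s1.authority_check(F_BKPF_BUK, BUKRS="1000", ACTVT="01"),
        # fields are ANDed within one authorization, never pooled across two
        "display_2000": s1.authority_check(F_BKPF_BUK, BUKRS="2000", ACTVT="03"),
        "tcode_fb01": s1.authority_check(S_TCODE, TCD="FB01"),
    }
    umr.roles[0].children.append(post)   # role assignment changed after logon
    r["post_1000_same_session"] = s1.authority_check(F_BKPF_BUK, BUKRS="1000", ACTVT="01")
    s2 = Session(umr)                    # next logon picks up the change
    r["post_1000_next_logon"] = s2.authority_check(F_BKPF_BUK, BUKRS="1000", ACTVT="01")
    r["post_2500_next_logon"] = s2.authority_check(F_BKPF_BUK, BUKRS="2500", ACTVT="01")
    r["post_3000_next_logon"] = s2.authority_check(F_BKPF_BUK, BUKRS="3000", ACTVT="01")
    return r
```

The two results worth noticing are `display_2000`, which fails even though the user holds both BUKRS 2000 and ACTVT 03 in separate authorizations, and `post_1000_same_session`, which stays false after the role was added because the running session still checks against the buffer it loaded at logon.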
To perform user administration, you first create a user master record for each user, with which the users can log on to the SAP system. Using the user master record, assign one or more roles to the users, which determine the activities in the user menu and which authorizations the user has. User master records are client-specific, so you need to maintain separate user master records for each client in the SAP system. An SAP client can be configured across multiple SAP systems. You cannot transport user master records. Instead, you can copy them using a client copy, or use Central User Administration to distribute the user master records from the central system to the child systems.
Central User Administration (CUA)
Central User Administration (CUA)
simplifies user maintenance
in environments with multiple
systems. One specific SAP client
is promoted to be the master,
and other clients are connected
and assigned as subordinates to
this master. These clients do not
necessarily have to reside on the
same SAP system.
It is worth noting that not all
clients need to have a role in a
CUA infrastructure. Individual
clients may stay independent
and keep their own user
management repository.
Logical systems are created in
a CUA for each client. Each of
these logical systems represents
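The CUA arrangement described above (one master client, subordinate clients addressed as logical systems, independent clients outside the CUA keeping their own user store) as a simplified Python model. This is an added example written for this page, not SAP or Identity Manager code; the logical system names, users and roles are constructed, and the rule that a user exists in a child system only while assigned to it centrally is a simplification of CUA's per-system assignment.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class ClientUserStore:
    """User master records of one SAP client, addressed by its logical system
    (SAP convention <SID>CLNT<client>): user -> roles assigned in that client."""
    logical_system: str
    records: Dict[str, Set[str]] = field(default_factory=dict)


class CentralUserAdministration:
    """Master client keeps the central assignments; every subordinate client is a
    logical system that receives only its own slice on distribution."""

    def __init__(self, master: str, subordinates: Set[str]) -> None:
        self.master = ClientUserStore(master)
        self.children = {ls: ClientUserStore(ls) for ls in subordinates}
        self._systems: Dict[str, Set[str]] = {}                 # user -> child systems
        self._roles: Dict[str, Dict[str, Set[str]]] = {}        # user -> system -> roles

    def add_to_system(self, user: str, logical_system: str) -> None:
        if logical_system not in self.children:
            raise ValueError(f"{logical_system} is not a subordinate of this CUA")
        self._systems.setdefault(user, set()).add(logical_system)

    def remove_from_system(self, user: str, logical_system: str) -> None:
        self._systems.get(user, set()).discard(logical_system)
        self._roles.get(user, {}).pop(logical_system, None)

    def assign(self, user: str, logical_system: str, role: str) -> None:
        if logical_system not in self._systems.get(user, set()):
            raise ValueError(f"{user} does not exist in {logical_system}; add it first")
        self._roles.setdefault(user, {}).setdefault(logical_system, set()).add(role)

    def distribute(self) -> Dict[str, Dict[str, Set[str]]]:
        """Replicate: each child gets exactly the users assigned to it, with the
        roles assigned for that child only. Returns a snapshot per logical system."""
        for child in self.children.values():
            child.records.clear()
        for user, systems in self._systems.items():
            self.master.records[user] = set()              # master keeps the record
            for ls in systems:
                self.children[ls].records[user] = set(self._roles.get(user, {}).get(ls, set()))
        return {ls: {u: set(r) for u, r in c.records.items()} for ls, c in self.children.items()}


def demo() -> Dict[str, Dict[str, Set[str]]]:
    """Constructed landscape: PRD client 100 is master, ERP and BW clients are
    subordinates, HRD client 300 stays independent with its own user store."""
    cua = CentralUserAdministration("PRDCLNT100", {"ERPCLNT100", "BWPCLNT100"})
    independent = ClientUserStore("HRDCLNT300", {"JDOE": {"Z_HR_LOCAL"}})
    cua.add_to_system("JDOE", "ERPCLNT100")
    cua.add_to_system("JDOE", "BWPCLNT100")
    cua.add_to_system("ASMITH", "ERPCLNT100")
    cua.assign("JDOE", "ERPCLNT100", "Z_FI_DISPLAY")
    cua.assign("JDOE", "BWPCLNT100", "Z_BW_REPORT")
    cua.assign("ASMITH", "ERPCLNT100", "Z_FI_POST")
    cua.distribute()
    cua.remove_from_system("JDOE", "BWPCLNT100")      # removed centrally, not in BW
    snapshot = cua.distribute()
    snapshot[independent.logical_system] = dict(independent.records)  # untouched by CUA
    return snapshot
```

The point the snapshot makes is that nothing is transported between clients: the master's assignment data is the source of truth, each subordinate only ever holds its own copy, and a client that was never connected to the CUA is not affected by distribution at all.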