User Master Record

User Master Record

T-code: SU01

Components of the User Master Record

User Master Record

Address: Personal data, Communication data, Company add.

Logon Data: User group, user type, validity period

Defaults: Start menu, logon language, default printer

Parameters: Default values for parameter IDs

Roles: Assignment of profiles

Profiles: Assignment of user groups

Groups: Global User Manager

Personalization: Assignment of personalization

License Data: Assignment of license data

User Master Record

A user can only logon to an SAP system if a user master record with a corresponding password exists. The scope of activity of individual users in the SAP system is defined in the master record by one or more roles, and is restricted by the assignment of the appropriate authorizations.

User master records are client-specific. You must maintain your own user master records for every client in SAP systems.

The following authorization objects are required to create and maintain user master records:

• Authorization to create or maintain a user master record, and to assign it to a user group (object S_USER_GRP)
• Authorization for the authorization profiles that you assign to users (object S_USER_PRO)
• Authorization to create and maintain authorizations (object S_USER_AUTH)
• Authorization to protect roles. With this authorization object, you specify which roles can be edited, and which activities (display, change, create, and so on) are intended for the role(s) (object S_USER_AGR)
• Authorization for transactions that you may assign to the role and for which you can assign authorization to start the transaction in the Profile Generator (object S_USER_TCD)
• Authorization to restrict values that the system administrator can include in a role or change in the Profile Generator (S_USER_VAL)

SU3

By choosing System-->User Profile-->Own Data (transaction .SU3.), users can themselves maintain the Address, Defaults, and Parameters tabs.

Profiles

Each profile grants the user a number of authorizations. Remember that we recommend that you structure the contents of authorizations using transaction PFCG. and not using manual profiles..

Caution:

Never enter the generated profiles directly on the Profiles tab page, since transaction PFUD. deletes these assignments if there is no entry for them on the Roles tab page. When you assign a role to a user on the Roles tab page, the profile generated for this role is automatically entered on the Profiles tab page, and the profiles in the user master record and compared with the roles.

The SAP system contains predefined profiles, such as:

• SAP_ALL: To assign all authorizations that exist in the SAP system to users, assign the profile SAP_ALL.
• SAP_NEW: Composite profile to bridge the differences in releases in the case of new or changed authorization checks for existing functions, so that your users can continue to work as normal.

Caution:

This composite profile contains very extensive authorizations, since, for example, organizational levels are assigned with the full authorization asterisk(s).

Mass Changes using SU10

Defaults

Logon Date

Roles

Profiles

Parameters

Passwords

User Change Documents Table

Archive Procedure: online --> offline

Online

Related tables for user change documents

Change history for logon data: USH02

Change history for authorizations: USH04

Change history for authorization profiles: USH10

Change history for authorization values: USH12

Offline

Archive Files-->Tape