SAP Authorizations User administration (transaction SU01) - NW Admin

Direkt zum Seiteninhalt
User administration (transaction SU01)
Efficient SAP rollout through central, tool-supported management
Sometimes implementation consultants are also confronted with the situation that no authorization concept exists at all. This happens, for example, when changes in SAP SuccessFactors responsibilities occur on the customer side or different implementation partners were active in the past. However, a missing concept can lead to errors in the system. Users cannot perform certain actions, or worse, people see sensitive data that they should not see. This can, in the worst case, constitute a DSGVO violation and lead to a fine for the company.

After you have determined the data for the website, you must now generate the initial password and send it by e-mail and unlock the user if necessary. There are also different solutions - we describe a possible course of action. You can generate a password using the GENERATE_PWD import parameter of the BAPI BAPI_USER_CHANGE. The generated password is then set as the initial password and must be changed at the next login by the user. You must also set the PASSWORDX import parameter to display a password change. The generated password is returned using the export parameter GENERATED_PASSWORD. This is required if you want to call the BAPI BAPI_USER_CHANGE from a central system (e.g. from the ZBV) and send the relevant e-mail from that system. You should never save this password, but include it directly in your application in an email. Subsequently, you send this e-mail to the user whose e-mail address you can determine either directly in the SAP system (parameter ADDSMTP of BAPI_USER_GET_DETAIL) or within the scope of your web application (e.g. from the AD). Even if you find the email address in the AD, we advise you not to send the email from there. To avoid the password being unnecessarily transferred, it is better to initiate the despatch within your central SAPS system. In addition, we strongly advise you to send the emails encrypted with the initial passwords. To do this, the implementation of your self-service must set the encryption flag when creating the email. We describe details about the encryption of emails and an alternative sending of the initial password directly from the affected SAP system in Tip 98, "Encrypt emails".
SAP S/4HANA: Analysis and simple adjustment of your authorizations
SAPconnect uses the S/MIME (Secure/Multipurpose Internet Mail Extensions) standard for signing when sending emails or for verifying and decrypting received emails. S/MIME is supported by most email clients and requires X.509-based certificates.

The freeware Scribble Papers puts an end to the confusing paper chaos. The tool is also suitable for storing, structuring and quickly finding text documents and text snippets of all kinds in addition to notes.


Roles reflect access to data depending on the legitimate organisational values. This information should be part of the naming convention, as these roles differ only in their organisational but not in their functional form.

If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.

Do you also work in a complex system landscape where roles are decentralised? Then, inconsistencies can occur by transporting profiles from different systems to a target system.

To access the system recommendations, you must have permission for the SM_FUNCS object (ACTVT = 03; SM_APPL = SYSTEM_ REC; SM_FUNC = , such as SECURITY).
NW BASIS
Zurück zum Seiteninhalt