Logon Data Tab Page
When you create a user, it is only mandatory to fill out the Initial Password field on the Logon Data tab page. All other entries on this screen are optional. The fields are described in detail below.
Alias
You can assign an alias of up to 40 characters to a user to specify more memorable names. Depending on the programming of the application, the user can then log on using either the (twelve character) user name or the alias.
If an external user sets up a user account for himself or herself in the Internet, he or she automatically uses an alias instead of a user name to do this. The SAP system then creates a new user master record with this alias and an automatically generated twelve character user name. The user then reports, for example, password problems using his or her alias instead of the technical user name, which is unknown to the user. The system administration determines the correct user master record in the SAP system using the alias.
Initial Password
You have the following options when assigning initial passwords:
-
Enter the password manually and repeat it in the Repeat Password field to avoid typographical errors.
-
To generate the password, choose the Generate button.
-
To deactivate the password, choose the Deactivate button.
This means that the user can no longer log on using a password, but only with Single Sign-On variants (X.509 certificate, logon ticket). This is useful if you do not require password-based logon because logon is performed exclusively in other ways (such as using logon tickets, see SAP Note 177895
). In this case, deactivating the password increases security, as passwords that are not used are usually still initial.Although the deactivation of passwords cannot be made retrospectively, the administrator can define a new initial password at any time.
The deactivation of the password on the Logon Data tab page refers to the local system. If Central User Administration is in use, you can change or deactivate passwords system-specifically in user maintenance with the Change Password function.
You can find further information in the following sections:
-
Login Parameters for password rules
-
User Maintenance Functions , Change Password section
Although the Password Status is always displayed when creating a user, it only shows the status for users that have been created (see also Password Status ).
User Group
To assign the user to a user group, enter the group. This is necessary if you want to distribute user maintenance among several user administrators. Only the administrator that has authorization for a group can edit users of the group. If you leave the field empty, the user is not assigned to any group (see Assigning User Groups ). This means that any user administrator can maintain any user.
User type
You can specify the following user types:
-
Dialog (A)
-
Individual system access (personalized)
-
It is possible to log on using SAP GUI. The user is therefore capable of interaction through SAP GUI.
-
The system checks whether the password has expired or is initial.
-
The user can change his or her password himself or herself.
-
The system checks multiple dialog logons, and logs these if necesary.
-
Purpose: for individual human users (including Internet users)
-
-
System (B)
-
System-related and internal system processes.
-
It is not possible to log on using SAP GUI. The user is therefore incapable of interaction through SAP GUI.
-
The password change requirement does not apply to the passwords, that is, they cannot be initial or expired.
-
Only a user administrator can change the password.
-
Multiple logons are permissible.
-
Purpose: background processing and communication within a system (internal RFC calls) and between multiple systems (external RFC calls). Purpose: for example, RFC users for ALE, workflow, TMS, CUA.
-
-
Communications (C)
-
Individual system access (personalized)
-
It is not possible to log on using SAP GUI. The user is therefore incapable of interaction through SAP GUI.
-
Although the system checks whether the password has expired or is initial, the implementation of the requirement to change the password, which exists in principle, depends on the logon method (interactive or non-interactive).
-
The user can change his or her password himself or herself.
-
Purpose: external RFC calls of individual human users.
-
-
Service (S)
-
Shared system access for a larger, anonymous group of users. Assign only very restricted authorizations for this user type.
-
It is possible to log on using SAP GUI. The user is therefore capable of interaction through SAP GUI.
-
During a log on, the system does not check whether the password has expired or is initial.
-
Only a user administrator can change the password.
-
Multiple logons are permissible.
-
Purpose: Anonymous system access (such as for public Web services). After an individual authentication, an anonymous session begun with a service user can be continued as a person-related session with a dialog user.
-
-
Reference (L)
-
It is not possible to log on to the system.
-
User type for general, non-person related users that allows the assignment of additional identical authorizations, such as for Internet users created with transaction SU01.
If you assign a reference user to a user, only the reference user's authorizations are inherited. You cannot copy any other role attributes or user attributes (such as the role menu). You can also only impart authorizations for one step. This means that you cannot assign a reference user to a reference user in order to cumulate the authorizations of both reference users.
To assign a reference user to a dialog user, specify it when maintaining the dialog user on the Roles tab page. In general, the application controls the assignment of reference users. This assignment is valid for all systems in a Central User Administration (CUA) landscape. If the assigned reference user does not exist in a CUA child system, the assignment is ignored.
You should be very cautious when creating reference users.
-
If you do not implement the reference user concept, you can deactivate this field in accordance with SAP Note 330067
. -
We also recommend that you set the value for the Customizing switch REF_USER_CHECK in table PRGN_CUST to E . This means that only users of type REFERENCE can then be assigned. Changing the Customizing switch affects only new assignments of reference users. Existing assignments are retained.
-
We further recommend that you place all reference users in one particularly secure user group to protect them from changes to assigned authorizations and deletion.
RecommendationPrior to Release 4.6C, the SAP System categorized users into two basic types: dialog users and non-dialog users (also referred to as CPIC users or background users). We recommend that you use non-dialog users for communication between systems in which the user ID and the password are defined in the system (such as for RFC destinations between systems). This ensures that no one logs on for a dialog session with this user.
We recommend that you assign the appropriate user type when creating users. For example, if the user does not need dialog access to the SAP system, define it as a system user. If the user is an anonymous, public user that many different individuals can use, define it as a service user and keep its authorizations to a minimum.
-
Valid from... and Valid to...
You define the validity period of the user master record with these fields. If you do not want to restrict the validity, leave the fields empty.
Account number
For each user or user group, assign an account name or number of your choice. The user appears in the RZ accounting system (ACCOUNTING EXIT) under this number.
An example of a suitable account number would be the user's cost center or company code.
We recommend that you always enter an account name or number in the computing center accounting system. The user will otherwise be assigned to a general category without account number.