
Windows Groups and Users in an SAP System Environment

 

Windows distinguishes between the following groups:

  • Domain groups

    In a Windows domain there are domain local, domain global and universal groups. Domain groups are valid within a Windows domain, not only on one server. Therefore, we recommend that you bundle the domain users into different activity groups, depending on their tasks. The domain administrator can export these activity groups to other domains, so the respective user can access all resources needed to administer the SAP system.

    Although you can choose the name of the group, the standard domain global group for SAP system administrators is defined as SAP_<SAPSID>_GlobalAdmin.

    For more information, see the installation guide for your SAP product on Windows, which you can find on SAP Service Marketplace at http://service.sap.com/instguides → SAP product → <Release>.

  • Local groups

    Local user groups, as well as local users, exist locally on one server.

    During the installation of an SAP system, user rights are assigned to local users instead of groups. For example, the user <sapsid>adm gets the user right Log on as a service. However, to simplify user administration, we recommend that you assign server resources to local groups instead of single users. You can then assign the appropriate domain users and domain groups to the local group.

    Caution

    Be careful when using domain controllers. If you define a local group of users, or a single local user on a domain controller, the group or user is known on all domain controllers within the domain. Therefore we do not support installing SAP systems on a domain controller.


The following relationships exist between users, local groups and domain groups:

  • A local user can only be a member of a local group.

  • A domain user can be a member of both a local group and a domain group.

  • A domain group can be included in a local group. You may also export a domain group to another Windows domain.

If several users need the same rights for a certain set of resources, you can create a group. You do not need to assign user rights for each of the files to each user individually. Instead, you assign the rights to the group, and all users in the group automatically receive the rights of the group. The same applies to the users in a domain group that is itself a member of a local group.

To simplify your administrative tasks, we recommend adding all Windows users to user groups that are granted the appropriate rights at the operating system level.
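
The nesting described above (domain users in a domain global group, that group in a local group, rights granted to the local group), as an added PowerShell example that is not part of the original SAP documentation. The SAP system ID C11, the domain EXAMPLE, the local group name, the directory and the Modify right are assumed placeholder values, and the script needs an elevated session on a domain-joined server that is not a domain controller.

```powershell
# Constructed placeholder values; replace with your own.
$SapSid      = 'C11'                                # hypothetical SAP system ID
$Domain      = 'EXAMPLE'                            # hypothetical NetBIOS domain name
$DomainGroup = "$Domain\SAP_${SapSid}_GlobalAdmin"  # standard group name from the text
$LocalGroup  = "SAP_${SapSid}_ResourceAccess"       # hypothetical local group name
$Resource    = 'D:\sapdata'                         # hypothetical directory to protect

# 1. Create the local group on this server if it does not exist yet.
if (-not (Get-LocalGroup -Name $LocalGroup -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $LocalGroup -Description "Access to $SapSid resources" | Out-Null
}

# 2. Include the domain global group in the local group (skip if already a member).
$members = Get-LocalGroupMember -Group $LocalGroup
if ($members.Name -notcontains $DomainGroup) {
    Add-LocalGroupMember -Group $LocalGroup -Member $DomainGroup
}

# 3. Grant rights on the resource to the local group only, not to single users.
#    'Modify' is an illustrative right; subfolders and files inherit the entry.
$acl  = Get-Acl -Path $Resource
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$env:COMPUTERNAME\$LocalGroup",
    'Modify',
    'ContainerInherit,ObjectInherit',
    'None',
    'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Resource -AclObject $acl

# 4. Check: list accounts that sit directly in the local group instead of
#    arriving through a domain group. An empty result matches the recommendation.
Get-LocalGroupMember -Group $LocalGroup |
    Where-Object { $_.ObjectClass -eq 'User' } |
    Select-Object Name, PrincipalSource
```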