Locking SAP User Accounts

Locking SAP User Accounts

The way you lock user accounts depends on how they are managed.

Scenario:

• The user account is linked to employees and is managed through account definitions.

User accounts managed through account definitions are locked when the employee is temporarily or permanently disabled. The behavior depends on the user account manage level. User accounts with the manage level "Full managed" are disabled depending on the account definition settings. You cannot apply the tasks Lock user account and Unlock user account to these user accounts. For user accounts with another manage level, modify the column template SAPUser.U_Flag accordingly.

Scenario:

• The user accounts are linked to employees. No account definition is applied.

User accounts managed through user account definitions are locked when the employee is temporarily or permanently disabled. The behavior depends on the configuration parameter "QER\Person\TemporaryDeactivation".

• If the configuration parameter is set, the employee’s user accounts are locked if the employee is permanently or temporarily disabled. You cannot apply the tasks Lock user account and Unlock user account to these user accounts.
• If the configuration parameter is not set, the employee’s properties do not have any effect on the associated user accounts.

To lock a user account when the configuration parameter is disabled

3. Select the category SAP R/3 | User accounts.
4. Select the user account in the result list.
5. Select Lock user account from the task view.
6. Confirm the prompt with OK.

Scenario:

• User accounts not linked to employees.

To lock a user account, which is not linked to an employee

2. Select the category SAP R/3 | User accounts.
3. Select the user account in the result list.
4. Select Lock user account from the task view.
5. Confirm the prompt with OK.

A process is generated, which publishes this user account modification in the target system. Once the lock has been published in the target system, the option User account locked is enabled on the master data form, Login data tab. The user can no longer log in with this user account.

To unlock a user account

1. Select the category SAP R/3 | User accounts.
2. Select the user account in the result list.
3. Select Unlock user account from the task view.
4. Confirm the prompt with OK.

   This generates a process that publishes the change in the target system. The option User account locked is enabled the moment the process is successfully completed.

Detailed information about this topic

For more information, see theOne Identity Manager Target SystemAn instance of a target system in which the employees managed by One Identity Manager have access to network resources. Example: An Active Directory domain X for target system type "Active Directory", a directory Y for target system type "LDAP", a client Z for target system type "SAP R/3". Base Module Administration Guide.

Related Topics

• Setting Up Account Definitions
• Setting Up Manage Levels

Deleting and Restoring SAP User Accounts

Deleting and Restoring SAP User Accounts

To delete a user account

1. Select the category SAP R/3 | User accounts.
2. Select the user account in the result list.
3. Click to delete the user account.
4. Confirm the security prompt with Yes.

To restore user account

1. Select the category SAP R/3 | User accounts.
2. Select the user account in the result list.
3. Click in the result list toolbar.

Configuring Deferred Deletion

By default, user accounts are finally deleted from the database after 30 days.The user accounts are initially disabled. You can reenable the user accounts until deferred deletion is run. After deferred deletion is run, the user account are deleted from the database and cannot be restored anymore.You can configure an alternative deletion delay on the table SAPUser in the Designer. Deferred deletion has no influence over the login permission in assigned CUACentral user administration. child systems.

Entering External User Identifiers for an SAP User Account

Entering External User Identifiers for an SAP User Account

External authentication methods for logging on to a system can be used in SAP R/3. With One Identity Manager, you can maintain login data for logging in external system users, for example, Active Directory on an SAP R/3 environment.

You can use One Identity Manager to enter external user IDs and delete them. You can only change the option "Account is enabled" for existing user ID's.

To enter external IDs

1. Select the category SAP R/3 | External IDs.
2. Select the external identifier in the result list. Select Change master data in the task view.

   - OR -

   Click in the result list toolbar.

3. Enter the required data on the master data form.
4. Save the changes.

Enter the following data for an external identifier.

Table 60: External ID Properties

Property	Description
External user ID	User login name for the user to log into external systems. The syntax you require depends on the type of authentication selected. The complete user identifier is compiled by template. NOTE: The BAPI One Identity Manager uses default settings of the program RSUSREXT for generating the user identifier, that means, the user name is reset. The value provided in the interface is passed as prefix. If you SAP R/3 environment uses something other than these default settings, modify the template for column SAPUserExtId.EXTID respectively.
External identifier type	Authentication type for the external user. This results in the syntax for the external identifier. Table 61: External Identifier Types Distinguished Name for X.509 Login uses the distinguished name for X.509. Windows NTLM or password verification Login uses Windows NT Lan Manager or password verification with the Windows domain controller. LDAP bind <user defined> Login uses LDAP bind (for other authentication mechanisms). SAML token Authentication uses an SAML token profile. The default type is specified in the configuration parameter "TargetSystem\SAPR3\Accounts\ExtID_Type".
Target system typeGrouping similar target systems. Examples: Active Directory, LDAP, SharePoint.	Can be called up together with the external ID type to test the login data. The default type is specified in the configuration parameter "TargetSystem\SAPR3\Accounts\TargetSystemID". Permitted values are ADSACCOUNT and NTACCOUNT.
Account is enabled	Specifies whether the user or an external authentication system can log onto the system.
User account	Assignment of the external user ID to a user account.
Sequential number	Sequential number, if a user account has more than one external identifiers.
Valid from	Date from which the external user ID is valid.

Related Topics

• External Identifier Types

SAP Groups, SAP Roles and SAP Profiles

SAP Groups, SAP Roles and SAP Profiles

Groups, roles and profiles are mapped in the One Identity Manager, in order to provide the necessary permissions for user accounts. Groups, roles and profiles can be assigned to user accounts, requested or inherited through hierarchical roles in One Identity Manager. No new groups, roles or profiles can be added or deleted.

Groups

You can share maintenance of user accounts over different administrators by assigning user accounts to groups.

roles

A role includes all transactions and user menus that an SAP user requires to fulfill its tasks. Roles are separated into single and collective roles. Single roles can be group together into collective roles. User account member in the roles can be set for a limit period.

Profiles

Access permissions to the system are regulated though profiles. Profiles are assigned through single roles or directly to user accounts. Profiles can be grouped into collective profiles.