|QER\Person\TemporaryDeactivation||This configuration parameter specifies whether user accounts for an employee are locked if the employee is temporarily or permanently disabled.|
The way you
User accounts managed through account definitions are
User accounts managed through user account definitions are
To lock a user account when the configuration parameter is disabled
To lock a user account, which is not linked to an employee
A process is generated, which publishes this user account modification in the target system. Once the lock has been published in the target system, the option User account locked is enabled on the master data form, Login data tab. The user can no longer log in with this user account.
To unlock a user account
This generates a process that publishes the change in the target system. The option User account locked is enabled the moment the process is successfully completed.
|NOTE: As long as an account definition for an employee is valid, the employee retains the user account that was created by it. If the account definition assignment is removed, the user account created through this account definition, is deleted.|
To delete a user account
To restore user account
By default, user accounts are finally deleted from the database after 30 days.The user accounts are initially disabled. You can reenable the user accounts until deferred deletion is run. After deferred deletion is run, the user account are deleted from the database and cannot be restored anymore.You can configure an alternative deletion delay on the table SAPUser in the Designer. Deferred deletion has no influence over the login permission in assigned CUACentral user administration. child systems.
External authentication methods for logging on to a system can be used in SAP R/3. With One Identity Manager, you can maintain login data for logging in external system users, for example, Active Directory on an SAP R/3 environment.
You can use One Identity Manager to enter external user IDs and delete them. You can only change the option "Account is enabled" for existing user ID's.
To enter external IDs
- OR -
Click in the result list toolbar.
Enter the following data for an external identifier.
|External user ID||
User login name for the user to log into external systems. The syntax you require depends on the type of authentication selected. The complete user identifier is compiled by template.
|External identifier type||
Authentication type for the external user. This results in the syntax for the external identifier.
The default type is specified in the configuration parameter "TargetSystem\SAPR3\Accounts\ExtID_Type".
|Target system typeGrouping similar target systems. Examples: Active Directory, LDAP, SharePoint.||Can be called up together with the external ID type to test the login data. The default type is specified in the configuration parameter "TargetSystem\SAPR3\Accounts\TargetSystemID". Permitted values are ADSACCOUNT and NTACCOUNT.|
|Account is enabled||Specifies whether the user or an external authentication system can log onto the system.|
|User account||Assignment of the external user ID to a user account.|
|Sequential number||Sequential number, if a user account has more than one external identifiers.|
|Valid from||Date from which the external user ID is valid.|
Groups, roles and profiles are mapped in the One Identity Manager, in order to provide the necessary permissions for user accounts. Groups, roles and profiles can be assigned to user accounts, requested or inherited through hierarchical roles in One Identity Manager. No new groups, roles or profiles can be added or deleted.
You can share maintenance of user accounts over different administrators by assigning user accounts to groups.
A role includes all transactions and user menus that an SAP user requires to fulfill its tasks. Roles are separated into single and collective roles. Single roles can be group together into collective roles. User account member in the roles can be set for a limit period.
Access permissions to the system are regulated though profiles. Profiles are assigned through single roles or directly to user accounts. Profiles can be grouped into collective profiles.