Locking SAP user accounts
The way you lock user accounts depends on how they are managed.
Scenario:
The user account is linked to employees and is managed through account definitions.
User accounts managed through account definitions are locked when the employee is temporarily or permanently disabled. The behavior depends on the user account manage level. Accounts with the Full managed manage level are disabled depending on the account definition settings. The Lock user account and Unlock user account tasks cannot be applied to these accounts. For user accounts with a manage level, configure the required behavior using the template in the SAPUser.U_Flag column.
Scenario:
The user accounts are linked to employees. No account definition is applied.
User accounts managed through user account definitions are locked when the employee is temporarily or permanently disabled. The behavior depends on the QER | Person | TemporaryDeactivation configuration parameter
-
If the configuration parameter is set, the employee’s user accounts are locked when the employee is permanently or temporarily disabled. The Lock user account and Unlock user account tasks cannot be applied to these accounts.
-
If the configuration parameter is not set, the employee’s properties do not have any effect on the associated user accounts.
To lock the user account when the configuration parameter is disabled
-
In the Manager, select the SAP R/3 > User accounts category.
-
Select the user account in the result list.
-
Select the Lock user account task.
-
Confirm the prompt with OK.
Scenario:
User accounts not linked to employees.
To lock a user account that is no longer linked to an employee
-
In the Manager, select the SAP R/3 > User accounts category.
-
Select the user account in the result list.
-
Select the Lock user account task.
-
Confirm the prompt with OK.
A process is generated, which publishes this user account modification in the target system. Once the lock has been published in the target system, the User account locked option is enabled on the Login data tab. The user can no longer log in with this user account.
To unlock a user account
- Select the SAP R/3 > User accounts category.
- Select the user account in the result list.
- Select the Unlock user account task.
- Confirm the prompt with OK.
This generates a process that publishes the change in the target system. The User account locked option is disabled as soon as the process is successfully completed.
Detailed information about this topic
For more information, see theOne Identity Manager Target System Base Module Administration Guide.
Related topics
Deleting and restoring SAP user accounts
NOTE: As long as an account definition for an employee is valid, the employee retains the user account that was created by it. If the account definition assignment is removed, the user account that was created from this account definition, is deleted.
To delete a user account
- Select the SAP R/3 > User accounts category.
- Select the user account in the result list.
- Click
to delete the user account.
- Confirm the security prompt with Yes.
To restore a user account
- Select the SAP R/3 > User accounts category.
- Select the user account in the result list.
- Click
in the result list.
Configuring deferred deletion
You can use deferred deletion to specify how long the user accounts remain in the database after deletion is triggered before they are finally removed. By default, user accounts are finally deleted from the database after 30 days. First, the user accounts are disabled or blocked. You can reenable the user accounts up until deferred deletion runs. After deferred deletion is run, the user accounts are deleted from the database and cannot be restored anymore.Deferred deletion has no influence over the login permission in assigned child systems.
You have the following options for configuring deferred deletion.
-
Global deferred deletion: Deferred deletion applies to user accounts in all target system. The default value is 30 days.
In the Designer, enter a different value for deferred deletion in the Deferred deletion [days] property of the SAPUser table.
-
Object-specific deferred deletion: Deferred deletion can be configured depending on certain properties of the accounts.
To use object-specific deferred deletion, in the Designer, create a Script (deferred deletion) for the SAPUser table.
Example:
Deferred deletion of privileged user accounts is 10 days. The following Script (deferred deletion) is entered in the table.
If Not $IsPrivilegedAccount:Bool$ Then
End If
For detailed information on editing table definitions and configuring deferred deletion in the Designer, see the One Identity Manager Configuration Guide.
Entering external user identifiers for an SAP user account
External authentication methods for logging in to a system can be used in SAP R/3. With One Identity Manager, you can maintain login data for logging in external system users, for example, Active Directory on an SAP R/3 environment.
You can use One Identity Manager to enter external user IDs and delete them. You can only change the option "Account is enabled" for existing user ID's.
To enter external IDs
- Select the SAP R/3 > External IDs category.
- Select the external identifier in the result list. Select the Change main data task.
- OR -
Click 
in the result list.
- Enter the required data on the main data form.
- Save the changes.
Enter the following data for an external identifier.
Table 54: External ID properties
| External user ID |
User login name for the user to log into external systems. The syntax you require depends on the type of authentication selected. The complete user identifier is compiled by template.
NOTE: The BAPI One Identity Manager uses the default settings RSUSREXT for generating the user identifier, which means that the user name is reset. The value provided in the interface is passed as prefix.
If you SAP R/3 environment uses something other than these default settings, modify the template for column SAPUserExtId.EXTID respectively. |
| External identifier type |
Authentication type for the external user. This results in the syntax for the external identifier.
Table 55: External identifier types
|
Distinguished Name for X.509 |
Login uses the distinguished name for X.509. |
|
Windows NTLM or password verification |
Login uses Windows NT Lan Manager or password verification with the Windows domain controller. |
| LDAP bind <user-defined > |
Login uses LDAP bind (for other authentication mechanisms). |
| SAML token |
Authentication uses an SAML token profile. |
The default type is specified in the "TargetSystem | SAPR3 | Accounts | ExtID_Type" configuration parameter. |
| Target system type |
Can be called up together with the external ID type to test the login data. The default type is specified in the "TargetSystem | SAPR3 | Accounts | TargetSystemID" configuration parameter. Permitted values are ADSACCOUNT and NTACCOUNT. |
| Account is enabled |
Specifies whether the user or an external authentication system can log in to the system. |
| User account |
Assignment of the external user ID to a user account. |
| Sequential number |
Sequential number, if a user account has more than one external identifiers. |
| Valid from |
Date from which the external user ID is valid. |
Related topics
SAP groups, SAP roles, and SAP profiles
Groups, roles, and profiles are mapped in the One Identity Manager, in order to provide the necessary permissions for user accounts. Groups, roles, and profiles can be assigned to user accounts, requested, or inherited through hierarchical roles in One Identity Manager. No groups, roles, or profiles can be added or deleted.
Groups
You can share maintenance of user accounts over different administrators by assigning user accounts to groups.
Roles
A role includes all transactions and user menus that an SAP user requires to fulfill its tasks. Roles are separated into single and composite roles. Single roles can be grouped together into composite roles. User account member in the roles can be set for a limit period.
Profiles
Access permissions to the system are regulated though profiles. Profiles are assigned through single roles or directly to user accounts. Profiles can be grouped into composite profiles.
