Contents

Overview 9-2
User Groups 9-2
Profile Generator 9-2
Recommended Policies and Procedures 9-3
User Administration 9-3
System Administration 9-5
New User Setup 9-7
Prerequisites 9-7
Installing the Frontend Software (SAPgui) 9-8
Adding Additional Systems 9-16
Setting Up a New User 9-19
Maintaining a User 9-26
Resetting a Password 9-28
Locking or Unlocking a User 9-29
User Groups 9-31
How to Create a User Group 9-32
Deleting a User's Session (Transaction SM04) 9-33
How to Terminate a User Session 9-33
Maintaining a Table of Prohibited Passwords 9-34
Chapter 9: Nonscheduled User Administration Tasks
System Administration Made Easy, Release 4.0B

Overview

User administration is a serious function, not just a necessary administrative task, because security is at stake each time a user accesses the system. Because the company's financial and other proprietary information is on the system, the administrator is subject to external requirements and recommendations from the company's external auditors, regulatory agencies, and others. Consult your external auditors for the internal-control requirements that apply to user administration. Consult Human Resources if the HR module is implemented or if any sensitive personnel data is maintained on the system.

A full discussion of security and user administration is beyond the scope of this guidebook; this chapter covers a small subset of the topic. Manually creating and maintaining security profiles and authorizations is not covered.

User Groups

An administrator creates user groups to organize users into logical groups, such as:
- Basis
- Finance
- Shipping
For additional information, see User Groups on page 9-31.

Profile Generator

The Profile Generator is a tool that simplifies the creation and maintenance of SAP security. It reduces (but does not eliminate) the need for specialized security consultants. Its value is greatest for smaller companies with limited resources that cannot afford dedicated security administrators. For additional information on the Profile Generator, see the Authorizations Made Easy guidebook.

Recommended Policies and Procedures

User administration is a serious security and audit issue. Some of the tasks in this guidebook are aimed at complying with common audit procedures. Obtaining proper authorization and documentation should be a standard prerequisite for every user administration action.
User Administration

User administration comprises the following:

- User ID naming conventions. Common choices are:
  - The employee's company ID number (for example, e0123456).
  - Last name plus first initial, or first name plus last initial. In a small company where names are often used as IDs, it is common to use the employee's last name followed by the first initial (for example, jonesb) or the first name followed by the initial of the last name (for example, barbaraj).
  - Clearly identifiable user IDs for temporary employees and consultants (for example, T123456 for a temporary employee, C123456 for a consultant). A distinct prefix makes these IDs easy to pick out when you check that every temporary ID carries an expiration date.

- Adding or changing a user
  - The user's manager should sign a completed user add-or-change form. The form should state the required security, job role, and whatever else defines how security is assigned in your company.
  - If the required access crosses departments or organizations, the affected managers should also approve.
  - If the user is not a permanent employee, or if the access is for a limited duration, the time period and the expiration date should be indicated.
  - File the forms by employee name or ID.
  - Perform a periodic audit in which every approved authorization is verified against what is actually assigned to the user, and any assignment without an approved form is investigated.

- Users leaving the company or changing jobs
  This is a particularly sensitive event. The policies and procedures for it must be developed in advance and coordinated among several groups, for example:

  Group               Responsibility
  Human Resources     Legal or personnel matters
  External auditors   Internal control issues related to the financial audit
  IT                  Procedures to terminate network access
  Senior management   Policy approval
  Employee's manager  Handover or training period for the employee's replacement

  To manage terminated employees:
  - The user's manager should send a form or e-mail indicating that the employee is leaving.
  - The user's ID should be locked and the user assigned to the user group TERM (for terminated).
  - If the user's ID is not required as a template, delete the security profiles assigned to the user (in transaction SU01, delete the entries under the Task profile and Profile tabs). A locked ID that still carries its profiles regains all of its access the moment someone unlocks it, so locking alone is not enough.
  - Check Background Jobs (transaction SM37) for jobs scheduled under that user ID. These jobs will fail once the user ID is locked or deleted, so before you lock the account, reschedule any job that is still needed under a user ID that stays valid (a batch user, not another person's ID).
  - If the user moves from one job to another and needs to keep access for a handover, document the handover. Define the duration of the handover access and enter the expiration (Valid to) date in the R/3 System.
  - All temporary employees and consultants should have expiration (Valid to) dates on their user IDs.

As banks do, agree a secret word with each user that they can use to verify their identity over the phone. This word is used when the user needs a password reset or an unlock of their user ID.

System Administration

- Special user IDs
  The two user IDs SAP* and DDIC should be used only for tasks that specifically require them. Any user who needs similar superuser rights should be given a copy of the SAP* user security on their own ID, not the SAP* user ID itself. The security rights of SAP* and DDIC are extensive, dangerous, and pose a security risk. Anyone requiring or requesting similar rights should have a very valid reason for the request. Convenience is not a valid reason. The security profile that serves as the master key is SAP_ALL, and to a lesser degree SAP_NEW.

  The user ID SAP* should never be deleted. Instead, change its password. If the user record for SAP* is deleted, the R/3 kernel falls back to a hard-coded SAP* user with the well-known default password PASS and unrestricted rights; SAP* then has access that you did not configure and cannot control. (The profile parameter login/no_automatic_user_sapstar exists to switch this fallback off; check that your kernel level supports it.) Change the passwords of SAP* and DDIC from their installation defaults to prevent unauthorized use of these special user IDs.
  An external audit procedure checks the security of these two user IDs. For medium- and large-size companies, granting developers SAP*-equivalent security rights even in the development and test systems is usually inappropriate. SAP*-equivalent security in the production system is a security and audit issue and should be severely limited.

- User passwords
  The parameters that define and restrict user passwords are entries in the system profiles (the instance profile and DEFAULT.PFL). The relevant parameters are login/min_password_lng, login/password_expiration_time and login/fails_to_user_lock; a change takes effect when the instance is restarted, and report RSPARAM lists the values actually in force.
  - Passwords should expire periodically. The recommended period is no more than 90 days (login/password_expiration_time).
  - Set a minimum password length of five (5) characters (login/min_password_lng). Five is a floor, not a target; prefer a longer minimum where users can live with it.
  - Lock the user after three unsuccessful logon attempts (login/fails_to_user_lock).
  - Maintain the table of prohibited passwords (USR40).

Sample R/3 User Setup/Change/Delete Form

R/3 User Change Request                                   Company ID: ________

System/Client No.:   PRD 300     QAS 200 210 220     DEV 100 110 120
Employee: ____________________   Department Name/Cost Center Number: ____________
User ID: ____________
Type of change:   [ ] Change user   [ ] Delete user   [ ] Add user
Position: ____________
Expiration date (mandatory for temporary employees): ____________
Secret word: ____________
Requester: ____________   Requester's position: ____________   Requester's phone: ____________
Request urgency:   [ ] High   [ ] Medium   [ ] Low
Employee's job function (if similar to others in the department, give the name and user ID of a person with a similar job function): ____________
Special access/functions: ____________

Requester signoff:   Name ________   Signature ________   Date signed ________
Manager signoff:     Name ________   Signature ________   Date signed ________
                     Name ________   Signature ________   Date signed ________
                     Name ________   Signature ________   Date signed ________
Owner signoff:       Name ________   Signature ________   Date signed ________
Security signoff:    Name ________   Signature ________   Date signed ________

In addition to the security approval (above), is a signed copy of the computer security and policy statement attached?
[ ] Yes   [ ] No

New User Setup

Prerequisites

General Process or Procedure
Before you begin to set up a new user, have the user add form in hand, with all the required information and approvals.

The User's Desktop
Find out whether the user's desktop meets the following criteria:
- Does the system configuration meet the minimum requirements for SAP?
- Is the display resolution set to at least 800 x 600?
- Is there enough space on the hard disk to install the SAPgui and still leave room for desktop applications to run? For Windows, at least 50 MB should remain free after the SAPgui is installed; a practical minimum is 100 MB.

Network Functionality
Find out whether the network meets the following criteria:
- Can the user log on to the network?
From the user's computer:
- Can you ping the SAP application server(s) that the user will log on to? A successful ping shows only that the host is reachable; the SAPgui also needs a TCP connection to the dispatcher port, which is 3200 plus the instance number (port 3200 for instance 00), so check that no firewall or router filter blocks that port.
- If the SAPgui will be loaded from a file server, can you reach the share from which it will be loaded?

For Installation of SAPgui
Before you install the SAPgui, you need the server name and the system (instance) number (for example, xsysdev and 00). You enter this information during the installation.

Recommended Prerequisite for the GUI Installation
Install the online documentation according to the instructions in the SAP document Installing the Online Documentation (Release 4.0B). Note that the online documentation installation and access method has changed since Release 3.x.

Installing the Frontend Software (SAPgui)

The SAPgui (frontend) installation instructions are in the installation guide Installing SAP Frontend Software for PCs.
The SAPgui can be installed from:
- A copy of the presentation CD on a file server
- The presentation CD or a copy of the CD
In most situations, accept the installation defaults.

Installing SAPgui from a File Server

The preferred method is to install SAPgui from a file server, because you do not need to carry the presentation CD around, and remote installations can be completed without shipping out (and potentially losing) the original CD. Prerequisites:
- Copy the SAPgui load files from the presentation CD to a shared directory on a file server.
- Make sure the shared directory is accessible from the user's PC. Give users read-only access to the share: an installer that anyone can modify is an easy way for unwanted software to reach every desktop.

How to Install the SAPgui

Guided Tour
1. Map a drive to the network share where the presentation CD has been copied.
2. Select the mapped drive.
3. Navigate down to the directory for your platform. In this example: Sim-cd on Pal100767 (E:) > sapgui-40b > Gui > Windows > Win32. For other platforms, select the appropriate platform directory: Os2, Unix (Aix, Common, Dec, Hpux, Reliant, Solaris), or Win16.
4. Double-click Sapsetup.exe. The installation program starts.
5. Choose Next.
6. Select Client installation.
7. Choose Next.
8. At this point you have two installation options:
   - Individual installation
   - Standard installation (the default)
   With these options you can either view and select all of the components (standard installation) or select only those you need (individual installation).

Individual Installation of Components

To install SAPlogon you must use the individual installation.
1. Select Individual installation.
2. Choose Next.
3. Choose (De)Select all to install all components.
   This toggle selects or deselects all components. In this example, all components are selected, for a total of 84 MB.
4. Or select specific components by clicking their individual checkboxes. In this example, two components (SAPGUI 32-bit and SAPlogon) are selected, for a total of 18 MB.
5. Choose Next.
6. From here, continue with the Standard Installation procedure.

Standard Installation

1. Choose Local Installation to install the software on the desktop PC.
2. Choose Next.
3. The installation program proposes where to install SAPgui on your system. In most cases, accept the default.
4. Choose Next.
5. Choose possible entries to select a language (for example, E for English).
6. Choose Next.
7. The installation program shows where the files will be installed.
8. Choose Next.
9. Enter the name of the application server in Application Server.
10. Enter the system (instance) number in System Number.
11. The SAP Router String is normally left blank.
12. Select R/3 System.
13. Choose Next.
14. If the SAP online documentation for Release 4.0B has already been installed, this step is not needed; skip it.
15. Choose Next.
16. Enter the name for a program group (or accept the default, SAP Frontend 4.0B).
17. Enter the name for the working directory (or accept the default, c:\SAPworkdir).
18. Choose Finish.
19. A window shows the progress of the installation. The time to complete depends on the speed of your computer and on how quickly the files can be copied over the network.
20. When the installation is complete, a completion window appears.
21. Choose OK.
22.
Test your connection by logging on to the R/3 System.

Installing SAPgui from the Presentation CD

When the network connection between the SAPgui files on the network and the user is too slow to permit installation (for example, because of a slow modem or a slow link in the network), install SAPgui from the presentation CD. Make a copy of the original presentation CD and ship the copy to the user site; you keep control of the original and reduce the chance that it gets lost. The SAPgui installation files can also be copied to other high-capacity removable media, such as ZIP or optical disk, as appropriate for your company.

The CD (or other delivery media) can then be sent to the user's site, where it can either be loaded onto a local file server for installation or used directly for the installation. The prerequisite is that the user has a CD drive or another drive compatible with the delivery media (ZIP, optical, and so on) on which the SAPgui files are delivered.

To install SAPgui from a CD:
1. Insert the copy of the Release 4.0B presentation CD into the CD-ROM drive.
2. In Windows Explorer, choose the CD-ROM drive.
3. Choose Gui > Windows > Win32 (or the appropriate directory).
4. Double-click Sapsetup.exe.
5. Follow the same procedure as when loading from a file server.
6. Test that you can connect and log on to the system.

Adding Additional Systems

You can add another system to either:
- The SAP icon group
- The SAP Logon
Which one you use depends on how your company has been set up.

Icon Group
The icon group is the SAPgui default installation. If your user logs on to only one server, the icon group is sufficient.

SAP Logon
Prerequisite: SAP Logon is installed using the Individual installation.
SAP Logon is used:
- When load balancing is required (load balancing does not work with the icon group).
- By system administrators and others who have to log on to many systems. Instead of many separate icons for the different systems, all instances are configured in the one SAP Logon menu.

Guided Tour: To Add a New System to the SAP Icon Group

Load balancing will not function if the SAP icon group is used; for load balancing, the SAP Logon is required.
1. From the Windows desktop, choose Start > Programs > SAP Frontend 4.0B > SAPicon. If you changed the name of the program group during the installation, choose that name instead of SAP Frontend 4.0B.
2. Select R/3 system.
3. Enter the name of the server in Servername. The name you enter appears as the name under the icon that is created; you can rename it later using the Windows rename function.
4. Enter the system (instance) number in System ID.
5. Routerstring is normally left blank.
6. Choose OK.
7. The icon is added to the SAP icon group.
8.
Test that you can connect and log on to the additional system.

To Add Additional Systems in the SAP Logon
1. On the SAP Logon window, choose New.
2. Enter a short description of the system (for example, Production SAP, PRD) in Description.
3. Enter the name of the server (for example, xsapprd or xsapdev) in Application Server.
4. Enter the system (instance) number assigned to the server for which you are creating the logon entry (for example, 01) in System Number.
5. Select R/3.
6. Choose OK.
7. Test that you can connect and log on to the additional system.

Setting Up a New User

The procedural prerequisite is to check that all documentation and authorizations required to set up the new user are present.

There are two ways to create a new user:
- Copy an existing user
- Create a new user from scratch

Copying an Existing User

You can copy from an existing user if you have a good match. The new user gets the same security profiles as the existing user, so check first that the source user does not carry more access than the new user's form approves; copying from an over-privileged colleague silently propagates the excess. This process is the easiest and therefore the recommended method for a small company. Create template users for the various job functions and copy them to create new users.

Prerequisite: A valid user ID to copy is identified on the user setup form.

Guided Tour
In the Command field, enter transaction SU01 and choose Enter (or choose Tools > Administration > User maintenance > Users).
1. Enter the user ID (for example, gary) that you want to copy.
2. Choose User names > Copy.
3. In the Copy Users window, enter the new user ID in To. Follow your company's naming convention for user IDs.
4. Choose Copy.
5. Enter an initial password (for example, init) and re-enter the same password in the second field. Prefer a different initial password for each new user over a fixed convention: a predictable initial password lets anyone who knows it log on as the new user before the user does.
6.
In User group, enter the user group (for example, ACCT) to which the user is to be assigned. A user group must exist before a user can be assigned to it.
7. You can use possible entries to get a list of user groups to select from.
8. Enter dates in the Valid from and Valid to fields to limit how long the user will have access to the system. A Valid to date is typically required for contractors and other temporary personnel.
9. Choose the Address tab to change the user's address data.
10. Enter the user's Last name.
11. Enter the user's First name.
12. Enter the user's job Function.
13. Enter the user's Department.
14. Enter the user's location (for example, Room no., Floor, Building).
15. Enter the user's phone number. The telephone number should be a required entry: if a system problem is identified with the user, you need to be able to contact that user.
16. Choose Defaults.
17. Check that the Logon language is set correctly (for example, EN for English). If the system default language has been set (for example, English), this field is only needed to log on in a language other than the system default (for example, German).
18. Under Output Controller, select Output immediately and Delete after output.
19. Check that the Personal time zone is correct. Possible entries are available for this field.
20. Under Decimal notation, select the appropriate notation (for example, Point for the United States). The decimal notation affects how numbers are displayed; setting it correctly is critical to prevent confusion and mistakes.
21. Under Date format, select the appropriate date format (for example, MM/DD/YYYY).
22. Choose Save.
Creating a New User from Scratch

Sometimes it is necessary to create a new user from scratch, for example when there is no suitable user to copy from.

Guided Tour
1. In the Command field, enter transaction SU01 and choose Enter (or choose Tools > Administration > User maintenance > Users).
2. Enter the user ID (for example, gary) that you want to create.
3. Choose Create.
4. Enter the user's Last name.
5. Enter the user's First name.
6. Enter the user's job Function.
7. Enter the user's Department.
8. Enter the user's location (for example, Room no., Floor, Building).
9. Enter the user's phone number. The telephone number should be a required entry: if a system problem is identified with the user, you need to be able to contact that user.
10. Choose Logon data.
11. Enter an initial password (for example, init) and re-enter the same password in the second field.
12. In User group, enter the user group to which the user is to be assigned. Possible entries are available to select from. A user group must exist before a user can be assigned to it.
13. Enter dates in the Valid from and Valid to fields to limit how long the user will have access to the system. A Valid to date is typically required for contractors and other temporary personnel.
14. Choose Defaults.
15. Optional: Enter the appropriate language code in Logon language (for example, EN for English). If the system default language has been set (for example, English), this field is only needed to log on in a language other than the system default (for example, German).
16.
Under Output Controller, select Output immediately and Delete after output.
17. Enter the appropriate time zone. Possible entries are available to select from.
18. Under Decimal notation, select the appropriate notation (for example, Point for the United States). The decimal notation affects how numbers are displayed; setting it correctly is important to prevent confusion and mistakes.
19. Under Date format, select the appropriate date format (for example, MM/DD/YYYY).
20. Choose Save.
21. Assign security to the user with the Profile Generator (see the Authorizations Made Easy guidebook).

Maintaining a User

Before maintaining a user, have a properly completed and approved user change form in hand. The user change documentation is examined in a security audit.

Why
You need to maintain a user to manage:
- Changes to an existing job or position
- New jobs or positions
- User data changes, such as name, address, or phone number

Guided Tour
1. In the Command field, enter transaction SU01 and choose Enter (or choose Tools > Administration > User maintenance > Users).
2. Enter the user ID (for example, garyn) to be maintained.
3. Choose Change.
The Maintain User screen allows you to change a user's:
- Address
- Logon data
- Defaults
- Password
- User group
- Other
4. When you finish making the changes, choose Save.

Resetting a Password

Why
The most common reason to reset a user's password is that the user forgot it. In that situation the user has probably also tried to log on too many times with an incorrect password and locked their user ID, so you will also have to unlock the user ID.
Make certain that the person requesting the password reset is indeed the valid user. A basic verification method is to use a telephone with a caller ID display and compare the displayed number against the user's phone number stored in the system or in the company phone directory. We recommend a method similar to that used by banks, where the user has a secret word that is used to verify their identity over the phone. Remember that this method is not perfect either, because someone can overhear the secret word. Give the temporary password only to the verified caller (not to a voicemail box or a colleague), and confirm that the user logs on and changes it promptly.

Maintain a security log of password resets, and audit it periodically to look for potential problems (for example, repeated resets on one ID, or resets requested for IDs in the TERM group).

Guided Tour
1. In the Command field, enter transaction SU01 and choose Enter (or choose Tools > Administration > User maintenance > Users).
2. Enter the user ID (for example, GARYN) to be maintained.
3. Choose Change password.
4. In the popup window, enter the new temporary password in the New password and Repeat password fields.
5. Choose Copy.

For security, you can only set an initial value for the user's password; the user is then required to change it at the next logon. You cannot see the user's current password, nor can you set a permanent password for the user.

Locking or Unlocking a User

What
The lock/unlock flag is part of the logon check: it either allows the user to log on to the R/3 System or prevents it.

Why
- Locking a user
  If a user leaves the company, is assigned to a different group, or is on leave, their R/3 access should be removed. The lock function leaves the user ID and its security profiles on the system but does not allow the user to log on. This is ideal for temporary personnel or consultants, whose user IDs stay locked unless they need access. Note that locking prevents new logons only: a session that is already open continues until it ends, so if access must be withdrawn immediately, also end the user's sessions with transaction SM04 (see Deleting a User's Session).
- Unlocking a user
  A user is automatically locked out of the system if they attempt to log on incorrectly more than the allowed number of times (usually because they forgot their password). The administrator must unlock the user ID and, more than likely, reset the user's password. Before unlocking a user, determine whether the request is valid. Do not unlock a user who was manually locked without first finding out why this was done; you may discover an important reason why the user should not access the system.

Guided Tour
1. In the Command field, enter transaction SU01 and choose Enter (or choose Tools > Administration > User maintenance > Users).
2. Enter the user ID (for example, GARYN) to be maintained.
3. Choose Lock/unlock.
4. A popup window appears. In this example, an administrator has manually locked the user ID.
5. Choose Lock/Unlock. In this example, this step unlocks the user.
6. A message at the bottom of the screen indicates that the user has been unlocked.

User Groups

What
A user group is a logical grouping of users (for example, shipping, order entry, and finance). The following restrictions apply to user groups:
- A user can belong to only one user group.
- A user group must be created before users can be assigned to it.
- A user group provides no security until the security system is configured to use user-group security.

Create the group TERM for terminated users. Lock all users in this group and, for most of them, delete the security profiles. This keeps the user information for terminated users on the system while preventing the user ID from being used to log on.

Why
The purpose of a user group is to:
- Provide administrative groups so that users can be managed as groups.
- Apply security.
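The periodic audit called for under Recommended Policies and Procedures (approved forms versus assigned profiles, terminated users locked and stripped of profiles, Valid to dates on temporary IDs, background jobs that will fail) and the TERM/SUPER/TEMPLATE group conventions above can be checked mechanically once the SU01 data is exported. The following is an added example, not part of this guidebook or of any SAP tool: it assumes that the user master records, the approved forms and the SM37 job list have been exported into the plain Python structures shown, and the field names, the group names SUPER and TEMPLATE, and the temporary-ID convention [TC] followed by digits are this example's own assumptions. All sample records are constructed.

```python
"""Periodic user-administration audit over a constructed SU01/SM37 export."""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class User:
    """One SU01 record as exported (field names are this example's own)."""
    uid: str
    group: str
    locked: bool
    valid_to: Optional[date]
    profiles: Set[str] = field(default_factory=set)
    template: bool = False   # kept only as a copy source for new users


# Constructed sample export of user master records
USERS = [
    User("JONESB", "FINANCE", False, None, {"Z_FI_CLERK"}),
    User("T123456", "SHIPPING", False, None, {"Z_SHIP_USER"}),           # temp without Valid to
    User("C987654", "BASIS", False, date(1999, 12, 31), {"Z_BASIS_OPS"}),
    User("SMITHA", "TERM", False, None, {"Z_FI_CLERK"}),                  # left, never locked
    User("OLDMGR", "TERM", True, None, {"Z_FI_MGR"}),                     # locked, profiles left
    User("FI_TMPL", "TEMPLATE", True, None, {"Z_FI_CLERK"}, template=True),
    User("DEVLEAD", "DEVELOP", False, None, {"SAP_ALL"}),                 # master key outside SUPER
]

# Constructed: user ID -> profiles the signed add/change form approves
APPROVED: Dict[str, Set[str]] = {
    "JONESB": {"Z_FI_CLERK"},
    "T123456": {"Z_SHIP_USER"},
    "C987654": {"Z_BASIS_OPS"},
    "DEVLEAD": {"Z_ABAP_DEV"},
}

# Constructed SM37 extract: job name -> user ID the job runs under
JOBS: Dict[str, str] = {"Z_MONTH_END": "SMITHA", "Z_NIGHTLY_IDOC": "BATCHUSR"}

MASTER_KEYS = {"SAP_ALL", "SAP_NEW"}
TEMP_ID = re.compile(r"[TC]\d+")   # assumed naming convention for temps/consultants


def audit(users: List[User], approved: Dict[str, Set[str]],
          jobs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (user ID, finding) pairs; an empty list means the export is clean."""
    findings = []
    by_id = {u.uid: u for u in users}
    for u in users:
        # TERM group: locked, and no profiles unless kept as a template
        if u.group == "TERM":
            if not u.locked:
                findings.append((u.uid, "TERM user is not locked"))
            if u.profiles and not u.template:
                findings.append((u.uid, "TERM user still has profiles: "
                                 + ", ".join(sorted(u.profiles))))
        # temporary employees and consultants must carry an expiration date
        if TEMP_ID.fullmatch(u.uid) and u.valid_to is None:
            findings.append((u.uid, "temporary/consultant ID has no Valid to date"))
        # SAP_ALL / SAP_NEW only in the SUPER group
        if u.profiles & MASTER_KEYS and u.group != "SUPER":
            findings.append((u.uid, "SAP_ALL/SAP_NEW assigned outside group SUPER"))
        # assigned profiles must match the signed form, in both directions
        if u.group != "TERM" and not u.template:
            ok = approved.get(u.uid, set())
            extra, missing = u.profiles - ok, ok - u.profiles
            if extra:
                findings.append((u.uid, "assigned without approved form: "
                                 + ", ".join(sorted(extra))))
            if missing:
                findings.append((u.uid, "approved but not assigned: "
                                 + ", ".join(sorted(missing))))
    # jobs scheduled under a locked or terminated ID will fail at their next run
    for job, owner in jobs.items():
        o = by_id.get(owner)
        if o is not None and (o.locked or o.group == "TERM"):
            findings.append((owner, f"background job {job} will fail: "
                                    "owner is locked or terminated"))
    return findings


if __name__ == "__main__":
    for uid, what in audit(USERS, APPROVED, JOBS):
        print(f"{uid:<10} {what}")
```

Each finding maps to one rule in the text, so a reviewer can file the output alongside the forms; the approval check is skipped for TERM and template users because those IDs are not supposed to carry live access at all.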
Usage
The following special groups are recommended:

Group      Definition
TERM       Terminated users. Keeping the user record in the system preserves the identification data.
           - All users in this group should be locked.
           - Unless the ID is being used as a template, remove all security profiles from the user.
SUPER      Users with SAP*- and DDIC-equivalent profiles.
TEMPLATE   Template users that are copied to create real users.

How to Create a User Group

Guided Tour
1. In the Command field, enter transaction SU01 and choose Enter (or choose Tools > Administration > User maintenance > Users).
2. On the User Maintenance screen (transaction SU01), choose Environment > User groups.
3. Choose Create.
4. Enter the name of the new user group (for example, finance).
5. Choose Enter.
6. The new user group FINANCE is now in the list and can be used.

Deleting a User's Session (Transaction SM04)

What
Use transaction SM04 to terminate a user's session.

Why
Transaction SM04 may show a user as active when the user has actually logged off. This condition is usually caused by a network failure that cut off the user, or by the user not closing out of the system properly (for example, turning the PC off without logging off).

A user who is on the system may also need a session terminated:
- The user's session may be hung, and terminating it is the only way to remove it.
- The user may have gotten into a one-way menu path with no exit or cancel option. This situation is dangerous, and the only safe option is to terminate the session.

Locking a user ID in SU01 does not end sessions that are already open, so when access has to be removed immediately, lock the ID and then end the user's sessions here.

How to Terminate a User Session

Guided Tour
1. Verify that the user is actually logged off from R/3 and that there is no SAPgui window minimized on the desktop.
   Verify this by physically checking the user's computer. Verification is important because users may have forgotten that they minimized a session.
2. In the Command field, enter transaction SM04 and choose Enter (or choose Tools > Administration > Monitor > System monitoring > User overview).
3. Select the user ID whose sessions you want to end. Double-check that the selected user is really the one you mean; it is very easy to select the wrong user.
4. Choose Sessions.
5. Select the session to be deleted.
6. Choose End session.
7. Repeat steps 5 and 6 until all sessions for that user are deleted.

Maintaining a Table of Prohibited Passwords

What
The table of prohibited passwords is a user-defined list of passwords (and wildcard patterns) that may not be used in the R/3 System. The table interacts with the profile parameter for the minimum password length: if the minimum length is set to five characters, there is no reason to prohibit passwords like 123 or SAP, because they fail the length test anyway. However, if company security policy requires it, you can include every password that is considered risky in the table. The table is not a substitute for good password policy and practice by the users.

The following easily guessed passwords cannot be put into any table, because they differ for every user:
- <your name>
- <your spouse's name>
- <your child's name>
- <your pet's name>
- <your car's license plate>
A company password policy should be prepared and distributed to all users to make them aware that they should not use such easy-to-guess passwords.

Why
There are many lists of commonly used passwords in circulation.
If a user picks one of these passwords, the chance that an unauthorized person gets into the user's account increases.

How
Changes to table USR40 are made with transaction SM31, the general table maintenance transaction (for more information, see chapter 10, Nonscheduled System Administration Tasks: Table Maintenance). The change creates a transport request that can then be transported throughout the landscape. Record changes to this table in your security log.

Suggested table entries (an asterisk matches any sequence of characters, so 12345* prohibits every password that begins with 12345 and *12345* every password that contains it):
SAP
GOD
ABC
QWERTY
SEX
XYZ
PASS
PASSWORD
123
12345*
54321*
*12345*

Other table entries:
- Days of the week: Monday*, Tuesday*, Mon*, Tue*, and so on
- Months of the year: January*, February*, Jan*, Feb*, and so on
- <your company name>
- <your product names>
- <names of competitors>
- <names of competitors' products>
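The two password controls described in this chapter, the profile parameters under User passwords in Recommended Policies and Procedures and the USR40 table above, can be exercised against a candidate password before it is typed into SU01, which makes the interaction between minimum length and the table concrete. The following is an added example, not part of this guidebook or of SAP: it assumes the parameters login/min_password_lng, login/password_expiration_time and login/fails_to_user_lock, the guidebook's recommended values (5, 90, 3), and the USR40 wildcard rules, where `*` matches any run of characters and `?` exactly one, compared case-insensitively. The kernel applies further built-in rules that are not modelled here. The profile excerpt and the USR40 entries are constructed samples.

```python
"""Check R/3 password profile parameters and test candidates against USR40."""
import re

# Guidebook recommendations: ("min", floor) or ("max", ceiling)
POLICY = {
    "login/min_password_lng": ("min", 5),
    "login/password_expiration_time": ("max", 90),
    "login/fails_to_user_lock": ("max", 3),
}

SAMPLE_PROFILE = """\
# Instance profile excerpt (constructed sample, deliberately weak)
SAPSYSTEMNAME = PRD
login/min_password_lng = 3
login/password_expiration_time = 0
login/fails_to_user_lock = 12
"""

# USR40 entries (constructed sample); '*' matches any run, '?' one character
SAMPLE_USR40 = ["SAP", "PASSWORD", "QWERTY", "12345*", "*12345*", "MON*", "PRD?"]


def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, ignoring '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = (s.strip() for s in line.split("=", 1))
            params[name] = value
    return params


def weak_parameters(params):
    """List the POLICY parameters that are missing or weaker than recommended."""
    problems = []
    for name, (kind, limit) in POLICY.items():
        if name not in params:
            problems.append(f"{name} not set; the kernel default applies")
            continue
        value = int(params[name])
        if name == "login/password_expiration_time" and value == 0:
            problems.append(f"{name} = 0: passwords never expire")   # 0 disables expiry
        elif kind == "min" and value < limit:
            problems.append(f"{name} = {value}: below the recommended {limit}")
        elif kind == "max" and value > limit:
            problems.append(f"{name} = {value}: above the recommended {limit}")
    return problems


def usr40_regex(pattern):
    """Translate a USR40 entry into a case-insensitive regular expression."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped, re.IGNORECASE)


def prohibited_by(password, usr40):
    """Return the first USR40 entry the password matches, or None."""
    for pattern in usr40:
        if usr40_regex(pattern).fullmatch(password):
            return pattern
    return None


def check_password(password, min_length, usr40):
    """Return the reasons a password would be rejected; an empty list means accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length}")
    hit = prohibited_by(password, usr40)
    if hit:
        reasons.append(f"prohibited by USR40 entry {hit}")
    return reasons


if __name__ == "__main__":
    params = parse_profile(SAMPLE_PROFILE)
    for problem in weak_parameters(params):
        print("profile:", problem)
    min_length = int(params["login/min_password_lng"])
    for candidate in ["123", "123456", "X12345Y", "monday", "Password", "secret99"]:
        print(f"{candidate:10}", check_password(candidate, min_length, usr40=SAMPLE_USR40) or "accepted")
```

Running the sample shows why 123 need not be in USR40 once the minimum length is five (the length check rejects it first), and why the wildcard entries earn their place: 123456 is caught by 12345* and X12345Y by *12345*, neither of which a literal entry would catch.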