SAP UAM User Guide

SAP User Authorization Management

User Guide

Document SAP UAM User Guide

Document Author: F. Pausch / D. Schoen

Document Version: V1.0 2017-08-04

V2.0 2018-02-16

V3.0 2019-02-08

V4.0 2020-05-04

Page 1 of 29
SAP UAM User Guide

Introduction ............................................................................................................................................ 3
What is SAP UAM? ....................................................................................................................... 3
Process and Workflow .................................................................................................................. 3
General information ............................................................................................................................... 5
User interface ................................................................................................................................ 5
Create new request for SAP access rights ............................................................................................ 6
Go to “New Request” .................................................................................................................... 6
Decide who should be the recipient .............................................................................................. 7
Select SAP system(s) ................................................................................................................. 10
Select the SAP user on the target system(s) .............................................................................. 11
Search and select SAP roles ...................................................................................................... 12
3.5.1. Role view ............................................................................................................................. 12
3.5.2. How to request access rights .............................................................................................. 13
Information during the request process ...................................................................................... 16
SOD-Check ................................................................................................................................. 16
Summary of the request .............................................................................................................. 17
Cart and start workflow ............................................................................................................... 17
Copying UAM requests ............................................................................................................... 18
Approve requests as supervisor .......................................................................................................... 19
Approval email............................................................................................................................. 19
Approval step and actions ........................................................................................................... 20
Manage your approvals ............................................................................................................... 22
Approve requests as business owner/keyuser .................................................................................... 22
Approval email............................................................................................................................. 23
Approval step and actions ........................................................................................................... 23
Manage your approvals ............................................................................................................... 24
Manage deputies ................................................................................................................................. 25
Manager and keyuser in 1 person ....................................................................................................... 25
Password Self-Service Tool ................................................................................................................. 27

Page 2 of 29
SAP UAM User Guide

Introduction
What is SAP UAM?
 Easy to use self service tool for SAP user authorization request
 SOX-compliant documentation and support of segregation of duties (SoD)
 Integration within Magna Global IT environment (Active Directory and SAP Solution Manager)
 SAP UAM supports following functionalities
o Request SAP authorization roles for named user and system user
o Request and create SAP user
o Standardized workflow (supervisor and business owner approval)
o Segregation of Duty (SoD) check (integration with SAST tool)
o Remove SAP authorization roles from user
o Configuration per division

Process and Workflow

Overview

Page 3 of 29
 SAP UAM User Guide

Workflow Detail

Page 4 of 29
SAP UAM User Guide

General information
User interface

Link: http://mitapps-sapuam.magna.global/

New Request
Start new (User-, Role-)request for
you or a third person.

Change Language
The default application language is
derived from your browser settings.
You can switch the application
language from DE to EN.

Your Login Data Manage and review your

This area is for you information requests
and shows you username, login Here you can see the status of
and location. your requests.

Page 5 of 29
SAP UAM User Guide

Create new request for SAP access rights

Go to “New Request”

Page 6 of 29
 SAP UAM User Guide

Decide who should be the recipient

You have the following options for a recipient of your request:

Personal request
1
Request a role or a SAP user for yourself (for your own account).

Thi Third party request – search by Windows username

2
Request a role or SAP user for a third person, who already has an active Windows user account.

Page 7 of 29
SAP UAM User Guide

User: Search the Recipient by Windows username or Mailadress

Info-Mail: Automatically
Superior: Automatically
Location: Automatically

Click

Third party request – search by SAP username

3 Request a role or SAP user for a third person or account, who has no active Windows user
account but an existing SAP account within any SAP system of Magna. For example for external
contractors or system user.

SAP-Login: Search by SAP username

Info-Mail: Automatically
Superior: Search superior by username oder email (windows accounts)
Location: Select your location

Click

Page 8 of 29
SAP UAM User Guide

Third party request – new user

4
Here you can request a completely new user (and roles for the user).

Name: Fill in the username for the new SAP user

Info-Mail: Fill in a email which belongs to the user
Superior: Search for a Magna superior (needs to approve the request)
Location: Search the appropriate location

Click

Page 9 of 29
SAP UAM User Guide

Select SAP system(s)

Switch the tabs to select between Production and Quality/Development systems. Select one or
more systems for which you want to request.

NOTE:
If a user does not have an SAP account, all systems are shown automatically.
For users who have already an SAP account, only actual assigned SAP systems for the account
are automatically shown.
If additional systems are needed, the following checkbox can be deactivated so that all systems for
selection are shown.

Page 10 of 29
 SAP UAM User Guide

Select the SAP user on the target system(s)

Within this step select the SAP acoount you want to use for your request (has to be done for each system
you selected before).

If the user has one or more SAP If the user has no SAP account
accounts on the selected on the selected system
system

In case the user for whom you request has one or more SAP accounts within the selected system you
can select the appropriate account by clicking the dropdown menue.

If the person for whom you request does not have an SAP account you can request a new user.

The system will provide you a suggested username based on the Windows username of the recipient. In
this step you can also overwrite this suggested username and suggest your own name (in this case the
manager and the UAM Division Administrator has to approve this new username).

NOTE: The matching between the recipient´s user (Windows user) and the SAP user will be done with
the email address.

Page 11 of 29
 SAP UAM User Guide

Search and select SAP roles

You can select roles by

- Structured role list
- Search role
- Roles from user
- Role by transaction
- Role description (free text)

3.5.1. Role view

GREEN
The role is already assigned to the
selected user and system.

GREY
The role is currently not available.

(Please note that if a division is already using the new role kernel (roles named X*/Y*, old z*-roles will not
be maintained within UAM.)

If you mouseover the rolename you get more information about the role:

Role description

Assigned Keyuser/Business owner

(will be responsible to release the
approval workflow)

Page 12 of 29
SAP UAM User Guide

3.5.2. How to request access rights

3.5.2.1. Select roles by “Role List” and search roles

Select the tab “Role List” (default) to search the roles within a defined structure. In this view
you can also search by role name.

Search by role name

Level 1 Hyperion Code – Magna Division Name

Level 2 SAP Module
Level 3 SAP Role

As soon as you select a role by clicking the checkbox next to the role title, the role will appear
on the right side under ‘selected roles’:

If you want to limit the access for the role you can set a valid to date by clicking the clock
symbol and selecting a date.

Page 13 of 29
SAP UAM User Guide

3.5.2.2. Search roles from other uses

You can search the roles by looking into other users account (email or username).

3.5.2.3. Roles by transaction

Search by transaction code to get roles which belong to the transaction.

Page 14 of 29
SAP UAM User Guide

3.5.2.4. Role description

Describe the authorization which is required. Your request will then come to the step
“Resolve Roles”. The SAP team will assign the appropriate roles.

3.5.2.5. Remove roles

In case you need to remove roles from an existing user select the tab “Remove roles”. All
existing roles will be shown in a table, you can remove the role immedatly or with a target
date.

Select the roles you want to remove, if you don´t set a target date, the roles will be removed
immediately If you select a role and set the targt date the role will be removed at End Of
Business (CET) on the selected day.

In case of a roles removal the Keyuser/Business owner approval step will not be
neccassary, just the Supervisor/Manager has to approve this.

Page 15 of 29
 SAP UAM User Guide

Information during the request process

During the whole request process you will have a live information of your current status (on the right side
of the window).

Role description
Information of your description of roles you
need

Selected Roles
Roles you selected from the role list

Existing Roles
Roles which are already assigned to your user
within this system (you can´t select them
anymore from the list). Roles which will be
deleted in future are marked in red with the
deletion date in the tool tip.

Roles to remove
Roles which you have selected to be removed.

SOD-Check

The SoD check will be performed with all requests (can be deactivated per division). The check will be
done on an external system and can take up to 5 minutes (depends on the number of roles).

In case there are no conflicts following message will be shown:

If conflicts are found, following results will be shown up as “to be mitigated”:

Page 16 of 29
 SAP UAM User Guide

Criticality 1 red, arrow up

Ciritcality 2 roange, arrow right up

You have two possibilities:

1. Go Back and select/deselect roles which causes this risks

2. Accept risk with a reason

(In the workflow the manager has to review and accept your accepted risks.)

Summary of the request

In this step you can review your request and send it to the cart.

Cart and start workflow

After you send your request to the cart you can start the approval workflow.

or delete the cart

Page 17 of 29
 SAP UAM User Guide

Copying UAM requests

If you have more than 1 request with the same needed settings/access rights it is possible to copy an
UAM request:

Select ‘requests’ – ‘open’ on the left side – the ‘copy request’ button is available as soon as there was no
action from the manager:

If you use the function ‘copy request’ the settings for the new request will be filled out automatically –
therefore you have to overwrite the recipient, username ,…

Page 18 of 29
 SAP UAM User Guide

Approve requests as supervisor

Approval email

You will be notified via email. If you click the link in the notification mail you will be automatically
forwarded to the approval page within UAM.

Page 19 of 29
 SAP UAM User Guide

Approval step and actions

Following page will be shown:

In this section you can see what you Review and

have to approve approve the SoD
information

Actions

Accept (default) or decline individual roles by clicking the box next to role description

Cancel the approval process, no changes will be saved, the request

remains pending on “Supervisor/Manager approval” step.
You can send a message or info-mail to the requester or any other
person (also add attachements). The person will be informed per
email and can reply directly to your inquiry (will be documented in the
system).

You can see the conversation in the “Comments” section.

Page 20 of 29
 SAP UAM User Guide

See the complete history of the request, including persons who are
eligible to approve the request.
Delegation of approval step to a third person (add the reason for
delegation).
Save the current status

Approve the request and release the workflow.

Review and change SAP username (in case a new user has been requested):

Mouseover to the Recipient (clicking the blue information sign)

If there was a new user request the title “New User:” followed by the proposed name will be shown.

Click on “change” if you want to change the username.

The system will check if the username is already in use witin the SAP systems.

The naming convention of new user accounts is the decision of each division.
Recommendation: AD-name should be used for new SAP accounts.

Page 21 of 29
 SAP UAM User Guide

Manage your approvals

Within ‘Tasks’ (Inbox) you see all requests of your division which have to be handled by your role.
You can also search for specific requests by entering the appropriate info like ‘task at’.

Approve requests as business owner/keyuser

Page 22 of 29
 SAP UAM User Guide

Approval email

As soon as the manager approval was done, the request will be sent to the business owner/keyuser
approval step.

The assigned business owner/keyuser will be notified with a email:

Approval step and actions

In this section you can see what

you have to approve

Actions

Accept (default) or decline individual roles by clicking the box next to role description

Page 23 of 29
 SAP UAM User Guide

Cancel the approval process, no changes will be saved, the request

remains pending on “Supervisor/Manager approval” step.
You can send a message or info-mail to the requester or any other
person (also add attachements). The person will be informed per
email and can reply directly to your inquiry (will be documented in the
systems).

You can see the conversation in the “Comments” section.

See the complete history of the request, including persons who are
eligible to approve the request.
Delegation of approval step to a third person (add the reason for
delegation).
Save the current status

Approve the request and release the workflow.

Normally, more than one keyuser per role is assigned. Only 1 of the defined keyuser can approve/decline
the role.
Example: If you are one of three defined keyusers and another keyuser already approved a role for which
you are also keyuser, it is not possible anymore for you to approve the role again as keyuser.

Manage your approvals

Within ‘Tasks’ (Inbox) you see all requests of your division which have to be handled by your role.
You can also search for specific requests by entering the appropriate info like ‘task at’.

Page 24 of 29
 SAP UAM User Guide

Manage deputies
If you are in the role of a manager or keyuser, please set a deputy for the time you are not in the office.
The requests will be forwarded to your deputy in the mentioned period.

By selecting ‘Deputies’ in the menu bar you can search for deputies which are involved in the workflows.

Add a deputy for your role by selecting ‘New Deputy’.

Manager and keyuser in 1 person

If you are manager and keyuser within the same request, UAM informs you within the keyuser step that
you already approved as manager.

In this case please delegate the to be approved roles to someone else.

After clicking ‘OK’, you have to delegate the role to someone else:

Page 25 of 29
 SAP UAM User Guide

Mark the roles/tree, select a person and click ‘delegate selected roles’.

A confirmation appears in green.

After that, click the ‘Exit’ button on the left side to leave the request.

Page 26 of 29
 SAP UAM User Guide

Password Self-Service Tool

Magna-IT offers a Password Self-Service Tool within supported SAP systems. This tool is connected to
UAM and can be used in several scenarios.
1. Reset the password in one system and meanwhile the user will be automatically unlocked if it is
locked before.
2. Reset the password in all systems and meanwhile the user will be automatically unlocked if it is
locked before.
3. Unlock the user in one system without password reset
4. Unlock the user in all systems without password reset

The link for the password-reset web tool is listed on the logon screen of each SAP system – for this
example it is the production system ITP:

Copy the following link to a web browser such as Internet Explorer or Google Chrome:
https://sap-sm3.magna.global:8001/pwreset
(We also recommend you to add the link to the favorites folder in your browser.)
Once opening the website, you will see the following application screen.

Page 27 of 29
 SAP UAM User Guide

Enter the mandatory information:

 Fill in username or email address, and then click Enter
 After that the drop down menu for ‘System Landscape’, ‘System-ID’ and ‘Client’ will be
filled automatically in most cases. However, you have a user in multiple systems, you
have to choose the right system manually.
Note:
System Landscape -> collection of systems: development/test/production system),
System-ID -> three-digit name for identification of SAP system
 Client -> entity with independent information and data; in most systems automatically
entered in login screen
 Afterwards, choose the one from the following four options:

 Finally, click button ‘start’

Email confirmation window appears and ask if the mentioned mail address is the right one.
If you confirm with ‘yes’ an email will be sent to you.
If you negate, MIT helpdesk will be informed to check the mail address which is listed within your SAP
account.

As soon you got the activation mail please confirm the link within the mail:

You will get a new mail with a password:

For the first login, you have to change your password after entering the generated password which you
got before per mail (generated password is valid 7 days).

Page 28 of 29
SAP UAM User Guide

For any questions or problems please contact our SAP helpdesk:

Mail: sap.global@magna.com
Phone: +49 6093 9942 5062

Page 29 of 29