How to create a new SAP User

As part of your role and job as SAP Security Administrator you are often asked to create a new SAP User.

You do this from,
1. SAP Menu -> Tools -> User Maintenance -> Users or directly to transaction SU01.

Create SAP User
SAP User Maintenance Menu

2. From the initial screen of SU01 enter SAP User Name you want to create and click “Create” Button.

Create New SAP User
Create New SAP User

3. Fill with necessary data such as full name and email. After that click “Logon data” tab.

Data for sap user creation
Data for SAP user creation

4. Fill with the initial password or use the generated one.

Password for SAP User
Password for SAP User

5. Here you enter the User Type, Validity date  and password.

SAP User validity date
SAP user validity date

Note about User Type:

Dialog ‘A’

A normal dialog user is used by one person only for all types of logon.

During a dialog logon, the system checks for expired and initial passwords and provides an option to change the password.

Multiple dialog logons are checked and logged if necessary.

System ‘B’

You use a user of type System for communication without dialog within one system (for RFC or CPIC service users) or for background processing within one system.

Dialog logon is not possible.

A user of this type is excluded from the general settings for password validity. Only the user administrator can change the password using transaction SU01 (Goto -> Change Password).

Communication ‘C’

You use a user of type Communication for communication without dialog between systems (for RFC or CPIC service users for various applications, for example, ALE, Workflow, TMS, CUA).

Dialog logon is not possible.

Service ‘S’

A user of the type Service is a dialog user that is available to an anonymous, larger group of users. Generally, this type of user should only be assigned very restricted authorizations.

For example, service users are used for anonymous system access via an ITS service. Once an individual has been authenticated, a session that started anonymously using a service user can be continued as a personal session using a dialog user.

During logon, the system does not check for expired and initial passwords. Only the user administrator can change the password.

Multiple logon is allowed.

Reference ‘L’

Like the service user, a reference user is a general user, not assigned to a particular person. You cannot log on using a reference user. The reference user is only used to assign additional authorization. Reference users are implemented to equip Internet users with identical authorizations.

On the Roles tab, you can specify a reference user for additional rights for dialog users. Generally, the application controls the allocation of reference users. You can allocate the name of the reference user using variables. The variables should begin with “$”. You assign variables to reference users in transaction SU_REFUSERVARIABLE.

This assignment applies to all systems in a CUA landscape. If the assigned reference user does not exist in one of the CUA child systems, the assignment is ignored.

6.  On tab “Default” enter the time zone.

Time zone for SAP User
Time Zone for SAP User

7. Enter SAP Role. (read this article to create SAP Role)

SAP Role for user
SAP Role for user

Save and make sure the user is successfully created.

To get complete reference about SAP User Maintenance, I recommend these guide books for your additional reference: Authorizations in SAP Software: Design and Configuration and SAP Administration – Practical Guide.


Leave a Reply