2613056 - Details of SAP Admin, Support and Technical Users

This KBA describes each type of SAP Admin, Support and Technical Users in the system and their functionality.

• SAP Business ByDesign
• SAP Cloud for Customer

1. Why so many SAP users are necessary?
- As this is a cloud based product, these users are available for different sets of user groups (for example, Basis Administrators use ADMIN* users and the Customer Support team SUPP* users). As it is not feasible to create users for each of the basis admins in the team, it was created users for groups instead of per user. The rest is used for different activities, for example monitoring/update/upgrade/other provisioning related activities.

2. Which authorizations they have?
- Each user group has different set of authorizations and the system have different security policies for them. This information is available in the UI to be checked. Business related activities are restricted and basis administration authorizations are provided as per the audit compliance. 

3. Why the validity is unlimited?
Even if the validity is unlimited, the users will be locked and will be unlocked based on the requirement. Each user request is tracked and is part of an audit.

4. Is there a differentiation possible between dialog and non-dialog users?
Yes, there is a differentiation. Not all users are dialog.

5. When can support users request an access?

If support users receive a case and realize that the support team has to access the customer system in order to analyze the problem (for example, it is not possible to replicate the scenario in the internal test or development systems). In this case, the Cloud Access Manager (CAM) tool is used to generate a temporary access to the corresponding customer system. Support users are not allowed to share these details. The CAM tool keeps a log of which user generated which support user at what date and time. So it is always possible to link a generic support user back to the real person.

Dialog Users:
SAP_ADMIN001-SAP_ADMIN005 -> Operation Admin Users.
SAP_SUPP001 - SAP_SUPP010 -> Support Users.

For these users there are many access levels from L2 to L7 (basic log configuration to full system access). The minimal basic requirements have to be selected depending on the support tasks required.

Service Users:
SAP_ADEM001-SAP_ADEM005 -> Fallback Users for Operation Team.
SAP_SUEM001-SAP_SUEM005 -> Fallback Users for Support Team.

Non-dialog users (Technical):

SAPH0M3 - This user belongs to User Account SAP_SPC, which is related to the system_setup.

DDIC - for installation, software logistics, Initial System, Setup Lifecycle Management, Database Statistics Batch Jobs, TP Import Jobs and the ABAP dictionary (SAP_ALL).

SAP_BGRFCSUP - for background RFC connections.

SAP_DOCFSI - fast search index.

SAP_IAMLGN – health check/monitoring.

SAP_LMADM - for provisioning (SAP_ALL).

SAP_LMPRV - for provisioning.

SAP_LMUPD - for provisioning.

SAP_PDIOCS - for PDI.

SAP_SBB - bgRFC communication user.

SAP_SMDMON - for monitoring.

SAP_SMTP_IN - SMTP inbound communication.

SAP_SPC - automated SPC user self service.

SAP_SYSTEM - for job scheduling.

SAP_TLM - transactional user (RFC).

SAP_TREXADM - for TREX (FSI).

SAP_WSRT - communication user for webservice.

SAP* - superuser for client and system installation (SAP_ALL).

TMSADM - for transports.

XIB2BCONNECT - communication user to XI system.

DELAY_LOGON - Message based web service authentication.

SAP_PRELOADER - Generating the XREP and Runtime loads.

Aside from these users, the system creates a technical user whenever a communication arrangement is created. In case the arrangement is removed, the user remains in the system with status blocked.

Follow-up FAQ KBA: 2757453 - Frequently Asked Question on Type of Users Available in the System

Help Document: User Types

Technical, User, Business, End, SAP, Admin, Supp, Authorization, Access, Rights, DELAY_LOGON , KBA , bydesign user types , SRD-CC-IAM , Identity & Access Management , Problem

SAP Business ByDesign all versions ; SAP Cloud for Customer add-ins all versions ; SAP Cloud for Customer core applications all versions