Friday, October 12, 2007



What are user groups and how can we use them?

Your auditer asked you to implement user groups in SAP, but you have no idea what are user group.

Transaction SUGR - have a look. Purpose for example is to give certain system admin rights to unlock / change password only to a given user group. You assign user group to an user id via SU01.


User group can be used for different reasons and in different way.


In the latest versions of SAP, actually two types of usergroup exist, the authorization user group and the general user groups.


Naturally the main reason of user groups is to categorize user into a common denominator.


The authorization user group is used in conjunction with S_USER_GROUP authorization object. It allows to create security management authorization by user group. e.g. you can have a local security administrator only able to manage users in his groups, Help-Desk to reset password for all users except users in group SUPER, etc...


The general user group can be used in conjunction with SUIM and SU10, to select all the users in a specific group. User can only be member of one authorization user group but several general user group.


One of the Primary uses of user groups is to sort users into logical groups.


This allows users to be categorised in a method that is not dependent on roles/AG's/Responsibilities/Profiles etc.


User Groups also allow segregation of user maintenance, this is especially useful in a large organisation as you can control who your user admin team can maintain - an example would be giving a team leader the authority to change passwords for users in their team.


The most important factor identified is that the lack of user groups is an indication that there may be problems with the user build process. This is very "fuzzy" but is a bit of a warning flag.


The Auditors job is to provide assurance that SAP is set up and administered in a way that minimises risks to the financial data produced. If the only thing they have picked up on is the lack of usergroups then you will be fine.


If you are in any doubt whatsoever ASK THE AUDITOR. They would have produced a report listing why they feel there is a risk by not having User Groups implemented. If you feel that the risk is mitigated by other measures then let them know. It works best as a 2 way process and both parties can learn something.

No comments: