
What are the Rules recommended by SAP for User Ids?

Former Member
0 Kudos

Hello All,

Good Evening.

What are the parameters that I need to consider for proposing SAP User Ids in an implementation project? I could see that a newly installed SAP system also allows spaces in the username.

Could you please advise me on the questions below:

1. User Id naming convention?

2. Min and max length of SAP User Ids, and where can I define these parameters?

3. No spaces and special characters should be allowed (what needs to be set up to achieve this?)

Please help me with the implementation plan, if you already have any on user Id design...

Thanks in advance..

Regards,

Ch.

1 ACCEPTED SOLUTION

mvoros
Active Contributor
0 Kudos

Hi,

1. Different companies have different naming conventions. It's common to use something like employee number as a user name. Also it's common to use some combination of first and last name. But be aware of technical limits. See the next point.

2. Minimum is 1 character and maximum is 12 if I remember correctly. You can't have user names longer than 12 characters. Hence you have to take this limit into consideration when you are defining your naming convention.

3.  I am not aware of any standard way how to achieve this. I am wondering why you have to do this. The solution does not have to always be technical. Only a limited set of people will have authorization to create a user in the system. I guess these people should be trusted that they will follow the naming convention.

To be honest, if you want to have something robust and future proof you should not be creating users manually. You should feed your users from central repository. Some kind of identity management solution. If that's the case then you probably already have some naming convention defined that you can re-use. Unless you have a problem with 12 character limit for user names. In that case you can work around this using SAML and map users to shorter user names.

Cheers

14 REPLIES 14

michael_kozlowski
Active Contributor
0 Kudos

There is pretty good documentation available on this topic, but only in German. However, it will give you valuable input:

Prüfleitfaden SAP® ERP 6.0

0 Kudos

Hello Michael,

Thanks for the reply...

I tried to find the same doc in English, unfortunately I couldn't...

Could you please help in getting the same doc in English, as I'm very bad in German :-)... I'm sorry... But this seems to be the perfect doc.

Thanks,

Ch.

0 Kudos

AFAIK there is no English translation of this document. Please check the link for similar docs in English: Audit Control & Security - File Library | UKISUG

Former Member
0 Kudos

Hello Martin,

Thanks for the reply.

Yes, we can have a max. of 12 characters for any User Id, but how do we restrict the minimum length of the User Id?

The naming convention we have for User Ids now is the first letter of the first name followed by the last name.

Could you please help me in achieving the below?

Can we limit the minimum User Id length as 8?

No space or special characters should be allowed in User Ids.

Please help me.

mvoros
Active Contributor
0 Kudos

Hi,

I am questioning if you need to achieve this requirement using a technical control. Why can't you just specify in the naming convention that it has to be at least 8 characters? Who will be allowed to create a user in the system? What's the risk associated with creating a user with less than 8 characters? Btw, what about people with really short surnames?

Anyway, if you really want to implement this then, based on your release, you may be lucky. I just checked one system and there seems to be a BADI called BADI_IDENTITY_CHECK which addresses your requirement. It's well documented and there is an example of implementation. Hence talk to your friendly developer. I am not sure which release introduced this BADI.

Cheers

0 Kudos

Adding to Martin's comment, another thing to consider is that the User Id is the primary key for the user record and is stored throughout the system (change documents). It is not a label like in other systems, where you can edit the User Id when you need to change it but retain the overall record.

Therefore, when devising your naming convention and security design for identity you need to think through the User id. If you use a permutation of name, what happens if someone wants to change it (e.g. marriage, divorce, gender change with a change in name, person just wants to legally change their name, etc).

Many places attempt to have the lifetime User Id concept (or at least only issue the single User Id to the same person). If they choose a name change then the user master record for first name and surname is updated but the User Id remains the same.

It's frustrating when users get upset that you won't reissue an Id (if you do then you have to consider audit trail and also the user favourites, report variants, change documents, etc are not copied across to the new Id).

I prefer the use of employee number or a central identity which has a connection back to HR. This way you have a better audit trail of who actually owns the account.

Regards

Colleen

Former Member
0 Kudos

Hello Martin,

Thanks for the suggestion...

This recommendation is for good practice in avoiding confusion with spaces and special characters in User Ids... In a hurry, people forget recommendations while creating User Ids... So I am looking for a way to make this mandatory in the application...

Let me check with developer and will update you if I get any solution on this BADI.

Thanks,

Ch.

Former Member
0 Kudos

Hello Colleen,

So as per your suggestion, will it be good if we give only the first name, and for new User Ids we'll append numbers to the User Id in case of duplicates?

If we follow Employee number, I guess this will have an impact on HR system...

What justification can be given on suggesting Employee numbers as User ids?

Please help me in understanding the negatives of this...

Thanks,

Ch.

mvoros
Active Contributor
0 Kudos

Hi Colleen,

I can see that you are talking from your own experience. The problem with using employee number as an Id is that most of the GUI transactions just display a user name and that's not really user friendly. Fortunately, the Fiori design guidelines are forcing developers to display the full name so this won't be a problem with new apps.

But I agree that I would suggest to stick to some unique identifier that will never change. With SAML a user may be actually using email address for logging into the system. But I noticed that most of the users do not have a problem to memorize their employee number.

Cheers

Former Member
0 Kudos

In hindsight it might have been nice to use the USR02 kernel side data as a technical key and via address data unique to the key have application specific first name last name combinations and abbreviations like JVDB or JB7BASIS or personal number or even nicknames for "nickname type apps" and a funky searchhelp to the unique technical key behind it.

Much like TADIR hashes, one could then also have an application identity without a login capable technical key in the system and still be done things to or even do some simple things which are not directly authority-check relevant. But application specific concepts could still work with the user and without some address data being maintained, the application would simply not be available either.

But without that and the given state, the easiest is IMO 1st character of first name and then family name and truncate with a numerical counter at the end until you reach users MSMITH reaches 999999999999 in the same system.

For non-SAPGui users in application specific scenarios (eg. SAML for webservices) where they do not even need to know their technical kernel side USR02 user ID name, I know some customers who already use number ranges with a prefix as identifier for business partner accounts - much the same as described above.

Cheers,

Julius

0 Kudos

Hi Martin

That's the trade off

Yes, I'm speaking from experience (got berated by an end user when she wanted her User Id changed due to a name change).

I do wish SAP would do one simple enhancement on change documents fields (e.g. FB03 display changes) to include a button which would show the Address Tab (at least name) so users knew whose account it is.

Another improvement would be if SAP could introduce a new field - UserName (leave Alias alone as clients have other usage) which is the label and use for logon screen. Therefore, UserId can remain a random number or whatever and the Username can be changed without impact to change documents, etc. Anyone able to ask the S4HANA developers to consider this?

As much as I try not to use name as part of the User Id, it's usually one of the options I will put to a client. In a lot of cases, I'll try to match their network User Id to make it easier. But then if network admins change the Id I have a problem.

User Id naming conventions need to consider:

  • how to Achieve uniqueness
  • Is the Id permanent
    • my point before - can you edit and change the user name or do you need to recreate the account
    • in some systems (e.g. ABAP) you cannot change the Id without reissuing an account
    • in other systems (like SuccessFactors) you can change the username but the Userid remains the same
  • Field Length (ABAP system is limited to 12 characters)
    • Email address as a User Id is out for ABAP systems but could be acceptable for others
  • Special characters and character sets
    • any characters that should not be used in the system
    • impacts to extraction & analysis of data (if a comma is in a user id and you have a CSV file - just an example to illustrate a point and not something I would do)
    • wildcard searching (grrr to SAP deciding to have a user name SAP*)
  • System Landscape
    • what are the different User Id rules across the system
    • how do you link the User Ids to a central identity (two systems could have different Ids for the same person)
  • Searching and lookup
    • how easy it will be to find a person
    • example if you have 25k or more users and the surname SMITH. The standard search screens can be a bit frustrating to find your user
    • sorting of users and analysis for reports
  • how the account is going to be created
    • do you have an Identity Management solution
    • Is it manually created by admin
    • do you have custom program or 3rd party solution which will derive the Id
  • company policy and procedures
    • these could be used to dictate User Id conventions or need to be written as a result of the design
    • example - if you use name as a part of the Id then you need a policy or procedure for name change. Do you update the User Address Data only or do you reissue the account? If you reissue the User Id, how do you maintain a record of two accounts really belonging to the same person, etc.

There's probably a lot more to consider but this was just on top of my mind. If people see value, I could develop this into a blog for the community (won't waste my time if this is seen as common sense)

Regards

Colleen

mvoros
Active Contributor
0 Kudos

Julius von dem Bussche wrote:

But without that and the given state, the easiest is IMO 1st character of first name and then family name and truncate with a numerical counter at the end until you reach users MSMITH reaches 999999999999 in the same system.

Here you assume that user has a family name. This is not true in some countries 😉

Cheers

Former Member
0 Kudos

If there only is a first name, then you have to put it into family name as that is mandatory.

Like BAPI_USER_CREATE1 does when family name is initial, then it transfers bname to family name -> sensible bname user ID based on first name achieves the same.

Women who get married (or divorced) and change their family name when not initial are admittedly the bigger problem.

One customer of mine has:

family name (2), first name (1), integer as identifier for org group (2) and location (3). That works quite well as the first 3 are a good hint but no reason to change the name, integer can change if you change your job function from IT to business etc, and location is where you first started in the global organisation. So identifier and source location is fixed, only job can potentially change significantly.

For larger organizations I can recommend this as a variant option as well.

But under let's say 10k users you are normally fine with first name last name IMO.

Cheers,

Julius
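
The rules discussed across this thread (12-character maximum, the requested 8-character minimum, no spaces or special characters, first initial plus family name with a numeric counter on collision, first name alone when there is no family name), sketched as a check an identity feed could run before provisioning. This is an added example, not code from any poster or from SAP; the function names, the A-Z/0-9 character set, uppercase folding and zero-padding of short names are assumptions.

```python
import re
import unicodedata

MAX_LEN = 12  # ABAP user name limit stated in the thread
MIN_LEN = 8   # minimum requested in the thread (local policy, assumption)
ALLOWED = re.compile(r"[A-Z0-9]+")  # assumed charset: no spaces, no '*', no ','


def check_user_id(user_id):
    """Return the list of violated rules; an empty list means acceptable."""
    problems = []
    if not MIN_LEN <= len(user_id) <= MAX_LEN:
        problems.append("length")
    if not ALLOWED.fullmatch(user_id):
        problems.append("charset")
    return problems


def _normalise(part):
    # Fold accents (e.g. n-tilde -> n), uppercase, drop anything outside A-Z0-9.
    folded = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^A-Z0-9]", "", folded.upper())


def propose_user_id(first_name, family_name, taken):
    """Derive an ID as initial + family name, resolving collisions with a counter.

    `taken` is the set of IDs that were ever issued, so that an ID is never
    reassigned to a different person (the lifetime-ID idea from the thread).
    """
    first, family = _normalise(first_name), _normalise(family_name)
    # No family name: fall back to the first name as the whole base.
    base = (first[:1] + family) if family else first
    if not base:
        raise ValueError("name contains no usable characters")
    candidate, counter = base[:MAX_LEN], 0
    while candidate in taken or check_user_id(candidate):
        counter += 1
        suffix = str(counter)
        # Zero-pad the counter when the base alone is below the minimum length.
        suffix = suffix.zfill(max(len(suffix), MIN_LEN - len(base)))
        if len(suffix) >= MAX_LEN:
            raise RuntimeError("counter space exhausted for " + base)
        # Truncate the name part so the counter always fits in MAX_LEN.
        candidate = base[:MAX_LEN - len(suffix)] + suffix
    return candidate
```
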