Permalink: support.sap.com/user-admin-concept

About the User, Authorization and Administrator Concept

To review critical company data or access the support applications in the SAP for Me portal, visitors need a user ID, commonly named "S-user", and, in most cases, special permissions. For new customers, SAP creates the first user ID and assigns it the highest level of authorization, which makes it a so-called "super administrator" or, in case of an SAP cloud customer, a "cloud administrator".

After this initial stage, for security reasons SAP is not entitled to create or administer additional S-users for customers.

Apart from very few exceptions — outlined in this document —, SAP customers maintain their user data and authorizations themselves:

Related topics

Important

Never share your S-user ID and password with others, not even colleagues in your team or company!

First, owners of an S-user ID can also use it to join discussions or publish blogs in the SAP Community, to download product documentation from the SAP Help Portal or buy software in the SAP Store — all under your name.

Second, if a person you shared your S-user ID with leaves the company, this can cause serious security issues.

Sharing an S-user ID with parties outside your company without SAP's prior written consent constitutes a breach of the Terms of Use for SAP for Me.

Good to know

An S-user ID is always assigned to exactly one of your customer numbers. It cannot be reassigned to another one.

This has got implications for value contract customers where multiple customer numbers are organized in a Customer Center of Expertise (Customer CoE), see below.

Authorization concept

Authorization management deals with permissions that are required to fulfill certain tasks using the applications that are offered in SAP for Me, for instance, create cases, download software, or pay invoices. Most authorizations contain not only the user's right to perform a specific task, but also the level at which the user can exercise this right.

Example: A user may be allowed to create cases for one particular SAP product that your company has licensed (represented by a so-called "installation"), but not for others.

The following table provides an overview on which levels the individual authorizations can be assigned:

AuthorizationUsers with this authorization can...CommentCan be granted on level ...
Case ManagementCase ManagementCase ManagementCase Management
Display CasesSearch for and display cases that were created for systems under the specified authorization level. Customer CoE (1)

Installation
Display all CasesSearch for and display all of their company's cases. Global (2)
Report a Technical IssueCreate cases for systems under the specified authorization level.Sending new cases to SAP requires the Send Cases to SAP authorization.Customer CoE
Installation
Report a Technical IssueResend their own case to SAP if it had been sent to SAP before, and SAP had come back with inquiries.In this case, the Send Cases to SAP authorization is not required.Customer CoE
Installation
Report a Technical IssueSearch for and display all of their company's cases. Customer CoE
Installation
Send Cases to SAPCreate cases for systems under the specified authorization level. Customer CoE
Installation
Send Cases to SAPSend cases that were created for systems under the specified authorization level to SAP.If a case had already been sent to SAP and comes back for further inquiries, all the reporter needs is the Report a Technical Issue authorization to resend this case to SAP.Customer CoE
Installation
Send Cases to SAPSearch for and display all of their company's cases. Customer CoE
Installation
Send Cases to SAPEdit cases for systems under the specified authorization level. Customer CoE
Installation
Close CasesConfirm the solution provided by SAP for cases that had been reported for systems under the specified authorization level. Customer CoE
Installation
Close CasesSearch for and display all of their company's cases. Customer CoE
Installation
Installation and System ManagementInstallation and System ManagementInstallation and System ManagementInstallation and System Management
Manage InstallationsRequest technical installations without interacting with the SAP contracts department. Customer CoE
Manage InstallationsChange name and country information for technical installations. Customer CoE
Manage InstallationsDelete technical installations. Customer CoE
Request License KeysRequest license keys, i.e. activate software for new systems.If software is used outside the scope of the license, additional costs may arise for the company. However, requesting a license key is not associated with such a risk. Only if a license key is installed in a system, there can potentially be a violation of your license agreement.Customer CoE
Installation
Request License KeysAdd additional license keys to existing systems.If software is used outside the scope of the license, additional costs may arise for the company. However, requesting a license key is not associated with such a risk. Only if a license key is installed in a system, there can potentially be a violation of your license agreement.Customer CoE
Installation
Request License KeysRequest license keys for systems with changed hardware platforms.If software is used outside the scope of the license, additional costs may arise for the company. However, requesting a license key is not associated with such a risk. Only if a license key is installed in a system, there can potentially be a violation of your license agreement.Customer CoE
Installation
Request License KeysIn combination with the Edit System Data authorization: Reactivate deleted systems and associated license keys. Customer CoE
Installation
Request License KeysRenew maintenance certificates Customer CoE
Installation
Display System DataDisplay system details like product or server information.No authorization is required to see high-level system data, e.g. name, type, associated installation.Customer CoE
Installation
Display System DataAccess cloud service availability information. Customer CoE
Installation
Edit System DataChange system data, for instance system name, type, usage, product version.Changing the system type can have implications on the result of system measurements.Customer CoE
Installation
Edit System DataReassign systems to another installation. Customer CoE
Installation
Edit System DataDelete systems. Customer CoE
Installation
Edit System DataIn combination with the Request License Keys authorization: Reactivate deleted systems (including associated license keys). Customer CoE
Installation
Edit System DataFlag systems as EU data protection-relevant (through activating "EU Access Service from SAP"), thus preventing SAP from delivering services from SAP subsidiaries outside the European Union. Customer CoE
Installation
Edit System DataRemove this "EU access only" limitation.This can potentially affect the customer's data protection requirements.Customer CoE
Installation
Register Object KeysRequest object keys for installations under the specified authorization level.Object keys are required if a developer wants to change SAP sources or dictionary objects in a system under a particular installation.Customer CoE
Installation
Register Object KeysDisplay all object keys for installations under the specified authorization level. Customer CoE
Installation
Register Object KeysReassign these object keys to a different installation. Customer CoE
Installation
Register Object KeysDelete object keys for installations under the specified authorization level. Customer CoE
Installation
Register Object and Developer KeysRequest, display, reassign, and delete object keys (see Register Object Keys) for installations under the specified authorization level. Customer CoE
Installation
Register Object and Developer KeysRequest developer keys for installations under the specified authorization level.Developer keys characterize particular users as developers and allow them to change SAP sources or dictionary objects in systems under a particular installation.Customer CoE
Installation
Register Object and Developer KeysDisplay all developer keys for installations under the specified authorization level. Customer CoE
Installation
Register Object and Developer KeysReassign these developer keys to a different installation. Customer CoE
Installation
Register Object and Developer KeysDelete developer keys for installations under the specified authorization level. Customer CoE
Installation
Reserve NamespacesRequest a development namespace from SAP for company-specific developments. Customer CoE
Installation
Deactivate Remote Access RestrictionsRemove the "EU access only" limitation temporarily (for instance in emergencies): Allow SAP to access systems remotely from non-EU subsidiaries.When granting this authorization, keep in mind your company's data protection requirements. To remove the "EU access only" limitation permanently — and to set it in the first place —, the Edit System Data authorization is required.Customer CoE
Installation
Manage Shared Hardware & Cloud MeasurementsAccess measurements that have been performed with the SAP HANA hardware and cloud management tools and shared by other users of their company. For more information, see the SAP HANA Hardware and Cloud Management Tools guide available on SAP Help Portal. Global
Remote SupportRemote SupportRemote SupportRemote Support
Edit my Login DataStore login data in the Customer Remote Logon Depot application. Share login credentials and details with authorized SAP support experts to grant them access to systems remotely. Global
Edit my Login DataDisplay, change and delete logon data that they had specified themselves.Users with this authorization can see if passwords have been stored by others, however they are obscured.Global
Edit my Login DataMaintain SAProuter passwords Global
Edit all Login DataStore login data in the Customer Remote Logon Depot application. Share login credentials and details with authorized SAP support experts to enable them access to systems remotely. Global
Edit all Login DataDisplay, change, and delete all logon data — including passwords —, even those specified by others. Global
Open Remote ConnectionsOpen service connections allowing SAP service staff to access the customer's system. Customer CoE
Installation
User ManagementUser ManagementUser ManagementUser Management
Edit User DataCreate user IDs.  
Edit User DataMaintain basic user data, e.g. contact details.Users with this authorization cannot change or reset another user's password.Customer CoE
Edit User DataAssign users to departments. Customer CoE
Edit User DataDelete user IDs. Customer CoE
Edit User DataRun authorization reports. Customer CoE
Edit AuthorizationsGrant or revoke permissions for SAP support applications, either for individual users or through mass updates. Customer CoE
User
Edit AuthorizationsDefine and apply authorization packages. Customer CoE
User
Security Contact

Receive urgent security notification e-mails from SAP.

 

These notifications are different from the ones that are sent out by the SAP for Me portal and that any user can opt-in to.Global
Security ContactView SAP Security Notes in the Notes Recommendation feature of the Maintenance Planner. Global
Software DownloadSoftware DownloadSoftware DownloadSoftware Download
Software DownloadDownload SAP software from the SAP Software Download Center through the Download Basket. Global
ReportsReportsReportsReports
Service Reports and Feedback

Access service messages and service reports, including the following apps:

  • SAP EarlyWatch Alert Reports
  • SAP EarlyWatch Alert Workspace
  • SAP EarlyWatch Alert Dashboard
  • SAP EarlyWatch Alert Solution Finder
  • Custom Code Analytics
  • Data Volume Management
  • Financial Data Quality
  • Guided Service Preparation for Remote Service Delivery
  • Service Messages
  • Technical Downtime Optimization
 Customer CoE
Service Reports and FeedbackShare feedback about the delivered service with SAP. Customer CoE
Display Security Alerts in SAP EarlyWatch Alert WorkspaceEnable access to security-related content in the SAP EarlyWatch Alert Workspace. This includes access of the card Security Status, and to display alerts of the category Security in the SAP EarlyWatch Alert Solution Finder. Global
My Support Program ReportRequest SAP Enterprise Support reports (ESR). Customer CoE
My Support Program ReportAccess SAP Enterprise Support reports (ESR). Customer CoE
Support Desk EvaluationGain insight into the fulfillment rate of cases forwarded to SAP.This is in particular relevant for customers who have set up a Customer Center of Expertise (Customer CoE) or intend to do so.Global
Display Support Situation Reporting
Controls access to the Reporting dashboard on the SAP for Me portal, an interactive, integrated and comprehensive overview of support statistics for your SAP solutions. Customer CoE
Installation
Manage Alert(s) in SAP EarlyWatch Alert for all S-users
Lets users edit the alert visibility in the SAP EarlyWatch Alert Workspace system-wide for all users. This includes activation of the Hide Alert and Snooze Alert buttons in the SAP EarlyWatch Alert Solution Finder.
 Global
Display SAP Readiness Check AnalysisLets users of the SAP Readiness Check application get insights into analysis summaries. Customer CoE
Manage SAP Readiness Check AnalysisAllows users to start a new, or read, update, delete, and share the content of an existing analysis in the SAP Readiness Check application. Customer CoE
SSL CertificateSSL CertificateSSL CertificateSSL Certificate
SSL Certificate Administrator (Ordering and Renewing)Order SSL server certificates for secure and confidential data transmission.Ordering SSL server certificates incurs a small fee.Global
SAP Cloud ProductsSAP Cloud ProductsSAP Cloud ProductsSAP Cloud Products
Display Cloud DataDisplay/enable cloud data for SAP cloud products. Installation
Edit Cloud DataTrigger cloud provisioning self-service for an entitlement product in the SAP for Me portal. Customer CoE
Installation
Display Service RequestDisplay all service requests for cloud products, non-billable and billable. Customer CoE
Installation
Create Service RequestDisplay all service requests for cloud products, non-billable and billable, and create non-billable ones. Customer CoE
Installation
Create Billable Service RequestDisplay and create all service requests for cloud products, non-billable and billable. Customer CoE
Installation
PartnerPartnerPartnerPartner
Request License Keys (Partner)Request license keys for their customers, i.e. activate software for their customers' new or changed systems. Global
Customer Incident Management (Partner)Manage incidents (cases) for customer installations managed by the VAR-delivered support partner (VAR-d partner). Global
Service Reports (Partner)View EarlyWatch Alert (EWA) reports for customers of SAP PartnerEdge Sell partners who provide VAR-delivered (VAR-d) support. Global
Service Reports (Partner)

Access service messages and service reports, including the following apps:

  • SAP EarlyWatch Alert Reports
  • SAP EarlyWatch Alert Workspace
  • SAP EarlyWatch Alert Dashboard
  • SAP EarlyWatch Alert Solution Finder
  • Custom Code Analytics
  • Data Volume Management
  • Financial Data Quality
  • Guided Service Preparation for Remote Service Delivery
  • Service Messages
  • Technical Downtime Optimization
 Global
Service Reports (Partner)Share feedback about the delivered service with SAP. Global
Partner Employee - Basic Access to SAP for MeAccess the Partner space in the SAP for Me portal. Global
Partner User - Display Sales InformationDisplay sales information in the SAP for Me portal. Global
Partner - Access to SAP for Me Marketing and Funds CardsSecures the Partner Administration card in the SAP for Me portal. Global
Partner - Access to SAP for Me Order Management CardsControls access to partner order cards in the SAP for Me portal. Global
Partner - Access to SAP for Me Consulting & Development CardsSecures the Partner Administration card in the SAP for Me portal. Global
Partner User - Access to the Partner Business Planning CardGives access to the Partner Business Planning card in SAP For Me. Global
Partner - Access to SAP for Me eSigner CardsControls access to eSigner cards in the SAP for Me portal. Global
SAP for Me PortalSAP for Me PortalSAP for Me PortalSAP for Me Portal
Edit Contact-Role Assignment in SAP for MeEnables visitors of the SAP for Me portal to change the names of contacts that are listed as holders of product-related roles in orders, for instance Enablement Contact or Security Contact. Note that this authorization does not entitle the user to edit the critical roles Main Contact, Technical Contact, or Financial Contact. Customer CoE
Installation
Edit Main, Technical or Financial Contact Person in SAP for MeEnables visitors of the SAP for Me portal to change all contacts that are listed in orders, including the more sensitive information about Main ContactTechnical Contact, or Financial Contact.Lets users also edit names of contacts that are listed as holders of product-related roles in orders (see Edit Contact-Role Assignment in SAP for Me).Customer CoE
Installation
Display Order Information in SAP for MeControls access to information about your company's cloud product orders. Customer CoE
Installation
Manage Invoices and PaymentsEnables users to view and pay invoices in the SAP for Me Finance & Legal dashboard Customer CoE
Purchase LicensesAllows the user to renew existing or buy new licenses in the SAP Store via the SAP for Me portal. Customer CoE
Access License Utilization for OnPremControls access to entitlement and consumption information for on-premise solutions in the SAP for Me portal. Customer CoE
Access License Utilization for CloudControls access to entitlement and consumption information for cloud solutions in the SAP for Me portal. Customer CoE
Installation
Access License Utilization for Private CloudControls access to entitlement and consumption information for private cloud solutions in the SAP for Me portal. Customer CoE
Manage cloud credits for eligible cloud servicesControls access to the My Enterprise Agreements card on the SAP for Me portal. Customer CoE
Display Company-Wide Learning Status in SAP for MeControls access to company-wide learning adoption status information in the SAP for Me portal. Customer CoE
Installation

(1) The level Global is the highest level possible for your company — Customer CoE for value contract customers, Customer or Installation in other cases —, but without the option to administer authorizations on a granular sub-level.

(2) The level Customer CoE is only relevant for value contract customers with several customer numbers that are grouped together in a Customer Center of Expertise (Customer CoE).

If a new authorization is generated for a use case that did not exist before, SAP assigns it to super or cloud administrators, who can then start distributing the permission within their company.

In combination with the administrator concept, this concept is very flexible and enables customers to match various requirements and hierarchies.

Enter the My Settings section on the SAP for Me portal to check your own authorizations.

Important functions

Selected people in your company — not necessarily having an S-user ID — may hold an important function, often serving as point of contact for SAP concerning a particular topic. Some functions are maintained by SAP. Other functions are maintained (via authorizations) by the customer.

List of important functions

All people holding an important function in your company are listed on the Users & Contacts dashboard. Please ensure that the correct persons are maintained for each function. In the following overview you will find more details on the available functions:

  • Super administrator:
    This user has all authorizations assigned at the highest possible level. Especially the first user of a new customer, generated by the SAP contracts department, is a super administrator who can then start creating additional user IDs.
  • Cloud administrator:
    This role applies to customers who have licensed an SAP cloud product.

    Cloud administrators are the initial users created by SAP. They receive all authorizations that are required to fulfill SAP cloud-related tasks on SAP for Me. Where the customer is licensed for cloud products only, the cloud administrator will be responsible for all S-user management, including assignment and removal of authorizations to other users.

    Please note: Cloud administrators have authorizations specific to certain cloud installations. As a result, they can only assign authorizations according to these installations.
  • User administrator:
    User administrators also have the ability to assign or remove authorizations, based on their own authorization profile. They have at least Edit Authorizations and Edit User Data authorizations.
  • Security contact:
    SAP will address urgent security topics to the named security contacts in your company. By assigning the Security Contact authorization, a user receives these notifications by e-mail.

    It is recommended that you only assign this authorization to users who must receive urgent security notifications, due to the sensitivity of such notifications. You can change contact persons in this area yourself by removing the Security Contact authorization from one S-user and assigning it to another user instead.
  • Software recipient:
    Software recipients receive physical software deliveries for one or more installations.

    This function is maintained at an installation level. The contact for this function is initially defined by customers during an installation call-off, and can be changed by SAP upon request.

    There can only be one recipient of software deliveries for each installation. In case the listed contact is not correct and should be removed, you need to specify another contact person for this function.
  • Technical contact person of an installation:
    A contact with this function is the main recipient of service summaries (about services like SAP EarlyWatch Alert or SAP Going Live Check) if in the service order no contact person has been specified.
  • Center of Expertise Contact:
    For value contract customers where multiple customer numbers are grouped in a Customer Center of Expertise using the corporate function concept, these are SAP's contacts at your Customer CoE. They are initially defined during an audit, and are maintained by SAP per customer number. One or more contacts can be named.
  • Development activities contact:
    To provide customers with up-to-date information regarding SAP development activities, a named customer contact person is needed for SAP. The listed contacts are initially defined during the Customer CoE audit, and are maintained by SAP per customer number. One or more contacts can be named. The Customer CoE ensures that his contact data (name, e-mail-address and postal address) is provided to SAP. The Customer CoE auditor updates the data appropriately.
  • License audit contact:
    This is SAP's contact regarding license auditing. If applicable, a user holding this function will receive the invitation to system measurements. He is initially named by the customer (e.g. to the SAP sales representative), and maintained by SAP per customer number. A maximum of one contact (per customer number) can be named.
  • Partner contact:
    If a customer is also an active SAP partner, their users can hold additional permissions and roles specifically related to partner business applications such as the SAP PartnerEdge portal, SAP Learning Hub, SAP PartnerEdge Launchpad. These permissions are assigned by the company's Partner User Administrator in the Manage My Users application, which is dedicated to user management specifically related to partner business applications. Users can also request additional permissions themselves. More information can be found in SAP Note 1848439.

Contacts maintained by SAP can be changed upon request: If a particular function shall be transferred to somebody else, create a case using component XX-SER-FORME and nominate a contact person who is to assume the function of its previous owner.

For some of the functions, at least one contact person per installation or customer number needs to be defined. Therefore, you can only delete S-user IDs who have these functions assigned if the function is first assigned to another contact person. You can find these functions in the overview table below.

FunctionIs an S-user ID required?Who maintains the functions?How are the functions maintained?Can S-user ID be deleted without assigning the function to another contact?
Super administratorYes

Customer

(SAP only provides the first super administrator per customer number/ Customer CoE)

Super administrator grants user all authorizations on customer or Customer CoE levelYes, but at least one super administrator needs to be available per customer number/Customer CoE
Cloud administratorYes

Customer

(SAP only provides the first cloud administrator per installation)

Cloud administrator grants user all cloud-related authorizations for an installationYes, as long as at least one cloud administrator is available for the installation
User administratorYesCustomerUser administrator grants user the authorizations Edit User Data and Edit Authorizations Yes
Security contactYesCustomerUser administrator grants user the authorization Security Contact Yes
Software recipientYesSAPInitially defined by customers during an installation call-off. Super administrators can request changes by creating a case under component XX-SER-FORME.No
Technical contact person of an installationYesSAPSuper administrators can request changes by creating a case under component XX-SER-FORME.No
Center of Expertise ContactNoSAPInitially defined during an audit. Super administrators can request changes by creating a case under component XX-SER-FORME.Yes
Development activities contactNoSAPInitially defined during the Customer CoE audit. Super administrators can request changes by creating a case under component XX-SER-FORME.Yes
License audit contactNoSAPInitially a maximum of one contact per customer number is named by the customer. Super administrators can request changes by creating a case under component XX-SER-LAS.Yes
Partner contactYes

Customer

(Partner Security Manager)

Defined by Partner Security ManagerNo, unless the partner company has lost it's partner status. Please refer to KBA 1848439 - How to maintain the Partner Contact (PRM) role for S-user ID.

You can check your own important functions in the SAP for Me portal's My Settings section.

Administrator concept

Administrators are S-users who have got the authorization to administer other users. They can request any number of S-user IDs and maintain their authorizations.

Note

Administrators can only assign those authorizations that they have been granted themselves.

Therefore, administrators are usually assigned all or almost all authorizations. However, a customer can also define administrators who only have a few authorizations, just sufficient to administer users. Depending on the set of authorizations an administrator has, SAP distinguishes between the following administrators:

Super administrators

Super administrators have all authorizations for all applications in the SAP for Me portal at the highest possible level, i.e. usually for all installations under the customer number (and in case of a Customer Center or Expertise for all customer numbers under the Customer CoE). Note that this also comprises all support authorizations that normally only an SAP partner would require.

SAP creates the first S-user ID for new customers and assigns this user the highest level of authorization. If, in exceptional cases, this ID is generated before the contract is posted, it only receives restricted rights since no valid installation is yet available. As soon as the first installation has been created by the contracts department, the missing authorizations are automatically added by SAP. In case the super administrator does not have full authorization, create a case using the XX-SER-FORME component and request the assignment of the missing authorizations.

SAP recommends that you create at least two additional super administrators who can support you or substitute for you if needed.

If a super administrator leaves the company, and there is no second super administrator who could delete his S-user ID, create a case using the XX-SER-FORME component and specify the user ID of the employee who should be super administrator for your company.

Tasks of a super administrator

Super administrators especially have user administrators' permissions. Hence they share a user administrator's tasks. In addition, the super administrator is typically responsible for requesting license keys for new systems and for system data maintenance. Of course this can also be done by a local administrator who is responsible for specific installations.

Defining further administrators

SAP recommends that you create at least two additional super administrators who can support you or substitute for you if needed.

In addition, you can define local user administrators or local system administrators:

A local user administrator requires at least the Edit Authorizations and Edit User Data authorizations on the authorization level on which he is supposed to act (e.g. a particular customer number).

A local system administrator needs the Edit System Data and Request License Keys authorizations on the respective authorization level (e.g. to maintain system data for a particular installation).

Requesting license keys

Each new SAP system requires a permanent license key four weeks after it has been installed. You can request this key in the License Key application. All systems for which you have obtained permanent license keys are listed under the Systems tab of the Systems & Provisioning dashboard in SAP for Me and other system-based support applications, e.g., case management.

Maintaining system data

System detail pages entered from the Systems & Provisioning dashboard in SAP for Me enable you to centrally review and maintain data about your system landscape: installed product version, hardware or license information for your systems. The data is integrated into numerous system-based support applications: For example, you can carry out a system-based search that only retrieves results that are relevant for the selected system. Furthermore, detailed knowledge of your system data enables SAP to provide a faster solution for reported problems.

Cloud administrators

This role applies to customers who have licensed an SAP cloud product.

Cloud administrators are the initial users created by SAP. They receive all authorizations that are required to fulfill SAP cloud-related tasks on the SAP for Me portal. Where the customer is licensed for cloud products only, the cloud administrator will be responsible for all S-user management, including assignment and removal of authorizations to other users. Cloud administrators can also invite service partner S-users to interact with SAP Product Support on behalf of the customer. More ...

Please note: Cloud administrators have authorizations specific to certain cloud Installations. As a result, they can only assign authorizations according to these installations.

The following table outlines which authorizations have to be assigned (and on which level) to make a cloud user a cloud administrator:

AuthorizationLevel
Display Cloud DataCloud installation number
User Management
Edit User DataCustomer
Edit AuthorizationsCustomer
Case Management
Report a Technical IssueCloud installation number
Send Cases to SAPCloud installation number
Display CasesCloud installation number
Display all CasesGlobal
Close CasesCloud installation number
Software Download
Software DownloadGlobal
SAP Enterprise Cloud Services (ECS) Products
Display Service RequestCloud installation number
Create Service RequestCloud installation number
Create Billable Service RequestCloud installation number
SAP for Me Portal
Display Order Information in SAP for MeCloud installation number
Manage Invoices and PaymentsCloud installation number
Purchase LicensesCloud installation number
Access License Utilization for CloudCloud installation number
Edit Cloud DataCloud installation number
Edit Contact-Role Assignment in SAP for MeCloud installation number
Edit Main, Technical or Financial Contact Person in SAP for MeCloud installation number
Other authorizations
Display System DataCloud installation number
Edit my Login DataGlobal
Display SAP Enterprise Support Reporting CockpitCloud installation number

SAP recommends that you create at least two additional cloud administrators who can support you or substitute for you if needed. Only cloud administrators can assign/remove all authorizations from other users, since they have all authorizations assigned at the highest possible authorization level.

Important

As a cloud administrator for an SAP SuccessFactors solution, make sure to give other cloud users at least the authorization Display Cloud Data in addition to other chosen authorizations.

This will ensure that on top of regular case management applications they also get access to tools that are SAP SuccessFactors-specific. 

A cloud administrator cannot administer himself. A change to their authorizations can only be made by another cloud administrator in the company.

A cloud administrator's S-user ID can only be deleted if at least one additional cloud administrator remains available for the installation.

Service Partner Users

This feature is available to all cloud administrators except for SAP Concur solutions.

Through the Manage Service Partner Users application, cloud administrators can invite service partner S-users and authorize them to interact with SAP Product Support. These Service Partner S-users are then enabled to create and process cases on behalf of the customer.

More...

User administrators

User administrators are users who have the authorization to grant all authorizations that they have themselves to other users or revoke them. They are responsible for creating and administering S-user IDs.

Tasks of a user administrator
Assigning or removing authorizations of S-user IDs

As a user administrator, check the authorization level of your S-users and adapt it to your needs. To do so, use the User Management application. To get an overview of your users' authorizations you can use the Reports & Updates section.

Note

User administrators cannot maintain their own authorizations; this can only be done by another user administrator in the company.

The easiest way to maintain authorizations is to use the Copy User's Authorizations function to copy the authorizations of an S-user to one or several other ones. This feature can only be used by super or cloud administrators.

If you want to assign several S-users the same authorizations at the same time, you can also use the Mass Updates of Authorizations feature.

Creating new S-user IDs

Using the User Management application, you can request S-user IDs for your colleagues and assign them the required authorizations. The new user will receive an e-mail with an activation link, which is valid for 10 days. Once the S-user ID has been generated, the user is removed from the Requested Users list and displayed under the Users tab instead.

Note that for security reasons SAP is not entitled to create or administer S-users for customers.

Deleting S-user IDs

When a user no longer works for your company or does not need access to SAP support applications any more, you are responsible for deleting his S-user ID to prevent unauthorized access.

Users can be deleted in the User Management application. They are then listed in the Deleted Users section of this application for twelve months and cannot be reactivated (see KBA 1811859).

Users with special functions (such as software recipient for the installation) cannot be deleted. This is only possible once SAP has transferred the function to somebody else. To do this, create a case using component XX-SER-FORME and nominate a contact person who is to assume the function of the user to be deleted. It is, of course, also possible to request such a change without deleting a user ID.

When a user ID is deleted, related objects are not affected:

Additional information for Customer Centers of Expertise (Customer CoE)
using the corporate function concept

For value contract customers, multiple customer numbers (often representing different subsidiaries of a corporate group) can be bundled in a so-called "Customer Center of Expertise" (Customer CoE). From a technical perspective, customer numbers for the corporate group are assigned to an existing parent company customer number.

Note

This concept is not intended for use by partners and their end customers.

The Customer CoE concept enables users with the corresponding authorization to execute all functions (for example, create cases, request license keys, and perform central user management) for all customer numbers and all installations of the corporate group with one S-user ID.

An exception to this is the software download application: A user can only access software that is licensed under his user ID's customer number, not software for the whole Customer CoE (unless in the user's company a technical installation refers to the Customer CoE's parent company — for more information, consult your account manager or contracts department).

When grouping together customer numbers using the Customer CoE concept, you have to nominate a super administrator who then receives maximum authorization from SAP. You request that authorization be assigned to the super administrator at the same time as requesting activation of the respective customer numbers from SAP by creating a case under component XX-SER-SAPSMP-COE.

For more information about the Customer CoE concept, see SAP Knowledge Base Article 2632518 - Information about the SAP Corporate Group (CCC) function.

Different types of "S-users"

In a nutshell

  • S-user IDs are typically associated with a "natural person". Customers request them via the User Management application. For new customers, they are generated by SAP.
  • Technical S-user IDs are S-user IDs that can be used by a person to enter an SAP website, but which in addition (or even exclusively) are used for technical purposes, for system-to-system connections between your landscape and the SAP Support backbone.

    SAP strongly recommends to refrain from doing so!
  • Technical communication users are exclusively used for technical purposes. Though these IDs also begin with an "S", their administration is different.

    It is technically impossible to access SAP websites, e.g. the SAP for Me portal, SAP Community or SAP Store, with a technical communication user.

Detailed explanation

S-user IDs are requested by customers via the User Management application or, for new customers, created by SAP. Typically this is done for a natural person.

In the past, however, such S-user IDs were not only used by people to visit an SAP portal (SAP for Me, SAP Community, SAP Store etc.), but also for technical processes, for instance:

  • Connecting the customer's SAP Solution Manager to the SAP Support backbone systems;
  • Automated import of corrections contained in an SAP Note into a customer system through the Note Assistant, transaction SNOTE, performed by a "system user" with the respective authorization;
  • Download of software through the SAP Download Manager, a stand-alone tool that lets you download multiple files at once or at a later point in time (scheduled downloads);
  • Semi-automatic opening of a service connection through the Service Line Opener Program.

Some of these technical connections still use old RFC technology or basic authentication for direct logon to SAP Support backbone systems. S-user IDs that are used either

  • exclusively for such technical processes or
  • in a "hybrid" manner (both for portal access through a person as well as in technical scenarios),

are called "technical S-user IDs".

Technical communication users, on the other hand, are exclusively used for technical purposes, for system-to-system connections between your landscape and the SAP Support backbone. Though they also begin with an "S", their administration is different. And it is technically impossible to access SAP websites, e.g. the SAP for Me portal, SAP Community or SAP Store, with a technical communication user.

For scenarios of system-to-system connections where both, technical S-user ID and technical communication user, can be used, SAP recommends that you use technical communication users rather than, as in the past, "proper" S-user IDs that were intended for use by natural persons. In the near future, SAP will prevent direct access to the legacy support backbone system (OSS) and its successor via legacy RFC technology and switch to modern alternatives instead. However, due to the many customer systems that have not yet been converted, for a transition period SAP will continue to tolerate access to its support backbone systems through technical S-user IDs.

Already today, and depending on the release of your system, many scenarios no longer support technical S-user IDs. In these cases, please use (modern) technical communication users instead.

SAP Knowledge Base Article 2668288 outlines the differences between personalized S-user IDs and technical communication users.