S-User Lifetime

SAP is introducing the S-user lifetime process for all S-user IDs.

To help protect your sensitive company information and ensure GDPR compliance, SAP is assisting customers and partners in their responsibility of user administration by assigning an expiry date to all S-users, starting June 2nd, 2020.

Read the S-user lifetime one-pager for more information.

S-User Lifetime Process

New S-users

  • With S-user lifetime, S-user IDs now have an "expiry date." This means all new users will have a default validity period of 24 months.
  • When requesting a new S-user ID, there is a mandatory field to enter an expiry date (max 24 months).
  • For short-term resources such as contractors or interns, administrators will have the ability to set a shorter expiration date as needed.
  • After creation, you can adjust the expiry date as required at any time (reduce to min 1 day, extend to max 60 months).

Existing S-users

  • All existing S-users (excluding super, cloud, or user administrators, Security Managers and technical communication users) will have an S-user lifetime applied to their IDs.
  • Depending on which date is furthest away, the expiration of the S-user ID will be:
    • Two years from S-user ID creation
    • Two years from the last login
    • October 20, 2020
  • You may extend an existing user for the required length of time (min 1 day, max 60 months).

Expiring S-user IDs

  • Three months before the expiration of an S-user ID, the respective administrator will be notified. There is no impact to the S-user at the time of these notifications.
  • S-users will be notified via email three times at 30 days, 14 days, and 2 days before their S-user ID expires.
  • Administrators may choose to extend the S-user lifetime of each user or allow them to expire. Note: administrators should only extend S-users that are required to continue transacting on behalf of the company.
     

Expired S-user IDs

  • For 90 days after the expiry date passes, the S-user ID will be disabled (please note that the S-user ID will not be deleted yet).
  • The S-user will be unable to authenticate into SAP platforms and systems.
  • Administrators can see this in the user management tools.
  • Administrators can reactivate the S-user ID up until the S-user ID is deleted.

Deleted S-user IDs

  • 90 days after the S-user ID has expired, it will be deleted.
  • Administrators can view deleted S-user IDs for 12 months; however, the S-user ID will be unable to be reactivated. 
  • If the deleted S-user requires access to SAP systems again, the administrator will have to create a new S-user ID for that individual (the deleted S-user ID will no longer exist). 
  • Please note: SAP cannot bring this S-user ID back.
  • The deleted S-user's history will also be deleted from the SAP systems permanently.

Notifications

  • Every month, administrators will be notified of all S-user IDs expiring during the upcoming 90 days. They can adjust the expiry date of a user at any time.
  • S-users will be notified 30 days before the ID expires. At any time they may request an extension of their ID's expiry date via a self-service.

Interfaces

  • Administrators can see the expiration date and last login date of the S-user IDs inside of the User Management application for Customers and the Manage My Users application for partners.
  • S-users can also see their ID's expiration date in their User Profile.

FAQs

Frequently asked questions:

All new and existing S-users are in scope except for super, cloud or user administrators, Security Managers, technical communication users and P-users.

Yes, administrators can update the lifetime of a specific user at any point before they expire. If using the mass update functionality, it can only be used for S-users in the expiring or expired status; the expiry date of S-users can only be set to a maximum of 12 months.

Note: Administrators should only extend S-users that are required to continue transacting on behalf of the company.

All administrators (i.e. super, cloud, or user administrators as well as Partner Security Managers) will be notified about the expiring S-user IDs.

Yes, administrators may delete any S-user IDs at any time.

The incident management will not be affected even if the "reporter" has been deleted/expired. All other active users within the company with incident authorization can take over and process the incident.

S-user lifetimes are mandatory for all customers and partners as part of the new user management processes starting June 2nd, 2020.