S-User Lifetime

SAP is introducing the S-user lifetime process for all S-user IDs.

To help protect your sensitive company information and ensure GDPR compliance, SAP is assisting customers and partners in their responsibility of user administration by assigning an expiry date to all S-users, starting June 2nd, 2020.

Read the S-user lifetime one-pager for more information.

S-User Lifetime Process

New S-users

  • With S-user lifetime, S-user IDs now have an "expiry date." This means all new users will have a default validity period of 24 months.
  • When requesting a new S-user ID, there is a mandatory field to enter an expiry date (max 24 months).
  • For short-term resources such as contractors or interns, administrators will have the ability to set a shorter expiration date as needed.
  • After creation, you can adjust the expiry date as required at any time (reduce to min 1 day, extend to max 60 months).

Expiring S-user IDs

  • Three months before the expiration of an S-user ID, the respective administrator will be notified. There is no impact to the S-user at the time of these notifications.
  • S-users will be notified via email three times at 30 days, 14 days, and 2 days before their S-user ID expires.
  • Administrators may choose to extend the S-user lifetime of each user or allow them to expire. Note: administrators should only extend S-users that are required to continue transacting on behalf of the company.
     

Expired S-user IDs

  • For 90 days after the expiry date passes, the S-user ID will be disabled (please note that the S-user ID will not be deleted yet).
  • The S-user will be unable to authenticate into SAP platforms and systems.
  • Administrators can see this in the user management tools.
  • Administrators can reactivate the S-user ID up until the S-user ID is deleted.

Deleted S-user IDs

  • 90 days after the S-user ID has expired, it will be deleted.
  • Administrators can view deleted S-user IDs for 12 months; however, a deleted S-user ID can no longer be reactivated.
  • If the deleted S-user requires access to SAP systems again, the administrator will have to create a new S-user ID for that individual (the deleted S-user ID will no longer exist). 
  • Please note: SAP cannot bring this S-user ID back.
  • The deleted S-user's history will also be deleted from the SAP systems permanently.

Notifications

  • Every month, administrators with the permission to manage S-user IDs will be notified of all S-user IDs expiring during the upcoming 90 days. They can adjust the expiry date of a user at any time.
  • S-users will be notified 30 days before the ID expires. At any time they may request an extension of their ID's expiry date via self-service.

Interfaces

  • Administrators can see the expiration date and last login date of the S-user IDs inside of the User Management application for Customers and the Manage My Users application for partners.
  • S-users can also see their ID's expiration date in their User Profile.

General FAQ

Frequently asked questions:

All new and existing S-users are in scope except for super, cloud or user administrators, Security Managers, technical communication users and P-users.

Yes, administrators can update the lifetime of a specific user at any point before they expire. The mass update functionality can only be used for S-users in the expiring or expired status; the expiry date of S-users can only be set to a maximum of 12 months.

Note: Administrators should only extend S-users that are required to continue transacting on behalf of the company.

All administrators (i.e. super, cloud, or user administrators as well as Partner Security Managers) will be notified about the expiring S-user IDs.

Yes, administrators may delete any S-user IDs at any time.

The incident handling process will not be affected even if the S-user ID of the Reporter has been deleted/expired. However, if your S-user ID has already expired, contact your user administrator to request reactivation and extension of your expiry date. Once completed, you should again be able to access your incident(s). However, if your S-user gets deleted, you will need to request a new S-user ID to resume incident processing. Meanwhile, any other active user within the company with incident authorization can take over and process the incident.

If you are a VAR-d partner using SAP Solution Manager, please check the partner section of the FAQ.

S-user lifetimes are mandatory for all customers and partners as part of the new user management processes starting June 2nd, 2020.

The customer/partner user administrators can use the SAP ONE Support Launchpad "Support User Management" tile (Manage My Users application for Partners) to check the 'Expiry Date' of their users. One can extend the expiry date via the 'Action' column.

Some icons are greyed out because these S-users have the Administrator function and, by default, have an expiry date of 31.12.9999.


As a user administrator, you will receive an email notification on the first day of the month if any S-user IDs are expiring during the upcoming 90 days. The system will notify S-user owners via email 30, 14, and 2 days before expiration.

A user administrator can extend the expiry date at any time.

No. There is no automatic extension capability within the S-user Lifetime functionality. During the creation of a new S-user ID, the validity period defaults to 2 years. The user administrator can further extend the validity date if needed. The 'last log in' date can be used by the user administrator to determine whether the S-user ID is still being used, and thus merits an extension.


You may check the status and expiration date of an S-user ID via the "Support User Management" tile. The user administrator also receives a monthly notification if any S-user IDs expire within the next 90 days. The S-user ID owners also receive a notification 30, 14, and 2 days before their expiration dates. 

 

The S-user ID owners will also receive email notifications when their S-user ID is about to expire. This email will be received 30, 14, and 2 days prior to expiry. The S-user ID owner should then inform their company user administrator to extend their S-user ID expiration date if the S-user ID is still being used.

An S-user ID gets the "inactive" status when its S-user ID information does not include a valid email address. Inactive S-user IDs cannot be used. User administrators must provide the missing information to reactivate the S-user ID.

An individual's certification will continue to be visible for any S-user ID provided their email address is maintained. Therefore, if your S-user ID has expired, request your user administrator to reactivate your ID. In the unfortunate event that your S-user ID was deleted, ask your user administrator to create a new S-user ID for you with the same email address as your previous S-user ID. Your certifications will be available under your new S-user ID.

Please note that if an individual changes their email address, s/he will need to contact SAP Education to request a transfer of their certificates to their new S-user ID (e.g., when moving from one company to another).

Please refer to the SAP Knowledge Base Article 2928052 for more information. If you are still facing challenges, please raise an official Support ticket for the support team to investigate further.

VAR-Delivered Support Partner FAQ

VAR-delivered partner specific frequently asked questions:

The same guidelines and rules apply to VAR-d partners: administrators must maintain S-user IDs regularly. Like customers, partners will also receive notifications for expiring users within their organization.

Also, if you are using SAP Solution Manager for incident management, please ensure that S-user IDs in your AISUSER table are still active. Those S-user IDs are used for incident forwarding to SAP Support. Incident forwarding to SAP Support is not possible if the S-user IDs used are either expired, inactive, or deleted.

No. Only your end customers will receive such notifications for their own S-user IDs. It is your customer's responsibility to manage their own S-user IDs.

Yes, VAR-d user administrators can see all S-user IDs within their organization. 

For VAR-d end customers, only the customer user administrators will be informed of the expiring S-user IDs within their organization. As their Support Provider, you cannot see your end customer's S-user ID status and expiration date. This needs to be managed by the customer organization themselves.

Your SAP Solution Manager system will still be able to read and update your incidents within SAP Solution Manager, even if the end customer's or your own S-user ID becomes expired or deleted. However, it will not be possible for SAP Solution Manager to send or forward your incident back to SAP if any S-user ID involved in forwarding to SAP (either the "Reporter" or the "Creator") is expired or deleted. Therefore, if the S-user ID has expired, please contact your user administrator to reactivate the S-user ID and extend its expiry date.

It is important that your end customers keep track of their S-user ID expiry dates and ensure that they are updated accordingly. If S-user IDs are not maintained, then incident exchange with SAP may be disrupted.

Yes. If the VAR-d partner knows which end customer S-user ID is active, s/he can change the "Contact Person" entry from the AISUSER table to the active S-user ID. Please also reference SAP Note 2511493.

No, it is also relevant for logging into various SAP portals and systems.

Yes, your customers will need to manage and review all S-user IDs created for their organization and decide for themselves which ones to extend and which ones to allow to expire (or they can already delete them manually, if applicable). For this purpose, the user administrators can reference the "last login" date, which provides some information on whether the S-user ID is still being used. VAR-d end customers also need to check with their Service Providers which S-user IDs are being used by the Service Provider when sending incidents to SAP. VAR-d customers need to ensure that those S-user IDs do not expire. Otherwise they will be impacted when forwarding incidents to SAP Solution Manager.

For general partner User Lifetime information and FAQ, see here.