Managing SAP users is one of the core tasks of every SAP administration team. This process ensures system security and order while maintaining compliance across your organization.
SAP administrators and IT managers face the challenge of creating user accounts correctly, assigning the right authorizations, and avoiding Segregation of Duties (SoD) conflicts.
In this guide, we walk you step by step through creating SAP users via transaction SU01 and setting up roles with transaction PFCG.
With transaction SU01, you can create, edit, and manage SAP users. But creating a new account involves more than just entering a user ID – several important steps ensure the account is secure and compliant.
1. Open User Maintenance: Enter transaction code SU01.
2. Create the User: On the start screen, enter a user ID and click Create. Always follow your company’s naming conventions.
3. Maintain the Address Data: Go to the Address tab and enter at least the last name (mandatory). Add details such as first name, email address, and phone number for compliance purposes.
4. Save and Assign Roles: Save the user master record, then assign the required roles under the Roles tab. Apply the principle of least privilege to avoid SoD conflicts.
Please consider the following security aspects when creating SAP users:
With PFCG role maintenance, administrators can define complex SAP roles and authorizations for ABAP applications that meet both business and compliance requirements.
1. Launch PFCG in SAP: Enter transaction PFCG.
2. Create a Single SAP Role: Click on Single Role and then Create.
Tip: Assign a meaningful name to the new role. Ideally, it should start with “Z” or “Y”, which are reserved for the SAP customer namespace.
3. Maintain the Role Menu: Go to the Menu tab and add the required transactions, function modules, and other menu objects.
4. Generate Authorizations in PFCG: Switch to the Authorizations tab and click on Expert Mode for Profile Generation. The system will then perform an automatic authorization comparison against SU24 proposals and provide the required authorizations.
5. Maintain Authorization Fields: The authorizations will be available based on the SU24 proposal values of the menu objects. Adjust the authorization objects and their fields as needed.
Note: Pay attention to the authorization status indicators. The statuses “Maintained” and “Standard” ensure traceability via SU24, while “Manual” and “Changed” lose the SU24 context and should generally be avoided.
Status lights in the tree view:
6. Generate the Role Profile: Click Generate to create the new authorization profile. The system automatically generates the profile name.
Once the role has been created, you can assign it to the desired users under the User tab.
When creating SAP users, you must consider various security principles – such as the principle of least privilege and strict Segregation of Duties (SoD) – as well as applicable compliance requirements.
Assign only the permissions absolutely necessary for each role.
Enforce strong password rules and consider SAP Single Sign-On (SSO).
A Segregation of Duties (SoD) conflict exists when one person can perform several critical tasks in the same business process, and the combination of those tasks carries a high risk of error, manipulation, or fraud. Where such conflicts exist, they can – whether intentional or unintentional – cause significant harm to the system or to business processes.
Examples of critical SoD conflicts include:
Note: Also check for cross-system SoD risks (e.g., Ariba + S/4HANA).
Weak SoD management can cause compliance violations and legal consequences. Auditors regularly review SAP authorization structures.
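As an added illustration of the SoD check described above (example code, not part of the original article and not Xiting's XAMS product), the following Python script flattens each user's PFCG role assignments to the actions they grant and reports which SoD rules a user violates, including a cross-system rule in the Ariba + S/4HANA style. All users, roles, transaction codes, and rules below are constructed placeholders, not a recommended rule set.

```python
"""Constructed SoD conflict check over user -> role -> transaction assignments.

Added example, not SAP's or Xiting's code. The sample data and the SoD rule set
are illustrative placeholders only.
"""

# Constructed sample: actions each role grants, prefixed with the system name so
# that cross-system combinations (Ariba + S/4HANA) can be evaluated together.
ROLE_ACTIONS = {
    "Z_AP_INVOICE":   {"S4:FB60"},           # post vendor invoice
    "Z_AP_PAY":       {"S4:F110"},           # run the payment program
    "Z_VENDOR_MAINT": {"S4:XK01"},           # create vendor master data
    "Z_ARIBA_PO":     {"ARIBA:CREATE_PO"},   # create purchase orders in Ariba
    "Z_DISPLAY":      {"S4:FB03"},           # display documents only
}

# Constructed sample: roles assigned to each user (what PFCG's User tab would show).
USER_ROLES = {
    "JSMITH": {"Z_AP_INVOICE", "Z_AP_PAY"},
    "AKHAN":  {"Z_VENDOR_MAINT", "Z_ARIBA_PO"},
    "MLEE":   {"Z_DISPLAY", "Z_AP_INVOICE"},
}

# Constructed SoD rules: two actions one person must not be able to perform together.
SOD_RULES = [
    ("S4:FB60", "S4:F110", "post invoice + execute payment"),
    ("S4:XK01", "ARIBA:CREATE_PO", "maintain vendor + create PO (cross-system)"),
]


def granted_actions(user):
    """Map each action the user can perform to the roles that grant it."""
    granted = {}
    for role in sorted(USER_ROLES.get(user, ())):
        for action in ROLE_ACTIONS.get(role, ()):
            granted.setdefault(action, set()).add(role)
    return granted


def find_conflicts(user):
    """Return (rule description, roles involved) for every SoD rule the user violates.

    Listing the roles lets an administrator see which assignment to remove or split."""
    granted = granted_actions(user)
    hits = []
    for action_a, action_b, description in SOD_RULES:
        if action_a in granted and action_b in granted:
            hits.append((description, sorted(granted[action_a] | granted[action_b])))
    return hits


def sod_report():
    """Run the check for all users; users with an empty list are conflict-free."""
    return {user: find_conflicts(user) for user in sorted(USER_ROLES)}
```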
Xiting helps automate SAP user creation and role management while ensuring compliance.
With years of expertise, we developed the Xiting Authorizations Management Suite (XAMS) – an SAP-certified solution that streamlines user, role, and authorization processes.
Via SU01: enter a user ID, click Create, maintain address and logon data, set validity, assign roles, and save.
SAP distinguishes between dialog users, system users, service users, communication users, and reference users. Each type has a specific use case, for example interactive logon, background processing, or interface communication.
The cost of an SAP user depends on the license type (e.g., Employee Self-Service User, Employee User, Limited Professional User, or Professional User).
Exact prices vary depending on your SAP product, contract volume, and licensing model. After a contract conversion to S/4HANA, the new licensing model is applied for calculation. In this case, license costs are determined based on the assigned authorizations.
For more details, see SAP S/4HANA License Analysis & Optimization with XAMS.
User groups are freely definable categories, for example by department, role, or function, that can be assigned to users in the SAP system. They are primarily used for the administration and organization of users and, in some cases, to control certain authorization or administration tasks. This greatly simplifies mass maintenance, the assignment of authorizations, and reporting, and it allows targeted restrictions on who may access certain groups, for example for display or change purposes.