SAP S/4HANA Administration
Users & Authorizations
52 flashcards · answers and review in the app
Why are 100/JANE and 200/JANE entirely distinct users in SAP S/4HANA?
What's the relationship between roles and authorization profiles?
In an authorization matrix, what are the header, columns, and rows — and what does * mean?
Which transaction does SAP recommend for an authorization trace, and why over ST01?
What's the difference between a single role and a composite role, and what can't a composite contain?
What happens if a role has an associated menu (Menu tab)?
What is the hierarchy of authorization data inside a role?
What's the recommended way to customize an SAP standard role?
What's the final step of authorization maintenance, and what does choosing Save instead do?
Why is directly assigning profiles discouraged, and what's the exception and its safeguard?
What happened to the SAP_NEW profile in SAP S/4HANA?
In CUA, how does the authority to create a user differ from setting an initial password?
What technology underlies CUA communication, and why does every CUA client need a logical system?
What does Transaction SCUM control in CUA, and what are its key distribution options?
Where do you view CUA synchronization logs, and how do you chase an unconfirmed sync?
What are the rules for an SAP user name (length, characters, first character)?
What are the Valid From / Valid To fields used for?
Why must password policy parameters go in DEFAULT.PFL rather than an instance profile?
What does rdisp/gui_auto_logout do, and what's notable about changing it?
Which transaction maintains roles, and how does role transport differ from normal development objects?
How does ABAP verify a user's authorization, and when does the check pass?
What are the two predefined users in a new SAP client, and what is each for?
Which transaction manages individual users, and what do Create Technical User and Copy do?
What are the five SAP user types and their key traits?
How is a user's license type audited, and what's the cost trap of leaving it blank?
What user-master changes are audited automatically, and which are not?
What do login/min_password_lng, login/password_expiration_change, and login/password_history_size control?
What does login/password_compliance_to_current_policy = 1 do after you tighten the password policy?
Why is it good practice to create named superusers as copies of SAP* and then disable SAP*?
What does a user group (SUGR) achieve for delegated administration?
What does SU10 do, and why can't it set an initial password when creating users?
Why can't you delete an authorization object from a role while it's green (Maintained), and how do you proceed?
What does Central User Administration (CUA) centralize, and where does it run?
How does the SAP authorization system connect objects, roles, and users?
What are the two types of authorization fields?
How are roles normally distributed across the landscape, and what's included vs not?
Where is the CUA distribution model created, and what's the fastest way to check a client's CUA role?
What's special about the password an administrator sets for a user?
What are the default minimum constraints on a password's content?
Why must SAP* never be deleted, and what parameter guards against the danger?
How do you apply a stricter-than-default security policy to specific users?
What does locking a user (SU01) block, and in what two ways can a lock happen?
Which parameters control auto-lock after failed logons, and how is the lock released?
What does login/disable_multi_gui_login = 1 block, and what's exempt from it?
What three approaches find which authorization objects and values a business process needs?
On the PFCG Authorizations tab, what does a yellow triangle indicate?
What does the ACTVT field do, and what do activity codes 01, 02, and 03 always mean?
Why is the authorization object S_TCODE special compared with other objects?
After assigning a role to users in PFCG, what must you run and why?
How are time-restricted role assignments granted and withdrawn at the right time?
What is the User Information System (SUIM) good for?
How does CUA log on for RFC communication between master and child clients?