Amended Lifecycle for SAP S-User IDs (Status: June 2020)
Diesen Beitrag gibt es auch auf Deutsch.
SUMMARY: Starting June 2, 2020, S-user IDs required to access certain SAP webpages will come with an expiry date that administrators can easily extend. Super, cloud and user administrators are not affected, neither are Partner Security Managers and Technical Communication Users.
Of course, the user administrator is still free to simply delete an S-user ID at any time.
To use support applications in the SAP ONE Support Launchpad, purchase software in the SAP Store, or book training courses, customers need a user ID, commonly named an “S-user”. for new customers, SAP creates the first such ID. Afterwards, however, administration of users is completely passed on to the customer.
In the past, these S-users were valid for an unlimited period of time; they had to be deleted manually. Absorbed in everyday life, we might fail to register that colleagues leave the company but take the S-user with them. In principle, this would allow them continued access to internal company information (support tickets, licenses, systems, etc.).
To assist our customers’ user administrators and minimize such risks, starting June 2, 2020, S-user IDs will have an “expiry date”. If the administrator does not intervene – despite early notifications and enough lead time –, an ID will first be deactivated and, in a second step, even deleted.
Super, cloud and user administrators are not affected, neither are Partner Security Managers and Technical Communication Users.
More precisely, the situation is as follows:
- By default, a brand-new S-user will be valid for 24 months.
However, a shorter lifespan can be defined in the user request form. This can be an interesting option if, for example, within a project a set end date is known.
- The shortest possible validity period is 1 day.
- During the last 90 days the ID holder and administrators will be regularly informed that the S-user needs to be renewed.
Case 1 (most common case):
- One of the administrators extends the validity of the S-user ID. This time the default is 5 years, which the S-user gets granted with a single click.
- Optionally, like for brand-new users, an earlier expiry date can be defined. And of course, S-users can be extended at the discretion of administrators long before any notifications have been received.
- If all administrators ignore these alerts, at the end of the lifetime the S-user’s status changes to Expired. This means that the ID can no longer be used, although an administrator may “revive” it.
- The S-user is not deleted until a further 90 days have passed without any action by administrators. Once it has been deleted, the ID is for 12 months included in the list of all deleted S-users. Note that it cannot be reactivated, not even by SAP.
Case 2 will only occur if the administrators deliberately ignore all reminders. Usually the reason is that the S-user is indeed no longer needed. Of course, the notification can also be understood as a prompt to immediately delete the S-user manually instead of waiting for its automatic deletion.
All the above actions are performed in the Support User Management application of the SAP ONE Support Launchpad.
On the first day of every month, administrators receive a notification that lists all S-user IDs that are earmarked to expire within the next 90 days. Affected S-users get such an alert 30, 14, and 2 days before the expiry date.
Validity period for existing S-users
As mentioned above, by default new S-users are granted 24 months validity. But what happens to S-user IDs that already exist on the changeover date for the adapted process?
Their validity is initially also limited to 24 months, counted from the last logon date to an SAP website. (For S-users who have never logged on at all, counting starts on the day of their creation).
It could happen that on the changeover day June 2, 2020, an S-user who has been inactive for a very long time is set to Expired straightaway. To prevent this from happening, SAP has made the decision that the earliest expiry date for existing S-user IDs is October 20, 2020. A simple calculation, going back in time by 24 months, shows us that this affects S-users who last logged on before October 20, 2018 (or were created before that date and never logged on). They will start receiving notifications on September 20, 2020. Their administrators will be alerted even earlier: on August 1, September 1, and October 1, 2020.
(Click to enlarge image)