Skip to Content
Personal Insights

Amended Lifecycle for SAP Support User (S-User) IDs

Diesen Beitrag gibt es auch auf Deutsch.

SUMMARY: Starting around mid-2020, S-user IDs required to access certain SAP webpages will come with an expiry date that administrators can easily extend. Super, cloud and user administrators are not affected, neither are Partner Security Managers and Technical Communication Users.

To use support applications in the SAP ONE Support Launchpad, purchase software in the SAP Store, or book training courses, customers need a user ID, commonly named an “S-user”. for new customers, SAP creates the first such ID. Afterwards, however, administration of users is completely passed on to the customer.

In the past, these S-users were valid for an unlimited period of time; they had to be deleted manually. Absorbed in everyday life, we might fail to register that colleagues leave the company but take the S-user with them. In principle, this would allow them continued access to internal company information (support tickets, licenses, systems, etc.).

To assist our customers’ user administrators, and minimize such risks, SAP is currently working on an adapted process: In the future, S-user IDs will have an “expiry date”. If the administrator does not intervene – despite early notifications and enough lead time – an ID will first be deactivated, and in a second step, even deleted.

Super, cloud and user administrators are not affected, neither are Partner Security Managers and Technical Communication Users.

More precisely, the situation is as follows:

  • By default, a brand-new S-user will be valid for 24 months.
    However, a shorter lifespan can be defined in the user request form. This can be an interesting option if, for example, within a project a set end date is known.
  • During the last 3 months, the ID holder and administrators will be regularly informed that the S-user needs to be renewed.

Case 1 (most common case):

  • One of the administrators extends the validity of the S-user ID. This time the default is 60 months, 5 years, which the S-user gets granted with a single click.
    Optionally, like for brand-new users, an earlier expiry date can be defined. And of course, S-users can be extended at the discretion of administrators long before any notifications have been received.

Case 2:

  • If all administrators ignore these alerts, at the end of the lifecycle the S-user’s status changes to Expired. This means that the ID can no longer be used, although an administrator may “revive” it.
  • The S-user is not actually deleted until a further 3 months have passed without any action by administrators. Deletion then has the usual consequences: For 12 months the ID is included in the list of all deleted S-users, and it can only be reactivated by SAP.

Case 2 will only occur if the administrators deliberately ignore all reminders. Usually the reason is that the S-user is indeed no longer needed. Of course, the notification can also be understood as a prompt to immediately delete the S-user manually instead of waiting for its automatic deletion.

All the above actions are performed in the Support User Management application of the SAP ONE Support Launchpad.

Validity period for existing S-users

As mentioned above, by default new S-users are granted 24 months validity. But what happens to S-user IDs that already exist on the changeover date for the adapted process?

Their validity is initially also limited to 24 months, counted from the last logon date to an SAP website. (For S-users who have never logged on at all, counting starts on the day of their creation).

In exceptional cases, namely if the S-user has been inactive for a very, very long time (21 months or longer), it might happen that on the changeover day the S-user is set to Expired or even gets deleted straightaway. To prevent this, such S-users are granted an additional 3 months before they expire. Administrators of such S-users will therefore receive notifications of the pending deactivation directly from day one. For 3 months, these IDs are then listed in the status Expired, and only then will they indeed get deleted.

4 Comments
You must be Logged on to comment or reply to a post.
  • Hello Peter,

    thanks for this advance information.
    But what about the user administrators, will they expire as well? Who is entitled to extend user administrators?

    Thanks, Roland

    • Dear Mr. Koethnig,

      Good point, and indeed I had omitted this small, but important, detail in my blog post. Super, cloud and user administrators are not affected by the process change, neither are Partner Security Managers and Technical Communication Users. I have corrected the blog post accordingly. Thanks for pointing this out.

      Best regards, herzliche Grüße,
      Peter Kappelmann

  • Hello Peter,

     

    Thanks for your article, these are good news for administrators.

     

    We have a doubt about S-user deletion: What happen with incidents created by an S-user after this user is deleted? (being them open or yet closed).

     

    Thanks,

    Pedro Restrepo

     

    • Hello Pedro,

      Whether the user is auto-deleted (because the lifespan didn’t get extended) or manually deleted, the implications are always the same: Objects associated with the user ID are not affected. In particular, incidents reported by the user can still be found using the incident search or in the incident inbox (My Company’s Incidents), and colleagues with the appropriate authorizations can work on behalf of the (now deleted) reporter.

      Best regards,
      Peter