Diesen Beitrag gibt es auch auf Deutsch.
SUMMARY: Starting around mid-2020, S-user IDs required to access certain SAP webpages will come with an expiry date that administrators can easily extend. Super, cloud and user administrators are not affected, neither are Partner Security Managers and Technical Communication Users.
To use support applications in the SAP ONE Support Launchpad, purchase software in the SAP Store, or book training courses, customers need a user ID, commonly named an “S-user”. for new customers, SAP creates the first such ID. Afterwards, however, administration of users is completely passed on to the customer.
In the past, these S-users were valid for an unlimited period of time; they had to be deleted manually. Absorbed in everyday life, we might fail to register that colleagues leave the company but take the S-user with them. In principle, this would allow them continued access to internal company information (support tickets, licenses, systems, etc.).
To assist our customers’ user administrators, and minimize such risks, SAP is currently working on an adapted process: In the future, S-user IDs will have an “expiry date”. If the administrator does not intervene – despite early notifications and enough lead time – an ID will first be deactivated, and in a second step, even deleted.
Super, cloud and user administrators are not affected, neither are Partner Security Managers and Technical Communication Users.
More precisely, the situation is as follows:
- By default, a brand-new S-user will be valid for 24 months.
However, a shorter lifespan can be defined in the user request form. This can be an interesting option if, for example, within a project a set end date is known.
- During the last 3 months, the ID holder and administrators will be regularly informed that the S-user needs to be renewed.
Case 1 (most common case):
- One of the administrators extends the validity of the S-user ID. This time the default is 60 months, 5 years, which the S-user gets granted with a single click.
Optionally, like for brand-new users, an earlier expiry date can be defined. And of course, S-users can be extended at the discretion of administrators long before any notifications have been received.
- If all administrators ignore these alerts, at the end of the lifecycle the S-user’s status changes to Expired. This means that the ID can no longer be used, although an administrator may “revive” it.
- The S-user is not actually deleted until a further 3 months have passed without any action by administrators. Deletion then has the usual consequences: For 12 months the ID is included in the list of all deleted S-users, and it can only be reactivated by SAP.
Case 2 will only occur if the administrators deliberately ignore all reminders. Usually the reason is that the S-user is indeed no longer needed. Of course, the notification can also be understood as a prompt to immediately delete the S-user manually instead of waiting for its automatic deletion.
All the above actions are performed in the Support User Management application of the SAP ONE Support Launchpad.
Validity period for existing S-users
As mentioned above, by default new S-users are granted 24 months validity. But what happens to S-user IDs that already exist on the changeover date for the adapted process?
Their validity is initially also limited to 24 months, counted from the last logon date to an SAP website. (For S-users who have never logged on at all, counting starts on the day of their creation).
In exceptional cases, namely if the S-user has been inactive for a very, very long time (21 months or longer), it might happen that on the changeover day the S-user is set to Expired or even gets deleted straightaway. To prevent this, such S-users are granted an additional 3 months before they expire. Administrators of such S-users will therefore receive notifications of the pending deactivation directly from day one. For 3 months, these IDs are then listed in the status Expired, and only then will they indeed get deleted.