User Creation, Modification and Deactivation Process
1. Creating or modifying a user ID in the SAP Production system should only be done by the Security
Administrator, on the basis of some form of approval. Different operating companies follow different
processes: some use hard copies of the SAP User Access form, some use an electronic version of it,
and some just have approval via email. Whatever the case, these user access documents should be
retained for audit purposes.
Note: Auditors might take a sample of user IDs created in a given period and then look for the user
access approval document for each.
2. Similarly, any deactivation, disabling or deletion of user IDs should follow a procedure, and that
procedure should be part of the SAP Security Administrator SOP. It could use the same format as is
used for creation or modification of user IDs.
Note: Auditors might like to see that every terminated user is properly disabled in the SAP system.
They might take a sample of users terminated in a given period and ask for the user deactivation or
termination document.
Please make sure you get the information from your HR team for every user leaving your company,
and disable or deactivate those users on a daily basis.
Also, if you do not delete user IDs on termination but instead disable them by changing the valid-to
date and locking them, make sure that you have a method to differentiate users locked because of
termination from those locked because of 90 days of inactivity. One method could be to use a user
group Terminated for terminated users and a user group Inactive for users who are inactive because
they have not logged in to the system for 90 days.
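
A daily reconciliation of the HR leaver list against the SAP user list can confirm the points above before an auditor samples them. The following is an added example, not part of the original procedure: the CSV layouts, column names and user IDs are constructed for illustration and are not an SAP export format; only the user groups Terminated and Inactive and the 90-day threshold come from the text.

```python
import csv
import io
from datetime import date

# Constructed sample data; column names are assumptions, not an SAP export format.
HR_LEAVERS = """user_id,last_day
JSMITH,2024-03-01
MKHAN,2024-03-04
"""
SAP_USERS = """user_id,locked,valid_to,user_group,last_logon
JSMITH,Y,2024-03-01,Terminated,2024-02-28
MKHAN,N,9999-12-31,,2024-03-03
ALEE,Y,9999-12-31,Inactive,2023-11-01
BROSS,Y,9999-12-31,,2023-10-15
CDIAZ,N,9999-12-31,,2023-11-20
"""
INACTIVITY_DAYS = 90                      # threshold stated in the procedure
REASON_GROUPS = ("Terminated", "Inactive")  # user groups named in the procedure


def rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_csv, sap_csv, today):
    """Return (user_id, finding) pairs an auditor would ask about."""
    leavers = {r["user_id"]: date.fromisoformat(r["last_day"]) for r in rows(hr_csv)}
    findings = []
    for u in rows(sap_csv):
        uid, group = u["user_id"], u["user_group"]
        locked = u["locked"] == "Y"
        valid_to = date.fromisoformat(u["valid_to"])
        idle_days = (today - date.fromisoformat(u["last_logon"])).days
        if uid in leavers and leavers[uid] <= today:
            # Terminated users must be locked AND expired AND tagged.
            if not locked or valid_to > today:
                findings.append((uid, "terminated but still active"))
            elif group != "Terminated":
                findings.append((uid, "terminated but not in group Terminated"))
        elif locked and group not in REASON_GROUPS:
            # A lock with no group cannot be explained later.
            findings.append((uid, "locked without a reason group"))
        elif not locked and idle_days > INACTIVITY_DAYS:
            findings.append((uid, "inactive over 90 days but not locked"))
    return findings


if __name__ == "__main__":
    for uid, finding in reconcile(HR_LEAVERS, SAP_USERS, date(2024, 3, 5)):
        print(f"{uid}: {finding}")
```
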