Assigning Groups

Windows supports two levels of groups:

· Global groups

You create global groups at the domain level. Global groups are known to all servers within the domain.

· Local groups

You create local groups on a single server. They are only known on that server.

Exception: If you define a local group of users on one domain controller (PDC or BDC), the group is known on all domain controllers within the domain.

Global Groups

Global user groups are valid within a Windows domain, not only on one server. Therefore, we recommend you bundle the domain users into different activity groups, depending on their tasks. The domain administrator may export these activity groups to other domains, so the respective user can access all resources needed to administer the SAP system.

Although you may choose the name of the group as you wish, the standard global group for SAP system administrators is defined as SAP_<SAPSID>_GlobalAdmin according to the installation guide for your SAP component on Windows, which you can find in the SAP Service Marketplace at → SAP NetWeaver → Release 04 → Installation → SAP Web AS → <Release> or at → SAP Components → <Release>.

Local Groups

Local user groups (as well as local users) exist locally on one server. During installation, user rights are assigned to local users instead of groups. (For example, the user <sapsid>adm receives the user right Log on as a service.) However, to simplify user administration, we recommend you assign server resources to local groups instead of single users. You can then assign the appropriate global users and global groups to the local group.

Local user groups increase the security and validity scope of user rights. However, be careful when using domain controllers. A single local user right defined on a domain controller is valid on all domain controllers. We therefore do not recommend installing SAP systems on a domain controller!

The following relationships are possible between users, local groups and global groups:

· A user can be a member of both a local group and a global group.

· A global group can be included in a local group. You may also export a global group to another Windows domain.

If several users need the same rights for a certain set of resources, you can create a group. It is then no longer necessary to assign each individual user his or her rights to each of the files. Instead, you assign the rights to the group, and all of the users in the group automatically receive the rights assigned to it. The same applies to the users in a global group that is itself a member of a local group.
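The nesting described above (global group inside a local group, resource rights on the local group), followed by a check for rights granted directly to single users, as an added PowerShell example that is not part of the SAP documentation. The domain name, SAP system ID, local group name and directory path are assumptions made for illustration; the script assumes an elevated session on a domain member server with the LocalAccounts module (Windows PowerShell 5.1).

```powershell
# Constructed values for this example (not taken from the SAP guide)
$Domain      = 'EXAMPLEDOM'                           # hypothetical Windows domain
$SapSid      = 'C11'                                  # hypothetical SAP system ID
$GlobalGroup = "$Domain\SAP_${SapSid}_GlobalAdmin"    # name pattern given in the text
$LocalGroup  = "SAP_${SapSid}_LocalAdmin"             # hypothetical local group name
$Resource    = "D:\usr\sap\$SapSid"                   # hypothetical resource directory

# 1. Create the local group on this server if it does not exist yet.
if (-not (Get-LocalGroup -Name $LocalGroup -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $LocalGroup `
        -Description "Local administrators for SAP system $SapSid" | Out-Null
}

# 2. Include the global (domain) group in the local group.
$members = Get-LocalGroupMember -Group $LocalGroup
if ($members.Name -notcontains $GlobalGroup) {
    Add-LocalGroupMember -Group $LocalGroup -Member $GlobalGroup
}

# 3. Assign the resource to the local group, not to individual users.
$acl  = Get-Acl -Path $Resource
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$env:COMPUTERNAME\$LocalGroup",      # trustee: the local group
    'Modify',                             # rights chosen for this example
    'ContainerInherit,ObjectInherit',     # apply to subfolders and files
    'None',
    'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Resource -AclObject $acl

# 4. Audit: report explicit (non-inherited) entries that name a local user
#    account directly instead of a group.
$localUsers = Get-LocalUser | ForEach-Object { "$env:COMPUTERNAME\$($_.Name)" }
(Get-Acl -Path $Resource).Access |
    Where-Object { -not $_.IsInherited -and
                   $localUsers -contains $_.IdentityReference.Value } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

An empty result from step 4 means no local user holds rights on the directory directly; entries for domain user accounts are not covered by this check.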