09-15-2008 11:39 AM
Hi gurus, we are facing a strange situation.
Due to the politics implemented in our company, we are not allowed to delete the user record once this guy has finished in the company. We need to have a history of users to consult who has made something in our R3 4.7 ERP.
We use instead the field VALID TO in the user record, so the user can't access the system once the date is reached (it is the same thing that the standard transaction HRUSER manages the validity of the users...)
The problem is that the roles assigned to the users are not limited the same way, I mean if a user has the validity of a role from the 2008/01/01 to 9999/21/31 it's not limited.
That means that in PFCG you can see the roles with users assigned but they are not really active...
Please, is there any possibility to limit also this range of dates in PFCG in an automatic way? It will help us a lot to have the role assignments up to date.
Thanks in advance
Best regards.
09-15-2008 11:43 AM
> Due to the politics implemented in our company, we are not allowed to delete the user record once this guy has finished in the company. We need to have a history of users to consult who has made something in our R3 4.7 ERP.
Good! There are many discussions in the forum on the disadvantage of deleting users.
> We use instead the field VALID TO in the user record, so the user can't access the system once the date is reached (it is the same thing that the standard transaction HRUSER manages the validity of the users...)
> The problem is that the roles assigned to the users are not limited the same way, I mean if a user has the validity of a role from the 2008/01/01 to 9999/21/31 it's not limited.
What's wrong with taking away all roles from these users? You can always retrieve their previous assignments from the change documents.
09-15-2008 11:52 AM
Hi Jurjen, thanks for your quick reply!!
The problem is that we don't know how to do it in an automatic way. The HRUSER transaction allows you to limit the field VALID TO for 1000 users in seconds, but the role assignment is not touched, the field VALID TO in the role assignment is not changed... so you have the roles full of non-active users...
We want to delete also these role assignments. How can we do it?
Thanks in advance.....
09-15-2008 11:59 AM
If you really want to automate it you should have an ABAPer look into the security/user related BAPIs.
What you can do semi-manually is list all users which have expired, (SUIM), list their role assignments (table AGR_USERS) and combine these lists to create:
1 - a list of users whose role assignments can be deleted
2 - a list of roles relevant for these users
3 - the first known assignment date
4 - the highest known assignment end date
With this information you can go to SU10, enter the users, enter the roles, specify a begindate before the first date and an enddate higher than/equal to the last date. That should take care of the roles.
Jurjen
09-15-2008 12:03 PM
Thanks Jurjen, so it means that there is no standard way to achieve it....we wanted to avoid the development if possible.
09-15-2008 12:08 PM
> Thanks Jurjen, so it means that there is no standard way to achieve it....
Nope. The role expiry date in combination with PFCG_TIME_DEPENDENCY takes care of all possible security issues as the profiles are taken from the users' master records. Cleanup is still manual labour.
However, the SU10 route I've described is reasonably easy, especially when carried out on a regular basis.
Jurjen
09-15-2008 12:12 PM
You can get the list of users whose validity has expired using usr02 table. Search by giving the necessary value in the "valid through" field.
Now go to agr_users table.
Give the users that you got from usr02 table. Give the "End date" as the last date for role assignment validity (e.g. greater than today's date .. as >09/15/2008).
From here you get the list of users whose validity has expired but still hold the roles with valid date.
From SU01/SU10, you can delete these role assignments.
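The two list-building procedures described above (expired users combined with AGR_USERS, then the user, role and date-range values for SU10), as an added example that is not part of the original thread. It assumes the two tables were exported to CSV with the fields BNAME and GLTGB from USR02 and AGR_NAME, UNAME, FROM_DAT and TO_DAT from AGR_USERS; the sample rows are constructed and the function names are hypothetical.

```python
import csv
import io
from datetime import date

# Constructed sample exports (assumed CSV downloads); dates are SAP-style YYYYMMDD.
USR02_CSV = """BNAME,GLTGB
ALICE,20080630
BOB,00000000
CAROL,20080831
DAVE,20991231
"""
AGR_USERS_CSV = """AGR_NAME,UNAME,FROM_DAT,TO_DAT
Z_FI_CLERK,ALICE,20080101,99991231
Z_MM_BUYER,ALICE,20070301,20080630
Z_FI_CLERK,BOB,20080101,99991231
Z_HR_ADMIN,CAROL,20060515,20101231
Z_BASIS,DAVE,20080101,99991231
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def expired_users(usr02_rows, today):
    """Users whose 'valid through' date (GLTGB) is set and lies before today."""
    key = today.strftime("%Y%m%d")
    # 00000000 or blank means "no end date", so such a user is not expired.
    return {r["BNAME"] for r in usr02_rows
            if r["GLTGB"].strip("0 ") and r["GLTGB"] < key}

def stale_assignments(usr02_rows, agr_rows, today):
    """Role assignments of expired users whose end date has not passed yet."""
    key = today.strftime("%Y%m%d")
    gone = expired_users(usr02_rows, today)
    return [r for r in agr_rows if r["UNAME"] in gone and r["TO_DAT"] >= key]

def su10_input(stale):
    """Users, roles and the date window that covers every stale assignment."""
    if not stale:
        return None  # nothing to clean up
    return {
        "users": sorted({r["UNAME"] for r in stale}),
        "roles": sorted({r["AGR_NAME"] for r in stale}),
        "first_from": min(r["FROM_DAT"] for r in stale),  # earliest start date
        "last_to": max(r["TO_DAT"] for r in stale),       # highest end date
    }

if __name__ == "__main__":
    stale = stale_assignments(load(USR02_CSV), load(AGR_USERS_CSV), date(2008, 9, 15))
    print(su10_input(stale))
```

The script only builds the lists; removing the assignments is still done in SU10 as described in the thread.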
09-15-2008 12:14 PM
Hi Jurjen,
Is it possible to delete roles from users using SU10 in one shot even if they contain different combination of roles? or do we need to give only roles common to users?
Thanks!
09-15-2008 12:19 PM
It seems to be a lack of functionality ....or a missing one.
The question is... why the standard HR transaction that allows you to create / limit users for the ESS uses this way of limiting the users cannot be completed with the PFCG_TIME_DEPENDENCY and you can do it in one shot?
Maybe in future versions / patches it will be implemented?
09-15-2008 12:24 PM
> Is it possible to delete roles from users using SU10 in one shot even if they contain different combination of roles? or do we need to give only roles common to users?
As far as I know you can do it in one shot. So if you enter all roles for the group of users and make sure the dates are well before and after the actual assignment dates you should be fine.