09-25-2008 11:38 AM
Hi
We use CUA/SSO.
The records are fed from HR records and sent to Active Directory (AD)
AD brings back the records and creates/changes users in SU01
A function module populates the CVR (timesheet) parameter dependent on whether you are an employee or a contractor
Occasionally, our HR department request records to be deleted from the SAP Support team - for example if the employee or contractor hasn't in fact joined the company.
Until some time ago, the deletion was causing problems because:
a) the record does not get deleted in AD and there is no way to send the deletion across after
b) when AD tries to reprocess that specific record, the LDAP connector will not find it as an HR record, so what happens in SU01 is that, for some reason, the VALID from field gets wiped out and the CVR parameter for Timesheet also...
We have changed the process for the deletion; however, I would like to ask if you know what the best practice is for this? HR want to delete the record so it can be re-utilised
I cannot delete those records from UMR unless I am 100% sure they have never used the system (will have to check that)
I hope I have provided enough info on what the issue is.
Thank you
Nadia
09-25-2008 11:55 AM
Best practice is not to delete.
> HR want to delete the record so it can be re-utilised
So many people with the same name? Perhaps a suffix of 2 numbers when the ID naming convention produces a clash. Besides, do your AD admins not want unique names in the AD as well?
E.g. (just an imperfect example)
MUSTERMA = Alfred MUSTERMan
MUSTERMM = Manfred MUSTERMan
MUSTER01 = Mechtilde MUSTERMuller
> I cannot delete those records from UMR unless I am 100% sure they have never used the system (will have to check that)
Surest way is to determine that they have never logged on before. But that does not exclude that records might exist for them, which may eventually do a "user existence check" to be read. One such example is the Security Audit Log, e.g. there may have been failed login attempts.
Good luck,
Julius
09-25-2008 11:58 AM
Thanks Julius!
We use Personnel Numbers rather than names. Does that apply also?
Thanks
Nadia
09-25-2008 12:19 PM
> HR want to delete the record so it can be re-utilised
> we use Personnel Numbers rather than names. Does that apply also?
HR wants to re-use personnel numbers? That sounds really strange to me.
Anyway, I agree with Julius, usernames (BNAME in SAP) should never be re-used to identify a second (or third) person. Adding a sequence number is the easiest way to go in my opinion.
09-25-2008 12:32 PM
> we (re) use Personnel Numbers rather than names. Does that apply also?
It would apply regardless of your naming convention when re-usable ....
If a newbie got his timing right, he could start on Monday as CEO ...
09-25-2008 12:43 PM
> If a newbie got his timing right, he could start on Monday as CEO ...
Or, if slightly less lucky, he/she finds out the previous owner of the userid had some very fancy roles. I can already see him/her persuade the support desk to: "give me back my rights, I used to have them but they were taken away without anybody asking me!"
09-25-2008 1:46 PM
Or want his previous salary back again when noticing what it was via ESS...
My conclusion:
- Use unique names.
- Don't delete user IDs.
- Needs a naming convention.
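
The naming convention from the 11:55 AM reply, combined with the "don't delete, don't re-use" conclusion, as an added Python example that is not part of the original thread and is not SAP code. The class and method names are hypothetical, the clash rule (six letters plus a two-digit suffix) is inferred from the three sample IDs in that reply, and the in-memory registry stands in for whatever user store a real landscape would check.

```python
# Added illustration; UserIdRegistry and its methods are hypothetical names.
from dataclasses import dataclass, field


@dataclass
class UserIdRegistry:
    """Tracks every ID ever issued; retiring an ID locks it, never frees it."""
    active: dict = field(default_factory=dict)   # user ID -> full name
    retired: dict = field(default_factory=dict)  # user ID -> full name (tombstone)

    def _taken(self, user_id):
        # Retired IDs still count as taken, so they cannot be re-issued.
        return user_id in self.active or user_id in self.retired

    def allocate(self, first_name, surname):
        first = first_name.strip().upper()
        last = surname.strip().upper()
        if not first or not last:
            raise ValueError("first name and surname are required")
        # Convention from the thread's example: 7 letters of surname + initial.
        candidate = last[:7] + first[0]
        if self._taken(candidate):
            # Clash: 6 letters of surname + two-digit suffix, 01..99.
            for n in range(1, 100):
                candidate = f"{last[:6]}{n:02d}"
                if not self._taken(candidate):
                    break
            else:
                raise RuntimeError(f"no free ID left for {surname}")
        self.active[candidate] = f"{first_name} {surname}"
        return candidate

    def retire(self, user_id):
        # Leaver or never-joined: keep the ID as a tombstone instead of deleting.
        self.retired[user_id] = self.active.pop(user_id)


def demo():
    reg = UserIdRegistry()
    ids = [reg.allocate("Alfred", "Musterman"),
           reg.allocate("Manfred", "Musterman"),
           reg.allocate("Mechtilde", "Mustermuller")]
    reg.retire("MUSTERMA")
    # A new joiner with the same name must not inherit the retired ID.
    ids.append(reg.allocate("Anna", "Musterman"))
    return ids, reg


if __name__ == "__main__":
    print(demo()[0])
```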