
Do you really have to delete roles if you deactivate a user?

Former Member
0 Kudos

I was searching through threads trying to find a recommendation regarding the best way to deactivate users in SAP. I understand locking and changing the validity date, but I am also seeing recommendations to delete the roles... In addition to roles, do you also recommend deleting profiles (ones not associated with a specific role)? I'm just asking because I was under the impression it was good for security purposes to know what roles/profiles (authorizations) the user had in the past if something happened that required research and the ability to identify "who had the ability to do what". If we delete all of that information from their account, is there still a way to determine what they did have when they were an active user? If it is OK to leave roles in and maybe just set their expiration date, how should profiles not associated to roles be handled?

I guess most importantly, is there a known recommendation straight from SAP that I can reference? My searches have come up empty.


Former Member
0 Kudos

In my opinion, best is to:

- Retire the user ID by locking the account (not just the password).

- Set the validity on the user account to expire (preferably when this is known already, and not when a piece of paper becomes current...).

- Setting the validity of roles is subject to the user compare to a large extent. It is very useful.

- Manual profiles are a bugger - dirty trick is to import them as a template into a role.

> I guess most importantly, is there a known recommendation straight from SAP that I can reference? My searches have come up empty.

I know that the technical explanations of how it works are to a large extent available, release dependently.

If you search for the reports associated to the "user compare" (tcode PFUD) then you will find a lot of info.

Recommendations are more tricky, as it depends on what you want. SAP enables a lot of stuff and is responsible for the correct checks in the programs. But how you build your roles and profiles is up to you, and you have a lot of freedom in that area. You can also shoot yourself in the foot.

I am assuming that you are not on SAP release R/2. Perhaps a bit more details would help...

Cheers,

Julius

Former Member
0 Kudos

Hi Chanda,

In addition to what Julius has recommended (which is perfect, no doubt), I would suggest that you also change the user group of the user to an obsolete or not-in-use type. This will also prevent the security administrators from unknowingly reactivating the user, provided you are following proper naming conventions for segregation of admin responsibilities. You can also thereby determine the users that have been deactivated through reports.

0 Kudos

You can download the table AGR_Users; in this table you can determine what roles a user has.

It can be handy to download it often and keep older versions on your hard drive!

The deletion or delimiting of roles to a user is an additional step in securing obsolete users, which is seen as best practice! Be aware that when you do not do this it can lead to questions in audits!

Former Member
0 Kudos

Thanks to you all for your suggestions. I will download the users' info as they currently stand, then lock and change the validity dates of the users themselves, change the validity dates of their roles, and finally remove any profiles not associated with roles. I know this may not be the "recommended" solution, but this will at least ensure their accounts are no longer available for use. I am serving as BASIS and security right now since we haven't gone live yet, but we will bring on a security administrator in the future. I will let them make the ultimate decision as to what process would best fit with our company standards. Thanks again everyone. Points were rewarded.

Former Member
0 Kudos

Here is the Best Practice for terminated users.

- Set the validity date to last working day.

- Change the user group to "TERMINATED"

- Lock the user

- Remove all the roles from the user master. (If at all there is any push back from the auditors to keep the role, you can set the validity of the role to last working day. However, I would suggest you remove these roles, as these role assignments will be pulled up in SUIM reports & extracts from AGR_USERS. Every time you will have to filter these reports. Best is to remove the roles from the user master.)

Sameek
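The thread's tension is between removing roles from the user master (so SUIM and AGR_USERS extracts stay clean) and keeping the audit trail of who held what. One way to reconcile both, as an added example that is not from any poster in this thread: archive dated AGR_USERS downloads before delimiting or removing assignments, then answer "which roles did this user hold on that date?" from the archive. The extracts below are constructed sample data; the column names UNAME, AGR_NAME, FROM_DAT and TO_DAT (SAP YYYYMMDD dates) and the tab-separated layout are assumptions about how the table was downloaded.

```python
from datetime import date

# Constructed sample extracts of AGR_USERS (tab-separated, as if downloaded
# from SE16). Column names and date format are assumptions for this example.
SNAPSHOT_2009_03_31 = """\
UNAME\tAGR_NAME\tFROM_DAT\tTO_DAT
JSMITH\tZ_FI_AP_CLERK\t20080101\t99991231
JSMITH\tZ_MM_BUYER\t20080601\t20090331
ADOE\tZ_FI_AP_CLERK\t20080101\t99991231
"""
# Later extract, taken after JSMITH was terminated and the roles removed.
SNAPSHOT_2009_04_30 = """\
UNAME\tAGR_NAME\tFROM_DAT\tTO_DAT
ADOE\tZ_FI_AP_CLERK\t20080101\t99991231
"""

def parse_agr_users(extract):
    """Turn a tab-separated extract into a list of row dicts keyed by header."""
    lines = extract.strip().splitlines()
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]

def sap_date(s):
    """Convert an SAP YYYYMMDD string to a date (99991231 is the open end)."""
    return date(int(s[:4]), int(s[4:6]), int(s[6:8]))

def roles_on(rows, user, on):
    """Roles valid for `user` on date `on` according to one snapshot."""
    return sorted(r["AGR_NAME"] for r in rows
                  if r["UNAME"] == user
                  and sap_date(r["FROM_DAT"]) <= on <= sap_date(r["TO_DAT"]))

def removed_assignments(old_rows, new_rows):
    """(user, role) pairs present in the older extract but gone from the newer one."""
    old = {(r["UNAME"], r["AGR_NAME"]) for r in old_rows}
    new = {(r["UNAME"], r["AGR_NAME"]) for r in new_rows}
    return sorted(old - new)

# The archive: snapshot date -> parsed rows. Keep adding downloads over time.
ARCHIVE = {date(2009, 3, 31): parse_agr_users(SNAPSHOT_2009_03_31),
           date(2009, 4, 30): parse_agr_users(SNAPSHOT_2009_04_30)}

def roles_held(user, on):
    """Audit question: consult the latest snapshot taken on or before `on`.
    Returns [] when no snapshot covers that date (no archived evidence)."""
    eligible = [d for d in ARCHIVE if d <= on]
    if not eligible:
        return []
    return roles_on(ARCHIVE[max(eligible)], user, on)
```

Because validity dates travel with each row, a single snapshot still answers questions about dates after it was taken, until the next download supersedes it.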