Mass deletion of ancient manual profiles and authorizations

Former Member
0 Kudos

Dear gurus,

I am implementing new roles on an ECC 6.0 system. Over the past 25 years the various legacy concepts are all still available in the system although we have replaced them with a new role concept.

Removing the obsolete roles and SAP standard roles en masse is fine (see SAP Note 313587, https://service.sap.com/sap/support/notes/313587) but I cannot find anything comparable to it for removing the old profiles en masse...

The manual procedure is:

1) Check in SUIM that all users only have generated authorizations from roles.

2) Delete all composite profiles and composites within composites etc. in SU02 until only SAP_ALL is left over.

3) Delete all single profiles no longer assigned directly to a user or indirectly to the previously deleted composites in SU02.

4) Delete all authorizations per object in SU03 which are no longer assigned to the previously deleted single profiles.

I fear that it will take me about 25 years to undo this again...

Does anyone know of an easier way or utility to do this? Perhaps in one mouse click?

I was hoping to find some utility report, but had no luck in the system or OSS. My plan B was to try some script of sorts, but SU02 and SU03 don't have input fields, there is a lot of scrolling involved and they throw a lot of popups, so I am not too confident about it...

Cheers,

Julius

1 ACCEPTED SOLUTION

Bernhard_SAP
Employee
0 Kudos

Hi Julius,

pls have a look at FM SUSR_INTERFACE_PROF (using ACTION=06)....

Unfortunately the selection of PROFILE has to be performed separately beforehand (UST10s - UST04 content????)

I hope this could be helpful...

b.rgds,

Bernhard

6 REPLIES

0 Kudos

Thanks Bernhard!

I will already have to make sure beforehand that UST04 is empty (from the perspective of manual profiles of any form) by replacing them with generated ones (for the new roles).

The problem is that after deleting all the composite and single profiles in SU02 (manually) there are still many many many manual authorizations left in USR12 and UST12, which are the main hassle in the clean-up.

So, I created a DUMMY profile and assigned authorizations to it in SU03 using the "insert all" button which can be used at the class level already!

Then I delete that one DUMMY with the FuBa and it does exactly what I was looking for:

FORM delete_profile_with_auths USING p_profile LIKE usr10-profn.

Thanks again and enjoy the weekend!

Julius

0 Kudos

That "trick" only worked in theory.

I soon reached the maximum limit of authorizations for the profile, and SU02 was displaying all the &SAP_ALL and T-* authorizations as well.

Anyway, it is still better than searching and single mouse click deleting individually each time.

I will leave the thread open still for a while in case someone comes up with something faster.

Cheers,

Julius

0 Kudos

Hi Julius,

I think adapting the report AGR_MASS_STAR_0_PROBLEM into Z_AGR_MASS_STAR_0_PROBLEM according to your needs is not too much effort. After you have removed the USR10 entries, the UST10 entries are cleaned, and for USR12/UST12 you need to change from 'generated' to manual (but I am not a developer).

b.rgds, Bernhard

0 Kudos

Hi Bernhard,

I had already tried something very similar by deleting the USR10 entries directly (in a sandbox) and then running SUSR_SYNC_USER_TABLES = X. But it didn't clean out the authorizations. I was thinking of doing the same for USR12 and then running the sync again.

A copy of a standard report is a "nicer" way, except my program did make some authorization checks...

The system is very old and there are anyway entries which will need to be deleted directly --> objects which don't exist (at all), objects without any fields (one of them is even used in an authority-check), etc.

I have a plan B using a script idea which I will be able to test later in the week (they are setting up a fresh sandbox for me).

Cheers and thanks again,

Julius

0 Kudos

> pls have a look at FM SUSR_INTERFACE_PROF (using ACTION=06)....

> Unfortunately the selection of PROFILE has to be performed separately beforehand (UST10s - UST04 content????)

We ended up using this FM as it meant that we only need to select the profiles beforehand, and not "hit" any SAP tables.

The FM does a good job and performance is great, but it will also delete profiles which are still assigned to users, so you need to perform several checks in advance.

Important ones: You have to take care of this in the select-options from USR10, and clean out any entries found once in UST04 as well as remove any CP = *SAP_ALL*, *SAP_NEW*, *TMS*, *CPIC*, etc.

For BW systems, some profiles are still in widespread use, so you need to deal with them case-by-case. We toasted them...

Then afterwards call SUSR_SYNC_USER_TABLES where TABLETYP = 'X' and the junk and hacks are gone.

Of course, you first need to replace the access with proper roles for the users. Don't forget that part.

Cheers,

Julius
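
The advance checks described in the last post, as an added example that is not part of the original thread and is not SAP code: working on rows exported from USR10, UST04 and UST10C, it returns the manual profiles that can be passed on for deletion and holds back anything still assigned to a user (directly or through nested composites) or matching the protected patterns. The tuple layouts, the type code 'G' for generated profiles and all sample names are assumptions.

```python
from fnmatch import fnmatchcase

# Patterns named in the post (CP = *SAP_ALL*, *SAP_NEW*, *TMS*, *CPIC*).
PROTECTED = ("*SAP_ALL*", "*SAP_NEW*", "*TMS*", "*CPIC*")

def in_use(ust04, ust10c):
    """Profiles assigned to a user directly (UST04 rows: user, profile) or via
    a composite, following composites nested in composites (UST10C rows:
    composite, sub-profile)."""
    children = {}
    for parent, sub in ust10c:
        children.setdefault(parent, set()).add(sub)
    seen, stack = set(), [profile for _user, profile in ust04]
    while stack:
        prof = stack.pop()
        if prof not in seen:          # the seen-set also stops cyclic nesting
            seen.add(prof)
            stack.extend(children.get(prof, ()))
    return seen

def deletion_candidates(usr10, ust04, ust10c, protected=PROTECTED):
    """Split manual profiles into (safe to delete, held back with reason)."""
    used = in_use(ust04, ust10c)
    delete, held = [], {}
    for name, ptype in usr10:         # USR10 rows: profile name, type
        if ptype == "G":              # assumption: 'G' marks a generated profile
            continue                  # role-generated profiles are out of scope
        if any(fnmatchcase(name, p) for p in protected):
            held[name] = "protected pattern"
        elif name in used:
            held[name] = "still assigned to a user"
        else:
            delete.append(name)
    return sorted(delete), held

# Constructed sample rows, not taken from any real system.
USR10 = [("Z_OLD_COMP", "C"), ("Z_OLD_FI", "S"), ("Z_OLD_MM", "S"),
         ("Z_LEGACY", "C"), ("Z_LEGACY_SUB", "S"), ("SAP_ALL", "C"),
         ("Z_TMS_ADMIN", "S"), ("T-12345678", "G")]
UST04 = [("JSMITH", "T-12345678"), ("BATCH01", "Z_LEGACY")]
UST10C = [("Z_OLD_COMP", "Z_OLD_FI"), ("Z_LEGACY", "Z_LEGACY_SUB")]

if __name__ == "__main__":
    delete, held = deletion_candidates(USR10, UST04, UST10C)
    print("delete:", delete)
    for name, reason in held.items():
        print("hold:  ", name, "-", reason)
```

Anything in the held-back list with the reason "still assigned to a user" points at a user whose access has not yet been replaced by roles, which is the precondition the post insists on.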