SAP Role optimization / clean up

Former Member
0 Kudos

Hello Experts,

As a security consultant working especially in AO engagements, we invariably come across a situation where we have a lot of unused / under-utilised roles across the landscape, and also roles which are not consistent with their definition, temporary roles created in the production system, etc.

I am looking for any such checks / reports that can help us identify these roles for optimization (which might be cleaned off from the system).

Request your inputs / suggestions on this.

Thanks,

Shailesh

8 REPLIES

former_member215759
Active Participant
0 Kudos

Hi,

In SUIM -> Roles -> Roles by Complex Selection Criteria, you may select and check roles according to certain criteria, such as "changed since".

I hope this helps.

Regards,

Snow

0 Kudos

Thanks Snow,

But the information I am looking for is not exactly on "How" to get these reports but "Which" reports I should pull out that can help me in role optimization / clean up. I am aware that this might differ from project to project, but I am looking for some generic checks, e.g.

- Roles which have not been assigned to any users in the last X months

- Roles which have obsolete t-codes in them, etc.

Regards,

Shailesh

0 Kudos

Hi Shailesh,

We can get the list of unused roles from SUIM -> Roles -> by user assignment, select "without user assignment" and execute.

Waiting to know more on this one!!!!

0 Kudos

> - Roles which have obsolete t-codes in it, etc

If the admins regularly used SU25 after each SP or upgrade, there shouldn't be such 'obsolete' t-codes contained in roles.

Nevertheless you can use the table content of PRGN_CORR2 to find 'outdated' t-codes.

b.rgds, Bernhard

0 Kudos

Hi Shailesh,

You can check the expired roles from table AGR_USERS.

Go to SE16 --> AGR_USERS.

It will help you in cleaning up the system.

Former Member
0 Kudos

Hi,

More often than not, when any security administrator creates a temp role directly in Production, they would have followed some kind of naming convention. So the first step would be to identify that and then run a report using SUIM to find all those temp roles. Once you have those you can take corrective action on them. Some validated systems would not let you delete even the temp roles from the system, so it would be better to understand the policy of the company.

Again using SUIM you can find the roles that have not been assigned to users by going to Roles by Complex Selection Criteria -> Selection according to User Assignment -> without user assignment. Again, what you do with those roles depends on whether they really are redundant or just something that nobody has now but there is a possibility of it being used in the future. Your best bet would be to talk to the person in the Business who also has an idea of how the roles have been configured functionality-wise.

Finding out redundant t-codes is more difficult than the others. If I have to find the t-codes, here are the steps I would take:

1. Find all the t-codes that exist in our custom Business or IT roles.

2. Look in the SM20 (Audit log) data or ST03N data for at least 3 months and see if they are being used at any time by any users, and mark a check if they are. If I still find t-codes that exist in our custom roles but have never been used in this time period, I will go to the functional or Business owner of the role where that t-code exists and ask for the reason for their existence.

Apart from these checks I would also do a check using SUIM that users have not been assigned SAP standard roles and profiles.

Former Member
0 Kudos

I would approach it the other way around: first clean up the role assignments and correct the naming conventions where required (this will have some teething problems for some users, and others might need to be weaned off their freedoms).

Then check the assignment in all logical systems (CUA or IdM makes this easier, but you can also do your own remote comparison if need be from a SolMan, as you will typically have all connections from there).

Then do a mass deletion (you will need to follow [SAP Note 313587|https://service.sap.com/sap/support/notes/313587], but protect the report well!)

Cheers,

Julius

0 Kudos

Hi

Before you delete unused roles, be sure to check that they aren't part of a set of derived roles - some may have been built to allow a set of org levels or release strategies etc., which were paid for by the requesting business unit.

Also, when checking for unassigned roles, the parent roles of derived roles may not be populated (depends on the concept per business) and never assigned. If you delete the parents using the program mentioned (I don't know if the usual process checks are still valid in that?) you'll have a bit of a mess on your hands, hence the recommendation to follow the SAP Note instructions carefully.

Any roles built directly in PRD will (or at least should, if not over-written manually) have a different profile name to those that have been created in DEV and transported - usually T-D for DEV and T-P for PRD at the beginning, so a SUIM search will find those, or just look for all changes to roles in PRD in SUIM. Anybody doing maintenance directly in PRD, hang your head in shame.
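A worked version of the checks discussed in this thread (roles with no currently valid user assignment, expired entries in AGR_USERS, t-codes in custom roles not seen in usage data for three months, and the derived-role caveat from the last reply), as an added example that is not from any of the posters. It runs over constructed extracts whose column names follow AGR_USERS, AGR_TCODES and AGR_DEFINE; every value and role name is made up, and PARENT_AGR from AGR_DEFINE is assumed to be the field that identifies parents of derived roles.

```python
from datetime import date, timedelta

# Constructed extracts (not real system data): column order follows the SAP
# tables AGR_USERS, AGR_DEFINE and AGR_TCODES, but all values are made up.
TODAY = date(2024, 6, 30)
AGR_USERS = [  # (AGR_NAME, UNAME, FROM_DAT, TO_DAT)
    ("Z_FI_AP_CLERK", "USER01", date(2022, 1, 1), date(9999, 12, 31)),
    ("Z_FI_AP_CLERK", "USER02", date(2021, 1, 1), date(2023, 3, 31)),   # expired
    ("Z_MM_BUYER_1000", "USER03", date(2023, 1, 1), date(9999, 12, 31)),
    ("Z_TMP_FIX_2023", "USER04", date(2023, 2, 1), date(2023, 2, 28)),  # expired temp role
]
AGR_DEFINE = [  # (AGR_NAME, PARENT_AGR); parent roles of derived roles carry no users
    ("Z_FI_AP_CLERK", ""), ("Z_MM_BUYER", ""), ("Z_MM_BUYER_1000", "Z_MM_BUYER"),
    ("Z_TMP_FIX_2023", ""), ("Z_SD_OLD_DISPLAY", ""),
]
AGR_TCODES = [  # (AGR_NAME, TCODE)
    ("Z_FI_AP_CLERK", "FB60"), ("Z_FI_AP_CLERK", "FBL1N"), ("Z_FI_AP_CLERK", "F110"),
    ("Z_MM_BUYER", "ME21N"), ("Z_MM_BUYER_1000", "ME21N"), ("Z_SD_OLD_DISPLAY", "VA03"),
]
TCODE_USAGE = [  # (TCODE, UNAME, DATE): constructed ST03N/SM20-style usage extract
    ("FB60", "USER01", date(2024, 6, 3)), ("FBL1N", "USER01", date(2024, 5, 14)),
    ("ME21N", "USER03", date(2024, 4, 2)),
]

def assignment_findings(today=TODAY):
    """Roles with no assignment valid today, split into deletion candidates and
    parents of derived roles (which legitimately have no users), plus expired
    AGR_USERS entries that could be removed."""
    parents = {p for _, p in AGR_DEFINE if p}
    active = {r for r, _, f, t in AGR_USERS if f <= today <= t}
    unassigned = {r for r, _ in AGR_DEFINE} - active
    expired = [(r, u, t) for r, u, _, t in AGR_USERS if t < today]
    return {"delete_candidates": sorted(unassigned - parents),
            "keep_parents": sorted(unassigned & parents),
            "expired_assignments": sorted(expired)}

def unused_tcodes(today=TODAY, months=3):
    """(role, t-code) pairs in custom Z* roles with no usage in the last N months."""
    since = today - timedelta(days=30 * months)
    used = {tc for tc, _, d in TCODE_USAGE if d >= since}
    return sorted((r, tc) for r, tc in AGR_TCODES
                  if r.startswith("Z") and tc not in used)

if __name__ == "__main__":
    print(assignment_findings())
    print(unused_tcodes())
```

Every hit is a question for the role's business owner, not an automatic deletion, as the replies above stress.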