Mass role removal

Former Member
0 Kudos

Hi all,

We have a new requirement to remove ALL roles from users in group TERMINATED.

I have used SU10 in the past to remove a specific role X from a group of users. But I cannot seem to simply remove all roles from every user in the group. Is there a way to do this without using ECATT?

There are about 2200 users in the group, as it was not previously maintained, and I would rather not do this manually if I can avoid it.

Thanks

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi

Run SUIM to give you a list of the user IDs in the TERMINATED user group.

Record LSMW - you'll need to create a project/sub-project/object and then go to recordings, running tcode SU01, enter one user ID, go to the roles tab, select all roles icon and save.

That will end your LSMW recording.

Check the variables in the recording - all you need is the user ID - make sure you remove the default tested user ID or all you'll get will be a recording that does nothing but delete nothing from the same user.

Create a .txt file with another of the user IDs from the user group (barring the one you just changed) and save it somewhere easy to find.

Go back to your LSMW project and maintain each of the steps up to specify files - you'll need to browse for the saved .txt file and also change the delimiter section to tabular.

Assign the files and work your way through the next steps until you generate a batch input session, run the batch input in foreground and step through the recording you are now running for real. Make damned sure it does only what you expected it to do!

If the trial one works then maybe try a couple more until you feel confident before going for the big one.

Oh - and don't forget to check that you aren't in the TERMINATED user group or you'll lose your access during the LSMW script. That bit is embarrassing but renaming 670 users to Theresa is worse (I did that once because I forgot to remove the default entry in the recording).

8 REPLIES 8

jurjen_heeck
Active Contributor
0 Kudos

I think that for this specific requirement SU01 may even be better. If I recall correctly that one has a 'select all' button on the roles tab which will allow you to delete them in one go per user regardless of the number of roles assigned.

0 Kudos

Correct. I have done this for a few users. However, I must choose each user individually in SU01. There are 2200+ users.

Trying to avoid doing this same process thousands of times in a row.

0 Kudos

> Correct. I have done this for a few users. However, I must choose each user individually in SU01. There are 2200+ users.

That's where ECATT comes into play. There are some other forums and blogs covering that topic. It isn't bound to security. I made my remark because when manipulating users with ECATT, SU10 is often the tool of choice. This is one exception to that rule.

0 Kudos

Thanks Jurjen and David for your answers!

This helped quite a bit. I will look into automating this process using your advice.

0 Kudos

Hi Ben

Most welcome, SU10 will work if you want to selectively remove some of the users' roles - just make sure the from and to dates are out of the ranges that users have but it's a slower recording than the SU01 full blast. It does allow you to make mass changes to users though.

Something to consider if you want to cover yourself in case it doesn't work as expected is to create a set of reference user (use type reference) IDs temporarily copied from the users, named say ZREF00001 - one for each of the proposed TERMINATED users, keep a .txt file of the real ID and their reference user ID.

The file should look like this

BERRY.D ZREF00001

JONES.A ZREF00002 and so on.

If, after deleting the roles from the terminated users, you receive no complaints for a few days then just delete the reference users, if you do get a complaint then add their reference user ID on their role tab and save. This will give you time to check what went wrong and restore their access.

But do delete those reference users as soon as possible...

Edited - One quick thought - if the users are in the TERMINATED user group due to inactive logons, then do check that they aren't using a non-R3 system (ESS or something similar I think) rather than being a full-blooded user. I'm sure they don't 'appear' on the last logon SUIM reports but I may be wrong - edited

Edited by: David Berry on Sep 22, 2010 7:31 PM

0 Kudos

Also don't forget to check that they are not immortalized in jobsteps (table tbtcp).

Anyway, during projects there are often "wait times" and you can fill this gap for 2200 minutes. It is completely stress-free and you get to know some of the old users, look at their code, check them for sy-uname constructs if xubname was used for the field, etc.

That will take you about one day but you will learn a lot about the system, and I assume there is no hurry for this requirement.

Cheers,

Julius

Edited by: Julius Bussche on Sep 22, 2010 8:20 PM
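
The file preparation the replies above describe, as an added example that is not code from any poster: it turns the SUIM export into the tab-delimited LSMW input, holds back the operator's own ID, the ID used for the recording and any job step users from TBTCP, and writes the real-ID-to-reference-user file in the `BERRY.D ZREF00001` layout. The function names and all sample IDs are constructed for illustration.

```python
import csv
import io

# Constructed sample data, not from the thread's system.
SUIM_EXPORT = ["BERRY.D", "jones.a ", "SMITH.B", "JONES.A", "ADMIN.BEN", "BATCH.OLD", ""]
OPERATOR = "ADMIN.BEN"      # hypothetical ID running the batch input
PILOTS = ["SMITH.B"]        # hypothetical ID used for the recording
JOB_USERS = ["BATCH.OLD"]   # hypothetical step user found in TBTCP


def build_lsmw_inputs(group_users, operator_id, pilot_ids=(), job_step_users=()):
    """Split the group list into IDs to process and IDs held back for review."""
    def norm(user_id):
        return user_id.strip().upper()

    skip = {norm(operator_id)} | {norm(u) for u in pilot_ids}
    jobs = {norm(u) for u in job_step_users}
    seen, todo, held_back = set(), [], []
    for raw in group_users:
        uid = norm(raw)
        if not uid or uid in seen:      # blank line or duplicate row
            continue
        seen.add(uid)
        if uid in skip:
            held_back.append((uid, "operator or pilot user"))
        elif uid in jobs:
            held_back.append((uid, "job step user"))
        else:
            todo.append(uid)
    # One temporary reference user per processed ID, as in the BERRY.D example.
    mapping = [(uid, f"ZREF{n:05d}") for n, uid in enumerate(todo, start=1)]
    return todo, held_back, mapping


def to_tab_file(rows):
    """Render rows as tab-delimited text for the LSMW 'specify files' step."""
    buf = io.StringIO()
    csv.writer(buf, delimiter="\t", lineterminator="\n").writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    todo, held_back, mapping = build_lsmw_inputs(SUIM_EXPORT, OPERATOR, PILOTS, JOB_USERS)
    print(to_tab_file([[u] for u in todo]), end="")
    print(to_tab_file(mapping), end="")
    for uid, reason in held_back:
        print(f"held back: {uid} ({reason})")
```

Review the held-back list by hand before the full run; nothing in it reaches the batch input file.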

Former Member
0 Kudos

Thanks guys for following up.

No, there is no rushed requirement, as no one maintained this for quite some time. (Hence the backlog of 2200 term'd users with roles, heh.)

I will be checking the table to ensure none of the users were used in job steps. Good advice.

I actually want to use this as an opportunity to familiarize myself more with ecatt, but if I'm unsure after my test runs I will probably utilize that "free time" to do it manually.