Application Development Discussions

Pick up file and remove roles/profiles for the specified IDs

chris_hall2
Participant
0 Kudos

I am wondering if the following would be possible.

I want to dump a CSV file containing user IDs that are no longer required on a daily basis on a server. Would it be possible to write a program to go out and retrieve that file and, wherever there is a match on IDs, remove all roles and profiles associated with that user and change the user group?

Sounds very simple from a theoretical standpoint, but I'm not sure of its true feasibility. I'm not looking for any coding, just to know whether it could be done. Any help would be great.

15 REPLIES

Former Member
0 Kudos

Very easy but potentially very dangerous...

How hardened is that server and are the file shares open for SAP to access it?

Cheers,

Julius

0 Kudos

Thanks Julius and everyone else.

Do you mean how secure is the server?

We currently receive an extract from our Oracle HR system and manually go through our 40 systems/clients. This is very time consuming especially when we are looking at 50+ users per day that need to be removed.

0 Kudos

Okay, so instead of having the file on your PC and manually entering changes... you want to save the file on a server and SAP should open it and write to it from a program while you are at home fast asleep.

How safe is the server where the file is located and who can access that file from SAP or from within the network?

Cheers,

Julius

0 Kudos

At this point no server has been selected as this is very preliminary and a fresh idea. We are moving away from manual service and installing BO GRC. With having limited resources in the future to process tickets, this was just one thought. With today's process, IDs in our production environments do tend to get removed as this is the top priority, but the development and QA clients are hit and miss, which is a big issue. Our HR data is on a secure server where the Oracle resides; maybe we put the file on this server.

It comes across sounding very lazy, just being home asleep. By no means am I trying to be lazy or have a lazy team, but I do want accurate data and it is imperative to have only those still with the company having IDs in the system.

How do other companies handle high employee turnover rates and are held to SOX requirements? I've talked to some individuals and they just do monthly cleanup activities, but they are not held to any external audits. I do realize one of the biggest challenges is having so many clients/environments.

0 Kudos

By "sleep" I meant "peace of mind".

Automation is a good thing, even unavoidable, and the way to go! It also gives you more time to attend to other security tasks.

No belittlement of your efforts was meant at all. I will add a smiley next time.

Cheers,

Julius

0 Kudos

Ok thanks Julius, hard to read into things when there is no emotion with text.

0 Kudos

Guys,

it shouldn't be that hard to improve this process to minimize the risk that somebody creates a fake file. One of the ways is to use crypto. You can generate a certificate and sign each file. Only properly signed files will be processed. PKCS#7 is a format which is supported by SAP. SAP would need to have only the public key to verify the signature.

Cheers

0 Kudos

Hi Martin,

Very true, but infrastructure folks might not want to manage certificates and OS users (good tip for Chris to check on...)

Open file shares are out there "in the wild" - which is what I wanted to warn against (in addition to the application authorizations within SAP to run this "interface").

If it is running as a job, then a check on system field sy-batch = 'X' is useful, but blunt and only for the online execution.

Personally I have used an (inaccessible) timestamp execution scheme for such things in DB tables not accessible to the application transactions before. Have not been able to hack it myself, but tried hard...

But if the file shares are open or the password is in clear text (in a script, .properties type file, ABAP text, network traffic, etc.) then I would not class it as secure.

Such "identity management" stuff, particularly when you want to integrate it with HR events, is best taken care of centrally in an "identity store" which you can secure and encrypt etc. centrally.

Local batch jobs accessing servers and registering / starting external programs and vice versa to transfer files etc. is decentralized spaghetti coding and a security nightmare... ;-(

Cheers,

Julius

Former Member
0 Kudos

Hi Chris

This should be available in SUIM

Users / by last logon (or similar - working from memory)

It will show you when the user last logged on/not used etc. You can set up some variants to give a better listing or get a developer to produce an auto-locking program for you, but watch out for users who use portals which (I think) don't trigger a logon event. And avoid non-dialog users...

There's probably shed loads if searched as this is a common admin function to keep the system clean.

Cheers

David

mvoros
Active Contributor
0 Kudos

Yes, feasible. Check [API documentation|http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/668e6629-0701-0010-7ca0-994cb7dec5a3] for more info. Check sections 1.4.3, 1.4.8 and 1.4.9.

Cheers

Former Member
0 Kudos

Hi Chris,

As mentioned by the other experts, it is not recommended to automate this process. However, alternatively you can create an eCATT script to delete the user IDs and run it every day. Creation of the eCATT script is a one-time task and you just need to update the variant file every day, which may require a few minutes to delete the IDs. This way, you can track which user is executing the script and also restrict the authorization to a specific user.

Hope this helps!!

Warm Regards,

Raghu

Former Member
0 Kudos

Any program that deletes from tables directly is not recommended...

Many side effects... the change log is not maintained, ...

Best you use eCATT... as recommended earlier...

regards,

Surpreet

0 Kudos

No one is wanting to delete anything from a table here... but yes, otherwise it would be true and should not be done --> there are BAPIs for the user management.

Cheers,

Julius
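An added example, not code from the thread or from SAP: a hypothetical ABAP report that implements the job the original question asks for through the user-management BAPIs Julius refers to, with the sy-batch guard from his earlier reply. It assumes the CSV sits on the application server at the path in p_file with one user ID per line, and the leavers group name in p_group is a placeholder.

```abap
REPORT zdeprov_from_file.
" Hypothetical program; the CSV is assumed to hold one user ID per line.
PARAMETERS: p_file  TYPE localfile DEFAULT '/usr/sap/trans/deprov/users.csv' LOWER CASE,
            p_group TYPE xuclass   DEFAULT 'LEAVERS'.
DATA: lv_line    TYPE string,
      lv_user    TYPE xubname,
      ls_logond  TYPE bapilogond,
      ls_logondx TYPE bapilogonx,
      lt_return  TYPE bapiret2_t.

START-OF-SELECTION.
  " Guard from the thread: refuse online execution, run only as a scheduled job.
  IF sy-batch <> 'X'.
    MESSAGE 'Run as a background job only' TYPE 'E'.
  ENDIF.
  " Read from the application server (S_DATASET/S_PATH limit the job user's paths).
  OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-subrc <> 0.
    MESSAGE 'Cannot open input file' TYPE 'E'.
  ENDIF.
  DO.
    READ DATASET p_file INTO lv_line.
    IF sy-subrc <> 0.
      EXIT.                                   " end of file
    ENDIF.
    lv_user = to_upper( condense( lv_line ) ).
    CHECK lv_user IS NOT INITIAL.             " skip blank lines
    " Remove all roles, then all profiles, then move the ID to the leavers group.
    CALL FUNCTION 'BAPI_USER_ACTGROUPS_DELETE' EXPORTING username = lv_user TABLES return = lt_return.
    PERFORM log_errors USING lv_user CHANGING lt_return.
    CALL FUNCTION 'BAPI_USER_PROFILES_DELETE' EXPORTING username = lv_user TABLES return = lt_return.
    PERFORM log_errors USING lv_user CHANGING lt_return.
    ls_logond-class  = p_group.
    ls_logondx-class = 'X'.                   " change only the group field
    CALL FUNCTION 'BAPI_USER_CHANGE'
      EXPORTING username   = lv_user
                logondata  = ls_logond
                logondatax = ls_logondx
      TABLES    return     = lt_return.
    PERFORM log_errors USING lv_user CHANGING lt_return.
  ENDDO.
  CLOSE DATASET p_file.

FORM log_errors USING iv_user TYPE xubname CHANGING ct_return TYPE bapiret2_t.
  " Write BAPI errors to the spool list so a reviewer sees which IDs were skipped.
  FIELD-SYMBOLS <ls_ret> TYPE bapiret2.
  LOOP AT ct_return ASSIGNING <ls_ret> WHERE type CA 'EAX'.
    WRITE: / iv_user, <ls_ret>-message.
  ENDLOOP.
  CLEAR ct_return.                            " do not re-log the previous call's messages
ENDFORM.
```

The BAPIs enforce the job user's S_USER_GRP and S_USER_PRO authorizations, so the step-user needs only the groups and profiles it is meant to touch; the file's origin still has to be secured as the rest of the thread discusses.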

0 Kudos

Thank you everyone for the great information.

0 Kudos

Hmm... your points choice (as indicator) seems to favour the API info, but your original question was different.

How are you going to secure the source of the automation in the ABAP? The ABAP is the easy part thanks to APIs.

Cheers,

Julius