01-13-2011 9:25 AM
Hi Experts,
The organization that I've recently joined DELETES user IDs from the Production client if they have not been used for more than a certain period. I'm not very comfortable with their action, as the history of the access given will be gone as well. The justification that I've got from the support team is that their organization is huge and they need to keep the user IDs 'clean'.
I'm not sure if this is OK, and I would appreciate your advice or if you could share your experience on the above matter. Thanks much.
01-13-2011 9:57 AM
Hi,
It makes sense to delete inactive/unused user IDs from production systems, which would otherwise incur unnecessary license fees for the company (if not properly deactivated via user locking/end-dating etc.) or even consume system resources if the user base is huge. In our company, it is one of the mandatory security policies to delete inactive as well as terminated/offboarded/retired users' IDs from the system.
"I'm not very comfortable with their action as the history of the access given will be gone as well"
Even if the user ID is deleted, you can find the entire change history for that user via reports RSUSR100 (change history for user IDs) and RSSCD100_PFCG (change history of role assignments to user IDs).
If it's your HR system, remember that deletion of a user ID delimits the corresponding IT0105 subtype 0001 entry for that user as well (via a function module in the SU01 program, if I remember correctly). So make sure the delimited IT0105 won't disrupt anything in your system after deletion of the ID (in case it's connected to MDM, etc.).
Some companies also choose to retain unused/inactive user IDs for easier audit trails, but in such cases important measures like the ones below have to be taken:
1. Lock User ID
2. Valid through date set to current date
3. Remove all roles
4. Assign to a user group that identifies the user as Inactive/Expired/Terminated etc.
If such procedures are followed, there is no license cost incurred, since non-valid users are not considered for license calculations. But it depends on the company's security policy which method they adopt to monitor and deactivate unused user IDs.
Hope this helps!
Sandipan
06-29-2011 6:01 AM
Hi,
Please guide me on this procedure. We are using BI7 and we have more than 5 thousand users, and we plan to clean up the users who are inactive/unused.
Please tell me how to find out the list of users. I searched by logon date for users who have not logged on for 2 months, but we have deactivated the password because they log in through the portal backend. So please guide me on how I need to pull out the report in this situation.
Thanks,
VKP.
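The selection VKP is asking for, and the four-step lock/delimit/remove-roles/regroup deactivation Sandipan lists above, as an added example that is not code from the thread or from SAP: a Python script run over a constructed extract of USR02 (logon data) and a role-assignment map in the spirit of AGR_USERS. Assumptions made here and not taken from the thread: the retired user group is named INACTIVE, the idle threshold is 60 days, CODVN 'X' is treated as the deactivated-password marker, and every row of sample data is constructed. The selection keys off the last logon date (TRDAT) only, so users with a deactivated password are reviewed like everyone else rather than dropped from the list.

```python
"""Inactive-user review and lock/delimit plan over a constructed USR02 extract.

Added example, not code from the thread. Field names follow USR02 (logon data);
role assignments are a simplified view of AGR_USERS. All rows are constructed.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# USR02-UFLAG lock bits.
LOCK_CUA = 32        # locked centrally by the CUA administrator
LOCK_ADMIN = 64      # locked by the local administrator (SU01 "Lock")
LOCK_WRONG_PW = 128  # locked after too many failed logons (not an admin decision)
ADMIN_LOCKS = LOCK_CUA | LOCK_ADMIN

RETIRED_GROUP = "INACTIVE"  # assumed name of the user group for retired IDs
UNLIMITED = "00000000"      # SAP date field value for "never" / "unlimited"


@dataclass(frozen=True)
class Usr02Row:
    bname: str   # user ID
    ustyp: str   # A dialog, B system, C communication, S service, L reference
    trdat: str   # last logon date YYYYMMDD, 00000000 = never logged on
    uflag: int   # lock status bits
    gltgb: str   # valid-to date YYYYMMDD, 00000000 = unlimited
    klass: str   # user group (USR02-CLASS)
    codvn: str   # password code version; 'X' = password deactivated (assumed marker)


def sap_date(s: str) -> Optional[date]:
    """Convert a YYYYMMDD field to a date; initial values become None."""
    if not s or s == UNLIMITED:
        return None
    return date(int(s[:4]), int(s[4:6]), int(s[6:8]))


def is_retired(u: Usr02Row, as_of: date) -> bool:
    """True when the ID already meets the lock / delimit / retired-group checklist."""
    valid_to = sap_date(u.gltgb)
    return ((u.uflag & ADMIN_LOCKS) != 0
            and valid_to is not None and valid_to <= as_of
            and u.klass == RETIRED_GROUP)


def find_inactive(rows: List[Usr02Row], as_of: date, max_idle_days: int) -> Dict[str, List[str]]:
    """Select IDs by last logon only. Password state (CODVN) is deliberately ignored,
    so portal/SSO users with a deactivated password are still reviewed."""
    cutoff = as_of - timedelta(days=max_idle_days)
    out: Dict[str, List[str]] = {"dialog": [], "technical": [], "already_retired": []}
    for u in rows:
        last = sap_date(u.trdat)
        if last is not None and last >= cutoff:
            continue  # logged on recently enough
        if is_retired(u, as_of):
            out["already_retired"].append(u.bname)
        elif u.ustyp == "A":
            out["dialog"].append(u.bname)
        else:
            # System/communication/service users run jobs and interfaces; never
            # bulk-retire them on a logon-date rule (Julius's batch-job point).
            out["technical"].append(u.bname)
    return out


def retire(u: Usr02Row, roles: Dict[str, List[str]], as_of: date) -> Tuple[Usr02Row, List[str]]:
    """The four steps: lock, set valid-to to today, remove all roles, move to the
    retired group. Returns the row as it should look afterwards plus the removed roles.
    Note: a wrong-password lock (128) is kept; the admin lock (64) is added on top."""
    locked = replace(u, uflag=u.uflag | LOCK_ADMIN,
                     gltgb=as_of.strftime("%Y%m%d"),
                     klass=RETIRED_GROUP)
    removed = roles.pop(u.bname, [])
    return locked, removed


def retirement_plan(rows: List[Usr02Row], roles: Dict[str, List[str]],
                    as_of: date, max_idle_days: int):
    """Retire every inactive dialog user; technical users are only reported.
    Returns (selection, {bname: (new_row, removed_roles)}, remaining_roles)."""
    remaining = {k: list(v) for k, v in roles.items()}  # do not mutate the input
    found = find_inactive(rows, as_of, max_idle_days)
    by_name = {u.bname: u for u in rows}
    retired = {}
    for name in found["dialog"]:
        new_row, removed = retire(by_name[name], remaining, as_of)
        if not is_retired(new_row, as_of):
            raise RuntimeError(f"{name} does not meet the checklist after retire()")
        retired[name] = (new_row, removed)
    return found, retired, remaining


# Constructed sample data; the review date mirrors VKP's post date.
AS_OF = date(2011, 6, 29)
SAMPLE_USR02 = [
    Usr02Row("JSMITH",   "A", "20110620", 0,             UNLIMITED,  "USERS",    ""),
    Usr02Row("PORTAL1",  "A", "20110301", 0,             UNLIMITED,  "USERS",    "X"),
    Usr02Row("NEVER01",  "A", UNLIMITED,  0,             UNLIMITED,  "USERS",    ""),
    Usr02Row("LOCKED1",  "A", "20110101", LOCK_WRONG_PW, UNLIMITED,  "USERS",    ""),
    Usr02Row("BATCHJOB", "B", "20110101", 0,             UNLIMITED,  "SYSTEM",   ""),
    Usr02Row("OLDUSER",  "A", "20100101", LOCK_ADMIN,    "20100615", "INACTIVE", ""),
]
SAMPLE_ROLES = {
    "JSMITH": ["Z_BI_REPORTING"],
    "PORTAL1": ["Z_PORTAL_USER", "Z_BI_REPORTING"],
    "BATCHJOB": ["Z_BATCH_LOAD"],
}

if __name__ == "__main__":
    found, retired, remaining = retirement_plan(SAMPLE_USR02, SAMPLE_ROLES, AS_OF, 60)
    print("inactive dialog users:", found["dialog"])
    print("technical users to review by hand:", found["technical"])
    for name, (row, removed) in retired.items():
        print(f"{name}: UFLAG={row.uflag} GLTGB={row.gltgb} CLASS={row.klass} removed={removed}")
```

The output is a plan, not an applied change: in a real system the rows would come from an SE16/RSUSR200-style extract, and the lock, validity date, role removal and group change would be applied through the normal user administration transactions so that RSUSR100 and RSSCD100_PFCG record who did it and when. Because the ID stays on the system, the plan is reversible in the way Julius describes, which a deletion is not.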
01-13-2011 10:40 AM
As Sandipan said, the change history is not removed, nor the logs of activities performed with that ID. Even with the eventual re-use of ID's your provisioning process should retain enough data to be able to identify the "actual person" using the particular ID at a specific point of time.
01-13-2011 12:56 PM
Pardon my intrusion with a question in mind regarding this activity. When we recreate a user ID, sometimes I see the message "adopt old office data" (or something like that). What is it, and in which table does this data get stored?
Again, sorry for asking a question in another thread.
Regards,
Arpan Paik
01-13-2011 5:04 PM
Hi Arpan,
The message "Old SAPoffice data found for this user name" pops up when the user name entered for creation is found in SAPoffice address data tables like ADR7, USR21, ADRP, etc. If the administrator clicks the 'Yes' option in the pop-up message, the already existing address data for that user is fetched from those tables and populated in the address tab of SU01.
You can run an ST05 (SQL) trace to find the entire list of tables that are searched during this step.
Thanks
Sandipan
01-13-2011 5:25 PM
This popup does not appear if you are running the "clean up" reports to remove inconsistent and "orphaned" data in the user management.
Locking the user and moving them to a "retired" group is the best practice. They are not included in the licensing. The same goes for validity dates.
There are many advantages to this. E.g. when batch jobs start dumping, you typically want to be able to unlock it quickly again...
Cheers,
Julius
01-13-2011 5:38 PM
I hear that as of Release 6.10, the SUSR_SAP_OFFICE_BUFFER_CLEAR function module can be used to delete the SAPoffice address data buffer for deleted users. Is there any other method as well, Julius?
Sorry for asking all these questions in this thread... just curious.
Thanks
Sandipan
01-14-2011 1:36 PM
Thanks to both of you for sharing the info.
Julius wrote:
"There are many advantages to this. E.g. when batch jobs start dumping, you typically want to be able to unlock it quickly again..."
Does this mean that a user ID for a retired person is used in times of emergency? How will audit see this? And moreover, as the ID is being used, why wouldn't SAP charge for the same? It may be misused (my perception only; I know all the people out there are very honest).
Regards,
Arpan Paik
01-14-2011 4:14 PM
Of course I am not saying you should make that possible! That is what user groups are for...
@Sandipan: do a where-used list on the function modules and take a look at the other reports in package SUSR. Also do a where-used list on those programs and scan for external calls of the forms. Also, have fun trying to find them all...
Cheers,
Julius
01-17-2011 8:07 AM
Hi All,
Thanks for all your advice and feedback, which cleared my curiosity and doubts about deleting unused IDs in the Production client instead of locking and delimiting them, like I used to do in my previous company. I guess the company chose to get rid of those IDs for a cleaner list.
Again, a million thanks to everyone.
01-17-2011 3:50 PM
Though the question has been answered, I would still like to advise you about one issue that we faced when we used to delete user IDs.
We got a few inquiries from the business about the name of the user who, say, created an order or released some kind of hold, and from the deleted user ID it was hard to find the first name and last name of the user.
Though there is a way to do it by using table ADR7 (getting the addrnumber and persnumber fields) and then using function module ADDR_PERS_COMP_GET_COMPLETE.
01-17-2011 5:38 PM
Somewhat off topic... I don't think you can expect administration of a system to be performed using the test environment of function modules, and it is always best to remove that access completely from everyone other than developers in development systems.
Particularly doing that just because you are unnecessarily deleting users is a bit silly.
Cheers,
Julius
01-17-2011 6:27 PM
Yep... I agree. In Production, security administrators should not have access to t-codes like SE37.
It was just to inform the OP that there is still a way if that happens and he goes the way of deleting the user IDs from the system...