User Termination Ideal Procedure.

Former Member
0 Kudos

Hi gurus,

Have come across various discussions and materials mentioning some of the user termination procedures, in case he leaves the organisation, retires or is relieved, as under:

1. Delete the user ID from SAP Directly.

2. Lock the user id and remove all the roles. Remove the ID later after some months.

Can you guys please highlight what the implications of following each of these methodologies are. Pointers are needed only with reference to best practice & user licensing and fees. That is:

a> What is the best practice and WHY?

b> What impact does it have on the user licensing costs? Do we still have to pay SAP for the locked and not used user?

Regards,

ApnaMitra.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

From a license perspective, if the account is locked and out of validity date (i.e. set their validity date to the day they leave) then the user will not be consuming a license and will not show in a license measurement.

A locked id, even without roles, will still be in validity date so would count as a user for licensing purposes.

I've seen some organisations do this and also put the user account into a LEAVERS user group, to make it easier to see active / inactive accounts without checking validity dates. It is, however, the locking and the invalid date that make the user be excluded from licensing. Removing the roles only really serves to give you an issue if the id has to be re-instated - do you go back through role requesting / approval again - or just reactivate the invalid and locked user id?

Once in the locked / invalid state the id can sit there for quite a while before you actually physically delete - but if the individual has completely left your organisation, no harm in then actually removing them. You might actually want to do this for users on long term absence (sickness, sabbaticals, maternity leave etc) to minimise effort in re-establishing access.

Audit sometimes have concerns over locked / invalid accounts sitting on a system with their roles still assigned to them, but as it would require someone to unlock and change the validity date to an active range, the risk of someone getting back in as a user that has left is low.

My organisation actively manages users on SAP, so accounts that have not actively used a system in the past 180 days get marked for deletion due to inactivity. Again we lock and make the validity date have expired, the benefit of this being if the user does then need re-instating we can just unlock and make valid again.

Users sit in this 'soft deletion' status for 2 months since last active, when we then physically delete them.

As our user ids match our network ids, if someone truly leaves and their network account is removed, all other accounts are also permanently deleted.

Does depend how big your user population is and your level of staffing changes - globally we have about 500 joiners / leavers each month and around 1,000 inactive users - but we do have some 55,000 SAP user ids.

Edited by: Chris Haigh on Jun 6, 2011 10:43 PM

11 REPLIES 11


0 Kudos

Hello Chris,

Thanks for sharing your detailed thoughts. This was really very good information. However, from an audit point of view or just to keep a record of what this particular user might have done in the system, what would be the actual time after the user has not used his/her account, would you physically delete their IDs from the system? Need to know this as there are certain transactions or I would say actions that might have been performed by the terminated user which might be needed by the business for a later period of time.

Please let me know if I have not made myself clear.

ApnaMitra.

0 Kudos

As long as the user ID itself is not key to the existence of the data, the impact of whether the user ID exists on the system or not is irrelevant. The reasons why a user ID might be kept on the system are, among other things, for audit purposes (which usually happen bi-annually but might vary sometimes) or, as Chris has mentioned, for user license purposes. But with a lot of clients, I have seen that we just lock the users, remove their role assignments, set an end validity date (for user licensing), and optionally assign the users to a leavers group. But yes, I had one client where inactive users were marked for deletion and locked down as well.

Regards,

Prashant

0 Kudos

Hello Prashant,

Thanks for sharing your thoughts. Well, to make it clearer for our discussion, I am actually discussing the scenario where the user ID itself is a key to the existence of the data. In this case when do we actually delete a user? Any thoughts on that.

On the licensing part, Chris I guess has already made it a lot clearer by saying that it's just the valid-to date which matters.

regards,

ApnaMitra

0 Kudos

Hello,

Well, where the user ID is key.... the ID should be kept until the process has come full circle, i.e. it has come to its logical end. If you understand data archiving you would know that data cannot be archived where it is linked to a process which is still not complete / open.

I am assuming of course that there would be a time frame after which the data "has come full circle" and does not require the user ID anymore. Can you give an example where the user ID is key though?

Regards,

Prashant

0 Kudos

I have seen systems where user ids are never 'deleted' they are just termed. Put into a terminated user group, roles removed, validity set to end date and user account locked.

The issue in setting a time period for deletion is that some history which has the user id as key may have a very different life cycle (in terms of archiving). So it will be difficult to arrive at one common point after which all locked/termed user ids on the system will be deleted.

So I recommend not removing the user accounts at all. This ensures a complete history/record of all actions. And I do not think there is any audit implication in keeping user accounts that way.

Soumya

0 Kudos

Hi All,

So can I conclude that it would be best to have the validity & roles removed and the user locked for, say, 1 year after the termination, as against the deletion of the user ID on termination? Please share your thoughts in case you wish to differ.

ApnaMitra.

Hi,

I would advise the following:

1. Lock the ID on termination date.

2. Put the Validity end to be the same as termination date.

3. Remove all the roles from the ID on termination date.

4. Agree with business as to what should be the cut off time to delete the users from the system without it being referenced for any activity performed by him.

This should work for you.

Regards,

Hersh.
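The rules the thread agrees on (lock plus an expired validity date takes the id out of the license count while a lock alone does not; roles come off; the id is parked in a LEAVERS group; inactive ids are soft-deleted after 180 days and physically deleted about two months later; a soft-deleted id can simply be reinstated) can be written down as a small decision model. The Python below is an added illustration, not SAP code and not from any poster; the `SapUser` record, the `LEAVERS` group name and the day counts are assumptions taken from the thread.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

NEVER_EXPIRES = date(9999, 12, 31)  # assumed "open" valid-to value

@dataclass
class SapUser:
    """Constructed model of the user-master fields the thread talks about."""
    user_id: str
    valid_to: date = NEVER_EXPIRES
    locked: bool = False
    roles: set = field(default_factory=set)
    user_group: str = "STAFF"
    last_logon: Optional[date] = None
    marked_for_deletion: Optional[date] = None  # date of the soft delete

def is_license_countable(user: SapUser, measurement_date: date) -> bool:
    # Thread's rule: the lock flag is irrelevant; only an expired
    # validity date removes the id from the license measurement.
    return user.valid_to >= measurement_date

def terminate(user: SapUser, termination_date: date) -> SapUser:
    # Hersh's steps 1-3 plus the LEAVERS group Chris describes; reversible.
    user.locked = True
    user.valid_to = termination_date
    user.roles.clear()
    user.user_group = "LEAVERS"
    user.marked_for_deletion = termination_date
    return user

def reinstate(user: SapUser) -> SapUser:
    # Unlock and make valid again; roles must be re-requested separately.
    user.locked = False
    user.valid_to = NEVER_EXPIRES
    user.user_group = "STAFF"
    user.marked_for_deletion = None
    return user

def process_inactivity(user: SapUser, today: date,
                       inactive_days: int = 180, soft_delete_days: int = 60) -> str:
    """Return the housekeeping action for one id: 'none', 'soft_delete' or 'delete'."""
    if user.marked_for_deletion is not None:
        # Already soft-deleted: physically delete once the grace period has passed.
        if today >= user.marked_for_deletion + timedelta(days=soft_delete_days):
            return "delete"
        return "none"
    if user.last_logon is None or (today - user.last_logon).days >= inactive_days:
        terminate(user, today)  # lock + expire validity, still reversible
        return "soft_delete"
    return "none"
```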

Former Member
0 Kudos

One thing to keep in mind is the uniqueness of the user id scheme. If your user ids are not suitably unique and there is the possibility that an id would be re-used by a completely different person, you need to ensure that the information contained in the id is updated if used again.

0 Kudos

Melissa is correct!

Users could re-assume a lot of things (variants, spools, workitems, change documents, queries, transport requests, etc etc) if you do not keep them unique over time.

Cheers,

Julius

0 Kudos

> Users could re-assume a lot of things (variants, spools, workitems, change documents, queries, transport requests, etc etc) if you do not keep them unique over time.

> Julius

which brings a lot of trouble when you are using compensating controls for some of your SoDs and you have to sort out afterwards in which timeframe a userid was used by which user.

Cheers

Jörg