
Remove invalid entries from GRACUSER

Former Member
0 Kudos

Dear Colleagues

I'm trying to remove user data for invalid connectors from the tables GRACUSER, GRACUSERCONN, GRACUSERROLE. To populate these tables is very easy, but to remove invalid entries is somehow mission impossible. Sorry for the impressive terms.

The names of the connectors have changed many times in the past. Now we have some invalid entries, which have an impact on other processes (SOD, extension and termination).

My idea was to activate an old connector and change the target host to any SAP system with fewer users; the 000 client is a good example. Nothing happened, the sync didn't work.

I tried to create a new user in this system and the user was added in the GRACUSER* tables.

After I deleted this user again from the backend, the user is still in the sync tables.

::sync log::

Sync successful for connector P01_020 and total count: 24

Sync completed for connector P01_020

User sync successfully executed

Sync successful for connector P01_020

Repository Object sync job successful

::sync log::

I have still over 800 users for the connector P01_020 in the table GRACUSERCONN.

Thank you for any suggestions.

Daniel

Accepted Solutions (1)

Former Member
0 Kudos

Hi Daniel,

Before you delete the connector, you can delete the information of users and roles in the following path:

SPRO>AC>...>Access Risk Analysis> SoD rule > Delete Sod Rule

There you put the connector and check "delete sync data for physical system".

It will delete the entries in the tables that you mentioned if the connector still exists.

Hope it helps

regards,

Former Member
0 Kudos

Hi Claudio,

this is exactly what I was looking for. The name of the program, GRAC_DELETE_ACCESS_RULES, is a little bit confusing, but it deletes the data from all tables I was interested in:

GRACUSER

GRACUSERCONN

GRACUSERROLE

GRACUSERPROFILE

.. and 30 more.

Thank you

Kind regards

Daniel

Answers (3)

Former Member
0 Kudos

Thanks both for the quick answer.

The sync jobs were run in the full sync for the connector.

We are on support pack 11:

SAPK-V1011INGRCFNDA

SAPK-10311INGRCPINW  

There are also the last implemented notes:

0001785439 Performance improvement of User Sync

0001864423 Repository sync is not updating the GRACUSER table properly

0001873361 Performance issue with GRAC_REPOSITORY_OBJECT_SYNC

When I ran the SOD last time (including deactivated and locked users), I saw some users without any status; they never existed in this connector. I’ve checked some users with ‘no violation’. There is no history for 19 of 272 users (statistical sample) in the backend (they didn’t exist).

Former Member
0 Kudos

Hi Daniel

Have a look at the following SAP Notes 1676255, 1819493, 1803158.

They have to do with deleting data for a specific connector, or all connectors.

Regards

Ferdie

dyaryura
Active Participant
0 Kudos

Hello Daniel,

Have you configured data sources? 1960721 - Search Data Sources in GRC

We have a similar issue but with Legacy Connectors; in such a case there's a special procedure to delete users. Even if you perform a full sync, the users are not deleted.

If you are in a DEV/TEST system you might try cleaning up the tables using SE14, for example. I tried such an option once after deleting the SoD rules in a DEV system and we still had an entry in one of the tables that was impossible to delete via the programs.

Definitely that's not a recommended procedure, but for test systems where you've tried and tested many things, sometimes it is the only way to fully clean the tables. For a production system it is not an option, at least if you don't have a SAP recommendation to do that...

Cheers,

Diego.

Colleen
Advisor
0 Kudos

Hi

Did you run full sync? And, do the tables contain the user but have them flagged as deleted?

Also, are you able to check SE38 to see if there might be a GRAC*DELETE* program of some type? I thought I saw a thread a while back that there was a deletion program (or 5.3 had something). Possibly there might be a way to remove the data if the connector is no longer required.

Where the connector is still in use, the tables should keep the user for historical purposes and flag as deleted.

What is being impacted for SOD/etc with this connector?

Regards

Colleen

Former Member
0 Kudos

Dear Colleen

Yes, the analysis ran in Full-Sync mode. I couldn't find any program to delete old data.

Is there some technical specification, how the Sync should work? What the tables should contain? I’m asking because after applying some SAP notes we have duplicates, triplicates, etc. in GRACUSER now.

Since we don’t have CUA in place, this should be our source for identification in which systems the user exists. For example I see some users in 000 client, which were accidentally created there in the past and removed again. But they will probably stay in the GRACUSERCONN table for ever. The column status doesn’t contain any value at all.

The information ‘updated on’ in GRACUSER doesn’t say for which connectors the user has been updated. This information would be helpful also in the table GRACUSERCONN.

Thank you

Regards

Daniel

alessandr0
Active Contributor
0 Kudos

Dear Daniel,

if you run the jobs with "Full" sync mode, all old entries should be deleted. In my environment it is working fine (I am on SP13).

Did you run with FULL or INCREMENTAL?

Best regards,

Alessandro

Former Member
0 Kudos

Hi Alessandro,

thanks for your reply. We are on SP 11. The analysis ran in Full-Sync mode. After implementation of the notes from the last post, the table GRACUSER contains some IDs 2 times, 3 times, 4 times .. up to user in connectors. Nice.

Regards

Daniel