on 02-23-2014 10:00 PM
Dear Colleagues
I'm trying to remove user data for invalid connectors from the tables GRACUSER, GRACUSERCONN, GRACUSERROLE. To populate these tables is very easy, but to remove invalid entries is somehow mission impossible. Sorry for the impressive terms.
The names of the connectors have changed many times in the past. Now we have some invalid entries, which have impact on other processes (SOD, extension and termination).
My idea was to activate an old connector and change the target host to any SAP system with fewer users, the 000 client is good example. Nothing happened, the sync didn't work.
I tried to create new user in this system and the user was added in the GRACGRACUSER* tables.
After I have deleted this user again form the backend the user is still in the sync-tables.
::sync log::
Sync successful for connector P01_020 and total count: 24
Sync completed for connector P01_020
User sync successfully executed
Sync successful for connector P01_020
Repository Object sync job successful
::sync log::
I have still over 800 users for the connector P01_020 in the table GRACUSERCONN.
Thank you for any suggestions.
Daniel
Hi Daniel,
Before you delete the connector, you can delete the informaction of users and roles in the following path:
SPRO>AC>...>Access Risk Analysis> SoD rule > Delete Sod Rule
There you put the connector and check "delete sync data for physical system".
It will delete the entries in the tables that you mentioned if the connector still exists.
Hope its helps
regards,
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks both for the quick answer.
The syncjobs was run in the full sync for the connector.
We are on support pack 11:
SAPK-V1011INGRCFNDA
SAPK-10311INGRCPINW
There also the last implemented notes:
0001785439 Performance improvement of User Sync
0001864423 Repository sync is not updating the GRACUSER table properly
0001873361 Performance issue with GRAC_REPOSITORY_OBJECT_SYNC
When I've run the SOD last time (include deactivated and locked users). I saw some users without any status, they never didn’t exist in this connector. I’ve checked some users with ‘no violation’. There is no history for 19 from 272 users (statistically sample) in the backend (they didn’t exist).
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Daniel,
Have you configured data sources? 1960721 - Search Data Sources in GRC
We have a similar issue but with Legacy Connectors, in such case there's a special procedure to delete users. Even you perform a full synch the users are not deleted.
If you are in a DEV/TEST system you might try cleaning up the tables using SE14 for example. I tried such option once after deleting the SoD rules in a DEV system and we still had an entry in one of the tables that was impossible to delete via the programs.
Definitely that's not a recommended procedure, but for tests systems where you've tried and tested many things sometimes is the only way to fully clean the tables. For a production system is not an option at least if you don't have a SAP recommendation to do that...
Cheers,
Diego.
Hi
Did you run full sync? And, does the tables contain the user but have them flagged as deleted?
Also, are you able to check SE38 to see if there might be a GRAC*DELETE* program of some type. I thought I saw a thread a while back that there was a deletion program (or 5.3 had something). Possibly there might be a way to remove the data if the connector is no longer required
Where the connector is still in use the tables should keep the user for historical purposes and flag as delete
What is being impacted for SOD/etc with this connector?
Regards
Colleen
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Dear colleen
Yes, the analysis ran in Full-Sync mode. I couldn't find any program to delete old data.
Is there some technical specification, how the Sync should work? What the tables should contain? I’m asking because after applying some SAP notes we have duplicates, triplicates, etc. in GRACUSER now.
Since we don’t have CUA in place, this should be our source for identification in which systems the user exists. For example I see some users in 000 client, which were accidentally created there in the past and removed again. But they will probably stay in the GRACUSERCONN table for ever. The column status doesn’t contain any value at all.
The information ‘updated on’ in GRACUSER doesn’t say for which connectors the user has been updated. This information would be helpful also in the table GRACUSERCONN.
Thank you
Regards
Daniel
Dear Daniel,
if you run the jobs with "Full" sync mode, all old entries should be deleted. In my environment it is working fine (I am on SP13).
Did you run with FULL or INCREMENTAL?
Best regards,
Alessandro
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.