Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Automate assign/remove roles to/from users every month

Former Member
0 Kudos


Hi,

We have a request to assign all users to RoleA, RoleB at calendar month end. Then after calendar month end, to remove RoleA, RoleB from all users and assign all users to RoleY, RoleZ.

I'm currently doing it thru SU10, adding and removing roles to users at calendar month end.

Is it possible to automate this (assign roles to users then remove roles from users) for every month? May I know the detailed steps to do it?

Thank you.

13 REPLIES 13

Colleen
Advisor
Advisor
0 Kudos

Hi

You would need to build something custom for this

That aside, is there a reason why you need to do this? If this is a common activity I would be questioning the design reasoning and see if there is an alternative approach

Do you have specific access you want to restrict from all users each month-end?

Regards

Colleen

Former Member
0 Kudos

Hi Colleen,

Yes, there's specific access that would like to restrict from all users every month end.

regards,

zl

0 Kudos

do you want to share what that is? Someone might have an alternative solution for you?

Former Member
0 Kudos

I agree with Colleen.

Firstly what are you trying to achieve?

Secondly it is sufficiently important as to not operate another control to achieve that objective?

Former Member
0 Kudos

Hi,

Would like to restrict users from doing goods movement during month end.

regards,

zl

0 Kudos

Hello

If the requirement is really 'non -negotiable' then there are several means to automate it.

  1. Creating a custom ABAP program to perform a 'mass role assignment' to roles. In some of our SAP R3 systems we have a custom made ABAP/Transaction code that allows us to upload a comma delimited text file (CSV). And in this file we specify user ID, role name, valid-from date, valid-to date. The program uploads the file and executes the role assignments
  2. If you don't want to create custom ABAP's you can also use the standard available 'SAP Batch Input Mapping' functionality This is a kind of 'screen scraping' tool for mass update. In a nutshell: you 'record' once the actions you do in SAP (for example: start SU01, open user ID, go to roles tab, go to end of roles list, add roles and save). And then using the 'Mail Merge' functionality of your Word Processor, and the list of actions in a spreadsheet. You generate a 'mass Batch Input Map (BIM). This BIM is then processed via SM35 transaction and the actions are executed. It looks complex, but once you have done it a couple of time you can create BIM scripts quite fast. More Info: SAPTechnical.COM - How to do BDC without writing BDC program and ,
  3. CATT functionality in SAP offers the same functionality as (2). However some companies may have a policy that CATT is not allowed in productive environments.
  4. There are even means to automate it outside SAP. You can use various scripting languages (Powershell, Python, Perl, VBA) to connect to SAP systems and execute RFC/BAPI commands.

I hope this helps.

But, like colleen i doubt the reasoning behind this requirement. What is it what they want to achieve? And is this the best way to do it? In our company we do have authorization roles for 'Month End Closing' activities, but they are assigned to users 'all the time'

Former Member
0 Kudos

Thanks, is there any specific movement activity that is causing the problem?  It's not unknown for inventory activities to require a movement block (MI32/33) for month/period end activities.  Generally I would expect the control to be that users are told not to do it and non-compliance has implications.  Of course, if this is super-high risk for whatever reason then M. Coenjaerts has given some good methods.

Former Member
0 Kudos

Hi,

This is a request from our Finance Users. During month end, there should not be any goods movement but people always forget and do goods movement during month end. And this affect the finance month end closing.

'goods movement' role are removed from users at month end, and after month end users are assigned back 'goods movement' role.

may i know which methods can be scheduled to run by itself?

0 Kudos

It seems a bit strange that finance are requesting the business to stop day to day operational activities so they can close the books. I question if there is an underlying issue with the business process and design.

0 Kudos

I have seen clients opts this option during financial year end during which, they would not want any goods movements to happen so that the finance team can reconcile the records.  For that, instead of locking the movement types, they would lock the related transaction itself like for outgoing deliveries, couple of movement types are there.  Instead of locking all these movement types, they would lock the transaction codes like VL01N, VL10* etc.

G. Lakshmipathi

0 Kudos

Thanks - thats what I was wonderIng if SM01 transaction locking might be solution or if some function config. When movement types mentioned I immediately thought MIGO and locking that would not help if  goods receipt allowed. I assume solution depends on what movenent type?

but you witnessed situation where they relied on authorisations to achieve temporary lock down?

0 Kudos

Hi

If you want to schedule (so that it runs automatically), then option (1) works best: you can schedule ABAP programs to run in the background, to be started at a certain time , or after a certain event.(using SM36/SM37)

Open (4) could also be schedule, but then this needs to be done outside SAP. Using Windows Task Scheduler or CRON job scheduling in case of unix/linux based systems.

Option (2) and (3) most of the time require "human intervention": you have to prepare the "data set" (which users/roles-assigments you are going to change), generate and start the BIM/CATT script

Matt_Fraser
Active Contributor
0 Kudos

I won't pretend to be a functional expert in logistics or finance, but it seems to me that this is likely a configuration and/or business process issue and not a security issue.  I'm pretty sure it is not common for organizations to take away access to MIGO entirely during month-end close.  I think rather that most organizations will just do something like lock the period that is being closed, so new postings go to the new period.  This should happen anyway, since closing is usually done after the period in question has expired.

You might have a look at , but otherwise this question might be better raised at .

Regards,

Matt