Need to perform Roles/Profile cleanup and documentation.

Former Member
0 Kudos

Hello there, I have recently read through the Authorisations Made Easy guide which helped me a lot in getting started with authorisations. However I am still a bit of a novice.

I have recently been asked to perform a tidy up of the authorisations in our standard three tier 4.6C landscape... but I am not sure where to begin or what approach I should be taking to do the clean up?

What I have noticed is that there seems to be an awful lot of roles/profiles in the Dev system, compared to the QA and Prod systems. A first stab would be to identify roles that are in Dev and QA, that are not assigned to any users in Prod, and then to remove them... does that sound sensible?

Those of you who have experience in this area, can you please advise me on the best approach to take?... ideally with step by step instructions as I am still relatively new to authorisations.

Your help here would be much appreciated.

Kind regards

Sharon

Basis Administrator

1 ACCEPTED SOLUTION

Former Member
0 Kudos

First of all, try to locate OWNERS of roles or Business Areas.

Because the major problem in a clean-up will be that what you have deleted on day one, the business wants to use the next day.

So either

A) in the support group there will be functional consultants who are responsible for an area, and thus are the owners of the processes, which is the same as the roles (at least when the design has been built correctly),

B) or there are key users in the business who hold the aforementioned responsibility.

As soon as you have identified these people, you should create a list of roles and officially declare them owners of these roles. Each role should have a single person as owner! (Take the widest list of roles for this.)

Roles for which you can find no owner should be discussed with every owner, and if no one wants to take responsibility, simply put it on the to-be-deleted list.

Next step: tell the owners which roles are being used in Production and which are not available or assigned, and ask them to evaluate the need for these UNUSED roles. Ask for their OK to delete the unused roles. Only after this OK, delete the roles.

Before deleting, download tables AGR_1251, AGR_1252, AGR_PROFS and AGR_DEFINE and store these in a safe place so you can always reconstruct the deleted roles later. Consider downloading the roles to your PC before deleting as well.

Remember: roles have been created to serve a purpose, and that reason might come back later even if everyone is convinced they are no longer needed. And it saves you and your company a lot of money if you can quickly bring a deleted role back into the system!

6 REPLIES 6

Former Member
0 Kudos

One other thing... I have also been asked to document who has access to what in the Production system. What's the best way to extract this information?

0 Kudos

You can use transaction SE16 to display table AGR_USERS, which will show the user to role assignment. You can get the role texts from table AGR_TEXTS.

0 Kudos

Hi Sharon

Perform two steps in your production system:

1) Execute Tcode SE16, then enter table AGR_1251 and execute it.

This table will give you all the Tcodes, objects and field values available in the roles. Download this output to your system.

2) Execute Tcode SE16, then enter table AGR_USERS and execute it.

This will give you the roles assigned to users.

Download this output to your system.

Using the Excel function VLOOKUP, merge the above two outputs.

This will give you the user and role documentation with authorization values.
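The merge described in this reply, and the "roles not assigned to anyone" check from the accepted solution, as an added example that is not part of the original posts. It joins the two downloads on AGR_NAME so that every authorization row of a role is kept (a role has many rows in AGR_1251, which a single-match lookup would drop) and skips assignments outside their validity dates. The sample rows are constructed, and the comma-separated layout with SE16 field names as headers and YYYYMMDD dates is an assumption about how the downloads were saved.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample downloads (not real data); layout is an assumption.
AGR_USERS_CSV = """AGR_NAME,UNAME,FROM_DAT,TO_DAT
Z_FI_AP_CLERK,JSMITH,20040101,99991231
Z_FI_AP_CLERK,MBROWN,20040101,20041231
Z_MM_BUYER,JSMITH,20050301,99991231
"""
AGR_1251_CSV = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_FI_AP_CLERK,S_TCODE,TCD,FB60,
Z_FI_AP_CLERK,F_BKPF_BUK,BUKRS,1000,2000
Z_MM_BUYER,S_TCODE,TCD,ME21N,
Z_OLD_REPORTING,S_TCODE,TCD,SA38,
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def valid_assignments(users_csv, today):
    """AGR_USERS rows whose FROM_DAT..TO_DAT window contains `today`."""
    stamp = today.strftime("%Y%m%d")
    return [u for u in load(users_csv) if u["FROM_DAT"] <= stamp <= u["TO_DAT"]]

def access_report(users_csv, auths_csv, today):
    """One row per user / role / authorization value (one-to-many join)."""
    by_role = defaultdict(list)
    for a in load(auths_csv):
        by_role[a["AGR_NAME"]].append(a)
    rows = []
    for u in valid_assignments(users_csv, today):
        for a in by_role.get(u["AGR_NAME"], []):
            rows.append((u["UNAME"], u["AGR_NAME"], a["OBJECT"],
                         a["FIELD"], a["LOW"], a["HIGH"]))
    return sorted(rows)

def unassigned_roles(users_csv, auths_csv, today):
    """Roles that exist in AGR_1251 but have no currently valid user."""
    assigned = {u["AGR_NAME"] for u in valid_assignments(users_csv, today)}
    return sorted({a["AGR_NAME"] for a in load(auths_csv)} - assigned)

if __name__ == "__main__":
    today = date(2005, 6, 1)
    for row in access_report(AGR_USERS_CSV, AGR_1251_CSV, today):
        print(*row, sep="\t")
    print("No valid assignment:", unassigned_roles(AGR_USERS_CSV, AGR_1251_CSV, today))
```

The list from `unassigned_roles` is only a candidate list for the role owners to review, as the accepted solution describes.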

0 Kudos

Hi,

Look into transaction SUIM, there you will find answers to your questions. There are also third party products to design roles and have reports on the items you are talking about, like CSI Authorization Accelerator or SAP GRC.

have fun

Jan van Roest

Former Member
0 Kudos

Just wanted to thank everyone for their input... I think I have enough information now to proceed... cautiously!

Best regards

Sharon