Alex,

thanks again.!

Now my interest is most on the point two due to the cost. As SAP is paid on # of active users. Currently its set to 90 days which in my opinion is too large. In the installations you visited what was the typical period and was their any special considerations ?

I know that the installation woudl vary the time period but I need to hear some ' best practices too!

thanks alex

Hi George,

90 days is typical for the majority of places I have worked at/audited.

Some have 60 and from memory, some have a 45 days policies. I don't think you will be surprised that special considerations usually only apply to very senior management who like the ability to log on every now and then!

Personally I find that 60 days is a reasonable compromise covering typical ranges of users e.g. functional, reporting, T&E, occasional purchasing via SRM for example. If you make the period too short then you get to a situation where you create extra admin overhead & inconvenience the users for a negligible reduction in risk. If you can automate parts of the process then it makes it easier i.e. set up a job that automatically locks users after x days & sends an email to their manager to say that the user has been locked due to inactivity & can they confirm that the user is still required etc. If no response after a certain period then the user will enter into the termination process. There are lots of ways of doing it, the important thing is that you have a consistent, manageable & auditable process that is supported by (the easiest bit) a sound technical solution.

I'm sure Julius & others will be along soon to give some other good advice!

ok, very quick way to cover terminating a user

1. lock User Master

2. set the valid date to the day you lock the user

3. assign a user group to identify a user who has left e.g. LEAVER, TERMINATED

4. delete the roles from the user (you can see what they had by the user change docs). If they don't use SAP any more then they don't need any access!

I do not like deleting the user, there was a recent post by Auke with some really useful info in it around this subject.

Alex

I will summaries the other answer, main points:

1. By law in most countries you need to be able to prove who owned a userid as financial laws state that you have to show financial data when requested (sometimes until 7 years after the TRX has been executed). Recently a number of companies have been fined who could not produce all requested data. In this case it was mostly about E-mail data as contracts in those companies were done via e-mail. But this can (and will) be extended to SAP data. In this one has to remember that almost all transactions in SAP have financial consequences thus are part of the data the laws talk about. I would not want to be the person who deleted data that the company is fined for deleting a couple of years later.

2. Next argument some processes in PM/PS cannot be followed on when the uid of the person who started the process has been deleted from the system.

So best practice: Never delete a UID from a system, but remove all roles, lock it and assign it to a special user group (this is also needed to avoid having to pay License cost for these users)

Small addition, when you use HR for user maintenance (via program RHPROFL0) that program will also NOT delete UID’s , but only take away the roles for users that have left the company.

Persons that go on vacation: one can use the temporary replacement option in SAP.