>

> If tests are sucessfully, delete old role assignements to your 3000 users in PRD.

I would do that in the reverse order => first remove the old roles QAS and then test whether it still works

Kind regards,

Julius

Yes, we have done exactly the way you have said but the business wants the backup user accounts created because if the users face any issues they can still be given the old user ids ( to be on the safer side)

regards,

Ajai

Just explain to the Business that any failure is due to their lack of proper testing In Quality. So it should not be an issue and i for certain would not allow this, also this might have huge an impact on your license fee. so is the business wanting to pay for that??

Hi,

All the backup users will be expired. That is, we will set the expiry date in SU01 some time to 12.01.2000. In this case, will the licensing be an issue?. Will SCAT work for my case?. Thanks so much for your time

regards,

Ajai

If you are setting the expiry time then that is additional stuff you have to do to reinstate that user. Just record their old role assignments & paste those roles into the userID if you have problems. Far better than using a dupicate ID

Hi Alex,

I want to know the step by step procedure for creating a test script to create 3000 users using SECATT. I did try it but not able to get through. Many thanks for your help

regards,

Ajay

if you use the search for secatt there are results for links with tutorials, the same if you google for secatt tutorial

Hello Alex,

I managed to create a script using SDHB ( BDC ). I need your input regarding SAP licence. As per our cut over plan, we are going to create backup user accounts with the existing roles for all the current users (about 3000)..For eg. USER1 to USER1_BACKUP and expire USER1_BACKUP ( expiry date to some date in 2007). Then we will assign the newly built roles to USER1. Incase, if the user faces any authorization issue then the old user account will be released to him (USER1_BACKUP) so that the user's business activities is not hampered. The business has informed that this process will not be in conflict with the present agreement they have. My concern is, in the event of an audit, will there be any issues as to why an expired user account was activated?. I hope you would be able to shed some light from the wealth of your experience..Thanks very much for your time..

Regards,

Hi Ajay,

It is very possible that your auditors would have a problem with you reactivating an account in this manner.

You need to speak to your auditors to get their opinion on this, especially as has been mentioned there are better ways (in my opinion) of providing the support the users need without creating additional ID's.

If I was your auditor I would be asking why you think is it easier to unlock an copied user than just cutting and pasting their old roles from a spreadsheet into their user master. You should also think about the following:

1. How can you ensure that only the named user is using the copied ID?

2. Will you lock their usual ID so they are not using both at the same time?

3. How will you ensure that all changes are merged into the new role build and users are not using 2 different ID's for different tasks

I hope you don't take this the wrong way, but from my experience, this sort of approach will cause far more long term problems than it will fix short term access issues caused by a lack of testing.

Regards,

Alex

Hi Alex,

Thanks very much for your input. The idea of creating backup users is to ensure that the users are able to continue their business activities in the event of an authorization failure. The current roles are scheduled to become obselete in September. The new roles will replace the existing roles in production in september. We intend to take this approach because during this period, if the users encounter any issues they will be able to continue their business activities using their backup id, thereby reducing the downtime of an user. We have tested the roles in the Quality system but we intend to use this approach to be on the safer side.

Please provide your opinion. Thank you very much

regards,

Hi Ajay,

I also would not recommend the plan to use backup user ids for many of the reasons mentioned above.

As long as you save a copy of the user to role assignments before the conversion to the new roles it is just as fast to assign the "old roles" back to the user as it would be to release the backup id to the user.

I would make it clear to the end users to contact your security support group with any authorization issues immediately. If you make it too easy for them to activate their "backup ids" or reinstate their old roles they may not alert you to problems they are having and thus prevent the proper fixes from taking place.

When converting users to new security roles I also like to follow a phased conversion. Maybe convert 10% of users to the new roles in week 1, 20% in week 2, etc., etc. Try to hit all functional areas in the early conversion so that you are comfortable any bugs are worked out and by the third or fourth conversion you should be able to cutover a large # of users with little problem.

I would be partial to using 2 CATT scripts to perform the cutover. First a CATT script assigning the new roles and once completed, a second CATT script to unassign the old roles.

Hi Ajay,

My opinion is that you are potentially going to cause more problems than you fix & your auditors will ask the same questions which I asked in my previous post.

If you already know their existing role mapping, why do you not record that and in the worse case scenario you could reassign the old access. It should take less than 1 minute for a user - fractionally longer than time taken to unlock the copy ID's. If you have an efficient resolution process in place then you only need to rely on giving users emergency access if their requirement is business critical. Trust me when I say that the moment you start giving users 2 ID's you will get trouble and it will take months to fix as they will insist on using the copy ID the moment they hit a problem with the new access. Once they have been given that, they will expect it.

Cheers

Alex

I agree that creating copies in a prod system is dubious ; if the purpose is to test the validity of new roles this should be done further down the system chain (in a QA or Regression or even a preprod system, if you happen to have one).

That said, I much prefer the BAPI way of creating users compared to CATT/eCATT. Have a look at BAPI_USER_CREATE as well as BAPI_LOCACTGROUPS_ASSIGN (and others related to the BOR "USER"), and you should be able to write a nifty little program that might be much more handy and flexible than those CATTs...

Regards,

Trond

Hi Trond,

The user management BAPI's are pretty neat, I've played with them through Excel but stopped short of replacing my favourite scripts with them

Hi Alex,

I have consolidated your posts and have forwarded it to the business. I am waiting for their response.

Thank you very much for your posts and above all thank you very much for your time. You have been very helpful.

regards,

Ajay

Hi Ajay,

I'm pleased to help, as are the other here who have been through this stuff and have the mental scars to prove it

Hi,

Yes, I got your point. The catch is we want to rename the present user names to another name. For example,

USER1 to USER1_BA

USER2 to USER2_BA

USER3 to USER3_BA

.

.

.

USER3000 to USER3000_BA

This is what we want to do. I think I will be able to do this using SCAT. If its possible, can you tell me how?

regards,

Ajai