This website is not affiliated with, sponsored by, or approved by SAP AG.

Mass change of user roles

SAP Security

Mass change of user roles

Postby SAPOY » Fri May 07, 2010 5:54 am

Hi,

I am looking to make a mass change to user roles, initially removing all access and then creating new roles for each user with different permissions.
As the change will impact >10,000 users, could you please advise the most efficient mechanism to do this?
SAPOY
 
Posts: 2
Joined: Fri May 07, 2010 5:45 am

Re: Mass change of user roles

Postby Al. » Fri May 07, 2010 10:51 am

Can you please clarify the situation?

Is it

1. Remove old roles and then assign new roles
or
2. Remove old roles, build new roles and then assign new roles
or
3. Something else.

The re-build is standard PFCG.
You can do the removal + assign new very easily using ECATT or LSMW scripting on transaction SU10
http://www.turnkeyconsulting.com/
Al.
 
Posts: 3050
Joined: Tue Feb 25, 2003 5:35 am
Location: London

Re: Mass change of user roles

Postby SAPOY » Sun May 09, 2010 11:01 pm

Hi,

We'll be removing old roles, building new roles and then assigning new roles.
SAPOY
 
Posts: 2
Joined: Fri May 07, 2010 5:45 am

Re: Mass change of user roles

Postby Al. » Mon May 10, 2010 12:16 am

OK, first is to prioritise

1. Build New Roles (assuming that you can't/don't want to change your old ones).
2. Remove Old & Assign New.

Role removal & assignment is easily taken care of with eCATTs or LSMW. If you are not familiar with scripts, there are plenty of tutorials available via your favourite search engine.

1 script to remove roles from the user via SU01 - select all roles & remove.
1 script to add in new roles. Use SU10 as it allows append function - you can easily cater for different numbers of assignments. SU01 is a pain to script assignments.

For the role build, use PFCG to build your master/parent roles. You can then use scripts to automate the child role creation. Finally populate org levels manually. You can budget 200-250 roles per person per day for org level population.

If you are thinking about populating org levels programmatically, make sure you have an excellent developer and test it very thoroughly. I have seen a few real problems caused by this approach. There are also tools out there on the market that claim to speed up role build, however I would be very, very cautious about using these products as most of them are very shoddy.
http://www.turnkeyconsulting.com/
Al.
 
Posts: 3050
Joined: Tue Feb 25, 2003 5:35 am
Location: London

Re: Mass change of user roles

Postby berryd » Sat Jun 12, 2010 5:36 am

Hi

Mass role creation and user assignments... deep joy :-( (and sorry, this is a really long reply)

I'm assuming you must be expected to have the new roles in place in PRD prior to removing the old roles - I can't imagine 10000 users sitting waiting for a week for their access to be returned?

If you are using derived roles beware of cost centres, release strategies and storage locations as they can be over-written when updating the parents.

For the role assignments I've used LSMW (can't get my head round CATS unfortunately :-( ) but, after falling into the SU01 remove all roles trap I would use SU10 selectively instead. In the LSMW from date field ensure the value is 01011900 and then remember to go to the profile tab whilst doing the recording to select 'remove' in there too.

Using SU01 to remove all roles makes the audit job a nightmare as there is no plain and simple track-back to why you removed a role that was changed/not requested to be removed, and there's even more work for the replacement LSMW to do so the time/loading on the system is artificially increased (as is the chance of a mistake or the system going down whilst running).

If you could guarantee that all of the users would not exceed the 312 roles limit if you were to first assign all the new roles then that would be the best way forward - assign all the new roles and then remove the redundant ones.

If, however, you can't be sure of this then try an additional pre-step to the process, create a copy of each user (make the user ID obviously NOT those of a real user - i.e. REF0001, REF00002 etc). Make these copy users service user type.

To do this means more LSMW scripts but it gives you a back up option if anything failed during the removal/assignment - if it can go wrong it will go wrong.

Once you have all of your copy service users in PRD link these to the original by (LSMW again) adding the copy user ID in SU01 to the original user ID's roles tab in the 'Reference User' field.

Remove the selected roles, and assign the new ones - whilst this is being done the reference user with the original access will support the dialog users in PRD so they don't lose any access. If you have GRC RAR set up then you may want to refer this to your GRC guys to see if they want to change the settings to pick up both dialog and their reference users combined accesses.

When you have completed the role assignments, and checked they are as expected, then delete the entry in SU01 of the reference user entry, have a brew and wait to see if there are any auth errors being reported. If there are then add back the reference user entry and fix your role assignments quickly.

As soon as you possibly can, delete all of the reference users as they will provide missing auths access and this can lead to users creating things like sales orders etc that then have the reference user ID instead of the real person.
Real Daleks don't use the stairs. They just level the building.
Well - okay - so now they can fly - that's not fair!
berryd
 
Posts: 179
Joined: Fri Feb 27, 2004 6:30 am
Location: here.. I think
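The two approaches above (Al's "one script to remove, one SU10 script to append" and berryd's "assign new first, then remove old, unless the combined set would breach the role limit, in which case park the old access on a REFnnnn reference user") boil down to a planning step that decides, per user, what to append, what to remove, and in which order. The script below is an added example, not code from any of the posters: it takes a constructed USER,ROLE export of current assignments plus a target mapping, checks every target role against the set of roles actually built in PFCG, and emits ordered rows for the LSMW/SU10 recordings. The 312 limit and the 01011900 from-date come from berryd's post; the TO_DATE value, the ACTION labels and the sample users are this example's own assumptions.

```python
"""
Plan a two-phase mass role change (assign new, then remove old) as input
for SU10/LSMW recordings. Added example, not code from the thread; all
sample data below is constructed.
"""
import csv
import io
from dataclasses import dataclass, field

ROLE_LIMIT = 312          # per-user limit as quoted in the thread
FROM_DATE = "01011900"    # LSMW 'from' date the thread recommends (DDMMYYYY)
TO_DATE = "31129999"      # assumed open-ended validity, same DDMMYYYY form


@dataclass
class UserPlan:
    user: str
    current: list                 # roles the user holds today
    assign: list                  # new roles to append via SU10
    remove: list                  # old roles to drop
    ref_user: str = None          # copy user carrying old access, if needed
    warnings: list = field(default_factory=list)


def parse_assignments(text):
    """Parse a constructed 'USER,ROLE' export of current assignments
    (the shape of an AGR_USERS download) into {user: set(roles)}."""
    current = {}
    for row in csv.DictReader(io.StringIO(text)):
        current.setdefault(row["USER"].strip(), set()).add(row["ROLE"].strip())
    return current


def plan_change(current, target, built_roles, limit=ROLE_LIMIT):
    """Decide per user what to append, what to remove, and whether the
    combined old+new set would breach the limit (then fall back to a
    reference user so access never drops during the rebuild)."""
    unknown = set().union(*target.values()) - set(built_roles)
    if unknown:
        raise ValueError(f"target roles not built in PFCG: {sorted(unknown)}")
    plans, ref_seq = [], 0
    for user in sorted(set(current) | set(target)):
        old, new = current.get(user, set()), target.get(user, set())
        p = UserPlan(user, sorted(old), sorted(new - old), sorted(old - new))
        if not new:
            p.warnings.append("no target roles: all role-based access is removed")
        if len(old | new) > limit:
            ref_seq += 1
            p.ref_user = f"REF{ref_seq:04d}"   # copy user, service type, not a real person
        plans.append(p)
    return plans


def su10_rows(plans):
    """Flatten plans into ordered rows (STEP, ACTION, USER, ROLE, FROM, TO).
    ACTION names are this example's labels for the LSMW recordings, not
    SAP transaction codes. Lower STEP runs first, across all users."""
    rows = []
    for p in plans:
        # normal users: append first, remove second (no access gap);
        # over-limit users: remove first, the reference user covers the gap
        a_step, r_step = (4, 3) if p.ref_user else (3, 4)
        if p.ref_user:
            rows += [(1, "ASSIGN", p.ref_user, r, FROM_DATE, TO_DATE) for r in p.current]
            rows.append((2, "SET_REF", p.user, p.ref_user, "", ""))
        rows += [(a_step, "ASSIGN", p.user, r, FROM_DATE, TO_DATE) for r in p.assign]
        rows += [(r_step, "REMOVE", p.user, r, FROM_DATE, TO_DATE) for r in p.remove]
        if p.ref_user:
            rows.append((5, "CLEAR_REF", p.user, p.ref_user, "", ""))
            rows.append((6, "DELETE_USER", p.ref_user, "", "", ""))
    return sorted(rows, key=lambda r: r[0])


# --- constructed sample data (not real users or roles) ---
SAMPLE_EXPORT = "USER,ROLE\nJSMITH,Z_OLD_SD_ALL\nJSMITH,Z_KEEP_DISPLAY\nABAIRD,Z_OLD_MM_ALL\n" + \
    "".join(f"BIGUSER,Z_OLD_{i:03d}\n" for i in range(310))
BUILT_ROLES = {"Z_KEEP_DISPLAY", "Z_SD_ORDER_CLERK"} | {f"Z_NEW_{i}" for i in range(5)}
TARGET = {
    "JSMITH": {"Z_SD_ORDER_CLERK", "Z_KEEP_DISPLAY"},
    "BIGUSER": {f"Z_NEW_{i}" for i in range(5)},   # 310 old + 5 new > 312
    # ABAIRD: no target roles, so the plan flags it
}


def build_plan(export=SAMPLE_EXPORT, target=TARGET, built=BUILT_ROLES):
    plans = plan_change(parse_assignments(export), target, built)
    return plans, su10_rows(plans)


if __name__ == "__main__":
    plans, rows = build_plan()
    for p in plans:
        print(p.user, "assign", len(p.assign), "remove", len(p.remove), "ref", p.ref_user, p.warnings)
    print(len(rows), "rows; first:", rows[0])
```

Running it shows JSMITH getting one append and one removal, ABAIRD flagged because nothing replaces the role being taken away, and BIGUSER routed to REF0001 with its 310 old roles copied to the reference user before anything is removed. The rows for the reference users sort to the front (step 1 and 2) and the clean-up (clear the reference-user field, delete the copy user) to the end, which matches the order berryd describes; the audit trail is the plan itself rather than a blanket "remove all roles" in SU01.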

Re: Mass change of user roles

Postby os » Sun Jun 13, 2010 7:47 am

You can automatically maintain org levels from a program if you populate them from profile templates. The interface is the same and org. fields are transferred from the "manual" data to the org. values without being "changed".

You can even set them to "standard" - the trick is to first populate the org. field once only with a dummy transaction for all org. field relevant objects, then build the rest of the role and remove the dummy in the end.

Works like a charm but you must find an experienced developer for it as it is easy to torch all your roles with simple mistakes.

Good luck!
os
 
Posts: 469
Joined: Wed Dec 21, 2005 10:51 am

Re: Mass change of user roles

Postby berryd » Sun Jun 13, 2010 8:20 am

Hi os

Yes - we have designed a couple of the org level/object level updaters (called them Things of Evil just to steady the nerves when using) but they were just simple notepad++/Excel macro edit, replace or insert etc on the 1252/1251 rows in the downloaded roles.

Found out that adding all org levels to a set of roles appears to work fine as SAP/PFCG goes and sorts itself out at upload/regen but the SUIM reports look dreadful as the tables are out of sync with the role contents (another of those 'oh hell' moments :shock: ) so we group by org level and do repeated download/update/upload iterations until all have been captured.

Works fine if a little clunky - never got it to work in Access (which a chap I knew managed to do with some success) so a proper ABAP program sounds a treat...
Real Daleks don't use the stairs. They just level the building.
Well - okay - so now they can fly - that's not fair!
berryd
 
Posts: 179
Joined: Fri Feb 27, 2004 6:30 am
Location: here.. I think

Re: Mass change of user roles

Postby os » Sun Jun 13, 2010 8:35 am

No need for Excel etc and uploads as this does not understand the length of field limits and you cannot know when to insert a new authorization, which is the advantage of non-org fields. You can do it in ABAP though without updating any tables or other dirty tricks as I described above. Also no need to be forced into using derived roles as some might lead you to believe... :-)
os
 
Posts: 469
Joined: Wed Dec 21, 2005 10:51 am

Re: Mass change of user roles

Postby lordofthering » Tue Sep 20, 2011 8:28 am

Os
I know this is an old post but do you happen to have any example code which can allow us to update Org Level using ABAP or any other program? I thought it is not possible to update org level on existing roles using any script or program. Any hint will be helpful
lordofthering
 
Posts: 1
Joined: Tue Sep 20, 2011 4:34 am
