Skip to Content
0
Former Member
Jul 26, 2016 at 06:58 AM

GRC AC Leaver Process (rollback)

261 Views

Dear Experts,

We have the following requirement: To set up a User Leaver process where if a user is set up as leaver then the following actions are automated:

- Block the user

- Expire the user

- Remove all roles and profiles

- Change the user group to a specific user group

For that we are using the User Defaults BRF+ and I have created a Function Module "ZLEAVER" which include all the ABAP code in order to automate the actions mentioned above. So whenever there is a leaver access request the following BAPI's are used:

- Block the user --> BAPI_USER_LOCK

- Expire the user --> BAPI_USER_CHANGE

- Remove all roles and profiles -- BAPI_USER_PROFILES_DELETE and BAPI_USER_ACTGROUPS_DELETE

- Change the user group to a specific user group --> BAPI_USER_CHANGE

All the BAPI's are working well except the "BAPI_USER_CHANGE" which is not changing the values - Valid to and User Group - into the target system accordingly. My question is why?

We have been investigating a little bit and seems like the user - which is performing the changes into the target system - it is UNDOING the changes for some reason. In the image below you can see how the system is doing the changes and also un-doing.

Analyzing the BAPI_USER_CHANGE have notice that there are some ROLLBACK work but not sure why they are activated.

Kind regards and thank you,

Sara.

Attachments

LEAVER_Undo.JPG (48.2 kB)