Do you really have to delete roles if you deactivate a user?

I was searching through threads trying to find a recommendation regarding the best way to deactivate users in SAP. I understand locking and changing the validity date, but I am also seeing recommendations to delete the roles... In addition to roles, do you also recommend deleting profiles (ones not associated with a specific role)? I'm just asking because I was under the impression it was good for security purposes to know what roles/profiles (authorizations) the user had in the past if something happened that required research and the ability to identify "who had the ability to do what". If we delete all of that information from their account, is there still a way to determine what they did have when they were an active user? If it is OK to leave roles in and maybe just set their expiration date, how should profiles not associated to roles be handled?

I guess most importantly, is there a known recommendation straight from SAP that I can reference? My searches have come up empty.

4 Answers

  • Former Member
    Posted on Dec 20, 2008 at 04:36 AM

    Hi Chanda,

    In addition to what Julius has recommended (which is perfect no doubt 😉 ) I would suggest that you also change the user group of the user to an obsolete or not-in-use type. This will also prevent the security administrators from unknowingly reactivating the user, provided you are following proper naming conventions for segregation of admin responsibilities. You can also thereby determine the users that have been deactivated through reports.


    • Former Member

      You can download the table AGR_USERS; in this table you can determine what roles a user has.

      It can be handy to download often and keep older versions on your hard drive!

      The deletion or delimiting of roles to a user is an additional step in securing obsolete users, which is seen as best practice! Be aware that when you do not do this, it can lead to questions in audits!

  • Former Member
    Posted on Dec 19, 2008 at 11:56 PM

    In my opinion, best is to:

    - Retire the user ID by locking the account (not just the password).

    - Set the validity on the user account to expire (preferably when this is known already, and not when a piece of paper becomes current...).

    - Setting the validity of roles is subject to the user compare to a large extent. It is very useful.

    - Manual profiles are a bugger - dirty trick is to import them as a template into a role.

    > I guess most importantly, is there a known recommendation straight from SAP that I can reference? My searches have come up empty.

    I know that the technical explanations of how it works are to a large extent available, release dependently.

    If you search for the reports associated to the "user compare" (tcode PFUD) then you will find a lot of info.

    Recommendations are more tricky, as it depends on what you want. SAP enables a lot of stuff and is responsible for the correct checks in the programs. But how you build your roles and profiles is up to you, and you have a lot of freedom in that area. You can also shoot yourself in the foot 😉

    I am assuming that you are not on SAP release R/2. Perhaps a bit more details would help...

    Cheers,

    Julius


  • Posted on Dec 23, 2008 at 05:54 PM

    Thanks to you all for your suggestions. I will download the users' info as they currently stand, then lock and change the validity dates of the users themselves, change the validity dates of their roles, and finally remove any profiles not associated with roles. I know this may not be the "recommended" solution, but this will at least ensure their accounts are no longer available for use. I am serving as BASIS and security right now since we haven't gone live yet, but we will bring on a security administrator in the future. I will let them make the ultimate decision as to what process would best fit with our company standards. Thanks again everyone. Points were rewarded.


  • Former Member
    Posted on Dec 23, 2008 at 06:50 PM

    Here is the Best Practice for terminated users.

    - Set the validity date to last working day.

    - Change the user group to "TERMINATED"

    - Lock the user

    - Remove all the roles from the user master. (If at all there is any push back from the auditors to keep the roles, you can set the validity of the roles to the last working day. However, I would suggest you remove these roles, as these role assignments will be pulled up in SUIM reports and extracts from AGR_USERS. Every time you will have to filter these reports. Best is to remove the roles from the user master.)

    Sameek


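The offboarding steps in this answer and in Julius's list above (lock the account, expire its validity, delimit or remove the roles) together with the comment's advice to keep downloaded copies of AGR_USERS, worked through as an added Python example that is not from this thread and not SAP's own code. The column names follow AGR_USERS (UNAME, AGR_NAME, FROM_DAT, TO_DAT) and USR02 (BNAME, GLTGB, UFLAG, CLASS), but the tab-separated rows, user IDs and role names are constructed, and the "TERMINATED" user group and the admin-lock flag value 64 in UFLAG are assumptions about the target system. It keeps a record of what the user could do before anything is removed, delimits or removes the assignments, and then runs the audit check an auditor would run: deactivated users who still hold valid role assignments.

```python
"""Offboarding record, role delimiting and audit check over SAP-style exports.

Added example, not from the thread or from SAP. Column layouts mimic
AGR_USERS and USR02; the rows below are constructed sample data.
"""
import csv
import io
import json
from datetime import date

SAP_UNLIMITED = "99991231"   # SAP's "valid forever" date

# Constructed sample of an AGR_USERS download (tab-separated, dates as YYYYMMDD).
AGR_USERS_EXPORT = """UNAME\tAGR_NAME\tFROM_DAT\tTO_DAT
JSMITH\tZ_FI_AP_CLERK\t20080101\t99991231
JSMITH\tZ_MM_DISPLAY\t20080301\t99991231
AJONES\tZ_SD_ORDER_ENTRY\t20080101\t99991231
AJONES\tZ_BASIS_ADMIN\t20080101\t20081215
"""

# Constructed sample of USR02: GLTGB = valid-to, UFLAG bit 64 = locked by
# administrator (assumed), CLASS = user group ("TERMINATED" is an assumed convention).
USR02_EXPORT = """BNAME\tGLTGB\tUFLAG\tCLASS
JSMITH\t99991231\t0\tFINANCE
AJONES\t20081215\t64\tTERMINATED
"""

ADMIN_LOCK_FLAG = 64


def parse_sap_date(s):
    """Convert SAP YYYYMMDD text to a date; blank means unlimited."""
    s = (s or "").strip() or SAP_UNLIMITED
    return date(int(s[:4]), int(s[4:6]), int(s[6:8]))


def parse_export(text):
    """Parse a tab-separated SE16-style download into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def snapshot_user(agr_rows, uname):
    """Archive-ready record of a user's role assignments, taken BEFORE any removal."""
    rows = [{"role": r["AGR_NAME"], "from": r["FROM_DAT"], "to": r["TO_DAT"]}
            for r in agr_rows if r["UNAME"] == uname]
    return sorted(rows, key=lambda x: x["role"])


def delimit_roles(agr_rows, uname, last_day):
    """Copy of the rows where the user's still-open assignments end on last_day."""
    cutoff = last_day.strftime("%Y%m%d")        # YYYYMMDD compares correctly as text
    out = []
    for r in agr_rows:
        r = dict(r)
        if r["UNAME"] == uname and r["TO_DAT"] > cutoff:
            r["TO_DAT"] = cutoff
        out.append(r)
    return out


def remove_roles(agr_rows, uname):
    """Copy of the rows with every assignment of the user removed (Sameek's preference)."""
    return [dict(r) for r in agr_rows if r["UNAME"] != uname]


def is_deactivated(u, as_of):
    """Locked by admin, validity expired, or parked in the TERMINATED group."""
    return ((int(u["UFLAG"] or 0) & ADMIN_LOCK_FLAG) != 0
            or parse_sap_date(u["GLTGB"]) < as_of
            or u["CLASS"] == "TERMINATED")


def audit_stale_assignments(agr_rows, usr02_rows, as_of):
    """Deactivated users that still hold a role assignment valid on as_of.

    This is the gap the thread warns about: the account is dead, but SUIM and
    AGR_USERS still show live-looking assignments.
    """
    deactivated = {u["BNAME"] for u in usr02_rows if is_deactivated(u, as_of)}
    return sorted((r["UNAME"], r["AGR_NAME"]) for r in agr_rows
                  if r["UNAME"] in deactivated
                  and parse_sap_date(r["FROM_DAT"]) <= as_of <= parse_sap_date(r["TO_DAT"]))


def diff_snapshots(old_rows, new_rows):
    """Compare two AGR_USERS downloads: which (user, role) pairs appeared or vanished."""
    key = lambda r: (r["UNAME"], r["AGR_NAME"])
    old, new = {key(r) for r in old_rows}, {key(r) for r in new_rows}
    return {"added": sorted(new - old), "removed": sorted(old - new)}


if __name__ == "__main__":
    agr, usr = parse_export(AGR_USERS_EXPORT), parse_export(USR02_EXPORT)
    # 1. Keep the evidence of what JSMITH could do before the account is retired.
    print(json.dumps(snapshot_user(agr, "JSMITH"), indent=2))
    # 2. Delimit JSMITH's roles to the last working day (constructed: 2008-12-19).
    agr_after = delimit_roles(agr, "JSMITH", date(2008, 12, 19))
    # 3. Audit: AJONES is terminated but Z_SD_ORDER_ENTRY still runs to 9999.
    print(audit_stale_assignments(agr_after, usr, date(2008, 12, 22)))
    # 4. The same audit after removing AJONES's roles, plus the diff you would keep on file.
    cleaned = remove_roles(agr_after, "AJONES")
    print(audit_stale_assignments(cleaned, usr, date(2008, 12, 22)))
    print(diff_snapshots(agr, cleaned))
```

Running it prints JSMITH's two assignments as the archived record, one audit finding for AJONES (the locked, expired, terminated user whose Z_SD_ORDER_ENTRY assignment was never delimited), an empty finding list once that user's roles are removed, and a diff that names exactly the two assignments that disappeared between the two downloads. Keeping both the pre-change snapshot and the diff answers the original question: the roles can go from the user master without losing the record of who could do what.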