
Investigate - ECC roles for retirement.

Former Member
0 Kudos

I am trying to investigate and find roles that can be retired in the ECC system. How do I come up with a list of roles that are ready for retirement (due to unuse or wrong naming convention, etc.)?

What are the questions I should be asking?

I have tried to follow the approach below, but it doesn't seem to be effective enough:

Note: From here on, when I mention roles, it means Z-Roles only.

Please find the method I used to analyse the issue below:

***************************************************************************

Requirement: Investigate - ECC roles for retirement.

(Self made points below)

1. Document all roles in ECC, that have never been assigned to any user.

2. Document all the roles in ECC, that do not have any users assigned to it since at least one year.

3. Document all the roles in ECC, that are forbidden to be assigned to any roles.

4. Document all the roles in ECC, that do not follow the standard naming convention defined by the organisation.

My question - Should I extend this list?

****************************************************************************

Analysis:

Transactions used extensively during analysis:

SE16 - Data browser

SUIM - User Information system

S_BCE_68001425 - Roles by Complex Criteria

PFCG - Role Maintenance

Tables used extensively during analysis:

AGR_AGRS - Roles in Composite Roles

AGR_DEFINE - Role definition

AGR_USERS - Assignment of roles to users

Actions taken, to reach the solution:

1. Single Roles - Without assignment in the last one year (There has been no user assignment to these roles for at least one year and no changes have been done to the role during this time). These roles are currently without any user assigned to them.

2. Forbidden roles: These roles are not to be assigned to any users and it can be strongly recommended that they should be retired. There are currently no user assignments for these roles.

3. Wrong naming convention: Roles that do not follow the standard role naming conventions (as defined). These roles should be retired.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi..

Last month we did this clean up activity. But after a lot of meandering here and there, like what has been stated, finally I decided to take help of the functional consultants of each module of SAP and removed all unwanted roles - from end users. It was a massive exercise, esp. when roles were assigned indirectly, but finally we could clean up a bit.

But for some reasons, the back end team has kept the roles on the system and roles have not been deleted or completely removed from the system itself. Maybe as part of 2nd phase of clean up, we would do that.

And also that was the reason why we felt - as to whether it is ok, to make any role as non-editable, and identify it, all those roles in one go, for a direct clean up at a later date. But I was not able to categorize that way.

In case you have some other better ideas of cleaning up the system completely, please share your thoughts too. It would be very helpful.

Thanks

indu

12 REPLIES 12

HuseyinBilgen
Active Contributor
0 Kudos

Hi,

Did SUIM > Roles > Roles by complex search criteria > Selection According to user assignments "without user assignment" help?

0 Kudos

Hi Huseyin,

Thanks for your input. What we are trying to do, SUIM>Roles>Roles by complex selection>Without user assignment, constitutes just the first step, because we are trying to retire all those roles that have no further need to be in the system anymore. As a result we are considering various situations, such as those mentioned in my original post.

Thanks,

Amlan

Former Member
0 Kudos

Instead of checking only the roles, you can also check for the transactions which are obsolete (not being used anymore by the business). For this, audit profile has to be activated in the system.

0 Kudos

Hi Bal,

Thanks for your input. I believe this is a very important suggestion that you have made and I will take it under consideration.

I will update you once I have some more news.

Thanks,

Amlan


0 Kudos

Hi Indu,

Thanks for your input, I can imagine your situation.

Till now one of the more honest and effective solutions I have received is as below:

My main concern is “How do we come up with a list of roles that are no longer being used in the current landscape?”

To find out the Roles that have not been used in the System, simply go to SUIM and check for Roles not assigned to users. Later cross check when was the role last modified and the last assignment date. Each Role will have to be looked into individually. No short cut to this approach.

I am trying to find out other approaches which will be more efficient. Will keep you updated.


Thanks,

Amlan

0 Kudos

Hi Amlan.

Thanks for the advice.

But just wondering... how am I going to find out what is supposed to be a finance related transaction or not - I don't know. Except that I looked at their AGR_USERS table and got a dump of the entire list of roles in their system and segregated them as per naming convention as standard, finance, HRMS, sales, mm etc.

Have got another clean up assignment... 

Shall keep this in mind.

Thanks again.

Regards

indu

0 Kudos

Hi Amlan,

Going to SUIM and checking for Roles not assigned to users may be an easier part. However you should also consider that some of the unassigned or Forbidden roles may be in a Master-Derived relationship with other roles. Retiring these roles can cause chaos in the system.

Hence cross-check the roles either by their short description or from inside the role. Tedious, but necessary.

Furthermore you can also work with the functional consultant of each module for the list of obsolete transactions and track the roles accordingly.

Hope this helps...

Thanks,

FP

0 Kudos

Hi experts.

Request some help.

I would like to know a few things as to how to categorize a high end transaction / role.

Is there a list which says - these are high end transactions whether it is finance or Sales or HR.

How do we define a transaction as strong transaction tcode.

Though have sort of noted a list.

Can anyone advise on this.

thanks.

@Amlan /Fahim :

Hope you are all doing fine with your roles - and retirements from your system.

Also would like to share with you that we had been able to also retire many roles by looking at AGR_DEFINE - where there were some derived roles without master roles.

Regards

indu
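The checks discussed in this thread (no current user assignment, indirect use through composite roles, master-derived dependencies, derived roles whose master is missing, naming convention) can be run together over SE16 exports of AGR_DEFINE, AGR_USERS and AGR_AGRS. The sketch below is an added example, not code from any poster or from SAP; the column names (PARENT_AGR, CHANGE_DAT, TO_DAT, CHILD_AGR), the `Z_` prefix rule, the one-year threshold and all sample rows are assumptions made up for illustration.

```python
from datetime import date, timedelta

# Constructed sample rows shaped like SE16 exports (column names are assumed).
AGR_DEFINE = [  # (AGR_NAME, PARENT_AGR, CHANGE_DAT)
    ("Z_FI_AP_MASTER", "", date(2009, 3, 1)),
    ("Z_FI_AP_1000", "Z_FI_AP_MASTER", date(2009, 3, 2)),
    ("Z_MM_BUYER", "", date(2008, 6, 1)),
    ("Z_SD_ORPHAN", "Z_SD_MASTER_GONE", date(2008, 1, 15)),
    ("ZZOLD_HR", "", date(2007, 5, 5)),
    ("Z_FI_CLERK_COMP", "", date(2009, 1, 1)),
    ("Z_FI_DISPLAY", "", date(2008, 2, 2)),
]
AGR_USERS = [  # (AGR_NAME, UNAME, TO_DAT)
    ("Z_FI_AP_1000", "JSMITH", date(9999, 12, 31)),
    ("Z_FI_CLERK_COMP", "MDOE", date(9999, 12, 31)),
    ("Z_MM_BUYER", "OLDUSER", date(2009, 1, 31)),
]
AGR_AGRS = [("Z_FI_CLERK_COMP", "Z_FI_DISPLAY")]  # (composite AGR_NAME, CHILD_AGR)

def retirement_candidates(define, users, agrs, today, prefix="Z_", idle_days=365):
    """Map each flagged role to (reasons, blockers); blockers mean 'do not retire yet'."""
    cutoff = today - timedelta(days=idle_days)
    active = {r for r, _, to in users if to >= today}
    # A single role inside an actively assigned composite role counts as in use.
    in_use = active | {child for comp, child in agrs if comp in active}
    parent_of = {r: p for r, p, _ in define}
    # Masters of derived roles that are in use must stay, even if unassigned themselves.
    needed_masters = {parent_of[r] for r in in_use if parent_of.get(r)}
    last_end = {}
    for r, _, to in users:
        last_end[r] = max(to, last_end.get(r, to))
    report = {}
    for role, parent, changed in define:
        reasons, blockers = [], []
        if (role not in in_use and changed < cutoff
                and last_end.get(role, date.min) < cutoff):
            reasons.append("unassigned_1y")
        if parent and parent not in parent_of:
            reasons.append("orphaned_derived")   # derived role whose master no longer exists
        if not role.startswith(prefix):
            reasons.append("naming")
        if role in in_use:
            blockers.append("in_use")
        if role in needed_masters:
            blockers.append("master_of_used_derived")
        if reasons:
            report[role] = (reasons, blockers)
    return report

def safe_to_retire(report):
    """Flagged roles with no blocker, i.e. the list to review with the module owners."""
    return sorted(r for r, (_, blockers) in report.items() if not blockers)
```

Because the result is computed from the raw tables, it can also serve as a cross-check against the output of the SUIM report.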

0 Kudos

FYI, I am starting the same kind of cleanup in our landscape, and SUIM report S_BCE_68001425 returned unreliable results when I queried for roles without user assignment. In our ECC 6.0 EhP 4 system, the list returned from that query included a number of roles which do have users assigned. So I would take care if that is your planned approach.

I did not find a Note addressing this issue, but if I do get one, I will reply again.

Good luck!

Gretchen Lindquist

0 Kudos

Hi Gretchen,

I have a question/suggestion. Let's assume you're right (I guess you're but I am too lazy to double check). Why do you wait for an OSS note to come instead of triggering one?

I would love to use the tool and have 100% faith in the result and tell all my friends and customers it was Gretchen who had found the bug.

Cheers Otto

0 Kudos

Amlan/ Fahim,

Before relying on S_BCE_68001425 for this effort, you might wish to review Note 1548076.

Good luck and regards,

Gretchen