Mass deletion of roles from users

I want to delete all roles from locked users. Is there a specific transaction for this instead of SU10? In SU10 one has to enter the roles to remove.

8 Answers

  • Apr 10, 2013 at 06:11 PM

    At its most simple you could have a script (LSMW/eCATT) that runs SU01 for a user, selects all in the role tab and deletes all. More sophisticated automation described by Samuli is also an option.

  • Apr 16, 2013 at 08:05 AM

    Either use eCATT for SU01 or develop a custom report using the functions BAPI_USER_*.

    See the documentation about these BAPIs: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/668e6629-0701-0010-7ca0-994cb7dec5a3?overridelayout=true

    Kind regards

    Frank

    • Former Member

      If CUA is not used, then a little trick is to assign a meaningless symbolic role and profile via the BAPIs because they remove everything else.

      It is a good idea to first check that the user is not running any job steps or assigned to a security policy which only requests a logon once per year.

      Cheers,

      Julius

  • May 22, 2013 at 06:57 AM

    If this is a one-time shot:

    Run SUIM to filter out your selection, save as CSV file.

    Create an LSMW with your CSV as input and call the function module BAPI_USER_ACTGROUPS_DELETE.

    No need to create an ABAP for a one time activity.

    /fredrik

    • Former Member

      Hello,

      Is it possible to provide a work instruction on "how to mass clean up users' profiles with function BAPI_USER_ACTGROUPS_DELETE"?

      Regards,

      Roman

  • Apr 10, 2013 at 04:40 PM

    I'm not aware of any standard program to fulfill your requirement. It should be pretty straightforward for an ABAPer to implement such a program (first read all locked users, read existing roles for one user at a time, remove existing roles).
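
The custom-report approach from the answers above (read the locked users, skip any that still own job steps, remove all roles with BAPI_USER_ACTGROUPS_DELETE), as an added example that is not part of any poster's answer. The report name, the dry-run parameter, the restriction to administrator locks and the explicit commit are assumptions; it assumes roles are maintained locally (no CUA) and does not cover the security-policy check.

```abap
REPORT z_locked_user_role_cleanup. " hypothetical report name

PARAMETERS p_test AS CHECKBOX DEFAULT 'X'. " dry run: list users, change nothing

TYPES: BEGIN OF ty_user,
         bname TYPE usr02-bname,
         uflag TYPE usr02-uflag,
       END OF ty_user.
DATA: lt_locked TYPE STANDARD TABLE OF ty_user,
      ls_locked TYPE ty_user,
      lt_return TYPE STANDARD TABLE OF bapiret2,
      ls_return TYPE bapiret2,
      lv_user   TYPE bapibname-bapibname,
      lv_steps  TYPE i.

START-OF-SELECTION.
  " Read only name and lock flag, never the password hash columns of USR02.
  SELECT bname uflag FROM usr02 INTO TABLE lt_locked WHERE uflag <> 0.
  LOOP AT lt_locked INTO ls_locked.
    " UFLAG 32/64 are administrator locks; 128 alone is a failed-logon lock,
    " which this example leaves untouched (assumption about the scope).
    IF ls_locked-uflag MOD 128 = 0.
      CONTINUE.
    ENDIF.
    lv_user = ls_locked-bname.
    " Skip users that still own steps of jobs which are not finished/aborted.
    SELECT COUNT(*) FROM tbtcp AS p INNER JOIN tbtco AS o
        ON o~jobname = p~jobname AND o~jobcount = p~jobcount
      INTO lv_steps
      WHERE p~authcknam = lv_user AND o~status NOT IN ('F', 'A').
    IF lv_steps > 0.
      WRITE: / lv_user, 'skipped, open job steps:', lv_steps.
      CONTINUE.
    ENDIF.
    IF p_test = 'X'.
      WRITE: / lv_user, 'would lose all role assignments'.
      CONTINUE.
    ENDIF.
    CLEAR lt_return.
    CALL FUNCTION 'BAPI_USER_ACTGROUPS_DELETE'
      EXPORTING
        username = lv_user
      TABLES
        return   = lt_return.
    " Explicit commit (assumption: harmless if the BAPI already committed).
    CALL FUNCTION 'BAPI_TRANSACTION_COMMIT'.
    LOOP AT lt_return INTO ls_return.
      WRITE: / lv_user, ls_return-type, ls_return-message.
    ENDLOOP.
  ENDLOOP.
```

Run it with the dry-run box ticked first and keep the output list as the record of which assignments were removed.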

  • Apr 16, 2013 at 11:49 PM

    With this transaction as not deleted. In a period of validity of roles "expired"

  • Former Member
    Apr 17, 2013 at 08:36 PM

    We developed our own application which locks users after a while, then removes their role assignments after a while, and then lists roles which no longer have any assignments or no one is using anything which the role authorizes.

    This way you can optimize / automate periodic controls.

    There is no standard monitoring cockpit for this, but you can use declarative system params to destroy password based authentication.

    The real trick with periodic controls is to target the sample before you unassign and destroy roles, but the ability to do that depends on how you build the roles.

    Disclaimer: If you use composite roles then you have no chance. You are doomed.. ;-)

    Cheers,

    Julius

    • Former Member

      If the system is not connected to CUA you could try to delete the role through SU10 using SHDB. I did try with a system which is connected through CUA, however it was not working since some of the screen input was not captured.

  • Former Member
    Apr 26, 2013 at 10:31 AM

    Hi,

    If you are not in favor of using custom reports, here is a shortcut for deleting roles using SU10.

    1. Use SUIM to get the list of roles assigned to all locked users

    2. Remove duplicate entries from the roles (now you should have max 150-200 roles left, assuming the role structure in your system is good)

    3. Use SU10 to enter all these roles (tedious task but should not take more than half an hour)

    Going forward, you can request your ABAP team to create custom programs for role assignment/deletion, user termination etc. These programs are very useful for security admin tasks.

    • We have used the remove option, and were happy with the validity days set to the day before.

      But hey - thanks for the hint, the report PRGN_COMPRESS_TIMES seems to be able to delete the expired roles (tested it and works)!

      Cheers

      Boldi

  • Former Member
    Nov 10, 2015 at 10:56 AM

    You can create an SAP recording (executing SU01, going to the roles tab, selecting all roles, removing the lines and saving) along with a bit of VB code (to fetch user IDs from Excel and loop).

    Simple and easy if SAP scripting is enabled in RZ11.

    Cheers
