Question:
Hi, we need to make a production system read only (no data changes) for a few days.
System is 4.7Enterprise, Oracle 9.2.0.6, Solaris 64bit
For a few users we could temporarily just chage their profiles to prevent updates but we have 1,500 users so not sure how this could be achieved without significant work.
>> anyone have any ideas ?
Thanks,
Tony.
Answer:
Everything has a cost and in your case it is costly. you have to assign everyone a display only role and change their current role FROM-to date to be in the futuer and run PFUD. And remove all non-role profiles. Or you could just lock the IDs fo a few days and keep everyone out.
Answer:
thanks for the reply John,
essentialy though you're saying there is no quick way...we have to amend each user's profile individually...one of our security people estimated this would take him 3-4 days for 1,500 users so that's why I was trying to find a quicker/better solution.
ho hum...c'est la vie...
cheers,
Tony.
Answer:
If they need display only, do a complete database copy to the test system and let them display their work there for the few days and lock them all out of production while you do your project.
Tarr
Answer:
Hi,
You can do it by 4 step process.
Step 1) Go to SE16 and download the data of table AGR_USERS. This table contains the User to Role Mapping.
Step 2) Create a LSMW program to delete all the roles from all the Users.
Step 3) Now Add Users to the Display roles either from PFCG or make LSMW for it.
Step 4) Once the work is completed remove the display roles and add the orginal roles again using the same LSMW program and your data would be the original dump from SE16.
Hope this helps.
Regards.
Answer:
Even after changing all roles, your system will not be read only.
Just one example: each logon changes the logon date and time in USR02.
Why don't you just restore a backup on a separate machine, and let the users access this backup system?
Does it really matter if they change data in this copy?
Answer:
One company copied the production system then posted a message saying that it was only a reference system then redirected all the logins to this system during the changeover period. You would want to take away authority for S_OC_SEND (so that no one would create bogus output and send it) you may want to disabe some parts of S_SPO_DEV so that some kinds of spool are not inadvertantly created and you may want to go into SM13 and disable updating (this doesn't mean that changes can't be made but a lot of changes could be disabled).
You certainly would want to have a system message appear that warned users not to post changes.
In short it is a mess.
Another strategy would be to create twenty or thirty display only ids and then publish the user ids and passwords and lock all the existing named users. They can use an anonymous id for a few days. This presumes that you don't have a lot of sensitive data in the system.
_________________
bwSecurity