Automatic locking of accounts

Question: Hi all,
We would like to automatically lock SAP users when they are terminated in HR, and send a notification to the security team. Has anyone done this before? What are the requirements?

Answer:
Easily done with a custom ABAP that runs via Job. Talk to your programmers, give them the tables you would need to read (usr02), and the FM you need to run to lock the user. Not that difficult. I would say to run two of them like we do, one to lock users after a certain period of time, and another to totally remove them from the system. Both run concurrently daily after the system time change (next day), and it works like a charm. If you're running CUA, it will complicate things greatly, but can be done.


_________________
"SOX.. hmm .. Aren't they the baseball teams in Boston and Chicago?"

Kind Regards,

IamEvilHomer

(Wayne)

Answer:
Thanks Wayne.

We aren't using CUA so I think this should work nicely for us. We could also delete expired accounts with this kind of program.

While we can definitely use this kind of automatic user maintenance, this isn't exactly what I was thinking of. I was thinking more of having an account locked as soon as an employee is terminated. Since we have HR running, and HR are usually the first people to know about terminations, as soon as they enter a termination for an employee who has an SAP account, the account could be locked. Any ideas on this one would be greatly appreciated.

Mary

Answer:
Generally "the next day" is sufficient to render the id ineffective, but it requires you to implement security by position. Since a terminated employee defaults to position 99999999, the execution of RHPROFL0 will remove all access to the user. This would require all Ids to be maintained via "security by position" implementing infotype 0105 ST 0001 and assigning the access for the user to the position. RHPROFL0 is scheduled nightly. If there is an "emergency" termination, tcode PFUD can be executed.

You can also accomplish this with workflow.

Answer:
Thanks John, that gives me some ideas to work with!

Mary
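
The nightly lock job from the first answer, using the infotype 0105 subtype 0001 link between employee and user ID mentioned in a later answer, as an added example that is not code from any poster in this thread. The report name is hypothetical, and it assumes no CUA, that PA0000-STAT2 = '0' marks a terminated employee, and that the 0105 record is still valid after termination.

```abap
REPORT z_lock_terminated_users.
* Added example (hypothetical report name). Assumptions:
*  - PA0000-STAT2 = '0' marks a withdrawn (terminated) employee
*  - infotype 0105 subtype 0001 holds the SAP user ID in USRID
*  - no CUA: the lock is set locally with BAPI_USER_LOCK

TYPES: BEGIN OF ty_hit,
         pernr TYPE pa0000-pernr,
         usrid TYPE pa0105-usrid,
       END OF ty_hit.

DATA: lt_hits   TYPE STANDARD TABLE OF ty_hit,
      ls_hit    TYPE ty_hit,
      lt_return TYPE STANDARD TABLE OF bapiret2,
      lv_user   TYPE bapibname-bapibname,
      lv_uflag  TYPE usr02-uflag.

" Employees terminated as of today who have a system user assigned.
SELECT a~pernr b~usrid
  INTO TABLE lt_hits
  FROM pa0000 AS a INNER JOIN pa0105 AS b ON a~pernr = b~pernr
  WHERE a~stat2 = '0'
    AND a~begda <= sy-datum AND a~endda >= sy-datum
    AND b~subty = '0001'
    AND b~begda <= sy-datum AND b~endda >= sy-datum.

LOOP AT lt_hits INTO ls_hit.
  lv_user = ls_hit-usrid.
  TRANSLATE lv_user TO UPPER CASE.

  " Skip IDs that do not exist or already carry the administrator lock (bit 64).
  SELECT SINGLE uflag FROM usr02 INTO lv_uflag WHERE bname = lv_user.
  IF sy-subrc <> 0 OR ( lv_uflag DIV 64 ) MOD 2 = 1.
    CONTINUE.
  ENDIF.

  CLEAR lt_return.
  CALL FUNCTION 'BAPI_USER_LOCK'
    EXPORTING
      username = lv_user
    TABLES
      return   = lt_return.

  " One list line per user; the job spool is the record for the security team.
  LOOP AT lt_return TRANSPORTING NO FIELDS WHERE type = 'E' OR type = 'A'.
    EXIT.
  ENDLOOP.
  IF sy-subrc = 0.
    WRITE: / 'LOCK FAILED', lv_user, ls_hit-pernr.
  ELSE.
    WRITE: / 'LOCKED', lv_user, ls_hit-pernr.
  ENDIF.
ENDLOOP.
```

Scheduled as a background job, the list output lands in the job spool, which can be forwarded to the security team through the job's spool list recipient.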
Copyright © 2007 - 2008 www.jt77.com