Hi All,

thanks a lot for your inputs. Bernhard's recommendation seems to be very useful and i will try that. Adding to what we have here is that we have almost 8 Abap stack applications in our environment and we use CUA for user management. So using a template user etc may not be feasible. We are looking for a solution where role assignment automatically happens for any user created whatever way it is created.

i will see how we can fit Bernhard's recommendation in our setup. Another way i was thinking was to run a background job which check for missing default roles and assigns them. But this may be a security challenge.

Yogesh

> missing default roles

If the default role(s) exist in all systems and are the same, then you can also consider encapsulating the role(s) into one reference user (not to be mistaken for a template user) and assign this reference user at the time of creation already.

The user BAPI for creating (or changing) users offers the option of adding one reference user for additional authorizations at the time of creation already. You can avoid the problem with locks on roles this way and the BAPI takes care of all the LUW aspects in the same commit at the end ( at the latest.. ).

Additional advantage is that with huge numbers of users, you have a performance gain in that the user buffer is only loaded once for the reference user and available to all others it is assigned to.

Downside is that you can only have one reference user assigned at one ponit in time - but this is probably a good thing...

IMO a "common role" for all users only makes sense if you ensure that the role is truely "watertight" and the same objects (which will by proposed by other transactions!) are not making it obsolete anyway.

If you add too much access to this common role it will make you lazy when building other roles; you should be carefull of this when expecting those roles to work correctly or wonder when restrictions to them don't work, because it is very difficult to restrict a role assigned to all users with a diversity of other roles.

Cheers,

Julius

Hi Julius,

I've tried your recommendation. Here is what I did:

1. Created a user called REFUSER (as a reference user) with the common role, which should be assigned to all the users.

2. Checked the BAPI - BAPI_USER_ACTGROUPS_ASSIGN.

But, I didn't find any option to include a Activity Group.

Can you provide a more step by step approach to achieve this?

Rgds,

Raghu

It is initially a change to the user's master record with only an indirect assignment to the roles (aka activity groups).

So, what you are looking for is BAPI_USER_CHANGE.

It will then subsequently make the same checks as assigning the roles and profiles directly, but doesn't actually do it. This must already have been done to the REFUSER itself.

Note that you can only assign one reference user at one ponit in time, and cannot cascade the reference users for referenence users. So, there is no "enabler" user option, incase that was going to be your next question

Cheers and nice to see you back again,

Julius

Hi Raghu,

You can assign the reference user (with the common role assignments) when you are using BAPI_USER_CREATE1 or BAPI_USER_CHANGE

Hi

Sorry if I'm picking up a slightly old thread here, I've used reference users during mass swap of roles to users in end markets which worked fine but I did get some worrying emails from the users saying purchase order and sales order prints had defaulted to the reference user ID during the removal/assignment period.

Maybe this was something that had been caused by system config - not sure.

I do like the option of using this REF user (the performance issue mentioned is a real plus which I hadn't thought about) but would a REFUSER name on a document sent/emailed to a customer or vendor be an issue? edit - presumption being printing is in the common role - edit

I think the postings do really show the real dialog user in SAP but just from a purchasing/sales point of view I wondered about this...

Cheers

David

Edited by: David Berry on Oct 16, 2010 3:40 PM

This is illogical but still possible if the developer tried to determine the intended user's authority from a workflow or batch processing unit of work via the check FOR USER abc, which already had a refetence user xyz.

This means you can cascade the reference user authorizations one user further but not all three at the same time. If the program found the refuser to be authorized and returned that user's name back to the program then I would class it as a programming error to overwrite the name of the user being checked against by that of their own authorizations (which is what a reference user is).

Which tcode did this happen in?

Cheers,

Julius

Hi Julius

This came for VA01 and VL01N but that's as much as I could gather from them unfortunately (end users and manager's frantic emails were all I had to work from) before I deleted the REF user link in SU01.

I would still use it for mass maintenance of role assignments - better than no access at all if they are being LSMW'd but it may be that the printing issue in a base role doesn't matter if at these tcode levels and not SP02?

Cheers

David

Hmmm... I have seen this sort of thing in background processing and RFC (for example, see [SAP Note 999004 - user switches in RFC debugging|https://service.sap.com/sap/support/notes/999004] and [User switch in inbound LUW|https://service.sap.com/sap/support/notes/926261] for some infos) but this is a programming error.

In custom code I have once seen a construct where instead of checking the authority of a user to perform a task, the program determined the user's authority to automatically perform tasks they were authorized for. The refuser wasn't considered initially.

Another possibility is that the refuser had sufficient auths to initiate LUW's for the dialog user in their own context, but these were not sufficient to complete them. When you removed the refuser, the FOR USER auth check failed and the task was handed back to the background processing.

Sometimes, less is more...

These are nice examples (albeit complicated ones) why maintaining SU24 is at best a developer task (it also makes S_DEVELOP authority-checks...) and building roles should ideally be done together with the developer or good documentation to rely on.

At the time of creating programs, the developer knows most about how it works and what it restricts. This also means that security folks can influence the coding and simplify the concept (for example to use existing authorizations with the same semantics already in place for the users).

Cheers,

Julius