‎2015 Oct 02 9:59 PM
Hi All,
As we are a global company with almost 130 servers (including Dev, QAS & PROD), it is very difficult to maintain the routine security activities for user validity extension. Note that we have explored enough possibilities with CUA, but due to some specific concerns we are not proceeding with it.
We are developing a program to extend the validity period of our internal sap users using BAPI_USER_CHANGE.
Process steps followed to perform this activity.
1. A text file is uploaded with user ID, email, first name, last name, expiry date & extension date as columns, and the same has been populated into an internal table.
2. Now I need to pass this internal table to the BAPI.
LOOP AT lt_extension ASSIGNING FIELD-SYMBOL(<lt_extension>).
  lv_username = <lt_extension>-user_id.
  " ... CALL FUNCTION 'BAPI_USER_CHANGE' with lv_username goes here
ENDLOOP.
This code will work fine if the user exists in the same system. Now we need to extend the same by providing multiple destinations.
Queries
What is the best approach to perform this?
1. Get all RFC destinations from the RFCDEST table, loop over them and fill DESTINATION with wa_destination-RFCDEST.
2. We are planning to execute the program in background, so STARTING NEW TASK won't be an ideal solution.
3. IN BACKGROUND TASK allows only a single destination to be chosen at a time. Not sure about performance.
Kindly provide some hints/suggestions to move forward.
Ram
‎2015 Oct 05 4:32 PM
Based on the large number of destinations and the information in ABAP Help, I suspect that 'STARTING NEW TASK IN GROUP' would be a better solution.
Note that 'BACKGROUND TASK' actually has nothing to do with background jobs (it's a common confusion). I have not used 'STARTING NEW TASK' before, but there is nothing in the documentation saying that it can't be run in a background job.
The differences between the 3 DESTINATION commands are in the RFC execution: synchronous, asynchronous, tRFC/qRFC. Since this program will run only every N days (it seems), I don't think it matters much.
As a side note, I still believe this DIY user management is just a very bad idea. And it'll be a headache for IT to maintain: what if the file does not arrive? What if there is an error? Who will be watching this interface? The company would be much better off adopting a more solid user management solution IMHO, especially considering the sensitivity.
P.S. Besides, if someone manages the user removal from AD, then why not provide them a web service or something from SAP, so that they could also remove the SAP access? At least this would be a more streamlined process with fewer potential failure points...
‎2015 Oct 03 4:28 AM
Can't you just set the date farther in the future, so that you don't have to extend it all the time? We were SOX compliant at one point, but even then we didn't extend validity dates. We simply deleted/locked the accounts when people left the company or accounts were not used. Also, not using CUA is a big mistake here IMHO.
How many user IDs will this program process and how frequently?
‎2015 Oct 03 7:45 AM
Hi Jelena
Thanks for your reply.
As we are a Pharma-based company where 40% of IT people are contractors, their access and validity dates are strictly captured. As you know, in Pharma we follow a strict process where security violations won't be tolerated.
We will have internal audits every 15 days, and usually the Security folks have to deal with 150-200 persons across the globe. The issue is that consultants' IDs are universally maintained in Active Directory but their SIDs are not stored. So it's a hectic job to manually log in to each and every system, check for the user ID and perform the actions.
We cannot just delete the IDs from SAP, as during audits it will be a serious violation, and moreover we used to take in the same consultants when some build activities are required. So for the time being we just deactivate the user, remove his/her roles, and the Valid To date will be maintained as the last working day.
Any suggestions are appreciated.
Ram.
‎2015 Oct 03 10:39 AM
Dear Ram,
If I understand your requirement correctly...
You want to extend the user's validity period by executing this program, correct?
Why don't you have a program that runs in background (in all servers) that will send out an email to a common ID / the security persons 7 days before their validity period is going to expire?
So accordingly the individual person can take care...
Regards,
Venkat
‎2015 Oct 03 11:08 AM
Hi Venkateswaran,
Thanks for your reply.
I appreciate your idea. But still manual work is involved. We are just working on some automation. I can think of it as a workaround.
Still, just imagine the overhead of running a background job in all servers for this purpose; seems a little tricky, right?
All suggestions are welcome. Thanks for your time.
Ram
‎2015 Oct 03 6:55 PM
Dear Ram
I have a couple of questions.
You said that a text file is uploaded. Is that uploaded to a shared folder which all your servers can access?
Does your text file contain the comprehensive list of all users across all systems?
Regards,
Venkat
‎2015 Oct 03 7:20 PM
Hi Venkat,
Let me explain the process again.
1. The business unit will send a list of users to be terminated to the Active Directory team. The team will perform the deletion in Active Directory.
2. Using webMethods we will transfer the processed file to the application server in SAP.
3. Using a custom program the file is read, and the actions need to be performed in SAP.
Active Directory is just a central repository to check whether a user is in the company or not. It won't give comprehensive information. It just deletes the user. It won't have any SID details. It will just populate the SAP User ID.
Using this ID we need to manually check all the systems and perform the action. Quite tedious, right?
Ram
‎2015 Oct 03 7:33 PM
Thanks Ram, I know about the ADS; however, I want to know the details of the text file and your process.
Okay,
Can you review this approach?
1. Write your program/logic in the form of a function call (SE37).
2. Make that function remote-enabled.
3. Make this function available in all servers.
4. Create an RFC destination matrix between your main system and the other systems using the Tcode SM59.
5. Write a main program in your main system (put it in a job) that calls the RFC destinations in sequence and updates the user details.
Regards,
Venkat
‎2015 Oct 03 7:53 PM
Hi Venkat,
Yes, I agree with your approach. I don't have to build an FM, as standard BAPIs will serve my purpose.
I have created a Z program to fetch the details from the application server, and the internal tables are built. Now I only need to pass this data to BAPI_USER** to perform the actions.
"calls the RFC destinations in sequence and updates the user details"
This is where I am stuck. I am not sure which approach I need to go for. Kindly suggest some hints, or let me know if any of my 3 approaches mentioned above will suit the purpose. If yes, which will be best?
Thanks for your kind reply.
Ram
‎2015 Oct 03 7:58 PM
Dear Ram,
Hope you know SM59 - to create the RFC destination.
Name the RFC destination of one server as, say, RFC-TO-SERVER1.
The main program that calls the RFC destination will look like this. I hope BAPI_USER_CHANGE is RFC-enabled.
You need to add the DESTINATION parameter only.
REPORT zrfc_job.
CALL FUNCTION '<YOUR RFC NAME>'
  DESTINATION 'RFC-TO-SERVER1'
  EXPORTING
    <your internal table> = ... etc.
  EXCEPTIONS
    communication_failure = 1
    system_failure        = 2.
Please let me know if you need any information.
Regards,
Venkat
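A fuller version of that call, as an added example (not Venkat's or Ram's code): it loops over a list of destinations and users, sets only the Valid To field through BAPI_USER_CHANGE ... DESTINATION, and records RFC failures and BAPI RETURN errors per system instead of stopping or skipping silently, which is what an audit of an extension run needs. Destination names, user IDs and dates are constructed placeholders; the real program fills them from SM59 and the uploaded file.

```abap
REPORT zuser_validity_extend.
TYPES: BEGIN OF ty_extension,
         user_id  TYPE bapibname-bapibname,
         valid_to TYPE bapilogond-gltgb,
       END OF ty_extension.
DATA: lt_extension TYPE STANDARD TABLE OF ty_extension,
      lt_dest      TYPE STANDARD TABLE OF rfcdest,
      ls_logon     TYPE bapilogond,
      ls_logonx    TYPE bapilogonx,
      lt_return    TYPE STANDARD TABLE OF bapiret2,
      lv_msg       TYPE c LENGTH 255.

" Constructed sample input; the real program fills this from the uploaded file.
lt_extension = VALUE #( ( user_id = 'CONSULT01' valid_to = '20151231' )
                        ( user_id = 'CONSULT02' valid_to = '20160331' ) ).
" Placeholder destination names; take the real list from the SM59 definitions.
lt_dest = VALUE #( ( 'RFC-TO-SERVER1' ) ( 'RFC-TO-SERVER2' ) ).

LOOP AT lt_dest INTO DATA(lv_dest).
  LOOP AT lt_extension ASSIGNING FIELD-SYMBOL(<ls_ext>).
    CLEAR: ls_logon, ls_logonx, lt_return.
    ls_logon-gltgb  = <ls_ext>-valid_to.
    ls_logonx-gltgb = 'X'.            " change only the Valid To field

    CALL FUNCTION 'BAPI_USER_CHANGE' DESTINATION lv_dest
      EXPORTING
        username   = <ls_ext>-user_id
        logondata  = ls_logon
        logondatax = ls_logonx
      TABLES
        return     = lt_return
      EXCEPTIONS
        communication_failure = 1 MESSAGE lv_msg
        system_failure        = 2 MESSAGE lv_msg.
    IF sy-subrc <> 0.
      " Unreachable or failing system: record it and move on, never skip silently.
      WRITE: / lv_dest, <ls_ext>-user_id, 'RFC failure:', lv_msg.
      CONTINUE.
    ENDIF.
    " The BAPI reports per-user problems (e.g. no such user on this system) in RETURN.
    LOOP AT lt_return INTO DATA(ls_ret) WHERE type CA 'EA'.
      WRITE: / lv_dest, <ls_ext>-user_id, ls_ret-message.
    ENDLOOP.
    IF sy-subrc <> 0.                 " no E/A message: persist on the remote system
      CALL FUNCTION 'BAPI_TRANSACTION_COMMIT' DESTINATION lv_dest
        EXPORTING wait = 'X'.
      WRITE: / lv_dest, <ls_ext>-user_id, 'Valid To set to', <ls_ext>-valid_to.
    ENDIF.
  ENDLOOP.
ENDLOOP.
```

The commit is sent to the same destination as the BAPI call, since each remote system keeps its own LUW.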
‎2015 Oct 05 7:26 PM
Hi Jelena
Thanks for your kind reply.
Regarding CUA, our management is not interested as they are quite happy with Active Directory. For SAP alone they are not ready to implement the integrated control.
Sorry for giving a wrong impression. Actually I meant that, as per the following document, STARTING NEW TASK will utilize a dialog work process. As I believe every SAP server system will have predefined dialog WPs assigned, how will this control be enabled in background?
Parallel Processing - ABAP Development - SCN Wiki
Ram
‎2015 Oct 05 7:38 PM
Ram, I think you should check with your Basis admin on the processes. It's not really an ABAP question. Not sure if the wiki article is even accurate; usually I take such unofficial (and also old, 2009) information with a grain of salt.
Still I agree with Gretchen as well - use a proper solution instead of DIY.
‎2015 Oct 05 4:55 PM
Ram,
Had you posted this question in the Security space, you probably would have gotten the right answer straight away. If CUA is not practical for whatever reason, IMHO the best approach to this challenge is option 4: using your organization's identity management solution to manage user validity both in the AD and in the managed apps, including SAP systems. Your proposed homegrown solution sounds like far too much work and risk. When the manager goes into IdM and manages the contractors' validity dates centrally across your landscape, you have much better control. When the contractors terminate, if the termination date was not already set, the manager can log into IdM again and terminate their accounts centrally, no muss, no fuss.
Regards,
Gretchen
‎2015 Oct 05 7:28 PM
Hi Gretchen,
Thanks for your kind reply.
I will check and update soon.
Ram