Automate sap security user audit

Getting Started Newsletters Store
Search the CommunityWelcome, Guest Login Register
Added by Guest, last edited by Manish Kumar on Jul 17, 2013
Code Gallery
Automate SAP Security user audit
Introduction:
It is a good practice to keep the users in the SAP system landscapes up to date. In my experience, I find most of the SAP systems have user IDs that were created way back. This may cause issues with
one of the following:
SAP Licensing
Delays in user master records reconciliation.
Mirror IDs
May give option to others to perform activities with the user IDs who left the organization.
As mentioned, it is always recommended to keep the user master record up to date. This article helps you to create a strategy within the SAP Security and also helps the other departments such as HR to
understand the criticality of notifying the SAP Security team when a team/project member leaves the organization/project.
It is recommended to define the strategy, such as the period of inactivity of the user IDs, user groups that should be excluded etc., before you proceed with implementing the below recommended solution.
Also, this article helps you to automate the SAP User audit and provides a list of users that can either removed/locked in the SAP system.
For easy understanding, following are the reporting limitations that I've considered:
Will pick only the users IDs who haven't logged into the system from the last 180 days.
Will ignore the users who belong to SUPER, TERMINATE etc.,
Will only look for the Dialog users.
Create a Z Program
The RSUSR200 report that is supplied with your SAP system can also be used to generate a list of users with the mentioned limitations. However, there are a few limitations using it. To further narrow down
the list of users, I recommend using the program included in this article.
Create a Background job to schedule the Z Program to run periodically
To create a background job, perform the following steps:
1. Go to SM36 (Define Background job) transaction.
2. Enter a job name (for eg: Z-User_Audit_PRD)
3. Select the Job class (This can be a C class job as it require very less time.)
4. Click Start condition and click Date/Time. Mention a date/time to run the job and check the "Periodic job" check box.
5. Click the Period Values button and select Monthly.
6. Click Step button, and click ABAP Program. Mention the program name that was created.
7. Select No, when you are prompted to add additional steps.
8. Click "Spool list recipient" button, and provide a Recipient name (can be your sap user ID or an external mail ID.)
9. Click Copy button and Save to save the background job.
Note: You should have permission to create background jobs in the system. Also, it is recommended to run the background job with any super user/batch user, so that no further changes
are required.
The background job now will run the ABAP program and will send you the list of users who haven't logged in to the system from the last 180 days. Once the list is generated, you can discuss with the
corresponding managers and see which user IDs are required/not required and delete them from the system.
ABAP Code
REPORT z_list_users.
TYPE-POOLS: slis.
TABLES: usr02.
CONSTANTS:
c_typdia TYPE usr02-ustyp VALUE 'A'. "Dialog
SELECT-OPTIONS:
s_class FOR usr02-class NO-DISPLAY.
DATA: w_class LIKE LINE OF s_class.
DATA: w_date TYPE usr02-trdat.
TYPES: BEGIN OF w_usr02_ty,
bname TYPE usr02-bname,
class TYPE usr02-class,
ustyp TYPE usr02-ustyp,
aname TYPE usr02-aname,
erdat TYPE usr02-erdat,
Automate SAP Security user audit - Code Gallery - SCN Wiki http://wiki.scn.sap.com/wiki/display/Snippets/Automate+SAP+Securit...
1 of 4 3/21/2014 7:31 PM

gltgb TYPE usr02-gltgb,
trdat TYPE usr02-trdat,
ltime TYPE usr02-ltime,
bcda1 TYPE usr02-bcda1,
END OF w_usr02_ty.
DATA: t_usr02 TYPE TABLE OF w_usr02_ty.
DATA: t_fcat TYPE slis_t_fieldcat_alv,
w_fcat_ds TYPE slis_fieldcat_alv.
*-------------------------------------------------------------------*
START-OF-SELECTION.
* 3. User groups - SUPER, HR TERMINATE, INACTIVE, OBSOLETE, TERMINATED should be excluded.
PERFORM exclude_groups.
* 1. No. days since last logon: 90 (If a user logged in in the last 90 days, he should not be picked in the list)
w_date = sy-datum - 90.
* Select the users from USR02 for the conditions.
SELECT bname class ustyp aname erdat gltgb trdat ltime bcda1
FROM usr02
INTO TABLE t_usr02
WHERE ustyp = c_typdia " * 2. Only Dialog (User type A) should be considered.
AND class IN s_class
AND trdat LT w_date.
IF sy-subrc NE 0.
MESSAGE 'No users found' TYPE 'I'.
ENDIF.
PERFORM build_fieldcat.
* Display the selected users in pop-up window (in foreground)
CALL FUNCTION 'REUSE_ALV_POPUP_TO_SELECT'
EXPORTING
i_title = 'Users'
i_selection = ' '
i_zebra = 'X'
i_screen_start_column = 10
i_screen_start_line = 2
i_screen_end_column = 130
i_screen_end_line = 20
i_tabname = 'T_USR02'
it_fieldcat = t_fcat
TABLES
t_outtab = t_usr02
EXCEPTIONS
program_error = 1
OTHERS = 2.
IF sy-subrc <> 0.
MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
ENDIF.
*&--------------------------------------------------------------------*
*& Form exclude_groups
*&--------------------------------------------------------------------*
FORM exclude_groups.
CLEAR w_class.
w_class-sign = 'E'.
w_class-option = 'EQ'.
w_class-low = 'SUPER'.
APPEND w_class TO s_class.
CLEAR w_class.
w_class-sign = 'E'.
w_class-low = 'HR TERMINATE'.
2 of 4 3/21/2014 7:31 PM

CLEAR w_class.
w_class-sign = 'E'.
w_class-low = 'INACTIVE'.
CLEAR w_class.
w_class-sign = 'E'.
w_class-low = 'OBSOLETE'.
CLEAR w_class.
w_class-sign = 'E'.
w_class-low = 'TERMINATED'.
ENDFORM. "exclude_groups
*&--------------------------------------------------------------------*
*& Form build_fieldcat
*&--------------------------------------------------------------------*
FORM build_fieldcat.
DATA: w_col_pos TYPE syst-cucol.
REFRESH t_fcat.
CLEAR w_fcat_ds.
w_fcat_ds-fieldname = 'BNAME'.
w_fcat_ds-tabname = 'T_USR02'.
ADD 1 TO w_col_pos.
w_fcat_ds-col_pos = w_col_pos.
w_fcat_ds-seltext_m = 'User'.
APPEND w_fcat_ds TO t_fcat.
CLEAR w_fcat_ds.
w_fcat_ds-fieldname = 'CLASS'.
ADD 1 TO w_col_pos.
w_fcat_ds-seltext_m = 'Group'.
CLEAR w_fcat_ds.
w_fcat_ds-fieldname = 'USTYP'.
ADD 1 TO w_col_pos.
w_fcat_ds-seltext_m = 'Type'.
w_fcat_ds-outputlen = 1.
CLEAR w_fcat_ds.
w_fcat_ds-fieldname = 'ANAME'.
ADD 1 TO w_col_pos.
w_fcat_ds-seltext_m = 'Created By'.
CLEAR w_fcat_ds.
w_fcat_ds-fieldname = 'ERDAT'.
ADD 1 TO w_col_pos.
w_fcat_ds-seltext_m = 'Created On'.
CLEAR w_fcat_ds.
w_fcat_ds-fieldname = 'GLTGB'.
ADD 1 TO w_col_pos.
3 of 4 3/21/2014 7:31 PM

~End of the article.
This report is similar to transaction code "RSUSR200_UNUSED30" or using RSUSR200 with variants. The only exception I can see is the user groups. I hope there should be few recommendations further
to enhance the capability of this report.
w_fcat_ds-seltext_m = 'Valid'.
CLEAR w_fcat_ds.
w_fcat_ds-fieldname = 'TRDAT'.
ADD 1 TO w_col_pos.
w_fcat_ds-seltext_m = 'Last logon Date'.
CLEAR w_fcat_ds.
w_fcat_ds-fieldname = 'LTIME'.
ADD 1 TO w_col_pos.
w_fcat_ds-seltext_m = 'Last logon Time'.
CLEAR w_fcat_ds.
w_fcat_ds-fieldname = 'BCDA1'.
ADD 1 TO w_col_pos.
w_fcat_ds-seltext_m = 'User locked'.
CLEAR w_fcat_ds.
ENDFORM. "build_fieldcat
security_faq
Follow SCN
Contact Us SAP Help Portal
Privacy Terms of Use Legal Disclosure Copyright
4 of 4 3/21/2014 7:31 PM

Automate sap security user audit

Recommended

Recommended

More Related Content

Similar to Automate sap security user audit

Similar to Automate sap security user audit (20)

Recently uploaded

Recently uploaded (20)

Automate sap security user audit