Find obsolete SAP roles (not assigned for X days)

Hi,

from time to time I get in the mood to clean up one or two SAP systems – and lately, I was looking for obsolete roles, which weren’t assigned to anybody for a long time (e.g. used at least 365 days ago).

While looking around in SUIM and change documents, the developer inside me became more and more delighted – because there is no SAP standard solution for this → time for some R&D. 😛

Report

Here we go:

  • Create a new report in SE38 and paste this source code (don’t forget to set a program authorization group *cough*).
  • There’s no need to edit any of the selection texts, as they’re defined inside the report…
  • Activate & execute the program.

Usage

The report allows you to select:

  • the role names (all SAP standard roles excluded per default),
  • the user who created the role (default exclusion: “SAP”) and
  • the days since the role’s last assignment to any user (default: 180).

Result

The result consists of the following columns:

  • Role: well… the role name
  • Creation date: the role’s creation date
  • Change date: the date of the role’s last change
  • Removal date: the date of the last removal from a user
  • Removed by: the user, who performed the removal
  • Role name: the role description
  • 3 status indicator fields:

Role type:

The role type shows, whether it is a single or
composite role (using the standard SAP icons).

Status:

This icon equals to the traffic light icons on PFCG’s “Authorizations” tab
(→ green: generated, yellow: action required, red: not generated).
For composite roles, this field stays empty (since they have no profile).

SR used in CR:

For single roles, this icon indicates if the role is assigned to a composite
role (glowing bulb) or not (dark bulb). Of course, this makes no sense
for composite roles – so the field is empty then.

Final words

Obsolete / superfluous / unused roles on productive systems should be removed before they get moldy!

Happy holidays!

One comment

  1. Thanks for sharing all this info! Very interesting reading. I hope you will write about HR authorizations some day.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.