from time to time I get in the mood to clean up one or two SAP systems – and lately, I was looking for obsolete roles, which weren’t assigned to anybody for a long time (e.g. used at least 365 days ago).
While looking around in SUIM and change documents, the developer inside me became more and more delighted – because there is no SAP standard solution for this → time for some R&D. 😛
Here we go:
- Create a new report in SE38 and paste this source code (don’t forget to set a program authorization group *cough*).
- There’s no need to edit any of the selection texts, as they’re defined inside the report…
- Activate & execute the program.
The report allows you to select:
- the role names (all SAP standard roles excluded per default),
- the user who created the role (default exclusion: “SAP”) and
- the days since the role’s last assignment to any user (default: 180).
The result consists of the following columns:
- Role: well… the role name
- Creation date: the role’s creation date
- Change date: the date of the role’s last change
- Removal date: the date of the last removal from a user
- Removed by: the user, who performed the removal
- Role name: the role description
- 3 status indicator fields:
The role type shows, whether it is a single or
composite role (using the standard SAP icons).
This icon equals to the traffic light icons on PFCG’s “Authorizations” tab
(→ green: generated, yellow: action required, red: not generated).
For composite roles, this field stays empty (since they have no profile).
SR used in CR:
For single roles, this icon indicates if the role is assigned to a composite
role (glowing bulb) or not (dark bulb). Of course, this makes no sense
for composite roles – so the field is empty then.
Obsolete / superfluous / unused roles on productive systems should be removed before they get moldy!
Thanks for sharing all this info! Very interesting reading. I hope you will write about HR authorizations some day.