Re: [sap-security] Working of SUIM


Posted by kedarkulkarni60 (Basis and Security)
on Sep 8 at 12:18 AM
Also, you can run the pfcg_time_dependency standard job, which removes the role from the user after the expiry date.


Sent on my BlackBerry® from Vodafone

-----Original Message-----
From: "Sonia via sap-security" <sap-security@Groups.ITtoolbox.com>
Date: Tue, 7 Sep 2010 23:02:17
To: Kedar Kulkarni email@removed
Reply-To: sap-security@Groups.ITtoolbox.com
Subject: Re: [sap-security] Working of SUIM



Asif,

> Question:
> If I run a query on 8th of September in SUIM looking for users which have
> e.g. access to S_TCODE SU01. This TCODE is only covered by role 1 with the
> end date 31.12.2009.
> Will SUIM report the user even if the role has an end date which has passed
> (31.12.2009)?

Yes, since it is still in the user validity period.

> Further, which of the following is best practice or preferred when a user
> changes function:
> 1. Delete the role that the user does not need anymore or
> 2. Put an end date for the role that is not needed anymore.
> I myself have preferences for option 1, considering that somebody working
> for a company for 20 years and changing jobs every 3/4 years, option 2 would
> be from maintenance and risk perspective less desirable. Further considering
> SUIM it may result in not accurate results.

Go with 1. Safer side with SOD.

Thank you,
Sonia
On Tue, Sep 7, 2010 at 9:59 PM, asifali via sap-security <
sap-security@groups.ittoolbox.com> wrote:

> Posted by asifali (BBA RE CIA CISA)
> on Sep 7 at 11:01 PM
>
> SAP Gurus,
>
> I have a question regarding the working of SUIM. Let's say you have the
> following hypothetical situation.
>
> User: KLM1234
> User Validity: 31.12.9999
> Roles (1): Z_Tasks_for_administrator => Role validity till 31.12.2009
> Roles (2): Z_Reporting_For_Finance => Role validity till 31.12.9999
>
> Question:
> If I run a query on 8th of September in SUIM looking for users which have
> e.g. access to S_TCODE SU01. This TCODE is only covered by role 1 with the
> end date 31.12.2009.
>
> Will SUIM report the user even if the role has an end date which has passed
> (31.12.2009)?
>
> Further, which of the following is best practice or preferred when a user
> changes function:
> 1. Delete the role that the user does not need anymore or
> 2. Put an end date for the role that is not needed anymore.
>
> I myself have preferences for option 1, considering that somebody working
> for a company for 20 years and changing jobs every 3/4 years, option 2 would
> be from maintenance and risk perspective less desirable. Further considering
> SUIM it may result in not accurate results.
>
> Waiting for your reply!
>
> Kind Regards,
> Asif

Copyright © 2010 Toolbox.com and message author.
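
An added example (not part of the thread and not SAP code): one way to cross-check a list of users reported for a transaction against the role assignment end dates, using the scenario from the question. The start dates, the ZFIN_REPORT transaction and the tuple layout are constructed assumptions.

```python
from datetime import date, datetime

def sap_date(text):
    """Parse DD.MM.YYYY as written in the thread (31.12.9999 = open-ended)."""
    return datetime.strptime(text, "%d.%m.%Y").date()

# Constructed sample data modelled on the question. Start dates, the
# ZFIN_REPORT transaction and the tuple layout are assumptions.
USERS = {"KLM1234": ("01.01.2005", "31.12.9999")}
ASSIGNMENTS = [  # (user, role, valid_from, valid_to)
    ("KLM1234", "Z_Tasks_for_administrator", "01.01.2005", "31.12.2009"),
    ("KLM1234", "Z_Reporting_For_Finance", "01.01.2005", "31.12.9999"),
]
ROLE_TCODES = {
    "Z_Tasks_for_administrator": {"SU01"},
    "Z_Reporting_For_Finance": {"ZFIN_REPORT"},
}

def in_window(start, end, as_of):
    """True when as_of lies inside the inclusive validity period."""
    return sap_date(start) <= as_of <= sap_date(end)

def classify(tcode, as_of):
    """Split users holding tcode through a role into date-valid and expired-only."""
    result = {"valid": {}, "expired_only": {}}
    for user, role, start, end in ASSIGNMENTS:
        if tcode not in ROLE_TCODES.get(role, set()):
            continue
        if not in_window(*USERS[user], as_of):
            continue  # the user record itself is outside its validity period
        bucket = "valid" if in_window(start, end, as_of) else "expired_only"
        result[bucket].setdefault(user, []).append(role)
    # A user with at least one date-valid assignment is not "expired only".
    for user in result["valid"]:
        result["expired_only"].pop(user, None)
    return result

def stale_assignments(as_of):
    """Assignments whose end date has passed: candidates for removal."""
    return [(u, r, end) for u, r, _, end in ASSIGNMENTS if sap_date(end) < as_of]

if __name__ == "__main__":
    run_date = date(2010, 9, 8)  # the query date used in the question
    print(classify("SU01", run_date))
    print(stale_assignments(run_date))
```

Users that land in `expired_only` hold the transaction only through an assignment whose end date has passed, which is the case the question asks about.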
