Point & click is the game changer for SAP Security teams

From an authorizations perspective, the tech stack of SAP ABAP-based applications has undergone very few changes over the last couple of decades. SU01, SU10 and PFCG have been around for a long, long time, and they continue to play a major role in the way application security teams administer their systems.

Except there is a problem

T-code based administration is cumbersome, painfully slow and inefficient at scale. SAP teams know this and try to mitigate the issue by employing one or more of the below methods to better manage user administration in SAP.


CUA (Central User Administration)
ECATT Scripts
LSMW
Custom Programs
Access / SQL Database

Since the SAP user ID is the primary key to all user administration functions, getting the user ID is critical, but business and functional teams don't necessarily need to have that information. Simple queries, like getting user IDs from emails or from complete names, mean joining multiple tables using a combination of VLOOKUP or SQL. And once we have a list of SAP IDs, the job is only half done: the task has to be completed in multiple systems, which often means signing into multiple boxes serially.

Here are some tasks routinely performed by SAP administrators in all SAP projects.

Scenario 1: Based on a list of email IDs of users who have left the company, deactivate users across all clients and servers.

Here is how this is traditionally addressed.

1) Find the user IDs based on email addresses: use tables ADR6 and USR21 to get a list of address numbers and map them back to user IDs.

2) Now that we have the user IDs, log in to SU10, deactivate the user IDs and put them in a group for terminated users.

3) Log in to every box where the users are present and repeat the SU10 activities with the list of users we have.
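
Step 1 above, sketched as an added example (not part of xCUA or the original post): it joins ADR6 to USR21 on address number and person number for each system and lists the leaver addresses that match no account, so nobody is silently skipped. It assumes both tables were exported to CSV per system; the system labels, user IDs and addresses are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data: per-system CSV exports of ADR6 and USR21.
# System labels, user IDs and addresses are made up for illustration.
EXPORTS = {
    "PRD/100": {
        "ADR6": "ADDRNUMBER,PERSNUMBER,SMTP_ADDR\n"
                "1001,2001,Jane.Doe@example.com\n1002,2002,sam.lee@example.com\n",
        "USR21": "BNAME,PERSNUMBER,ADDRNUMBER\nJDOE,2001,1001\nSLEE,2002,1002\n",
    },
    "QAS/200": {  # same mail address on two accounts; SLEE does not exist here
        "ADR6": "ADDRNUMBER,PERSNUMBER,SMTP_ADDR\n"
                "5001,6001,jane.doe@example.com\n5002,6002,jane.doe@example.com\n",
        "USR21": "BNAME,PERSNUMBER,ADDRNUMBER\nJDOE,6001,5001\nTEST_JD,6002,5002\n",
    },
}
LEAVERS = ["jane.doe@example.com", "SAM.LEE@example.com", "old.contractor@example.com"]

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def resolve_leavers(emails, exports):
    """Return ({system: {email: [user IDs]}}, [(system, email) with no user])."""
    wanted = {e.strip().lower() for e in emails}  # assumption: compare case-insensitively
    found, unresolved = {}, []
    for system, tables in sorted(exports.items()):
        # ADR6: (address number, person number) -> mail address, leavers only
        addr_to_email = {}
        for r in rows(tables["ADR6"]):
            email = r["SMTP_ADDR"].strip().lower()
            if email in wanted:
                addr_to_email[(r["ADDRNUMBER"], r["PERSNUMBER"])] = email
        # USR21 carries the same key pair per user ID, so the join yields user IDs
        per_email = defaultdict(set)
        for r in rows(tables["USR21"]):
            email = addr_to_email.get((r["ADDRNUMBER"], r["PERSNUMBER"]))
            if email:
                per_email[email].add(r["BNAME"])
        found[system] = {e: sorted(u) for e, u in per_email.items()}
        # Addresses with no account in this system are reported for manual review
        unresolved += [(system, e) for e in sorted(wanted - set(per_email))]
    return found, unresolved

if __name__ == "__main__":
    found, unresolved = resolve_leavers(LEAVERS, EXPORTS)
    print(found)
    print(unresolved)
```

The per-system user ID lists are what gets pasted into SU10 in steps 2 and 3; the unresolved pairs show where an address is unknown in a system and needs a separate lookup.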

Scenario 2: There is a new test project and a need to set up the test scenario for 75 test IDs.

1) Download USR02 and AGR_USER tables for the 60 IDs

2) Create the users in batches based on role and other attributes.

3) Download USR02 and AGR_USER tables again and validate in Excel using VLOOKUP.

Scenario 3: Set up a new dev team member across boxes, based on a model-after user.

1) Find the permissions of the model-after user in each of the dev/QA/staging boxes.

2) Create the user based on the permissions above across the individual boxes.

Here is a better approach

xCUA: SU01 + PFCG + Spreadsheets

xCUA makes the leap from t-codes and tables to point, click and execute for all user & role administration activities.

This fundamentally different approach to user administration changes our approach to these scenarios in multiple ways.

1) Single point of entry for multiple systems.

2) Advanced filter and search across applications.

3) Point, click and execute multiple user/role administration activities.

Now let's look at the scenarios again using a tool like xCUA.

Scenario 1: Based on a list of email IDs of users who have left the company, deactivate users across all clients and servers

xCUA provides advanced search across all boxes for every field. This lets us search for a whole list of users across boxes in a single click.

It's as simple as copying and pasting your IDs and clicking deactivate.

Power your team with xCUA.

Try xCUA, free for the first 30 days.
Contact us for a live demo.