The tech stack of SAP ABAP based applications has undergone very few changes over the last couple of decades from an authorizations perspective. SU01, SU10 and PFCG have been around for a long time and they continue to play a major role in the way application security teams administer their systems.
Except there is a problem
T-code based administration is cumbersome, painfully slow and inefficient at scale. SAP teams know this and try to mitigate the issue by employing one or more of the below methods to better manage user administration in SAP.
CUA (Central User Administration)
Access / SQL Database
Since the SAP user ID is the primary key for all user administration functions, obtaining the user ID is critical, but business and functional teams don't necessarily have that information. Simple queries such as getting user IDs from email addresses or from full names mean joining multiple tables with a combination of VLOOKUP or SQL, and once we have a list of SAP IDs the job is only half done, because the task has to be completed in multiple systems, which often means signing into multiple boxes one after another.
Here are some tasks routinely performed by SAP administrators in all SAP projects.
Here is how this is traditionally addressed.
1) Find the user IDs based on email addresses: use tables ADR6 and USR21 to get a list of address numbers and map them back to user IDs.
2) Now that we have the user IDs, log in to SU10, deactivate the user IDs and put them in a group for terminated users.
3) Log in to every box where the users are present and repeat the activities in SU10 with the list of users we have.
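As an added illustration (not part of the original post or of the xCUA product), here is step 1 of the termination scenario and a follow-up check, done with the "Access / SQL database" approach: the ADR6-to-USR21 join that turns email addresses into user IDs, plus a USR02 check for IDs that the SU10 run left unlocked. The tables are constructed in-memory SQLite copies using the standard column names; the user IDs, address numbers and email addresses are made-up sample values.

```python
import sqlite3

# Constructed sample rows shaped like the SAP tables named in step 1. Column names
# are the standard ones; address numbers, user IDs and e-mails are made-up values.
SCHEMA = """
CREATE TABLE ADR6  (ADDRNUMBER TEXT, PERSNUMBER TEXT, SMTP_ADDR TEXT);
CREATE TABLE USR21 (BNAME TEXT, PERSNUMBER TEXT, ADDRNUMBER TEXT);
CREATE TABLE USR02 (BNAME TEXT, UFLAG INTEGER, CLASS TEXT);
"""
SAMPLE = {
    "ADR6": [("0000000001", "0000000011", "alice@example.com"),
             ("0000000002", "0000000012", "bob@example.com"),
             ("0000000003", "0000000013", "carol@example.com")],
    "USR21": [("ALICE", "0000000011", "0000000001"),
              ("BOB", "0000000012", "0000000002"),
              ("BOB_RFC", "0000000012", "0000000002")],  # two IDs share one address
    "USR02": [("ALICE", 0, "ENDUSER"), ("BOB", 0, "ENDUSER"),
              ("BOB_RFC", 64, "TERMINATED")],             # 64 = locked by administrator
}

def build_sample_db():
    # In-memory SQLite stand-in for the downloaded tables.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn

def user_ids_for_emails(conn, emails):
    """Step 1: e-mail -> SAP user ID via ADR6 joined to USR21 on address and person
    number. Returns {email: [BNAME, ...]}; an empty list flags an unresolved address."""
    wanted = {e.strip().lower() for e in emails}
    result = {e: [] for e in wanted}
    sql = """SELECT lower(a.SMTP_ADDR), u.BNAME
             FROM ADR6 a JOIN USR21 u
               ON a.ADDRNUMBER = u.ADDRNUMBER AND a.PERSNUMBER = u.PERSNUMBER"""
    for email, bname in conn.execute(sql):
        if email in wanted:
            result[email].append(bname)
    return result

def not_yet_locked(conn, bnames):
    """Validation after step 2: IDs still lacking the administrator lock bit
    (USR02.UFLAG bit 64), i.e. the ones the SU10 run missed."""
    if not bnames:
        return []
    marks = ",".join("?" * len(bnames))
    sql = f"SELECT BNAME FROM USR02 WHERE BNAME IN ({marks}) AND (UFLAG & 64) = 0"
    return sorted(b for (b,) in conn.execute(sql, list(bnames)))
```

Addresses that resolve to no user, and addresses that resolve to more than one ID, are the cases that silently go wrong in a VLOOKUP, so the lookup returns a list per address rather than a single value.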
1) Download the USR02 and AGR_USER tables for the 60 IDs.
2) Create the users in batches based on role and other attributes.
3) Download the USR02 and AGR_USER tables again and validate in Excel using VLOOKUP.
1) Find the permissions of the model-after user in each of the dev/QA/staging boxes.
2) Create the user based on the permissions above in each individual box.
Here is a better approach
xCUA: SU01 + PFCG + Spreadsheets
xCUA makes the leap from t-codes and tables to point, click and execute for all user and role administration activities.
This fundamentally different approach to user administration changes our approach to these scenarios in multiple ways.
1) Single point of entry for multiple systems.
2) Advanced filter and search across applications.
3) Point, click and execute multiple user/role administration activities.
Now let's look at the scenarios again using a tool like xCUA.
xCUA provides advanced search across all boxes on every field; this lets us search for a list of users across boxes in a single click.
It's as simple as copying and pasting your IDs and clicking deactivate.