Some times, when working with large CUA landscapes, the need arise to set up a large number of users in one or more specific systems. One example is during regression or acceptance testing phases, where specific users are created in order to test new roles, or whenever a request comes in to create a multitude of users for training purposes. Of course, such requests tend to come in a day or two before deadline, as if mass user creation is something that’s easily done.
eCatts have been proposed as a solution for mass user creation. In my opinion, this technique is excellent for non-CUA systems and relatively simple role assignments. But what if the requirements are more complex, or CUA is involved? What if users already exist, but need to be allocated new role sets? What if you need to remove specific roles from specific users in specific systems only, while retaining other role assignments or adding new roles? What if there’s a mix of the above scenarios? This is where SAP’s own BAPI technology comes in handy.
SAP has an excellent range of BAPIS tagged to the business object USER; some of which are useful for our purpose: BAPI_USER_CREATE1, BAPI_USER_EXISTENCE_CHECK, BAPI_USER_LOCACTGROUPS_ASSIGN, to name §but a few of them. What characterizes these BAPIs is that they’re fully compatible with a CUA environment, enabling us to use them in complex landscapes.
The BAPIs are visible using transaction BAPI:
You can easily explore their parameters and check out the code by clicking on any of the methods.
Let’s try to make a simple program for user creation and role assignment, using these standard SAP interfaces.
The program will make use of two files; one for general user info, the other for role assignment. The files can in principle have any format (csv, txt and so on), but for our purpose we’ll use csv. Our first file will have the following structure:
Username, last name, user group, password
The second file will look like this:
Username, system, role name
The idea is to read both files into internal tables, then do a synchronized loop on both files in order to create users and assign roles. The program checks if a user exists; if not, the user is created. Then, roles are assigned from the second file.
Some notes on the code:
BAPI_USER_CREATE1 is called with the absolute minimum of parameters (user name, last name and password). Of course, the input file will normally contain more than these three pieces of information, in which case the BAPI can be called with a greater range of parameters.
Table USRSYSACT resides in the CUA master system, and contains a complete list of all valid roles in each system assigned to the CUA landscape. This table is updated every time a “text compare” is performed from within SU01 (Role tab, click “Text comparison fron child sys.”):
Before attempting to assign a role for a user, we check whether this role appears in USRSYSACT. This avoids errors when calling BAPI_USER_LOCACTGROUPS_ASSIGN. (Note: program RSDELCUA is very useful for monitoring invalid entries in CUA-related tables like USRSYSACT. Exercise great care when running this program, though, as it can also be used to wipe out the CUA itself! However, simple cleaning exercises should be done whenever a system is removed from the CUA landscape, in which case the program is quite handy).
With simple modifications, this interface can also be used for selective mass role updates. By executing BAPI_USER_LOCACTGROUPS_ASSIGN for an existing user, all previously assigned roles are automatically removed and the new ones passed to the BAPI assigned. This is handy for assigning completely new role sets for any number of users. The program will, in its current form, read existing role assignments for a user into table wt_activitygroups, then merge these with any new role assignments from the input file. By modifying the code slightly and introducing a new parameter, you could provide the option to replace existing role assignments with only those from the input file, or keep existing roles in addition to the new ones.
Another possibility is selective role assignment in specific systems, for instance by dynamically reading the CUA distribution model (table USZBVLNDSC) and building a checkbox list on the selection screen, where the user of the program could tick only those systems any role assignments should be done for. In short, the options for flexible and dynamic role assignments are numerous.
Conclusion: By using the standard BAPIs for object USER, you can easily create quite complex solutions for user handling in large CUA landscapes, giving a flexibility that goes far beyond that of eCatt or LSMW.