Mass User-Role assignment utilizing Groups tab in SU01 and LSMW
During the go-live or testing phase of an SAP project, hundreds of new user accounts may need to be set up or assigned various roles. Doing this by hand is monotonous, time-consuming and prone to manual errors.
If the SAP roles are common between the users, it is a simple task that can be done using SU10, but if the users are to be assigned different roles, SU10 is not that helpful.
There are different ways of doing mass user-role assignment, such as an LSMW (BAPI) or SECATT script. But building such a script can be difficult, and one can get stuck on errors while building or executing it.
The most common problem that I have seen with such scripts is that they get stuck because there is no batch input data for screen defined when one comes to the role’s tabs in SU01/SU10 or the user assignment tab in PFCG.
Also, there are tools available that help in mass user-role assignment but may impact the project budget, require approvals and eventually impact the timeline.
I hope the method below will help in addressing such hurdles, though it requires 3 simple LSMW scripts.
Overview of steps to be followed
- Create new SAP user groups using transaction SUGR.
- Assign users to these groups. (Use the ‘Groups’ tab in SU01/SU10, so that the User group field in the ‘Logon Data’ tab is not used.)
- Assign roles to users in the PFCG user assignment tab, using the ‘Selection’ button shown below.
Once you have read the overview, you may have figured out what steps I am going to do next.
- Create LSMW script for User group creation.
- To make it simple, the number of groups to be created could be equal to the number of users. Otherwise, one can group the users with similar access into one group and create a corresponding number of new User groups using the script. These groups can be used in the future for any further role assignment needs. Also, one can leave it as-is or remove the group’s assignment from the user later.
- Create a new recording using transaction SUGR. The recording will have two variables, as shown below: Group Name and Group Description.
- The input file for this script will contain two columns that will map to these two fields.
- After execution of the script the new user groups will be created, which can be validated through SUGR transaction or table USGRPT.
- Note: We are assigning the group to the ‘Groups’ tab of SU01/SU10 and not ‘User group’ field in the ‘Logon Data’ tab. This will allow us to execute this role assignment script without impacting the current security design.
- Create a new recording using transaction SU10. I do not prefer using SU01 because there may be existing user groups assigned to the users in the ‘Groups’ tab, which may create a problem with the script.
- The recording should be done only for one user to one user group assignment.
- The recording will have the below parameters, with only two input parameters: UserName and Group Name.
- The input file for the script will also contain only two columns corresponding to UserName and Group name.
- After the execution of the script, the user groups will be assigned to users. This can be validated using SUIM => Users by Complex Selection Criteria and the ‘User group (general)’ field, as shown below.
- Create LSMW project for role assignment.
- The recording should be done only for one group and one role assignment (can have multiple users in one group).
- When the user listing for the user group pops up, enter the User group name and use the ‘select all’ option only. Do not select the users individually, as it may lead to a problem with the script. Note: there should not be any unwanted users assigned to these groups who are not part of the role assignment script.
- The recording will have the below parameters, with only two input parameters: Role Name and Group Name. Remove all remaining parameters from the recording.
- The input file for the script will also contain only two columns corresponding to Role Name and Group name.
- Once the script is executed, the role assignment to the user will be completed.
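The input files for the three scripts above can be generated from a single user-to-role list. The following is an added example, not part of the original article: it groups users with identical role sets into one user group and flags users who already sit in a planned group and would therefore receive roles through ‘select all’. The `ZMR_` prefix, the tab-delimited layout, the function names and the sample data are assumptions.

```python
import csv
import io
from collections import defaultdict

GROUP_PREFIX = "ZMR_"  # hypothetical prefix for the temporary user groups
MAX_GROUP_LEN = 12     # assumed length limit of a user group name; verify in your system

def plan_assignment(user_roles, prefix=GROUP_PREFIX):
    """Group users with identical role sets; return rows for the three scripts."""
    by_roleset = defaultdict(list)
    for user, roles in user_roles.items():
        if not roles:
            raise ValueError(f"user {user} has no roles to assign")
        by_roleset[frozenset(r.strip().upper() for r in roles)].append(user.strip().upper())
    groups, user_groups, role_groups = [], [], []
    # Sort so the plan is deterministic and can be reviewed before upload.
    ordered = sorted(by_roleset.items(), key=lambda kv: sorted(kv[1]))
    for n, (roleset, users) in enumerate(ordered, start=1):
        name = f"{prefix}{n:04d}"
        if len(name) > MAX_GROUP_LEN:
            raise ValueError(f"group name {name} exceeds {MAX_GROUP_LEN} characters")
        groups.append((name, f"Mass role batch {n}"))          # script 1: SUGR
        user_groups += [(u, name) for u in sorted(users)]      # script 2: SU10
        role_groups += [(r, name) for r in sorted(roleset)]    # script 3: PFCG
    return groups, user_groups, role_groups

def unexpected_members(user_groups, current_membership):
    """Users already in a planned group but absent from the plan (they would get the roles too)."""
    planned = defaultdict(set)
    for user, group in user_groups:
        planned[group].add(user)
    return {g: sorted(set(m) - planned[g]) for g, m in current_membership.items()
            if g in planned and set(m) - planned[g]}

def to_tsv(rows):
    """Tab-delimited text, the file layout assumed here for the LSMW input."""
    buf = io.StringIO()
    csv.writer(buf, delimiter="\t", lineterminator="\n").writerows(rows)
    return buf.getvalue()

# Constructed sample data: user IDs and role names are invented.
SAMPLE = {"JDOE": ["Z_FI_AP_CLERK", "Z_FI_DISPLAY"], "BLEE": ["Z_MM_BUYER"],
          "ASMITH": ["Z_FI_DISPLAY", "Z_FI_AP_CLERK"]}

if __name__ == "__main__":
    for rows in plan_assignment(SAMPLE):
        print(to_tsv(rows))
```

Feed `unexpected_members` the current group membership exported from the system before running the role assignment script; a non-empty result means a group holds users outside the plan.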
Hope this article will help to reduce the monotonous work of manual user role assignment and save some time.