Tackling the Terminated Firefighter Owners and Controllers Issue
Tracking the terminated FF Owners and controllers.
Guys, to give you the background: I am an SAP security consultant who recently learnt how to write code in ABAP. Why?
- Dependency on Dev teams for custom solutions.
- Developer’s lack of knowledge of security concepts.
- Longer wait times (back and forth) in the UAT phase.
And honestly, it’s very easy to code in ABAP if you have the pseudocode ready. So, I am writing here about one of the security problems.
I am not sure if you have ever faced this issue, but we did multiple times. When a user leaves the company and his/her account is terminated, the production accounts get terminated by the automated workflow. The user gets terminated in the GRC system too, but if the user is assigned as an owner or controller for an FFID, that assignment doesn’t change with the termination. I am not sure if there is a standard solution to tackle this problem, but what I did was create a Z program which runs every week to check the current owners and controllers against their USR02 records. The program sends an automated email to our support DL so that they can act in time to change the owners/controllers and reroute the existing workflows.
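The cross-check described above, sketched in Python as an added example; it is not the author's Z program or its ABAP code. It assumes the FFID owner/controller assignments and the USR02 fields BNAME, UFLAG and GLTGB have been extracted into the constructed sample structures below, and it treats a missing record, a non-zero lock flag or a passed validity end date as "terminated", which is an assumption about how terminations show up in your system.

```python
from datetime import date

# Constructed sample data: FFID assignments as (ffid, role, user id).
ASSIGNMENTS = [
    ("FF_BASIS_01", "OWNER", "JSMITH"),
    ("FF_BASIS_01", "CONTROLLER", "MKHAN"),
    ("FF_FIN_02", "OWNER", "ALEE"),
    ("FF_FIN_02", "CONTROLLER", "RDIAZ"),
]

# Constructed USR02 extract: BNAME -> (UFLAG lock flag, GLTGB valid-to as YYYYMMDD).
USR02 = {
    "JSMITH": (0, "00000000"),  # not locked, no end date
    "MKHAN": (64, "00000000"),  # locked by administrator
    "ALEE": (0, "20240131"),    # validity end date set
    # RDIAZ deliberately has no USR02 record
}

def account_problem(bname, usr02, today):
    """Return the reason the account looks terminated, or None if it is usable."""
    rec = usr02.get(bname)
    if rec is None:
        return "no USR02 record"
    uflag, gltgb = rec
    if uflag != 0:
        # Any lock is reported so support can review it (assumption).
        return f"locked (UFLAG={uflag})"
    if gltgb != "00000000":  # all zeros means no validity end date
        valid_to = date(int(gltgb[:4]), int(gltgb[4:6]), int(gltgb[6:]))
        if valid_to < today:
            return f"expired (GLTGB={gltgb})"
    return None

def stale_assignments(assignments, usr02, today):
    """List (ffid, role, user, reason) for every assignment held by a terminated user."""
    findings = []
    for ffid, role, bname in assignments:
        reason = account_problem(bname, usr02, today)
        if reason:
            findings.append((ffid, role, bname, reason))
    return findings

def email_body(findings):
    """Build the plain-text notification for the support distribution list."""
    lines = ["FFID owners/controllers needing reassignment:"]
    lines += [f"- {ffid} {role}: {user} ({why})" for ffid, role, user, why in findings]
    return "\n".join(lines)

if __name__ == "__main__":
    print(email_body(stale_assignments(ASSIGNMENTS, USR02, date.today())))
```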
This is the sample email which we receive.
I will give the algorithm flowchart and code snippets here; please comment in case you need assistance with the code.
Below are the Code Snippets for reference:
Thank you guys, please comment on the post if you need any assistance.