BEST PRACTISE on users deletions HR/SU01

Hi
We use CUA/SSO.
The records are fed from HR records and sent to Active Directory (AD).
AD brings back the records and creates/changes users in SU01.
A function module populates the CVR (timesheet) parameter dependent on whether you are an employee or a contractor.
Occasionally, our HR department requests records to be deleted from the SAP Support team - for example if the employee or contractor hasn't in fact joined the company.
Until some time ago, the deletion was causing problems because:
a) the record does not get deleted in AD and there is no way to send the deletion across after
b) when AD tries to reprocess that specific record, the LDAP connector will not find it as an HR record, so what happens in SU01 is that, for some reason, the VALID from field gets wiped out and the CVR parameter for Timesheet also...
We have changed the process for the deletion; however, I would like to ask if you know what the best practice is for this? HR want to delete the record so it can be re-utilised
I cannot delete those records from UMR unless I am 100% sure they have never used the system (will have to check that)
I hope I have provided enough info on what the issue is.
Thank you
Nadia

Best practice is not to delete.
> HR want to delete the record so it can be re-utilised
So many people with the same name? Perhaps a suffix of 2 numbers when the ID naming convention produces a clash. Besides, do your AD admins not want unique names in the AD as well?
E.g. (just an imperfect example)
MUSTERMA = Alfred MUSTERMan
MUSTERMM = Manfred MUSTERMan
MUSTER01 = Mechtilde MUSTERMuller
> I cannot delete those records from UMR unless I am 100% sure they have never used the system (will have to check that)
Surest way is to determine that they have never logged on before. But that does not exclude that records might exist for them, which may eventually do a "user existence check" to be read. One such example is the Security Audit Log, e.g. there may have been failed login attempts.
Good luck,
Julius
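
The suffix-on-clash naming idea and the "do not delete" advice from the reply above, combined in an added example that is not part of the original thread. It assumes 8-character IDs built from seven surname letters plus the first initial, falling back to six surname letters plus a two-digit suffix; `propose_id` and `UserRegistry` are hypothetical names, not SAP or AD APIs.

```python
import re

ID_LEN = 8  # assumption: fixed 8-character IDs, as in the MUSTERMA example


def _letters(name):
    """Upper-case a name and keep only A-Z (assumption: IDs are plain ASCII)."""
    return re.sub(r"[^A-Z]", "", name.upper())


def propose_id(first_name, surname, taken):
    """Return an ID that clashes with no ID ever issued.

    `taken` must contain every ID ever assigned, including locked or
    expired ones, so that logs and change documents written under an old
    ID can never be attributed to a different person later.
    """
    first, last = _letters(first_name), _letters(surname)
    if not first or not last:
        raise ValueError("each name needs at least one letter A-Z")

    # Preferred form: surname stem + first initial (MUSTERM + A).
    base = last[:ID_LEN - 1] + first[0]
    if base not in taken:
        return base

    # Clash: shorter stem + two-digit counter (MUSTER + 01, 02, ...).
    stem = last[:ID_LEN - 2]
    for n in range(1, 100):
        candidate = f"{stem}{n:02d}"
        if candidate not in taken:
            return candidate
    raise RuntimeError(f"no free suffix left for stem {stem!r}")


class UserRegistry:
    """Toy identity store in which IDs are locked, never deleted."""

    def __init__(self):
        self._users = {}  # user ID -> {"name": ..., "status": ...}

    def onboard(self, first_name, surname):
        uid = propose_id(first_name, surname, self._users.keys())
        self._users[uid] = {"name": f"{first_name} {surname}",
                            "status": "active"}
        return uid

    def retire(self, uid):
        """Lock the ID instead of deleting it; the ID stays reserved."""
        self._users[uid]["status"] = "locked"

    def status(self, uid):
        return self._users[uid]["status"]


def demo():
    """Constructed sample data: three joiners, one retirement, one new joiner."""
    reg = UserRegistry()
    issued = [
        reg.onboard("Alfred", "Musterman"),
        reg.onboard("Manfred", "Musterman"),
        reg.onboard("Mechtilde", "Mustermuller"),
    ]
    # HR reports that Alfred never joined: lock, do not delete.
    reg.retire("MUSTERMA")
    # A later joiner whose preferred ID would be MUSTERMA gets a fresh one.
    issued.append(reg.onboard("Anna", "Mustermann"))
    return issued


if __name__ == "__main__":
    print(demo())
```
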

Similar Messages

  • Question on LDAP integration & user deletion

    In the "Administration Console Help" Document it states:
    "You cannot invite user accounts that are mastered in an LDAP-based user directory; these accounts are created automatically when you synchronize the LDAP directory."
    Does this mean that after configuring a LDAP Realm, the users specified by the filter should be automatically pulled into OnTrack? I do not see ldap users when executing a blank search from the admin console. At this point, I also cannot log into OnTrack using a valid LDAP user. I was trying to see if OnTrack worked similar to UCM where the OnTrack user acct would be created once the user logs into the application.
    What I can do is go to "Create User" and enter the email address for a valid ldap user. then I see that user in the full search. that user can also log in successfully.
    I wanted to know what the expected behavior was: is there expected to be a required 'registry' of ldap users into ontrack before they can auth into the app? Is there some sync process that needs to be run to pull in the ldap users?
    Also, is there any current best practice of user deletion? I see in the admin console that there is a note that states: "Note: User deletion is not supported."
    As always, thanks for the info!
    Thanks,
    -ryan
    Ryan Sullivan | ECMconsultant
    http://www.ecmconsultant.net/

    Ryan,
    It sounds like you figured this out.
    There is NOT an explicit sync of users from LDAP into On Track. The On Track user object is created when the LDAP user first logs in (or when added to a Conversation by another user). After that point, the user will be visible in the admin console. (Note, however, that from the client, you can search for an LDAP user and add them to a Conversation's membership even if that user has not yet logged in to On Track. It does this by searching for the user in the LDAP directory, as well as in On Track's known users. This is a great way to "invite" other people in the organization to participate in On Track.)
    As for your other questions:
    - The recommended way to "delete" a user is to mark the user "Disabled" in On Track. This will prevent that user from logging in and from showing up as a valid user in the client.
    - Once a user "[email protected]" exists, it should not be possible to create another "[email protected]" user, even if the first one is disabled, and regardless of which realm those users are in.
    --Dan

  • Best practise for SAP users who leave the company

    Hi
    Could anyone recommend a best practice document or give advice on how to deal with SAP user IDs when employees/contractors/consultants leave? I am the basis admin just starting an SAP implementation and we have no dedicated authorisation team at the moment, so I have been asked to look into this:
    Currently we set the validity date in SU01 to the termination date.
    We check there are no background jobs scheduled under that user ID; if there are, we change the job owner to a valid user (we try to run all background jobs under an admin account).
    We do not delete the user as from an audit point of view I believe it restricts information you can report on and there are implications on change documents etc, so best to lock it with validity dates.
    Can anyone advise further?
    We are running SAP ECC 5.0 on Windows 2003 64 Bit/MS SQL 2000.
    Thanks for any help.

    Hi,
    Different people will tell you different versions of what they believe is best practice, but in my opinion you are already doing reasonably well.
    What I prefer is
    1. Lock ID & set validity date.
    2. Assign user to user group LEAVER or EXPIRED or something similar (helps with reporting) out of SUIM/S_BCE* reports.
    3. Delete role assignment (should you need it, the role assignment will be in the change history docs anyway).
    4. Check background jobs & act accordingly.
    For ease of getting info I prefer not to delete the ID though plenty of people do.

  • When granting a user or a role access to a group of pages, it is best practise to grant that access to what type of file or component?

    My question is same while granting user or role in the application, what is the best practise? How to decide the level of applying role to pagedef's, xml files, or some other file that i have missed out.

    As for my concern I would go for page definition files.

  • Best Practises for Email Addresses?

    Hi Guys,
    Are there any best practise guides / documents / etc. for configuring user's E-mail addresses? We have a large turnaround of users and obviously sometimes they have the same name as previous/current employees (we do not delete any old accounts / mailboxes.) My question is whether or not it is OK to use numbers in an email address (i.e. [email protected])?
    Thanks
    Stephen

    Hi,
    It's OK to use numbers in an email address.
    The format of email addresses is local-part@domain where the local-part may be up to 64 characters long and the domain name may have a maximum of 253 characters.
    The local-part of the email address may use any of these ASCII characters RFC 5322
    Uppercase and lowercase English letters (a–z, A–Z) (ASCII: 65-90, 97-122)
    Digits 0 to 9 (ASCII: 48-57)
    Characters !#$%&'*+-/=?^_`{|}~ (ASCII: 33, 35-39, 42, 43, 45, 47, 61, 63, 94-96, 123-126)
    Character . (dot, period, full stop) (ASCII: 46) provided that it is not the first or last character, and provided also that it does not appear two or more times consecutively (e.g. John..[email protected] is not allowed.).
    Special characters are allowed with restrictions. They are:
           Space and "(),:;<>@[\] (ASCII: 32, 34, 40, 41, 44, 58, 59, 60, 62, 64, 91-93)
           The restrictions for special characters are that they must only be used when contained between quotation marks, and that 3 of them (The space, backslash \ and quotation mark " (ASCII: 32, 92, 34)) must also be preceded by a backslash \ (e.g. "\ \\\"").
    For more information, please refer to this similar thread.
    https://social.technet.microsoft.com/Forums/exchange/en-US/69f393aa-d555-4f8f-bb16-c636a129fc25/what-are-valid-and-invalid-email-address-characters
    Best Regards.
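
The local-part rules listed in the answer above, turned into a checker, as an added example that is not part of the original thread. It implements the rules as the answer states them (including the backslash requirement for spaces inside quotes) and checks only the length of the domain; the function names and the sample addresses under `example.com` are constructed for illustration.

```python
import string

# Characters allowed anywhere in an unquoted local part (the dot is handled apart).
ATEXT = set(string.ascii_letters + string.digits + "!#$%&'*+-/=?^_`{|}~")
# Characters that are only allowed between quotation marks.
QUOTED_ONLY = set(' "(),:;<>@[\\]')
# Of those, the three that must also be preceded by a backslash.
MUST_ESCAPE = set(' \\"')
MAX_LOCAL, MAX_DOMAIN = 64, 253


def _check_unquoted(local):
    if local[0] == "." or local[-1] == ".":
        return "dot at start or end of local part"
    if ".." in local:
        return "consecutive dots in local part"
    for ch in local:
        if ch == "." or ch in ATEXT:
            continue
        if ch in QUOTED_ONLY:
            return f"character {ch!r} is only allowed inside quotation marks"
        return f"character {ch!r} is not allowed"
    return None


def _check_quoted(body):
    """Check the text between the outer quotation marks."""
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":
            # A backslash always escapes the next character.
            if i + 1 >= len(body):
                return "backslash escapes the closing quotation mark"
            if not 32 <= ord(body[i + 1]) <= 126:
                return "escaped character is not printable ASCII"
            i += 2
            continue
        if ch in MUST_ESCAPE:
            return f"character {ch!r} must be preceded by a backslash"
        # Dots may appear anywhere inside a quoted local part.
        if ch != "." and ch not in ATEXT and ch not in QUOTED_ONLY:
            return f"character {ch!r} is not allowed"
        i += 1
    return None


def check_local_part(local):
    """Return None when the local part is valid, otherwise the reason."""
    if not local:
        return "empty local part"
    if len(local) > MAX_LOCAL:
        return "local part longer than 64 characters"
    if local[0] == '"':
        if len(local) < 2 or local[-1] != '"':
            return "quoted local part is not terminated"
        return _check_quoted(local[1:-1])
    return _check_unquoted(local)


def validate(address):
    """Return (True, None) or (False, reason) for a local-part@domain string."""
    # Split at the LAST '@': a quoted local part may itself contain '@'.
    local, sep, domain = address.rpartition("@")
    if not sep:
        return False, "missing @"
    if not domain or len(domain) > MAX_DOMAIN:
        return False, "domain empty or longer than 253 characters"
    reason = check_local_part(local)
    return reason is None, reason


if __name__ == "__main__":
    # Constructed sample addresses.
    for sample in ["stephen.smith2@example.com", "John..Doe@example.com",
                   '"john smith"@example.com', '"john\\ smith"@example.com']:
        print(sample, validate(sample))
```
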

  • Request for howto - error processing best practise

    Hi JDev Team. Something I would like to see in a future HOWTO would be error handling in a BC4J/JSP application. What is best practise? How do we make sure that when a database error occurs, we can trap the error and provide a friendly error message, or failing that, at least ensure the standard error is usable by a maintenance programmer. For eg. the following error occurs if a referential constraint restricts the delete:
    javax.servlet.jsp.JspException: JBO-26041: Failed to post data to database during "Delete": SQL Statement " DELETE FROM TECHTRANSFER.TTSITES Sites WHERE SITEID=:1".
    in fact the same error message is displayed for almost any database error - the programmer can't fix the problem when he has no idea what it is!! (same with update and insert)
    I wasn't going to request this until I had read all of the help available on error processing but the way this project is going I won't get time. If you think that it is adequately covered in the help, then fine, just let me know where.
    Thanks,
    Simon

    You can enclose your bc4j/jsp code with a try / catch expression. That way if a failure occurs, you can trap it, display a friendly error, and do whatever you want with the exception.
    What I have been doing for development purposes, is send via email a modified errorpage.jsp. Here is what gets emailed to me (*'s in potentially sensitive data) and displayed to the screen (I'm eventually going to replace all the displayed garbage with something friendly):
    An error occured in application PDC User Administration
    User Session Properties:
    Sesion ID: *********
    App ID: *********
    User Name: *********
    User ID: *********
    Priv Role: *********
    Password: *********
    Org No: *********
    First Name: skunitzer
    Last Name: ANALYST
    App Title : PDC User Administration
    Current Url: insertNewUser.jsp
    Specific error is javax.servlet.jsp.JspException: JBO-25013: Too many objects match the primary key oracle.jbo.Key[1423 ].
    Parameters:
    LastName
    Kunitzer
    EmailAddress
    [email protected]
    FirstName
    SteveLiveTest
    OrgNo
    PhoneWorkNo
    I have no phone #
    ExpireDate
    2001-04-26
    ExpireDateString
    jRQiIsFGANIbrGlihGTl[epofZmSNgEkGqbHN@iErHNPRi
    UserID
    UserPrivs
    Exception:
    javax.servlet.jsp.JspException: JBO-25013: Too many objects match the primary key oracle.jbo.Key[1423 ].
    Message:
    JBO-25013: Too many objects match the primary key oracle.jbo.Key[1423 ].
    Localized Message:
    JBO-25013: Too many objects match the primary key oracle.jbo.Key[1423 ].
    Stack Trace:
    javax.servlet.jsp.JspException: JBO-25013: Too many objects match the primary key oracle.jbo.Key[1423 ].
    at java.lang.Throwable.fillInStackTrace(Native Method)
    at java.lang.Throwable.fillInStackTrace(Compiled Code)
    at java.lang.Throwable.<init>(Compiled Code)
    at java.lang.Exception.<init>(Compiled Code)
    ...Stack Trace goes on but I won't bother with it anymore...
    While not always as specific as I would like, I have not had too much trouble hunting down the errors.

  • Best Practises with ACS Replication & external databases

    I am looking for a best practise with the following scenario:
    2 ACS Servers in 2 separate locations, each providing mutual backup to each other - i.e. all devices/users in Site X point to local ACS Server X 1st and remote ACS Server Y 2nd. In Site Y the devices/users point to the local ACS Server Y 1st and remote ACS Server X 2nd. This works fine; currently Server X replicates the Database to Server Y.
    In the future we will be implementing a remote LDAP database and will forward unknown users to this database for authentication. As I understand it if an unknown user exists on the LDAP database then the ACS Server will create a local account (depending the mapping policy etc) and point the password at the remote LDAP server. If we replicate from Server X to Server Y, but Server Y has created an account for an unknown user will this get deleted on replication? Is there a best practise to handle this scenario?
    Andy

    I could not find a best practices document as such but a lot of ground is covered in the document 'CiscoSecure Database Replication' at http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/sad.htm#wp755988.

  • Oracle Tuxedo Security Best Practises

    Hi,
    I am new to Oracle Tuxedo. I am searching for Tuxedo security best practices. I found a lot of information in the Tuxedo documentation, but if anybody has more information, I am very interested.
    Such as:
    - ULOG files permissions => The Tuxedo administrator must not have write access on these files, but if I remove this right, can Tuxedo still write to these files?
    - tlisten.pw => What is the encryption type, and can I add only one user password or more? Is it true that there is no user login?
    - tpsysadm and tpsysop => What do they serve? Where are their passwords stored and how can I change them?
    - Use of LLE/SSL => What is the best practice: use of LLE and SSL, or just LLE, or just SSL?
    Thanks a lot !
    Best regards

    Hi,
    welcome to the wonderful (and sometimes byzantine) world of Tuxedo!
    You have a couple of interesting questions and I'll try to shed some light on some of them. Disclaimer: I'll assume that you run Tuxedo on some flavor of Linux or Unix. If you're running on Windows, some of these thoughts won't make much sense to you, sorry about that.
    When I install the Tuxedo software, I usually let a dedicated user (e g "tuxedo") be the owner of the installed software and files (include files, FML field definitions and so on).
    When I create a Tuxedo application, I have a separate user account (e g "some_application") running each application. In this way, an application running wild cannot overwrite or delete any Tuxedo system files, neither another application's files, only its own files, due to file system permissions. In this case, "some_application" will execute your Tuxedo servers and also need to be the owner of the directory where the ULOG will reside (remember that the application needs to be able to create a new file every new day).
    The tlisten.pw file is not for "user" passwords, its primary use is to authenticate the different (physical) machines working together in a bridged (clustered) Tuxedo application. It is also used in conjunction with TSAM monitoring, although I have no first-hand experience with that (yet). I've had problems trying to have more than one secret in the tlisten.pw file, your mileage may vary...
    When it comes to tpsysadm and tpsysop, you should think of them more as roles rather than actual users. These roles may perform special actions (such as starting/stopping/re-configuring) in your application. Depending on your security settings, any user may (try to) act as tpsysadm and/or tpsysop. Any user passwords you may have are connected to the actual users rather than the roles tpsysadm or tpsysop. All this depends on your settings for SECURITY and AUTHSVC in your ubbconfig. There is no simple/easy answer here, I'm afraid... it all depends on how you have set up your security (USER_AUTH is a good start, but you need to supply an AUTHSVC in that case).
    When it comes to encryption, my experience is only with LLE. It simply works. Using SSL I suspect there will be more challenges setting up certificates and such things. The way I understand it you either use LLE or SSL for a given type of communication (i e WSL or TDOMAIN), you can't use both simultaneously.
    Hope this helps and I may be able to elaborate further if there's a particular area that seems particularly foggy :-)
    /Per

  • Best practise to detect changes between two tables

    Hi,
    I try to write a query, that shows me the differences between a table in my DWH and the table in the source system. It should show me new, deleted and updated rows.
    My approach is to do a full outer join based on the key and then check if any of the columns changed (source.A!=DWH.A or Source.B!=DWH.B, etc.) to get the updated rows.
    My problem is now that my table has millions of rows and more than 100 columns (number, nvarchar, etc.). So the query takes hours.
    Is there any best practise solution to optimize that query, by rewriting it, setting indexes or using hash code? I played around with hash code, but it wasn't really faster.
    (BTW: CDC, etc are not allowed)
    Thanks for any ideas!

    890408 wrote:
    So i guess I can't use the merge statement, as it is just for SCD1.
    Yes you can:
    -- history table: one row per price period, active = 1 marks the current row
    create table products(
                          name varchar2(20),
                          price number,
                          effective_from date,
                          effective_to date,
                          active number
                         );
    insert
      into products
      values(
             'Samuel Adams, 6-pack',
             6.99,
             null,
             sysdate - 51,
             0
            );
    insert
      into products
      values(
             'Samuel Adams, 6-pack',
             7.29,
             sysdate - 50,
             null,
             1
            );
    -- staging table with the incoming changes
    create table product_updates(
                                 name varchar2(20),
                                 price number
                                );
    insert
      into product_updates
      values(
             'Samuel Adams, 6-pack',
             7.49
            );
    insert
      into product_updates
      values(
             'Corona, 6-pack',
             6.49
            );
    select  *
      from  products;
    NAME                      PRICE EFFECTIVE EFFECTIVE     ACTIVE
    Samuel Adams, 6-pack       6.99           13-OCT-11          0
    Samuel Adams, 6-pack       7.29 14-OCT-11                    1
    select  *
      from  product_updates;
    NAME                      PRICE
    Samuel Adams, 6-pack       7.49
    Corona, 6-pack             6.49
    -- each staged row appears twice: once under its real name (closes the
    -- current row) and once prefixed with chr(0), which never matches and
    -- therefore always takes the insert branch
    merge
      into products p
      using (
              select  name,
                      price,
                      'update' flag
                from  product_updates
             union all
              select  chr(0) || name name,
                      price,
                      'insert' flag
                from  product_updates
            ) u
      on (
          p.name = u.name
         )
      when matched
        then update
                 set effective_to = sysdate,
                     active = 0
               where active = 1
      when not matched
        then insert
               values(
                      substr(u.name,2),
                      u.price,
                      sysdate,
                      null,
                      1
                     )
               where flag = 'insert';
    3 rows merged.
    select  *
      from  products;
    NAME                      PRICE EFFECTIVE EFFECTIVE     ACTIVE
    Samuel Adams, 6-pack       6.99           13-OCT-11          0
    Samuel Adams, 6-pack       7.29 14-OCT-11 03-DEC-11          0
    Samuel Adams, 6-pack       7.49 03-DEC-11                    1
    Corona, 6-pack             6.49 03-DEC-11                    1
    SY.

  • Best practise around handling time dependency for flat file loads

    Hi folks,
    This is a fairly common situation - handling time dependency for flat file loads. Please can anyone share their experience around handling this. One common approach is to handle the time validity changes within the flat file where it is easily changeable by the user but then again is prone to input errors by the user. Another would be to handle this via a DSO. Possibly, also have this data entered directly in BI using IP planning layouts. There is a IP planning function that allows for loading flat file data but then again, it only works without the time dependency factor.
    It would be great to hear thoughts or if anyone can point to a best practise document for such a scenario.
    Thanks.

    Bump!

  • Best Practise for connecting to Ethernet based device

    Hi,
    I have inherited a system where we have a cDAQ-9181 controlling a vehicle access barrier, with a LabView application on a PC talking to it via Ethernet.
    (The application is very simple - press a button > send a value to the 9181 unit > opens the barrier )
    All works fine most of the time.
    ( We occasionally get network related errors. The LabView application sometimes thinks another PC has reserved the unit, or gives “error 89130 - device not available for routing” )
    The users would now like to be able to easily run the application from a second PC ( not at the same time ), but this seems to be a problem. If I exit the application on PC “A” and run it on PC “B” it struggles to reserve the chassis, and throws the “89130” error and I have to restart the unit via MAC.
    While I’m a “veteran” control programmer, I’m new to LabView, and would be very grateful for any pointers on “best practise” for talking to devices via Ethernet, or any specific suggestions for handling multiple PCs talking to a single device.
    Thank You.
    Tim.

    Hi Tim,
    Thank you for your post and welcome to the NI forums.
    There are lots of knowledgebase articles on our website and you should be able to find documentation for most of our hardware.
    There is a good troubleshooting guide for cDAQ Ethernet here (http://ae.natinst.com/public.nsf/web/searchinternal/e67b4e4749f378ff862577270059bd4b?OpenDocument) - it outlines the steps to take to ensure you have as stable a connection as possible. You may have already seen it, but the quick-start guide for your specific device may also be worth consulting for best practices. Are these helpful?
    As for using more than one PC - this shouldn't be too much of an issue. I would expect that the resource isn't being closed correctly - when you exit the App on PC 'A', how are you closing off the resource?
    Best regards,
    Eden S
    Applications Engineer
    National Instruments UK & Ireland

  • Best Practise for rebooting ISE Nodes?

    Hello Community,
    I administer an ISE installation with two nodes (I am not an ISE Specialist, my job is just to manage the users/MAC addresses), but now I have to move my ISE Nodes from one VMWare Cluster to another VMWare Cluster.
    (Both VMWare environments are connected to our enterprise network, but are different environments. vMotion not possible)
    I would shut down ISE02, move it to our new VMWare environment and start it again.
    Then I would do this with our ISE01 Node...
    Are there any best practices for doing this? (Shut down the application first, stop replication etc.)?
    Can I really simply reboot an ISE Node - or do I have to consider something before doing this? After doing this?
    Any tasks after reboot?
    Thank you for any answer!
    ISE01: Administration, Monitoring, Policy Service; PRI(A), SEC(M)
    ISE02: Administration, Monitoring, Policy Service; SEC(A), PRI(M)

    There is a lot to consider here.  If changing environments means changing IP Address and IP Scopes, then your policies, profiles, and dACLs would also have to change among other things.  If this is the case, create a new ISE VM in the new environment using the built in evaluation license and recreate the deployment from the old environment using the addressing scheme of the new environment.  Then spin-up a new Secondary node and register it on the Primary.  Once this is done, you can re-host the license from your old environment onto your new environment.  You can use this tool to re-host:
    https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=3999
    If IP Addressing is to remain the same, it gets simpler. 
    First, and always, perform a configuration and operational backup.
    If downtime is not an issue, or if you have a maintenance window of an hour or so: Simply shut down both nodes.  Transfer them to the New Environment and turn them on, Primary Node first, of course.
    If downtime is an issue, shut down the Secondary Node and transfer it to the New Environment.  Start the Secondary Node and when it is up, shut down the Primary Node.  Once services on the primary node have stopped, promote the Secondary Node to Primary Node.
    Transfer the OLD Primary Node to the New Environment and turn it on.  It should assume the role of Secondary Node.  If it does not, assign that role through the GUI.
    Remember, the correct way to shut down an ISE node is:
    application stop ise
    halt
    By using these commands, the risk of database corruption decreases by about 90% (Remember to always back up).
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Exchange 2013 Archive mailbox best practise

    Current scenario:
    Migrating to Exchange 2013 CU3 from Lotus Domino.
    In Lotus Domino the customer has huge archive files (nfs file size is around 30 GB; likewise, users have multiple archive files of the same size).
    The requirement is that all these files need to be migrated to Exchange 2013 CU3, which we are taking care of by using a third-party tool.
    My concern is Exchange 2013 support for huge mailbox sizes. If it is supported, what is the maximum size supported for the online mailbox and the archive mailbox?
    Can I assign multiple archive mailboxes to users?
    We have a separate Exchange 2013 archive server in place.
    We would like to know the best practice/guideline for archive mailbox/live mailbox size.
    Referred to the link below:
    http://blogs.technet.com/b/ashwinexchange/archive/2012/12/16/major-changes-with-exchange-server-2013-part-1.aspx

    The key decision is that the content in the primary mailbox is synchronized with the client when in cached mode, while the content in the archive is not.  So I'd want to keep the primary mailbox populated with the content the user needs on a daily basis, and put the rest in the archive.  Unfortunately, that answer is not a number, and it isn't the same for all users.
    Each user can have zero or one archive mailboxes, not multiple.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

  • Exception Propagation - Best Practises

    Hello,
    I was wondering what the best practice for exception propagation is.
    The way I know and have been doing it is to specify an error page in my web.xml, and in that I get a request parameter from the session (which I populate in the catch blocks across the various classes) and display it to the user and ask him to contact the admin. Of course I log them using log4j.
    I was wondering if there are other ways people do this (other than just displaying a "Sorry, Application Error" page), and what you think should be the best practice for exception handling and, more importantly, exception propagation.
    Thanks in advance for your time
    rgds,

    Sarvananda wrote:
    > ...what do you think should be the best practise of exception handling and more importantly exception propagation.
    The very best practice is to always handle the exception, that is to say: never use empty "catch blocks".
    As already stated there are many correct ways to handle exceptions depending largely on the result you desire according to the exception. If you want feedback for debugging: I've made the errors descriptive... class/method and exception/error included in the message to the end user. This almost never works, since they never read it and if they report it, they just say: "I got this error thingy and it said to call you..." I got smarter the second time around and put the errors in logs, so when they actually called, then I could have them look up the error for me, or even better, just send me the log so I could see any other problems they didn't bother to report.
    It sounds like you are doing web development, one thing I have done in the past is to just pop up an e-mail ready to go with all the info in it. All the end user had to do is hit send.
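
    The pattern discussed in this thread (wrap and propagate the exception, log the full detail, show the user only something they can quote to support), as an added example that is not code from either poster. It uses only the JDK, with java.util.logging standing in for log4j; the class, method and exception names are hypothetical.

```java
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

public class ErrorBoundary {
    private static final Logger LOG = Logger.getLogger(ErrorBoundary.class.getName());

    /** Application-level exception that carries context up the call stack. */
    static class OrderException extends Exception {
        OrderException(String message, Throwable cause) { super(message, cause); }
    }

    // Hypothetical lower layer: fails with a low-level exception.
    static int parseQuantity(String raw) throws OrderException {
        try {
            return Integer.parseInt(raw);
        } catch (NumberFormatException e) {
            // Wrap and rethrow: keep the cause, add context, never swallow it.
            throw new OrderException("invalid quantity field", e);
        }
    }

    /** Boundary: the only place that turns an exception into user-facing text. */
    static String handleRequest(String rawQuantity) {
        try {
            return "Ordered " + parseQuantity(rawQuantity) + " item(s)";
        } catch (OrderException e) {
            String incidentId = UUID.randomUUID().toString();
            // Message, cause chain and stack trace go to the server log only.
            LOG.log(Level.SEVERE, "incident " + incidentId, e);
            // The user gets a reference to quote, with no class names or traces.
            return "Application error. Please contact the administrator"
                 + " and quote reference " + incidentId;
        }
    }

    public static void main(String[] args) {
        System.out.println(handleRequest("3"));
        System.out.println(handleRequest("three")); // constructed bad input
    }
}
```

    In a servlet application the same boundary would sit in the error page or a filter mapped in web.xml, so the incident ID in the user's report can be matched to one log entry.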

  • Best practises for replication

    Hi,
    I want to know what the best practice is for the replication interval of the database between two Cisco ACS.
    Regards,
    Atif.

    Hi Atif,
    The replication time interval should always be higher.
    Reason: Every time you replicate the data, it requires ACS services to restart, so doing this frequently may affect your production environment.
    However, if you want to replicate internal users' passwords, then there is an option to replicate password changes right away without a full replication.  You can enable this option under System Configuration -> Local Password Management.  With this enabled you could potentially set the replications to a larger interval.
    It also depends on how often you make changes in your ACS. If it's normal, then I would say set it to every Sunday 12:00 PM.
    This is how replication happens:
    The primary ACS stops its authentication and creates a copy of the ACS internal database components that it is configured to replicate. During this step, if AAA clients are configured properly, those that usually use the primary ACS fail over to another ACS. The primary ACS resumes its authentication service.
    After the preceding events on the primary ACS, the database replication process continues on the secondary ACS. The secondary ACS stops its authentication service and replaces its database components with the database components that it received from the primary ACS. During this step, if AAA clients are configured properly, those that usually use the secondary ACS fail over to another ACS. The secondary ACS resumes its authentication service.
    HTH
    Regards,
    JK
    Plz rate helpful posts-
