Answer / rohit

you can't restrict. you have to create another child role and restrict there i.e add/remove t-code as per the requirement. This type of question is asked in interview for creating confusion :)

Answer / siva

We can restrict via creating a new standalone role with the
required transaction codes restricting with org values of
the same plant/company code and assign the newly created
role and remove access to the already assigned derived role.

Answer / seenivasan m u

Possible, restrict the required users in validity parts from and to dates, T-code access available but validity controls, system will be reflect assigned two users only, rest of users not facing any issues on this.

Answer / sumeithmn

We can change the Authorizations of those 2 specific derived roles by removing the desired tcodes and generate. But this actually defies the derived - template roles concept.

Also, whenever the template role is modified for some reason i future, and if the change is inherited via the template role, then the 2 specific derived roles will lose all the changes made to them (as above) and will get the same auths as the template role again.
The only solution in this case is to not derive all roles from the template role after template roles modification, but to derived individually each of those 3 derived roles, and make the changes exclusively to those 2 derived roles. This is possible but proposes a very weak and unnecessary overhead task for Security administrator.

Answer / zaky

The answer is simple, We cannot remove the tcodes from child
roles, so we have to restrict at org level for that tcode,
The user might need tht access to different company code or
plant, So at org level maintain a wildcard value which wont
allow user to fully access the tcode

Answer / annavarapu

first we need to add those t-codes for the users who required
access to execute and then remove the codes from the roles.
Automatically the users who doesn't required the t-code access
will workout

Answer / kamal

We can restrict the users in the particular derived
roles........... For this we dont need to creste another
child role....


Thanks

how we Restrict the auth groups for table maintain, creating Auth group using SE54 to built new Auth groups to restrict tables via auth object S_TABU_DIS

1 Answers   IBM,

Explain protecting public keys?

0 Answers  

What does the pfcg_time_dependency clean up?

0 Answers  

How can I do a mass delete of the roles without deleting the new roles?

0 Answers  

You want to remove a developer's and developer keys from a system. How would you do that?

0 Answers  

User tring to submit the request in GRC but user getting error, what could be the reason , while all BRF+ & MSMP working fine.?

1 Answers   TCS,

What authorization are required to create and maintain user master records?

0 Answers  

How we Educated client personnel in R/3 Security and general Basis knowledge

0 Answers   IBM,

what all are the numbers of user types in system measurement?

1 Answers   iGate,

Could you please let me know the exact step by step process for the following Questions. 1.How to get the E-Mail address for 100 users at a time. 2.While Creating BW roles what are the Authorization Objects we will use. 3.While Creating Single role what will be happened in the functional side, when entered the Template role in the derived role tab. 4.when we changed the password for more users(for example:100 users) where the password will be stored or from where you can Re-Collect the password and how will you Communicate the password to all users at a time. 5.What is Virsa? Once you entered in to the screen what it will perform. 6.What is the use of SU24 & SM24. 7.While Creating BW roles what are the Authorization Objects we will use. 8.While Creating Single role what will be happened in the functional side, when you entered the Template role in the derived role tab. 9.What is Dialog users, Batch users and Communicate users. What is the use with Communicate user. 10.Can we add one Composite role in to another Composite role at any urgent user requests or in normal user requests. 11.In Transport what type of Request we will use.Why don't we use Workbench request in transport. 12.When we added Authorization Object in Template role, at the same time what will be happen in Derived role. 13.How to Check Profile parameter. And how to find whether any transport has ended with error and where we can check. 14.How to Extract users list like who didn't login since 3 months. And In 90 Days user Locking in which table we will use. 15.What is OSS Connection and System Opening and why we have to open these. 16.What will have in one single role and how many prifiles will be in one sap cua system. 17.What is the difference between Template role & Derive role.

3 Answers   Infosys,

what is central user administration?

1 Answers  

Difference between SE01, SE10 & SE09?

3 Answers   IBM,