we have one parent role and we derived five roles from that
and i assigned these derived roles to five users now i want
to restrict 2 users for couple of T-codes and rest of the
users work with those T-codes , How we can solve the problem
Answers were Sorted based on User's Feedback
Answer / rohit
you can't restrict. you have to create another child role and restrict there i.e add/remove t-code as per the requirement. This type of question is asked in interview for creating confusion :)
Is This Answer Correct ? | 20 Yes | 1 No |
Answer / siva
We can restrict via creating a new standalone role with the
required transaction codes restricting with org values of
the same plant/company code and assign the newly created
role and remove access to the already assigned derived role.
Is This Answer Correct ? | 4 Yes | 1 No |
Answer / seenivasan m u
Possible, restrict the required users in validity parts from and to dates, T-code access available but validity controls, system will be reflect assigned two users only, rest of users not facing any issues on this.
Is This Answer Correct ? | 0 Yes | 0 No |
We can change the Authorizations of those 2 specific derived roles by removing the desired tcodes and generate. But this actually defies the derived - template roles concept.
Also, whenever the template role is modified for some reason i future, and if the change is inherited via the template role, then the 2 specific derived roles will lose all the changes made to them (as above) and will get the same auths as the template role again.
The only solution in this case is to not derive all roles from the template role after template roles modification, but to derived individually each of those 3 derived roles, and make the changes exclusively to those 2 derived roles. This is possible but proposes a very weak and unnecessary overhead task for Security administrator.
Is This Answer Correct ? | 0 Yes | 0 No |
Answer / zaky
The answer is simple, We cannot remove the tcodes from child
roles, so we have to restrict at org level for that tcode,
The user might need tht access to different company code or
plant, So at org level maintain a wildcard value which wont
allow user to fully access the tcode
Is This Answer Correct ? | 0 Yes | 5 No |
Answer / annavarapu
first we need to add those t-codes for the users who required
access to execute and then remove the codes from the roles.
Automatically the users who doesn't required the t-code access
will workout
Is This Answer Correct ? | 0 Yes | 7 No |
Answer / kamal
We can restrict the users in the particular derived
roles........... For this we dont need to creste another
child role....
Thanks
Is This Answer Correct ? | 2 Yes | 12 No |
how we Restrict the auth groups for table maintain, creating Auth group using SE54 to built new Auth groups to restrict tables via auth object S_TABU_DIS
Explain protecting public keys?
What does the pfcg_time_dependency clean up?
How can I do a mass delete of the roles without deleting the new roles?
You want to remove a developer's and developer keys from a system. How would you do that?
User tring to submit the request in GRC but user getting error, what could be the reason , while all BRF+ & MSMP working fine.?
What authorization are required to create and maintain user master records?
How we Educated client personnel in R/3 Security and general Basis knowledge
what all are the numbers of user types in system measurement?
Could you please let me know the exact step by step process for the following Questions. 1.How to get the E-Mail address for 100 users at a time. 2.While Creating BW roles what are the Authorization Objects we will use. 3.While Creating Single role what will be happened in the functional side, when entered the Template role in the derived role tab. 4.when we changed the password for more users(for example:100 users) where the password will be stored or from where you can Re-Collect the password and how will you Communicate the password to all users at a time. 5.What is Virsa? Once you entered in to the screen what it will perform. 6.What is the use of SU24 & SM24. 7.While Creating BW roles what are the Authorization Objects we will use. 8.While Creating Single role what will be happened in the functional side, when you entered the Template role in the derived role tab. 9.What is Dialog users, Batch users and Communicate users. What is the use with Communicate user. 10.Can we add one Composite role in to another Composite role at any urgent user requests or in normal user requests. 11.In Transport what type of Request we will use.Why don't we use Workbench request in transport. 12.When we added Authorization Object in Template role, at the same time what will be happen in Derived role. 13.How to Check Profile parameter. And how to find whether any transport has ended with error and where we can check. 14.How to Extract users list like who didn't login since 3 months. And In 90 Days user Locking in which table we will use. 15.What is OSS Connection and System Opening and why we have to open these. 16.What will have in one single role and how many prifiles will be in one sap cua system. 17.What is the difference between Template role & Derive role.
what is central user administration?
Difference between SE01, SE10 & SE09?