Answer / rohit

you can't restrict. you have to create another child role and restrict there i.e add/remove t-code as per the requirement. This type of question is asked in interview for creating confusion :)

Answer / siva

We can restrict via creating a new standalone role with the
required transaction codes restricting with org values of
the same plant/company code and assign the newly created
role and remove access to the already assigned derived role.

Answer / seenivasan m u

Possible, restrict the required users in validity parts from and to dates, T-code access available but validity controls, system will be reflect assigned two users only, rest of users not facing any issues on this.

Answer / sumeithmn

We can change the Authorizations of those 2 specific derived roles by removing the desired tcodes and generate. But this actually defies the derived - template roles concept.

Also, whenever the template role is modified for some reason i future, and if the change is inherited via the template role, then the 2 specific derived roles will lose all the changes made to them (as above) and will get the same auths as the template role again.
The only solution in this case is to not derive all roles from the template role after template roles modification, but to derived individually each of those 3 derived roles, and make the changes exclusively to those 2 derived roles. This is possible but proposes a very weak and unnecessary overhead task for Security administrator.

Answer / gane

convert the derived role into single role and remove the t-codes which are not required as we can't delete the t-codes from derived role menu.

Answer / zaky

The answer is simple, We cannot remove the tcodes from child
roles, so we have to restrict at org level for that tcode,
The user might need tht access to different company code or
plant, So at org level maintain a wildcard value which wont
allow user to fully access the tcode

Answer / annavarapu

first we need to add those t-codes for the users who required
access to execute and then remove the codes from the roles.
Automatically the users who doesn't required the t-code access
will workout

Answer / kamal

We can restrict the users in the particular derived
roles........... For this we dont need to creste another
child role....


Thanks

1. what is the difference b/w change authorization mode and expert mode. 2.when we do the user comparison in pfcg what is the difference in complete comparison and expert mode comparison. 3. what are the critical auth objects in security point of you , 4.when we do the transportation of composite role what will happened . 5.while doing the kernel upgrade we download the executable s one by one are all together. 6. while applying the patches what is the importance of test import why we do test import

2 Answers   IBM,

Red, Yellow, Green in PFCG significance? Can we generate red Roles in PFCG and assign it to Users?

3 Answers   IBM,

If we have UK roles in our system and we want to find the AUS australian role how you will find the same

2 Answers   Cap Gemini,

(1)Difference between usobt_c and usobx_c?(2)What are usobt and usobx tables for?(3)Difference between usobt and usobt_c?(4)Se93.How u create custom t-codes?(5)Difference b/w customizing request and workbench request?(6)To trnsprt sU24 setting which is used is it customizing or workbench request?(7)If we add org level elements in a master role will it reflect in child role and how AGR_1252 will act as a barrier?(8)How to do mass user to role assignment using secatt, will u use su01 or su10?Explain why you will use SU10 not SU01?(9)Can SU10 can be used for mass password reset?Why not?(10)If you want to reset the password for say 100 users in Production how will you do?(11)Expalian Steps 2A and 2B in SU25?

6 Answers   HCL,

how you can delete multiple roles from qa, dev and production system?

0 Answers  

Please provide me defination for the follwing objects.  S_user_GRP S_USER_AUT S_USER_AGR S_USER_PRO S_USER_SYS S_USER_SAS

1 Answers  

A user has roles that only give display access but he can still change something in the system. how?

6 Answers   Atos Origin, IBM,

I have deleted single role from composite role now i want to find out the changes in composite role without using SUIM. Is there any other possibilitie to get?

3 Answers  

How to update risk id in rule set?

0 Answers  

What is the Organization level?

3 Answers   IBM,

How we do Scheduled jobs in background to cleanup spool request, dumps

2 Answers   IBM,

What are su01d t-codes used for?

1 Answers