Answer / rohit

you can't restrict. you have to create another child role and restrict there i.e add/remove t-code as per the requirement. This type of question is asked in interview for creating confusion :)

Answer / siva

We can restrict via creating a new standalone role with the
required transaction codes restricting with org values of
the same plant/company code and assign the newly created
role and remove access to the already assigned derived role.

Answer / seenivasan m u

Possible, restrict the required users in validity parts from and to dates, T-code access available but validity controls, system will be reflect assigned two users only, rest of users not facing any issues on this.

Answer / sumeithmn

We can change the Authorizations of those 2 specific derived roles by removing the desired tcodes and generate. But this actually defies the derived - template roles concept.

Also, whenever the template role is modified for some reason i future, and if the change is inherited via the template role, then the 2 specific derived roles will lose all the changes made to them (as above) and will get the same auths as the template role again.
The only solution in this case is to not derive all roles from the template role after template roles modification, but to derived individually each of those 3 derived roles, and make the changes exclusively to those 2 derived roles. This is possible but proposes a very weak and unnecessary overhead task for Security administrator.

Answer / zaky

The answer is simple, We cannot remove the tcodes from child
roles, so we have to restrict at org level for that tcode,
The user might need tht access to different company code or
plant, So at org level maintain a wildcard value which wont
allow user to fully access the tcode

Answer / annavarapu

first we need to add those t-codes for the users who required
access to execute and then remove the codes from the roles.
Automatically the users who doesn't required the t-code access
will workout

Answer / kamal

We can restrict the users in the particular derived
roles........... For this we dont need to creste another
child role....


Thanks

how to transport roles

3 Answers  

What is a composite role?

0 Answers  

How to find list of roles which are not assigned to any user

1 Answers   Wipro,

authorization issue. We had asssigned company codes 'BUKRS' in range for example 4000-4220 some come company code is working some are not working means in between ranges . could you please post the answer as early as possible.

0 Answers   Hexaware,

How to assign single tcode to 100 roles with single take

2 Answers  

how can we get the email address for multiple users at a time.

3 Answers   Tech Mahindra,

1 How many tickets usually get per day/month in support ? 2 what is the major ticket in your experience ? 3 what is the tool you are using in your company? 4 in situation we will use Derive roles in support project? 5 One User asked me the TCODE access in support project,he got approvals from all,so shal i create new role or can i add that TCODE in his roles? 6 what is ROLE OWNER? 7 What are the daily activities in your Project ?

2 Answers   ADI, AXA, TCS,

What is use of derived roles?

0 Answers  

HI FRIENDS, Can anybody tell me which is best institute in Hyderabad or bangalore for SAP GRC COURSE.How much duration and cost? Regards, sandy...@

6 Answers  

Is it possible to have a request type by which we can change the validity period of a user? If possible, then what are the actions?

3 Answers  

what is the difference between su25 & su24 , when we can make the authorization checks in su25 then what is the use of su24

2 Answers  

what is the procedure for deleting a role?

6 Answers   iGate, Satyam,