Answer / rohit

you can't restrict. you have to create another child role and restrict there i.e add/remove t-code as per the requirement. This type of question is asked in interview for creating confusion :)

Answer / siva

We can restrict via creating a new standalone role with the
required transaction codes restricting with org values of
the same plant/company code and assign the newly created
role and remove access to the already assigned derived role.

Answer / seenivasan m u

Possible, restrict the required users in validity parts from and to dates, T-code access available but validity controls, system will be reflect assigned two users only, rest of users not facing any issues on this.

Answer / sumeithmn

We can change the Authorizations of those 2 specific derived roles by removing the desired tcodes and generate. But this actually defies the derived - template roles concept.

Also, whenever the template role is modified for some reason i future, and if the change is inherited via the template role, then the 2 specific derived roles will lose all the changes made to them (as above) and will get the same auths as the template role again.
The only solution in this case is to not derive all roles from the template role after template roles modification, but to derived individually each of those 3 derived roles, and make the changes exclusively to those 2 derived roles. This is possible but proposes a very weak and unnecessary overhead task for Security administrator.

Answer / gane

convert the derived role into single role and remove the t-codes which are not required as we can't delete the t-codes from derived role menu.

Answer / zaky

The answer is simple, We cannot remove the tcodes from child
roles, so we have to restrict at org level for that tcode,
The user might need tht access to different company code or
plant, So at org level maintain a wildcard value which wont
allow user to fully access the tcode

Answer / annavarapu

first we need to add those t-codes for the users who required
access to execute and then remove the codes from the roles.
Automatically the users who doesn't required the t-code access
will workout

Answer / kamal

We can restrict the users in the particular derived
roles........... For this we dont need to creste another
child role....


Thanks

Explain snc in sap security?

0 Answers  

Hi we are working on the one company but location are different one location we are restrict the user pass word length 8 characters another location pass word length 10 characters but client is same and also we are maintaining the one app server. Could please help on this

4 Answers  

What is the difference between Execution and Simulation in grc rar

1 Answers   IBM,

Whr will u find u Error logs in BI security and What are Error logs will come and how will u solve that

3 Answers   IBM,

How can I do a mass delete of the roles without deleting the new roles?

0 Answers  

how many authorizations creates one user ?

6 Answers  

what is central user administration?

1 Answers  

Hiiiiii ..frnds... Pls tell me.... We know that we are using 2 transport request. Customizing and work bench request.I want to know which are comes under work bench and which are comes under customising???

1 Answers  

Difference between SE01, SE10 & SE09?

3 Answers   IBM,

This is in continuataion to the previous question. a user is assigned with tcode SA38.how to restrict him to execute only a few reports,say rsusr003.If you're going to modify the role(having sa38) assigned to the user,that will affect other users also because that role might be assigned to multiple users.I don' want that to happen.so what is the solution?

5 Answers   iGate,

can u tell me some of the password related parameters ?

5 Answers   IBM,

what is the length of user buffer

2 Answers   IBM,