Answer / rajesh srisailapu

Hi ,

"Groups" tab in SU01

By using "Groups" tab in SU01, we can allocate user group
to number of users at a time, this is for find the list of
users of a particular user group but we cannot restrict any
user to any region or any location.

User Group in "Logon data"

If we assign any user to User Group in Logon data of SU01,
then user will restrict to particular user group or region
or location. Whenever user trying to do any activity other
than this user group, then system will show “You are not
authorized to "XXXX user group.” Even though user have the
access for particular activity.

Ex: Let us assume some ABC Project, its having multiple
locations like India(SEC_IN), China (SEC_CN), Australia
(SEC_AU)…etc. Each location having individual security
admin with respective user groups. Now India security admin
trying to do password reset to any cross country user like
China user(as per urgency/requirement)then system will
show “You are not authorized to reset password
to “SEC_CN” user group.” Because India security admin is
assign to SEC_IN user group. like this way we can restrict
the users with User Group in Logon data of SU01.

This is the main Difference between User Group in "Logon
data" and "Groups" tab in SU01.

Answer / halmstad

User Group in LOG ON TAB will under got authorization check
where as User group maintained in user groups tab will not
go under authorization check

Answer / praveen.grcsecurity

Logon data ----> Used for Authorization purpose
Groups ----> Not used for Authorization purpose

Answer / vasu.g

Hi Rajesh,

Thanks for the above...!!!

"Groups" tab in SU01

Yes you are correct "By using "Groups" tab in SU01, we can
allocate user group
to number of users at a time, this is for find the list of
users of a particular user group but we cannot restrict any
user to any region or any location."

but if we assgin user to User Group in Logon data of SU01
The user administrators will be ristricted to Maintain the
user master records of particular users, this restriction
will be possible with S_USER_GRP.

Ex: if we have User A with group assgined to "Admin" at
Logon Tab and User B with group assgined to "Support"

if Security admins are rescticted at Auth Object S_USER_GRP
for "Admin" Group, then security admin team can not change
any user Master records of user "A"

Regards,
Vasu.G

Answer / anusha

Both fields pull data from USGRP table.

entries for "user group " for auth check are checks on S_USER_GRP and they stored in table USR02 and in fld CLASS

where as GROUP is stored in table USGRP_USER
And can be displayed

Answer / satyajit

User Group for Authorization Check
If you assign a user to a user group for the authorization check on the Logon Data tab, you can distribute user maintenance tasks among several user administrators. The system administrator can assign the respective user administrator the right to create and change users in a group. Using the authorization object User Master Maintenance:User Groups ( S_USER_GRP), you can assign user groups to different administrators.

Users that are not assigned to any of the groups, can be maintained by all administrators.


General User Groups
You use the division of users into user groups on the Groups tab primarily to group users for mass maintenance (transaction SU10). Furthermore, the Global User Manager (transaction SUUM) uses the user groups.

In the user maintenance transaction (SU01), you can assign users to one or more groups on the Groups tab.

Maintaining User Groups
You create user groups using the function Environment -> User Groups -> Maintain. If you are using Central User Administration, you must create the user groups required in all systems.

Answer / raghuram.kondreddi

1.When you assign user group in groups tab that user name
will not be shown when you extract a report in SUIM-->Users
by complex criteria -->By user Id .

2. When you assign user group in Logon TAB that user name
will be shown in the same .


PLEASE CORRECT ME IF I AM WRONG

how to adjust user master records?

6 Answers   Accenture,

What is t code?

0 Answers  

Whr will u find u Error logs in BI security and What are Error logs will come and how will u solve that

3 Answers   IBM,

how do we test security systems.what is the use of SU56

2 Answers   GE, IBM,

1) Explain me about your SAP Career? 2) Tell me your daily monitoring jobs and most of them you worked on? 3) which version of SAP are you working on? Is it a java stack or abap stack? 4) Tell me about derived role? 5) what is the main difference between single role and a derived role 6) Does s_tabu_dis org level values in a master role gets reflected in the child role?? 7) Tell me the steps to configure CUA? 8) Is RAR a java stack or Abap Stack? 9) What is the report which states the critical T-codes? and also What is the T-code? 10) What is the T-code to get into RAR from R/3? 11) Explain about SPM?

2 Answers   TCS,

SU25 Step6 How Roles are created through Profiles?

2 Answers   IBM,

In 4.7 EE, we have an option as User -> Settings -> Automatic Comparison at Save. Is it right if i say that this option checked will automatically prompt for User cpompare when we simply save the data after entering the users to the role? But whether the option is checked or not i did not get any prompt for User compare on saving the data after entering Users info in the role. My another doubt is whats the difference between User and Complete Compare options. If i dont do complete Compare, wiill that effect? Is it right if i say that User compare assigns the users to the role and Complete Compare updates the user master recoirds , i.e., User master record comparison is current.

3 Answers  

What are major changes happened in GRC 10 compared to that GRC 5.3?

3 Answers   Sony,

how we Created over 120 customized end user roles and menus.

1 Answers   IBM, Wipro,

How to create a simple or single role.?

2 Answers  

How to hide SAP user menu or Role Menu from end user?

2 Answers   Cap Gemini,

Explain protecting public keys?

0 Answers