Question { Cognizant, 13855 }
We have one parent role and we derived five roles from that, and I assigned these derived roles to five users. Now I want to restrict 2 users for a couple of T-codes while the rest of the users work with those T-codes. How can we solve the problem?
Answer
We can change the authorizations of those 2 specific derived roles by removing the desired T-codes and generating the roles. But this actually defies the derived-template roles concept.
Also, whenever the template role is modified for some reason in the future, and the change is inherited via the template role, the 2 specific derived roles will lose all the changes made to them (as above) and will get the same auths as the template role again.
The only solution in this case is to not derive all roles from the template role after the template role's modification, but to derive each of those 3 derived roles individually, and make the changes exclusively to those 2 derived roles. This is possible, but it imposes a very weak and unnecessary overhead task on the security administrator.
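A pre-change check for the overwrite risk described in the answer, as an added example that is not part of the original answer: it lists derived roles whose S_TCODE values are narrower than the template's, since those manual removals are what a template-wide inheritance push would restore. It assumes rows exported from tables AGR_DEFINE and AGR_1251 with single-value S_TCODE entries (no ranges or wildcards); all role names and T-codes are constructed.

```python
from collections import defaultdict

# Constructed sample data; role names and T-codes are hypothetical.
# AGR_DEFINE export: (AGR_NAME, PARENT_AGR). Empty parent = not a derived role.
AGR_DEFINE = [("Z_TEMPLATE", "")] + [
    (f"Z_DERIVED_0{i}", "Z_TEMPLATE") for i in range(1, 6)
]

TEMPLATE_TCODES = ["VA01", "VA02", "VA03", "ME21N"]
RESTRICTED_ROLES = {"Z_DERIVED_04", "Z_DERIVED_05"}  # the 2 restricted users' roles
REMOVED_TCODES = {"VA01", "ME21N"}                   # removed by hand in PFCG

# AGR_1251 export reduced to (AGR_NAME, OBJECT, FIELD, LOW).
AGR_1251 = [("Z_TEMPLATE", "S_TABU_DIS", "ACTVT", "03")]  # non-S_TCODE row, ignored
for role, _parent in AGR_DEFINE:
    for tcode in TEMPLATE_TCODES:
        if role in RESTRICTED_ROLES and tcode in REMOVED_TCODES:
            continue
        AGR_1251.append((role, "S_TCODE", "TCD", tcode))


def tcodes_by_role(auth_rows):
    """Collect the S_TCODE/TCD values held by each role."""
    tcodes = defaultdict(set)
    for role, obj, field, low in auth_rows:
        if obj == "S_TCODE" and field == "TCD":
            tcodes[role].add(low)
    return tcodes


def restrictions_at_risk(define_rows, auth_rows):
    """Map each derived role to the T-codes it lacks relative to its template.

    These are the manual restrictions that would be lost if the template's
    authorizations were inherited by every derived role again.
    """
    tcodes = tcodes_by_role(auth_rows)
    at_risk = {}
    for role, parent in define_rows:
        if not parent:
            continue  # template or standalone role, nothing to inherit
        missing = tcodes[parent] - tcodes[role]
        if missing:
            at_risk[role] = sorted(missing)
    return at_risk


if __name__ == "__main__":
    for role, lost in restrictions_at_risk(AGR_DEFINE, AGR_1251).items():
        print(f"{role}: would regain {', '.join(lost)}")
```

Roles that appear in the output are the ones to exclude from a template-wide inheritance run, or to re-restrict after it.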