Former Member

PFCG restriction: how to restrict security team from self assignment of roles?

Currently security team is able to assign roles to themselves. Is there any way to restrict this? The team should be able to assign roles to other users but not to self. Any help or suggestion is greatly appreciated.


4 Answers

  • Former Member
    Jan 07, 2014 at 10:51 AM

    Vijay, you can do it. Put the security team in one user group and then restrict them under object S_USER_GRP and S_USER_AGR / S_USER_PRO (if required) but the assignment values 22, 78 like that. Hope this helps to start. Regards, Daya


    • Using the standard concept you'll have to get creative with your S_USER_GRP and a supporting set of roles.  This will have a maintenance overhead.  A couple of alternatives are:

      1. Have someone outside the team have access to grant them to users within the group (and be strict about enforcing user groups)

      2. Run a detective report on a weekly basis to see who has done self-assignments (most commonly operated control that I have seen).
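The weekly detective report suggested in the comment above, sketched as an added example that is not part of the original thread: it scans an export of role-assignment change records and flags rows where a security-team member assigned a role to their own user ID. The CSV layout, user IDs and role names are constructed for illustration and are not an SAP table or report format.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. Column names are assumptions for this example.
SAMPLE_EXPORT = """changed_at,changed_by,target_user,role,action
2014-01-02T09:15:00,SECADM1,JSMITH,Z_FI_DISPLAY,ASSIGN
2014-01-03T14:02:00,SECADM2,secadm2,Z_BASIS_ADMIN,ASSIGN
2014-01-04T08:30:00,SECADM1,SECADM1,Z_FI_DISPLAY,REMOVE
2014-01-06T17:45:00,SECADM1,SECADM1 ,Z_USER_ADMIN,ASSIGN
2013-12-20T11:00:00,SECADM2,SECADM2,Z_HR_DISPLAY,ASSIGN
"""


def normalize(user_id):
    """User IDs are compared case-insensitively and without padding."""
    return user_id.strip().upper()


def find_self_assignments(export_text, security_team, report_end, days=7):
    """Return (user, role, changed_at) for each self-assignment made by a
    security-team member in the `days` before `report_end`."""
    team = {normalize(u) for u in security_team}
    window_start = report_end - timedelta(days=days)
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["action"].strip().upper() != "ASSIGN":
            continue  # removals are not the control's concern
        changed_at = datetime.fromisoformat(row["changed_at"].strip())
        if not (window_start < changed_at <= report_end):
            continue  # outside this week's reporting window
        actor = normalize(row["changed_by"])
        target = normalize(row["target_user"])
        if actor == target and actor in team:
            findings.append((actor, row["role"].strip(), changed_at))
    return findings


if __name__ == "__main__":
    week_end = datetime(2014, 1, 7)
    for user, role, when in find_self_assignments(
            SAMPLE_EXPORT, ["SECADM1", "SECADM2"], week_end):
        print(f"{when:%Y-%m-%d %H:%M} {user} self-assigned {role}")
```

The report is only a useful control if someone outside the security team reviews it.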

  • Former Member
    Jan 07, 2014 at 11:00 AM

    Hi Vijay

    Restrict the security group by assigning it to an auth group with the object S_USER_GRP

    with values 22 and 78 and class (auth group)

    Cheers

    Pavan M


  • Former Member
    Jan 08, 2014 at 10:20 AM

    Guys, can you please look into it? Has anybody come across this scenario? Looking forward to your reply.


    • Hi, as I mentioned, you will have to build a set of roles and authorisation groups that allows this segregation.  Unfortunately that will mean creating auth groups and roles for each user and will incur a suitably high maintenance overhead.

  • Former Member
    Jun 09, 2016 at 11:22 AM

    This message was moderated.
