cancel
Showing results for 
Search instead for 
Did you mean: 

How to provide only User Alias Mapping to a User in SAP BOBJ

Ckumar
Contributor
0 Kudos

Hello Experts,

I need to assign Only Alias Mapping Authorization to an User in BOBJ. Could you please suggest how I can achieve the same.

I am new to SAP BOBJ so could you please also suggest some links and pdf to getting started with it.

Regards,

C Kumar

Joe_Peters
Active Contributor
0 Kudos

Can you please clarify what you're trying to do?

Ckumar
Contributor
0 Kudos

Thanks for reply Joe!

Sorry If I am not clear regarding my query as I am new to BOBJ.

Actually I have to provide only provisioning access to a user in BOBJ. Please help me to achieve this.

Joe_Peters
Active Contributor
0 Kudos

Eh, still not clear. Do you mean you want the user to only have the ability to create other user accounts?

Ckumar
Contributor
0 Kudos

Yes Joe and apart from this he should be able to assign the group too, Similar

to SU01 access in SAP ECC.

Accepted Solutions (0)

Answers (2)

Answers (2)

Ckumar
Contributor
0 Kudos

Thanks Joe for Answer!

Yes I tried the same way you suggested -

"The simplest way to do this is to give the group Full Control over both Users and User Groups. However, this may be more than what you want, as it would grant the ability to delete users, change passwords, and add/delete groups."

But as per the business requirement, user mustn't have delete users, change passwords, and add/delete groups authorization. How to limit this.

Another query - how we can limit the access to only user creation.

Joe_Peters
Active Contributor

If you grant the explicit rights as I listed in my answer, then they won't be able to delete users, or add/delete groups.

By default, users only have access to what you give them. So if your delegated admin isn't granted any other access, then they won't be able to do anything else.

Ckumar
Contributor
0 Kudos

Thanks Joe for suggestions!

Let me work on the suggestions provided and will update here.

Joe_Peters
Active Contributor
0 Kudos

What you're after is commonly referred to as a delegated admin. You can use a Custom Access Level for this, or assign rights directly. Directly-assigned rights might be sufficient if your requirements aren't too complex.

I would suggest creating a Delegated Admin group, add your user to the group, and then grant the group the appropriate rights.

You'll need to grant the rights at the top level of both Users and User Groups (CMC -> Users and Groups -> Manage -> Top level security -> All Users, then All Groups).

The simplest way to do this is to give the group Full Control over both Users and User Groups. However, this may be more than what you want, as it would grant the ability to delete users, change passwords, and add/delete groups.

At a minimum, in All Users, the group would need to the following rights granted:

  • Edit objects
  • View objects
  • Add objects to the folder
  • Add or edit user attributes

For User Groups, it needs:

  • View objects
  • Add objects to the folder
  • Edit objects

You could also do limited deleted admins -- instead of granting the above User Group rights at the top level, just assign it to a particular group. This would allow the deleted admin group the ability to add/remove users from this group only.