Su01 Restriction

Hi, i want to restrict the use of Su01 to a particular group tochange user as well as unlock user

The following is the steps I am doing:

1. Create the role with a no authorizations except display.

2. Attmept to change the password.th esystem will ntopermit the user.

3. Now do an SU53 and determine whats th eauth object & Edit the auth object.

Bur I am finding it very cumbersome, there must be a direct/better way ! can you shed some light ?

Thanks