12-10-2007 4:49 PM
Hi, I want to restrict the use of SU01 to a particular group to change user as well as unlock user.
The following are the steps I am doing:
1. Create the role with no authorizations except display.
2. Attempt to change the password. The system will not permit the user.
3. Now do an SU53 and determine what's the auth object & edit the auth object.
But I am finding it very cumbersome, there must be a direct/better way! Can you shed some light?
Thanks
12-10-2007 5:09 PM
Hi George,
Check out transaction ST01. In the transaction help there is some useful info on how to use it.
ST01 will let you switch on an authorisation trace that will record all the auth checks performed when you run a transaction.
An easy way to start is to switch on the trace & using your ID perform one of the tasks e.g. unlock user. This will tell you which auths are checked (for this one, you need S_USER_GRP ACTVT=05).
The trace will also tell you what auth failures occur etc.
Use the search for ST01 - there is loads of info on various "features" of the tool that you should be aware of.
12-11-2007 1:34 PM
Hi George,
If you add a transaction to a role menu (using transaction PFCG) you get the authorization proposals for that transaction after switching to the authorization tab.
Transaction SU24 shows the authorization proposals for a transaction, too.
For transaction SU01 you'll find several entries, e.g. for S_USER_GRP (users), S_USER_AGR (roles), S_USER_PRO (profiles).
You can view authorization objects including their documentation using transaction SUIM (or SU21 or SE80).
Kind regards
Frank Buchholz
12-11-2007 10:32 PM
Thanks. I frequently listen to you as well as read your books! I am greatly pleased to hear from you directly!!
Thanks
12-11-2007 11:13 PM
12-12-2007 12:10 AM
A small comment from me: If you have prior been able to select the user based on a criteria you are authorized for, and are authorized to navigate into the start screen of SU01 or SU01_NAV (from a report), then only locking the user or resetting the password of the user does not require S_USER_GRP activity '03' (display).
You already have the user (based on prior knowledge or report output) => the system at that point checks S_USER_GRP activity '05' only.
Performing user logon data administration after displaying (F7) the user in SU01 will require more authorizations (display, change,...).
Depending on how you navigate, and when you subsequently run the SU53 check, and how you analyze the ST01 trace, I would think that you will be able to find a correct (authorizations) path to "fine tune" the user admin authorizations.
Though I do not know your requirements (for user group administration), nor how many user groups you have...
Kind regards,
Julius
12-12-2007 12:06 PM
Julius,
As said, I want to give the support team (first level of call-in) the task of unlocking the users as well as the resetting of PWDs. Nothing more, so no blanket SU01 access.
What is the value recommended for S_USER_GRP given that there is authorization for the start screen of SU01?
SU01 has such a wide range of authorizations, so yesterday after FB's input I got all the auth objects and their descriptions. All I do now is tune it up, and then do a fine tune with SU53/ST01! Thx
12-12-2007 12:16 PM
George, may I suggest you read my previous post on this topic. It tells you what it needs...
12-12-2007 5:58 PM