10-16-2008 2:50 PM
Hi All
How can we give authorisation to a User to modify access (Create/Delete/Password Change/Role assign/Role Delete, etc.) for other user IDs, but that user should have only display access for his own User ID?
Please Help me in this.
10-16-2008 2:58 PM
Hi Raju,
The best way for securing users is through User Groups. You can create User Groups in SUGR.
You can restrict via the S_USER_GRP Authorization object so that a user has privileges for User Administration and Role Assignment for only certain user groups and not for everyone, including his own user ID.
You can have SU01D to perform display access of all user info.
Regards,
Kiran Kandepalli.
10-16-2008 3:05 PM
Hi Kiran,
Thanks for your reply,
We are not maintaining User Groups and we have almost 10,000+ users. Is there any other option?
Regards
Raj
10-16-2008 3:12 PM
Hi Raju,
Even if you are not maintaining users through user groups, you can still achieve this in a very simple way, i.e.:
Create only two user groups, e.g. group 1 & 2.
Assign the user whom you want to restrict from changing his own user ID but who should administer the IDs of others to, say, group 1, and the rest of the users to group 2.
Then, restrict the access for the user who would be administering other users through S_USER_GRP to exclude his own user group, i.e. group 1.
Hope this helps!
Thanks,
Saby..
10-16-2008 3:12 PM
> We are not maintaining User Groups and we have almost 10,000+ users. Is there any other option?
You only need to maintain a user group for the ones going to use SU01. Surely those aren't 10,000+?
10-16-2008 3:18 PM
Hi Raju,
I think it is imperative that the only personnel who should have this kind of access is the BASIS TEAM, and nobody else should have authorizations to display/change/update other users' master records.
Now what harm will it be to give access to the BASIS TEAM to look at and handle their own master records, when they can because you don't have the USER GROUPS concept at your company?
I agree that User Administration and Role Administration should not be handled by the same Basis person.
You can segregate that to avoid a valid SOD conflict, although most companies don't pay a lot of attention.
You may end up creating two different roles for the Basis team, one for pure user creation and the other for role assignment only.
Hope this helps
Regards,
Kiran Kandepalli.
10-19-2008 10:09 AM
Hi,
I have worked with many clients, and the requirement for handling User Administration and Role Administration differs from client to client.
Some clients may ask that the same person should handle both User and Role Administration, but some clients may ask for separating the tasks.
In your case, if you want to restrict the person to maintaining the other users but not his own user ID, this can be achieved by doing the following:
Create a separate user group for those doing the administration part and create other user groups for the other users.
Create a role with SU01 and restrict the standard objects to all user groups except the administration one, then add the S_USER_GRP authorization object manually into the same role and provide only 03 with the administration object.
The above will solve the problem: the administrator is not able to update his own user ID, but can update the other users.
Regards
Anandm
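Added example, not part of any post in this thread and not SAP code: a simplified Python model of the two-group S_USER_GRP setup described above, showing that the display-only (03) restriction on the administrators' group holds only while no other assigned role grants change for that group. The group names, user IDs and role contents are constructed, and the model assumes authorizations are additive with `*` as a wildcard.

```python
"""Simplified model of how S_USER_GRP authorizations combine (constructed data)."""
from dataclasses import dataclass

CREATE, CHANGE, DISPLAY, DELETE = "01", "02", "03", "06"  # ACTVT values


@dataclass(frozen=True)
class Auth:
    """One S_USER_GRP authorization; CLASS and ACTVT must both match (AND)."""
    classes: frozenset
    actvts: frozenset

    def allows(self, user_group, actvt):
        return (("*" in self.classes or user_group in self.classes)
                and ("*" in self.actvts or actvt in self.actvts))


def auth(classes, actvts):
    return Auth(frozenset(classes), frozenset(actvts))


def check(auths, user_group, actvt):
    """Authorizations from all assigned roles are ORed; there is no deny rule."""
    return any(a.allows(user_group, actvt) for a in auths)


# Constructed sample data: two groups, as proposed in the thread.
USER_GROUPS = {"UADMIN01": "ADMINS", "JSMITH": "USERS", "MLEE": "USERS"}

# Hypothetical role: full maintenance of USERS, display only (03) for ADMINS.
ROLE_USER_ADMIN = [
    auth({"USERS"}, {CREATE, CHANGE, DISPLAY, DELETE}),
    auth({"ADMINS"}, {DISPLAY}),
]
# Hypothetical older role that still grants change for every group.
ROLE_LEGACY_WIDE = [auth({"*"}, {CHANGE})]


def self_maintainers(admin_auths, user_groups):
    """Admins whose combined authorizations allow changing their own group."""
    return sorted(admin for admin, auths in admin_auths.items()
                  if check(auths, user_groups[admin], CHANGE))


if __name__ == "__main__":
    print(self_maintainers({"UADMIN01": ROLE_USER_ADMIN}, USER_GROUPS))
    print(self_maintainers({"UADMIN01": ROLE_USER_ADMIN + ROLE_LEGACY_WIDE},
                           USER_GROUPS))
```

The second call reports the administrator, because the broader role's `*` authorization overrides the intended restriction; reviewing every role assigned to the administrators is part of making this design hold.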