Skip to Content
avatar image
Former Member

Restricted access for user in SU01

Hi All

How can we give authorisation to a User to modify access (Create/Delete/Password Change/Role assign /Role Delete..etc) for other user IDs but that user should have only display access for his User ID.

Please Help me in this.

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

4 Answers

  • avatar image
    Former Member
    Oct 16, 2008 at 01:58 PM

    Hi Raju,

    The best way for securing users is through User Groups. You can create User Groups in SUGR.

    You can restrict via the S_USER_GRP Authorization object so that a user have privelages for User Administration, Role Assignment for only certain user groups and not to every one including his own user id.

    You can have SU01D to perform display access of all user info.

    Regards,

    Kiran Kandepalli.

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      Hi Raju,

      I think it is imperative that the only personnel who should be having this kind of an access is BASIS TEAM and nobody else should have authorizations to display/change/update other users master records.

      Now what harm will it be to give access to BASIS TEAM to look and handle their own master records when they can because you dont have USER GROUPS concept at your company.

      I agree that User Administration and Role Administration should not be handled by the same Basis Person.

      You can segregate that to avoid a valid SOD Conflict although most companies dont pay a lot of attention.

      You may end up creating two different roles for the basis team, one for pure User creation and the other for role assignment only.

      Hope this helps

      Regards,

      Kiran Kandepalli.

  • avatar image
    Former Member
    Oct 19, 2008 at 09:09 AM

    Hi,

    I have worked with many clients, and the requirement of handling the user Administration and Role Administration is different from each client to other client.

    Some client may ask for the same person should handle both User and Role ADministration, but some client may ask for separating the tasks.

    In your case, if you want to restric the person to maintain the other users but not the own user id, this can be achieved by doing the following:

    Create a separate user group who is doing the administration part and create other user groups for other users.

    Create a role with SU01 and restrict the Standard objects with all user groups except the administation one and add S_USER_GRP authorization object manually into the same role and provide only 03 with the administration object.

    The above will solve the problem of administration not able to update the own user id, but the other users.

    Regards

    Anandm

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Oct 19, 2008 at 01:02 PM

    This message was moderated.

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Oct 21, 2008 at 11:54 AM

    This message was moderated.

    Add comment
    10|10000 characters needed characters exceeded