Former Member

Authorization level

Hi Experts,

We are planning to create authorization levels for user creation, role creation, role assignment and user comparison.

As below

1) The first user can create users and roles.

2) The second user can only assign created roles to users.

3) The third user can only do the user comparison, which means that in this step he can only activate the user or role.

For the 1st and 2nd steps we can create roles based on SU01 and PFCG. But I am not clear about the 3rd step: how can we assign only the activation authorization?

Please let me know if there is any other possibility for the above authorization levels.

Thanks & Regards

Nick Loy


8 Answers

  • Former Member
    Aug 08, 2009 at 08:14 AM

    Hi Nick,

    For the 3rd condition you have to restrict the activities create, change and delete in the authorizations below:

    S_USER_AGR

    S_USER_AUT

    S_USER_GRP

    S_USER_PRO

    S_USER_SAS

    S_USER_TCD

    S_USER_VAL

    Regards

    Chandra


  • Former Member
    Aug 08, 2009 at 08:35 AM

    Hi Chan,

    Thanks, and I accept your reply, but those objects are default objects which come with the SU01 and PFCG transactions.

    I have clearly mentioned that I want to assign only the USER COMPARISON authorization (or user/role activation, if any) to the 3rd user.

    How does USER COMPARISON come into play, and with which authorization object?

    Regards

    Nick Loy


  • Former Member
    Aug 08, 2009 at 08:54 AM

    Moved to NW Security forum...


  • Former Member
    Aug 08, 2009 at 09:31 AM

    > 1) first user can create user and role

    > 2) Second user only can assign created role to users

    To split these two, make sure you read [Note 312682 - Checks when assigning users to roles|https://service.sap.com/sap/support/notes/312682] so the person assigning roles does not need change

    > 3) Third user only can do user comparison, which means in this step he only can activate user or role.

    And why do you want to separate 2 and 3? Can you tell us more about the reasoning behind this? In most systems I work with, the user compare is done by the person assigning the role(s) and by a daily job (PFCG_TIME_DEPENDENCY).


  • Former Member
    Aug 08, 2009 at 09:44 AM

    Hi Nick,

    I don't think separate authorizations are required for role assignment and role comparison. Once the role is assigned to the user, it gets activated in the user profile.

    If the role assignment to the user is done with some future date, it is better to do the user comparison with the program PFCG_TIME_DEPENDENCY.

    Regards,


  • Former Member
    Aug 08, 2009 at 10:13 AM

    Hi all,

    Thanks for your inputs.

    Dear Jurjen: Actually, for more security, one of my clients is asking about these authorization levels.

    Here he wants to create 3 levels with different authorizations.

    More clearly, the 3rd level is the higher level with only the user compare authorization; he can only do the user comparison, and only then do these authorizations get activated. If there is any other way to create the 3rd level, meaning can we give user/role activation etc., please let me know.

    Regards

    Nick Loy


    • Former Member

      Also, I'm not sure why you would want the 3rd level, because often this is scheduled as a job anyway.

      But there is a way of doing it: if you take a look in table PRGN_CUST, there is a switch which activates a check on transaction PFUD to be able to do the user compare and assign the roles' profiles.

      Only those users who are authorized for transaction PFUD can do it, regardless of whether they are in PFUD itself, PFCG, the reports, etc.

      Also check your Support Package levels, as there have been several corrections lately which correctly differentiate between role development/admin and user admin. In some cases the checks were too strict or missing.

      Cheers,

      Julius

      Edited by: Julius Bussche on Aug 9, 2009 10:30 AM

  • Former Member
    Aug 10, 2009 at 06:46 AM

    Hi Julius,

    I have created the authorization levels as mentioned above, but I have only one concern: I want to keep USER COMPARISON as mandatory to reflect role/authorization changes.

    This means that now, when we assign new roles to user IDs, those become directly accessible to the user with or without a user comparison.

    If we make the USER COMPARISON a mandatory field, then it will be easy to achieve the 3rd step.

    Thanks & Regards

    Nick Loy


    • Former Member

      > If we make the USER COMPARISON a mandatory field, then it will be easy to achieve the 3rd step.

      The bugger is that it's not a field... so you would need to permit role assignment via SU01 only and block the ability to use validity ranges there, and generally block access to the "Users" tab in PFCG, no structural authorizations, etc.

      But I think it could be doable with the above switch for transaction PFUD and S_USER_PRO actvt 22, and then be careful who you give the access to.

      There used to be a customizing option at events in SU01 which allowed you to add your own code, which for "SAVE" had a path to PFCG as well. That might have been another possible option to force the compare, but to my knowledge they are obsolete now.

      Anyway, what is important is that the changes done to the role and the assignment are correct and authorized. That the profiles follow suit as and when needed can be automated, in my opinion. There is no additional risk.

      Cheers,

      Julius
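      The split Julius describes (creation of users and roles, assignment of roles, and a separate user comparison gated on transaction PFUD plus S_USER_PRO activity 22) can be checked mechanically. The script below is an added example, not code from this thread or from SAP: it models a simplified AUTHORITY-CHECK (every field of one authorization must match; "*" is a wildcard, ranges are not modelled) and then derives which of the three approval levels each constructed user can perform, flagging anyone holding more than one level. The object and field names S_TCODE/TCD, S_USER_GRP/CLASS, S_USER_AGR/ACT_GROUP and S_USER_PRO/PROFILE are real SAP objects; the exact combination of values that each transaction checks, and the role, profile and user group names, are assumptions made for the illustration.

```python
"""Constructed model of the three-level user/role administration split
(create, assign, compare). Simplified AUTHORITY-CHECK; not SAP code."""
from fnmatch import fnmatchcase

# Which approval level each action belongs to (assumption: level 1 = SU01/PFCG
# creation, level 2 = assignment only, level 3 = user master comparison).
LEVELS = {"create_user": 1, "create_role": 1, "assign_role": 2, "user_compare": 3}

# Sample objects the checks run against (constructed names).
ROLE, PROFILE, GROUP = "Z_HR_DISPLAY", "T-ZHR00001", "ZBASIS"


def authority_check(profile, obj, **fields):
    """True if one authorization for `obj` in `profile` covers every requested field.

    Mirrors the ABAP AUTHORITY-CHECK rule that all fields must match within the
    same authorization; patterns use '*' as wildcard (ranges are not modelled).
    """
    for auth in profile.get(obj, []):
        if all(any(fnmatchcase(val, pat) for pat in auth.get(fld, []))
               for fld, val in fields.items()):
            return True
    return False


def allowed_actions(profile):
    """Derive the administrative actions a user profile permits (assumed checks)."""
    ok = lambda obj, **f: authority_check(profile, obj, **f)
    actions = set()
    if ok("S_TCODE", TCD="SU01") and ok("S_USER_GRP", CLASS=GROUP, ACTVT="01"):
        actions.add("create_user")
    if (ok("S_TCODE", TCD="PFCG") and ok("S_USER_AGR", ACT_GROUP=ROLE, ACTVT="01")
            and ok("S_USER_PRO", PROFILE=PROFILE, ACTVT="01")):
        actions.add("create_role")
    # Assignment without change rights on the role (Note 312682 style): actvt 22.
    if (ok("S_TCODE", TCD="SU01") and ok("S_USER_AGR", ACT_GROUP=ROLE, ACTVT="22")
            and ok("S_USER_GRP", CLASS=GROUP, ACTVT="22")):
        actions.add("assign_role")
    # With the PRGN_CUST switch, the compare is gated on PFUD regardless of
    # entry point; assumed here as S_TCODE=PFUD plus S_USER_PRO actvt 22.
    if ok("S_TCODE", TCD="PFUD") and ok("S_USER_PRO", PROFILE=PROFILE, ACTVT="22"):
        actions.add("user_compare")
    return actions


def sod_violations(users):
    """Return {user: levels} for every user holding more than one approval level."""
    bad = {}
    for name, prof in users.items():
        levels = {LEVELS[a] for a in allowed_actions(prof)}
        if len(levels) > 1:
            bad[name] = sorted(levels)
    return bad


# Constructed profiles for the thread's users A, B, C plus a toxic user D.
USERS = {
    "A": {  # creates users and roles, cannot assign or compare
        "S_TCODE": [{"TCD": ["SU01", "PFCG"]}],
        "S_USER_GRP": [{"CLASS": ["ZBASIS"], "ACTVT": ["01", "02", "03", "06"]}],
        "S_USER_AGR": [{"ACT_GROUP": ["Z_*"], "ACTVT": ["01", "02", "03", "06"]}],
        "S_USER_PRO": [{"PROFILE": ["T-*"], "ACTVT": ["01", "02", "03", "06"]}],
    },
    "B": {  # assigns only: no create activity, no S_USER_PRO, no PFUD
        "S_TCODE": [{"TCD": ["SU01"]}],
        "S_USER_GRP": [{"CLASS": ["ZBASIS"], "ACTVT": ["03", "22"]}],
        "S_USER_AGR": [{"ACT_GROUP": ["Z_*"], "ACTVT": ["03", "22"]}],
    },
    "C": {  # compares only: PFUD plus profile assignment, no SU01/PFCG
        "S_TCODE": [{"TCD": ["PFUD"]}],
        "S_USER_AGR": [{"ACT_GROUP": ["Z_*"], "ACTVT": ["03"]}],
        "S_USER_PRO": [{"PROFILE": ["T-*"], "ACTVT": ["22"]}],
    },
    "D": {  # wildcard profile: collapses all three levels into one person
        "S_TCODE": [{"TCD": ["*"]}],
        "S_USER_GRP": [{"CLASS": ["*"], "ACTVT": ["*"]}],
        "S_USER_AGR": [{"ACT_GROUP": ["*"], "ACTVT": ["*"]}],
        "S_USER_PRO": [{"PROFILE": ["*"], "ACTVT": ["*"]}],
    },
}

if __name__ == "__main__":
    for name, prof in USERS.items():
        print(name, sorted(allowed_actions(prof)))
    print("violations:", sod_violations(USERS))
```

      Running it shows A limited to creation, B to assignment and C to the compare, while D is reported as holding levels 1, 2 and 3. Because the model only enumerates the checks listed in the comments, anyone adapting it to a real system should replace those with the checks their own support package level actually performs (SU53/ST01 traces on SU01, PFCG and PFUD are the way to find out).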

  • Former Member
    Aug 11, 2009 at 06:20 AM

    Yes Julius,

    I created a new role with only the PFUD transaction for the 3rd user, who is able to do the user comparison.

    Hence I achieved the 3rd step too, as below.

    Say A, B and C are 3 different users.

    A is able to create users and roles.

    B can only assign roles to user IDs.

    C can only compare those assigned roles.

    These steps are working fine as approval levels.

    Thanks & Regards

    Nick Loy


    • Former Member

      Hi Nick,

      I am on ECC 6.0. We applied the SPS15 stack recently; after this, the role comparison is active only when you create a new role.

      If the same new/old role needs to be given a new T-code, then after save and generation the user comparison shows "User master record compared". That means, as per my understanding, that by saving and generating the role itself got compared. Is it correct? If yes, then how will you address your 3rd point? Please share this as well.

      Rgds,

      Gadde.