Application Development Discussions
Authorization level

Former Member
0 Kudos

Hi Experts,

We are planning to create authorization levels for user creation & role creation, role assignment and role comparison.

As below

1) First user can create users and roles

2) Second user can only assign created roles to users

3) Third user can only do user comparison, which means in this step he can only activate the user or role.

For the 1st and 2nd steps we can create roles based on SU01 and PFCG, but I am not clear about the 3rd step: how can we assign only the activation authorization?

Please let me know if there is any other possibility for the above auth levels.

Thanks & Regards

Nick Loy

11 REPLIES

Former Member
0 Kudos

Hi Nick,

For the 3rd condition you have to restrict the below authorizations to create, change, delete:

S_USER_AGR

S_USER_AUT

S_USER_GRP

S_USER_PRO

S_USER_SAS

S_USER_TCD

S_USER_VAL

Regards

Chandra

Former Member
0 Kudos

Hi Chan,

Thanks, and I accept your reply, but those objects are default objects which come with the SU01 and PFCG tcodes.

I have clearly mentioned that I want to assign only the USER COMPARISON authorization (or user/role activation, if any) to the 3rd user.

How will USER COMPARISON come, and with which authorization object?

Regards

Nick Loy

Former Member
0 Kudos

Moved to NW Security forum...

jurjen_heeck
Active Contributor
0 Kudos

> 1) first user can create user and role

> 2) Second user only can assign created role to users

To split these two, make sure you read [Note 312682 - Checks when assigning users to roles|https://service.sap.com/sap/support/notes/312682] so the person assigning roles does not need change

> 3) Third user only can do user comparison, which means in this step he only can activate user or role.

And why do you want to separate 2 and 3? Can you tell us more about the reasoning behind this? In most systems I work with, the user compare is done by the person assigning the role(s) and by a daily job (PFCG_TIME_DEPENDENCY).

Former Member
0 Kudos

Hi Nick,

I don't think separate authorizations are required for role assignment and role comparison. Once the role is assigned to the user it gets activated in the user profile.

If the role assignment to the user is done with some future date, it is better to do the user comparison with the program PFCG_TIME_DEPENDENCY.

Regards,

Former Member
0 Kudos

Hi all,

Thanks for your inputs.....

Dear Jurjen: Actually, for more security, one of my clients is asking about these auth levels.

Here he wants to create 3 levels with different authorizations.

More clearly, the 3rd level is a higher level with only the user compare authorization; he can only do the user comparison, and only then do these authorizations get activated. If there is any other way to create the 3rd level, can we give user/role activation etc.?

Regards

Nick Loy

0 Kudos

Also not sure why you would want the 3rd level because often this is scheduled as a job anyway.

But there is a way of doing it: if you take a look in table PRGN_CUST, there is a switch which activates a check on transaction PFUD to be able to do the user compare and assign the roles' profiles.

Only those users who are authorized for transaction PFUD can do it, regardless of whether they are in PFUD itself, PFCG, the reports, etc.

Also check your Support Pack levels, as there have been several corrections lately which correctly differentiate between role development / admin and user admin. In some cases the checks were too strict or missing.

Cheers,

Julius

Edited by: Julius Bussche on Aug 9, 2009 10:30 AM

Former Member
0 Kudos

Hi Julius,

I have created the auth levels as mentioned above, but I have only one concern: that is, I want to keep USER COMPARISON as mandatory to reflect role/authorization changes.

This means that now, when we assign new roles to user IDs, they become directly accessible to the user with or without a user comparison.

If we make USER COMPARISON a mandatory field, then it will be easy to achieve the 3rd step.

Thanks & Regards

Nick Loy

0 Kudos

> If we make USER COMPARISON a mandatory field, then it will be easy to achieve the 3rd step.

The bugger is that it's not a field... so you would need to permit role assignment via SU01 only and block the ability to use validity ranges there, and generally access to the "Users" tab in PFCG, no structural authorizations, etc.

But I think it could be doable with the above switch for transaction PFUD and S_USER_PRO ACTVT 22, and then be careful who you give the access to.

There used to be a customizing option at events in SU01 which allowed you to add your own code, which for "SAVE" had a path to PFCG as well. That might have been another possible option to force the compare, but to my knowledge they are obsolete now.

Anyway, what is important is that the changes done to the role and assignment are correct and authorized. That the profiles follow suit as and when needed can be automated, in my opinion. There is no additional risk.

Cheers,

Julius

Former Member
0 Kudos

Yes Julius,

I created a new role with only the PFUD tcode for the 3rd user, who is able to do the user comparison.

Hence I achieved the 3rd step too, as below.

Say A, B and C are 3 different users.

A will be able to create user and role

B can only assign roles to user IDs.

C can only compare those assigned roles.

These steps are working fine as approval levels.

Thanks & Regards

Nick Loy
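As an added example (not code from any participant in this thread), the three-way split Nick confirms above can be checked mechanically against an extract of user authorization values. The required values per level are assumptions drawn from the thread (the S_USER_* objects, PFUD, S_USER_PRO ACTVT 22, and Note 312682 for assignment) and the sample data is constructed; verify the values against your own release before relying on them.

```python
# Segregation-of-duties check for the three-level model A (create),
# B (assign), C (compare). The triples below are assumptions based on the
# thread, not an authoritative list for any SAP release.
LEVELS = {
    "create": {("S_USER_GRP", "ACTVT", "01"), ("S_USER_AGR", "ACTVT", "01")},
    "assign": {("S_USER_AGR", "ACTVT", "22"), ("S_USER_GRP", "ACTVT", "22")},
    "compare": {("S_TCODE", "TCD", "PFUD"), ("S_USER_PRO", "ACTVT", "22")},
}

def _has(held, obj, field, value):
    """A value is held if present literally or via a '*' (full) value."""
    return (obj, field, value) in held or (obj, field, "*") in held

def levels_held(auths):
    """Return the names of all levels whose required triples are all held."""
    held = set(auths)
    return {name for name, req in LEVELS.items()
            if all(_has(held, *t) for t in req)}

def check_segregation(user_auths):
    """user_auths: {user: iterable of (object, field, value)}.
    A user holding more than one level breaks the three-way split."""
    findings = {"conflicts": {}, "ok": {}}
    for user, auths in user_auths.items():
        lv = levels_held(auths)
        bucket = "conflicts" if len(lv) > 1 else "ok"
        findings[bucket][user] = sorted(lv)
    return findings

# Constructed sample (not from a real system): A creates, B assigns,
# C compares, D was accidentally given both create and compare.
SAMPLE = {
    "A": [("S_USER_GRP", "ACTVT", "01"), ("S_USER_AGR", "ACTVT", "01"),
          ("S_TCODE", "TCD", "SU01"), ("S_TCODE", "TCD", "PFCG")],
    "B": [("S_USER_AGR", "ACTVT", "22"), ("S_USER_GRP", "ACTVT", "22"),
          ("S_TCODE", "TCD", "SU01")],
    "C": [("S_TCODE", "TCD", "PFUD"), ("S_USER_PRO", "ACTVT", "22")],
    "D": [("S_USER_GRP", "ACTVT", "01"), ("S_USER_AGR", "ACTVT", "01"),
          ("S_TCODE", "TCD", "PFUD"), ("S_USER_PRO", "ACTVT", "22")],
}

if __name__ == "__main__":
    for kind, users in check_segregation(SAMPLE).items():
        for user, lv in users.items():
            print(f"{kind:9} {user}: {', '.join(lv) or 'none'}")
```

The wildcard handling matters in practice: a user with ACTVT "*" on S_USER_GRP and S_USER_AGR is reported as holding both create and assign.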

0 Kudos

Hi Nick,

I am on ECC 6.0... we applied the SPS15 stack recently... after this, Role Comparison is active only when you create a new role...

If the same new/old role needs to be given a new T-code, then after save and generation the user comparison shows *User master record compared*... that means, as per my understanding, by saving and generating, the role itself got compared... is it correct? If yes, then how will you address your 3rd point? Please share this also...

Rgds,

Gadde.