Former Member

Limit password resets to a specific group

All,

I have read many threads on this topic but I cannot get it to work. I have a need to give password reset, user unlock capability to one person at each of our sites. From what I have read, this can easily be done by assigning my users into groups, one for US, one for EUR, etc. Then I create a role that contains SU01 and for the European sites under S_USER_GRP assign activity 05 and the corresponding group. I am testing this out in our sandbox and the user is still able to unlock, lock and reset passwords for users in other groups than what I defined in S_USER_GRP for him. Any ideas on what I am missing?

Michael


1 Answer

  • Best Answer
    Former Member
    Posted on Feb 09, 2010 at 09:15 PM

    It should work as you have described, unless the user can change their own password (not as administrator --> S_USER_GRP).

    Only users of type DIALOG and COMMUNICATION can do this.

    If the user does not have a user group assigned to their master record, then "anything" is sufficient to pass the authority check for the "space" group + actvt '05'.

    You should also check whether they have this access from some other profile (manually or generated or a reference user) assigned.

    A D'oh moment would be that the test user in the sandbox has a "yellow" status on the users tab in PFCG of this role!

    Cheers,

    Julius

    Edited by: Julius Bussche on Feb 9, 2010 10:17 PM


    • Former Member

      > I was testing by trying to lock users who were not assigned to a group.

      Yes. For this there must be a character in the user group (for authorization check!!) field of the master record. See SUIM selection screens.

      The user group tab in SU01 is different. It is for reporting purposes primarily.

      In contrast to the user (master record) group (for authorization check) on the logon data tab in SU01, the "User Group" tab can be used to assign the user to multiple groups.

      If several prerequisites are fulfilled in your security administration and design, then you can use this very effectively to allocate internal license costs, blend out user ID results from critical authorization analysis, SOD conflicts, etc.

      Few use it and you should first consider whether it makes sense. You cannot use it reliably for security, only for reporting.

      Cheers,

      Julius
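
A way to test the setup discussed in this thread, as an added example that is not part of any post above: an ABAP report, run while logged on as the restricted site administrator in the sandbox, that lists every user for whom S_USER_GRP activity 05 passes and flags master records with no group for authorization check. The report name is hypothetical; it assumes the group for authorization check is read from USR02-CLASS.

```abap
REPORT z_check_user_grp_05.
* Added example (hypothetical report name), not code from the thread.
* Run it while logged on as the restricted site administrator.

TYPES: BEGIN OF ty_user,
         bname TYPE usr02-bname,   " user ID
         class TYPE usr02-class,   " user group for authorization check
       END OF ty_user.

DATA: lt_users TYPE STANDARD TABLE OF ty_user,
      ls_user  TYPE ty_user,
      lv_note  TYPE c LENGTH 40.

* Read all user master records of the current client.
SELECT bname class FROM usr02 INTO TABLE lt_users ORDER BY class bname.

LOOP AT lt_users INTO ls_user.
  CLEAR lv_note.
  " Same object, field and activity the thread discusses.
  " AUTHORITY-CHECK evaluates the authorizations of the logged-on user.
  AUTHORITY-CHECK OBJECT 'S_USER_GRP'
    ID 'CLASS' FIELD ls_user-class
    ID 'ACTVT' FIELD '05'.
  IF sy-subrc = 0.
    lv_note = 'activity 05 allowed'.
    IF ls_user-class IS INITIAL.
      " Empty group: the case described in the answer above.
      lv_note = 'allowed, NO GROUP in master record'.
    ENDIF.
    WRITE: / ls_user-bname, ls_user-class, lv_note.
  ENDIF.
ENDLOOP.
```

Any line showing a group outside the one maintained in the role points to another profile or reference user granting the access; lines flagged NO GROUP are master records that need a group on the logon data tab before the restriction can apply to them.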
