Skip to Content
avatar image
Former Member

Security Change access in Production

Hi guys,

I have a question for you guys. In ECC 6.0 when Basis team put the setting in SE06 "Not modifiable" to any configuration changes or lot of other things so production system has locked down for any changes, however as a security Admin if you have change access in your security role you can change roles through PFCG in production which is not a good practice. So you have to create security role that doesn't have 02 in this (S_USER_AGR) authorization object.

But itu2019s also affect on validity date of the role. I was trying to change the validity date of the role using SU01 for certain user in Production it's says " You don't have authorization to assign role" I ran the SU53 and It was asking for 02 in this auth object (S_USER_AGR) which is really weird because I want the security admin to change the role validity date but not to change role itself through PFCG in Production.

Is it possible or this is something that SAP came up with in ECC 6.0. Please send you suggestion or feedback regarding this issue

Thanks in advance


Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Best Answer
    avatar image
    Former Member
    Mar 16, 2010 at 08:35 PM

    If you are not using Indirect Org. assignment then ACTVT=02, 78 for S_USER_GRP is sufficient for user assignment validity changes in production and you don't need to provide S_USER_AGR ; ACTVT = 02 for that case.

    For S_USER_AGR , you have to keep ACTVT = 22.

    Please check the documentations of all the S_USER_* Objects to get details of their usage.



    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      You can do it in SE16 as well. Some tables can be maintained there if they are "hand made".

      Yes, it is transportable if your change options are set correctly.

      I recommend keeping the setting the same in the landscape. That way you can define which roles are intended for DEV, QAS and PROD via their naming conventions and user assignment and have consistent behaviour.

      It also means that you can let some users (e.g. trained key users) maintain the role data (e.g. description, menu objects) without being able to change the assignment if you need this granularity.

      Sometimes less is more, as mentioned in the note... 😊