Former Member

Restrict SU01 usage

Dear Gurus,

I have one scenario where I need your expertise, ideas and guidance.

I created one ID with authorization roles that include SU01. This ID's purpose is to serve as a backup to reset/unlock passwords if the SAP admin is not around. My problem is that this ID manages to reset the SAP admin password. How can I restrict this ID so that it has SU01 access but cannot reset/modify the admin password? It should only be able to reset or modify the users' IDs.

Can it be done using an auth. object?

Please help me...

Thanks in advance

/Shah


6 Answers

  • Best Answer
    Former Member
    Aug 08, 2010 at 09:29 AM

    Hi Shah,

    The easiest way to do this is utilise user groups. What you will need to do is assign your 'high privileged' users to a user group within the SU01 transaction. Do this per user master record in the Logon Tab in SU01 in the User Group Field. For example, you can assign all the users you want to protect to 'SUPER' or 'ADMIN'.

    Then you grant access to reset passwords to all but these user groups. So if you decided to assign these users to SUPER then give your password reset access to S_USER_GRP, ACTVT = 05, CLASS = A - R* and T - Z*. This allows the users with this range to reset passwords of all user groups except the SUPER group.

    Hope this answers your question. Warm regards,

    Jamie


    • Former Member

      Please also take a look at SAP Note 312682 (entries in table PRGN_CUST can influence authority-checks to enable more granular segregation).

      Cheers,

      Julius

  • Former Member
    Jul 23, 2010 at 05:20 AM

    Hi Shahril,

    Yes, you can restrict the user, so he can't change the admin user's password.

    For that, first create one user group using t-code SUGR and assign all users to that group except your admin users. Assign the SUPER group to your admin users.

    Now create a new role for SU01, and in object S_USER_GRP assign the group name which you had created.

    It will work as per your requirement.

    Regards,

    Nisit

    Edited by: Nisit Patel on Jul 23, 2010 7:21 AM


    • Former Member

      Hi,

      I already informed you this is not possible, because you can restrict only edit, delete, change, display etc. instead of any user name.

      Anil

  • Former Member
    Jul 21, 2010 at 06:28 PM

    Hi,

    You can restrict SU01 by setting the authorization objects' activity values.

    First check the authorization objects' functionality and map the activities for that.

    -Srini


    • Former Member

      Thanks..

      But the auth. object only has access functionality like 01-create, 03-display. Any ideas how to restrict this role so it cannot change/reset the SAP admin? Because if I take out create or modify, it applies to all users and the admin ID, right?

      Please help me..

      Thanks

      /Shah

  • Former Member
    Jul 22, 2010 at 09:56 AM

    Hi,

    As per your query, you cannot define it to reset all user passwords except the admin's.

    Anil


  • Former Member
    Aug 05, 2010 at 09:12 PM

    As Nisit mentioned, please do follow:

    More details: you can manage users by assigning the users to groups, and in S_USER_GRP you need to give only those user groups which you want to maintain.

    Example: in "S_USER_GRP" give all the values except SUPER, and for the admin ID assign the user group "SUPER".

    To test the ID, only give it the role which has the values of S_USER_GRP as mentioned.

    Also make sure the test ID is not getting the authorization "S_USER_GRP = SUPER" from other roles, and it will probably work.

    Thanks.
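
An added example (not from any poster in this thread): a Python check that lists which roles still grant S_USER_GRP for a protected user group, covering both the `A - R*` / `T - Z*` ranges from the best answer and the advice above about SUPER arriving through other roles. It assumes role data exported in the shape of table AGR_1251; the sample rows, role names and the simplified value matching are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows, shaped like an AGR_1251 export:
# (role, object, authorization, field, low, high). Role names are invented.
ROWS = [
    ("Z_PW_RESET", "S_USER_GRP", "A1", "ACTVT", "05", ""),
    ("Z_PW_RESET", "S_USER_GRP", "A1", "CLASS", "A", "R*"),
    ("Z_PW_RESET", "S_USER_GRP", "A1", "CLASS", "T", "Z*"),
    ("Z_DISPLAY", "S_USER_GRP", "A2", "ACTVT", "03", ""),
    ("Z_DISPLAY", "S_USER_GRP", "A2", "CLASS", "*", ""),
    ("Z_LEGACY", "S_USER_GRP", "A3", "ACTVT", "*", ""),
    ("Z_LEGACY", "S_USER_GRP", "A3", "CLASS", "S*", ""),
]


def covers(low, high, value):
    """Simplified model of one authorization value line (assumption, not SAP code)."""
    if not high:  # single value or trailing-* pattern
        return value.startswith(low[:-1]) if low.endswith("*") else value == low
    # Range: a trailing * on a bound is read as "anything with this prefix".
    upper = high[:-1] + "\uffff" if high.endswith("*") else high
    return low.rstrip("*") <= value <= upper


def roles_granting(rows, group, activity):
    """Roles with one S_USER_GRP authorization covering both group and activity."""
    auths = defaultdict(lambda: defaultdict(list))
    for role, obj, auth, field, low, high in rows:
        if obj == "S_USER_GRP":
            auths[(role, auth)][field].append((low, high))
    hits = set()
    for (role, _), fields in auths.items():
        # Both fields must match inside the same authorization instance.
        if all(any(covers(lo, hi, want) for lo, hi in fields[name])
               for name, want in (("ACTVT", activity), ("CLASS", group))):
            hits.add(role)
    return sorted(hits)


if __name__ == "__main__":
    for grp in ("SUPER", "SALES", "BASIS"):
        print(grp, roles_granting(ROWS, grp, "05"))
```

With these rows, the reset role does not reach SUPER, but it also does not reach any other group beginning with S (SALES here), and the constructed Z_LEGACY role would hand SUPER back to any ID that holds it.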


  • Former Member
    Aug 05, 2010 at 09:20 PM

    If the user ID is locked, then it needs a new password and an unlock - right?

    To lock a user's password, just enter an incorrect one 5 times or so and the task is done. You can also script this easily for the admin to lock the password. Note: This does not lock the account - only the password.

    Cheers,

    Julius
