Former Member

Segregate duties and disallow user to modify user

Hi All;

Please advise if l can do the following:

1. Segregate the duties among the security administrator; mainly for the following tasks;

a. User administrator

b. Authorization administrator

c. Activation administrator

2. Ability to disallow security administrator to modify their own user records

Thanks

Jordan


5 Answers

  • Best Answer
    Former Member
    Aug 05, 2010 at 03:00 PM

    This is possible, but it is advisable only if you have a lot of SAP users in your organization. If the number of users is small, then it might not be a cost-effective way of having different teams do different tasks.


  • Former Member
    Aug 05, 2010 at 09:52 PM

    This is achievable. See the FAQ sticky thread at the top of the forum for the SAP note which explains how it works.

    > c. Activation administrator

    I assume this refers to maintaining the roles of the previous two functions (for objects such as S_USER_VAL) and having access to more activities for S_USER_OBJ, config of CUA, the security params and various customizing tables, creating transactions, performing some of the SU25 upgrade steps, approving security-related transports, etc. Bar the restrictions on S_USER_VAL (see the documentation in transaction SU21), you can achieve this as well, but it is a considerable effort.

    Cheers,

    Julius


  • Former Member
    Aug 05, 2010 at 02:07 PM

    Jordan,

    In many companies they follow this:

    User administration is taken care of by one team (help desk); role-based security is taken care of by another team.

    Even password reset / lock and unlock of user IDs can also be restricted.

    Activation administration = profile generation.

    Even this is also possible:

    One user will create a role up to the tcode level;

    another person will generate the role.

    Best practice is to give this to one person / team.

    Assigning SAP_ALL / SAP_NEW you can restrict (few of them will have this type of authority).

    What modification will the security person do?

    Let's say the security person will add a basis role to his user buffer; it will be done in the development system but not in the production system, right?

    PS: The best way to start is to know the objects and how they work for particular transactions (SU01 / PFCG).

    Thanks,

    Sri

    Edited by: sri on Aug 5, 2010 11:14 AM


  • Aug 05, 2010 at 02:14 PM

    Hi,

    This is achievable. You control it via the S_USER* authorization objects, e.g. S_USER_GRP, S_USER_PRO, S_USER_AGR. Read up on the objects via SU21 and you will be able to design restrictions to suit your requirements.

    The only one I am unsure of is c. activation administrator. What is activation administration?


    • Former Member

      In case you want the auth administrator to assign roles also, then you will need to assign the auth administrator to a particular user group and then skip this group from the object S_USER_GRP.
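Added example, not from the thread or from SAP: a small Python model of the S_USER_GRP check described in the answer above, showing why placing the administrators in their own user group and leaving that group out of the user administrator's CLASS values blocks them from editing their own record while still letting them maintain business users. The field names CLASS and ACTVT follow the real object; the check logic, group names, users and activity subset are constructed simplifications.

```python
from dataclasses import dataclass, field

# Activity codes used by S_USER_GRP (constructed subset: 02 change, 03 display, 05 lock)
CHANGE, DISPLAY, LOCK = "02", "03", "05"

@dataclass
class User:
    uid: str
    group: str  # SU01 user group that S_USER_GRP is checked against

@dataclass
class Grant:
    obj: str
    fields: dict  # field name -> set of allowed values, "*" = all values

@dataclass
class Admin:
    user: User
    grants: list = field(default_factory=list)

def authority_check(admin, obj, **wanted):
    """Toy AUTHORITY-CHECK: succeeds if one grant for obj covers every requested field."""
    for g in admin.grants:
        if g.obj != obj:
            continue
        if all(v in g.fields.get(f, set()) or "*" in g.fields.get(f, set())
               for f, v in wanted.items()):
            return True
    return False

def can_maintain_user(admin, target, activity):
    """Can this administrator perform `activity` on the target's user master record?"""
    return authority_check(admin, "S_USER_GRP", CLASS=target.group, ACTVT=activity)

# Constructed sample: administrators live in group SECADMIN; the user admin's S_USER_GRP
# grant enumerates only the business groups and deliberately skips SECADMIN.
alice = User("ALICE", "SECADMIN")  # user administrator
bob = User("BOB", "SALES")         # ordinary business user
user_admin = Admin(alice, [Grant("S_USER_GRP", {"CLASS": {"SALES", "FIN"},
                                                "ACTVT": {CHANGE, DISPLAY, LOCK}})])
# The weak variant: CLASS = "*" lets the administrator edit their own record as well.
unrestricted_admin = Admin(alice, [Grant("S_USER_GRP", {"CLASS": {"*"}, "ACTVT": {"*"}})])

if __name__ == "__main__":
    print(can_maintain_user(user_admin, bob, CHANGE))            # True
    print(can_maintain_user(user_admin, alice, CHANGE))          # False
    print(can_maintain_user(unrestricted_admin, alice, CHANGE))  # True
```

The same enumerate-and-omit pattern is what the comment above describes for the role administrator: keep the administrators' group out of the CLASS values and the restriction holds regardless of which activities are granted.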

  • Aug 06, 2010 at 04:31 AM

    I have seen this approach, and it worked as well in this model... However, all I can say is that SAP Security is itself a small area to work on in normal support. Segregating it more deeply will increase resource needs and idle time, with less knowledge contribution among team members.
