How to provide a same user SU01 for admin and display authority on PFCG

Hello Security Experts,

I am working on a requirement where I have to create a role for a user administrator with display access in PFCG, but the user should be able to use SU01 to do user administration, meaning create, change user (including role assignments), delete, lock/unlock user.

First I have maintained S_USER_AGR as ACTVT 03,08,22 / S_USER_AUT as ACTVT 03,08,22 / S_USER_GRP as ACTVT 01, 02, 03, 05, 06, 08, 22, 78 / S_USER_PRO as ACTVT 03, 08, 22.

Disabled Objects S_USER_VAL and S_USER_TCD.

While testing the role I got authorization error where my SU53 and trace pointing at missing value in S_USER_AGR as ACTVT 02.

After assigning S_USER_AGR as ACTVT 02 the role assignment is allowed in SU01; however the role change is also enabled from PFCG, where my test user is able to get into the role in edit mode (however he can't do any changes in the role or generate the role, as I have disabled S_USER_VAL and did not provide 02 on S_USER_PRO) and save the role. This should not happen as per the requirement.

How can I restrict PFCG to display and still allow the user to assign roles to end users? Kindly suggest and help.

Thanks in advance for your help.

Regards

Murali

5 Answers

  • Best Answer
    Former Member
    Oct 24, 2010 at 08:26 AM

    Dear,

    This note will be helpful.

    Note 312682 - Checks when assigning users to roles

    Regards,

    Shrinivasan. KV


  •
    Former Member
    Oct 24, 2010 at 11:17 AM

    Little tip: the last three answers are all saying the same thing - the correct one...

    Cheers,

    Julius


    • Former Member

      It will work the same in all releases for SU01 (assigning a role to the user with immediate effect) and PFCG (assigning a user to the role with delayed effect until a user comparison is performed).

      Other tcodes might not respect this, but they generally make the same checks (let them fail if your auths are correct for ACTVT 22 only!) or make much stricter checks beforehand.

      Exceptions are usually Z-programs, and if an SAP program permits this (or makes too strict checks) then report it as a bug via https://service.sap.com (customer message system).

      Cheers,

      Julius

  •
    Former Member
    Oct 22, 2010 at 04:08 PM

    Hi,

    If we create two different roles, one for SU01 with update access and another role for PFCG with display-only access, then I think the problem is over. Create one composite role with these two roles or add them to an existing one. Now the choice of authorization objects and the corresponding field values can be done very easily, I hope. Else let us know.

    Regards,

    Dipanjan


  •
    Former Member
    Oct 22, 2010 at 04:21 PM

    Hi,

    This is not possible. Both the transaction codes use S_USER_AGR.

    Even creating two different roles and assigning them to the user will give change access.

    The best option is to speak to your ABAPer and create a custom transaction code to make a PFCG display-only tcode, or to use SPM for one of the tasks.

    Hope this helps!!

    Rgds,

    Raghu


  •
    Former Member
    Oct 23, 2010 at 07:44 AM

    Please look at a setting in the customizing table PRGN_CUST. You just have to maintain the value of a field which I don't remember.

    Edited by: Srinu Koveta on Oct 23, 2010 9:47 AM


    • Former Member

      Hi

      Run PFCG and try to go to change mode with your restricted settings, then click on the error message to get the table entries in the performance assistant. Put those in PRGN_CUST via SM30.

      Then use 22 instead of 02 in the newly called object S_USER_SAS.

      Make sure you have at least one user with * in that object for full access across the landscape before transporting the table.

      Cheers

      David

      Edited by: David Berry on Oct 23, 2010 10:25 AM

      Edited by: David Berry on Oct 23, 2010 10:26 AM

      Forgot to say: when you have the new object value 22 in your restricted role and assigned to a test user prior to moving to PROD, the only way to go into change mode is to first go to the USER tab and then press change. Anywhere else and you'll still get the 'you are not authorised' message.

      Edited by: David Berry on Oct 25, 2010 8:04 PM
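
As an added illustration of the two role designs discussed in the question and in David's answer (not code from the thread, and not SAP's actual authorization logic), the following Python model evaluates which operations a role permits before and after the S_USER_SAS check is switched on. The operation-to-check mapping encodes only what the thread states: PFCG display needs S_USER_AGR ACTVT 03, PFCG change needs S_USER_AGR ACTVT 02, and SU01 role assignment needs S_USER_AGR ACTVT 02 in the legacy check or S_USER_SAS ACTVT 22 once the PRGN_CUST switch is active. The role values, the `sas_check_active` flag standing in for the unnamed PRGN_CUST entry, and the wildcard handling for David's "one user with *" caveat are assumptions made for the model.

```python
# Model of the authorization decisions described in the thread.
# This is an added example; it does not reproduce SAP's AUTHORITY-CHECK
# implementation, only the object/activity requirements the answers state.

# A role is modelled as {object: {field: set_of_values}}.
# "*" is the full-access wildcard David mentions for the emergency user.
ROLE_AS_POSTED = {  # constructed: the OP's role after adding ACTVT 02 to S_USER_AGR
    "S_USER_AGR": {"ACTVT": {"02", "03", "08", "22"}},
    "S_USER_GRP": {"ACTVT": {"01", "02", "03", "05", "06", "08", "22", "78"}},
}
ROLE_WITH_SAS = {  # constructed: David's variant, 22 on S_USER_SAS instead of 02 on S_USER_AGR
    "S_USER_AGR": {"ACTVT": {"03", "08", "22"}},
    "S_USER_SAS": {"ACTVT": {"22"}},
    "S_USER_GRP": {"ACTVT": {"01", "02", "03", "05", "06", "08", "22", "78"}},
}
ROLE_FULL_ACCESS = {  # constructed: the "at least one user with *" safety net
    "S_USER_AGR": {"ACTVT": {"*"}},
    "S_USER_SAS": {"ACTVT": {"*"}},
    "S_USER_GRP": {"ACTVT": {"*"}},
}


def has_auth(role, obj, field, value):
    """True if the role grants `value` (or the wildcard '*') for obj/field."""
    values = role.get(obj, {}).get(field, set())
    return "*" in values or value in values


def required_checks(operation, sas_check_active):
    """Checks each operation needs, as stated in the thread (assumed model)."""
    if operation == "pfcg_display_role":
        return [("S_USER_AGR", "ACTVT", "03")]
    if operation == "pfcg_change_role":
        return [("S_USER_AGR", "ACTVT", "02")]
    if operation == "su01_assign_role":
        # S_USER_GRP 02: the user master itself is being changed.
        user_change = ("S_USER_GRP", "ACTVT", "02")
        if sas_check_active:
            return [user_change, ("S_USER_SAS", "ACTVT", "22")]
        return [user_change, ("S_USER_AGR", "ACTVT", "02")]
    raise ValueError(f"unknown operation {operation!r}")


def evaluate(role, sas_check_active):
    """Return {operation: allowed} for the three operations in the thread."""
    ops = ("pfcg_display_role", "pfcg_change_role", "su01_assign_role")
    return {
        op: all(has_auth(role, *chk) for chk in required_checks(op, sas_check_active))
        for op in ops
    }


def meets_requirement(role, sas_check_active):
    """The OP's goal: display in PFCG, assign in SU01, but never change in PFCG."""
    r = evaluate(role, sas_check_active)
    return r["pfcg_display_role"] and r["su01_assign_role"] and not r["pfcg_change_role"]


if __name__ == "__main__":
    for name, role in (("as posted", ROLE_AS_POSTED), ("with S_USER_SAS", ROLE_WITH_SAS)):
        for active in (False, True):
            print(name, "| SAS check active:", active, "|", evaluate(role, active),
                  "| meets requirement:", meets_requirement(role, active))
```

Running it shows the conflict the OP hit: with the legacy check, the only way to let SU01 assign roles is S_USER_AGR ACTVT 02, which also unlocks PFCG change mode, so `meets_requirement` is false for every combination except the S_USER_SAS role evaluated with the switch active. The full-access role passes every check under both settings, which is the property David asks you to verify before transporting the PRGN_CUST entry.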