on 12-07-2010 9:16 PM
Iu2019ve the following question for the group for GRC-SPM:
Q: Is S_USER_GRP = 05 (Lock\Unlock User) authorization a must for a Firefighter User in order to check out the Firefighter ID? (My testing shows it is!)
If yes, how will you prevent users from changing passwords for other Firefighter users and Business users in production?
Note: Not all Firefighters will have SU01 or SU10 tcodes, but Role stacking (combinations) or transaction ranges could create a risk as there are multiple ways in SAP to update a user.
Also, we are thinking about using User Groups to limit the access but weu2019ll still need to have separate Firefighter role for Basis & Security from other Firefighters in that case.
Is there a way to deactivate the S_USER_GRP = 05 authorization check in the system to avoid this issue? Has anyone implemented anything like this yet?
Thanks,
Mandeep
Hi Mandeep,
Yes, the S_USER_GRP chcek is mandatory. THe best thing to do would be to use user groups and assign a particular group to your firefighter. I guess you could assign the same group to S_USER_GRP for the FF authorization.
Regards,
Chinmaya
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Virk,
Although your question is answered, just wish to add few point.
In earliar version of SPM, it was mandatory to maintain password in SPM.
However with latest version maintainance of password is no more compulsary in SPM.
Now SPM handle password change or reset (if required) internally.
and for doing that 05 is MUST.
This applies to SU01, if you want to reset any password.
Regards,
Surpreet
...... my 2 cent......
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks, I agree!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.