Former Member

GRC-SPM Firefighter S_USER_GRP 05 (Lock\Unlock) authorization issue

I've the following question for the group for GRC-SPM:

Q: Is S_USER_GRP = 05 (Lock\Unlock User) authorization a must for a Firefighter User in order to check out the Firefighter ID? (My testing shows it is!)

If yes, how will you prevent users from changing passwords for other Firefighter users and Business users in production?

Note: Not all Firefighters will have SU01 or SU10 tcodes, but Role stacking (combinations) or transaction ranges could create a risk as there are multiple ways in SAP to update a user.

Also, we are thinking about using User Groups to limit the access, but we'll still need to have a separate Firefighter role for Basis & Security from other Firefighters in that case.

Is there a way to deactivate the S_USER_GRP = 05 authorization check in the system to avoid this issue? Has anyone implemented anything like this yet?

Thanks,

Mandeep


3 Answers

  • Best Answer
    Former Member
    Dec 07, 2010 at 09:35 PM

    Hi Mandeep,

    Yes, the S_USER_GRP check is mandatory. The best thing to do would be to use user groups and assign a particular group to your firefighter. I guess you could assign the same group to S_USER_GRP for the FF authorization.

    Regards,

    Chinmaya
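
The user-group restriction suggested in this answer, as an added example that is not part of the original thread: a Python model of how an S_USER_GRP check resolves for activity 05 when roles are stacked, flagging firefighter users who can lock or unlock accounts outside the firefighter group. The role names, user names and the FF_IDS and BUSINESS groups are hypothetical, the data is constructed, and every target user is assumed to have a user group assigned.

```python
# Constructed sample data: role and user names, and the FF_IDS / BUSINESS
# user groups, are hypothetical. Each tuple is one authorization instance
# for S_USER_GRP: (CLASS values, ACTVT values).
ROLES = {
    "Z_FF_CHECKOUT": [(["FF_IDS"], ["03", "05"])],
    "Z_USER_DISPLAY": [(["*"], ["03"])],
    "Z_LEGACY_ADMIN": [(["*"], ["05"])],
}
USER_ROLES = {
    "FF_USER_A": ["Z_FF_CHECKOUT", "Z_USER_DISPLAY"],
    "FF_USER_B": ["Z_FF_CHECKOUT", "Z_LEGACY_ADMIN"],
}
TARGET_GROUPS = {"FFID_BASIS": "FF_IDS", "FFID_FI": "FF_IDS", "JSMITH": "BUSINESS"}


def value_matches(pattern, value):
    """Match one authorization value: full wildcard, trailing wildcard, or exact."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def can_act(user, target_group, actvt="05"):
    """True if a single authorization instance covers both CLASS and ACTVT.

    Fields are not combined across instances: display (03) on CLASS=* plus
    05 on CLASS=FF_IDS does not add up to 05 on every group.
    """
    for role in USER_ROLES[user]:
        for classes, actvts in ROLES[role]:
            if any(value_matches(a, actvt) for a in actvts) and any(
                value_matches(c, target_group) for c in classes
            ):
                return True
    return False


def lockable_outside_group(user, allowed_group="FF_IDS"):
    """Targets the user can lock/unlock that are not in the firefighter group."""
    return sorted(
        target
        for target, group in TARGET_GROUPS.items()
        if group != allowed_group and can_act(user, group)
    )


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, "->", lockable_outside_group(user) or "restricted to FF_IDS")
```

FF_USER_A stays confined to the firefighter group even with a display-all role stacked on top, while FF_USER_B's second role carries 05 with CLASS = * and exposes the business user.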


  • Former Member
    Dec 08, 2010 at 03:41 PM

    Thanks, I agree!


  • Former Member
    Dec 09, 2010 at 09:34 AM

    Virk,

    Although your question is answered, I just wish to add a few points.

    In earlier versions of SPM, it was mandatory to maintain the password in SPM.

    However, with the latest version, maintenance of the password is no longer compulsory in SPM.

    Now SPM handles password change or reset (if required) internally,

    and for doing that, 05 is a MUST.

    This applies to SU01, if you want to reset any password.

    Regards,

    Surpreet

    ...... my 2 cents...... 😊


    • Former Member

      Hi Frank,

      You were correct, I checked and confirmed with SAP .... Note# 992200 is applicable for VIRSANH 530_710 as well.

      Thanks,

      Mandeep