08-03-2009 12:41 PM
Hi Experts,
We were facing an issue logging in through Firefighter - the error message was "You are not authorized to change passwords in user group XXXX" - and solved this by following SAP note 1319031. The same SAP note says that "It is also recommended that any users with this access should NOT have access to transaction SU01."
We have modified the firefighter role and added the authorisation object "S_USER_GRP" - and this firefighter role is assigned to all firefighters, including Basis firefighters who have access to SU01.
So is there any reason that this modified role should not be given to people who have access to SU01, and will there be any problem?
Thanks
Davinder
08-06-2009 10:44 AM
If you have decentralized user administration based on User Groups, you wouldn't want anyone other than UAs to change the user records. Hence the suggestion from SAP. Giving it to Basis shouldn't be a problem, and of course you will have logs from Firefighter to see if they have changed any user master record details.
Regards,
Ajesh Raju.
08-10-2009 10:15 AM
Hello Ajesh,
Do you mean giving this modified role to users who already have access to SU01 is not a problem?
Thanks
Davinder
01-12-2010 3:28 PM
Davinder,
In earlier versions of Firefighter you had to maintain passwords for your FF IDs manually. The latest versions do that automatically, therefore the FF user needs authorization to change the password through S_USER_GRP.
If he also had access to SU01, he could change anyone's password.
The way to prevent that is
a) limit access to SU01 and similar (a good idea anyway)
b) assign all FF IDs to a special user group, and limit the FF users' S_USER_GRP authorization to that user group.
Frank.
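An added example, not part of the reply above or of any SAP tooling: a simplified audit of exported role data against the two controls listed in that reply. The user names, the `FFIDS` group name, and the data layout are constructed for illustration; real authorization evaluation in SAP is more involved than this set comparison.

```python
FF_GROUP = "FFIDS"             # hypothetical user group that holds only the FF IDs
PASSWORD_ACTVT = {"02", "05"}  # 02 = Change, 05 = Lock/Unlock (as named in the thread)

# Constructed sample: user -> list of (authorization object, {field: allowed values})
SAMPLE = {
    "BASIS_FF1": [
        ("S_TCODE", {"TCD": {"SU01"}}),
        ("S_USER_GRP", {"CLASS": {"*"}, "ACTVT": {"02", "05"}}),
    ],
    "APP_FF1": [
        ("S_USER_GRP", {"CLASS": {"FFIDS"}, "ACTVT": {"02", "05"}}),
    ],
    "BASIS_FF2": [
        ("S_TCODE", {"TCD": {"SU01", "SM37"}}),
        ("S_USER_GRP", {"CLASS": {"FFIDS"}, "ACTVT": {"05"}}),
    ],
}


def matches(allowed, wanted):
    """True if the allowed values cover any wanted value ('*' = full authorization)."""
    return "*" in allowed or bool(allowed & wanted)


def audit(auths, ff_group=FF_GROUP):
    """Return {user: [issues]} for users who break control (a) or (b)."""
    findings = {}
    for user, entries in auths.items():
        su01 = any(o == "S_TCODE" and matches(f["TCD"], {"SU01"}) for o, f in entries)
        grp = [f for o, f in entries
               if o == "S_USER_GRP" and matches(f["ACTVT"], PASSWORD_ACTVT)]
        issues = []
        # (b) S_USER_GRP must name the FF user group and nothing else
        if any(f["CLASS"] != {ff_group} for f in grp):
            issues.append("S_USER_GRP not limited to FF group")
        # (a) SU01 held together with the password/lock authorization
        if su01 and grp:
            issues.append("SU01 combined with S_USER_GRP")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit(SAMPLE).items():
        print(user, "->", "; ".join(issues))
```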
03-22-2010 6:03 PM
After encountering this issue, our preliminary testing indicates that only activity "05 - Lock/Unlock" is required. My suspicion is that newly created FF users will require an initial password reset which is why the note calls for "02 - Change" access as well. If we manually reset the password for newly created users I'm hoping we can get away with just assigning "05" and avoiding "02."
Has anyone else gone this route? Any other reason for "02" to be assigned here?
Thanks