09-11-2008 11:58 AM
Hello,
In our company while executing payroll our finace users wants to lock some users to avoid data redundancy.
What authorization should I give to finance users so that
they can only lock users but cant view there details in su01.
Regards,
Rachel
09-11-2008 12:09 PM
You need SU01 + S_USER_AGR, ACTVT = 05 and the relevant authorisation group/s
Don't give them activity 01,02,03,06 etc
09-11-2008 12:09 PM
Any thread which does not mention "BAPI_USER_LOCK" is not worth reading, so try the search (first) for it ...
Cheers,
Julius
09-11-2008 2:55 PM
Give SU01and S_USER_GRP with "activity 05" and "user group" of the users which need to be locked.
09-12-2008 9:27 PM
Why would Finance team want to do Security work. The reason for Security is to do all these kind of requests. Once you give this kind of access, all other 15 organizations in 50 regions would be asking for similar access, and on top of that you have maintenance and Training.
AB.
09-12-2008 9:57 PM
Perhaps it is a relatively small company, and payroll is located in finance and IT is somewhere in the basement... (as far as personell information is concerned...)...
As HR typically has the information about people leaving the company (and when they will be, for example no longer in the payroll...) and also when they might change positions (change roles...) it can be usefull to tap into this information and use the HR data...
@ Rachel: If you search for discussions here about "RHPROFLO" does that help you / match your requirements?
Cheers,
Julius
09-15-2008 7:35 PM
Yeah, I know or in one case the Fi Team do not want user to Post anything while there are closing the books for Month end and quarter end.
How about trying with EWZ5(recomended) or SU10(need control values at Field Level). Just User ID and First and Last name are Displayed.
AB.
09-15-2008 8:09 PM
You can get in a lot of trouble with EWZ5. I know enough security & basis admins who get it wrong, let alone giving it to an end user!
09-15-2008 9:49 PM
Hi AB,
I agree with Alex about the EuroConversion solution.
If it is only for posting then the posting periods can be closed with OB52 settings and F_BKPF_BUP authority. No reason to lock the user out of the whole system...
There is an old thread here in the forum about "how to give authorization to unlock a particular user" which this seems to be similar to but on the other hand also the opposite of. That thread turned out to be very interesting once the requirements (and story) behind the question came to light...
@ Rachel: Perhaps we could have more information about what is the intention behind this requirement?
Cheers,
Julius
09-17-2008 12:20 AM
>
> You can get in a lot of trouble with EWZ5. I know enough security & basis admins who get it wrong, let alone giving it to an end user!
I am not trying to start a new discussion here, but in my experience I did not had an opportunity to see the negative effect of EWZ5 when assigned to end-users, apart from that they get to control Locking and Unlocking users.
Alex or Julius, can you please tell me top 3 issues with EWZ5. Thanks in advance.
AB
10-03-2008 8:39 AM
With the help of below post written by julius & alex,the problem got solved.
Julius:
You need SU01 + S_USER_AGR, ACTVT = 05 and the relevant authorisation group/s
Don't give them activity 01,02,03,06 etc
Alex:
Any thread which does not mention "BAPI_USER_LOCK" is not worth reading, so try the search (first) for it ...