how to give authorization to a user to lock a part...

Former Member · ‎09-11-2008

Hello,

In our company while executing payroll our finace users wants to lock some users to avoid data redundancy.

What authorization should I give to finance users so that

they can only lock users but cant view there details in su01.

Regards,

Rachel

Former Member · ‎09-11-2008

You need SU01 + S_USER_AGR, ACTVT = 05 and the relevant authorisation group/s

Don't give them activity 01,02,03,06 etc

Former Member · ‎09-11-2008

Any thread which does not mention "BAPI_USER_LOCK" is not worth reading, so try the search (first) for it ...

Cheers,

Julius

former_member1061482 · ‎09-11-2008

Give SU01and S_USER_GRP with "activity 05" and "user group" of the users which need to be locked.

former_member248712 · ‎09-12-2008

Why would Finance team want to do Security work. The reason for Security is to do all these kind of requests. Once you give this kind of access, all other 15 organizations in 50 regions would be asking for similar access, and on top of that you have maintenance and Training.

AB.

Former Member · ‎09-12-2008

Perhaps it is a relatively small company, and payroll is located in finance and IT is somewhere in the basement... (as far as personell information is concerned...)...

As HR typically has the information about people leaving the company (and when they will be, for example no longer in the payroll...) and also when they might change positions (change roles...) it can be usefull to tap into this information and use the HR data...

@ Rachel: If you search for discussions here about "RHPROFLO" does that help you / match your requirements?

Cheers,

Julius

former_member248712 · ‎09-15-2008

Yeah, I know or in one case the Fi Team do not want user to Post anything while there are closing the books for Month end and quarter end.

How about trying with EWZ5(recomended) or SU10(need control values at Field Level). Just User ID and First and Last name are Displayed.

AB.

Former Member · ‎09-15-2008

You can get in a lot of trouble with EWZ5. I know enough security & basis admins who get it wrong, let alone giving it to an end user!

Former Member · ‎09-15-2008

Hi AB,

I agree with Alex about the EuroConversion solution.

If it is only for posting then the posting periods can be closed with OB52 settings and F_BKPF_BUP authority. No reason to lock the user out of the whole system...

There is an old thread here in the forum about "how to give authorization to unlock a particular user" which this seems to be similar to but on the other hand also the opposite of. That thread turned out to be very interesting once the requirements (and story) behind the question came to light...

@ Rachel: Perhaps we could have more information about what is the intention behind this requirement?

Cheers,

Julius

former_member248712 · ‎09-17-2008

>


> You can get in a lot of trouble with EWZ5.  I know enough security & basis admins who get it wrong, let alone giving it to an end user!

I am not trying to start a new discussion here, but in my experience I did not had an opportunity to see the negative effect of EWZ5 when assigned to end-users, apart from that they get to control Locking and Unlocking users.

Alex or Julius, can you please tell me top 3 issues with EWZ5. Thanks in advance.

AB

Former Member · ‎10-03-2008

With the help of below post written by julius & alex,the problem got solved.

Julius:

You need SU01 + S_USER_AGR, ACTVT = 05 and the relevant authorisation group/s

Don't give them activity 01,02,03,06 etc

Alex:

Any thread which does not mention "BAPI_USER_LOCK" is not worth reading, so try the search (first) for it ...

how to give authorization to a user to lock a particular user.