09-01-2009 6:30 AM
Hi
Can you pls confirm me giving the authorization for s_user_grp with activity 05 is critical or not if the user is not carrying the authorization for t code su01
regards
Mysterious
09-01-2009 8:03 AM
Hi,
This auth obj is present both in su01 and su10. If su10, (though su01 is not assigned)is assigned to your user you can perform
what ever activity(5) you have assigned to the auth obj using su10. If both su01 and su10 are not assigned, it would not have
much significance as system cannot pass the auth obj s_tcode (=su01 or su10) at the first place. Hence user would not be
allowed to enter the tcodes at the first place to perform the activity. I feel this is logical too.
The auth obj s_user_grp is for user group maintenance as the name suggests, It has two auth feilds "user group" and "activity"
Also, If in your project all users are grouped into user groups, then assigning activity =5 without specifying user group does not
have any significance as system does not know which user group to act upon.
Hope it is useful.
Regards,
Brahmeshwar
09-01-2009 8:03 AM
Hi,
This auth obj is present both in su01 and su10. If su10, (though su01 is not assigned)is assigned to your user you can perform
what ever activity(5) you have assigned to the auth obj using su10. If both su01 and su10 are not assigned, it would not have
much significance as system cannot pass the auth obj s_tcode (=su01 or su10) at the first place. Hence user would not be
allowed to enter the tcodes at the first place to perform the activity. I feel this is logical too.
The auth obj s_user_grp is for user group maintenance as the name suggests, It has two auth feilds "user group" and "activity"
Also, If in your project all users are grouped into user groups, then assigning activity =5 without specifying user group does not
have any significance as system does not know which user group to act upon.
Hope it is useful.
Regards,
Brahmeshwar
09-01-2009 8:40 AM
What about SU01_NAV and BAPI_USER_CHANGE and SWU3 and EWZ5 etc?
If you use this approach you need to be very carefull or be able to trust and log the user for eventualities.
A good idea would be to limit to the user group (e.g. FireFighters...) and ensure all others have a group of sorts assigned.
Error prone, but it can work.
Cheers,
Julius
Edited by: Julius Bussche on Sep 1, 2009 9:44 AM
09-02-2009 5:37 AM
my concen was there are certain Finance users who ask for this authoriztaion object with actvity as 5 and user group as FICO , though thy are not administartors nor having the authorization of SU01/Su10 ..
so was confused y they need this authoriztaion object .
09-02-2009 5:55 AM
That's it? All they say is "Gimme 05, mysterious man!"
Surely there must be more information than just that... or is it meant to be a mystery for us as well?
Cheers,
Julius
09-01-2009 8:23 AM
What exactly is your user trying to do?
Very often auth failures on S_USER_GRP actvt 05 are dummy/false failures. Unless you know exactly what they are doing then you cannot make a call on the importance of this.
09-01-2009 10:55 PM
For endusers, those who doesn't need to perform administrative tasks, you can Deactivate this Object in the roles assigned to them. There will surely be some other Objects like this to them.
Regards,
Dipanjan
09-03-2009 8:11 AM
Just need to confirm certain FI users always ask for this particular Auhorization object even though they have not been assigned to any t code related to SU01 / Su10 , so just wann knw its criticality
Rrds
Mysterious
09-03-2009 8:47 AM
09-16-2009 5:56 AM