Application Development Discussions

Role for lock/unlock and change password

Former Member
0 Kudos

Hello everyone, I want to generate a role to allow some Helpdesk users to lock/unlock or change the password for every user except some particular users, such as basis for example.

The idea is that all the normal users call the Helpdesk, and any support user from the Helpdesk could lock/unlock or change the password for those users that are calling the Helpdesk.

But when I tried to make this role, I realized that I couldn't give only this permission; if I give access to SU01 they will have more permissions than I want.

Does anyone have a piece of advice to solve this problem?

Thanks to all

1 ACCEPTED SOLUTION

Former Member
0 Kudos

If the security/basis administering team is segregated into Authorization groups, then the S_USR_GRP object can be used to differentiate the rest from this team, i.e., except for basis and security auth groups (e.g. BASIS or SUPER groups), helpdesk will have the privilege to change the password. Make sure that you disable the other auth objects which are irrelevant with respect to locking/unlocking and password changing.

A small bit of help can be found in the link below

http://help.sap.com/saphelp_40b/helpdata/pt/0c/164b6e5733d1118b3f0060b03ca329/content.htm

Warm Regards,

Sandeep

4 REPLIES 4

mvoros
Active Contributor
0 Kudos

Hi,

You can develop a new custom transaction for locking/unlocking users. SAP provides the BAPIs BAPI_USER_UNLOCK and BAPI_USER_LOCK. It's pretty straightforward so it won't take too much time. There is also the BAPI BAPI_USER_CHANGE, which can be used to change the password.

Cheers

0 Kudos

I think that it is not possible to do this with the permission alone. As Martin Voros said, maybe we should develop something with the BAPIs, because if I use the permission as you told me, the Helpdesk users can also change user information. I believe the best option is to build a little program with BAPIs.

Thanks to all

0 Kudos

Using BAPIs is a good idea, but it is also very simple to achieve in standard SAP.

Give SU01 with the relevant objects with display access. Only for S_USER_GRP give activity 05.

Ensure that in S_USER_GRP the helpdesk do not have authorisation for the user groups assigned to the users you want to protect (if the basis team / tech users etc are not in user groups then assign them before you do this).

The helpdesk will be able to reset passwords / unlock users by using the icons on the initial screen of SU01. It will not work if they go into SU01 in display mode and make the change there.

This is the standard way of granting helpdesk access to unlock/reset without giving them access to change data.
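
The role pattern from the last reply can be checked mechanically before the role is handed to the helpdesk. The following is an added example, not part of the thread and not SAP code: it audits a role against those rules (activity 05 only on S_USER_GRP, display everywhere else, no CLASS value covering a protected user group). The list-of-dicts role layout, the sample roles, the use of S_USER_AGR as the second object and the helper names are assumptions made for illustration.

```python
# Added example: audit a helpdesk role against the rules described in the thread.
# The role layout (list of dicts) and both sample roles are constructed.

PROTECTED_GROUPS = ("BASIS", "SUPER")          # example groups named in the thread
ALLOWED_ACTVT = {"S_USER_GRP": {"03", "05"}}   # display plus activity 05, per the thread
DISPLAY_ONLY = {"03"}                          # every other object: display only

def value_covers(value, group):
    """True if one authorization value covers the given user group.

    Handles a single value, a trailing-* pattern, and a (low, high) range.
    """
    if isinstance(value, tuple):
        low, high = value
        return low <= group <= high
    if value.endswith("*"):
        return group.startswith(value[:-1])
    return value == group

def audit_role(role):
    """Return a list of findings; an empty list means the role fits the pattern."""
    findings = []
    for auth in role:
        obj = auth["object"]
        allowed = ALLOWED_ACTVT.get(obj, DISPLAY_ONLY)
        for actvt in auth["ACTVT"]:
            if actvt not in allowed:
                findings.append(f"{obj}: activity {actvt} exceeds helpdesk scope")
        if obj == "S_USER_GRP":
            for group in PROTECTED_GROUPS:
                if any(value_covers(v, group) for v in auth.get("CLASS", [])):
                    findings.append(f"{obj}: CLASS covers protected group {group}")
    return findings

GOOD_ROLE = [
    {"object": "S_USER_GRP", "ACTVT": ["03", "05"], "CLASS": ["ENDUSER", "SALES*"]},
    {"object": "S_USER_AGR", "ACTVT": ["03"]},
]
BAD_ROLE = [
    {"object": "S_USER_GRP", "ACTVT": ["02", "05"], "CLASS": ["*"]},
    {"object": "S_USER_AGR", "ACTVT": ["02"]},
]

if __name__ == "__main__":
    for name, role in (("GOOD_ROLE", GOOD_ROLE), ("BAD_ROLE", BAD_ROLE)):
        print(name, audit_role(role) or "OK")
```

The wildcard and range handling matters because a CLASS value of `*` or a range spanning the protected group names defeats the separation even when the activities are correct.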