01-21-2010 7:22 AM
Hi All,
There are many derived roles created in development and moved to the quality and production environments.
1. Now is it possible to block a selected bulk of roles for user assignment? (So that this set of roles cannot be assigned to any user in quality and production.)
2. Also, one should not be able to transport this set of bulk roles from the development system to the other systems?
Thanks in advance.
01-21-2010 7:30 AM
Hi Anu,
You can very well place the control by restricting objects:
S_USR_GRP and S_USR_AGR also to certain extent S_USR_TCD as well.
Refer to the help link below for more details of such objects:
http://help.sap.com/saphelp_nw04/Helpdata/EN/ce/17533e5ff4d064e10000000a114084/content.htm
01-21-2010 7:39 AM
Hi,
Role assignment can't be restricted but you can delimit the assignment for mass users. Also to restrict the transport you need to revoke the access of role transport or create a project for security and review (make check) the transport before releasing for that particular transport.
Can you give more information like.... These roles are obsolete ones or still u want to use them for business.
If roles are obsolete ones and not in use you can delete them as well after taking the backup...... if business agrees with same.
01-21-2010 7:52 AM
Hi,
Role assignment can't be restricted at role level but u can make check at access level to person by object restriction (for su01, su10, PFCG) access him for assignment (and also you can delimit the assignment for mass users). Also to restrict the transport you need to revoke the access of role transport or create a project for security and review (make check) the transport before releasing for that particular transport.
Can you give more information like.... These roles are obsolete ones or still u want to use them for business.
If roles are obsolete ones and not in use you can delete them as well after taking the backup...... if business agrees with same.
01-21-2010 8:00 AM
Hi Pawan,
Refer to the help.sap link which I have provided earlier. You can restrict the role assignments by controlling access to S_USR_AGR and many other related objects. This helps in delegated user administration. Please try it yourself, you will definitely enjoy it.
01-21-2010 8:19 AM
Hi Anu,
In addition to akshay's above post, if you want to restrict a definite set of roles for transport then you need to create the separate role for those to restrict them with S_USER_AGR for transport activity 21 and for assignment activity 78 and also restrict the download upload option for the same as this is the another way to move the roles.
Remember to check user should not have access of particular object with restricted access in other roles. Check user buffer SU56 for same.
01-21-2010 8:42 AM
01-21-2010 10:10 AM
>
> Finally Pawan you learned it
Where is Pawan in this thread?
Whereas connecpk says "Hi Anu" in response to sap.sec.akshay?
Funnily everyone addressing everyone incorrectly in this thread.
Looks like all you are around in one Development centre and while Anu went to washroom leaving her/his system unlocked eventually connecpk responds with Anu's system?
Cheers
01-21-2010 10:16 AM
Hi Amit,
I referred to connecpk's profile which was visible earlier. Don't know about your other queries.
01-21-2010 10:16 AM
Hi Amit,
"connecpk" is also known as "Pawan" and usually clicks "Reply" to the last post in the thread, regardless of whom he is answering.
Anu is not at the same location.
Cheers,
Julius
01-21-2010 10:37 AM
01-21-2010 9:30 AM
What you can do is delete them and send one last transport through.
That blocks them one shot...
01-21-2010 10:15 AM
Hi All,
Thanks for your response.
See, I can restrict role assignment.... by restricting a particular consultant's authorization. In that case I will have to change the authorization of a large number of users (SAP security consultants) who have authorization to assign all roles right now.
I am looking for a solution at role level so that a consultant's authorization will not be changed.
And a similar case with roles transport: a consultant can make a roles Transport request but those particular roles could not be attached to the Transport request.
There are around 3000 roles which should not be assigned to any end user and will be used later in business,
and the roles which can be assigned are more than 10,000.
If we see objects S_USER_GRP, S_USER_AGR, the Role Name field is not taking a range like IN54 to IN90.
So is it possible to make individual entries of more than 10,000 roles in field Role name (ACT_GROUP)?
01-21-2010 10:17 AM
> So is it possible to make individual entry of more than 10,000 roles in field Role name (ACT_GROUP)
No.
You could however add them individually to table TMSTCRI to block them being added to a transport request. That would then apply to everyone.
Cheers,
Julius
Edited by: Julius Bussche on Jan 21, 2010 11:19 AM
01-21-2010 10:29 AM