05-18-2010 9:12 PM
1. I need to exclude assignment of certain roles. I tried limiting it with the role name under the S_USER_AGR object. Here the hurdle is that the names of the roles are not standardised, hence the problem of exclusion comes in. Another way was to limit it with transactions (S_USER_TCD), so if I need to exclude the tcds ME21, 21N, ME22, ME51N, 52N, MIGO, ... any ideas? Newer ideas, or do we just do it as per the old way of the A*... wildcard method??
New ideas?? Inventions?
Thanks
05-18-2010 10:26 PM
A solid and consistent naming convention is beyond my doubt the best solution. You can also limit what the user can request using this approach (which is increasingly popular) as they are generally only skilled enough to look for roles and not authorization field values.
But if you have to live with what you have, then there are exits available for the user administration - there you can "invent" to some extent and make it dependent on critical authorizations you define and conflicts (see report RSUSR008_009_NEW).
Last I heard the exits were converted to BADIs, but many customers are looking into GRC's CUP functionality and IdM workflows now.
It is in my opinion still a gemstone which can be used as a preventative or detective control if you set it up correctly. You are however on your own (with us...) in this and do not have updated SAP defaults for all modules to build from.
If it is only critical authorizations and low-brainers you want to detect, then it is relatively easy.
Cheers,
Julius
05-19-2010 8:01 AM
Hi
Do you mean to say that you want to restrict your Security Administrators to assigning specific roles to users, or that the access of Security Administrators should be restricted to managing a specific set of users?
Thanks.
Anjan