06-08-2010 10:27 AM
Dear All,
We have one scenario in which management wants to give the basis administrator access to change roles from PFCG but does not want to give user assignment access in PFCG on the User tab. I tried several combinations to remove this access but was not able to succeed. Could you please suggest which authorization object/value needs to be changed so that basis will not be able to assign users from PFCG but at the same time can change the roles?
Thanks
Sunny
06-08-2010 10:57 AM
Hello,
you can try following
don't give activity 78 (Assign) & 22 (Enter, Include, Assign) in S_USER_GRP, S_USER_AGR, S_USER_PRO.
Give all other activities.
-Thanks
06-08-2010 10:52 AM
Hi Sunny,
It's controlled by Authorization Object S_USER_GRP with activity 22 (Enter, Include, Assign)
Do not give authorization to activity 22 (Enter, Include, Assign) for the role, then your Basis team will not be able to assign users
Regards
Edited by: Siddhartha Varma on Jun 8, 2010 11:53 AM
06-08-2010 11:46 AM
Hi,
> you can try following
> don't give activity 78 (Assign) & 22 (Enter, Include, Assign) in S_USER_GRP, S_USER_AGR, S_USER_PRO.
If I am doing as per your recommendations, then the user is not able to change authorization values in the role but is able to generate it. But I only want to restrict the user so that he should not be able to assign users to the role, and the rest he can change the authorizations.
Thanks
Sunny
06-08-2010 12:04 PM
You should control it via Authorization Object S_USER_GRP with Activity 22, you can give 22, 78 in S_USER_AGR, S_USER_PRO
Try not giving activity 22 in S_USER_GRP & see.
Edited by: Siddhartha Varma on Jun 8, 2010 1:04 PM
06-08-2010 12:12 PM
Hi,
If I am removing 22 from S_USER_GRP then user is even not able to view the role.
Thanks
Sunny
06-08-2010 12:27 PM
Hi Sunny,
Create role & add just PFCG transaction to the menu.
It will pull the following Authorization Objects : S_USER_AGR, S_USER_AUT, S_USER_GRP, S_USER_PRO, S_USER_SAS, S_USER_TCD, S_USER_VAL
On the assumption that the Basis Administrator will have full access to administer roles but just should not be able to assign users to the role, then you may give * in all fields for all the above Authorization Objects except activity 22 (Enter, Include, Assign) in the Authorization Object S_USER_GRP.
Then create a TEST user, assign this role & check with TEST user. The TEST user won't be able to assign users via PFCG in the USER tab.
It works. Try & see
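
An audit check for the setup suggested in the last reply, added here as an example and not posted by anyone in the thread: it scans a constructed export in the column layout of table AGR_1251 (role authorization values) and lists the roles whose S_USER_GRP authorization still covers activity 22 for at least one user group. The sample rows, role names and function names are assumptions made for illustration.

```python
import csv
import io
from fnmatch import fnmatchcase

# Constructed sample rows in the AGR_1251 column layout (not real system data).
SAMPLE_AGR_1251 = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH,DELETED
Z_BASIS_ROLE_ADMIN,S_USER_GRP,T-X001,ACTVT,01,03,
Z_BASIS_ROLE_ADMIN,S_USER_GRP,T-X001,ACTVT,05,08,
Z_BASIS_ROLE_ADMIN,S_USER_GRP,T-X001,CLASS,*,,
Z_BASIS_ROLE_ADMIN,S_USER_AGR,T-X002,ACTVT,*,,
Z_BASIS_FULL,S_USER_GRP,T-X003,ACTVT,*,,
Z_BASIS_FULL,S_USER_GRP,T-X003,CLASS,*,,
Z_HELPDESK,S_USER_GRP,T-X004,ACTVT,03,24,
Z_HELPDESK,S_USER_GRP,T-X004,CLASS,HR*,,
Z_OLD,S_USER_GRP,T-X005,ACTVT,22,,X
"""


def load(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def covers(low, high, wanted):
    """True if one LOW/HIGH entry includes the wanted value."""
    if high:
        # Range entry: values are compared as character strings.
        return low <= wanted <= high
    # Single value or pattern such as "*" or "2*".
    return fnmatchcase(wanted, low)


def roles_granting(rows, obj, field, wanted):
    """Roles with a non-deleted entry for obj/field that covers wanted."""
    hits = set()
    for row in rows:
        if row["DELETED"] == "X":
            continue  # entry was deleted in the role, so it grants nothing
        if (row["OBJECT"] == obj and row["FIELD"] == field
                and covers(row["LOW"], row["HIGH"], wanted)):
            hits.add(row["AGR_NAME"])
    return sorted(hits)


if __name__ == "__main__":
    rows = load(SAMPLE_AGR_1251)
    for role in roles_granting(rows, "S_USER_GRP", "ACTVT", "22"):
        print(f"{role}: S_USER_GRP still includes activity 22")
```

A wildcard or a range such as 03-24 includes 22 just as an explicit entry does, which is why the check expands each entry instead of searching for the literal value.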