Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

PFCG- How to remove access for User Assignment

Go to solution
sunny_pahuja2
Active Contributor

‎06-08-2010 10:27 AM

0 Kudos

Dear All,

We have one scenario in which management wants to give basis administrator access to change roles from PFCG but does not want to give user assignment access in PFCG on User tab. I tried several combination's to remove this access but not able to succeed. Could you please suggest me which authorization object/its value need to be changed so that basis will not be able to assign users from PFCG but at same time can change the roles ?

Thanks

Sunny

1 ACCEPTED SOLUTION

Go to solution
Former Member

‎06-08-2010 10:57 AM

0 Kudos

Hello,

you can try following

donu2019t give activity 78 (Assign) & 22 (Enter, Include, Assign) in S_USER_GRP, S_USER_AGR, S_USER_PRO.

Give all other activities.

-Thanks

6 REPLIES 6

Go to solution
Former Member

‎06-08-2010 10:52 AM

0 Kudos

Hi Sunny,

Its controlled by Authorization Object S_USER_GRP with activity 22 (Enter, Include, Assign)

Do not give authorization to activity 22 (Enter, Include, Assign) for the role, then your Basis team will not be able to assign users

Regards

Edited by: Siddhartha Varma on Jun 8, 2010 11:53 AM

Go to solution
Former Member

‎06-08-2010 10:57 AM

0 Kudos

Hello,

you can try following

donu2019t give activity 78 (Assign) & 22 (Enter, Include, Assign) in S_USER_GRP, S_USER_AGR, S_USER_PRO.

Give all other activities.

-Thanks

Go to solution
sunny_pahuja2
Active Contributor
In response to Former Member

‎06-08-2010 11:46 AM

0 Kudos

Hi,

> you can try following

> donu2019t give activity 78 (Assign) & 22 (Enter, Include, Assign) in S_USER_GRP, S_USER_AGR, S_USER_PRO.

If I am doing as per your recommendations, then user is not able to change authorization value in the role but able to generate it. But i only want user to restrict so that he should not be able to assign user to role and rest he can change the authorizations.

Thanks

Sunny

Go to solution
Former Member
In response to Former Member

‎06-08-2010 12:04 PM

0 Kudos

You should control it via Authorization Object S_USER_GRP with Activity 22, you can give 22, 78 in S_USER_AGR, S_USER_PRO

Try not giving activity 22 in S_USER_GRP & see.

Edited by: Siddhartha Varma on Jun 8, 2010 1:04 PM

Go to solution
sunny_pahuja2
Active Contributor
In response to Former Member

‎06-08-2010 12:12 PM

0 Kudos

Hi,

If I am removing 22 from S_USER_GRP then user is even not able to view the role.

Thanks

Sunny

Go to solution
Former Member
In response to Former Member

‎06-08-2010 12:27 PM

0 Kudos

Hi Sunny,

Create role & add just PFCG transaction to the menu.

It will pull the following Authorization Objects : S_USER_AGR, S_USER_AUT, S_USER_GRP, S_USER_PRO, S_USER_SAS, S_USER_TCD, S_USER_VAL

On the assumption that the Basis Administrator will have full access to administer roles but just should not be able assign users to the role, then you may give * in all fields for all the above Authorization Objects except activity 22 (Enter, Include, Assign) in the Authorization Object S_USER_GRP.

Then create a TEST user, assign this role & check with TEST user. The TEST user wont be able to assign users via PFCG in the USER tab

It works. Try & see