07-21-2010 9:09 AM
Dear Gurus,
I have one scenario that needs your expert ideas and guidance.
I created one ID with authorization roles, including SU01. This ID's purpose is as a backup to reset/unlock passwords if the SAP admin is not around. My problem is that this ID manages to reset the SAP admin password. How do I restrict this ID with SU01 access so that it cannot reset/modify the admin password? It should only be able to reset or modify the user IDs.
Can it be done using an auth. object?
Please help me...
Thanks in advance
/Shah
07-21-2010 7:28 PM
HI,
You can restrict SU01 by setting authorization object activity values.
First check the authorization objects' functionality and map the activities for that.
-Srini
07-22-2010 2:50 AM
Thanks..
But the auth. object only has accessing functionality like 01-create, 03-display. Any ideas how to restrict this role so it cannot change/reset the SAP admin? Because if I take out create or modify, it applies to all users and the admin ID too, right?
Please help me.
Thanks
/Shah
07-22-2010 10:56 AM
Hi,
As per your query, you cannot define it to reset all user passwords except the admin's.
Anil
07-23-2010 6:20 AM
Hi Shahril,
Yes, you can restrict the user so he can't change the admin user's password.
For that, first create one user group using t-code SUGR and assign all users to that group except your admin users. Assign the SUPER group to your admin users.
Now create a new role for SU01, and in object S_USER_GRP assign the group name which you created.
It will work as per your requirement.
Regards,
Nisit
Edited by: Nisit Patel on Jul 23, 2010 7:21 AM
07-23-2010 9:41 AM
Hi,
Thanks for the solution given.
But Nisit, I followed all your steps, but still cannot. Is there a step I missed, or do I need to configure another object?
Please advise.
Thanks
/Shah
07-26-2010 11:13 AM
Hi,
Please create a role for SU01 with the following authorization objects and parameters.
S_USER_AUT
  Activity: 03, 08
  Authorization name in user mas: *
  Authorization Object: *
S_USER_GRP
  Activity: 05
  User group in user master main: ZGROUP
S_USER_PRO
  Activity: 03, 08
  Auth. profile in user master m: *
S_USER_SAS
  Activity: 01, 06, 22
  Role Name: *
  User group in user master main: *
  Auth. profile in user master m: *
  Receiving system for central u: *
S_USER_SYS
  Activity: 78
  Receiving system for central u: *
S_DEVELOP
  Activity: 03
  Package: MGA
  Object name: *
  Object type: *
  Authorization group ABAP/4 pro: *
S_ADDRESS1
  Activity: 01, 02, 03, 06
  Address Group (Key) (Business: BC01
S_OC_ROLE
  Text field length 15: authoriz: *
Please let me know the updated status.
Regards,
Nisit
08-02-2010 9:19 AM
Hi Nisit,
I already followed your instructions but still cannot solve it. The SAP admin ID can still be locked/unlocked and its password changed.
Please advise...
/Shah
08-03-2010 7:58 AM
Hi,
As I already informed you, this is not possible, because you can only restrict edit, delete, change, display etc., not by user name.
Anil
08-05-2010 10:12 PM
As Nisit mentioned, please do follow:
More details: you can manage users by assigning the users to groups, and in S_USER_GRP you need to give only those user groups which you want to maintain.
Example: in S_USER_GRP give all the values except SUPER, and for the admin ID assign user group SUPER.
For the test ID, only give the role in which it has the values of S_USER_GRP as mentioned.
Also make sure the test ID is not getting authorization S_USER_GRP = SUPER from other roles, and probably it will work.
Thanks.
08-05-2010 10:20 PM
If the user ID is locked, then it needs a new password and an unlock - right?
To lock a user's password, just enter an incorrect one 5 times or so and the task is done. You can also script this easily for the admin to lock the password. Note: This does not lock the account, only the password.
Cheers,
Julius
08-08-2010 10:29 AM
Hi Shah,
The easiest way to do this is to utilise user groups. What you will need to do is assign your 'high privileged' users to a user group within the SU01 transaction. Do this per user master record in the Logon tab in SU01, in the User Group field. For example, you can assign all the users you want to protect to 'SUPER' or 'ADMIN'.
Then you grant access to reset passwords to all but these user groups. So if you decided to assign these users to SUPER, then give your password reset access as S_USER_GRP, ACTVT = 05, CLASS = A - R* and T - Z*. This allows the users with this range to reset passwords of all user groups except the SUPER group.
Hope this answers your question. Warm regards,
Jamie
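As an added illustration, not code from this thread or from SAP: a small Python model of the S_USER_GRP check that lets you compare Nisit's single value (CLASS = ZGROUP) with Jamie's intervals (CLASS = A..R* and T..Z*). The user records and roles are constructed for the example; how PFCG intervals and a blank user group are matched are this model's assumptions, stated in the comments.

```python
"""Model of an AUTHORITY-CHECK on object S_USER_GRP (fields ACTVT, CLASS).

Added example for the thread above; not SAP code. The user table and role
contents are constructed. Interval semantics and the blank-group rule are
assumptions made for this model.
"""

ACTVT_RESET = "05"   # lock/unlock and password reset (the thread: not separable)
ACTVT_CHANGE = "02"  # change user master record


def single_matches(pattern: str, value: str) -> bool:
    """A single field value; trailing '*' is a wildcard, '*' alone matches all."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern


def interval_matches(low: str, high: str, value: str) -> bool:
    """An interval as entered in PFCG. Assumption: plain string comparison,
    with a trailing '*' on the upper bound extending it to every value with
    that prefix, so 'R*' admits 'RZZZ' but nothing starting with 'S'."""
    if value < low:
        return False
    if high.endswith("*"):
        prefix = high[:-1]
        return value < prefix or value.startswith(prefix)
    return value <= high


def field_allows(values, value: str) -> bool:
    """One field of one authorization: list of single values or (low, high)."""
    for spec in values:
        if isinstance(spec, tuple):
            if interval_matches(spec[0], spec[1], value):
                return True
        elif single_matches(spec, value):
            return True
    return False


def authority_check(authorizations, **required) -> bool:
    """Passes if any single authorization satisfies every requested field.
    Authorizations from all of a user's roles are pooled, which is why a
    second role carrying CLASS = * silently undoes the restriction."""
    return any(all(field_allows(auth[f], v) for f, v in required.items())
               for auth in authorizations)


# Constructed user master records: user ID -> user group (SU01 Logon tab).
USERS = {
    "SAPADMIN": "SUPER",   # the admin to protect
    "SHAH": "ZGROUP",      # ordinary user in Nisit's custom group
    "JDOE": "SALES",       # ordinary user whose group happens to start with S
    "SVC01": "",           # no user group assigned at all
}

# The backup ID's S_USER_GRP authorization, in the two variants from the thread.
ROLE_NISIT = [{"ACTVT": ["05"], "CLASS": ["ZGROUP"]}]
ROLE_JAMIE = [{"ACTVT": ["05"], "CLASS": [("A", "R*"), ("T", "Z*")]}]
# An unrelated role that also carries S_USER_GRP, as the thread warns about.
ROLE_LEAKY = [{"ACTVT": ["*"], "CLASS": ["*"]}]


def can_reset_password(authorizations, target: str) -> bool:
    """Can the holder of these authorizations reset/unlock `target`?
    Assumption following the thread: a user with no user group cannot be
    restricted at all, so a blank group is always allowed."""
    group = USERS[target]
    if group == "":
        return True
    return authority_check(authorizations, ACTVT=ACTVT_RESET, CLASS=group)


def groups_denied(authorizations, candidates):
    """Which candidate group names the authorization does NOT cover."""
    return [g for g in candidates
            if not authority_check(authorizations, ACTVT=ACTVT_RESET, CLASS=g)]


if __name__ == "__main__":
    for name, role in (("Nisit", ROLE_NISIT), ("Jamie", ROLE_JAMIE),
                       ("Jamie + leaky role", ROLE_JAMIE + ROLE_LEAKY)):
        print(name, {u: can_reset_password(role, u) for u in USERS})
    print("denied by Jamie's intervals:",
          groups_denied(ROLE_JAMIE, ["SUPER", "SALES", "ZGROUP", "ADMIN"]))
```

Running it shows the caveat Julius raises later in the thread: the A..R* and T..Z* intervals keep the backup ID away from SUPER, but also from every other group that starts with S (SALES here), while ZGROUP and ADMIN stay reachable. Pooling a second role with CLASS = * removes the restriction entirely, and a user with no group at all is reachable under either variant.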
08-08-2010 11:51 PM
Hello:
I think all you need to do is assign this user to the SUPER user group in the Logon tab of SU01. Now this user can maintain any user except users belonging to the SUPER user group.
If I recall what I read very long ago, like 3 years, users belonging to the SUPER group cannot maintain each other. This may have changed since then.
But try the above and report it here.
08-09-2010 5:03 AM
Assigning the user to user group SUPER, and not letting the user have access to that group, will fix your problem. S_USER_GRP restricts access by user group, but you cannot restrict access if users are not assigned to a user group. So make sure you incorporate mandatory use of user groups for all users into your work instructions.
05 is lock/unlock & reset password; there is no way of segregating those actions.
Hope that helps
08-09-2010 6:39 AM
Hello Indiana Jones,
> If I recall what i read very long ago, like 3 years, users belonging to SUPER group can not maintain each other. This may have changed since then.
>
> But try the above and report it here.
Apparently if you delete the entire database the SUPER user can logon still and change other SUPER-user's passwords. Please try it and let us know how your system is...
--> You should try it before posting such mythology...
Cheers,
Julius
08-09-2010 8:27 AM
Dear All,
I think this issue has been resolved. I followed the steps given by Jamie, and it is working.
Thanks to all.
/Shah
08-09-2010 9:10 PM
Glad you enjoyed it...
Did you try? The hard-coding of 'SUPER' was not a sustainable idea in my opinion, because it is easy to change and is not at the end of the ALPHA range...
Even protected users such as SAP* and DDIC have been relaxed because hardcoding exceptions cannot be done consistently for such users.
Cheers,
Julius
08-09-2010 9:20 PM
Please also take a look at SAP Note 312682 (entries in table PRGN_CUST can influence authority-checks to enable more granular segregation).
Cheers,
Julius