How to provide the same user SU01 for admin and display authority in PFCG
Hello Security Experts,
I am working on a requirement where I have to create a role for a user administrator with display access in PFCG, but the user should be able to use SU01 to do user administration, meaning create, change user (including role assignments), delete, lock/unlock user.
First I maintained S_USER_AGR as ACTVT 03, 08, 22 / S_USER_AUT as ACTVT 03, 08, 22 / S_USER_GRP as ACTVT 01, 02, 03, 05, 06, 08, 22, 78 / S_USER_PRO as ACTVT 03, 08, 22.
I disabled the objects S_USER_VAL and S_USER_TCD.
While testing the role I got an authorization error, where my SU53 and trace are pointing at a missing value in S_USER_AGR as ACTVT 02.
After assigning S_USER_AGR as ACTVT 02, the role assignment is allowed in SU01; however, the role change is also enabled from PFCG, where my test user is able to get into the role in edit mode (however, he can't do any changes in the role or generate the role, as I have disabled S_USER_VAL and did not provide 02 on S_USER_PRO) and save the role. This should not happen as per the requirement.
How can I restrict PFCG to display and allow the user to assign roles to end users? Kindly suggest and help.
Thanks in advance for your help.
This note will be helpful.
Note 312682 - Checks when assigning users to roles