Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.

How to provide a same user SU01 for admin and display authority on PFCG

Former Member
0 Kudos

Hello Security Experts,

I am working on a requirement where I have to create a role for a user administrator with display access in PFCG, but the user should be able to use SU01 to do user administration, meaning create, change user (including role assignments), delete, and lock/unlock users.

First I have maintained S_USER_AGR as ACTVT 03,08,22 / S_USER_AUT as ACTVT 03,08,22 / S_USER_GRP as ACTVT 01, 02, 03, 05, 06, 08, 22, 78 / S_USER_PRO as ACTVT 03, 08, 22.

Disabled Objects S_USER_VAL and S_USER_TCD.

While testing the role I got an authorization error where my SU53 and trace point at a missing value in S_USER_AGR, ACTVT 02.

After assigning S_USER_AGR with ACTVT 02 the role assignment is allowed in SU01; however, role change is also enabled from PFCG, where my test user is able to get into the role in edit mode (he can't do any changes in the role or generate the role, as I have disabled S_USER_VAL and did not provide 02 on S_USER_PRO) and save the role. This should not happen as per the requirement.

How can I restrict PFCG to display and still allow the user to assign roles to end users? Kindly suggest and help.

Thanks in advance for your help.

Regards

Murali

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Dear,

This note will be helpful.

Note 312682 - Checks when assigning users to roles

Regards,

Shrinivasan. KV

8 REPLIES

sdipanjan
Active Contributor
0 Kudos

Hi,

If we create two different roles, one for SU01 with update access and another for PFCG with display-only access, then I think the problem is over. Create one composite role with these two roles or add them to an existing one. Now the choice of authorization objects and the corresponding field values can be done very easily, I hope. Else let us know.

Regards,

Dipanjan

Former Member
0 Kudos

Hi,

This is not possible. Both the transaction codes use S_USER_AGR.

Even creating two different roles and assigning them to the user will give change access.

The best option is to speak to your ABAPer and create a custom transaction code to make a PFCG display-only tcode, or to use SPM for one of the tasks.

Hope this helps!!

Rgds,

Raghu

Former Member
0 Kudos

Please look at a setting in the customizing table PRGN_CUST... you just have to maintain the value of a field which I don't remember.

Edited by: Srinu Koveta on Oct 23, 2010 9:47 AM

0 Kudos

Hi

Run PFCG and try to go to change mode with your restricted settings, then click on the error message to get the table entries in the performance assistant. Put those in PRGN_CUST via SM30.

Then use 22 instead of 02 in the newly called object S_USER_SAS.

Make sure you have at least one user with * in that object for full access across the landscape before transporting the table.

Cheers

David

Edited by: David Berry on Oct 23, 2010 10:25 AM

Edited by: David Berry on Oct 23, 2010 10:26 AM

Forgot to say: when you have the new object value 22 in your restricted role and assigned to a test user prior to moving to PROD, the only way to go into change mode is to first go to the USER tab and then press change. Anywhere else and you'll still get the 'you are not authorised' message.

Edited by: David Berry on Oct 25, 2010 8:04 PM
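The thread boils down to one audit question for a user-administrator role: does it carry S_USER_AGR ACTVT 02 (which opens PFCG change mode on roles), or only the assignment authorization ACTVT 22 in S_USER_SAS once the PRGN_CUST switch from the note is active? The script below is an added example, not code posted in this thread or shipped by SAP. It models SAP-style authorization field matching (full wildcard `*`, trailing-`*` prefix, LOW/HIGH ranges) over rows shaped like the role-authorization table AGR_1251 and flags roles that grant the change value the original poster wanted to avoid. The role names, the `AuthValue` row shape and the sample rows are constructed for the example; the audit assumes the S_USER_SAS switch is in place, so it does not try to model the pre-switch behaviour.

```python
"""Audit user-administrator roles for role-maintenance change access.

Added example; the rows mimic the shape of SAP table AGR_1251
(role, object, field, low, high) and are constructed sample data,
not a real export. Role names are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthValue:
    role: str
    obj: str
    field: str
    low: str
    high: str = ""   # empty HIGH means a single value, not a range


def value_matches(low: str, high: str, wanted: str) -> bool:
    """SAP-style field-value match: '*' is a full wildcard, a trailing '*'
    matches a prefix, and LOW..HIGH is an inclusive range when HIGH is set."""
    if low == "*":
        return True
    if high:
        return low <= wanted <= high
    if low.endswith("*"):
        return wanted.startswith(low[:-1])
    return low == wanted


def grants(rows, role, obj, field, wanted):
    """True if any row of this role grants `wanted` for object/field."""
    return any(
        value_matches(r.low, r.high, wanted)
        for r in rows
        if r.role == role and r.obj == obj and r.field == field
    )


def audit_user_admin_roles(rows):
    """Return {role: [findings]} for every role present in `rows`.

    Two checks drawn from the thread:
      * S_USER_AGR ACTVT 02 lets the holder open a role in PFCG change mode,
        which a display-only PFCG design must not grant.
      * A role that can change users (S_USER_GRP ACTVT 02) but has neither
        S_USER_SAS 22 nor S_USER_AGR 02 cannot assign roles at all.
    """
    findings = {}
    for role in sorted({r.role for r in rows}):
        can_change_role = grants(rows, role, "S_USER_AGR", "ACTVT", "02")
        can_assign = grants(rows, role, "S_USER_SAS", "ACTVT", "22")
        can_change_user = grants(rows, role, "S_USER_GRP", "ACTVT", "02")
        issues = []
        if can_change_role:
            issues.append("S_USER_AGR ACTVT 02 grants PFCG change mode on roles")
        if can_change_user and not (can_assign or can_change_role):
            issues.append("user change access without any role-assignment authorization")
        findings[role] = issues
    return findings


# Constructed sample: V1 is the poster's first attempt (02 added to
# S_USER_AGR), V2 the design suggested in the thread (22 in S_USER_SAS).
SAMPLE_ROWS = [
    # Z_USERADMIN_V1: display on roles plus the 02 that leaked PFCG change mode
    AuthValue("Z_USERADMIN_V1", "S_USER_AGR", "ACTVT", "02"),
    AuthValue("Z_USERADMIN_V1", "S_USER_AGR", "ACTVT", "03"),
    AuthValue("Z_USERADMIN_V1", "S_USER_AGR", "ACTVT", "22"),
    AuthValue("Z_USERADMIN_V1", "S_USER_GRP", "ACTVT", "01", "08"),
    # Z_USERADMIN_V2: display only on roles, assignment via S_USER_SAS 22
    AuthValue("Z_USERADMIN_V2", "S_USER_AGR", "ACTVT", "03"),
    AuthValue("Z_USERADMIN_V2", "S_USER_AGR", "ACTVT", "22"),
    AuthValue("Z_USERADMIN_V2", "S_USER_SAS", "ACTVT", "22"),
    AuthValue("Z_USERADMIN_V2", "S_USER_GRP", "ACTVT", "01", "08"),
    # Z_USERADMIN_NOASSIGN: can change users but has no way to assign roles
    AuthValue("Z_USERADMIN_NOASSIGN", "S_USER_GRP", "ACTVT", "02"),
    AuthValue("Z_USERADMIN_NOASSIGN", "S_USER_AGR", "ACTVT", "03"),
    # Z_FULLADMIN: the one full-access user David mentions; 02 is expected here
    AuthValue("Z_FULLADMIN", "S_USER_AGR", "ACTVT", "*"),
    AuthValue("Z_FULLADMIN", "S_USER_SAS", "ACTVT", "*"),
]


if __name__ == "__main__":
    for role, issues in audit_user_admin_roles(SAMPLE_ROWS).items():
        print(role, "->", issues or "ok")
```

Feeding a real AGR_1251 export into `audit_user_admin_roles` (one `AuthValue` per row) gives a quick list of roles that carry the change value by accident; the wildcard row of `Z_FULLADMIN` is reported too, which is the intended place to confirm that exactly one full-access role remains, as the reply above recommends.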

Former Member
0 Kudos

Dear,

This note will be helpful.

Note 312682 - Checks when assigning users to roles

Regards,

Shrinivasan. KV

Former Member
0 Kudos

Little tip: the last three answers are all saying the same thing, the correct one...

Cheers,

Julius

0 Kudos

Thank you.

Enabling the switch in table PRGN_CUST as per note 312682 has helped me to resolve the issue.

But I still have a question here. We are on basis release 701, SAPKB70105, and note 312682 is applicable up to release 610.

If the basis release is a higher version, then why do these changes not come automatically? Why do we have to make these manual corrections? Please advise.

0 Kudos

It will work the same in all releases for SU01 (assigning a role to the user with immediate effect) and PFCG (assigning a user to the role with delayed effect until a user comparison is performed).

Other tcodes might not respect this, but they generally make the same checks (let them fail if your auths are correct for ACTVT 22 only!) or make much stricter checks beforehand.

Exceptions are usually Z-programs, and if an SAP program permits this (or makes too strict checks) then report it as a bug via https://service.sap.com (customer message system).

Cheers,

Julius