Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Modify SU01 access to change only some attributes

Go to solution
Former Member

‎06-03-2011 6:25 AM

0 Kudos

Hi,

We have an ECC system where we do user admin using our support roles. User creation and role assignment happens through GRC, so we only need to do small support activities with our Security admin user accounts.

I have a new requirement that support users should not have access to the following functions in production:

1. Update SNC name

2. Change the valid to date on users.

3. Change user group

Is there a way to make modifications at object level to delimit access to above three functions but give access to change all other items in user master data? Like say Last name, email etc...

I tried to remove change access (ACVT 02) from S_USER_GRP object but that completely takes away change mode from su01.Does anyone know another way to attain this by limiting change mode only on the above fields and not all fields in user account?

Soumya

1 ACCEPTED SOLUTION

Go to solution
mvoros
Active Contributor

‎06-03-2011 6:40 AM

0 Kudos

Hi,

it's not possible to control access on that level using standard objects. It seems to me that you basically want to disable access to tabs "Logon data" and "SNC". So you can try to set up a variant for SU01 and hide these two tabs in production. Other approach could be to identify all fields you need to give to support and create a new transaction with only these fields and use BAPIs to change values. This one would require more effort.

Cheers

2 REPLIES 2

Go to solution
mvoros
Active Contributor

‎06-03-2011 6:40 AM

0 Kudos

Hi,

it's not possible to control access on that level using standard objects. It seems to me that you basically want to disable access to tabs "Logon data" and "SNC". So you can try to set up a variant for SU01 and hide these two tabs in production. Other approach could be to identify all fields you need to give to support and create a new transaction with only these fields and use BAPIs to change values. This one would require more effort.

Cheers

Go to solution
Former Member
In response to mvoros

‎06-03-2011 7:42 AM

0 Kudos

Thanks Martin, that was my understanding too...

Just wanted to be sure that I hadnt skipped anything in my reaserch....

I am going to propose only display acess for support (except for password and lock/unlock)... And the rest of the maintenance be done through Fire fighter... the set up now is in similar lines....

Thanks again, I am marking this as solved.

Soumya