Modify SU01 access to change only some attributes
We have an ECC system where we do user admin using our support roles. User creation and role assignment happen through GRC, so we only need to do small support activities with our Security admin user accounts.
I have a new requirement that support users should not have access to the following functions in production:
1. Update SNC name
2. Change the valid to date on users.
3. Change user group
Is there a way to make modifications at object level to delimit access to the above three functions but give access to change all other items in user master data? Like, say, last name, email, etc.
I tried to remove change access (ACTVT 02) from the S_USER_GRP object, but that completely takes away change mode from SU01. Does anyone know another way to attain this by limiting change mode only on the above fields and not all fields in the user account?
Martin Voros replied
It's not possible to control access on that level using standard objects. It seems to me that you basically want to disable access to the tabs "Logon data" and "SNC". So you can try to set up a variant for SU01 and hide these two tabs in production. Another approach could be to identify all fields you need to give to support and create a new transaction with only these fields and use BAPIs to change values. This one would require more effort.
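A sketch of the second approach from the reply above, added here as an example and not code from the thread. It assumes the standard function module BAPI_USER_CHANGE (the reply does not name a specific BAPI); the report name and selection fields are hypothetical. Only address fields are passed, so the valid-to date, user group and SNC name cannot be changed through it.

```abap
REPORT zsupport_user_change.
* Added example: report name and parameters are hypothetical.
* Only last name and e-mail are exposed to the support user.
PARAMETERS: p_user TYPE bapibname-bapibname OBLIGATORY,
            p_last TYPE bapiaddr3-lastname,
            p_mail TYPE bapiaddr3-e_mail LOWER CASE.

DATA: ls_address  TYPE bapiaddr3,
      ls_addressx TYPE bapiaddr3x,
      lt_return   TYPE STANDARD TABLE OF bapiret2,
      ls_return   TYPE bapiret2,
      lv_failed   TYPE abap_bool VALUE abap_false.

START-OF-SELECTION.
* Set the change flag only for fields the user actually filled in.
  IF p_last IS NOT INITIAL.
    ls_address-lastname  = p_last.
    ls_addressx-lastname = 'X'.
  ENDIF.
  IF p_mail IS NOT INITIAL.
    ls_address-e_mail  = p_mail.
    ls_addressx-e_mail = 'X'.
  ENDIF.

* LOGONDATA/LOGONDATAX and SNC/SNCX are deliberately not supplied,
* so valid-to date, user group and SNC name stay untouched.
  CALL FUNCTION 'BAPI_USER_CHANGE'
    EXPORTING
      username = p_user
      address  = ls_address
      addressx = ls_addressx
    TABLES
      return   = lt_return.

* Report every message and remember whether any was an error.
  LOOP AT lt_return INTO ls_return.
    WRITE: / ls_return-type, ls_return-message.
    IF ls_return-type = 'E' OR ls_return-type = 'A'.
      lv_failed = abap_true.
    ENDIF.
  ENDLOOP.

* Assumption: an explicit commit/rollback is issued by the caller.
  IF lv_failed = abap_true.
    CALL FUNCTION 'BAPI_TRANSACTION_ROLLBACK'.
  ELSE.
    CALL FUNCTION 'BAPI_TRANSACTION_COMMIT' EXPORTING wait = 'X'.
  ENDIF.
```

The restriction only holds if the support role grants the custom transaction code instead of SU01, since SU01 itself would still expose all tabs.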