06-04-2013 8:42 PM
Hi,
I've created a user group TEST and TEST2, and a new role in PFCG with only SU01 and only the authorization object S_USER_GRP activated.
ACTVT: 05
CLASS: TEST
One user has been given the role and this is the users only role. However, when running SU01 the user can lock users that are added to TEST2 even though the class limits the user to group TEST.
Can you please help me figure out why this happens?
Also, is it correct that I have to add ALL users to a group to be able to limit editing of users inside one particular group?
06-04-2013 10:34 PM
I found that it all worked when the user group was set in SU01 instead of SUGR. Tell me, what does the user assignment in SUGR do, if I still have to add the user to the group in SU01? Is it multiple levels to the assignment?
06-04-2013 9:04 PM
"Also" is correct.
You can read the documentation on objects in SU21 (those which have documentation... 😞 )
Cheers,
Julius
06-04-2013 10:34 PM
I found that it all worked when the user group was set in SU01 instead of SUGR. Tell me, what does the user assignment in SUGR do, if I still have to add the user to the group in SU01? Is it multiple levels to the assignment?
06-04-2013 11:21 PM
SUGR assignments are obsolete. They only are relevant for reporting groups (same f4 -> see groups tab in SU01).
They are not authorization relevant.
You must use the logon data tab field. That is authorization relevant.
You can however use a naming convention and then mask in role field values for CLASS.
Check is always from left to right when masking. After *, everything is *. So thing the groups in SUGR through carefully...
Cheers,
Julius
06-05-2013 5:40 PM