01-07-2014 10:44 AM
Currently security team is able to assign roles to themselves. Is there any way to restrict this? The team should be able to assign roles to other users but not to self. Any help or suggestion is greatly appreciated.
01-07-2014 10:51 AM
Vijay, you can do it. Put the Security team in one user group and then restrict them under object S_USER_GRP and S_USER_AGR / S_USER_PRO (if required) with the assignment values 22, 78 and the like. Hope this helps to start. Regards, Daya
01-07-2014 11:05 AM
Yes, that's true, but that will not enable my peer who is in the same group to assign a role to me. Hence this solution will not work.
I should be able to assign a role to my peer who is in the same group, or vice versa, but I must not self-assign.
01-07-2014 11:30 AM
Using the standard concept you'll have to get creative with your S_USER_GRP and a supporting set of roles. This will have a maintenance overhead. A couple of alternatives are:
1. Have someone outside the team have access to grant them to users within the group (and be strict about enforcing user groups)
2. Run a detective report on a weekly basis to see who has done self-assignments (most commonly operated control that I have seen).
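One way to implement the weekly detective report from point 2, as an added example in Python (not code from this thread or from SAP): it runs over a constructed extract of role-assignment change records and flags rows where the account that made the change is also the account that received the role. The record fields are assumptions for the example, not SAP's change-document schema; a real report would be fed from the user change documents.

```python
"""Detective control for role self-assignment (constructed sample data).

Field names below are assumptions for this example, not SAP's schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RoleChange:
    changed_on: date
    changed_by: str   # account that performed the change
    user: str         # account whose role assignment changed
    role: str
    action: str       # "ADD" or "REMOVE"


def _rec(changed_on, changed_by, user, role, action):
    return RoleChange(date.fromisoformat(changed_on), changed_by, user, role, action)


# Constructed sample extract (not real SAP output).
SAMPLE_CHANGES = [
    _rec("2014-01-06", "DAYA", "VIJAY", "Z_SEC_ADMIN", "ADD"),
    _rec("2014-01-07", "VIJAY", "VIJAY", "Z_BASIS_ALL", "ADD"),    # self-assignment
    _rec("2014-01-07", "vijay", "VIJAY", "Z_HR_PAYROLL", "ADD"),   # same account, different case
    _rec("2014-01-08", "PAVAN", "DAYA", "Z_SEC_ADMIN", "ADD"),
    _rec("2013-12-20", "DAYA", "DAYA", "Z_SEC_ADMIN", "ADD"),      # self-assignment, outside the window
    _rec("2014-01-08", "VIJAY", "VIJAY", "Z_BASIS_ALL", "REMOVE"), # self-removal, not a grant
]


def is_self_assignment(change):
    """A grant where changer and target are the same account (SAP user IDs are
    case-insensitive, so compare in upper case)."""
    return change.action == "ADD" and change.changed_by.upper() == change.user.upper()


def find_self_assignments(changes, period_end_iso, days=7):
    """Return self-assignments whose change date falls in the `days`-long
    window ending on `period_end_iso` (inclusive), oldest first."""
    period_end = date.fromisoformat(period_end_iso)
    start = period_end - timedelta(days=days - 1)
    hits = [c for c in changes
            if is_self_assignment(c) and start <= c.changed_on <= period_end]
    return sorted(hits, key=lambda c: c.changed_on)


def summarize_by_user(hits):
    """Map each offending account to the list of roles it granted itself."""
    summary = {}
    for c in hits:
        summary.setdefault(c.user.upper(), []).append(c.role)
    return summary


if __name__ == "__main__":
    # Weekly run for the week ending 2014-01-08.
    for user, roles in summarize_by_user(
            find_self_assignments(SAMPLE_CHANGES, "2014-01-08")).items():
        print(f"{user} self-assigned: {', '.join(roles)}")
```

Self-removals are deliberately not flagged, since the control in the thread is about grants; widening `is_self_assignment` to any action turns the report into a general "who touched their own account" check.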
01-07-2014 11:00 AM
Hi Vijay
Restrict the security group by assigning it to an auth group with the object S_USER_GRP
with values 22 and 78 and the class (auth group).
Cheers
Pavan M
01-08-2014 10:20 AM
Guys, can you please look into it? Has anybody come across this scenario? Looking forward to your reply.
01-08-2014 12:38 PM
Vijay - I don't believe that there is a technical solution for this using the SAP Authorisation concept. We have controlled this scenario by embedding the Firefighter tool. In summary, the Security Team have to invoke the Firefighter process to modify accounts in the Basis and Security functions. The activities are logged, which is the control to monitor which accounts are being modified.
The user maintenance transactions are not allocated to the SAP accounts.
The methods that are called by SU01 perform a check on User Groups versus individual users. To fulfill your requirement, you would need to build a custom solution, i.e. perhaps a user exit that performs this check in addition to utilizing a custom auth object.
01-08-2014 3:07 PM
Hi, as I mentioned, you will have to build a set of roles and authorisation groups that allows this segregation. Unfortunately that will mean creating auth groups and roles for each user and will incur a suitably high maintenance overhead.