Application Development Discussions

PFCG restriction: how to restrict security team from self assignment of roles?

Former Member
0 Kudos

Currently the security team is able to assign roles to themselves. Is there any way to restrict this? The team should be able to assign roles to other users but not to themselves. Any help or suggestion is greatly appreciated.

8 REPLIES

Former Member
0 Kudos

Vijay, you can do it. Put the security team in one user group and then restrict them under object S_USER_GRP and S_USER_AGR / S_USER_PRO (if required) by the assignment activity values 22, 78 and the like. Hope this helps to start.

Regards,
Daya

0 Kudos

Yes, that's true, but that will not enable my peer who is in the same group to assign a role to me. Hence this solution will not work.

I should be able to assign a role to my peer who is in the same group, or vice versa, but I must not self-assign.

0 Kudos

Using the standard concept you'll have to get creative with your S_USER_GRP and a supporting set of roles.  This will have a maintenance overhead.  A couple of alternatives are:

1. Have someone outside the team have access to grant them to users within the group (and be strict about enforcing user groups)

2. Run a detective report on a weekly basis to see who has done self-assignments (most commonly operated control that I have seen).
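The weekly detective report suggested in point 2, as an added example that is not code from the thread or from SAP. It assumes a flat export of user-change records (for instance the output of a SUIM change-document report) with one pipe-separated line per role assignment: timestamp, changed-by, target user, role, target's user group. The layout, the column order and the function names are assumptions for this example. It goes one step beyond the post: besides self-assignments it also flags reciprocal assignments (A assigns to B and B assigns to A within a window), since peers in the same group can still grant each other roles.

```python
"""Weekly detective report for role self-assignment (added example, constructed data)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample export (not real data):
# timestamp | changed-by | target user | role | target's user group
SAMPLE_EXPORT = """\
2024-05-06 09:12:03|SECADM1|SECADM1|Z_SAP_ALL_LITE|SECTEAM
2024-05-06 09:14:40|SECADM1|JDOE|Z_FI_DISPLAY|FINANCE
2024-05-06 10:01:15|SECADM2|SECADM3|Z_BASIS_ADMIN|SECTEAM
2024-05-06 10:03:50|SECADM3|SECADM2|Z_BASIS_ADMIN|SECTEAM
2024-05-07 14:22:09|SECADM2|MSMITH|Z_HR_DISPLAY|HR
2024-05-08 08:00:00|SECADM4|SECADM5|Z_FI_DISPLAY|SECTEAM
"""


@dataclass(frozen=True)
class Assignment:
    when: datetime
    changed_by: str
    user: str
    role: str
    group: str


def parse_export(text: str) -> list[Assignment]:
    """Parse the assumed pipe-separated export into Assignment records."""
    rows: list[Assignment] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, by, user, role, group = line.split("|")
        rows.append(Assignment(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                               by, user, role, group))
    return rows


def self_assignments(rows: list[Assignment]) -> list[Assignment]:
    """The control from the post: the modifier is the user who received the role."""
    return [r for r in rows if r.changed_by == r.user]


def reciprocal_assignments(rows: list[Assignment],
                           window: timedelta = timedelta(hours=24)) -> list[tuple[Assignment, Assignment]]:
    """Pairs where A assigned a role to B and B assigned a role to A within `window`."""
    by_pair: dict[tuple[str, str], list[Assignment]] = defaultdict(list)
    for r in rows:
        if r.changed_by != r.user:
            by_pair[(r.changed_by, r.user)].append(r)
    findings: list[tuple[Assignment, Assignment]] = []
    seen: set[tuple[str, str]] = set()
    for (a, b), outgoing in by_pair.items():
        if (b, a) not in by_pair or (b, a) in seen:
            continue  # no return assignment, or pair already reported from the other side
        for r1 in outgoing:
            for r2 in by_pair[(b, a)]:
                if abs(r1.when - r2.when) <= window:
                    findings.append((r1, r2))
        seen.add((a, b))
    return findings


def weekly_report(text: str) -> dict[str, list]:
    """Return the two finding lists as plain tuples, ready to print or ticket."""
    rows = parse_export(text)
    return {
        "self": [(r.user, r.role) for r in self_assignments(rows)],
        "reciprocal": [(r1.changed_by, r2.changed_by, r1.role, r2.role)
                       for r1, r2 in reciprocal_assignments(rows)],
    }


if __name__ == "__main__":
    for kind, items in weekly_report(SAMPLE_EXPORT).items():
        print(kind, items)
```

On the constructed data the report flags SECADM1 granting Z_SAP_ALL_LITE to themselves, and SECADM2 and SECADM3 granting each other Z_BASIS_ADMIN a few minutes apart; the plain cross-group grants are left alone. Whatever change-document source you feed it, check that the export really contains the modifier field, otherwise the self-assignment comparison has nothing to compare.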

Former Member
0 Kudos

Hi Vijay

Restrict the security group by assigning it to an auth group with the object S_USER_GRP,

with values 22 and 78 and the class (auth group).

Cheers

Pavan M

Former Member
0 Kudos

Guys, can you please look into it? Has anybody come across this scenario? Looking forward to your reply.

0 Kudos

Vijay - I don't believe that there is a technical solution using the SAP authorisation concept for this. We have controlled this scenario by embedding the Firefighter tool. In summary, the Security Team have to invoke the Firefighter process to modify accounts in the Basis and Security functions. The activities are logged, which is the control to monitor which accounts are being modified.

All user maintenance transactions are not allocated to the SAP accounts.

The methods that are called by SU01 perform a check on user groups versus individual users. To fulfil your requirement, you would need to build a custom solution, i.e. perhaps a user exit that performs this check in addition to utilizing a custom auth object.
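Why the group-based answers cannot deliver "peers yes, self no", and what the custom check would have to add, as an added example that is neither SAP code nor anything posted in this thread. It is a deliberately simplified model of the SU01 role-assignment check: the actor needs an S_USER_GRP authorization whose CLASS matches the target user's user group with an assign activity (ACTVT 22 or 78, as discussed above); the S_USER_AGR check on the role itself is left out. The user master, the authorization dicts and the function names are constructed assumptions.

```python
"""Model of the S_USER_GRP check on role assignment (added example, constructed data)."""
from __future__ import annotations

# Activities the replies above treat as "assign" for S_USER_GRP (simplified).
ASSIGN_ACTVT = {"22", "78"}

# Constructed user master: user -> user group from SU01 logon data.
USER_GROUPS = {
    "SECADM1": "SECTEAM",
    "SECADM2": "SECTEAM",
    "JDOE": "FINANCE",
}

# Constructed S_USER_GRP authorizations: actor -> set of (CLASS, ACTVT).
# The "whole security team in one user group" setup from the replies.
TEAM_AUTHS = {
    "SECADM1": {("SECTEAM", "22"), ("FINANCE", "22")},
    "SECADM2": {("SECTEAM", "22"), ("FINANCE", "22")},
}

# The same actors with their own group removed from CLASS, i.e. "restrict the group".
RESTRICTED_AUTHS = {
    "SECADM1": {("FINANCE", "22")},
    "SECADM2": {("FINANCE", "22")},
}


def has_s_user_grp(actor: str, target_group: str, auths: dict) -> bool:
    """True if the actor holds S_USER_GRP for the target's group with an assign activity."""
    for cls, actvt in auths.get(actor, set()):
        if cls in ("*", target_group) and (actvt == "*" or actvt in ASSIGN_ACTVT):
            return True
    return False


def standard_check(actor: str, target: str, auths: dict = TEAM_AUTHS) -> bool:
    """Standard concept: the decision depends only on the target's group, never on
    whether actor and target are the same person."""
    return has_s_user_grp(actor, USER_GROUPS[target], auths)


def exit_check(actor: str, target: str, auths: dict = TEAM_AUTHS) -> bool:
    """Hypothetical custom check (what a user exit or custom object would have to add):
    the standard check plus an explicit 'not yourself' rule."""
    if actor == target:
        return False
    return standard_check(actor, target, auths)


def matrix(check, auths: dict) -> dict[tuple[str, str], bool]:
    """Who may assign to whom under a given check and authorization set."""
    return {(a, t): check(a, t, auths) for a in sorted(auths) for t in sorted(USER_GROUPS)}


if __name__ == "__main__":
    for name, check, auths in (("standard/team", standard_check, TEAM_AUTHS),
                               ("standard/restricted", standard_check, RESTRICTED_AUTHS),
                               ("exit/team", exit_check, TEAM_AUTHS)):
        print(name, {f"{a}->{t}": ok for (a, t), ok in matrix(check, auths).items()})
```

Run it and the three matrices show the trade-off the thread circles around: with the team group in CLASS the standard check lets SECADM1 assign to SECADM2 and to SECADM1 alike; taking the team group out of CLASS blocks the self-assignment but blocks the peer assignment too; only the extra `actor == target` rule separates the two cases, and that rule is exactly what the standard objects do not express. Whether a suitable exit or enhancement point exists in your release is something to verify in your own system before building on it.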

0 Kudos

Hi, as I mentioned, you will have to build a set of roles and authorisation groups that allows this segregation. Unfortunately that will mean creating auth groups and roles for each user, which will incur a suitably high maintenance overhead.
