04-16-2007 5:45 AM
i need to create a user who has authorization to create new user ,roles etc but the user i am creating should not have authorization to add sap_all,sap_new both at SU01 and pfcg.pls tell me how to do.
04-16-2007 6:40 AM
Hi,
Please create a role and add Transactions SU01, PFCG, SU53 in the Menu tab and generate the role and assign to user.
When you add pfcg it brings up S_USER_GRP and S_USER_PRO along with some other object. <u>with the following combination the user will be able to create a user with
access to SAP_ALL, SAP_NEW:</u>
<b>S_USER_GRP
ACTVT: 01, 02, 03, 05, 06, 08, 22, 24, 78
CLASS: <DUMMY>
&
S_USER_PRO
ACTVT: 01, 02, 03, 06, 07, 08, 22, 24
PROFILE: SAP_ALL, SAP_NEW</b>
So make sure that you dont include SAP_ALL and SAP_NEW and only include the values which user is suppose to access in S_USER_PRO.
Hope it helps.
please award points if it is useful.
Thanks & Regards,
Santosh
Message was edited by:
NAVABOTHU SANTOSH KUMAR
04-16-2007 7:30 AM
if your question is only what you have mention then i thing you should do:-
1) PFCG to create a new role .....
give it some name...
2) MENU -
> Transaction -
> add the transaction for the authorizations you want to give
like SU01 ---> to create user
PFCG ---> for role maintenec...
and so forth
04-16-2007 9:04 AM
Hi,
you have to manage the following object:
S_USER_AUT
S_USER_GRP
S_USER_PRO
S_USER_SYS
hope it helps
04-16-2007 12:19 PM
Hi
Go to Tcode PFCG And creat a role and assigne Tcode(SU01,PFCG,and other) in menu and generate profile.Hope its work fine.
Also Check Profile Parameter auth/no_check_in_some_cases = Y in RZ11.
Thanks
Pankaj Kumar
04-20-2007 1:18 AM
The best system is not to include S_USER_PRO in the role. This will ensure that the user to whom this role is assigned cannot assign any profiles - including SAP_ALL or SAP_NEW. The user can only assign roles. This is SAP recommended practice.
Hope this helps.
Snehal