05-04-2007 3:35 PM
If I want to restrict access for a user even after assigning the SAP_ALL profile, how do I deactivate the authorization object S_USER_GRP to restrict access to the transaction SU01? Can anyone give me the steps?
Thanks
renjy
05-04-2007 4:11 PM
SAP Security is additive, so if the user had the object in their role/profile, you will have to remove it from there to have any effect. In this instance you would have to copy SAP_ALL to a custom profile or role and remove the corresponding S_USER* auths. As long as the user has debug access they will be able to hobble this anyway.
The very premise of SAP_ALL is to give access to everything; you should not give it (or close variants of it) to people that you want to restrict. In those situations, develop a role that gives them access to the functions that they require.
05-06-2007 8:25 AM
Hi Renjy,
Once you assign SAP_ALL, you will find a list of objects, object classes, etc.
Search for the object S_USER_GRP, or whichever objects you want to make inactive.
Expand the object and you will find an icon with a minus sign (a red "-" icon); next to it is a copy icon.
Click on the red minus icon and the object will become inactive.
Generate the role.
Hope this helps. If you need more information, let me know.
Cheers
Soma
05-07-2007 7:02 AM
Hi Renjy,
You can deactivate an authorization object, say S_USER_GRP, by going into transaction code PFCG (role maintenance).
Steps:
1) Go to PFCG and create a role starting with Z*.
2) Under the Authorization tab, click on Change Authorization Data.
3) Search for object S_USER_GRP and make it inactive.
Then generate the profile again and save it.
Cheers
Gaurav
05-07-2007 11:11 AM
Hi Renjy,
Restricting S_USER_GRP would not be advised as a way to restrict a user from SU01, as this object may also restrict access to a few other transaction codes which are dependent on S_USER_GRP. Instead, you can enter the following combination in the S_TCODE object without deactivating S_USER_GRP:
0-9, A-N, P-ST, SU02-Z
Hope it helps.
Please award points if it is useful.
Thanks & Regards,
Santosh
05-07-2007 4:51 PM