08-01-2007 11:09 AM
Hi,
I have one user who can access SU01, but he mustn't be able to provide the SAP_ALL profile.
How can I restrict SU01 to forbid SAP_ALL and/or access to the Profile tab?
Thanks and regards.
08-01-2007 11:39 AM
You can control the profiles that users assign via object S_USER_PRO.
If you ensure that there is no * or range that includes SAP_ALL* in that object then they can't assign that to users.
As the assignment of roles to users invokes a check on the profile associated with that role, you can't completely lock that object.
Furthermore, the only way I can think of restricting the profile tab would be to create a transaction variant for SU01 (using SHD0) and making those fields display only.
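An added example, not part of the original reply: a Python check that scans role authorization values for S_USER_PRO and flags any entry whose PROFILE value (wildcard or range) would cover SAP_ALL. The row layout, the role names and the matching rules (trailing `*` as a prefix wildcard, inclusive code-point range) are assumptions that simplify SAP's own evaluation.

```python
# Added example: simplified model of how S_USER_PRO PROFILE values can cover SAP_ALL.
TARGET = "SAP_ALL"

# Constructed sample rows: (role, object, field, low value, high value).
# A blank high value means a single value or pattern, otherwise a range.
SAMPLE_ROWS = [
    ("Z_USER_ADMIN_L1", "S_USER_PRO", "PROFILE", "Z*", ""),
    ("Z_USER_ADMIN_L2", "S_USER_PRO", "PROFILE", "*", ""),
    ("Z_HELPDESK", "S_USER_PRO", "PROFILE", "SAP_A", "SAP_Z"),
    ("Z_HELPDESK", "S_USER_GRP", "CLASS", "*", ""),
    ("Z_BASIS_JR", "S_USER_PRO", "PROFILE", "T-", "T-ZZZZZZZZ"),
]


def value_covers(low, high, target=TARGET):
    """Return True if one authorization value covers the target profile name."""
    low, high = low.strip(), high.strip()
    if not high:
        # Single value: exact match, or prefix match when it ends in '*'.
        if low.endswith("*"):
            return target.startswith(low[:-1])
        return low == target
    # Range: a trailing '*' on a bound is treated as open-ended (assumption).
    lower = low.rstrip("*")
    upper = high[:-1] + "\uffff" if high.endswith("*") else high
    return lower <= target <= upper


def roles_allowing_sap_all(rows):
    """List (role, low, high) for every S_USER_PRO PROFILE value covering SAP_ALL."""
    hits = []
    for role, obj, field, low, high in rows:
        if obj == "S_USER_PRO" and field == "PROFILE" and value_covers(low, high):
            hits.append((role, low, high))
    return hits


if __name__ == "__main__":
    for role, low, high in roles_allowing_sap_all(SAMPLE_ROWS):
        shown = f"{low} - {high}" if high else low
        print(f"{role}: PROFILE value '{shown}' covers {TARGET}")
```
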
08-01-2007 1:39 PM