SUIM --General

Former Member · ‎01-07-2008

In the T code SUIM when we select users bu complx selection criteria there is a There are two types of groups one group for authorization and the other User Group ( general)

On SU01 --> the " Logon Data" tab as an auth check gp .

--> The Groups tab also has the identical group as the pull down.

Now Whats the difference ? certainly there is one ...what is it ?

Thanks

Former Member · ‎01-07-2008

The first user group refers to the user group listed on the Logon data tab (user group for authorization check) and the second user group refers to any groups assigned on "groups" tab in the user master record (SU01).

The groups tab can be used to further categorize your users, if wanted (secondary and tertiary user groups, etc).

Don't forget that pressing the F1 key on the field will also pull up a lot of good information. (SAP explains in detail the purpose of a field).

Edited by: Julie Nguyen on Jan 7, 2008 7:58 PM

Former Member · ‎01-07-2008

Does it mean the following :

1.In the groups tab of SU01 we can assign any numbe rof groups thats not necessarily be the Auth check gp ?

2.Whats the thought behind it ? User segregation ?

Former Member · ‎01-07-2008

I suggest clicking on the F1 button when in the field in SU01; there is detailed information there and you can play around with how it works.

Matt_Fraser · ‎01-07-2008

George,

Julie pretty much nailed it, but the main purpose of the User Groups on the Logon Data tab is for separating out user maintenance activities among multiple user administrators. For instance, perhaps you have a security administrator for HR who is separate from the security administrator for the rest of your SAP system. To ensure the non-HR secadmin isn't messing with HR users, you can set up the authorizations on that secadmin's role, with auth object S_USER_GRP (I think that's it) to exclude the HR users group. Another and perhaps more common use is to separate out the security tasks among an authorizations administrator and a user administrator, and to make sure they can't update each other (or themselves) or any other 'super' administrators, you assign all such powerful users to a SUPER group and then exclude them from being able to maintain anyone in the SUPER group. This can help prevent fraud and is probably required by Sarbanes-Oxley in the US (though as I work in public sector, my organization isn't subject to SOX requirements, though the above is still a very good idea and we practice it at least in part).

The User Groups on the Groups tab are used more for general organization of your users, such as having a TERM group for terminated users, or ESSUSER for ESS users, and perhaps other groups for HR, or Finance, or however you wish to divide them up (if you do). This is more for query purposes than anything else, but it does allow you to put a single user into multiple groups here, whereas on the Logon Data tab you can only assign one. I'm not sure whether assigning someone to SUPER in the Groups tab and not the Logon Data tab will have the same effect as I described above -- might have to check that out -- but I suspect it won't.

So, in SU10 or SUIM when you are searching by complex criteria for users, it can make a difference which of the two User Group options you choose.

--Matt

Former Member · ‎01-08-2008

>


This can help prevent fraud and is probably required by Sarbanes-Oxley in the US (though as I work in public sector, my organization isn't subject to SOX requirements, though the above is still a very good idea and we practice it at least in part).

Hi Matt,

There is no single set of mandated controls at that level of detail for SOX. Some of my clients use this to split the admin function, some don't - both sign off OK. I can go one place where they satisfy SOX requirements with 25 key controls, other places do with no less than 100. The huge amount of interpretation involved in SOX work always makes it "interesting".

Cheers

Alex