01-22-2008 3:47 PM
Hello,
Our company has an audit recommendation to restrict administrative access to certain individuals only to user creation. However in certain instances these administrators need to model new users based on existing ones and this includes copying profiles and roles as well. The administrators use transaction SU01 with the following objects:
S_USER_AGR
S_USER_AUT
S_USER_GRP
S_USER_PRO
S_USER_SAS
Does anyone know whether it is possible to allow these individuals only to create users and assign profiles, without being able to modify existing roles and profiles or change their own authorizations?
Thank you for your time!
Martin
01-22-2008 4:35 PM
Hi Martin,
There are a couple of things here:
Not change their own access
Assign them to a user group and make sure that they only have display access to this group via S_USER_GRP. This will stop them maintaining their own ID or that of their colleagues (it won't stop them creating powerful users which they then log in via though...)
Not change roles/profiles
If they assign roles via SU01 and not PFCG then they only need S_USER_PRO and S_USER_AGR with activity 22 (assign).
If you don't give them change access to the above then they won't be changing roles or profiles. If you get auth failures because SAP wants change access to roles when assigning users, then check out note 312682.
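The restrictions in the answer above can be checked mechanically against a role's authorization values. This is an added example, not part of the original posts or any SAP tooling; the user group ZADMIN, the sample data and its layout are constructed, and tolerating display activity 03 on S_USER_AGR and S_USER_PRO is an assumption.

```python
# Added example: audit a role's user-administration authorizations.
# Field names (CLASS, ACT_GROUP, PROFILE, ACTVT) are the objects' standard fields;
# the data layout and the group name ZADMIN are constructed for illustration.

ASSIGN_ONLY = {"S_USER_AGR", "S_USER_PRO"}
ALLOWED_ASSIGN = {"03", "22"}   # display + assign (allowing 03 is an assumption)
ALLOWED_OWN_GROUP = {"03"}      # display only on the admins' own user group


def covers(values, target):
    """True if an authorization value list covers target ('*' and 'ABC*' patterns)."""
    for v in values:
        if v == "*" or v == target:
            return True
        if v.endswith("*") and target.startswith(v[:-1]):
            return True
    return False


def excess(actvt_values, allowed):
    """Activities granted beyond the allowed set; a '*' entry is reported as-is."""
    return sorted(set(actvt_values) - allowed)


def audit(authorizations, admin_group):
    """Return (object, reason, excess activities) for each authorization that breaks the rules."""
    findings = []
    for auth in authorizations:
        obj, fields = auth["object"], auth["fields"]
        actvt = fields.get("ACTVT", [])
        if obj in ASSIGN_ONLY:
            extra = excess(actvt, ALLOWED_ASSIGN)
            if extra:
                findings.append((obj, "activities beyond assign/display", extra))
        elif obj == "S_USER_GRP" and covers(fields.get("CLASS", []), admin_group):
            # Authorizations are additive: a wildcard group undoes display-only.
            extra = excess(actvt, ALLOWED_OWN_GROUP)
            if extra:
                findings.append((obj, f"can maintain own group {admin_group}", extra))
    return findings


SAMPLE_ROLE = [  # constructed sample, one dict per authorization
    {"object": "S_USER_GRP", "fields": {"CLASS": ["ZADMIN"], "ACTVT": ["03"]}},
    {"object": "S_USER_GRP", "fields": {"CLASS": ["*"], "ACTVT": ["01", "02", "03"]}},
    {"object": "S_USER_AGR", "fields": {"ACT_GROUP": ["*"], "ACTVT": ["02", "22"]}},
    {"object": "S_USER_PRO", "fields": {"PROFILE": ["*"], "ACTVT": ["22"]}},
]
```

In the sample, the second S_USER_GRP authorization is the one to watch for: a wildcard user group with create/change quietly restores maintenance of the administrators' own IDs.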
01-25-2008 3:55 PM
Hi Alex,
Thank you for your input - your advice resolved our query. In addition to your recommendations, we also implemented SAP Note 312682, which discusses how to avoid assigning activity 02 to S_USER_AGR which is necessary in order to allow administrators to assign roles to users.
Thanks again!
Martin