Restrict any changes under PFCG in PRD except user assignment.

Former Member
0 Kudos

This is the type of change I need. I’m finding S_USER_AGR controls all changes... including user assignment to the role. I need everything under PFCG display except the user assignment.

How do I do it?

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Jerry,

I think you are trying to make a DISPLAY ONLY PFCG. If that is right, just create a role with the Tcode PFCG and maintain all the objects to be display only (Activity 03 and 08).

To allow a user with role to assign other users with roles you will need activity 22 for object S_USER_AGR.

So basically, to create a role which can view every role in PFCG and be allowed to assign roles to users, do both of the above.

Hope this helps.

Kunal

13 REPLIES 13

Former Member
0 Kudos

You will need to exclude auth object - S_USER_AGR - value 22 and S_USER_PRO - value 22.

0 Kudos

But...that basically is what I have.

I took a version of SAP_ALL that we have that has some FI/CO authorizations turned off. Been using for a long time. This is to satisfy SOX. But now we want to restrict the basis person from doing any role changes in PRD. So I removed 01, 02, and 06 activity under S_USER_AGR. Activity 22 is ON. All other S_USER_xxx authorizations have full authorizations.

The result, you can’t change anything under PFCG, display works. But even assigning a role to a user under SU01 is now no longer possible. It’s asking for the 02 activity under S_USER_AGR.

So I’m confused.

0 Kudos

Can you clarify what you wanted? Is it a PFCG display role or a role with all access except assignment of role? You seem to have said 2 different things in the last couple of posts. Also what version are you on? I seem to recall that at some point assignment required activity 02 and 22, but then it changed. It works with just 22 on ECC 6.0.

0 Kudos

So what is it that you WANT them to be able to do and NOT be able to do?

0 Kudos

We want no changes to any roles in PRD. Some past errors have resulted in modifications under PFCG to transactions and authorizations in PRD. We want that transported.

User assignment is to be in PRD only by basis.

I took the basis role, which is a modified SAP_ALL role, and excluded 01, 02, and 06 activity under S_USER_AGR.

It took away the change ability, and I saw activity 22...and as everyone is saying I thought the ability to assign a user to a role would be kept intact. It wasn't...it's asking for activity 02 when making a role adjustment under SU01.

We are under ECC 6.0.

To further clarify.

WANT to be able to assign roles to users

Don't WANT the ability to modify the role....except for this user assignment.

Edited by: Jerry Cummins on May 13, 2008 10:04 PM
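
The requirement stated above (no role changes in PRD, role assignment still allowed) can be verified from role data. This is an added example, not part of the original posts: it audits a CSV extract laid out like table AGR_1251 and reports which roles still grant activities 01/02/06 on S_USER_AGR and which grant 22. The role names, the sample rows and the use of the DELETED column to skip inactive entries are assumptions made for the example.

```python
import csv
import io

# 01 create, 02 change, 06 delete: the activities removed from S_USER_AGR in the thread.
CHANGE_ACTVT = {"01", "02", "06"}
ASSIGN_ACTVT = "22"  # role assignment, per the thread

# Constructed sample extract (assumed column layout of AGR_1251; role names are made up).
SAMPLE = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH,DELETED
Z_BASIS_PRD,S_USER_AGR,T1,ACTVT,03,,
Z_BASIS_PRD,S_USER_AGR,T1,ACTVT,08,,
Z_BASIS_PRD,S_USER_AGR,T1,ACTVT,22,,
Z_BASIS_PRD,S_USER_AGR,T1,ACT_GROUP,*,,
Z_OLD_ADMIN,S_USER_AGR,T2,ACTVT,01,06,
Z_WILDCARD,S_USER_AGR,T3,ACTVT,*,,
Z_INACTIVE,S_USER_AGR,T4,ACTVT,02,,X
"""

def covers(low, high, value):
    """True if an authorization value (single, LOW-HIGH range, or pattern*) includes value."""
    low, high = low.strip(), high.strip()
    if low.endswith("*"):          # "*" or a prefix pattern such as "0*"
        return value.startswith(low[:-1])
    if high:                       # inclusive range, compared as 2-character strings
        return low <= value <= high
    return low == value

def audit(csv_text):
    """Return {role: {"change": [...], "assign": bool}} for S_USER_AGR / ACTVT rows."""
    granted = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["OBJECT"] != "S_USER_AGR" or row["FIELD"] != "ACTVT":
            continue
        if (row.get("DELETED") or "").strip() == "X":   # assumed: X marks an inactive entry
            continue
        acts = granted.setdefault(row["AGR_NAME"], set())
        acts.update(a for a in CHANGE_ACTVT | {ASSIGN_ACTVT}
                    if covers(row["LOW"], row["HIGH"], a))
    return {role: {"change": sorted(acts & CHANGE_ACTVT), "assign": ASSIGN_ACTVT in acts}
            for role, acts in granted.items()}

def violations(report):
    """Roles that can still create, change or delete roles."""
    return sorted(role for role, r in report.items() if r["change"])

if __name__ == "__main__":
    print(violations(audit(SAMPLE)))
```

The check covers role contents only; which objects the system actually evaluates at assignment time depends on the release and notes discussed in the replies.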

0 Kudos

OK I think you will need tcode SU01 with S_USER_GRP - activity 02 and 22 as well.

0 Kudos

JC

Looks like you want to assign Roles to Users in SU01 but restrict assigning Users to Roles in PFCG? Is this what you are looking for?

I doubt if this is possible, and also doesn't make any logic. Since if you restrict Users at Role Maintenance, one can assign a role to the User at User maintenance.

Gp.

0 Kudos

The problem I see is SAP has the activity of 02 in S_USER_GRP too broad.

To satisfy auditors/SOX....we have to set roles so the transactions and authorizations in a role cannot be changed in PRD. We have to have that transported. We want that protected.

The same security bit that controls that....is the same one that controls the assignment of a user to a role.

From the documentation...it says...22 is for 'Roles are assigned to users with this'. But, it sure does not work that way.

0 Kudos

> From the documentation...it says...22 is for 'Roles are assigned to users with this'. But, it sure does not work that way.

Hi Jerry,

OSS note 312682 should fix that

0 Kudos

Yes, just found it myself. But for our release it's note 828672. Thanks.

0 Kudos

Sorry Gopi, but this was not my question, but Jerry's. See below for what his intent was with this question.

0 Kudos

Hi Jerry,

OSS # 828672 refers to setting up auth object - S_USER_SAS - to override the other auth objects. Is this what you were looking for?

"Instead of checking S_USER_GRP and S_USER_AGR, the system checks the S_USER_SAS object (see Note 536101) with the following field values"