05-13-2008 7:57 PM
This is the type of change I need. I'm finding S_USER_AGR controls all change....including user assignment to the role. I need everything under PFCG display except the user assignment.
How do I do it?
05-13-2008 8:16 PM
Jerry,
I think you are trying to make a DISPLAY ONLY PFCG. If that is right, just create a role with the Tcode PFCG and maintain all the objects to be display only (Activity 03 and 08).
To allow a user with role to assign other users with roles you will need activity 22 for object S_USER_AGR.
So basically, to create a role which can view every role in PFCG and be allowed to assign roles to users, do both of the above.
Hope this helps.
Kunal
05-13-2008 8:10 PM
You will need to exclude auth object - S_USER_AGR - value 22 and S_USER_PRO - value 22.
05-13-2008 8:29 PM
But...that basically is what I have.
I took a version of SAP_ALL that we have that has some FI/CO authorizations turned off. Been using for a long time. This is to satisfy SOX. But now we want to restrict the basis person from doing any role changes in PRD. So I removed 01, 02, and 06 activity under S_USER_AGR. Activity 22 is ON. All other S_USER_xxx authorizations have full authorizations.
The result, you can't change anything under PFCG, display works. But even assigning a role to a user under SU01 is now no longer possible. It's asking for the 02 activity under S_USER_AGR.
So I'm confused.
05-13-2008 8:41 PM
Can you clarify what you wanted? Is it a PFCG display role or a role with all access except assignment of role? You seem to have said 2 different things in the last couple of posts. Also what version are you on? I seem to recall that at some point assignment required activity 02 and 22, but then it changed. It works with just 22 on ECC 6.0.
05-13-2008 8:42 PM
So what is it that you WANT them to be able to do and NOT be able to do?
05-13-2008 8:50 PM
We want no changes to any roles in PRD. Some past errors have resulted in modifications under PFCG to transactions and authorizations in PRD. We want that transported.
User assignment is to be in PRD only by basis.
I took the basis role, which is a modified SAP_ALL role, and excluded 01, 02, and 06 activity under S_USER_AGR.
It took away the change ability, and I saw activity 22...and as everyone is saying I thought the ability to assign a user to a role would be kept intact. It wasn't...it's asking for activity 02 when making a role adjustment under SU01.
We are under ECC 6.0.
To further clarify:
WANT to be able to assign roles to users
Don't WANT the ability to modify the role....except for this user assignment.
Edited by: Jerry Cummins on May 13, 2008 10:04 PM
05-13-2008 9:13 PM
OK I think you will need tcode SU01 with S_USER_GRP - activity 02 and 22 as well.
05-13-2008 9:35 PM
JC
Looks like you want to assign Roles to Users in SU01 but restrict assigning Users to Roles in PFCG? Is this what you are looking for?
I doubt if this is possible, and also doesn't make any logic. Since if you restrict Users at Role Maintenance, one can assign a role to the User at User maintenance.
Gp.
05-14-2008 12:27 PM
The problem I see is SAP has the activity of 02 in S_USER_GRP too broad.
To satisfy auditors/SOX....we have to set roles so the transactions and authorizations in a role cannot be changed in PRD. We have to have that transported. We want that protected.
The same security bit that controls that....is the same one that controls the assignment of a user to a role.
From the documentation...it says...22 is for 'Roles are assigned to users with this'. But, it sure does not work that way.
05-14-2008 12:30 PM
> From the documentation...it says...22 is for 'Roles are assigned to users with this'. But, it sure does not work that way.
Hi Jerry,
OSS note 312682 should fix that
05-14-2008 12:34 PM
05-14-2008 1:14 PM
Sorry Gopi, but this was not my question, but Jerry's. See below for what his intent was with this question.
05-14-2008 2:11 PM
Hi Jerry,
OSS # 828672 refers to setting up auth object - S_USER_SAS - to override the other auth objects. Is this what you were looking for?
"Instead of checking S_USER_GRP and S_USER_AGR, the system checks the S_USER_SAS object (see Note 536101) with the following field values"