06-19-2008 11:07 AM
Hi all,
I have a requirement to provide authorization to 3 basis admins in such a way that they can use su01, pfcg or any basis related tcode, but each one should be restricted to one company, say 'A' only... i.e. I have 3 basis admins A, B and C on a single system and 3 companies, say DEF, PQR and XYZ. Now A can create user IDs for the DEF company only... same for the rest of the users and companies.
Is it possible, and in what way?
Rgds
D L
06-19-2008 11:25 AM
If the admins can do role assignments as well, then you might want to consider the company code in the role naming convention and use S_USER_AGR to control their powers.
If they have access to authorization administration as well, then take a look at S_USER_VAL, S_USER_OBJ etc.
Cheers,
Julius
06-19-2008 11:21 AM
Of course this can be done.
Here you would be using the S_USER_GRP authorization object.
Giving access to this authorization will allow user A to only manage users in group DEF:
S_USER_GRP
ACTVT 02
GRP 'DEF'
Giving access to this authorization will allow user C to only manage users in group XYZ:
S_USER_GRP
ACTVT 02
GRP 'XYZ'
Create user groups via transaction SUGR.
Read more at:
http://help.sap.com/saphelp_nw70/helpdata/EN/fa/f63f4222fab16be10000000a155106/frameset.htm
Good luck
Regards Fredrik
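An added example, not part of the original thread: a check over a constructed export of S_USER_GRP authorizations that reports every admin who can change users (ACTVT 02) outside the one group intended for them in the scenario above. The sample data, the function names and the trailing-`*` matching rule are assumptions for illustration; the field names ACTVT and GRP follow the notation of the post above.

```python
# Intended scope per admin, taken from the scenario in the thread.
EXPECTED = {"A": "DEF", "B": "PQR", "C": "XYZ"}

# Constructed sample export of S_USER_GRP authorizations per admin.
# Field names ACTVT and GRP are written as in the post above.
GRANTS = [
    {"user": "A", "ACTVT": ["01", "02"], "GRP": ["DEF"]},
    {"user": "B", "ACTVT": ["02"], "GRP": ["PQR", "XYZ"]},
    {"user": "C", "ACTVT": ["*"], "GRP": ["X*"]},
    {"user": "C", "ACTVT": ["03"], "GRP": ["*"]},
]


def matches(pattern, value):
    """Assumed matching rule: a trailing '*' acts as a prefix wildcard."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def out_of_scope(grants, expected):
    """Return (user, group value, foreign groups reached) for every grant
    that allows change (ACTVT 02) on anything but the admin's own group."""
    groups = sorted(set(expected.values()))
    findings = []
    for grant in grants:
        if not any(matches(p, "02") for p in grant["ACTVT"]):
            continue  # no change activity in this authorization
        own = expected[grant["user"]]
        for pattern in grant["GRP"]:
            if pattern == own:
                continue  # exactly the intended group
            reached = [g for g in groups if g != own and matches(pattern, g)]
            # A wildcard is reported even when it reaches no foreign group
            # today, because a group created later could fall under it.
            findings.append((grant["user"], pattern, reached))
    return findings


if __name__ == "__main__":
    for user, pattern, reached in out_of_scope(GRANTS, EXPECTED):
        print(f"{user}: GRP {pattern!r} exceeds scope, reaches {reached or 'no current foreign group'}")
```
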
06-19-2008 12:06 PM
By assigning user_grp you can assign the user IDs defined in the user group, so you can make changes to the user IDs allocated to the user group, but it cannot be restricted to a particular company.
06-19-2008 1:07 PM
The solution is to create a user group per company. If you want to restrict on the company code itself, you have to go through a lengthy ABAP process creating your own code.
06-19-2008 1:34 PM
Hi Auke,
I don't understand this comment:
> ... if you want to restrict on the company code itself you have to go through a lengthy abap process creating your own code
Which code are you referring to?
Cheers,
Julius
06-19-2008 11:23 AM
Hi,
the solution could be easy if you set up the 3 companies in different clients of the system. According to their access to those clients, your administrators will be able to use basis transactions only in that client/for that company.
b.rgds, Bernhard
06-19-2008 11:27 AM
Hmmm... the downside of that would be more customizing and the risk that the customizing, the roles, the user admin, the monitoring... could drift apart.
Cheers,
Julius
06-19-2008 12:02 PM
The first solution is the most commonly used and is secure, as it makes use of functionality designed for this purpose.