Answer / rohit

you can't restrict. you have to create another child role and restrict there i.e add/remove t-code as per the requirement. This type of question is asked in interview for creating confusion :)

Answer / siva

We can restrict via creating a new standalone role with the
required transaction codes restricting with org values of
the same plant/company code and assign the newly created
role and remove access to the already assigned derived role.

Answer / seenivasan m u

Possible, restrict the required users in validity parts from and to dates, T-code access available but validity controls, system will be reflect assigned two users only, rest of users not facing any issues on this.

Answer / sumeithmn

We can change the Authorizations of those 2 specific derived roles by removing the desired tcodes and generate. But this actually defies the derived - template roles concept.

Also, whenever the template role is modified for some reason i future, and if the change is inherited via the template role, then the 2 specific derived roles will lose all the changes made to them (as above) and will get the same auths as the template role again.
The only solution in this case is to not derive all roles from the template role after template roles modification, but to derived individually each of those 3 derived roles, and make the changes exclusively to those 2 derived roles. This is possible but proposes a very weak and unnecessary overhead task for Security administrator.

Answer / gane

convert the derived role into single role and remove the t-codes which are not required as we can't delete the t-codes from derived role menu.

Answer / zaky

The answer is simple, We cannot remove the tcodes from child
roles, so we have to restrict at org level for that tcode,
The user might need tht access to different company code or
plant, So at org level maintain a wildcard value which wont
allow user to fully access the tcode

Answer / annavarapu

first we need to add those t-codes for the users who required
access to execute and then remove the codes from the roles.
Automatically the users who doesn't required the t-code access
will workout

Answer / kamal

We can restrict the users in the particular derived
roles........... For this we dont need to creste another
child role....


Thanks

i have one role in development then this role need to be available in production how to achieve this?

5 Answers   Infosys,

Difference between 4.7c and ECC 6.0 in security aspect? I tried in many website but still not able to find the correct one.

2 Answers   CTS,

Hi All, We have few users with SAP_ALL profile from 90 days, now i want check what are the transactions they are used till now and i didn’t activate any audit filters in SM19. In this case How can we find?

4 Answers  

What's the basic difference in between SU22 & SU24?

3 Answers  

Hi , Currently i am working in an MNC company as an SAP Security tier1 member , we will take care of User Administration , Profile/authorization administration activities .Could any one tell me , is i am eligible to apply for an SAP Security job for 2 years experience . Could any one tell me about SOD , SOX Audit and Virsa tool , i have never worked before . Prakash

3 Answers   IBM,

Using which table transaction code text can be displayed?

2 Answers   IBM,

What is the procedure for role modifications?

0 Answers  

Which tables will you use for making customizing setting for security administration?

0 Answers  

Q5) What is the procedure you follow in your company as a security admin when a end user complains that he is unable to perform or execute an action in a particular tcode?

2 Answers   HP,

What are su01d t-codes used for?

1 Answers  

What are pfud t-codes used for?

0 Answers  

what are all the questions covered in "profiles related concepts " please let me know ?

0 Answers   IBM,