Answer / rohit

you can't restrict. you have to create another child role and restrict there i.e add/remove t-code as per the requirement. This type of question is asked in interview for creating confusion :)

Answer / siva

We can restrict via creating a new standalone role with the
required transaction codes restricting with org values of
the same plant/company code and assign the newly created
role and remove access to the already assigned derived role.

Answer / seenivasan m u

Possible, restrict the required users in validity parts from and to dates, T-code access available but validity controls, system will be reflect assigned two users only, rest of users not facing any issues on this.

Answer / sumeithmn

We can change the Authorizations of those 2 specific derived roles by removing the desired tcodes and generate. But this actually defies the derived - template roles concept.

Also, whenever the template role is modified for some reason i future, and if the change is inherited via the template role, then the 2 specific derived roles will lose all the changes made to them (as above) and will get the same auths as the template role again.
The only solution in this case is to not derive all roles from the template role after template roles modification, but to derived individually each of those 3 derived roles, and make the changes exclusively to those 2 derived roles. This is possible but proposes a very weak and unnecessary overhead task for Security administrator.

Answer / gane

convert the derived role into single role and remove the t-codes which are not required as we can't delete the t-codes from derived role menu.

Answer / zaky

The answer is simple, We cannot remove the tcodes from child
roles, so we have to restrict at org level for that tcode,
The user might need tht access to different company code or
plant, So at org level maintain a wildcard value which wont
allow user to fully access the tcode

Answer / annavarapu

first we need to add those t-codes for the users who required
access to execute and then remove the codes from the roles.
Automatically the users who doesn't required the t-code access
will workout

Answer / kamal

We can restrict the users in the particular derived
roles........... For this we dont need to creste another
child role....


Thanks

What profile versions?

0 Answers  

Explain transport system-level security?

0 Answers  

How do i display users with SAP_ALL roles.

2 Answers  

what is sod in sap security?

0 Answers  

What is fire fighter ? When we are using fire fighter?

4 Answers  

hi..guys... can u tell me? what is the solution manager.. and what is the use? which type of commands we should follow?

2 Answers   IBM,

Hi, I want to import my Transport request from DEV. to Test system (from STMS buffer of DEV.(domain only) but I don’t want Login/PWD screen while importing from DEV to Test System. But I need login/pwd screen while importing TR from Test to PRD system. Presently I have activated all systems as a non trusted systems. If any one has idea please let me know. Thanks in advance! Regards, Raj Chavan.

0 Answers  

You want to configure the local and global setting of cua. Where would you do that? What would happen if you have inconsistent settings?

0 Answers  

In which table you can see authorization group for table and which table to see authorization group for program?

8 Answers   Cap Gemini,

Why is it important to delete sap-new profile? What steps will you take to do this?

0 Answers  

How to Maintenance of User Master Records, Profiles, Authorizations

1 Answers   IBM,

Tell me about derived role?

0 Answers