Answer / rohit

you can't restrict. you have to create another child role and restrict there i.e add/remove t-code as per the requirement. This type of question is asked in interview for creating confusion :)

Answer / siva

We can restrict via creating a new standalone role with the
required transaction codes restricting with org values of
the same plant/company code and assign the newly created
role and remove access to the already assigned derived role.

Answer / seenivasan m u

Possible, restrict the required users in validity parts from and to dates, T-code access available but validity controls, system will be reflect assigned two users only, rest of users not facing any issues on this.

Answer / sumeithmn

We can change the Authorizations of those 2 specific derived roles by removing the desired tcodes and generate. But this actually defies the derived - template roles concept.

Also, whenever the template role is modified for some reason i future, and if the change is inherited via the template role, then the 2 specific derived roles will lose all the changes made to them (as above) and will get the same auths as the template role again.
The only solution in this case is to not derive all roles from the template role after template roles modification, but to derived individually each of those 3 derived roles, and make the changes exclusively to those 2 derived roles. This is possible but proposes a very weak and unnecessary overhead task for Security administrator.

Answer / gane

convert the derived role into single role and remove the t-codes which are not required as we can't delete the t-codes from derived role menu.

Answer / zaky

The answer is simple, We cannot remove the tcodes from child
roles, so we have to restrict at org level for that tcode,
The user might need tht access to different company code or
plant, So at org level maintain a wildcard value which wont
allow user to fully access the tcode

Answer / annavarapu

first we need to add those t-codes for the users who required
access to execute and then remove the codes from the roles.
Automatically the users who doesn't required the t-code access
will workout

Answer / kamal

We can restrict the users in the particular derived
roles........... For this we dont need to creste another
child role....


Thanks

What is the maximum number of authorization objects in a role?

1 Answers  

How to trace a Report User (Business User) in SAP BI?

5 Answers   IBM,

two company codes ex 1001,1002 and two users ,one user need to access both company codes and another user need to access only one company code need to access by giving same role (one role ) to both of them.how can give access or restrict company codes in one role?

2 Answers   IBM,

How to update risk id in rule set?

0 Answers  

how do we create firefigter Id in VIRSAs VRAT

3 Answers  

can u secure profiles ? if so , hou to do it ?

2 Answers   IBM,

How to create secatt script in sap step by step

1 Answers  

How to add a new tcode to 1000 roles at a time?

2 Answers   Cap Gemini, Tech Mahindra,

What is mean By Start Profile, Default Profile, Instance Profile ? What is difference between these ?

4 Answers   Patni,

How to lock all the users at a time?

1 Answers  

How would you do the 'lock all users at once'.

1 Answers  

11.If the user don't have the access of su53?then how to fine the user missing authorization with out using st01?

6 Answers