we have one parent role and we derived five roles from that
and i assigned these derived roles to five users now i want
to restrict 2 users for couple of T-codes and rest of the
users work with those T-codes , How we can solve the problem
Answers were Sorted based on User's Feedback
Answer / rohit
you can't restrict. you have to create another child role and restrict there i.e add/remove t-code as per the requirement. This type of question is asked in interview for creating confusion :)
Is This Answer Correct ? | 20 Yes | 1 No |
Answer / siva
We can restrict via creating a new standalone role with the
required transaction codes restricting with org values of
the same plant/company code and assign the newly created
role and remove access to the already assigned derived role.
Is This Answer Correct ? | 4 Yes | 1 No |
Answer / seenivasan m u
Possible, restrict the required users in validity parts from and to dates, T-code access available but validity controls, system will be reflect assigned two users only, rest of users not facing any issues on this.
Is This Answer Correct ? | 0 Yes | 0 No |
We can change the Authorizations of those 2 specific derived roles by removing the desired tcodes and generate. But this actually defies the derived - template roles concept.
Also, whenever the template role is modified for some reason i future, and if the change is inherited via the template role, then the 2 specific derived roles will lose all the changes made to them (as above) and will get the same auths as the template role again.
The only solution in this case is to not derive all roles from the template role after template roles modification, but to derived individually each of those 3 derived roles, and make the changes exclusively to those 2 derived roles. This is possible but proposes a very weak and unnecessary overhead task for Security administrator.
Is This Answer Correct ? | 0 Yes | 0 No |
Answer / zaky
The answer is simple, We cannot remove the tcodes from child
roles, so we have to restrict at org level for that tcode,
The user might need tht access to different company code or
plant, So at org level maintain a wildcard value which wont
allow user to fully access the tcode
Is This Answer Correct ? | 0 Yes | 5 No |
Answer / annavarapu
first we need to add those t-codes for the users who required
access to execute and then remove the codes from the roles.
Automatically the users who doesn't required the t-code access
will workout
Is This Answer Correct ? | 0 Yes | 7 No |
Answer / kamal
We can restrict the users in the particular derived
roles........... For this we dont need to creste another
child role....
Thanks
Is This Answer Correct ? | 2 Yes | 12 No |
1.How do I assign roles to a specific group, not to a specific user, and apply the roles to all users in that group? This particular group has four users.?
What is a derived role?
How do you check background jobs?
how u add a roleowner in a role
what are the important A.O ? why they are important ... ?
What is the use of usergroup in logon data tab?
Q3) What is difference between R/3 security and HR security? Explain in detail or its importance?
How will you mitigate a user against an authorization object which is decided as sensitive by Business
difference between business view n technical view?
how to do Reporting and Analysis authorizations
Explain secure store and forward?
What does PRGN_STAT & TCODE_MOD table consist of?