Answer / rohit

you can't restrict. you have to create another child role and restrict there i.e add/remove t-code as per the requirement. This type of question is asked in interview for creating confusion :)

Answer / siva

We can restrict via creating a new standalone role with the
required transaction codes restricting with org values of
the same plant/company code and assign the newly created
role and remove access to the already assigned derived role.

Answer / seenivasan m u

Possible, restrict the required users in validity parts from and to dates, T-code access available but validity controls, system will be reflect assigned two users only, rest of users not facing any issues on this.

Answer / sumeithmn

We can change the Authorizations of those 2 specific derived roles by removing the desired tcodes and generate. But this actually defies the derived - template roles concept.

Also, whenever the template role is modified for some reason i future, and if the change is inherited via the template role, then the 2 specific derived roles will lose all the changes made to them (as above) and will get the same auths as the template role again.
The only solution in this case is to not derive all roles from the template role after template roles modification, but to derived individually each of those 3 derived roles, and make the changes exclusively to those 2 derived roles. This is possible but proposes a very weak and unnecessary overhead task for Security administrator.

Answer / gane

convert the derived role into single role and remove the t-codes which are not required as we can't delete the t-codes from derived role menu.

Answer / zaky

The answer is simple, We cannot remove the tcodes from child
roles, so we have to restrict at org level for that tcode,
The user might need tht access to different company code or
plant, So at org level maintain a wildcard value which wont
allow user to fully access the tcode

Answer / annavarapu

first we need to add those t-codes for the users who required
access to execute and then remove the codes from the roles.
Automatically the users who doesn't required the t-code access
will workout

Answer / kamal

We can restrict the users in the particular derived
roles........... For this we dont need to creste another
child role....


Thanks

What is Preventive and Detective controls in GRC AC 5.3?

2 Answers   IBM,

How can we Lock transaction ? What happens exactly ?

4 Answers   Patni,

What does the profile generator do?

0 Answers  

Could you please let me know the exact step by step process for the following Questions. 1.How to get the E-Mail address for 100 users at a time. 2.While Creating BW roles what are the Authorization Objects we will use. 3.While Creating Single role what will be happened in the functional side, when entered the Template role in the derived role tab. 4.when we changed the password for more users(for example:100 users) where the password will be stored or from where you can Re-Collect the password and how will you Communicate the password to all users at a time. 5.What is Virsa? Once you entered in to the screen what it will perform. 6.What is the use of SU24 & SM24. 7.While Creating BW roles what are the Authorization Objects we will use. 8.While Creating Single role what will be happened in the functional side, when you entered the Template role in the derived role tab. 9.What is Dialog users, Batch users and Communicate users. What is the use with Communicate user. 10.Can we add one Composite role in to another Composite role at any urgent user requests or in normal user requests. 11.In Transport what type of Request we will use.Why don't we use Workbench request in transport. 12.When we added Authorization Object in Template role, at the same time what will be happen in Derived role. 13.How to Check Profile parameter. And how to find whether any transport has ended with error and where we can check. 14.How to Extract users list like who didn't login since 3 months. And In 90 Days user Locking in which table we will use. 15.What is OSS Connection and System Opening and why we have to open these. 16.What will have in one single role and how many prifiles will be in one sap cua system. 17.What is the difference between Template role & Derive role.

3 Answers   Infosys,

What every changes done exist role in development system that changes are not reflected in quality system, but transport is successfully moved?

0 Answers  

We have one request to modify role(adding field value in auth. object) and we have added it. when transporting that role, getting error "role XXXXX type is undetermined" can any body please suggest, how to fix this issue?

2 Answers   Cap Gemini, IBM,

In 4.7 EE, we have an option as User -> Settings -> Automatic Comparison at Save. Is it right if i say that this option checked will automatically prompt for User cpompare when we simply save the data after entering the users to the role? But whether the option is checked or not i did not get any prompt for User compare on saving the data after entering Users info in the role. My another doubt is whats the difference between User and Complete Compare options. If i dont do complete Compare, wiill that effect? Is it right if i say that User compare assigns the users to the role and Complete Compare updates the user master recoirds , i.e., User master record comparison is current.

3 Answers  

how to do Assigning authorization groups for table restrictions and program restrictions.

1 Answers   IBM,

What is the use of usergroup in logon data tab?

3 Answers  

How can sap security be improved?

0 Answers  

what is sox and in sap security?

2 Answers   IBM,

Can you please let me know the GRC 10 landscape, is it 2 system landscape like GRC 5.3 or 3 system landscape. As GRC 10 is ABAP Stack

4 Answers   TCS,