<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Limiting Role assignment in Application Development and Automation Discussions</title>
    <link>https://community.sap.com/t5/application-development-and-automation-discussions/limiting-role-assignment/m-p/6860315#M1475633</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;1. I need to exclude assignment of certain roles. I tried limiting it with the role name under the S_USER_AGR object. Here the hurdle is that the names of the roles are not standardised, hence the problem of exclusion comes in. Another way was to limit it with transactions (S_USER_TCD), so if I need to exclude the tcds ME21, 21N, ME22, ME51N, 52N, MIGO, ... any ideas? Newer ideas, or do we just do it as per the old way of A*... wildcard method?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;New ideas? Inventions?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 18 May 2010 20:12:46 GMT</pubDate>
    <dc:creator>Former Member</dc:creator>
    <dc:date>2010-05-18T20:12:46Z</dc:date>
    <item>
      <title>Limiting Role assignment</title>
      <link>https://community.sap.com/t5/application-development-and-automation-discussions/limiting-role-assignment/m-p/6860315#M1475633</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;1. I need to exclude assignment of certain roles. I tried limiting it with the role name under the S_USER_AGR object. Here the hurdle is that the names of the roles are not standardised, hence the problem of exclusion comes in. Another way was to limit it with transactions (S_USER_TCD), so if I need to exclude the tcds ME21, 21N, ME22, ME51N, 52N, MIGO, ... any ideas? Newer ideas, or do we just do it as per the old way of A*... wildcard method?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;New ideas? Inventions?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 18 May 2010 20:12:46 GMT</pubDate>
      <guid>https://community.sap.com/t5/application-development-and-automation-discussions/limiting-role-assignment/m-p/6860315#M1475633</guid>
      <dc:creator>Former Member</dc:creator>
      <dc:date>2010-05-18T20:12:46Z</dc:date>
    </item>
    <item>
      <title>Re: Limiting Role assignment</title>
      <link>https://community.sap.com/t5/application-development-and-automation-discussions/limiting-role-assignment/m-p/6860316#M1475634</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;A solid and consistent naming convention is beyond my doubt the best solution. You can also limit what the user can request using this approach (which is increasingly popular) as they are generally only skilled enough to look for roles and not authorization field values.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;But if you have to live with what you have, then there are exits available for the user administration - there you can "invent" to some extent and make it dependent on critical authorizations you define and conflicts (see report RSUSR008_009_NEW).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Last I heard the exits were converted to BADIs, but many customers are looking into GRC's CUP functionality and IdM workflows now.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It is in my opinion still a gem stone which can be used as a preventative or detective control if you set it up correctly. You are however on your own (with us... :-) in this and do not have updated SAP defaults for all modules to build from.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If it is only critical authorizations and low-brainers you want to detect, then it is relatively easy.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Cheers,&lt;/P&gt;&lt;P&gt;Julius&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 18 May 2010 21:26:17 GMT</pubDate>
      <guid>https://community.sap.com/t5/application-development-and-automation-discussions/limiting-role-assignment/m-p/6860316#M1475634</guid>
      <dc:creator>Former Member</dc:creator>
      <dc:date>2010-05-18T21:26:17Z</dc:date>
    </item>
    <item>
      <title>Re: Limiting Role assignment</title>
      <link>https://community.sap.com/t5/application-development-and-automation-discussions/limiting-role-assignment/m-p/6860317#M1475635</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Do you mean to say that you want to restrict your Security Administrators to assign specific roles to users or access of Security administrators should be restricted to manage a specific set of users?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;&lt;P&gt;Anjan&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 19 May 2010 07:01:29 GMT</pubDate>
      <guid>https://community.sap.com/t5/application-development-and-automation-discussions/limiting-role-assignment/m-p/6860317#M1475635</guid>
      <dc:creator>Former Member</dc:creator>
      <dc:date>2010-05-19T07:01:29Z</dc:date>
    </item>
  </channel>
</rss>

