Solved: Re: User Groups

former_member759680 · ‎2008 Jul 03

Could you please tell me what is teh advantage of having Security User groups in a system.

We have 5 modules in our SAP ECC

MM

PM

SD

FI

CO

Please suggest as to how should I go about creating User Groups.

Thanks.

Former Member · ‎2008 Jul 03

hi Gautam

In addition to above

use tcode SUGR for creating authorization user group

these groups are assigned in SU01->logon Tab

While searching in SUIM, somtimes it is easier to fing user by user group

Also there is Group tab in SU01

This group is used when doing mass user maintainance in SU10

Hope this helps

Former Member · ‎2008 Jul 03

Most popular use for user groups is to categorise users in a way that fits your company. Often they are used to show function, location, country etc or many combination's of the above. Lots of SUIM reports have the facility to sort by user group so it can help with reporting.

You can also use user group to restrict access to who can maintain users within that group, have a look at the object documentation for S_USER_GRP.....

Use transaction SUGR to create user groups

Former Member · ‎2008 Jul 03

Hi Gautam,

The real advantage of security user group is delegating administrative rights to among user administrators for user maintenance.

User group enhance your security among the administrators .

User group will protect the super user against misusing administrator.

It allows to create security management authorization by user

group.

As Per your company security requirement.You should analysis to create user group in the security point of view.

Proper deployment of user group will helps you a lot in maintenance part.

Correct me if I'm wrong !

Regards,

Naveen

Former Member · ‎2008 Jul 03

hi Gautam

In addition to above

use tcode SUGR for creating authorization user group

these groups are assigned in SU01->logon Tab

While searching in SUIM, somtimes it is easier to fing user by user group

Also there is Group tab in SU01

This group is used when doing mass user maintainance in SU10

Hope this helps

Bernhard_SAP · ‎2008 Jul 03

Hi Trupti,

good point.

Only the user group assignement on the logon tab of SU01 is taken into consideration for the check of object S_USER_GRP!

Group assignements on the 'groups'-tab are only useful for categorizing your users, for instance for easier selection of users as you mentioned.

I have found that really useful for instance for mass locking of users before upgrading the system (supportpackages). Simply select all users in SU10 to be locked except the users belonging to my administrators group....

b.rgds, Bernhard

former_member759680 · ‎2008 Jul 03

Hello All,

Thanks for the info. Really appreciate it!

One last guidance i need is on this, We ahve just 100 end users in Production system, with the expected users to reach 500 over a period of 1 year.

Is User groups requiered for maintaning such a small number of users?

Also, is it advisable to create User groups in each System separately or transport them?

How do I transport them?

Thanks.

Former Member · ‎2008 Jul 03

Hi,

user groups cannot be transported.

you have to create them in all systems

I would suggests you to create user groups for your users

It is always a good practice while maintaining them

group them as your business requirement

e.g if u r users are globe wise you can create groups for each country

etc

hope this helps

Edited by: Trupti on Jul 3, 2008 11:54 AM

Former Member · ‎2008 Jul 03

Well, you can actually "transport" user groups.

In table PRGN_CUST, you just have to insert an entry for parameter CUA_USERGROUPS_CHECK with value C. This is done in the development system(s), and transported across to all related systems. What happens is the following: If a user is transported via CUA to a system where his/her user group do not exist, it will now be created automatically (although without the description as seen in SUGR).

In general, you use user groups for two reasons: either to be able to select groups of users easily in SU10 (for instance, when you want to add a new role for all users belonging to one group), or to segregate user admin tasks using object S_USER_GRP (in case you have several security teams and you want to segregate the handling of their respective user communities, for instance).

For a small population like yours, it all depends. What are your needs? Will you be handling users one by one, or in groups? Are you using an external tool for role assignment, or could it be nice to use user groups?

After all, even if you decide to assign groups to users, you can always decide later on not to use this option.

Hope this helps,

Trond

Bernhard_SAP · ‎2008 Jul 04

> In table PRGN_CUST, you just have to insert an entry for parameter CUA_USERGROUPS_CHECK with value C. This is done in the development system(s), and transported across to all related systems. What happens is the following: If a user is transported via CUA to a system where his/her user group do not exist, it will now be created automatically (although without the description as seen in SUGR).

.....good point, but: of course this applies only if a CUA is set up...., not for 'normal' system landscapes without using central user administration...

b.rgds,

Bernhard

Former Member · ‎2008 Jul 04

... and the option of having a development system as the central CUA master for production systems is questionable as well...

I think that is why Trond said "transport" and not transport

Former Member · ‎2008 Jul 07

Well... just to remove the last few grains of confusion: my solution is irrelevant of whether you use a dev system as the CUA master or not - of course, you should (ideally) use a (dedicated!) production system for this purpose.

What I intended to explain was that the PRGN_CUST setting has to be made in all systems belonging to the CUA landscape. Thus, you make the setting in all dev systems and transport from there.

To sum up: I didn't imply you'd use a dev system as CUA master; only that the PRGN_CUST setting is done (and transported) from all dev systems.

Trond

PS: anyone NOT using CUA here? How come??? )))

former_member759680 · ‎2008 Jul 09

Thanks everybody

Former Member · ‎2008 Jul 09

Hi,

For Maintaining usergroups.Just create user group in t.code sugr.In each system in dev/qua/pro create user group by t.code sugr.for each module like sd ,fi maintain the name by your standards.By maintainig usergroup it will be helpful you can assign to users the usergroup to which user group user will belong to.

Regards,

Parimala

By Category

Related Content

Activity Groups

Industry Groups

Influence and Feedback Groups

Interest Groups

Location Groups

Customer Only Groups

Forums

Related Resources

Products

Learning and Support

About

My Account

My Account

User Groups