One of my clients recently brought up an issue related to user group assignment through the GRC access request form. He was trying to modify a user’s user group field on the ‘Logon data’ tab in SU01 via a GRC access request. When he assigned a user to a user group through the ‘Groups’ tab and the ‘user group’ field in the access request, the change was made on the ‘Groups’ tab of the SU01 user master record instead of the ‘Logon data’ tab.
It is a little confusing where in the access request this must be added. I thought I would share the solution here, hoping it will be helpful to others.
First, let me explain what purposes these 2 different ‘user group’ fields in SU01 user master record have.
The user group field on the ‘Logon data’ tab is used to distribute user maintenance tasks among administrators by means of an authorization check. Using authorization object S_USER_GRP, you can assign different user groups to different administrators. If an administrator does not have a specific user group in her authorization profile, she will get a ‘no authorization…’ error when she tries to maintain a user in that group. Please note that users who are not assigned to any group can be maintained by all administrators.
The division of users into user groups on the ‘Groups’ tab is used primarily to group users for mass maintenance (transaction SU10 etc.). For example, you can divide user groups by business divisions or company codes. Then you can easily lock/unlock, assign roles etc. to all users that belong to a specific set of user groups.
In the Access Request form, the ‘User Group’ field on the ‘User System Details’ tab is mapped to the ‘user group’ field on the ‘Logon data’ tab of the corresponding user master record in SU01, as shown below.
There is configuration required in GRC to be able to modify/assign user to user group. Please follow these steps:
- In SPRO → Access Control → User Provisioning, open the ‘End user personalization’ tab.
- Field ‘User group’ needs to be made ‘Editable’ as shown below.
Also, while filling out the Access Request form, at least one system must be selected on the ‘User Access’ tab. After that, click on the ‘User System Details’ tab. You will see the system and the current user group assignment as shown below.
The ‘User group’ field is editable with selection help as shown above. You can change the user group name and then submit the request; it will modify that user’s user group assignment in the target system with the new value. Below, the user group is modified from SCM to FIN.
The two different user groups maintained in user master record have 2 different purposes and they are mapped to 2 different fields in GRC Access Request as explained above.
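To check afterwards which of the two fields a provisioning request actually changed, the sketch below compares both assignments per user and flags accounts that have a ‘Groups’ tab entry but no ‘Logon data’ user group, which any administrator can then maintain. It is an added example, not part of the original post or of SAP GRC; it assumes CSV exports of the tables USR02 (column CLASS) and USGRP_USER (column USERGROUP), and the user names and file layout are constructed.

```python
import csv
import io

# Constructed sample exports (not real data). Column names follow the SAP
# tables USR02 (CLASS = 'Logon data' user group) and USGRP_USER
# ('Groups' tab assignments); the CSV export layout is an assumption.
USR02_CSV = """BNAME,CLASS
JDOE,FIN
ASMITH,
BLEE,SCM
CKIM,
"""
USGRP_USER_CSV = """BNAME,USERGROUP
JDOE,FIN
ASMITH,FIN
BLEE,FIN
BLEE,SCM
"""

def load_logon_groups(text):
    """Map user -> 'Logon data' user group ('' when unassigned)."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["BNAME"].strip(): (r["CLASS"] or "").strip() for r in rows}

def load_general_groups(text):
    """Map user -> set of 'Groups' tab assignments."""
    groups = {}
    for r in csv.DictReader(io.StringIO(text)):
        groups.setdefault(r["BNAME"].strip(), set()).add(r["USERGROUP"].strip())
    return groups

def audit(logon, general):
    """Return findings for users without a 'Logon data' user group."""
    findings = []
    for user in sorted(logon):
        if logon[user]:
            continue  # S_USER_GRP restricts who may maintain this user
        tab_groups = sorted(general.get(user, set()))
        # A 'Groups' tab entry alone suggests the request hit the wrong field.
        kind = "GROUPS_TAB_ONLY" if tab_groups else "NO_AUTH_GROUP"
        findings.append((user, kind, tab_groups))
    return findings

if __name__ == "__main__":
    logon = load_logon_groups(USR02_CSV)
    general = load_general_groups(USGRP_USER_CSV)
    for user, kind, groups in audit(logon, general):
        print(f"{user}: {kind} {groups}")
```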
I appreciate all feedback from all GRC enthusiasts.