Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Different authorization for SU01-what is the use this?

Former Member
0 Kudos
4,298

Hi Experts,

When using SU01 transaction, I want to restrict the user,so that the user should only view the details. what are the object and filed values required?

Also sometimes,I have seen in SU01 transaction only the display button(no create or change button) is there and In some systems all the create,change and display buttons will be there, but the user will have access only to view it.

What is the difference between the two methods. what are the different objects used to control it.

Regards,

Rajeev.

10 REPLIES 10

Former Member
0 Kudos
1,046

Look at S_USER_GRP Authorization object and it activities. You will understand it.

For example if a user has SU01 but S_USER_GRP has activity just as 05 then he will only be able to lock /unlock and password reset a user. If he only has activity 03 in this object then he can only display a user id even though he has SU01.

Also when you only see Display tab, I suspect you might be just looking at SU01D

Edited by: Nishant Sourabh on Sep 2, 2010 7:27 PM

Former Member
0 Kudos
1,046

Control this with S_User_grp object activity 03 display only. If you want create change access, give activity 01,02, 05 also.

Former Member
0 Kudos
1,046

If you are working with CUA and global settings are done to change /delete user from CUA only then all linked child system will have these buttons disabled.

If you are not having CUA then you do not have change activity enabled for your user/Roles.

Former Member
0 Kudos
1,046

The reason behind this is because SAP tries to make the visibility of the screen intuitive. Otherwise people "click around" and complain. If you are not authorized (at all) then you don't have visible options in the user interface of the screen.

If the icons do appear, then Su53 is normally your friend to find out what values you have to be able to use the transaction, as compared to being able to start it (which loads the screen variants).

Perhaps you cannot edit a certain protected user (via their S_USER_GRP group), but you can change passwords and user types of TEST user group users.

Another posibility is...

> and In some systems all the create,change and display buttons will be there

The screens are modified, user specifically via screen variants. There are some limitations here but it can be used for several activities.

It is usefull in CUA environments where you use the "simplified" authority check scenario.

It actually works quite nicely in my opinion but you need to be carefull with navigation of the users (for example the user BAPI's, which do not have screens nor transaction codes.

Cheers,

Julius

Edited by: Julius Bussche on Sep 3, 2010 2:22 AM

Former Member
0 Kudos
1,046

Rajeev,

Have you considered giving them SU3 instead of SU01? The advantage is that the users can then maintain their own personal data (address, phone etc) change passwords, and parameters, but not make changes to roles etc as they won't see the specific details.

sreekanth_sunkara
Active Participant
0 Kudos
1,046

Hi,

Try SU01D

Thanks,

SS

Former Member
0 Kudos
1,046

Try this create role with tcode su01 transaction and maintain objects as below

S_C_FUNCT

ACTVT 16

CFUNCNAME *

PROGRAM *

S_USER_AGR

ACTVT 03

ACT_GROUP *

S_USER_AUT

ACTVT 03, 08

AUTH *

OBJECT *

S_USER_GRP

ACTVT 03

CLASS *

S_USER_PRO

ACTVT 03

PROFILE *

S_USER_SAS

ACTVT 01, 06, 22

ACT_GROUP *

CLASS *

PROFILE *

SUBSYSTEM *

Regards

Siddhesh

Former Member
0 Kudos
1,046

Hi

This thread is still unanswered even though over a week since the last reply came in so I thought I'd chuck in my tuppence worth :-)!

Which users/user groups are using SU01? Are they support/admin people or business users please?

If support and you want to restrict their access to certain user groups to create/change or display for some then this has been answered already - SU01 has many objects to keep users in check (as does PFCG). If the users are business users then, again SUN has offered the only real option - SU01D

Cheers and good luck

David

Former Member
0 Kudos
1,046

Hi Rajeev

Are there any more answers needed to your question please?

Cheers

David

soloboysree
Explorer
0 Kudos
1,046

Hi Rajeev,

The deference between SU01 and SU01D

1) SU01

In the Home Screen of SU01 T-Code is having many options like Create new user, create technical user, Edit , Display, Delete, copy , lock/unlock and change password. ( shown below screen short)

2) SU01D

In the Home screen of SU01D transaction code having only unique option , that is Display (shown below screen short)

Result : SU01 T-Code is having lot off options but SU01D T-code is Display option only

In case any further support concern to me