
Restriction on Security Administrator and Help desk users

In any company, the security administrator and/or help desk personnel are tasked with maintaining the user master.
The most common user changes are:
1. Lock / unlock the user
2. Password reset
3. Change in validity date
4. Change in the default settings
5. Change in the address (phone number, email, etc.)
6. Assign / unassign roles
7. User group changes

It is not good security practice for a person to be able to make changes to their own user ID. There is a risk of the security
admin or help desk person assigning themselves SAP_ALL, which gives full permissions to perform
anything in the production system without any approval.
This situation can be avoided if the security admin role is built in such a way that one cannot change
one's own user ID.
Solution:
This can be achieved by using the S_USER_GRP authorization object in conjunction with the Group field on the Logon Data tab
of SU01.
First, categorize the security administrators into various groups such as SEC1, SEC2, SEC3, etc.
In SUGR, build the user groups SEC1 and SEC2.
In each of these groups only one security administrator will be present.
Then build the security role with the following t-codes:
SU01, PFCG, SU10, SUGR.
Maintain the object values in SU24.
Leave the group name in S_USER_GRP empty in SU24.
In PFCG, deactivate the S_USER_GRP object for the security role.
Generate the security role.
Then build two object-only roles containing nothing but the S_USER_GRP object.
In role1, for the group name give every value except SEC1.
In role2, for the group name give every value except SEC2.

Now create two test security admin IDs, SECADMIN1 and SECADMIN2. Both will have the security role built above; SECADMIN1 will
additionally have the role for group SEC1 (role1) and SECADMIN2 the role for group SEC2 (role2).
Make sure you have assigned SEC1 as the user group on the Logon Data tab of SECADMIN1 and SEC2 for
SECADMIN2.
Now log on as SECADMIN1 and try to change any other user; you should be able to change it.
Then try to change the user ID SECADMIN1; you should not be able to.
The same should be the case with SECADMIN2.
The reason you need at least two IDs is that if one gets locked out by mistake, the other security admin can unlock the
first one.
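As an added example that is not part of the original document, the following Python script models the S_USER_GRP check for the role design above and walks through the SECADMIN1 / SECADMIN2 test. The role names, the extra groups (SEC3, FIN, HR), the ordinary users and the activity codes are assumptions used for illustration; in a real system the check is made by SAP against the authorization object, so this only illustrates the intended outcome of the procedure and lets you reason about edge cases such as users with no group.

```python
"""Added example (not part of the original document): a small model of the
S_USER_GRP check for the role design described above, used to walk through
the SECADMIN1 / SECADMIN2 test. Group names other than SEC1/SEC2, the role
names, the user list and the activity codes are constructed for illustration;
the real check is performed by SAP against the S_USER_GRP object."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Activities used in this model (assumption: 02 = change, 05 = lock/unlock,
# matching the usual S_USER_GRP activity values).
ACTVT_CHANGE = "02"
ACTVT_LOCK = "05"

# User groups defined in SUGR (constructed sample; SEC3, FIN, HR are placeholders).
ALL_GROUPS = frozenset({"SEC1", "SEC2", "SEC3", "FIN", "HR"})


@dataclass
class Role:
    name: str
    # S_USER_GRP field CLASS (group names) granted by this role.
    # None models the object being deactivated in PFCG, as in the main security role.
    classes: Optional[FrozenSet[str]]
    # S_USER_GRP field ACTVT granted by this role.
    actvt: FrozenSet[str] = frozenset()


@dataclass
class User:
    name: str
    group: str            # "Group" field on the Logon Data tab of SU01
    roles: List[Role]


def all_groups_except(excluded: str) -> FrozenSet[str]:
    """'Every value except X', as maintained in the object-only roles."""
    return ALL_GROUPS - {excluded}


# The three roles from the procedure (role names are assumptions).
SECURITY_ROLE = Role("Z_SEC_ADMIN", classes=None)          # S_USER_GRP deactivated
ROLE1 = Role("Z_GRP_NOT_SEC1", all_groups_except("SEC1"), frozenset({ACTVT_CHANGE, ACTVT_LOCK}))
ROLE2 = Role("Z_GRP_NOT_SEC2", all_groups_except("SEC2"), frozenset({ACTVT_CHANGE, ACTVT_LOCK}))


def authority_check(admin: User, target: User, actvt: str) -> bool:
    """Models AUTHORITY-CHECK on S_USER_GRP: succeeds if any role of the admin
    grants both the target's group (CLASS) and the requested activity (ACTVT).
    Caveat: a user with no group is checked against a blank group value, which
    none of the roles above grant, so such users are out of reach of both admins."""
    for role in admin.roles:
        if role.classes is None:
            continue  # deactivated object contributes no authorization
        if target.group in role.classes and actvt in role.actvt:
            return True
    return False


# Test IDs from the procedure plus two ordinary users (constructed).
SECADMIN1 = User("SECADMIN1", "SEC1", [SECURITY_ROLE, ROLE1])
SECADMIN2 = User("SECADMIN2", "SEC2", [SECURITY_ROLE, ROLE2])
USERS = [SECADMIN1, SECADMIN2, User("JSMITH", "FIN", []), User("NOGROUP", "", [])]


def run_scenario() -> Dict[str, Dict[str, bool]]:
    """Who may change whom? Returns {admin: {target: allowed}}."""
    return {
        admin.name: {t.name: authority_check(admin, t, ACTVT_CHANGE) for t in USERS}
        for admin in (SECADMIN1, SECADMIN2)
    }


if __name__ == "__main__":
    for admin, targets in run_scenario().items():
        for target, ok in targets.items():
            print(f"{admin} -> {target}: {'allowed' if ok else 'denied'}")
    # Each admin can unlock the other one if it gets locked by mistake.
    print("SECADMIN2 can unlock SECADMIN1:", authority_check(SECADMIN2, SECADMIN1, ACTVT_LOCK))
```

Running the script shows SECADMIN1 denied on SECADMIN1 but allowed on SECADMIN2 and on JSMITH, and the mirror image for SECADMIN2, which is exactly the outcome the test steps above expect. The NOGROUP user illustrates the caveat worth checking in a real system: whether the object-only roles need to grant the blank group value so that users without a group can still be maintained.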
