Hello all,
We are going through an SAP new implemenation and I have to create a PRD ready GRC compliant role for our security team that does the following:
Allows them to display the role via PFC so that they can validate authorizations (yes we can use SUIM but PFCG is visually more friendly)
Allows them to maintain user's to assign roles to their UME records and save them.
Currently I have found (maybe incorrectly) that S_USR_AGR with 02 allows me to update a user record with the correct role, but this also allows the user "Change" access in PFCG.
I can restrict the generating of profiles S_USR_AUT and also the adding of authorizations by disabling S_USER_TCD adn S_USER_VAL which gets me 95% complete but the only thing that I cannot do is stop a user from doing so far is clicking on the "disable authorization" icon in the profile itself or clicking the save button.
If a user clicks on the disable it will disable the object, and even though a user cannot generate the profile if the user gets out without saving the profile will now be "ungenerated"
I have disabled the ability to "enable" the authorization object...just not disable or save.
any insite as to what activity will allow me to disable either of these would be helpful.
