Authorization Objects Checked in Role Administration
Role administration functions, including Role Maintenance (transaction PFCG), check a number of authorization objects.
| Technical Name | Name | Description |
|---|---|---|
| S_USER_ADM | Administration Functions for User/Authorization Administration | The authorization object S_USER_ADM protects general customizing and administration tasks for user and authorization administration. The object consists solely of the authorization field S_ADM_AREA. Until now, there was only the fixed value CHKSTDPWD, with which special users, such as SAP*, could be displayed, including their default passwords. We add more fixed values as required for other general administration functions in the area of user and authorization administration, which are listed in SAP Note 704307. |
| S_USER_AGR | Authorizations: Role Check | This authorization object protects roles. The roles combine users into groups to assign various properties to them; in particular, transactions and authorization profiles. To set up a distributed user administration, use this authorization object together with the authorization objects S_USER_GRP, S_USER_AUT, S_USER_PRO, S_USER_TCD, and S_USER_VAL. |
| S_USER_AUT | User Master Maintenance: Authorizations | This authorization object defines which authorizations the administrator can process. Use the activities to specify the types of processing, such as creating, deleting, and displaying change documents. |
| S_USER_GRP | User Master Maintenance: User Groups | The authorization object is used in role administration when assigning users to roles and during the user master comparison. You can divide user administration between several administrators with this authorization object. Assign only specific user groups to specific administrators. Use the activities to specify the types of processing an administrator can do for the group, such as creating, deleting, and archiving. |
| S_USER_PRO | User Master Maintenance: Authorization Profile | This authorization object protects profiles. Use the activities to specify the types of processing an administrator can do for profiles, such as creating, deleting, and archiving. |
| S_USER_SAS | User Master Maintenance: System-Specific Assignments | The authorization object S_USER_SAS is checked in transactions SU01, SU10, PFCG, and PFUD when you assign roles, profiles, and systems to users. It represents a development of the authorization objects S_USER_AGR, S_USER_GRP, S_USER_PRO, and S_USER_SYS, which the system previously checked when users made assignments. All authorization checks for the objects S_USER_AGR, S_USER_GRP, S_USER_PRO, and S_USER_SYS with the activity 22 (Assign/Remove Assignment) are replaced by authorization checks for the object S_USER_SAS. The checking of authorization object S_USER_SAS is activated by default and can be deactivated using a customizing switch. To deactivate, use Edit Table Views (transaction SM30) to create an entry in table PRGN_CUST with the ID CHECK_S_USER_SAS and the value NO. This value NO means that the authorization objects S_USER_AGR, S_USER_GRP, S_USER_PRO, and S_USER_SYS are used again. |
| S_USER_SYS | User Master Maintenance: System for Central User Maintenance | This authorization object determines the system assignment in the central user administration (CUA). You can distribute users from a central system to various child systems of a system group. The object S_USER_SYS is used to check the systems to which the user administrator can assign the users. This authorization object is also checked when setting up the CUA. |
| S_USER_TCD | Authorizations: Transactions in Roles | This authorization object determines the transactions that an administrator can assign to a role and the transactions for which he or she can assign transaction authorization (object S_TCODE). |
| S_USER_VAL | Authorizations: Field Values in Roles | This authorization object allows the restriction of values that a system administrator can insert or change in a role in Role Maintenance (transaction PFCG). This authorization object relates to all field values with the exception of the values for the object S_TCODE. The authorization to include transactions in a role or to change the transaction start authorization in a role is linked to the authorization object S_USER_TCD. |
For more information about the authorization checks, see the system documentation for the authorization objects.
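
The S_USER_SAS customizing switch described in the table decides which objects govern activity 22, so an authorization review should record its state. The following is an added example, not SAP code: it reads a constructed CSV export of table PRGN_CUST and reports which objects apply. The column names `ID` and `VALUE`, the CSV layout, the other switch name, and the function name are assumptions.

```python
import csv
import io

SWITCH_ID = "CHECK_S_USER_SAS"
# Objects the page says are used again for activity 22 when the switch is NO.
LEGACY_OBJECTS = ("S_USER_AGR", "S_USER_GRP", "S_USER_PRO", "S_USER_SYS")

# Constructed sample export of PRGN_CUST. The column names ID and VALUE and
# the entry SOME_OTHER_SWITCH are assumptions, not taken from the page.
SAMPLE_EXPORT = """ID,VALUE
SOME_OTHER_SWITCH,YES
check_s_user_sas, no
"""


def assignment_check_objects(export_text, id_col="ID", value_col="VALUE"):
    """Return (objects checked for activity 22, finding text or None)."""
    value = None
    for row in csv.DictReader(io.StringIO(export_text)):
        # Normalise case and whitespace so a hand-typed variant of the
        # entry is still surfaced for review (conservative audit choice).
        if (row.get(id_col) or "").strip().upper() == SWITCH_ID:
            value = (row.get(value_col) or "").strip().upper()
    if value is None:
        # No entry: the S_USER_SAS check is activated by default.
        return ("S_USER_SAS",), None
    if value == "NO":
        finding = (f"{SWITCH_ID}=NO: S_USER_SAS check deactivated, "
                   f"activity 22 is checked on {', '.join(LEGACY_OBJECTS)}")
        return LEGACY_OBJECTS, finding
    # Assumption: any value other than NO leaves the check active.
    return ("S_USER_SAS",), None


if __name__ == "__main__":
    objects, finding = assignment_check_objects(SAMPLE_EXPORT)
    print("Objects checked for activity 22:", ", ".join(objects))
    if finding:
        print("FINDING:", finding)
```

When the finding is reported, review administrator roles for activity 22 on the four older objects instead of S_USER_SAS.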
