The authorization system allows you great flexibility in organizing and authorizing the administration of user master records and roles:
For more information on setting up superusers, see Protecting Special Users.
Each administrator should only be able to perform certain tasks. By separating these tasks, you make sure that no single superuser has total control over your user authorizations. You also make sure that more than one person approves all authorizations and profiles. In addition, define standard procedures for creating and assigning your authorizations.
Since you can precisely restrict authorizations for user and authorization administration, the administrators do not have to be privileged users in your data processing organization. You can assign user and authorization administration to ordinary users.
We recommend you use the tools and functions of transaction PFCG to maintain your roles, authorizations and profiles. These functions make your job easier by automating certain processes and providing more flexibility in your authorization plan. You can also use the Central User Administration functions to centrally edit the roles delivered by SAP or your own, new roles, and to assign the roles to any number of users.
If you are using the role administration tool (the profile generator), you can distribute the administration tasks within an area (such as a department, cost center, or other organizational unit) to the following administrator types:
These administrators of one or more areas are administered by superusers who set up their user master records, profiles, and authorizations. We recommend that you assign the superuser, the user administrator, and the authorization administrator to the SUPER group. If you use the pre-defined user administration authorizations, this group assignment makes sure that user administrators cannot modify their own user master records or those of other administrators. Only administrators with the pre-defined profile S_A.SYSTEM can edit users in the group SUPER.
The table in the section Setting Up User and Authorization Administrators shows the tasks that you should assign to individual administrators, tasks that you should not assign, and the templates that we have predefined for these tasks.
No authorization profile beginning with "T" may contain critical authorization objects (S_USER* objects).
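
The following audit sketch is an added example, not SAP code or part of the original documentation. It checks the "T" profile rule above and the SUPER group recommendation against an offline export. The CSV layout, the profile names, and the user names are constructed, and treating every holder of an S_USER* object as an administrator is an assumption of this example.

```python
import csv
import io
from fnmatch import fnmatchcase

# Constructed sample data; the column layout is an assumption, not an SAP export format.
PROFILE_OBJECTS_CSV = """profile,object
T-AB120001,S_TCODE
T-AB120001,S_USER_GRP
T-AB120002,S_TCODE
Z_USERADM,S_USER_GRP
Z_USERADM,S_USER_AUT
"""
USERS_CSV = """user,group,profiles
ADM_USER,SUPER,Z_USERADM
ADM_AUTH,,Z_USERADM
CLERK01,FI,T-AB120002
CLERK02,FI,T-AB120001;T-AB120002
"""
CRITICAL_PATTERN = "S_USER*"  # the critical objects named in the rule above

def load_profile_objects(text):
    """Return {profile: set(objects)} from the profile/object export."""
    result = {}
    for row in csv.DictReader(io.StringIO(text)):
        result.setdefault(row["profile"].strip(), set()).add(row["object"].strip())
    return result

def critical_objects(objects):
    """Sorted list of the objects that match S_USER*."""
    return sorted(o for o in objects if fnmatchcase(o, CRITICAL_PATTERN))

def t_profile_violations(profile_objects):
    """Profiles beginning with 'T' that contain S_USER* objects."""
    return {p: critical_objects(objs) for p, objs in sorted(profile_objects.items())
            if p.startswith("T") and critical_objects(objs)}

def admins_outside_super(users_text, profile_objects):
    """Users holding any S_USER* object whose user group is not SUPER."""
    findings = []
    for row in csv.DictReader(io.StringIO(users_text)):
        profiles = [p for p in row["profiles"].split(";") if p]
        holds = any(critical_objects(profile_objects.get(p, ())) for p in profiles)
        if holds and row["group"].strip() != "SUPER":
            findings.append(row["user"])
    return findings

if __name__ == "__main__":
    po = load_profile_objects(PROFILE_OBJECTS_CSV)
    print("T profiles with S_USER* objects:", t_profile_violations(po))
    print("S_USER* holders outside SUPER:", admins_outside_super(USERS_CSV, po))
```

In the sample data, CLERK02 appears in the second finding only because of the offending "T" profile, so correcting that profile clears both findings for that user.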