The authorization system allows you great flexibility in organizing and authorizing the administration of user master records and roles.
If your company is small and centralized, you can have all administration of user master records and authorization components executed by a single superuser.
More information on setting up superusers: Protecting Special Users.
Depending on the size and organization of your company, you should, however, distribute the administration of user master records and authorizations among multiple administrators, each with limited areas of responsibility. This applies in particular in a decentralized environment, in which different time zones might apply. This also helps to achieve maximum system security.
Each administrator should only be able to perform certain tasks. By separating these tasks, you make sure that no single superuser has total control over your user authorizations. You also make sure that more than one person approves all authorizations and profiles. In addition, define standard procedures for creating and assigning your authorizations.
Since you can precisely restrict authorizations for user and authorization administration, the administrators do not have to be privileged users in your data processing organization. You can assign user and authorization administration to ordinary users.
If you are using the role administration tool (the profile generator), you can distribute the administration tasks within an area (such as a department, cost center, or other organizational unit) to the following administrator types:
These administrators of one or more areas are administered by superusers who set up their user master records, profiles, and authorizations. We recommend that you assign the superuser, the user administrator, and the authorization administrator the SUPER group. If you use the predefined user administration authorizations, this group assignment makes sure that user administrators cannot modify their own user master records or those of other administrators. Only administrators with the predefined profile S_A.SYSTEM can edit users in the group SUPER.
The table in the section Setting Up User and Authorization Administrators shows the tasks that you should assign to individual administrators, tasks that you should not assign, and the templates that we have predefined for these tasks.