If you have organized your user administration in a decentralized manner, in which you have distributed the user administration tasks among multiple administrators, you must create these administrators as normal SAP users or assign these tasks to existing users.
The table below shows the tasks that you should assign to individual administrators, tasks that you should not assign, and the templates and roles that we have predefined for these tasks. A role is only available for the user administrator. This has the advantage over a template that the administrator receives a menu that contains all of the important functions for his or her work.
Organization of the User Administrators when using the Role Administration Tool
Administrator | Permitted Tasks | Impermissible Tasks | Templates and Roles |
---|---|---|---|
User Administrator |
Creating and changing user master records |
Changing role data |
Template SAP_ADM_US Role SAP_BC_USER_ADMI |
|
Assigning roles to users |
Changing or generating profiles |
|
|
Assigning profiles beginning with "T" to users |
|
|
|
Displaying authorizations and profiles |
|
|
|
Using the User Information System |
|
|
Authorization Data Administrator |
Creating and changing roles |
Changing users |
SAP_ADM_AU |
|
Changing authorization data and transaction selection in roles |
Generating profiles |
|
|
Using the User Information System |
|
|
Authorization Profile Administrator |
Displaying roles and the associated data |
Changing users |
SAP_ADM_PR |
|
Using transaction PFCG or SUPC to generate the authorizations and profiles that begin with "T" for roles that have authorization data |
Changing role data |
|
|
Checking roles for the existence of authorization data (transaction SUPC) |
Generating authorization profiles with authorization objects that begin with S_USER |
|
|
|
Performing a user master comparison (transaction PFUD, Performing a profile comparison of the user master comparison) |
|
|
Using the User Information System |
|
|
You are an administrator with the predefined profile S_A.SYSTEM, with which you can edit users of the group SUPER.
A dialog box appears asking you to choose a template.
Template |
Administrator |
SAP_ADM_PR |
Authorization profile administrator |
SAP_ADM_AU |
Authorization data administrator |
SAP_ADM_US |
User administrator |
Use a profile name that does not begin with "T", so that the authorization data administrator cannot change his or her own authorizations.