Setting up Administrators 

You should proceed as follows:

  1. Create an role for each administrator.
  2. Do not choose any transactions, choose Change authorization data in the Authorizations tab. The system displays a dialog box asking you to choose a template.
  3. Choose one of the following templates:
    4.

    Template:

    Administrator:

    SAP_ADM_PR

    Authorization profile administrator

    SAP_ADM_AU

    Authorization administrator

    SAP_ADM_US

    User administrator

  4. Generate an authorization profile for each.

    5. Use a profile name which DOES NOT begin with T.

  5. Assign the roles to the appropriate users.

Using user administration, you can restrict the authorization to particular user groups.

Using profile administration, you can exclude further authorization objects, for example, for HR data. If you want your generated authorization profiles to begin with a letter other than T, you should inform your profile administrator.

How the Three Administrators Work Together

The authorization data administrator creates a role, chooses transactions and maintains authorization data. In the Profile Generator, authorization data administrators merely save the data since they are not authorized to generate the profile, and accepts the default profile name T_....

The Authorization profile administrator calls the transaction SUPC and chooses All roles. He or she then restricts the selection, for example by entering the ID of the role to be processed. On the following screen, the administrator selects Display profile to check the data. If the data is correct, the administrator generates the authorization profile.

Finally, the user administrator assigns the role to a user (using User maintenance). The authorization profile is added to the user master record.

No authorization profile beginning with T may contain critical (S_USER* objects) authorization objects.