You should proceed as follows:
Template: |
Administrator: |
SAP_ADM_PR |
Authorization profile administrator |
SAP_ADM_AU |
Authorization administrator |
SAP_ADM_US |
User administrator |
Use a profile name which DOES NOT begin with T.
Using user administration, you can restrict the authorization to particular user groups.
Using profile administration, you can exclude further authorization objects, for example, for HR data. If you want your generated authorization profiles to begin with a letter other than T, you should inform your profile administrator.
How the Three Administrators Work Together
The authorization data administrator creates a role, chooses transactions and maintains authorization data. In the Profile Generator, authorization data administrators merely save the data since they are not authorized to generate the profile, and accepts the default profile name T_....
The Authorization profile administrator calls the transaction SUPC and chooses All roles. He or she then restricts the selection, for example by entering the ID of the role to be processed. On the following screen, the administrator selects Display profile to check the data. If the data is correct, the administrator generates the authorization profile.
Finally, the user administrator assigns the role to a user (using User maintenance). The authorization profile is added to the user master record.
No authorization profile beginning with T may contain critical (S_USER* objects) authorization objects.