Global User Manager authorizations 

You can set up the authorizations for the Global User Manager using the authorization objects S_USER_GRP, S_USER_SYS and S_USER_AGR. For security reasons, we recommend setting up two system administrators for the Global User Manager. One of the system administrators models the user data. The second system administrator checks the model (four-eyes principle) and performs the distribution. This second administrator also requires the authorizations for user maintenance (SU01). See Organizing user and authorization maintenance.

The following authorizations are available for use in the Global User Manager:

| Actions | Object | Activity | S_USER_GRP | S_USER_SYS | S_USER_AGR |
|---|---|---|---|---|---|
| Create, display, and delete assignments | User, User group, System, System type, Role | Model (68), Display (03) | User group of the user; User group | System; System type | Role |
| User in user group | | Assign (78) | User group of the user; User group | | |
| Change system type | | Assign (78) | | System; System type | |
| Create user group | | Create (01) | User group | | |
| Migration | | Migrate (90) | | * (Logon: not possible to specify individual systems) | |

There is no authorization check for creating system types.

As the migration is only executed the first time the Global User Manager is used, the authorization for migration should be revoked afterwards. This prevents the migration from being executed again by accident, which would lead to inconsistent data.

When the user data distribution is triggered, the system only distributes data for which the system administrator who triggered the distribution has authorizations. The system does not report whether the distribution was incomplete. It is not possible to compare or distribute only some of the data.
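Because an incomplete distribution is not reported, it helps to check the model against the distributing administrator's authorization values beforehand. The following is an added example, not SAP code: the record layout, the sample values, and the simplified matching (exact value or trailing `*`, activity fields ignored) are assumptions made for illustration.

```python
from typing import NamedTuple

class Assignment(NamedTuple):
    user: str
    user_group: str  # user group of the user -> S_USER_GRP
    system: str      # target system          -> S_USER_SYS
    role: str        # assigned role          -> S_USER_AGR

# Which assignment field is compared against which authorization object.
CHECKS = (("S_USER_GRP", "user_group"), ("S_USER_SYS", "system"), ("S_USER_AGR", "role"))

def matches(value: str, pattern: str) -> bool:
    """Exact match, or prefix match when the authorization value ends in '*'."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern

def uncovered(assignments, admin_auth):
    """Return (assignment, [objects without a matching value]) for every gap."""
    gaps = []
    for a in assignments:
        missing = [obj for obj, field in CHECKS
                   if not any(matches(getattr(a, field), p) for p in admin_auth.get(obj, ()))]
        if missing:
            gaps.append((a, missing))
    return gaps

# Constructed sample data: the distributing administrator's authorization values
# and the modelled assignments, written down by hand before the distribution.
ADMIN_AUTH = {
    "S_USER_GRP": ["HR", "FIN*"],
    "S_USER_SYS": ["PRD100"],
    "S_USER_AGR": ["Z_*"],
}
MODEL = [
    Assignment("ALICE", "HR", "PRD100", "Z_HR_CLERK"),
    Assignment("BOB", "FIN_EU", "PRD100", "Z_FIN_AP"),
    Assignment("CAROL", "IT", "PRD100", "Z_BASIS"),
    Assignment("DAVE", "HR", "QAS200", "SAP_ALL_DISPLAY"),
]

if __name__ == "__main__":
    for a, missing in uncovered(MODEL, ADMIN_AUTH):
        print(f"{a.user}: {a.role} on {a.system} not covered by {', '.join(missing)}")
```

Any assignment listed here is a candidate for being left out of the distribution without a message, so resolve the gaps or have a suitably authorized administrator trigger the distribution.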