The authorization system allows you great flexibility in organizing and authorizing the administration of user master records and roles:
● If your company is small and centralized, you can have all administration of user master records and authorization components executed by a single superuser.
For more information on setting up superusers, see Protecting Special Users.
● Depending on the size and organization of your company, you should, however, distribute the administration of user master records and authorizations among multiple administrators, each with limited areas of responsibility. This applies in particular in a decentralized environment, in which different time zones might apply. This also helps to achieve maximum system security.
Each administrator should only be able to perform certain tasks. By separating these tasks, you make sure that no single superuser has total control over your user authorizations. You also make sure that more than one person approves all authorizations and profiles. In addition, define standard procedures for creating and assigning your authorizations.
Since you can precisely restrict authorizations for user and authorization administration, the administrators do not have to be privileged users in your data processing organization. You can assign user and authorization administration to ordinary users.
We recommend you use the tools and functions of transaction PFCG to maintain your roles, authorizations and profiles. These functions make your job easier by automating certain processes and providing more flexibility in your authorization plan. You can also use the Central User Administration functions to centrally edit the roles delivered by SAP or your own, new roles, and to assign the roles to any number of users.
If you are using the role administration tool (the profile generator), you can distribute the administration tasks within an area (such as a department, cost center, or other organizational unit) to the following administrator types:
● Authorization data administrator, who creates roles (transaction selection and authorization data), selects transactions, and edits authorization data. However, the authorization data administrator can only save data in the role administration tool, since he or she is not authorized to generate the profile. He or she accepts the default profile name T_.... when doing this.
● Authorization profile administrator, who checks and approves the data, and generates the authorization profile. To do this, he or she chooses All Roles in transaction SUPC, and then specifies the abbreviation of the role to be edited. On the following screen, he or she checks the data by choosing Display Profile.
● User administrator, who edits the user data with the user administration transaction (SU01) and assigns roles to the users. This enters the approved profiles in the master records of the users.
These administrators of one or more areas are administered by superusers who set up their user master records, profiles, and authorizations. We recommend that you assign the superuser, the user administrator, and the authorization administrator to the group SUPER. If you use the pre-defined user administration authorizations, this group assignment makes sure that user administrators cannot modify their own user master records or those of other administrators. Only administrators with the pre-defined profile S_A.SYSTEM can edit users in the group SUPER.
The table in the section Setting Up User and Authorization Administrators shows the tasks that you should assign to individual administrators, tasks that you should not assign, and the templates that we have predefined for these tasks.
No authorization profile beginning with “T” may contain critical authorization objects (S_USER* objects).
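The separation of tasks described above can be checked against exported data. The following Python code is an added example, not SAP code: it flags profiles beginning with "T" that contain S_USER* objects, administrators who hold more than one of the three administrator types, and administrators outside the group SUPER. The CSV layouts, column names, duty labels, user names and profile names are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample export: one row per (profile, authorization object).
PROFILE_OBJECTS = """profile,object
T_DEMO0001,S_TCODE
T_DEMO0001,S_USER_GRP
T_DEMO0002,S_TCODE
Z_USERADMIN,S_USER_GRP
"""

# Constructed sample: user group and administrator type of each administrator.
ADMINISTRATORS = """user,group,duty
ADMIN_A,SUPER,authorization_data
ADMIN_B,SUPER,authorization_profile
ADMIN_C,SALES,user
ADMIN_D,SUPER,authorization_data
ADMIN_D,SUPER,authorization_profile
"""

def rows(text):
    """Parse a CSV string with a header line into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def critical_t_profiles(text):
    """Profiles beginning with "T" that contain S_USER* objects."""
    hits = defaultdict(list)
    for r in rows(text):
        if r["profile"].startswith("T") and fnmatchcase(r["object"], "S_USER*"):
            hits[r["profile"]].append(r["object"])
    return dict(hits)

def combined_duties(text):
    """Administrators holding more than one of the three administrator types."""
    duties = defaultdict(set)
    for r in rows(text):
        duties[r["user"]].add(r["duty"])
    return {u: sorted(d) for u, d in duties.items() if len(d) > 1}

def outside_super(text):
    """Administrators whose user group is not SUPER."""
    return sorted({r["user"] for r in rows(text) if r["group"] != "SUPER"})

if __name__ == "__main__":
    print("T profiles with S_USER* objects:", critical_t_profiles(PROFILE_OBJECTS))
    print("Combined administrator types:", combined_duties(ADMINISTRATORS))
    print("Administrators outside group SUPER:", outside_super(ADMINISTRATORS))
```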