If you have organized your user administration in a decentralized manner, in which you have distributed the user administration tasks among multiple administrators, you must create these administrators as normal SAP users or assign these tasks to existing users.
The table below shows the tasks that you should assign to individual administrators, tasks that you should not assign, and the templates and roles that we have predefined for these tasks. A role is only available for the user administrator. This has the advantage over a template that the administrator receives a menu that contains all of the important functions for his or her work.
Organization of the User Administrators when using the Role Administration Tool
| Administrator | Permitted Tasks | Impermissible Tasks | Templates and Roles |
| --- | --- | --- | --- |
| User Administrator | Creating and changing user master records | Changing role data | Template SAP_ADM_US; Role SAP_BC_USER_ADMI |
| | Assigning roles to users | Changing or generating profiles | |
| | Assigning profiles beginning with "T" to users | | |
| | Displaying authorizations and profiles | | |
| | Using the User Information System | | |
| Authorization Data Administrator | Creating and changing roles | Changing users | SAP_ADM_AU |
| | Changing authorization data and transaction selection in roles | Generating profiles | |
| | Using the User Information System | | |
| Authorization Profile Administrator | Displaying roles and the associated data | Changing users | SAP_ADM_PR |
| | Using transaction PFCG or SUPC to generate the authorizations and profiles that begin with “T” for roles that have authorization data | Changing role data | |
| | Checking roles for the existence of authorization data (transaction SUPC) | Generating authorization profiles with authorization objects that begin with S_USER | |
| | Performing a user master comparison (transaction PFUD, Performing a profile comparison of the user master comparison) | | |
| | Using the User Information System | | |
You are an administrator with the predefined profile S_A.SYSTEM, with which you can edit users of the group SUPER.
1. Create a role for each administrator.
a. Enter a name in the Role field in role administration (transaction PFCG) and choose Create Role.
b. Do not assign any transactions; instead, choose Change authorization data on the Authorizations tab page.
A dialog box appears asking you to choose a template.
c. Choose one of the following templates:
| Template | Administrator |
| --- | --- |
| SAP_ADM_PR | Authorization profile administrator |
| SAP_ADM_AU | Authorization data administrator |
| SAP_ADM_US | User administrator |
d. Generate an authorization profile in each case.
Use a profile name that does not begin with “T”, so that the authorization data administrator cannot change his or her own authorizations.
2. On the User tab page, assign the role to the relevant user, that is, to the administrator.
3. Save your entries.
4. So that the user administrators cannot change their own user master records, or those of other administrators, assign them to the group SUPER. This applies if you are using the predefined user administration authorizations.
a. To do this, choose the Logon Data tab page in user administration (transaction SU01).
b. In the User Group for Authorization Check field, enter the value SUPER.
c. Save your entries.
5. If appropriate, restrict the authorizations of the administrators further:
○ You can use authorization objects S_USER_AGR, S_USER_TCD and S_USER_VAL to further differentiate the roles of the administrators.
○ For the user administrator, you can restrict the authorization to particular user groups.
○ For the profile administrator, you can exclude additional authorization objects, for example, for HR data. If you want your generated authorization profiles to begin with a letter other than “T”, you should inform your profile administrator.
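The result of this procedure can be checked afterwards against an export of the administrator accounts. The following Python script is an added example, not SAP code: the record layout, account names and profile names are constructed, and it assumes that every account holding one of the three templates belongs in group SUPER. It flags administrators who combine templates (and so gain tasks the table lists as impermissible), administrators outside group SUPER, and administrator profiles whose name begins with "T".

```python
# Added example (not SAP code). Record layout and account names are constructed.
ADMIN_TEMPLATES = {
    "SAP_ADM_US": "user administrator",
    "SAP_ADM_AU": "authorization data administrator",
    "SAP_ADM_PR": "authorization profile administrator",
}

def audit_admins(records):
    """Return (user, code, detail) findings for administrator accounts."""
    findings = []
    for rec in records:
        held = sorted(t for t in set(rec["templates"]) if t in ADMIN_TEMPLATES)
        if not held:
            continue  # account is none of the three administrators
        if len(held) > 1:
            # One person holding two templates can do another admin's tasks.
            findings.append((rec["user"], "COMBINED_TASKS",
                             "holds " + " + ".join(held)))
        if rec["user_group"].strip().upper() != "SUPER":
            # Step 4: administrators outside SUPER can be edited by user admins.
            findings.append((rec["user"], "NOT_IN_SUPER",
                             "user group is " + repr(rec["user_group"])))
        for profile in rec["profiles"]:
            if profile.strip().upper().startswith("T"):
                # Step 1d: names starting with "T" are within reach of the
                # administrators who handle generated "T" profiles.
                findings.append((rec["user"], "PROFILE_PREFIX_T",
                                 "profile " + profile))
    return findings

# Constructed sample export: one clean account, two misconfigured, one end user.
SAMPLE = [
    {"user": "ADM_USER1", "user_group": "SUPER",
     "templates": ["SAP_ADM_US"], "profiles": ["Z_ADM_US"]},
    {"user": "ADM_AUTH1", "user_group": "SUPER",
     "templates": ["SAP_ADM_AU"], "profiles": ["T_ADM_AU"]},
    {"user": "ADM_BOTH", "user_group": "BASIS",
     "templates": ["SAP_ADM_US", "SAP_ADM_PR"], "profiles": ["Z_ADM_MIX"]},
    {"user": "ENDUSER1", "user_group": "SALES",
     "templates": [], "profiles": ["T_SALES_01"]},
]

if __name__ == "__main__":
    for user, code, detail in audit_admins(SAMPLE):
        print(f"{user:10} {code:17} {detail}")
```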