Start of Content Area

 Procedure documentation Setting Up User and Authorization Administrators  Locate the document in its SAP Library structure


If you have organized your user administration in a decentralized manner, in which you have distributed the user administration tasks among multiple administrators, you must create these administrators as normal SAP users or assign these tasks to existing users.

The table below shows the tasks that you should assign to individual administrators, tasks that you should not assign, and the templates and roles that we have predefined for these tasks. A role is only available for the user administrator. This has the advantage over a template that the administrator receives a menu that contains all of the important functions for his or her work.

Organization of the User Administrators when using the Role Administration Tool


Permitted Tasks

Impermissible Tasks

Templates and Roles

User Administrator

Creating and changing user master records

Changing role data

Template SAP_ADM_US



Assigning roles to users

Changing or generating profiles



Assigning profiles beginning with "T" to users




Displaying authorizations and profiles




Using the User Information System



Authorization Data Administrator

Creating and changing roles

Changing users



Changing authorization data and transaction selection in roles

Generating profiles



Using the User Information System



Authorization Profile Administrator

Displaying roles and the associated data

Changing users



Using transaction PFCG or SUPC to generate the authorizations and profiles that begin with “T” for roles that have authorization data

Changing role data



Checking roles for the existence of authorization data (transaction SUPC)

Generating authorization profiles with authorization objects that begin with S_USER




Performing a user master comparison (transaction PFUD, Performing a profile comparison of the user master comparison)



Using the User Information System




You are an administrator with the predefined profile S_A.SYSTEM, with which you can edit users of the group SUPER.



       1.      Create a role for each administrator.

                            a.      Enter a name in the Role field in role administration (transaction PFCG) and choose Create Role.

                            b.      Do not assign any transactions; instead, choose Change authorization data on the Authorizations tab page.

A dialog box appears asking you to choose a template.

                            c.      Choose one of the following templates:




Authorization profile administrator


Authorization data administrator


User administrator

                            d.      Generate an authorization profile in each case.

Use a profile name that does not begin with “T”, so that the authorization data administrator cannot change his or her own authorizations.

       2.      On the User tab page, assign the role to the relevant user, that is, to the administrator.

       3.      Save your entries.

       4.      So that the user administrators cannot change their own user master records, or those of other administrators, assign them to the group SUPER. This applies if you are using the predefined user administration authorizations.


                            a.      To do this, choose the Logon Data tab page in user administration (transaction SU01).

                            b.      In the User Group for Authorization Check field, enter the value SUPER.

                            c.      Save your entries.

       5.      If appropriate, restrict the authorizations of the administrators further:

       You can use authorization objects S_USER_AGR, S_USER_TCD and S_USER_VAL to further differentiate the roles of the administrators.

       For the user administrator, you can restrict the authorization to particular user groups.

       For the profile administrator, you can exclude additional authorization objects, for example, for HR data. If you want your generated authorization profiles to begin with a letter other than “T”, you should inform your profile administrator.


End of Content Area