Create roles for distributed administration

Create activity groups for user and authorization maintenance. You must log on as superuser.

If you only have one administrator, this person is the superuser and can perform all actions. Create an appropriate activity group to which you assign the corresponding transactions. The following actions are not required in this case.

If you want to create a "distributed administration" with multiple administrators in your company, it makes sense to split the work of the administrators as follows. At least two people are always involved in this three-step concept when a user's authorizations are changed.

Define an activity group for each of the following three roles:

  • Authorization administration
    Using Transaction PFCG (activity group maintenance), the authorization administrators define the activity groups. They choose transactions and edit the corresponding authorization data. They are allowed to save the authorization data for the activity groups, but not to generate a profile.
    Create an activity group that is not assigned any transactions, choose the template SAP_ADM_AU for it, and generate the corresponding profile.
  • Activation administration
    Using Transaction SUPC (mass generation of profiles), the activation administrators check the authorization data. They are not allowed to change the data, but they can generate the corresponding profiles.
    Create an activity group that is not assigned any transactions, choose the template SAP_ADM_PR for it, and generate the corresponding profile.
  • User administration
    Using Transaction SU01 (user maintenance), the user administrators assign activity groups to users. This automatically assigns the profiles that correspond to the activity groups.
    Create an activity group that is not assigned any transactions, choose the template SAP_ADM_US for it, and generate the corresponding profile.

When saving the authorization data for the activity groups, ensure that the profile names do not begin with 'T'. Apart from the superuser, administrators may only generate profiles whose names do not begin with the letter 'T'. This ensures that administrators cannot change the profiles that are assigned to themselves.

Creating sub-administrators:

  • A sub-administrator does not have authorization to maintain users in the user group "SUPER".
  • If you want to define further sub-administrators, ensure that these people do not have maintenance authorizations for users in the user group "SUPER": the value "SUPER" must not be included in the authorizations for the object S_USER_GRP for these sub-administrators. This prevents sub-administrators from assigning authorizations to themselves. In addition, a sub-administrator should not have authorization to regenerate and assign the profiles that are assigned to that sub-administrator. You can prevent this by allowing only certain profile names for the authorization object S_USER_PRO, for example only profiles that begin with 'T'.
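The two sub-administrator constraints above can be checked mechanically against an administrator's S_USER_GRP and S_USER_PRO values. The following Python model is an added example, not SAP code or part of the original page; it assumes the field names CLASS (S_USER_GRP) and PROFILE (S_USER_PRO), SAP-style values with a trailing '*' wildcard, and the naming convention from this section under which the administrators' own profiles are the ones beginning with 'T'. The sample administrators are constructed.

```python
from fnmatch import fnmatchcase

# Naming convention from this section: generated activity-group profiles never
# start with 'T', so the administrators' own profiles are the T* ones. A
# sub-administrator whose S_USER_PRO cannot reach T* cannot alter them.
RESERVED_PROFILE_PREFIX = "T"

def covers_name(auth_value: str, name: str) -> bool:
    """SAP-style field match: '*' is a wildcard, everything else is literal."""
    return fnmatchcase(name, auth_value)

def covers_prefix(auth_value: str, prefix: str) -> bool:
    """True if a value like 'ABC' or 'ABC*' (trailing wildcard only) could
    match some profile starting with prefix: '*', 'T*' and 'TADM' all do."""
    literal = auth_value.rstrip("*")
    return literal.startswith(prefix) or prefix.startswith(literal)

def check_sub_admin(auths: dict) -> list:
    """Violations for one administrator. auths maps authorization object ->
    field -> values, e.g. {"S_USER_GRP": {"CLASS": ["HR*"]}} (assumed layout)."""
    findings = []
    for value in auths.get("S_USER_GRP", {}).get("CLASS", []):
        if covers_name(value, "SUPER"):
            findings.append(f"S_USER_GRP CLASS={value!r} includes user group SUPER")
    for value in auths.get("S_USER_PRO", {}).get("PROFILE", []):
        if covers_prefix(value, RESERVED_PROFILE_PREFIX):
            findings.append(f"S_USER_PRO PROFILE={value!r} reaches reserved "
                            f"profiles {RESERVED_PROFILE_PREFIX}*")
    return findings

def audit(admins: dict) -> dict:
    """Map each administrator to its violation list (empty list means compliant)."""
    return {name: check_sub_admin(a) for name, a in admins.items()}

# Constructed sample: one compliant sub-administrator, one that could grant
# itself authorizations (SUPER reachable, own T* profiles regenerable).
SAMPLE_ADMINS = {
    "USERADM_HR": {"S_USER_GRP": {"CLASS": ["HR*"]},
                   "S_USER_PRO": {"PROFILE": ["Z_HR*"]}},
    "USERADM_ALL": {"S_USER_GRP": {"CLASS": ["*"]},
                    "S_USER_PRO": {"PROFILE": ["Z*", "T*"]}},
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ADMINS).items():
        print(name, "compliant" if not findings else findings)
```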

Additional information

The following authorization objects are important for distributed administration. You can use them to fine-tune administration:

S_USER_AUT
