Organizing Authorization Administration

The authorization system allows you great flexibility in organizing and authorizing the maintenance of user master records and roles:

· If your company is small and centralized, you can have all maintenance of user master records and authorization components executed by a single superuser.

For more information on setting up superusers.

· Depending on the size and organization of your company, you should, however, distribute the maintenance of user master records and authorizations among multiple administrators, each with limited areas of responsibility. This applies in particular in a decentralized environment, in which different time zones might apply. This also helps to achieve maximum system security.

Each administrator should only be able to perform certain tasks. By dividing the tasks, you avoid a situation where a single superuser has absolute control over your user authorizations. You also ensure that not only one person approves all authorizations and profiles. You should also define standard procedures for creating and assigning authorizations.

Since you can precisely restrict authorizations for user and authorization maintenance, the administrators do not have to be privileged users in your data processing organization. You can assign user and authorization maintenance to ordinary users.

We recommend that you use the role maintenance functions and the profile generator (transaction PFCG) to maintain your roles, authorizations, and profiles. The role maintenance functions support you in performing your task by automating various processes and allowing you more flexibility in your authorization plan. You can also use the central user administration functions to centrally maintain the roles delivered by SAP or your own, new roles, and to assign the roles to any number of users.