Showing posts with label Distributed Administration (Users and Authorization Administrators). Show all posts

Set namespace for report tree migration and specific IMG activities

Optional activity

Only perform this activity if you want to migrate existing report trees in area menus and do not want to use the default customer namespace for this.

This activity also makes sense if you want to create IMG activities for your own Customizing.

In this step, you specify a namespace to use for the transactions that will be automatically created for the report trees during the migration and during creation of your own IMG activities.

This is only necessary if you do not want to use the default customer namespace for transactions.

You must specify a valid namespace of the type /..../.

To do this, maintain the table SSM_CUST in transaction SM30. Add a record with the key "NAMESPACE_PREFIX" and enter the namespace as the value.

Changes to how central user administration works

Example

In this activity, you can specify how Organizational Management (HR-Org) is to function when central user administration is active.

If you are using central user administration to distribute the administration of user and activity group assignments, you must specify one of the systems as the central system. If Organizational Management (HR-Org) is also used on this system, the changes made in Organizational Management (HR-Org) are usually not maintained in the central user administration, but only take effect locally on the central system.

You must maintain a Customizing entry if you want the changes made in Organizational Management (HR-Org) to be automatically maintained in the central user administration.

Activities

To do this, add an entry with the key "PD_ORG_ACTIVE" and the value "YES" to the current activity that references table PRGN_CUST.

Maintain user master records

After you have defined the required activity groups, you can create the users who are to administer users and authorizations.

Prerequisite

  • You must have logged on as a superuser.

SAP recommendation

All user, authorization and activation administrators should be assigned to the "SUPER" group. Only the superuser should have authorization to maintain users in this group.

Activities

1. Create a new user or edit an existing user
2. In the "User group" field on the "Logon data" tab, enter the "SUPER" user group
3. On the "Activity groups" tab, enter the desired activity groups. The corresponding authorization profiles are automatically transferred.
4. Save the user

For more information, see BC - Users and Authorizations.

Create roles for distributed administration

Create activity groups for user and authorization maintenance. You must log on as superuser.

If you only have one administrator, this person is the superuser and can perform all actions. Create an appropriate activity group to which you assign the corresponding transactions. The following actions are not required in this case.

If you want to create a "distributed administration" with multiple administrators in your company, it makes sense to split the work of the administrators as follows. At least two people are always involved in this three-step concept when a user's authorizations are changed.

  • Define an activity group for each of the following:
  • Authorization administration
    Using Transaction PFCG, the authorization administrators define the activity groups (activity group maintenance). They choose transactions and edit the corresponding authorization data. They are allowed to save the authorization data for the activity groups, but not generate a profile.
    Create an activity group which is not assigned any transactions but for which you choose the template SAP_ADM_AU and generate a corresponding profile.
  • Activation administration
    The activation administrators check the authorization data using Transaction SUPC (mass generation of profiles). They are not allowed to change them but can generate the corresponding profiles.
    Create an activity group which is not assigned any transactions but for which you choose the template SAP_ADM_PR and generate a corresponding profile.
  • User administration
    User administrators assign activity groups to the users using Transaction SU01 (user maintenance). This automatically assigns the profiles corresponding to the activity groups.
    Create an activity group which is not assigned any transactions but for which you choose the template SAP_ADM_US and generate a corresponding profile.

When saving the authorization data for the activity groups, ensure that the profile names do not begin with 'T'. Apart from the superuser, all administrators may generate profiles that do not begin with the letter 'T'. This ensures that you cannot change the profiles that are assigned to you.

Creating sub-administrators:

  • A sub-administrator does not have authorization to maintain users in the user group "SUPER".
  • If you want to define further sub-administrators, ensure that these people do not have maintenance authorizations for users in the user group "SUPER". The value "SUPER" must not be included in the authorizations for the object S_USER_GRP for these sub-administrators. This prevents you from assigning authorizations to yourself. In addition, you should not have authorization to regenerate and assign profiles that are assigned to yourself. You can prevent this by only allowing certain profile names for the authorization object S_USER_PRO, for example only profiles that begin with 'T'.
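
The two sub-administrator rules above can be checked mechanically against an export of authorization values. The following audit is an added example, not SAP code or part of the original documentation: the input layout, user names and profile names are constructed assumptions, and only exact values and trailing-'*' patterns are evaluated.

```python
# Added example: audit sub-administrators against the two self-escalation
# rules above. The input layout is an assumption (a simplified export of
# authorization values), not an SAP format; all user data is constructed.

def matches(pattern, value):
    """SAP-style value match: exact value, or prefix with a trailing '*'."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def audit_admins(admins, superuser):
    """Return a sorted list of (user, finding) tuples for rule violations."""
    findings = []
    for user, data in admins.items():
        if user == superuser:
            continue  # only the superuser may maintain the SUPER group
        # Rule 1: S_USER_GRP must not cover user group SUPER,
        # either directly or through a wildcard such as 'S*' or '*'.
        for pat in data["S_USER_GRP"]:
            if matches(pat, "SUPER"):
                findings.append(
                    (user, f"S_USER_GRP value {pat!r} covers group SUPER"))
        # Rule 2: S_USER_PRO must not cover a profile assigned to the admin.
        for profile in data["own_profiles"]:
            for pat in data["S_USER_PRO"]:
                if matches(pat, profile):
                    findings.append(
                        (user, f"S_USER_PRO value {pat!r} covers own profile {profile!r}"))
    return sorted(findings)


# Constructed sample data: hypothetical users and profile names.
SAMPLE = {
    "SUPERADM": {"S_USER_GRP": ["*"], "S_USER_PRO": ["*"], "own_profiles": ["ZADM_ALL"]},
    "SUBADM1": {"S_USER_GRP": ["SALES", "FI*"], "S_USER_PRO": ["T*"], "own_profiles": ["ZADM_US"]},
    "SUBADM2": {"S_USER_GRP": ["S*"], "S_USER_PRO": ["T*"], "own_profiles": ["ZADM_PR"]},
    "SUBADM3": {"S_USER_GRP": ["HR"], "S_USER_PRO": ["*"], "own_profiles": ["T_HR_001"]},
}

if __name__ == "__main__":
    for user, finding in audit_admins(SAMPLE, superuser="SUPERADM"):
        print(f"{user}: {finding}")
```

SUBADM2 is flagged because the wildcard 'S*' silently includes "SUPER", and SUBADM3 because an unrestricted S_USER_PRO value covers a profile that administrator holds.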

Additional information

The following authorization objects are important for distributed administration. You can use these to fine-tune administration:

S_USER_AUT

Distributed Administration

It is useful to create various roles and assign them to the appropriate users when you grant authorizations for system administration and development.

In this section, you will learn:

  • How to create administrators for user and authorization maintenance
  • Which role templates exist
  • How you can easily create other roles

You can specify how the user master records and authorizations are organized. You can assign these maintenance tasks to one single administrator, the so-called superuser, or distribute them among other sub-administrators.