Setting up Administrators

You should proceed as follows:

  1. Create an activity group for each administrator.
  2. Do not choose any transactions, but go directly to the authorization data (choose Authorizations). The system displays a dialog box asking you to choose a template.
  3. Choose one of the following templates:
  4. – for authorization profile administrators SAP_ADM_PR

    – for authorization data administrators SAP_ADM_AU

    – for user administrators SAP_ADM_US

  5. Generate an authorization profile for each.
  6. Use a profile name which DOES NOT begin with T.

  7. Assign the activity groups to the appropriate users.

You can restrict the authorization of user administrators to particular groups of users.

You can exclude further authorization objects from the profiles using the Profile Generator, for example, HR data. If you want your generated authorization profiles to begin with a letter other than T, you should inform the profile administrator.

How the Three Administrators Work Together

The Authorization data administrator creates an activity group, chooses transactions and maintains the authorization data. In the Profile Generator, the authorization data administrator merely saves the data since he or she is not authorized to generate the profile, and accepts the default profile name T_....

The Authorization profile administrator calls Transaction SUPC and sets the following parameters on the next screen: The administrator flags All activity groups and restricts the selection by entering the identifier of the activity group to be processed. On the following screen, the administrator selects Display profile to check the data. If the data is correct, the administrator generates the authorization profile.

Finally, the user administrator assigns the activity group to a user (using User maintenance). The authorization profile is added to the user master record.

No authorization profile beginning with T may contain critical (S_USER*) authorization objects.