Setting up Administrators
You should proceed as follows:
– for authorization profile administrators SAP_ADM_PR
– for authorization data administrators SAP_ADM_AU
– for user administrators SAP_ADM_US
Use a profile name which DOES NOT begin with T.
You can restrict the authorization of user administrators to particular groups of users.
You can exclude further authorization objects from the profiles using the Profile Generator, for example, HR data. If you want your generated authorization profiles to begin with a letter other than T, you should inform the profile administrator.
How the Three Administrators Work Together
The Authorization data administrator creates an activity group, chooses transactions and maintains the authorization data. In the Profile Generator, the authorization data administrator merely saves the data since he or she is not authorized to generate the profile, and accepts the default profile name T_....
The Authorization profile administrator calls Transaction SUPC and sets the following parameters on the next screen: The administrator flags All activity groups and restricts the selection by entering the identifier of the activity group to be processed. On the following screen, the administrator selects Display profile to check the data. If the data is correct, the administrator generates the authorization profile.
Finally, the user administrator assigns the activity group to a user (using User maintenance). The authorization profile is added to the user master record.
No authorization profile beginning with T may contain critical (S_USER*) authorization objects.