Administration Without Using the Profile Generator

For maximum system security, you can divide up maintenance among three types of users:

A user administrator can perform tasks such as creating user master records, maintaining the list of profiles in a user master record, and setting user parameters.

A user administrator cannot maintain or activate profiles or authorizations.

An authorization administrator can work only with the maintenance versions of profiles and authorizations. The administrator cannot activate profiles nor authorizations, that is, make them effective in the system.

An activation administrator cannot change the authorizations defined in profiles and authorizations. The administrator can only activate existing maintenance versions of profiles and authorizations.

Reasons for Dividing Maintenance

Maintenance responsibilities are divided up for the following reasons:

If a single user can execute all user and authorization maintenance activities, then the user can single-handedly define authorizations and put them into effect in the system.

Similarly, if users can maintain and activate profiles and / or authorizations, they can make changes to a profile or authorization and put them into effect in the system. When the user activates a profile or authorization that he or she has modified, these changes take effect for all users who already have the profiles or authorizations.

The system lets you further subdivide the administrative workload. You can organize user and authorization maintenance by department, cost center, or any other organizational criteria.

Specifically:

The users who execute these functions can therefore be ordinary users in your organization. The superuser is required only for setting up the lower-level administrators.

Organizing Maintenance: Example

The graphic below shows how the three types of administrator work together.

In the graphic, the superuser maintains user master records, profiles, and authorizations for administrators in one or more organizational areas.

An area may be a department, a cost center or any other organizational entity.

Within an area, administration responsibilities are divided among three users. One user is responsible for creating and maintaining user master records. Another is responsible for creating and maintaining profiles and authorizations. A third user activates profiles and authorizations.

The following sections describe how to assign administration tasks to the various users:

Setting Up User Administrators

Setting Up Authorization and Activation Administrators

Setting Up Authorization Administrators

Setting Up Activation Administrators