Hierarchy
⤷ BC-SEC-AUT-PFC (Application Component) ABAP Authorization and Role Management
⤷ S_PROFGEN (Package) ABAP Role Administration (Profile Generator)
IMG Activity
ID | SIMG_CFMENUSAPCOY20 | Create roles for distributed administration |
Transaction Code | S_BCE_68000264 | IMG Activity: SIMG_CFMENUSAPCOY20 |
Created on | 19981204 | |
Customizing Attributes | SIMG_CFMENUSAPCOY20 | Create Roles for Distributed Administration |
Customizing Activity | SIMG_CFMENUSAPCOY20 | Create Roles for Distributed Administration |
Document
Document Class | SIMG | Hypertext: Object Class - Class to which a document belongs. |
Document Name | SIMG_CFMENUSAPCOY20 |
Create roles for user and authorization maintenance. You must log on as superuser.
If you only have one administrator, this person is the superuser and can perform all actions. Create an appropriate role to which you assign the corresponding transactions. The following actions are not required in this case.
If you want to create a "distributed administration" with multiple administrators in your company, it makes sense to split the work of the administrators as follows. At least two people are always involved in this three-step concept when a user's authorizations are changed.
- Define a role for each of the following:
  - Authorization administration
    Using transaction PFCG, the authorization administrators define the roles (role maintenance). They choose transactions and edit the corresponding authorization data. They are allowed to save the authorization data for the roles, but not generate a profile.
    Create a role that is not assigned any transactions but for which you choose the template SAP_ADM_AU and generate a corresponding profile.
  - Activation administration
    The activation administrators check the authorization data using transaction SUPC (mass generation of profiles). They are not allowed to change them but can generate the corresponding profiles.
    Create an activity group which is not assigned any transactions but for which you choose the template SAP_ADM_PR and generate a corresponding profile.
  - User administration
    User administrators assign roles to the users using transaction SU01 (user maintenance). This automatically assigns the profiles corresponding to the roles.
    Create a role that is not assigned any transactions but for which you choose the template SAP_ADM_US and generate a corresponding profile.
When saving the authorization data for the roles, ensure that the profile names do not begin with 'T'. Apart from the superuser, all administrators may generate profiles that do not begin with the letter 'T'. This ensures that you cannot change the profiles that are assigned to you.
Creating sub-administrators:
- A sub-administrator does not have authorization to maintain users in the user group "SUPER".
- If you want to define further sub-administrators, ensure that these people do not have maintenance authorizations for users in the user group "SUPER". The value "SUPER" must not be included in the authorizations for the object S_USER_GRP for these sub-administrators. This prevents you from assigning authorizations to yourself. In addition, you should not have authorization to regenerate and assign profiles that are assigned to yourself. You can prevent this by only allowing certain profile names for the authorization object S_USER_PRO, only profiles that begin with 'T' for example.
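The two sub-administrator rules above can be checked mechanically. The following is an added example, not SAP code or part of the original documentation: it audits constructed authorization records for S_USER_GRP values that include "SUPER" (as a single value, a generic value, or a range) and for S_USER_PRO values that cover a profile assigned to the administrator. The record layout, the administrator and profile names, and the simplified range comparison are assumptions.

```python
# Added example: constructed records, not an SAP export format.

def covers(value, candidate):
    """True if one authorization value admits `candidate`."""
    if isinstance(value, tuple):        # (low, high) range; simplified to plain string order
        return value[0] <= candidate <= value[1]
    if value.endswith("*"):             # generic value such as "*" or "T*"
        return candidate.startswith(value[:-1])
    return value == candidate           # single value

def audit(admin):
    """Return the findings for one sub-administrator record."""
    findings = []
    # Rule 1: "SUPER" must not be included in the S_USER_GRP user group values.
    for value in admin["S_USER_GRP_CLASS"]:
        if covers(value, "SUPER"):
            findings.append(f"S_USER_GRP includes SUPER via {value!r}")
    # Rule 2: S_USER_PRO must not cover a profile assigned to the administrator.
    for profile in admin["own_profiles"]:
        for value in admin["S_USER_PRO_PROFILE"]:
            if covers(value, profile):
                findings.append(f"S_USER_PRO covers own profile {profile} via {value!r}")
    return findings

# Constructed sample data (hypothetical administrators and profile names).
SUBADMINS = {
    "ADMIN_OK": {
        "own_profiles": ["T_ADM_0001"],
        "S_USER_GRP_CLASS": ["SALES", "HR*"],
        "S_USER_PRO_PROFILE": ["Z*"],
    },
    "ADMIN_RANGE": {                    # the range SALES..SUPPORT silently includes SUPER
        "own_profiles": ["T_ADM_0002"],
        "S_USER_GRP_CLASS": [("SALES", "SUPPORT")],
        "S_USER_PRO_PROFILE": ["Z*"],
    },
    "ADMIN_SELF": {                     # may regenerate and assign their own profile
        "own_profiles": ["T_ADM_0003"],
        "S_USER_GRP_CLASS": ["*"],
        "S_USER_PRO_PROFILE": ["T*"],
    },
}

if __name__ == "__main__":
    for name, record in SUBADMINS.items():
        for finding in audit(record) or ["no findings"]:
            print(f"{name}: {finding}")
```

The range case is the one most easily missed in a manual review, because "SUPER" never appears literally in the authorization values.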
Additional information
The following authorization objects are important for distributed administration. You can use these to fine-tune administration:
For more information, see BC - Users and Roles.
Business Attributes
ASAP Roadmap ID | 209 | Establish Authorization Management |
Mandatory / Optional | 2 | Optional activity |
Critical / Non-Critical | 2 | Non-critical |
Country-Dependency | A | Valid for all countries |
Assigned Application Components
Documentation Object Class | Documentation Object Name | Current line number | Application Component | Application Component Name |
---|---|---|---|---|
SIMG | SIMG_CFMENUSAPCOY20 | 0 | HLB0009026 | User Administration |
Maintenance Objects
Maintenance object type | C | Customizing Object |
Assigned objects
Customizing Object | Object Type | Transaction Code | Sub-object | Do not Summarize | Skip Subset Dialog Box | Description for multiple selections |
---|---|---|---|---|---|---|
SU03 | T - Individual transaction object | PFCG | 0000000007 |
History
Last changed by/on | SAP | 20000314 |
SAP Release Created in |