SAP ABAP IMG Activity SIMG_CFMENUSAPCOY20 (Create roles for distributed administration)
Hierarchy
SAP_BASIS (Software Component) SAP Basis Component
   BC-SEC-AUT-PFC (Application Component) ABAP Authorization and Role Management
     S_PROFGEN (Package) ABAP Role Administration (Profile Generator)
IMG Activity
ID SIMG_CFMENUSAPCOY20 Create roles for distributed administration  
Transaction Code S_BCE_68000264   IMG Activity: SIMG_CFMENUSAPCOY20 
Created on 19981204    
Customizing Attributes SIMG_CFMENUSAPCOY20   Create Roles for Distributed Administration 
Customizing Activity SIMG_CFMENUSAPCOY20   Create Roles for Distributed Administration 
Document
Document Class SIMG   Hypertext: Object Class - Class to which a document belongs.
Document Name SIMG_CFMENUSAPCOY20    

Create roles for user and authorization maintenance. You must log on as superuser.

If you only have one administrator, this person is the superuser and can perform all actions. Create an appropriate role to which you assign the corresponding transactions. The following actions are not required in this case.

If you want to create a "distributed administration" with multiple administrators in your company, it makes sense to split the work of the administrators as follows. At least two people are always involved in this three-step concept when a user's authorizations are changed.

  • Define a role for each of the following:
    • Authorization administration
      Using transaction PFCG, the authorization administrators define the roles (role maintenance). They choose transactions and edit the corresponding authorization data. They are allowed to save the authorization data for the roles, but not to generate a profile.
      Create a role that is not assigned any transactions but for which you choose the template SAP_ADM_AU and generate a corresponding profile.
    • Activation administration
      The activation administrators check the authorization data using transaction SUPC (mass generation of profiles). They are not allowed to change them but can generate the corresponding profiles.
      Create an activity group which is not assigned any transactions but for which you choose the template SAP_ADM_PR and generate a corresponding profile.
    • User administration
      User administrators assign roles to the users using transaction SU01 (user maintenance). This automatically assigns the profiles corresponding to the roles.
      Create a role that is not assigned any transactions but for which you choose the template SAP_ADM_US and generate a corresponding profile.

When saving the authorization data for the roles, ensure that the profile names do not begin with 'T'. Apart from the superuser, all administrators may generate profiles that do not begin with the letter 'T'. This ensures that you cannot change the profiles that are assigned to you.

Creating sub-administrators:

  • A sub-administrator does not have authorization to maintain users in the user group "SUPER".
  • If you want to define further sub-administrators, ensure that these people do not have maintenance authorizations for users in the user group "SUPER". The value "SUPER" must not be included in the authorizations for the object S_USER_GRP for these sub-administrators. This prevents you from assigning authorizations to yourself. In addition, you should not have authorization to regenerate and assign profiles that are assigned to yourself. You can prevent this by only allowing certain profile names for the authorization object S_USER_PRO, only profiles that begin with 'T' for example.
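
One way to audit the S_USER_GRP rule above, as an added example that is not SAP's own code: a literal search for "SUPER" misses generic values and ranges that also include it, so the check below tests coverage. The Auth record layout, the role names and the sample data are constructed; the value forms assumed are single values, generic values ending in `*`, and from-to ranges.

```python
from typing import NamedTuple

class Auth(NamedTuple):
    role: str
    obj: str       # authorization object, e.g. S_USER_GRP
    field: str     # authorization field, e.g. CLASS (user group)
    values: list   # single values, trailing-* generic values, or (low, high) ranges

def covers(spec, target):
    """Return True if one authorization value spec includes the target value."""
    if isinstance(spec, tuple):          # from-to range, compared character by character
        low, high = spec
        return low <= target <= high
    if spec.endswith("*"):               # generic value: "*" alone means full authorization
        return target.startswith(spec[:-1])
    return spec == target

def roles_reaching_group(auths, group="SUPER"):
    """Map each role to the S_USER_GRP CLASS specs that include the given user group."""
    findings = {}
    for a in auths:
        if a.obj == "S_USER_GRP" and a.field == "CLASS":
            hits = [v for v in a.values if covers(v, group)]
            if hits:
                findings.setdefault(a.role, []).extend(hits)
    return findings

# Constructed sample data (hypothetical role names, not an SAP export format).
SAMPLE = [
    Auth("Z_SUBADMIN_OK", "S_USER_GRP", "CLASS", ["SALES", "HR*"]),
    Auth("Z_SUBADMIN_STAR", "S_USER_GRP", "CLASS", ["*"]),
    Auth("Z_SUBADMIN_PREFIX", "S_USER_GRP", "CLASS", ["SU*"]),
    Auth("Z_SUBADMIN_RANGE", "S_USER_GRP", "CLASS", [("A", "T")]),
    Auth("Z_SUBADMIN_LIST", "S_USER_GRP", "CLASS", ["FINANCE", "SUPER"]),
    Auth("Z_SUBADMIN_OK", "S_USER_PRO", "PROFILE", ["T*"]),  # other object: ignored here
]

if __name__ == "__main__":
    for role, specs in roles_reaching_group(SAMPLE).items():
        print(f"{role}: S_USER_GRP includes SUPER via {specs}")
```

Any role the function reports should have the offending value replaced by an explicit list of the user groups the sub-administrator is meant to maintain.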

Additional information

The following authorization objects are important for distributed administration. You can use these to fine-tune administration:

For more information, see BC - Users and Roles.

Business Attributes
ASAP Roadmap ID 209   Establish Authorization Management 
Mandatory / Optional 2   Optional activity 
Critical / Non-Critical 2   Non-critical 
Country-Dependency A   Valid for all countries 
Assigned Application Components
Documentation Object Class Documentation Object Name Current line number Application Component Application Component Name
SIMG SIMG_CFMENUSAPCOY20 0 HLB0009026 User Administration 
Maintenance Objects
Maintenance object type C   Customizing Object 
Assigned objects
Customizing Object Object Type Transaction Code Sub-object Do not Summarize Skip Subset Dialog Box Description for multiple selections
SU03 T - Individual transaction object PFCG 0000000007  
History
Last changed by/on SAP  20000314 
SAP Release Created in