2011 Nov 19 5:27 PM
Hi
I administer an SAP ECC 6.0 system on Oracle 10.2.0.2 / AIX 6.1. Occasionally some mischievous superusers make direct changes to roles in the production system. This is a serious compromise of security and I'm under instructions to curtail this practice.
I require your assistance on the following:
1) Is it possible to disable generation of profiles via PFCG in the PRD & QAS systems? I reckon with such a development all changes to roles will have to be done in the DEV system & thereafter transported across the landscape. How else should I overcome this problem?
2) Is it possible to identify the particular user who made the direct change to the roles in the PRD system?
Thanks
2011 Nov 28 11:34 PM
You might also want to implement SAP note 312682 if you still want to limit the users from modifying the roles, but still give them the ability to assign roles via PFCG.
2011 Nov 19 6:25 PM
Hi Msororaji
1) If you want to prevent users from modifying roles in production, then you have to remove from those users the authorization to do this:
Start working with the authorization object S_USER_AGR (note actv 64):
The authorization object is used to protect the roles. Roles are used to combine users in groups and to assign them different attributes, in particular transactions and authorization profiles.
Together with authorization objects S_USER_GRP, S_USER_AUT, S_USER_PRO, S_USER_TCD, and S_USER_VAL, you can use this authorization object to distribute user administration, if different administrators are to administer the users.
Defined fields
ACT_GROUP: The field determines which roles may be processed.
ACTVT: The field determines which activities may be executed using the roles. You can choose from the following activities:
01: Create roles
02: Change roles
03: Display roles
06: Delete roles
08: Display change documents for roles
22: Compare role user master records. Roles are assigned to users with this.
36: This activity is not yet used. It is planned for use for additional objects that can be maintained from the roles.
21: Transport role
59: Distribute roles to another system using RFC
64: Generate authorization profiles from role.
68: Modeling: Assigning roles to systems or users in user management using models. The actual assignments can be derived from these models later.
78: Assign roles to systems or user groups in central system of central user administration
79: Assign single roles to composite roles
DL: Download. Save roles to a file.
2) I think the information you're looking for is under SUIM -> Change Documents -> For Roles
Hope it helps.
Regards,
Diego.
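An added example, not part of the original thread or of any SAP tooling: a small audit that reads an export of role authorization values and reports which roles grant the role-changing S_USER_AGR activities from the list above (01, 02, 06, 64). The CSV layout (modeled on table AGR_1251) and the role names are assumptions, and the check looks only at ACTVT, ignoring how ACT_GROUP narrows the scope.

```python
import csv
import io

# Activities from the S_USER_AGR list above that alter a role or its profile.
CHANGE_ACTVT = {"01": "create", "02": "change", "06": "delete", "64": "generate profile"}

# Constructed sample export of role authorization values; the column layout
# (AGR_NAME, OBJECT, FIELD, LOW, HIGH) is an assumption about the extract.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_BASIS_ADMIN,S_USER_AGR,ACTVT,*,
Z_BASIS_ADMIN,S_USER_AGR,ACT_GROUP,*,
Z_ROLE_ASSIGN,S_USER_AGR,ACTVT,03,
Z_ROLE_ASSIGN,S_USER_AGR,ACTVT,22,
Z_ROLE_ASSIGN,S_USER_AGR,ACT_GROUP,Z*,
Z_SUPPORT,S_USER_AGR,ACTVT,01,03
Z_SUPPORT,S_USER_AGR,ACT_GROUP,Z_FI*,
Z_DISPLAY,S_USER_GRP,ACTVT,03,
"""

def covered(low, high, value):
    """True if an authorization value (single, range or pattern) includes value."""
    low, high = low.strip(), high.strip()
    if high:                      # LOW..HIGH interval
        return low <= value <= high
    if low.endswith("*"):         # full or trailing wildcard
        return value.startswith(low[:-1])
    return low == value

def risky_roles(export_text):
    """Map role name -> sorted change activities it grants on S_USER_AGR."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"] != "S_USER_AGR" or row["FIELD"] != "ACTVT":
            continue
        hits = {a for a in CHANGE_ACTVT if covered(row["LOW"], row["HIGH"], a)}
        if hits:
            findings.setdefault(row["AGR_NAME"], set()).update(hits)
    return {role: sorted(acts) for role, acts in findings.items()}

if __name__ == "__main__":
    for role, acts in sorted(risky_roles(SAMPLE_EXPORT).items()):
        labels = ", ".join(f"{a} ({CHANGE_ACTVT[a]})" for a in acts)
        print(f"{role}: {labels}")
```

Roles that appear in the output are the ones to strip from production users or restrict to display and assignment activities.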
2011 Nov 20 11:50 AM
Hi
Try a search on object S_USER_SAS value 22 - allows admin to retain PFCG (restricted) and SU01.
Kind regards
David