A single administrator (superuser) or a group of administrators assigns authorizations, depending on the size and organization of your company. By assigning authorizations, the administrator determines (within the range of possibilities defined by the programmer) which functions a user may execute or which objects he or she may access.
The following rules apply to the use of placeholders in manual authorizations (transaction SU03) and in roles (transaction PFCG):
As an administrator, you perform the following steps to assign authorizations:
An authorization is the combination of permissible values in each authorization field of an authorization object.
Authorizations are grouped in authorization profiles in such a way that the profiles describe work centers, for example, flight reservation clerk.
We recommend that your system administrator set up authorization profiles automatically using the Profile Generator (see Role Administration). If necessary, the administrator can also set up an authorization profile manually by choosing Tools → Administration, User maintenance → Profiles (see Creating and Maintaining Authorizations and Profiles Manually).
By assigning the roles, you assign the corresponding authorization profiles (work centers) to a user master record.
When an authorization check takes place, the system compares the values entered by the administrator in the authorization profile with those required by the program for the user to execute a certain activity.
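The comparison described above, as an added example that is not SAP code: a simplified Python model of user master record, profiles, authorizations and the check. The object, field, profile and user names are constructed, and placeholder handling is reduced to a full or trailing `*`. It shows that a check succeeds only when one single authorization permits every required field value; values from different authorizations are not combined.

```python
# Simplified model of an authorization check (added example, not SAP code).
# All object, field, profile and user names below are constructed.

# An authorization: permissible values for each field of one authorization object.
# ACTVT values follow the usual convention: 02 = change, 03 = display.
AUTHORIZATIONS = {
    "Z_BOOK_LH_DISPLAY": ("Z_FLIGHT", {"CARRIER": ["LH"], "ACTVT": ["03"]}),
    "Z_BOOK_AA_ALL": ("Z_FLIGHT", {"CARRIER": ["AA"], "ACTVT": ["*"]}),
}
# A profile groups authorizations so that it describes a work center.
PROFILES = {"Z_RESERVATION_CLERK": ["Z_BOOK_LH_DISPLAY", "Z_BOOK_AA_ALL"]}
# A user master record carries the profiles assigned to the user.
USERS = {"CLERK01": ["Z_RESERVATION_CLERK"], "GUEST01": []}


def value_permitted(permitted, required):
    """True if a permitted value equals the required one or covers it with '*'."""
    for pattern in permitted:
        if pattern == required:
            return True
        # Assumption: only a full or trailing '*' placeholder is modelled here.
        if pattern.endswith("*") and required.startswith(pattern[:-1]):
            return True
    return False


def authority_check(user, obj, required):
    """Compare the values the program requires with the user's authorizations.

    Passes only if ONE authorization for `obj` permits every required field.
    Unknown users, objects and fields fail closed.
    """
    for profile in USERS.get(user, []):
        for auth_name in PROFILES.get(profile, []):
            auth_obj, fields = AUTHORIZATIONS[auth_name]
            if auth_obj != obj:
                continue
            if all(value_permitted(fields.get(f, []), v)
                   for f, v in required.items()):
                return True
    return False


if __name__ == "__main__":
    # LH/display is granted; LH/change is not, although '*' exists for AA.
    print(authority_check("CLERK01", "Z_FLIGHT", {"CARRIER": "LH", "ACTVT": "03"}))
    print(authority_check("CLERK01", "Z_FLIGHT", {"CARRIER": "LH", "ACTVT": "02"}))
```

When reviewing a role, this is the case to look for: a wildcard in one authorization does not widen another authorization for the same object, but it does grant everything within its own field combination.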