
Editing Templates for General Authorizations

It does not make sense to include general authorizations (printing, archiving, and so on) in every transaction.

You can adopt authorization objects from templates created by SAP when you maintain roles (transaction PFCG).

You can then maintain these templates from the initial screen of Transaction SU24. Choose Edit templates.

The system then displays a list of the SAP templates. These cannot be changed directly.

You can, however, copy these and use them as a pattern for your own settings, or you can create completely new templates. You need the authorization User master maintenance: User groups (S_USER_GRP).

The names of SAP templates begin with S. If you create any templates yourself, they should not begin with S. SAP_ALL contains all authorizations.

Ensure that changes to templates are not passed on when you compare roles.

If you want to transport your template, you must specify a development class when you create it (not $TMP, local objects). You can find details on this in the BC - Change and Transport Organizer documentation in Development Classes.

You want to create a Basis user who can do "almost anything": such users typically cannot create user master records or change authorization profiles.

Proceed as follows:

  • Create a role by choosing User maintenance → Roles.
  • Do not enter any transactions; choose Authorizations and then Change authorization data.
  • Do not copy any templates, but choose Edit → Add authorization → Full authorization.
  • Expand the Basis administration object class. Here you find the authorizations which are generally regarded as critical.
  • Deactivate all authorizations which begin with User master maintenance and any others which you regard as critical.
  • Using the Profile Generator, generate a new profile and save it under a new name (refer to Naming Convention for Pre-Defined Profiles).

If you choose User Maintenance → Users, you can assign the role you have just created to the user. See Assigning roles.
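
A check you can run on the finished role before assigning it, added here as an example and not part of the SAP documentation: it reads a list of the role's authorizations and reports every one whose text begins with User master maintenance, or that you name as critical, and that is not deactivated. The CSV layout, column names, role name and sample rows are assumptions constructed for the example.

```python
import csv
import io

# Constructed sample export of one role's authorizations. The CSV layout,
# column names and role name are assumptions made for this example.
SAMPLE_EXPORT = """\
role,object,text,status
Z_BASIS_ALMOST,S_USER_GRP,User master maintenance: User groups,inactive
Z_BASIS_ALMOST,S_USER_GRP,User master maintenance: User groups,active
Z_BASIS_ALMOST,S_USER_AUT,User master maintenance: Authorizations,inactive
Z_BASIS_ALMOST,S_USER_PRO,User master maintenance: Authorization profile,
Z_BASIS_ALMOST,S_SPO_ACT,Spool: Actions,active
Z_BASIS_ALMOST,S_ADMI_FCD,System authorizations,active
"""

# The procedure deactivates authorizations whose text begins with this.
CRITICAL_TEXT_PREFIX = "user master maintenance"


def still_active_critical(export_text, extra_critical_objects=()):
    """Return sorted (role, object) pairs that are critical but not deactivated.

    extra_critical_objects holds the "any others which you regard as
    critical" part of the procedure, given as authorization object names.
    """
    extra = {name.strip().upper() for name in extra_critical_objects}
    findings = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        obj = row["object"].strip().upper()
        text = row["text"].strip().lower()
        status = (row["status"] or "").strip().lower()
        critical = text.startswith(CRITICAL_TEXT_PREFIX) or obj in extra
        # Fail closed: a missing or unknown status counts as active. One
        # object can appear in several authorizations, and a single active
        # one is enough to grant it, so every row is checked on its own.
        if critical and status != "inactive":
            findings.add((row["role"].strip(), obj))
    return sorted(findings)


if __name__ == "__main__":
    for role, obj in still_active_critical(SAMPLE_EXPORT, ["S_ADMI_FCD"]):
        print(f"{role}: {obj} is critical and still active")
```

An empty result means every authorization matched by the check is deactivated in the list you supplied; it says nothing about authorizations missing from that list.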