 Setting Up General Authorization Checks


You set up authorizations in the form of roles using role maintenance (transaction PFCG). Roles provide a business perspective by representing the tasks and activities that a user is authorized to perform in the system. Authorizations are parts of roles and are stored as an authorization profile for the role. Role maintenance generates one part of the authorization profile (the functional part) automatically; you must manually define the part of the profile that controls which data a user has access to. You can generate several authorization profiles for each role. When you generate roles, you also define the authorization objects with the necessary field specifications.

User menus provide access to the transactions, reports or web-based applications contained in the roles. A user menu should therefore contain only the functions that are required by a specific user with a specific task profile for daily work.

Note

Authorizations were set up using the transactions SU01 and SU03 up to release 4.6A. Up until then, the common term used to describe roles was activity groups.

To create roles and to generate authorization profiles, proceed as follows:

  1. To create or change a role, choose Role Maintenance using transaction PFCG. If you want to create your own user roles, make sure you do not use the SAP namespace (all roles delivered by SAP have the prefix SAP_).

  2. In the Menu tab page, assign transactions, reports, and/or web addresses to the role. By doing this, you set the user menu that is automatically called up when the user assigned to this role logs on to the SAP system. When you assign transactions and so on, the user’s role or task profile is defined. The transactions defined in the Menu tab page are then used by the system to create authorizations automatically.

  3. If you need to, you can change the authorizations that were automatically created by the system by setting the menu in the Authorizations tab page. To do so, choose the Expert Mode option under Maintain Authorization Data and Generate Profile in this tab page.

  4. When you change the authorizations that you have already created, you can also create additional authorizations, for example by choosing additional authorization objects.

  5. In the Authorizations tab page, also generate the authorization profile belonging to the role when you have finished any post-processing work on the automatically created authorizations.

  6. In the User tab page, assign users to the newly generated role.

Note

You can also assign users to roles by user groups and by objects (for example, job) in Organizational Management. You cannot use the profile generator for this type of assignment; you must use transaction SU10 (User Maintenance: Mass Changes) in Organizational Management.

The generated profile is only entered in the user master record once a user comparison has taken place. A comparison is also required if changes are made to the users assigned to the role and if an authorization profile is generated.
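The following Python check is an added example, not part of the original SAP documentation. It runs over exported role data and flags the conditions the procedure and the note above warn about: customer roles in the SAP_ namespace, assignments whose generated profile has not yet reached the user master (comparison pending), and profiles left in the user master after an assignment was removed. The four input lists, the finding names, and all role, user and profile names are constructed, and the check assumes each generated profile belongs to exactly one role.

```python
from collections import defaultdict

SAP_PREFIX = "SAP_"  # prefix of all roles delivered by SAP (step 1)

def audit_roles(custom_roles, role_profiles, role_users, user_profiles):
    """Return sorted (finding, role, user, profile) tuples.

    custom_roles:  names of roles created by the customer
    role_profiles: (role, generated_profile) pairs
    role_users:    (role, user) pairs from the User tab page
    user_profiles: (user, profile) pairs from the user master records
    """
    findings = set()
    for role in custom_roles:
        if role.upper().startswith(SAP_PREFIX):
            findings.add(("sap_namespace", role, "", ""))

    profiles_of = defaultdict(set)   # role -> generated profiles
    role_of = {}                     # generated profile -> role (assumed 1:1)
    for role, profile in role_profiles:
        profiles_of[role].add(profile)
        role_of[profile] = role
    assigned = set(role_users)
    in_master = set(user_profiles)

    for role, user in assigned:
        if not profiles_of[role]:
            findings.add(("profile_not_generated", role, user, ""))
        for profile in profiles_of[role]:
            if (user, profile) not in in_master:
                # assigned, but the profile has not reached the user master
                findings.add(("comparison_pending", role, user, profile))

    for user, profile in in_master:
        role = role_of.get(profile)
        if role and (role, user) not in assigned:
            # assignment removed, profile still present in the user master
            findings.add(("stale_profile", role, user, profile))
    return sorted(findings)

# Constructed sample data; every name below is invented for illustration.
CUSTOM_ROLES = ["Z_HR_ADMIN", "SAP_MY_PAYROLL", "Z_HR_CLERK"]
ROLE_PROFILES = [("Z_HR_ADMIN", "T-HR000100"), ("SAP_MY_PAYROLL", "T-HR000200")]
ROLE_USERS = [("Z_HR_ADMIN", "ALICE"), ("Z_HR_ADMIN", "BOB"), ("Z_HR_CLERK", "CAROL")]
USER_PROFILES = [("ALICE", "T-HR000100"), ("DAVE", "T-HR000200")]

if __name__ == "__main__":
    for row in audit_roles(CUSTOM_ROLES, ROLE_PROFILES, ROLE_USERS, USER_PROFILES):
        print(row)
```

A `stale_profile` finding is the one to review first, since it means a user still holds authorizations from a role they are no longer assigned to.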

For more information about setting up authorization profiles, see the Implementation Guide (IMG) for Personnel Administration under Tools → Authorization Management → Maintain Profiles.

In addition, you can find all relevant and non-HR-specific information on authorization maintenance (Role Maintenance) in the SAP Library under Basis → Computing Center Management → System (BC-CCM) → Users and Roles (BC-CCM-USR).