Show TOC

Maintaining Authorizations in SAP Example RolesLocate this document in the navigation structure

Prerequisites

SAP development delivers a role that describes an activity in the enterprise, with which the user can perform his or her tasks in the system. The role must fulfill the following criteria:

  • For the user to be able to execute the necessary applications (transactions, Web Dynpro applications, and so on), SAP development must include these in the role menu.

  • The role's authorizations are complete enough that the user can execute the core functionality of all applications. This means that the role contains authorizations for all of the necessary authorization objects. It does not mean that all authorizations are fully specified. Some fields can remain empty for the customers to fill later with their specific values.

  • When creating the example role, take the guidelines for segregation of duties into account.

Procedure

This procedure does not apply to the manual maintenance of roles for technical users.

  1. Start transaction PFCG and create a single role. Assign the role to your package. This is necessary for translation.
  2. Document the role by entering the following details:
    1. Describe the activity in a business process for which the role is intended.
    2. Describe the steps of this activity.
  3. Include the applications (transactions, Web Dynpro applications, and so on) associated with the activity in the role menu.
  4. In change mode, on the Authorizations tab page, choose Change Authorization Data.

    The Profile Generator then automatically generates the start authorizations for the applications contained in the menu. The Profile Generator also generates authorizations from the authorization default values of the contained applications.

    • For authorization objects with the value Yes, it generates authorizations from the authorization default values.

    • For authorization objects with the value Yes, Without Values, it generates authorizations without values.

  5. Check whether you can maintain additional values, for example, whether the role's purpose means that it requires a more specific specification of the authorization values than is possible in the authorization default values. This can be the case if the authorization default values were kept general to cover different functions but the role is for a specific function.
    The trace function, which you can call by choosing the Trace button, supports you in maintaining the authorization values.
  6. Transfer the authorization data.
  7. On the Authorizations tab page, delete the profile name, and choose Save.
  8. Caution

    If you want to make further changes to the role menu or the authorization default values later, start the expert mode on the Authorizations tab page. Choose Read old status and merge with new data.

    On the initial screen of transaction PFCG, transport the role by choosing the Transport Role button. Deliver the role from the Customizing client.
Related Information