Prerequisites
SAP development delivers a role that describes an activity in the enterprise, with which
the user can perform his or her tasks in the system. The role must fulfill the following
criteria:
-
For the user to be able to execute the necessary applications (transactions, Web Dynpro applications, and so on), SAP development
must include these in the role menu.
-
The role's authorizations are complete enough that the user can execute the
core functionality of all applications. This means that
the role contains authorizations for all of the necessary authorization objects.
It does not mean that all authorizations are fully specified. Some fields can
remain empty for the customers to fill later with their specific values.
-
When creating the example role, take the guidelines for segregation of duties into
account.
Procedure
This procedure does not apply to the manual maintenance of roles for technical
users.
- Start transaction PFCG and create a single
role. Assign the role to your package. This is necessary for translation.
- Document the role by entering the following details:
- Describe the activity in a business process for which the role is intended.
- Describe the steps of this activity.
- Include the applications (transactions, Web Dynpro applications, and so on)
associated with the activity in the role menu.
- In change mode, on the Authorizations tab page, choose
Change Authorization Data.
The Profile Generator then automatically generates the start authorizations for
the applications contained in the menu. The Profile Generator also generates
authorizations from the authorization default values of the contained
applications.
-
For authorization objects with the value Yes, it
generates authorizations from the authorization default values.
-
For authorization objects with the value Yes, Without
Values, it generates authorizations without values.
- Check whether you can maintain additional values, for example, whether the role's
purpose means that it requires a more specific specification of the authorization
values than is possible in the authorization default values. This can be the case if
the authorization default values were kept general to cover different functions but
the role is for a specific function.
The trace function, which you can call by choosing the
Trace button, supports you in maintaining the authorization
values.
- Transfer the authorization data.
- On the Authorizations tab page, delete the profile name, and
choose Save.
Caution
If you want to make further changes to the role menu or the authorization default
values later, start the expert mode on the Authorizations
tab page. Choose Read old status and merge with new
data.
On the initial screen of transaction PFCG,
transport the role by choosing the Transport Role button.
Deliver the role from the Customizing client.