Regenerate the Authorization Profile Following Changes

When you change a role, you must regenerate the authorization profile. In this case, the status of the profile generation is displayed red or yellow at the top of the Authorizations tab page, and is explained in more detail further down the tab page with a short text:

• If the status display is red, you must perform an authorization data comparison, since the menu was changed since the last profile generation or no authorization data exists.
• If the display is yellow, the authorization data for the role was changed and saved after the last generation. The generated profile is no longer current. You need to regenerate it.

1. In role maintenance (transaction PFCG), choose change mode.
2. On the Authorizations tab page, choose Expert Mode for Profile Generation.
3. Choose one of the options to maintain the authorization values (in normal mode, the correct option is automatically set):
   • Delete and recreate profile and authorizations

     All authorizations are recreated. Values which had previously been maintained, changed or entered manually are lost. Only the maintained values for organizational levels remain.

   • Edit old status

     The last saved authorization data for the role is displayed. This is not useful, if transactions in the role menu have been changed.

   • Read old status and compare with new data

     If you change transactions in the role menu, this option is the preconfigured. The profile generator compares the existing authorization data with the authorization default values for the menu transactions. If new authorizations are added during this process, they receive the status New. Authorizations that already existed receive the status Old.

     Note the following during the comparison:

     • Values for organizational levels that are no longer required are deleted, all others are retained. If new organizational levels are added, you need to maintain them.
     • The standard authorization for the object S_TCODE is always automatically filled with the current transactions from the role menu. It cannot be copied or manually changed, only deactivated.

     For more information about the automatic merging of the authorization data, see Merge Function for the Authorization Data of PFCG Roles.

4. Maintain the required standard authorizations and deactivate all others. The deactivation means that no unnecessary values are included in the profile associated with the role, since deactivated authorizations are not taken into account for the profile generation. It also means that the same standard authorization is not added again at the next merge.
5. Generate the authorization profile.

The authorization data for the role and the authorization profile are current. The status display on the Authorizations tab page is green.