Show TOC

Generating Authorization ProfilesLocate this document in the navigation structure

Prerequisites

  • You have the authorization for the object User Master Maintenance: Authorization Profile ( S_USER_PRO).

  • If you have already assigned the changed profile to a number of users, only generate profiles after the users of the role you want to edit have logged off the system. If the users are logged on, they must log on again after generation to have the current authorizations.

Context

You must generate authorization profiles before you can assign them to users. An authorization is generated for each authorization level in the browser view, and an authorization profile for the whole role as represented in the browser view.

Procedure


  1. In role maintenance (transaction PFCG), edit a role.

  2. Choose the Authorizations tab page.

    The status display on the Authorizations tab displays whether or not the corresponding authorization profile is current. If the display is red or yellow, the profile is not current. If the profile is not current, the status text on the tab shows the reason.

  3. To change the authorization data for the transactions assigned to the role, choose Change Authorization Data or Expert Mode for Profile Generation. Expert mode opens a dialog.

    For more information about the expert mode dialog, see Regenerating an Authorization Profile After Changes.

    If you are generating the profile for the first time, there is no difference between the two modes.

  4. Maintain the predefined and open authorization fields for the transactions.

  5. To generate an authorization profile based on this data, choose Generate.

    A dialog appears, in which you can change the profile name and the text.

    Note

    When you generate an authorization profile, the technical names of the authorizations are automatically reorganized. If an authorization already existed before the merge, it retains its number in the reorganization. A newly added standard authorization is always assigned the smallest number that has not yet been assigned.

    To display the technical names, choose Start of the navigation path Utilities Next navigation step Technical names End of the navigation path. They comprise the activity profile name and a two-digit number in the range 00 - 99:

    T_ <role> <nn> , such as T_5002995604

    The authorization profile generated in this way is added to the master records of the users of the role after the user master records are compared.

    Note

    You can also just save the profile and generate it later with Mass Generation of Profiles (transaction SUPC).

  6. To display an overview of the authorization profiles that exist for this role, choose Start of the navigation path Authorizations Next navigation step Profile Overview End of the navigation path. The overview contains profile names and their maintenance status ( not generated, maintenance version, active version).

Results

When you assign the role to a user, the associated authorization profile is also assigned to the user during the profile comparison.

For more information (see Assigning Profiles).

The system then displays the current status of the authorization profile: generated.

Next Steps