Show TOC

 Role AdministrationLocate this document in the navigation structure


You can use the role administration functions to manage roles and authorization data. The role management tool creates authorization data automatically based on selected menu functions, and presents it for postprocessing. It is also integrated with organizational management.

We recommend you use the role maintenance functions (transaction PFCG) to maintain your roles, authorizations and profiles. Although you can continue to create profiles manually, you need detailed knowledge of all SAP authorization components.

The role administration functions support you in performing your task by automating various processes and allowing you more flexibility in your authorization plan. You can also use the Central User Administration functions to centrally edit the roles delivered by SAP or your own, new roles, and to assign the roles to any number of users.

The roles (previously: activity groups), which are based on the organizational plan of your company, form the basic framework of the tool. These roles form the link between the user and the corresponding authorizations. The actual authorizations and profiles are stored in the SAP system as objects.

With the roles, you assign to your users the user menu that is displayed after they log on to the SAP system. Roles also contain the authorizations that users can use to access the transactions, reports, Web-based applications, and so on that are contained in the menu.

When you work with the role administration tool, you work with a level of information that is a step away from the actual objects in the SAP system. The graphic below shows how these two levels are separated, yet linked together with the role administration functions.

Structure of Role Administration

Implementation Notes

Since the standard SAP system contains a large number of roles already, you should check whether you can use these before defining your own roles.

To get an overview of the roles delivered with the system, do one of the following:

In the SAP Easy Access menu, choose Tools → Administration → User Maintenance → Infosystem →Roles → Roles By Complex Selection Criteriaand then Execute.

In role administration (Tools → Administration → User Maintenance →Roles), choose the input help for the Role field.

If you want to make modifications to an existing role, make a copy of it and modify this.

If you do not find suitable roles, write job descriptions before beginning your work in role administration (see also Initial Installation Procedure).

Either have all maintenance tasks performed centrally by a single superuser, or distribute the maintenance tasks to several users in order to increase system security. For more information, see Organization of the Authorization Administration.


The system administrator chooses transactions, menu paths (in the SAP menu) or area menus, in the role administration (transaction PFCG), and combines them in a tree. The selected functions correspond to the activities of a user or a group of users. The tree corresponds to the user menu that is displayed to the users to whom this role is assigned when they log on to the system.

The role administration tool automatically provides the required authorizations for the selected functions. Some of these have default values. Traffic lights show you which values you have not yet edited. After you have entered all of the values, generate an authorization profile from the authorizations and assign the role to the users.

In the role administration, you can:

Process Flow

With the role administration functions, you are work in the upper level displayed in the above graphic. You define the roles for the various job descriptions with the permitted activities. The role administration tool determines the authorizations for users for a particular role based on this information. The basic process is as follows:

  1. Assign transactions to job descriptions.

    Define job descriptions for each application area in your company (for example, in a job description matrix). For each position, determine the menu paths and transactions that the users in this position need to access. Determine the necessary access authorizations (display, change), as well as any restrictions that may apply.

  2. Edit the roles with the role administration (transaction PFCG).

    Using the role maintenance functions, create the roles that correspond to each of the job descriptions. For each role, select those tasks (reports and transactions) that belong to the corresponding job.

  3. Generate and edit authorization profiles

    In this step, the tool automatically builds the authorization profile that applies to the role. To accept or change the suggested profile, you must work your way through the profile tree structure and confirm the individual authorizations that you want to assign to the role.

  4. Assign users

    In this step, you assign users to the relevant role.

  5. Update the user master records

    The user assignment and generated profile need to be updated in the user master records. There are a number of ways of doing this (depending on the release):

    • In all releases, you can schedule a background job that regularly updates the user master records.
    • As of release 4.5, you can either use the function User compare, or you can have the system automatically update the user master records when you save the roles. (Choose Utilities → Settingsand activate the option Automatic comparison at save.)

      Even if you use the User Comparison function or the Automatic Comparison at Save option , we recommend that you schedule a background job and ensure that all user master records are automatically updated on a regular basis.



More information: