Role Maintenance: Tips and Tricks 

Limiting Activities by Time

Even if you are not using HR-Org., you can still take advantage of the option to assign roles to users for a limited period of time. This is useful, for example, for your end-of-year procedure, where inventory activities should be permitted only for a limited time.

Choose Tools → Administration → User maintenance → Roles.

Under the tab User, you can set the assignment validity period.

To put a time-delimited assignment of an activity group to a user master record into effect, you must first execute a comparison.

The authorization profile is only entered or deleted in the user master record automatically if you have scheduled the background report to run periodically.

Job scheduling is also important for ensuring role consistency after an import.

SAP recommends that you schedule background program PFCG_TIME_DEPENDENCY for these cases.
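The following sketch is an added example, not SAP code: it models what the comparison has to reconcile, using constructed user names, role names, profile names and dates. For a given day it returns, per user, the generated profiles that a comparison would add or remove, which is the drift that remains in the user master record when the background job is not scheduled.

```python
from datetime import date

# Constructed sample data, not taken from a real system.
# Role assignments with validity period: (user, role, valid_from, valid_to)
ASSIGNMENTS = [
    ("JSMITH", "Z_INVENTORY_YE", date(2023, 12, 27), date(2024, 1, 5)),
    ("JSMITH", "Z_MM_DISPLAY", date(2023, 1, 1), date(9999, 12, 31)),
    ("MJONES", "Z_INVENTORY_YE", date(2023, 12, 27), date(2024, 1, 5)),
]
# Generated profile belonging to each role (hypothetical names).
ROLE_PROFILE = {"Z_INVENTORY_YE": "T-YE000001", "Z_MM_DISPLAY": "T-MM000001"}
# Profiles currently entered in each user master record.
USER_PROFILES = {
    "JSMITH": {"T-YE000001", "T-MM000001", "Z_MANUAL_PROFILE"},
    "MJONES": set(),
}


def compare(assignments, role_profile, user_profiles, today):
    """Return {user: (profiles_to_add, profiles_to_remove)} for one day.

    Only generated profiles are reconciled; profiles that do not belong
    to any role (such as Z_MANUAL_PROFILE above) are left alone.
    """
    generated = set(role_profile.values())
    wanted = {}
    for user, role, valid_from, valid_to in assignments:
        wanted.setdefault(user, set())
        # Both ends of the validity period are treated as inclusive.
        if valid_from <= today <= valid_to:
            wanted[user].add(role_profile[role])

    drift = {}
    for user in sorted(set(wanted) | set(user_profiles)):
        have = user_profiles.get(user, set()) & generated
        want = wanted.get(user, set())
        to_add, to_remove = sorted(want - have), sorted(have - want)
        if to_add or to_remove:
            drift[user] = (to_add, to_remove)
    return drift


if __name__ == "__main__":
    # After the year-end window: JSMITH still holds the expired profile.
    print(compare(ASSIGNMENTS, ROLE_PROFILE, USER_PROFILES, date(2024, 1, 10)))
    # Inside the window: MJONES was assigned the role but has no profile yet.
    print(compare(ASSIGNMENTS, ROLE_PROFILE, USER_PROFILES, date(2023, 12, 28)))
```

A non-empty result after the validity period has ended means a user still holds authorizations that the role assignment no longer grants.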

User assignment

Never insert generated profiles directly into the user master record (Transaction SU01). Assign the role to the user in the Roles tab in transaction SU01 or choose the User tab in role maintenance (PFCG) and enter the user to whom you want to assign the role or profile.

If you then compare the user master records, the system inserts the generated profile in the user master record.

Do not assign any authorizations for modules you have not yet installed

If you intend to gradually add modules to your system, it is important you do not assign any authorizations for those modules you have not yet installed. This ensures that you cannot accidentally change data in your production system you may need at a later stage.

Leave the corresponding authorizations or organizational levels open. Do not set the Check Indicator in Transaction SU24 to No check.

Initial authorization assignment

You want to create a user in the test system who can do "almost anything": typically, such users cannot create a user master record or change authorization profiles.

The fastest way to set up this user is as follows:

  1. Create a role.
  2. In Authorizations, choose Change authorization data and then Edit → Insert → Full authorization.
  3. Expand the Basis administration object class.
    This contains the authorization objects generally regarded as critical.
  4. Deactivate all authorizations which begin with User master maintenance and any others which you regard as critical. You need the authorization User master maintenance: User groups (S_USER_GRP) with the value * in the fields CLASS and ACTVT for transaction SU24.
  5. Generate the profile and assign the authorizations to a user under User.
  6. Assign the role you have just created to users by entering them in Role.