Start of Content Area

Procedure documentation Setting Up General Authorization Checks Locate the document in its SAP Library structure

Use

You set up authorizations in the form of roles using role maintenance (transaction PFCG). Roles provide a business perspective by representing the tasks and activities that a user is authorized to perform in the system. Authorizations are parts of roles and are stored as an authorization profile for the role. Role maintenance generates one part of the authorization profile (functional part) automatically; you must define the part of the profile that controls which data a user has access to manually. You can generate several authorization profiles for each role. When you generate roles, you also define the authorization objects with the necessary field specifications.

User menus provide access to the transactions, reports or web-based applications contained in the roles. A user menu should therefore contain only the functions that are required by a specific user with a specific task profile for daily work.

Note

Authorizations were set up using the transactions SU01 and SU03 up to release 4.6A. Up until then, the common term used to describe roles was activity groups.

Procedure

To create roles and to generate authorization profiles, proceed as follows:

  1. To create or change a role, choose Role Maintenance using transaction PFCG. If you want to create your own user roles, make sure you do not use the SAP namespace (all roles delivered by SAP have the prefix SAP_).
  2. In the Menu tab page, assign transactions, reports, and/or web addresses to the role. By doing this, you set the user menu that is automatically called up when the user assigned to this role logs on to the SAP system. When you assign transactions and so on, the user’s role or task profile is defined. The transactions defined in Menu tab page are are then used by the system to create authorizations automatically.
  3. You can change the authorizations that were automatically created by the system if you need to by setting the menu in the Authorizations tab page. To do so, choose the Expert Mode option under Maintain Authorization Data and Generate Profile in this tab page.

    4. You can create additional authorizations when you change the authorizations that you have already created by choosing additional authorization objects and so on, for example.

  4. In the Authorizations tab page , also generate the authorization profile belonging to the role when you have finished any post-processing work on the automatically created authorizations.
  5. In the User tab page , assign users to the newly generated role.

Note

You can also assign users to roles by user groups and by objects (for example, job) in Organizational Management. You cannot use the profile generator for this type of assignment; you must use transaction SU10 (User Maintenance: Mass Changes) in Organizational Management.

Caution

The generated profile is only entered in the user master record once a user comparison has taken place. A comparison is also required if changes are made to the users assigned to the role and if an authorization profile is generated.

For more information about setting up authorization profiles, see the Implementation Guide (IMG) for Personnel Administration under Tools ® Authorization Management ® Maintain Profiles.

In addition, you can find all relevant and non-HR-specific information on authorization maintenance (Role Maintenance) in the SAP Library under Basis ® Computing Center Management System (BC-CCM) ® Users and Roles (BC-CCM-USR).

 

 

 End of Content Area