
Authorization Checks when Adjusting Derived Roles

You are maintaining the authorization data for a role in the Profile Generator (transaction PFCG, by choosing Change Role on the Authorizations tab page), and want to transfer this data to the derived roles (Authorizations → Adjust Derived → Save Derived Roles).

The authorization checks performed here correspond to those that would be performed if you adjusted the derived roles manually. The following checks are performed, in the order in which they are listed:


1. Changing a Role

The user requires change authorization for all derived roles (S_USER_AGR, activity 02). To avoid inconsistencies between the derived roles, the process is terminated if the authorization check fails for at least one role. A list of all roles for which change authorization has not been assigned is displayed first.

2. Saving the Profile Names

The system automatically generates profile names (starting with "T-") for roles to which no profile name has yet been assigned. The system then checks whether the role administrator is authorized to save the name (S_USER_PRO, activity 01). Here too, the program continues only if all checks are successful, because roles without profile names cannot be saved correctly. The profile and role names for all failed checks are displayed.

3. Removing the Authorizations from the Derived Roles

During the adjustment of derived roles, their authorization data is completely removed and replaced by the data of the original role. Since the authorizations of the derived roles can be maintained individually, the system must check whether the administrator has the required authorizations for S_USER_VAL to be permitted to remove them. If the derived roles also contain manual authorizations for the object S_TCODE, the corresponding rights for S_USER_TCD are also required. Unless the checks are successful for all derived roles, the process is terminated after the missing authorizations have been displayed.

4. Copying the Authorizations from the Original Role

The administrator’s authorizations for S_USER_VAL and S_USER_TCD are also checked here. Note that full authorization is required in the field AUTH_VALUE of S_USER_VAL for authorization fields that contain ranges of values (see also SAP Note 495282). If the derived role also contains manual authorizations for the object S_TCODE, the corresponding rights for S_USER_TCD are also required. These conditions also apply to point 3. If authorizations are missing, a list is again displayed before the process terminates with an error message.

5. Generating the Profiles

If you have chosen the function Generate Derived Roles, you also require the authorization S_USER_AGR with activity 64 for the original role and the derived roles. For structural reasons, it is not possible to adjust derived roles if you do not have authorization to generate the profile of the original role, since this action is performed before the adjustment process. If this is the case, the system displays system message 425 (class S#). Derived roles for which the profiles cannot be generated due to missing authorization are displayed in a list at the end of the adjustment process. The profiles of all other roles are generated. Termination is not required, since the authorization data of the derived roles cannot become inconsistent. After confirming the list, the system displays message 680 (S#) to complete the process. If all profiles have been generated, the system displays the message "Action performed successfully".


You can also use a background job to adjust derived roles. To do this, schedule a variant of the report SUPRN_REGENERATE_DEPENDENT, in the selection screen of which you enter the name of the original role in the field TOP_AGR. To also generate the profile, select the field GEN with an "X", otherwise leave it empty. If authorization checks fail during the run, these are recorded in the job log.
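A pre-check that can be run before scheduling the job, as an added example that is not SAP's own code: it tests the S_USER_AGR checks from points 1 and 5 for the user the job will run as, and shows which failures stop the whole adjustment and which only skip a profile. The report name and parameter names are hypothetical; it assumes that derived roles reference their original role in AGR_DEFINE-PARENT_AGR, and it does not cover the S_USER_PRO, S_USER_VAL and S_USER_TCD checks.

```abap
REPORT z_precheck_derived_adjust.
* Added example, not SAP code; report and parameter names are hypothetical.
PARAMETERS: p_top  TYPE agr_name OBLIGATORY,       " original role (TOP_AGR in the variant)
            p_user TYPE xubname DEFAULT sy-uname,  " user of the job step
            p_gen  AS CHECKBOX.                    " mirrors GEN = 'X'

START-OF-SELECTION.
  DATA lt_roles   TYPE STANDARD TABLE OF agr_name WITH EMPTY KEY.
  DATA lv_blocked TYPE abap_bool VALUE abap_false.

  " Assumption: derived roles carry the original role in AGR_DEFINE-PARENT_AGR.
  SELECT agr_name FROM agr_define
    WHERE parent_agr = @p_top INTO TABLE @lt_roles.

  " Point 1: activity 02 on every derived role; a single failure terminates the run.
  LOOP AT lt_roles INTO DATA(lv_role).
    AUTHORITY-CHECK OBJECT 'S_USER_AGR' FOR USER p_user
      ID 'ACT_GROUP' FIELD lv_role
      ID 'ACTVT'     FIELD '02'.
    IF sy-subrc <> 0.
      lv_blocked = abap_true.
      WRITE: / 'No change authorization (02):', lv_role.
    ENDIF.
  ENDLOOP.
  IF lv_blocked = abap_true.
    WRITE: / 'The adjustment would be terminated for all derived roles.'.
    RETURN.
  ENDIF.
  IF p_gen = abap_false.
    RETURN.
  ENDIF.
  " Point 5: activity 64 on the original role is a precondition for the adjustment.
  AUTHORITY-CHECK OBJECT 'S_USER_AGR' FOR USER p_user
    ID 'ACT_GROUP' FIELD p_top
    ID 'ACTVT'     FIELD '64'.
  IF sy-subrc <> 0.
    WRITE: / 'No generate authorization (64) for original role:', p_top.
    RETURN.
  ENDIF.
  " Point 5: on a derived role, a failure only means its profile is not generated.
  LOOP AT lt_roles INTO lv_role.
    AUTHORITY-CHECK OBJECT 'S_USER_AGR' FOR USER p_user
      ID 'ACT_GROUP' FIELD lv_role
      ID 'ACTVT'     FIELD '64'.
    IF sy-subrc <> 0.
      WRITE: / 'Profile would not be generated for:', lv_role.
    ENDIF.
  ENDLOOP.
```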


You can adjust the data for all derived roles in a single work step. If there are multiple derived roles for an original role and you want to adjust the authorization data for all derived roles to the data of the original role, we recommend that you use one of the functions listed under 3 or 4, instead of adjusting the roles individually with Transfer Data.

