
Assigning Authorizations


A single administrator (superuser) or a group of administrators assigns authorizations, depending on the size and organization of your company. By assigning authorizations, the administrator determines (within the range of possibilities defined by the programmer) which functions a user may execute or which objects he or she may access.


The following rules apply to the use of placeholders in manual authorizations (transaction SU03) and in roles (transaction PFCG):

       The asterisk (*) is the only valid placeholder. All placeholders that are familiar from other applications, such as the plus sign (+), are handled as normal characters.

       If an authorization value contains additional characters after an asterisk, these are ignored during the authorization check. Example: The value A*B is interpreted as A*.

Process Flow

As an administrator, you perform the following steps to assign authorizations:

      Editing authorizations for each authorization object

An authorization is the combination of permissible values in each authorization field of an authorization object.

      Generating authorization profiles

Authorizations are grouped in authorization profiles in such a way that the profiles describe work centers, for example, flight reservation clerk.

We recommend that your system administrator automatically sets up authorization profiles using the Profile Generator (see Role Administration). If necessary, the administrator can also set up an authorization profile manually by choosing Tools → Administration, User maintenance → Profiles (see Creating and Maintaining Authorizations and Profiles Manually).

      Assigning authorization profiles to a user master record

By assigning the roles, you assign the corresponding authorization profiles (work centers) to a user master record.


When an authorization check takes place, the system compares the values entered by the administrator in the authorization profile with those required by the program for the user to execute a certain activity.
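
The placeholder rules and the value comparison described above can be modeled for review purposes. The following Python sketch is an added example, not SAP code: it implements only the two placeholder rules stated on this page, assumes a check passes when every required field is covered by at least one granted value, and uses constructed field names and values.

```python
def effective_value(value: str) -> str:
    """Value as the check interprets it: text after the first '*' is ignored."""
    star = value.find("*")
    return value if star == -1 else value[: star + 1]


def value_matches(granted: str, required: str) -> bool:
    """True if a granted authorization value covers the value the program requires."""
    eff = effective_value(granted)
    if eff.endswith("*"):
        return required.startswith(eff[:-1])  # prefix match; '*' alone covers everything
    return required == eff  # no asterisk: literal comparison, '+' included


def check(authorization: dict, required: dict) -> bool:
    """Assumed model: each required field needs at least one matching granted value."""
    return all(
        any(value_matches(g, want) for g in authorization.get(field, []))
        for field, want in required.items()
    )


def audit(authorization: dict) -> list:
    """Flag granted values whose effective meaning differs from what was typed."""
    findings = []
    for field, values in authorization.items():
        for v in values:
            eff = effective_value(v)
            if eff != v:
                findings.append((field, v, f"checked as {eff!r}: text after '*' is ignored"))
            elif "+" in v:
                findings.append((field, v, "'+' is a literal character, not a placeholder"))
    return findings


# Constructed sample: one authorization for a flight reservation clerk.
# Field names and values are made up for illustration.
CLERK = {"CARRIER": ["LH", "A*B"], "BOOKING_CLASS": ["Y+"], "ACTIVITY": ["03"]}

if __name__ == "__main__":
    for finding in audit(CLERK):
        print(finding)
    # "A*B" is checked as "A*", so carrier "AZ" is covered as well.
    print(check(CLERK, {"CARRIER": "AZ", "BOOKING_CLASS": "Y+", "ACTIVITY": "03"}))
```

Running `audit` over exported authorization values shows where an entry grants more (A*B) or less (Y+) than the person who typed it probably intended.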

