Start of Content Area

Procedure documentation Creating Single Roles  Locate the document in its SAP Library structure


If none of the standard roles delivered by SAP meet your needs, and they cannot be adjusted to do so, create your own single role with the following procedure.



       1.      To start role maintenance, either choose Create Role in the SAP Easy Access transaction die or Tools Administration User Maintenance Role Administration Roles (transaction PFCG).

       2.      Enter the name of the role.


Roles delivered by SAP start with the prefix  "SAP_". For your own user roles, instead of using the SAP namespace, use the customer namespace. This means that the prefix is "Y_" or "Z_".

You cannot tell from the names of the delivered roles whether they are single or composite roles. You should therefore create a naming convention for your roles so that you can differentiate between single and composite roles.

       3.      Choose Create.

       4.      Create a more detailed description of the role including, for example, the activities contained within it. You can create role documentation that can be displayed with HTML in the Knowledge Warehouse, and then assign it to the role by choosing Utilities Info Object Create assignment. The user can then call the documentation by choosing Show Documentation or Documentation for the role.


You can use an existing role as a reference to extend the authorizations of the user. For more information, see Derive roles.

       5.      You can assign transactions, reports, and Web addresses to the role on the Menu tab page. The system automatically creates the authorizations that you can set on the Authorizations tab page from the transactions that you store in the menu structure of the role. For more information, see Creating a Role Menus.


So that you can call the transactions in another system in a role, enter the RFC destination of the other system in the Target system field. If the Target system field is empty, the transactions are called in the system in which the user is logged on.

You should only use RFC destinations which were created using the Trusted System concept ( Trusted System: Trust Relationships between SAP Systems) to guarantee that the same user is used in the target system. This is only necessary, however, if you want to navigate using the Easy Access Menu in the SAP GUI.

If you use mySAP Workplace in the Web browser, you can use any destination containing a logical system with the same name.

You can also specify a variable which points to an RFC destination. Variables are assigned to the RFC destinations in the transaction SM30_SSM_RFC.

To distribute the role into a particular target system, specify the target system (its must have a release status of at least SAP R/3 4.6C) and choose Distribute.

       6.      To generate the profile for the role, choose Change Authorization Data on the Authorizations tab page.

An input window may appear, depending on which activities you selected You are prompted to enter the organizational levels. Organizational levels are authorization fields which occur in a lot of authorizations (an organizational level is, for example, a company code). If you enter a particular value in the dialog box, die authorization fields of the role are maintained automatically.

The authorizations which are proposed automatically for the selected activities of the role are displayed in the following screen. Some authorization have default values.

Wherever traffic lights appear in the tree display, you must adjust the authorization values manually. You can maintain the authorization values by expanding the object classes and clicking on the white fields to the right of the authorization field name.

When you have maintained the values, the authorizations count as manually modified and are not overwritten when you copy more activities into the role and edit the authorizations again. You can assign the complete authorization (*) for the hierarchy level for all non-maintained fields by clicking on the traffic lights.

Wherever there are red traffic lights, there are organizational levels with no values. You can enter and change organizational levels with Org. levels.


If you want other functions in the tree display, such as copying or collecting authorizations, you can show them with Utilities Settings.


                            a.      Generate an authorization profile for the authorizations. To do this, Choose Generate.

You are prompted for an authorization profile name. A valid name in the customer namespace is proposed.

                            b.      Leave the tree display after the profile generation.


If you change the menu and then call the tree display for the authorizations again, the authorizations of the new activities are mixed with those for the existing authorizations. There may then be a few yellow traffic lights, because there are authorizations in the tree that are incompletely defined. You must either manually assign values to these, or if you do not want to do this, delete them. To delete an authorization, deactivate it first and then delete it.

You can add general authorizations, such as spool display or print with authorization templates to the existing data. Choose Edit Insert authorizations From template. Choose a template (SAP_USER_B – Basis authorization for application users or SAP_PRINT – print authorization). You can also create a separate role for clarity.

       7.      You can also assign users to the role immediately.

       8.      Save your entries.


You have created a role. A user menu is displayed to the user to whom this role is assigned when he or she logs on to the system. The user has the authorizations which you specified to perform the activities in the user menu.


See also:

        Editing Predefined Authorizations

        Assigning Users a Standard Role

        Changing a Standard Role

        Creating a Composite Role



End of Content Area