Generating Authorization Profiles


Authorization profiles must be generated before you can assign them to users. An authorization is generated for each authorization level in the browser view, and an authorization profile for the whole role as represented in the browser view.


         You have the authorization for the object User Master Maintenance: Authorization Profile (S_USER_PRO).

         If you have already assigned the changed profile to a number of users, you should note the following:

You should only generate profiles after the users of the role you want to edit have logged off the system. If the users are logged on, they must log on again after generation to have the current authorizations.



       1.      In role maintenance (transaction PFCG), choose the Authorizations tab page.

The status display on the Authorizations tab page displays whether or not the corresponding authorization profile is current. The profile is not current if the display is red or yellow. In this case, the status text on the tab page shows the reason for this.

       2.      To change the authorization data for the transactions assigned to the role, choose Change Authorization Data or Expert Mode for Profile Generation. Otherwise, a dialog box appears in expert mode (see Regenerating an Authorization Profile After Changes).

If you are generating the profile for the first time, there is no difference between the two modes.

       3.      Maintain the predefined and open authorization fields for the transactions.

       4.      To generate an authorization profile based on this data with the Profile Generator, choose Generate.

A dialog window appears, in which you can change the profile name and the text.


When you generate an authorization profile, the technical names of the authorizations are automatically reorganized. If an authorization already existed before the merge, it retains its number in the reorganization. A newly added standard authorization is always assigned the smallest number that has not yet been assigned.

You can display the technical names by choosing Utilities → Technical names on. They comprise the activity profile name and a two-digit end number in the range 00 - 99:

T_<role>nn, such as T_5002995604

The authorization profile generated in this way is added to the master records of the users of the role after the user master records are compared.


You can also just save the profile and generate it later with the transaction Mass Generation of Profiles (SUPC).

       5.      To display an overview of the authorization profiles that exist for this role, choose Authorizations → Profile Overview. The overview contains profile names and their maintenance status (not generated, maintenance version, active version).


When you assign the role to a user, the associated authorization profile is also assigned to the user during the profile comparison (see Assigning Profiles).

The system then displays the current status of the authorization profile: generated.
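
The renumbering rule from step 4 (existing authorizations keep their number, a new one gets the smallest unassigned number), modeled in Python as an added example. This is not SAP code; the function names, labels and sample data are assumptions made for illustration.

```python
import re

# Layout given on the page: <profile name> + two-digit number 00-99,
# e.g. T_5002995604 = profile name "T_50029956" + number 04.
_NAME = re.compile(r"^(?P<profile>.+)(?P<num>\d{2})$")


def split_technical_name(name):
    """Split a technical authorization name into (profile_name, number)."""
    m = _NAME.match(name)
    if m is None:
        raise ValueError(f"unexpected technical name: {name!r}")
    return m.group("profile"), int(m.group("num"))


def reorganize(profile, existing, added):
    """Apply the renumbering rule to one profile.

    existing: {label: technical_name} present before the merge
    added:    labels of newly added standard authorizations, in order
    Returns {label: technical_name} after generation.
    """
    result, used = {}, set()
    for label, name in existing.items():
        prof, num = split_technical_name(name)
        if prof != profile or num in used:
            raise ValueError(f"inconsistent existing name: {name!r}")
        used.add(num)
        result[label] = name  # existing authorizations keep their number
    free = [n for n in range(100) if n not in used]
    if len(added) > len(free):
        # The page only defines the range 00-99; this model stops there.
        raise ValueError("no unassigned number left in 00-99")
    for label, num in zip(added, free):
        result[label] = f"{profile}{num:02d}"  # smallest unassigned first
    return result


# Constructed sample: the labels are hypothetical placeholders, the profile
# name is taken from the page's example name T_5002995604.
EXISTING = {"auth_a": "T_5002995600", "auth_c": "T_5002995602",
            "auth_e": "T_5002995604"}

if __name__ == "__main__":
    after = reorganize("T_50029956", EXISTING, ["new_1", "new_2", "new_3"])
    for label, name in sorted(after.items(), key=lambda kv: kv[1]):
        print(name, label)
```

Under this rule a number that is no longer assigned is handed to the next new authorization, so when reviewing role changes compare the field values and not only the technical names.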

See also:

        Regenerating Authorization Profiles Following Changes

        Checking Roles for Existing Profiles

