Role Administration: Example


You are using the SD and MM applications but not HR or HR-ORG.

You are not using warehouse management within materials management.

Your company has five plants and you want to create material master data for them. A separate employee is responsible for each plant, who must not be able to edit the data for other plants.


In order to understand this scenario and to be able to adapt it for your own purposes, you will need a basic knowledge of the SAP authorization concept, authorization objects, authorizations and authorization profiles.

The following assumes that none of the predefined user roles satisfies your requirements.



Activate the Profile Generator and permit authorization checks to be suppressed

The system parameter auth/no_check_in_some_cases must be set to the value 'Y'. This is the case for new installations.

Check the setting in your system using report RSPARAM.

Copy SAP default settings for check indicators and authorization field values

Copy the SAP default check indicator settings for the authorization objects in transactions and the authorization field values for the Profile Generator using Transaction SU25.

You can then edit the default check indicators using Transaction SU24.

For more information, see Preparatory Steps.

Creating and Editing an Authorization Profile for a User

Create a user-specific menu with appropriate authorizations.

The user needs to be able to:

      Edit material master data for plant 0001 in company code 0001, all sales organizations and distribution channels

      Display material master data for all plants and company codes.

The user needs a range of authorizations to be able to do this. These are grouped together in an authorization profile.

To create an authorization profile for a user, do the following:


       1.      Create a role and generate an authorization profile

       2.      Assign the role to a user

       3.      Change the role (optional)

       4.      Change the check indicator defaults (optional)

       5.      Copy the general authorizations from SAP defaults (optional)

       6.      Regenerate the Authorization Profile Following Changes

       7.      Check the authorization profile

These steps are described in detail below.

1.   Create a role and generate an authorization profile

You use roles to define the functions (transactions) for which a user receives authorizations.

1.       On the initial screen of the user administration tool (transaction SU01), choose Environment → Maintain role.

2.       Create a role. Enter MATST_0001 as the identification code and choose Create.

3.       On the following screen, enter an appropriate description.

4.       Choose the Menu tab and SAP Menu.

5.       Expand the Logistics, Materials management and Material master levels.

6.       Flag the checkbox next to Material. If you expand this branch further, the transactions you have selected are displayed, including Create/Display/Change material.

7.       Copy the selection. The system now compiles the authorization data using the transactions you have selected.

8.       Under the Authorizations tab, choose Change authorization data.

9.       In the next dialog box, you are required to edit the organizational levels. Organizational levels are fields in the authorization system, determined by SAP, that relate to the enterprise structure. These fields occur in many authorizations. You only need to edit them once, in this dialog box for the organizational levels.

Corresponding to our scenario, you would need to enter the following values (each time in the From field):

    Company code: 0001

    Warehouse number / complex (no entry, since there is no warehouse management)

    Sales organization: *  (all)

    Distribution channel: *  (all)

    Plant: 0001

Choose Enter.

10.   The authorization data is displayed hierarchically in the following screen: the role at the highest level, the object classes of the authorization objects for this role below.

Expand a few levels of the hierarchy. By choosing Color legend, you can display an explanation of the colors used in the authorization component hierarchy.

At the lowest level, for example, are the authorization field values: most fields have default values, either from SAP or from your organizational level values.

The traffic lights indicate whether there are fields whose values you have not yet maintained.

Red: You have not maintained the organizational levels.

Yellow: You have not assigned values to fields (not organizational levels).

11.   Expand the levels with red traffic lights: this includes an authorization for the object Material master record: Warehouse number. Since you are not using warehouse management in your company, no employee needs authorization to administer this data.

12.   Deactivate this authorization by choosing the relevant icon.
The authorization is flagged as Inactive. When you generate authorization profiles later, this authorization will not be copied into the profile.

There are now no more red traffic lights, since no active authorizations with unmaintained organizational levels remain.

13.   There are, however, a lot of yellow traffic lights. For each of these you need to supply values in the authorization fields by choosing the edit icon for the fields.

You can display help as follows:

By double-clicking the text of an authorization object

By double-clicking the text of an authorization field

14.   Assign full authorization

To assign full authorization (*), click on the star symbol next to an authorization field.

You can assign full authorization for all unmaintained (empty, open) fields in an organizational level by clicking on the traffic light. Once you have confirmed the operation, full authorization (*) is assigned for all empty fields in the subordinate levels of the hierarchy. Note how the traffic light reacts.

You can display detailed information on the individual icons by choosing Color legend.

15.   When you have finished editing the data, save your changes. Here you can also change the default name for the authorization profile to be generated.

16.   Generate the authorization profile by choosing Generate. To do this, you need the appropriate authorization. An active authorization profile is generated from the authorization data.

2.   Assign roles and authorization profiles to a user

Assign role MATST_0001 to users by entering names in the lists displayed under the Users tab. These users have the proper authorizations to execute the role transactions. See the online documentation for more information on assigning users in Users.


The generated profile is not entered in the user master record until the user master records have been compared. To do this, choose Compare users.

You can also assign a role to a user in the user administration transaction (SU01) in Roles. For more information, see Assigning roles.

Log on to the system again with the user name that you have entered. The user should now have all of the authorizations necessary to administer material masters in plant 0001 / company code 0001. It should also be possible to display data for all plants, but this does not yet work.

3.   Change the role (optional)

You change a role as follows:

1.       In the initial screen of role administration, enter the name of the role you want to change and choose Change.

2.       By choosing Menu and Menu selection, you can also activate the menu functions Stock overview, Close period, Allow posting to a previous period. Save your changes.

3.       Under the Authorizations tab, choose Authorization data to access authorization administration. Two new organizational levels have now appeared in the dialog box: Purchasing group and Purchasing organization. Maintain these (enter * for example) and choose Continue.

Some new authorizations have been added to the group because new functions have been added. These are marked as New. Some of these will already contain values, others will need to be maintained manually (yellow traffic light). The warehouse management authorization is still inactive. New authorizations (for the period closing program, for example) may already be filled if they only affect organizational levels that already contain values.

If you also want to assign authorization to display data for all plants, proceed as follows:

1.       Expand the authorization for the Material master: Plant object. Choose Copy to copy the authorization.

2.       Edit the activities in the authorization you have copied. Delete all authorizations except Display.

3.       Edit the Plant field by choosing the edit icon. Choose Full authorization.
Notice that the authorization status has changed to Changed. This means that you have changed activities and / or organizational levels that no longer correspond to the default authorizations for the selected functions.


Note that when you change an organizational level by choosing Org. Levels, this affects all fields in the organizational level. Exception: fields whose status has changed.

If, on the other hand, you edit an organizational level by choosing the edit icon, the changes only apply to the field. The field then has the status Changed.

4.       Generate the authorization profile.
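
The effect of the copied display-only authorization can be modelled as follows. This is an added example, not part of the SAP documentation: the technical object name M_MATE_WRK, its fields ACTVT and WERKS, and the activity codes 01/02/03 are assumptions not stated on this page, and both profiles are constructed sample data.

```python
# Added illustration: simplified model of an authorization check against
# the authorizations held in a generated profile.
# Assumptions (not from the page): object M_MATE_WRK with fields ACTVT and
# WERKS; activity codes 01 = create, 02 = change, 03 = display.

def field_allows(allowed, requested):
    """A field passes on '*', an exact value, or a (from, to) range."""
    for entry in allowed:
        if entry == "*" or entry == requested:
            return True
        if isinstance(entry, tuple) and entry[0] <= requested <= entry[1]:
            return True
    return False

def check(profile, obj, **requested):
    """Pass only if ONE authorization for obj satisfies ALL requested fields.

    Field values are never combined across two authorizations, which is why
    a display-only copy with plant '*' does not widen the change rights.
    """
    for auth_obj, fields in profile:
        if auth_obj != obj:
            continue
        if all(field_allows(fields.get(name, []), value)
               for name, value in requested.items()):
            return True
    return False

# Constructed profile for role MATST_0001 after the copy described above.
MATST_0001 = [
    # Original authorization: plant comes from the organizational level.
    ("M_MATE_WRK", {"ACTVT": ["01", "02", "03"], "WERKS": ["0001"]}),
    # Copied authorization: activities reduced to display, plant set to '*'.
    ("M_MATE_WRK", {"ACTVT": ["03"], "WERKS": ["*"]}),
]

# Contrast case: plant set to '*' in the original authorization instead of
# in a display-only copy. Every activity now applies to every plant.
PLANT_WIDENED_IN_ORIGINAL = [
    ("M_MATE_WRK", {"ACTVT": ["01", "02", "03"], "WERKS": ["*"]}),
]

def access_matrix(profile, plants=("0001", "0002"), activities=("02", "03")):
    """Return {(plant, activity): allowed} for the plant-level object."""
    return {(p, a): check(profile, "M_MATE_WRK", ACTVT=a, WERKS=p)
            for p in plants for a in activities}
```

Comparing access_matrix(MATST_0001) with access_matrix(PLANT_WIDENED_IN_ORIGINAL) shows why the procedure copies the authorization before opening the Plant field: only the second profile allows change (02) in plant 0002.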

4.   Change the check indicator defaults (optional)

You will have noticed that you need to edit the warehouse management data in order to set the red and yellow traffic lights to green. You can avoid this by changing the transaction defaults.

1.       To do this, call Transaction SU24.

2.       Choose Edit check indicators in all transactions and enter M_MATE_LGN as the object. Choose Execute.

On the next screen, the system displays all the transactions which check this authorization object. You can assign the Check Indicators globally for the object. In this case it is a good idea to check this object in all transactions, but not to copy the defaults into the Profile Generator.

Select all transactions, set the check indicator in the top line to P and choose Save. All transactions are set to P. Save your data.

3.       Return to editing role MATST_0001. On the Authorizations tab page, choose Change authorization data. You can see from the overview that all data for the M_MATE_LGN authorization object has disappeared.

4.       You can also change the check indicator for each individual transaction. For example, from the initial screen of Transaction SU24, enter Transaction MMPV Close Periods. If you do not want the default value 51 Initialize for object M_MATE_PER Material master: Allow backposting to be copied into the role, change the proposal for transaction MMPV by editing the field values. You can reactivate the SAP defaults at any time, restoring the default values delivered when you installed the system.

It is sensible to change the defaults whenever several roles are affected, whether these roles already exist (and must therefore then be compared) or will be created in the future.

5.   Copy the general authorizations from SAP defaults (optional)

Notice that the generated profile does not give users general authorizations such as those required for printing. It does not make sense to copy general authorizations to each transaction with the check indicator CM.

There are two options:

1.       Create a role which only contains general authorizations (such as printing). Then assign this role to all users. This is the best thing to do if all users are to be allowed to print from any printer, for example.

Then compare the user master records.

2.       Use a template to import the required objects into the role and then maintain missing field contents. This is the best thing to do if each user assigned to a role may use only one particular printer, for example.

In the authorization data administration tool, choose Edit → Insert → From template. Choose the SAP_PRINT template. The system inserts authorization data, which you must then complete yourself (printers to be used, and so on).

If you want to create your own templates, choose Edit templates in Transaction SU24. You need the authorization User master maintenance: User groups, S_USER_GRP. You can create your own templates or you can copy the SAP templates and edit them. Unlike changes to defaults, changes to templates are not passed on when you compare roles. Your own templates must not begin with S.

6.   Regenerate the Authorization Profile Following Changes

Regenerate the authorization profile so that your changes take effect in the system.

7.   Check the authorization profile

Test your generated authorization profile.

If any authorizations are missing or superfluous, you have two options:

1.       Change the role: change activities, create authorizations manually, deactivate authorizations

2.       Change the defaults using Transaction SU24 as described above and compare the roles.

If an authorization check fails during a transaction, you can see which authorization is missing by choosing System → Utilities → Display auth. check (Transaction SU53).

Test this example until you are happy with the result and the user can perform exactly the correct action in the plant/company code 0001. Change the organizational level to plant 0002 and company code 0002 and generate the authorization profile. You can then assign this role to the users who are to execute material master administration for plant 0002.

Installing a new module

Suppose you later want to install warehouse management. You need to undo all the changes you have made that affect authorization object M_MATE_LGN.

You should then check whether the functions in your role are still correct. Is the menu selection still current, for example? Always compare your authorization data.

