
PFCG - ROLE MAINTENANCE

Roles and authorization data are managed with role maintenance. The Profile Generator is the role maintenance tool that automatically creates authorization data based on the selected menu functions. The generated data is then presented for fine-tuning.
To maintain roles, authorizations, and profiles, it is recommended to use the role maintenance functions and the Profile Generator (transaction PFCG). Profiles can still be created manually, but this requires detailed knowledge of all SAP authorization components. The role maintenance functions automate various processes, which supports you in performing your task and allows you to be more flexible in your authorization plan. The central user administration functions can be used to centrally maintain the roles delivered by SAP or your own new roles, and to assign the roles to any number of users.
The roles (previously: activity groups), which are based on the organizational plan of your company, form the structure for the Profile Generator. These roles act as the connection between the user and the corresponding authorizations. The actual authorizations and profiles are stored as objects in the SAP system.
After logging on to the SAP System, the user sees a user menu built from the roles that have been assigned to that user. The roles contain the authorizations with which users can access the applications in the menu, such as transactions, reports, and Web-based applications.

Features:

Role maintenance can be used to:


Change and Assign Roles
Create Roles
Create Composite Roles
Transport and Distribute Roles

Change and Assign Roles


SAP Easy Access - SAP menu
1. Choose the Create role pushbutton in the initial transaction SAP Easy Access, or start transaction PFCG.
2. Enter the name of the delivered standard role in the Role field.
3. Choose Copy role to copy the standard role, and enter a name from the customer namespace.
Change only the copies of these roles (Z_), not the delivered standard roles (SAP_). Otherwise, standard roles that have been modified will be overwritten by newly delivered standard roles during a later upgrade or release change.
4. Choose Change (the new name is now in the Role field).
5. On the Menu tab page, the user menu can be changed. It can be reduced, extended, and restructured.
Role Maintenance - Role = ZTESTROLE - Create Role

Creating Roles
1. To start role maintenance, choose Create Role in the SAP Easy Access transaction, or choose Tools → Administration → User Maintenance → Role Administration → Roles (transaction PFCG).
2. Enter the name of the role. Roles delivered by SAP start with the prefix "SAP_". For your own user roles, use the customer namespace instead of the SAP namespace; the prefix is "Y_" or "Z_". The names of the delivered roles do not show whether they are single or composite roles. Create a naming convention for your roles so that single and composite roles can be told apart.
3. Choose Create.
4. On the Menu tab page, transactions, reports, and Web addresses can be assigned to the role.

Create Roles - Role = ZTESTROLE, Description = this is just a stest role - Save (Ctrl+S)

Change Role: Assign transactions


Transaction code    Text
SU01                User Maintenance
SM21                Online System Log Analysis
PFCG                Role Maintenance

Add transactions (Shift+F7)

Add additional objects - Select which type of object you want to add - click Web address or file

Transaction Code for Reports - Report type - ABAP report

Select from the SAP menu - Role menu - Role Maintenance

Selection of Transactions from the Menu - SAP standard menu - Office

Generate Authorization Profile:

Choose Change authorization data on the Authorizations tab and maintain the authorization field values as required. To adjust the authorizations after menu changes, choose the Profile generation expert mode pushbutton on the Authorizations tab and then Read old version and adjust to new data.

Change Authorization Data

To generate the profile for the role, choose Change Authorization Data on the Authorizations tab page.
Depending on which activities you select, an input window may appear; enter the organizational levels when prompted. Organizational levels are authorization fields that occur in many authorizations (an organizational level is, for example, a company code). If you enter a particular value in the dialog box, the authorization fields of the role are maintained automatically. The following screen displays the automatically proposed authorizations for the selected activities of the role. Some authorizations contain default values. Wherever traffic lights appear in the tree display, you must adjust the authorization values manually. The authorization values can be maintained by expanding the object classes and clicking on the white fields to the right of the authorization field name.
Once the values are maintained, the authorizations count as manually modified; they are not overwritten when more activities are copied into the role and the authorizations are edited. Clicking on the traffic lights assigns the complete authorization for that hierarchy level to all non-maintained fields.

Maintain the Role ORG Level Values

Wherever there are red traffic lights, there are organizational levels with no values. Organizational levels can be entered and changed with Org. levels.
Utilities → Settings provides other functions in the tree display, such as copying or collecting authorizations.
A) Generate an authorization profile for the authorizations. To do this, choose Generate. The application prompts for an authorization profile name and proposes a valid name in the customer namespace.
B) Leave the tree display after the profile generation.

Change role :Authorizations


ZTESTROLE - Standard = Cross-application Authorization objects - Transaction Code Check Transaction start - Transaction Code = PFCG, SM21, SU01

Standard Basis: Administration


Status =Change
User Master Maintenance: Authorization profile
Activity: Auth. profile in user master m - Create or generate and Display change documents

Assign Full Authorization for Subtree


Set authorization field to '*' (full authorization) for Authorized =User Master Maintenance: Authorization profile
If you call the tree display for the authorizations again after changing the menu, the new authorizations and the existing authorizations are mixed. There may then be a few yellow traffic lights, because the tree contains incompletely defined authorizations. You must either assign values to these manually, or delete them if you do not want to do this. To delete an authorization, first deactivate it and then delete it.
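
The traffic-light states described above can be reproduced outside the system when a role's authorization data is reviewed before the profile is generated. The following Python code is an added example, not part of the original document and not SAP code; the sample role, the function names, the choice of BUKRS as the only organizational-level field and the F_BKPF_BUK entry are constructed assumptions.

```python
# Added example: a pre-generation review of role authorization data, not SAP code.
ORG_LEVEL_FIELDS = {"BUKRS"}  # assumption: company code, the page's org-level example
SENSITIVE_OBJECTS = {"S_USER_GRP", "S_USER_PRO"}  # user administration objects

# Constructed sample role: (authorization object, {field: [values]}).
ROLE_AUTHS = [
    ("S_TCODE",    {"TCD": ["PFCG", "SM21", "SU01"]}),
    ("S_USER_GRP", {"ACTVT": ["03"], "CLASS": []}),        # open field
    ("S_USER_PRO", {"ACTVT": ["03"], "PROFILE": ["*"]}),   # full authorization
    ("F_BKPF_BUK", {"ACTVT": ["03"], "BUKRS": []}),        # open org level
]

def open_fields(fields):
    """Fields that still have no value maintained."""
    return sorted(name for name, values in fields.items() if not values)

def traffic_light(fields):
    """red: open organizational level; yellow: other open field; green: complete."""
    missing = open_fields(fields)
    if any(name in ORG_LEVEL_FIELDS for name in missing):
        return "red"
    return "yellow" if missing else "green"

def review(auths):
    """List what must be resolved or justified before the profile is generated."""
    findings = []
    for obj, fields in auths:
        light = traffic_light(fields)
        if light != "green":
            findings.append((obj, light, "open: " + ", ".join(open_fields(fields))))
        for name, values in sorted(fields.items()):
            if obj in SENSITIVE_OBJECTS and "*" in values:
                findings.append((obj, "full", f"{name} = *"))
    return findings

if __name__ == "__main__":
    for finding in review(ROLE_AUTHS):
        print(*finding, sep=" | ")
```

A "full" finding on a user administration object is the result of assigning the complete authorization to non-maintained fields and deserves a deliberate decision rather than a click on the traffic light.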

Assign profile Name for Generated Authorization Profile - You can change the default profile name here
Profile name = T-DV960001
Text = Profile for role ZTESTROLE
Execute (Enter)
Users can be assigned to the role immediately.
Entries should be saved.

Change Role: Authorizations


Generate (Shift+F5) - Status =Saved
User Master Maintenance : Authorization profile
Activity
Auth. profile in user master m - Create or generate, Display, Delete, Display change documents

8. The profile for this role should be generated.

Generate Profile:
Open org.levels exist - There are open authorizations = Click Post maint

Change Role
Assign user - Create by - User = SAP* - Date = 25.05.2008 - Time = 18:10:42
Information about Authorization Profile
Profile Name = T-DV960001 - Profile Text = profile for role ZTESTROLE - Status = Authorization profile is generated
Maintain Authorization Data and Generate Profiles - Change Authorization Data - Expert mode for profile Generation

Change Roles - User comparison

9. If necessary, users can be assigned and compared on the User tab page. Users must already exist in the system before they can be assigned.

Change Roles - Compare user master record

Compare Role User Master Record - User Information for user master comparison - Status =User assignment has since the last
save - User master comparison

Change Roles
Save the role - you must save the role first save now - Yes

Change Role: Authorizations


Define values - User Master Maintenance: User Grou
Activity
Full authorization
01 Create or generate
02 Change
03 Display
05 Lock
06 Delete
08 Display change documents
24 Archive
78 Assign

Change Role: Authorization


ZTESTROLE
Changed = Basis: Administration
Changed = User Master Maintenance: User Groups
Activity = Display
Changed = User Master Maintenance: Authorization profile
Activity = Display
Auth. Profile in user master m = *

Creating Composite Roles

Enter a name in the Role field in role maintenance (transaction PFCG). The SAP System does not distinguish between the names of simple and composite roles; adopt your own naming convention to distinguish them.
Choose Create collective role.
Define the composite role in the following screen.
Save the entries.
On the Roles tab page, enter the roles in the composite role. The possible entries help displays all the simple roles in the system. Composite roles cannot be included in a composite role.
On the Menu tab, the role menus which you read in with Read menu can be restructured. This does not affect the menus of the roles.
On the Users tab, enter the user names individually (manually or from the possible entries help) or choose Selection and define the selection criteria (such as all users in a user group).
Note: Choosing Information on the Menu tab page also provides information about the menus of composite roles.
Detailed user information is displayed if a user name is selected and Display is chosen.
Choose Compare users. After the comparison, update the user data.
Note that users assigned to a composite role are displayed on a gray background (not changeable) in its roles. Change the user assignment only in the composite role. The View pushbutton on the role maintenance initial screen displays an overview of roles in composite roles.

Transporting and Distributing Role


1. Choose Tools → Administration → User Maintenance → Role Administration → Roles (transaction PFCG) to start role maintenance.
2. Enter the role to be transported and choose Transport Role.
The Mass Transport of Roles screen appears. The default settings for the options (single roles for composite roles are also transported, and profiles generated for roles are also transported) can be controlled using Customizing switches (see Role Maintenance Functions, section Functions of the Utilities Menu).
After the role has been included in a transport request, the authorization profiles of the role should not be changed. If the profiles need to be changed or generated for the first time, transport the entire role again afterwards.
3. In the following dialog box, specify whether the user assignment and the personalization data must also be transported. If the user assignments are also transported, they replace the entire user assignment of roles in the target system. To lock a system so that user assignments of roles cannot be imported, use transaction SM30 to add the line USER_REL_IMPORT with the value NO to the Customizing table PRGN_CUST.
4. Enter a transport request.
The role is entered in a Customizing request. Use transaction SE10 to display it.
The authorization profiles are transported along with the roles, unless the profile parameter transport/systemtype is set to the value SAP in this SAP system. In that case, only the profiles whose roles are assigned to customer-relevant delivery classes are transported.
5. Perform a user master comparison in the target system.

SAP - Information - You are not authorized to change passwords in user group

SAP Easy Access -User menu for User TEst


User menu for TExt
User Maintenance

Display Authorization Data for User TESTUSER


Users = TESTUSER
Profile Parameter auth/new_buffering = 4
Authorization obj. = S_USER_GRP
Description
Authorization check failed
Authorization Object S_USER_GRP User Master maintenance: User Group
Activity = 05
User group in user master maintenance =
User's Authorization Data
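
The failed check shown above (S_USER_GRP, activity 05) follows from how authorization values are evaluated: a single authorization must cover every checked field. The following Python code is an added example, not part of the original document and not SAP code, that models this evaluation; the role contents mirror the ZTESTROLE screens, while the CLASS value, the SPLIT_ROLE sample and all function names are assumptions.

```python
# Added example: a simplified model of an authorization check, not SAP code.
# Role data is constructed from the ZTESTROLE screens; CLASS = "*" is assumed.
ZTESTROLE = [
    ("S_TCODE",    {"TCD": ["PFCG", "SM21", "SU01"]}),
    ("S_USER_GRP", {"ACTVT": ["03"], "CLASS": ["*"]}),
    ("S_USER_PRO", {"ACTVT": ["03"], "PROFILE": ["*"]}),
]

# Constructed counter-example: two authorizations for the same object.
SPLIT_ROLE = [
    ("S_USER_GRP", {"ACTVT": ["03"], "CLASS": ["*"]}),
    ("S_USER_GRP", {"ACTVT": ["05"], "CLASS": ["SUPER"]}),
]

def value_allowed(value, allowed):
    """Match a checked value against single values, 'ABC*' patterns or (low, high) ranges."""
    for entry in allowed:
        if isinstance(entry, tuple):
            low, high = entry
            if low <= value <= high:
                return True
        elif entry.endswith("*"):
            if value.startswith(entry[:-1]):
                return True
        elif entry == value:
            return True
    return False

def authority_check(auths, obj, **fields):
    """Pass only if a single authorization for obj covers every checked field."""
    for auth_obj, values in auths:
        if auth_obj == obj and all(
            value_allowed(v, values.get(f, [])) for f, v in fields.items()
        ):
            return True
    return False

def explain(auths, obj, **fields):
    """Return a one-line result similar to the failed-check display."""
    status = "passed" if authority_check(auths, obj, **fields) else "failed"
    checked = ", ".join(f"{k}={v!r}" for k, v in sorted(fields.items()))
    return f"{obj}: authorization check {status} ({checked})"

if __name__ == "__main__":
    print(explain(ZTESTROLE, "S_USER_GRP", ACTVT="05", CLASS=""))    # lock attempt
    print(explain(ZTESTROLE, "S_USER_GRP", ACTVT="03", CLASS=""))    # display
    print(explain(SPLIT_ROLE, "S_USER_GRP", ACTVT="05", CLASS="HR"))
```

The SPLIT_ROLE case fails even though activity 05 and a matching user group each appear somewhere in the role, because values from different authorizations of the same object are not combined.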

Change role Authorizations


Status = Unchanged
ROLE2
Change = Basis: Administration
Standard = Central Functions
Changed = Human Resources

Utilities
Technical names on

Process Flow
The upper level shown in the graphic is processed with the role maintenance functions and the Profile Generator. The roles are defined for the various job descriptions with the permitted activities. Based on this information, the Profile Generator determines the authorizations for users of a particular role. The basic process is listed below:
1. Assign the job descriptions to transactions.
Define job descriptions for each application area in your company (for example, in a job description matrix). For each description, determine the menu paths and transactions that users with this job require, along with the required access authorizations (display, change) and any restrictions.
2. Maintain the activity groups or roles with the role maintenance and the Profile Generator (transaction PFCG).
Use the role maintenance functions to create the roles or activity groups that correspond to the individual job descriptions. For each role or activity group, choose the tasks (reports and transactions) that belong to the job.
3. Generate and maintain authorization profiles.
In this step, the Profile Generator automatically generates the authorization profile for the activity group or role. To accept or change the proposed profile, work through the tree structure of the profile and confirm the individual authorizations that you want to assign to the activity group or role.
4. Assign the users.
In this step, assign the users that belong to the relevant roles or activity groups.
5. Update the user master records.
Update the user assignment and the generated profile in the user master records. There are a number of ways to do this (depending on your release status):
- In all releases, you can schedule a background job that updates the user master records regularly.
- As of SAP R/3 4.5, you can either use the user comparison function or have the user master records updated automatically when the activity groups or roles are saved. (Choose Utilities → Settings and activate the option Automatic comparison at save.)
It is recommended to schedule a background job so that all user master records are updated automatically on a regular basis, even if the User Comparison function or the option Automatic Comparison at Save is used.
