Register Login

PFCG SAP Roles and Authorizations Maintenance

Updated May 18, 2018


To manage roles and authorization data, we can use the role maintenance. The Profile Generator is the tool for role maintenance which creates authorization data based on selected menu functions automatically. For fine-tuning, these are then presented.

To maintain roles, authorizations, and profiles it is recommended to use the role maintenance functions and the profile generator (transaction PFCG). The detailed knowledge of all SAP authorization components are needed although one can continue to create profiles manually. You are supported by the role maintenance functions as automating various processes support you in performing your task and allow you to be more flexible in your authorization plan. To maintain the roles delivered by SAP centrally or your own, new roles and to assign the roles to any number of users the central user administration functions can be used.

The structure for the Profile Generator is formed by the roles (previously: activity groups), which are based on the organizational plan of your company. Between the user and the corresponding authorizations, these roles act as a connection. In the SAP system, as objects the actual authorizations and profiles are stored.

After logging on to the SAP System, the user menu is displayed with the roles that have been assigned to the users. Users can access the applications that are contained in the menu such as the transactions, reports, Web-based applications with the help of roles that contain the authorizations.


The role maintenance can help one to:

  • Change and Assign Roles
  • Create Roles
  • Create Composite Roles
  • Transport and Distribute Roles

Change and Assign Roles

SAP Easy Access - SAP menu

1. The pushbutton should be chosen. In the initial transaction SAP Easy Access role or the transaction PFCG should be created.

2. The name of the delivered standard role should be entered in the Role field.

3. By choosing Copy role, the standard role should be copied and a name from the customer namespace should be entered.

Only the copies of these roles (Z_) should be changed and not the delivered standard roles (SAP_). Otherwise, during a later upgrade or release change the standard roles that have been modified will be overwritten by newly delivered standard roles.

4. The Change option should be chosen (In the Role field, the new name is there)
5. On the Menu tab page, the username can be changed. It can be reduced, extended, and restructured.

Role Maintenance - Role   = ZTESTROLE - Create Role

Creating Roles

1. Create Role in the SAP Easy Access transaction die should be chosen or Tools? Administration? User Maintenance? Role Administration? Roles (transaction PFCG) should be chosen to start role maintenance.

2. The name of the role should be entered. SAP delivered roles that start with the prefix "SAP_". Instead of using the SAP namespace, use the customer namespace for your own user roles. "Y_" or "Z_" is the prefix here. From the names of the delivered roles; one cannot tell whether they are single or composite roles. A naming convention for your roles should be created so that it can be differentiated between single and composite roles.

3. Create option should be chosen.

4. On the Menutab page, transactions, reports, and Web addresses can be assigned to the role.

Create Roles - Role = ZTESTROLE, Description = this is just a stest role - Save  (Ctrl+S)

Change Role: Assign transactions

Transaction code Text
SU01 User Maintenance
SM21 Online System Log Analysis
PFC6 Role Maintenance

Add transactions  (Shift+F7)

Add additional objects - Select which type of object you want to add - click Web address or file

Transaction Code for Reports -  Report type - ABAP report 

Select from the Sap menu - Role menu - Role Maintenance

Selection of Transactions from the Menu - SAP standard menu - Office

Generate Authoration Profile:

Change authorization data on the Authorization tab should be chosen.

The Authorization field values should be maintained as required. The Profile generation expert mode pushbutton on the Authorizations tab should be chosen and then Read old version and adjust to new data to adjust the authorizations for the menu changes.

Change Authorization Data

Change Authorization Data on the Authorizations tab page should be chosen to generate the profile for the role.

Depending on which activities you select an input window may appear; the organizational levels should be entered when prompted. In a lot of authorizations organizational levels occur which are authorization fields (an organizational level is, for example, a company code). Die authorization fields of the role are maintained automatically if you enter a particular value in the dialog box. The automatically proposed authorizations for the selected activities of the role in the following screen are displayed. Default values are found in some authorizations.

You must adjust the authorization values manually wherever traffic lights appear in the tree display. By expanding the object classes and by clicking on the white fields to the right of the authorization field name, the authorization values can be maintained.

The authorizations count as manually modified when the values are maintained, and when more activities into the role are copied and the authorizations are edited; they are not overwritten. For the hierarchy level for all non-maintained fields the complete authorization can be assigned by clicking on the traffic lights.

Maintain the Role ORG Level Values

There are organizational levels with no values wherever there are red traffic lights. With Org. levels one can enter and change organizational levels.

With Utilities ? Settings you can get other functions in the tree display, such as copying or collecting authorizations.

A) For the authorizations an authorization profile should be generated. To do this, Generate should be chosen. An authorization profile name is prompted by the application. In the customer namespace a valid name is proposed.

B) After the profile generation the tree display should be left.

Change role :Authorizations
ZTESTROLE - Standard = Cross-application Authorization objects - Transaction Code Check Transaction start - Transaction Code   = PFCG  , SM21 ,SU01

Standard Basis: Administration

Status =Change
User Master  Maintenance: Authorization profile
Activity: Auth. profile in user master m - Create  or generate and Display change documents

Assign Full Authorization for Subtree

Set authorization field to '*' (full authorization) for Authorized =User Master Maintenance: Authorization profile

If you call the tree display for the authorizations again after changing the menu, the new authorizations and the existing authorizations are mixed. Because there are incompletely defined authorizations in the tree there may then be a few yellow traffic lights. You must assign values to these either manually, or delete them if you do not want to do this. First deactivate it and then delete it when deleting an authorization.

Assign profile Name for Generated Authorization Profile - You can change the default profile name here
Profile name  =  T-DV960001
Text                =  Profile for role ZTESTROLE
Execute (Enter)

Users can be assigned to the role immediately.

Entries should be saved.

Change Role: Authorizations

Generate (Shift+F5) - Status =Saved
User Master   Maintenance : Authorization profile
Auth. profile in user master m - Create or generate, Display, Delete, Display change documents

8. The profile for this role should be generated.

Generate Profile:

Open org.levels exist - There are open authorizations  = Click Post –maint

Change Role

Assign user - Create by - User  = SAP* -  Date  = 25.05.2008 -  Time  = 18:10:42

Information about Authorization Profile

Profile Name = T-DV960001 - Profile Text  = profile for role ZTESTROLE - Status  = Authorization profile is generated
Maintain Authorization Data and Generate Profiles - Change Authorization Data - Expert mode for profile Generation

Change Roles -  User comparison

9. If necessary, on the User tab page the users can be assigned and can be compared. Before you can assign users, the users must already exist in the system.

 Change Roles - Compare user master record

Compare Role User Master Record - User Information for user master comparison - Status =User assignment has since the last save - User master comparison

Change Roles

Save the role - you must save the role first save now - Yes


Change Role: Authorizations

Difine values - User Master Maintenance :User Grou
Full authorization
01    Create or generate
02    Change
03    Display
05    Lock
06    Delete
08    Display change documents
24    Archive
78    Assign


Change Role: Authorization

Changed      = Basis: Administration
Changed      = User Master Maintenance: User Groups
Activity         =  Display
Changed      = User Master Maintenance: Authorization profile
Activity          = Display
Auth. Profile in user master m= *

Creating Composite Roles

  1. In the role maintenance in the Role field a name should be entered (transaction PFCG). The names of simple and composite roles are not distinguished by the SAP System. To distinguish between simple and composite roles, own naming convention should be adopted.
  2. Create collective role should be chosen.
  3. In the following screen the composite role should be defined.
  4. The entries should be saved.
  5. In the Roles tab page the roles in the composite role should be entered. With the possible entries help all the simple roles in the system can be displayed. Composite roles cannot be included in a composite role.
  6. In the Menutab, the role menus which you read in with Read menu can be restructured. The menus of the roles do not get affected by this.
  7. The users’ names individually in the Users tab should be entered (manually or from the possible entries help) or Selection should be chosen. The selection criteria should be defined (such as all users in a user group)

Note: If Information on the Menutab page is chosen the information about menus of composite roles are also provided.

Detailed user information is displayed if a username is selected and Display is chosen.

Compare users should be chosen. After the comparison update the user data.

Note that on a gray background in its roles (not changeable) assigned users to a composite role are displayed. In the composite role the user assignment should be changed only. With the View pushbutton in the role maintenance initial screen an overview of Roles in composite roles can be displayed.

Transporting and Distributing Role

1. Tools ? Administration ? User Maintenance? Role Administration? Roles (transaction PFG) should be chosen to start role maintenance

2. The role to be transported should be entered and Transport Role should be chosen.
Appearance of the Mass Transport of Rolesscreen can be seen. The default settings for the options can be controlled single roles for composite roles are also transported and profiles generated for roles using Customizing switches (in the section Functions of the Utilities Menu see Role Maintenance Functions) are also transported.

After the role in a transport request has been included the authorizations profiles of the role should not be changed. The entire role should be transported afterwards if you need to the profiles need to be changed or for the first time they need to be generated.

3. Whether the user assignment and the personalization data must be transported also should be specified in the following dialog box. Entire user assignment of roles will be replaced in the target system if the user assignments are also transported. Using transaction SM30 enter it in the Customizing table PRGN_CUST lock a system so that user assignments of roles cannot be imported. The line USER_REL_IMPORT and the value NO should be added.

4. A transport request should be entered.

In a Customizing request the role should be entered. Transaction SE10 should be used to display this.

Along with the roles, transport the authorization profiles. This should be done in this SAP system to value SAP unless the profile parameter transport/systemtype is set. Only the profiles whose roles are assigned to customer-relevant delivery classes are transported in this case.

5. A user master comparison should be performed in the target system.


You are not authorized to change passwords in user group

SAP Easy Access -User menu for User TEst
User menu for TExt
User Maintenance

Display Authorization Data for User TESTUSER
Users   = TESTUSER          
Profile Parameter auth/new buffering   =   4
Authorization obj.  =    S_USER_GRP
Authorization check failed
Authorization  Object S_USER_GRP User Master maintenance: User Group
Activity       =05
User group in user master maintenance =

User's Authorization Data

Change role Authorizations
Status =Unchanged
Change   =Basis: Admnistration
Standard =Central Functions
Changed = Human Resources

Technical names on

Process Flow

With the role maintenance functions and the Profile Generator, the upper level shown in the graphic should be processed. For the various job descriptions with the permitted activities the roles are defined. The authorizations for users for a particular role based on this information are determined by the Profile Generator. Listed below is the basic process:

1. The job descriptions to transactions should be assigned.

In your company job descriptions for each application area should be defined (for example, in a job description matrix). For each description, the menu paths and transactions that the users require with this job should be determined. The required access authorizations (display, change) and any restrictions should be determined.

2. The activity groups or roles should be maintained with the role maintenance and the Profile Generator (transaction PFCG).

To create the roles or activity groups that correspond to the individual job descriptions the role maintenance functions should be used. The tasks (reports and transactions) that belong to the job should be chosen for each role or activity group.

3. Authorization profiles should be generated and maintained.

The authorization profile for the activity group or role in this step is automatically generated by the profile generator. Work must be done through the tree structure of the profile and the individual authorizations that you want to assign to the activity group or role should be confirmed to accept or change the proposed profile.

4. The users should be assigned.

In this step, users that belong to the relevant roles or activity groups should be assigned.

5. The user master records should be updated.

In the user master records, update the user assignment and the generated profile. A number of ways are there by which you can do this (depending on your release status):

- You can schedule a background job in all releases that updates the user master records regularly.
- You can either use the user comparison function or have the user master records automatically updated as of SAP R/3 4.5, when the activity groups or roles is getting saved. (Choose Utilities ?Settings,_and activate the option _Automatic comparison at save.)

It is recommended to schedule a background job and ensure that all user master records are automatically updated on a regular basis even if the User Comparison function or the option Automatic Comparison at Save is used.