SAP Community Network Wiki - Community Profiles - PFCG-ROLE MAINTENANCE

Page 1 of 8

Log In

Register

About Us

How to Contribute
Welcome Guest

SDN Community
Home Forums Wiki Blogs

BPX Community
Articles eLearning

BusinessObjects
Downloads

University Alliances
Career Center

SAP EcoHub
InnoCentive Idea Place

Code Exchange

Events

PFCG-ROLE MAINTENANCE
Added by Swati Garg, last edited by Swati Garg on Oct 12, 2007 PFCG - ROLE MAINTENANCE We can use the role maintenance to manage roles and authorization data. The tool for role maintenance, the Profile Generator automatically creates authorization data based on selected menu functions. These are then presented for fine-tuning. We recommend that you use the role maintenance functions and the profile generator (transaction PFCG) to maintain your roles, authorizations, and profiles. Although you can continue to create profiles manually, you need detailed knowledge of all SAP authorization components. The role maintenance functions support you in performing your task by automating various processes and allowing you more flexibility in your authorization plan. You can also use the central user administration functions to centrally maintain the roles delivered by SAP or your own, new roles, and to assign the roles to any number of users. The roles (previously: activity groups), which are based on the organizational plan of your company, form the structure for the Profile Generator. These roles are the connection between the user and the corresponding authorizations. The actual authorizations and profiles are stored in the SAP system as objects. With the roles, you assign to your users the user menu that is displayed after they log on to the SAP System. Roles also contain the authorizations with which users can access the transactions, reports, Web-based applications, and so on that are contained in the menu.

Features
In the role maintenance you can: Changing and Assigning Roles Creating Roles Creating Composite Roles Transporting and Distributing Roles 1)Changing and Assigning Role 1. Choose the pushbutton Create role or the transaction PFCG in the initial transaction SAP Easy Access.

http://wiki.sdn.sap.com/wiki/display/profile/2007/10/12/PFCG-ROLE+MAINTENANCE

11/23/2010

SAP Community Network Wiki - Community Profiles - PFCG-ROLE MAINTENANCE

Page 2 of 8

2. 3.

Enter the name of the delivered standard role in the Role field . Copy the standard role by choosing Copy role and enter a name from the customer namespace.

Do not change the delivered standard roles (SAP_), but rather only the copies of these roles (Z_). Otherwise, the standard roles that you have modified will be overwritten by newly delivered standard roles during a later upgrade or release change.

4. 5. 6.

Choose Change (the new name is in the Role field). You can change the user menu on the Menu tab page. You can reduce, extend or restructure it. On the Authorizations tab choose Change authorization data.

http://wiki.sdn.sap.com/wiki/display/profile/2007/10/12/PFCG-ROLE+MAINTENANCE

11/23/2010

SAP Community Network Wiki - Community Profiles - PFCG-ROLE MAINTENANCE

Page 3 of 8

7. 8.

Maintain the authorization field values as required. To adjust the authorizations for the menu changes, choose the Profile generation expert mode Generate the profile for the role.

pushbutton on the Authorizations tab and then Read old version and adjust to new data.

9.

Assign users on the User tab page and compare users if necessary.The users must already exist in the system before you can assign them.

http://wiki.sdn.sap.com/wiki/display/profile/2007/10/12/PFCG-ROLE+MAINTENANCE

11/23/2010

SAP Community Network Wiki - Community Profiles - PFCG-ROLE MAINTENANCE

Page 4 of 8

2) Creating Roles 1. To start role maintenance, either choose Create Role in the SAP Easy Access transaction die or Tools ? Administration ? User Maintenance?Role

Administration ? Roles (transaction PFCG).

2. Enter the name of the role. Roles delivered by SAP start with the prefix "SAP_". For your own user roles, instead of using the SAP namespace, use the customer namespace. This means that the prefix is "Y_" or "Z_". You cannot tell from the names of the delivered roles whether they are single or composite roles. You should therefore create a naming convention for your roles so that you can differentiate between single and composite roles. 3. Choose Create.

4. 5.

You can assign transactions, reports, and Web addresses to the role on the Menu tab page To generate the profile for the role, choose Change Authorization Data on the Authorizations tab page.

An input window may appear, depending on which activities you selected You are prompted to enter the organizational levels. Organizational levels are authorization fields which occur in a lot of authorizations (an organizational level is, for example, a company code). If you enter a particular value in the dialog box, die authorization fields of the role are maintained automatically.The authorizations which are proposed automatically for the selected activities of the role are displayed in the following screen. Some authorization have default values. Wherever traffic lights appear in the tree display, you must adjust the authorization values manually. You can maintain the authorization values by expanding the object classes and clicking on the white fields to the right of the authorization field name.

http://wiki.sdn.sap.com/wiki/display/profile/2007/10/12/PFCG-ROLE+MAINTENANCE

11/23/2010

SAP Community Network Wiki - Community Profiles - PFCG-ROLE MAINTENANCE

Page 5 of 8

When you have maintained the values, the authorizations count as manually modified and are not overwritten when you copy more activities into the role and edit the authorizations again. You can assign the complete authorization for the hierarchy level for all non-maintained fields by clicking on the traffic lights.

Wherever there are red traffic lights, there are organizational levels with no values. You can enter and change organizational levels with Org. levels . If you want other functions in the tree display, such as copying or collecting authorizations, you can show them with Utilities ? Settings . a. b. Generate an authorization profile for the authorizations. To do this, Choose Generate.You are prompted for an authorization profile name. A valid name in Leave the tree display after the profile generation. the customer namespace is proposed. If you change the menu and then call the tree display for the authorizations again, the authorizations of the new activities are mixed with those for the existing authorizations. There may then be a few yellow traffic lights, because there are authorizations in the tree that are incompletely defined. You must either manually assign values to these, or if you do not want to do this, delete them. To delete an authorization, deactivate it first and then delete it. 6. 7. You can also assign users to the role immediately. Save your entries.

http://wiki.sdn.sap.com/wiki/display/profile/2007/10/12/PFCG-ROLE+MAINTENANCE

11/23/2010

SAP Community Network Wiki - Community Profiles - PFCG-ROLE MAINTENANCE

Page 6 of 8

3) Creating Composite Roles 1. 2. 3. Enter a name in the Role field in the role maintenance (transaction PFCG).The SAP System does not distinguish between the names of simple and Choose Create collective role. You can define the composite role in the following screen.

composite roles. You should adopt your own naming convention to distinguish between simple and composite roles.

4. 5. 6.

Save your entries. Enter the roles in the composite role in the Roles tab page. You can display all the simple roles in the system with the possible entries help. You can restructure the role menus which you read in with Read menu , in the Menutab.

You cannot include composite roles in a composite role. This does not affect the menus of the roles. Note also the information about menus of composite roles provided if you choose Information on the Menu tab page. 7. Either enter the names of the users individually in the Users tab (manually or from the possible entries help) or choose Selection. You can define selection criteria (such as all users in a user group) If you select a username and choose Display, detailed user information is displayed. Choose Compare users. The user data is updated after the comparison. Note that users which are assigned to a composite role are displayed on a gray background in its roles (not changeable). The user assignment should only be changed in the composite role.You can display an overview of Roles in composite roles with the View pushbutton in the role maintenance initial screen. 4) Transporting and Distributing Roles 1. 2. To start role maintenance, choose Tools ? Administration ? User Maintenance ? Role Administration ? Roles (transaction PFG). Enter the role to be transported and choose Transport Role.

The Mass Transport of Rolesscreen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Maintenance Functions in the section Functions of the Utilities Menu ).

http://wiki.sdn.sap.com/wiki/display/profile/2007/10/12/PFCG-ROLE+MAINTENANCE

11/23/2010

SAP Community Network Wiki - Community Profiles - PFCG-ROLE MAINTENANCE

Page 7 of 8

You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate 3. them for the first time, transport the entire role again afterwards. In the following dialog box, specify whether the user assignment and the personalization data should also be transported. If the user assignments are also

transported, they will replace the entire user assignment of roles in the target system. To lock a system so that user assignments of roles cannot be imported, enter it in the Customizing table PRGN_CUST using transaction SM30. Add the line USER_REL_IMPORTand the value NO. 4. Enter a transport request.

The role is entered in a Customizing request. Use Transaction SE10 to display this. The authorization profiles are transported along with the roles. Unless the profile parameter transport/systemtype is set in this SAP system to value SAP. In this case, only the profiles whose roles are assigned to customer-relevant delivery classes are transported.

http://wiki.sdn.sap.com/wiki/display/profile/2007/10/12/PFCG-ROLE+MAINTENANCE

11/23/2010

SAP Community Network Wiki - Community Profiles - PFCG-ROLE MAINTENANCE

Page 8 of 8

5.

Perform a user master comparison in the target system.

Process Flow
You process the upper level shown in the graphic with the role maintenance functions and the Profile Generator. You define the roles for the various job descriptions with the permitted activities. The Profile Generator determines the authorizations for users for a particular role based on this information. The basic process is as follows: 1. Assign the job descriptions to transactions.

Define job descriptions for each application area in your company (for example, in a job description matrix). Determine for each description the menu paths and transactions that the users with this job require. Determine both the required access authorizations (display, change) and any restrictions. 2. Maintain activity groups or roles with the role maintenance and the Profile Generator (transaction PFCG).

Use the role maintenance functions to create the roles or activity groups that correspond to the individual job descriptions. For each role or activity group, choose the tasks (reports and transactions) that belong to the job. 3. Generate and maintain authorization profiles.

In this step, the profile generator automatically generates the authorization profile for the activity group or role. To accept or change the proposed profile, you must work through the tree structure of the profile and confirm the individual authorizations that you want to assign to the activity group or role. 4. Assign users.

In this step, you assign the users that belong to the relevant roles or activity groups. 5. Update the user master records.

The user assignment and the generated profile must be updated in the user master records. There are a number of ways in which you can do this (depending on your release status): In all releases, you can schedule a background job that regularly updates the user master records. As of SAP R/3 4.5, you can either use the user comparison function or have the user master records automatically updated when saving the activity groups

or roles. (Choose Utilities ?Settings,_and activate the option _Automatic comparison at save.) Even if you use the User Comparison function or the option Automatic Comparison at Save, we recommend that you schedule a background job and ensure that all user master records are regularly automatically updated.

Contact Us Site Index Marketing Opportunities Powered by SAP NetWeaver

Legal Terms

Privacy

Impressum

http://wiki.sdn.sap.com/wiki/display/profile/2007/10/12/PFCG-ROLE+MAINTENANCE

11/23/2010