Transaction code PFCG is a role maintenance administration to manage roles and authorization data. The tool for role maintenance, the Profile Generator automatically creates authorization data based on selected menu functions.
SAP recommend that to use the role maintenance functions and the profile generator (transaction code PFCG) to maintain the roles, authorizations, and profiles. Although we can continue to create profiles manually.These roles are the connection between the user and the corresponding authorizations. The actual authorizations and profiles are stored in the SAP system as objects. With the roles, we can assign to any users which will be the user menu that is displayed after they log on to the SAP System.
Roles contains the authorizations with which users can access the transactions, reports, Web-based applications, and so on that are contained in the menu. In the role maintenance, we can also change and assign roles, creating roles, creating composite roles and transport and distributing roles. In short it simplifies the creation of authorization.
Types of Role :-
A role is a container that collects the transactions, reports, web links so on along with its authorization and generate the associated profiles.
Step 1 :– Enter T-code “PFCG” in SAP command.
Step 2 :- Role Naming Convention
Step 3 :- Description Tab – On create role screen update the following details.
Step 4 :- Menu Tab. This section describes the options available to you when creating a role menu
Step 5 :- Authorization Tab is basically for users are created using roles and profiles. The administrator creates the roles, and the system supports him or her in creating the associated authorizations. An authorization is a permission to perform a certain action in the SAP System. The action is defined on the basis of the values for the individual fields. You must generate authorization profiles before you can assign them to users. An authorization is generated for each authorization level and an authorization profile for the whole role as represented in the browser view.
There are two options in Authorization tab :- If you are generating the profile for the first time, there is no difference between the two modes.once choose one of the below mentioned option, assign full authorization to the role, save and generate it.
2.Expert Mode for profile generation :-
Storage Tables :-
Blue Line – Role – In our case it’s the new role which we have just created.
Pink Line – Authorization Class – These group Authorization Objects which protect similar application components.
Green Line – Authorization Object – Its a template or structure with a number of fields each of which needs to filled up with appropriate data to allow access.
Yellow Line – Authorization – This is an unique instance of an authorization object with values specified for its different fields. An authorization is actually similar to an object.
Off-white Line – Authorization Field – These are the unique fields within each authorization object. Different authorization objects will have different sets of authorization fields.
Make sure before moving to User tab from authorization tab, the status is saved and generated.
Step 6 :User Comparison :- Comparing the user master. This is basically updating profile information into user master record so that user are allowed to use the transaction contained in the menu tree of their role. If you are also using the role to generate authorization profile, then you should note that the generated profile is not entered in the user master record until the user master record have been compared. You can automate this by scheduling this report PFCG_TIME_DEPENDENCY on.
Mention user name.
SAP recommend that to use the role maintenance functions and the profile generator (transaction code PFCG) to maintain the roles, authorizations, and profiles. Although we can continue to create profiles manually.These roles are the connection between the user and the corresponding authorizations. The actual authorizations and profiles are stored in the SAP system as objects. With the roles, we can assign to any users which will be the user menu that is displayed after they log on to the SAP System.
Roles contains the authorizations with which users can access the transactions, reports, Web-based applications, and so on that are contained in the menu. In the role maintenance, we can also change and assign roles, creating roles, creating composite roles and transport and distributing roles. In short it simplifies the creation of authorization.
Types of Role :-
- Single Role
- Composite Role
- Derived Role (Child Role)
- Master Role (Parent Role)
- Copy Role
- SAP Path – SAP Menu -> tools -> administration -> user Maintenance -> Role -> Administration -> Role.
- Transaction code -> PFCG.
A role is a container that collects the transactions, reports, web links so on along with its authorization and generate the associated profiles.
Step 1 :– Enter T-code “PFCG” in SAP command.
Step 2 :- Role Naming Convention
- Enter new role ID that you want to create ( in this configuration we are going to create Z_SINGLE_ROLE). A naming convention for your roles should be created so that it can be differentiated between single,composite, master and derived roles.By choosing Copy role, the standard role should be copied and a name from the customer namespace should be entered. Only the copies of these roles (Z_/ Y_) should be changed not the delivered standard roles (SAP_) Otherwise during a later upgrade or release change the standard roles that have been modified will be overwritten by newly delivered standard roles.
- The Change option should be chosen (In the Role field, the new name is there) and save it after required modification
- Storage Table – AGR_DEFINE
Step 3 :- Description Tab – On create role screen update the following details.
- Description – Enter the role text so that you can describe the purpose of creating role accordingly.
- Long Text – update the long text of the role.
- After updating all required information, click on save button.
- Storage Table – AGR_TEXTS
Step 4 :- Menu Tab. This section describes the options available to you when creating a role menu
- Copying Menus –
- For single roles, when reading menus from the following sources -> The SAP menu, Roles, Area menus and A file.
- For composite roles, when reading menus from single roles
- Insert Nodes –
- Transactions
- Reports
- Authorization Default Value
- Others
- Additional Activities –
- Translate Nodes
- Display Documentation
- Find in Documentation
- Compress menu
- Other Node Details – Control the Navigation menu of the NWBC
- Menu Options – Control the menu properties of the NWBC
- You can restructure the menu using Drag & Drop. If you have not included any menu nodes in the menu, the status display on the Menu tab page is red. Once you have assigned at least one menu node, the status display is green.
- Click on the transaction option as shown below and add T-codes as required.
- Storage Table :-
- AGR_TCDTXT/AGR_TCODES – Assignment of role to tcode.
- AGR_HIERT – Role menu text
- AGR_HIER2 – Menu structure information
- AGR_OBJ – Assignment of menu nodes to role
- Click on Menu Tab , there are many options which you can add as Transaction/ Reports/ Other, Authorization defaults etc. click on add transaction.
- Assign transaction according to requirement and save it.
- You will see all assigned transaction display in role menu.
Step 5 :- Authorization Tab is basically for users are created using roles and profiles. The administrator creates the roles, and the system supports him or her in creating the associated authorizations. An authorization is a permission to perform a certain action in the SAP System. The action is defined on the basis of the values for the individual fields. You must generate authorization profiles before you can assign them to users. An authorization is generated for each authorization level and an authorization profile for the whole role as represented in the browser view.
There are two options in Authorization tab :- If you are generating the profile for the first time, there is no difference between the two modes.once choose one of the below mentioned option, assign full authorization to the role, save and generate it.
- Change Authorization Data :- If a new t-code is added to a role it will pull the authorization objects corresponding to that t-code but not any of those which was deleted by us earlier, provided that object is not related to newly added t-code. Or we can say that change mode will compare the authorization in the role for newly added t-code with SU24 and and will add all the necessary objects.
2.Expert Mode for profile generation :-
- Delete and recreate profile and authorizations – All authorizations are recreated. Values which had previously been maintained, changed or entered manually are lost. Only the maintained values for organizational levels remain.
- Edit old status – The last saved authorization data for the role is displayed. This is not useful, if transactions in the role menu have been changed.
- Read old status and compare with new data – If you change transactions in the role menu, this option is the preconfigured. The profile generator compares the existing authorization data with the authorization default values for the menu transactions. If new authorizations are added during this process, they receive the status New. Authorizations that already existed receive the status Old.
Storage Tables :-
- AGR_PROF – Profile name for role.
- AGR_1252 – organizational element for authorizations.
- AGR_1016 – Name of the activity profile.
- TOBJ – Authorization Object.
- USR10 – User master authorization profiles.
- USR12 – Authorization Values.
- AGR_TIME – Time stamp for role including profile
- S_USER_AUT – (User Master Maintenance) This authorization object defines which authorizations the administrator can process. You can use the activities to specify the types of processing (such as creating, deleting, displaying change documents).
- S_USER_GRP – The authorization object is used in role administration when assigning users to roles and during the user master comparison.
- S_USER_SAS – (User Master Maintenance) System-specific assignments.The authorization object S_USER_SAS is checked in transactions SU01, SU10, PFCG, and PFUD when you assign roles, profiles, and systems to users.
- S_USER_AUT – (User Master Maintenance)
- S_USER_PRO – Profiles are protected with this authorization object
- S_USER_AGR – This authorization object protects roles. The roles combine users into groups to assign various properties to them
- S_USER_TCD – Transactions that an administrator can assign to a role
- S_USER_VAL – This authorization object allows the restriction of values that a system administrator can insert or change in a role.
- S_USER_SYS – Authorization object for system assignment in the Central User Administration (CUA).
- S_USER_ADM – The authorization object S_USER_ADM protects general Customizing and administration tasks for user and authorization administration. It consists solely of the authorization field S_ADM_AREA
- Red – It means that some organizational values has not been maintained in org field in profile generator
- Green – All the organizational filed are maintained (values are assigned)
- Yellow – It means that there are some or all field in certain authorization instance which are blank (not maintained)
- Standard – It means that all values in authorization field of an authorization instance is unchanged from the SAP default value. (i.e. the values which are getting pulled from SU24).
- Manual – It means that at least one authorization field has been manually added, i.e. it was not proposed by profile generator.
- Changed – It means that the proposed value in at least one of the fields in an authorization instance has been changed.
- Maintained – It means that at least one of the field values in an authorization instance was blank when it was pulled from SU24 (i.e. SAP default value) and that blank field has been updated with some value
Blue Line – Role – In our case it’s the new role which we have just created.
Pink Line – Authorization Class – These group Authorization Objects which protect similar application components.
Green Line – Authorization Object – Its a template or structure with a number of fields each of which needs to filled up with appropriate data to allow access.
Yellow Line – Authorization – This is an unique instance of an authorization object with values specified for its different fields. An authorization is actually similar to an object.
Off-white Line – Authorization Field – These are the unique fields within each authorization object. Different authorization objects will have different sets of authorization fields.
Make sure before moving to User tab from authorization tab, the status is saved and generated.
- Click on Authorization Tab and then change authorization data.
- Assign authorization according to the requirement.
- Save assigned authorization
- Once you will save it will give you profile name for role.
- You can check the status on right side as it saved and generated.
Step 6 :User Comparison :- Comparing the user master. This is basically updating profile information into user master record so that user are allowed to use the transaction contained in the menu tree of their role. If you are also using the role to generate authorization profile, then you should note that the generated profile is not entered in the user master record until the user master record have been compared. You can automate this by scheduling this report PFCG_TIME_DEPENDENCY on.
Mention user name.
- Click on user comparison button.
- Save and click on back button
- Click on User Tab you can see Tab is with yellow color. Assign user and click on user comparison button.
- Click on complete comparison.
- Save it now you can see the green button which means the comparison is done successfully.