Hope you are doing well.
In my organization, I have Configured the role and profile for our new user.
I want to share with you about the settings and details. One document is really help me to learn this factor. One of our friend Sudeep wrote a excellent document MM Related Authorization Objects – How to Find out & Assig, Its really help me a lot.
There is also very deeply explain about authorization in this document.
Lets discuss about role and profile..
What is a Role?
A role is assigned to an user, its used to choose a T-code/Menu and its create authorization profile…
Suppose Role A has authorization for t-code MM01, and the role is assigned to use ABC, It means the user is able to use the t-code MM01.
What is a Profile?
A profile is the element in the authorization system. Its allow an user to access the system.
For authorization check, The system checks on the particular profile which is assigned to user for the proper authorization.
T-code = PFCG
This is initial screen of Role maintenance..
If you have a old role and you want to copy as a new role, then you can choose the option copy as…
Enter the old role in Role field then press copy as…
Give the new name in to Role and press “Copy all”, your new role will be copied. Then you can change the role as you wish.
If you want to create a new one then just enter the name in Role and then press “Single Role”
The initial creation for the particular role will come.
We have to maintain The Menu, Authorization and User (If you want to maintain workflow, then you can maintain).
Click on the Menu tab.
In this tab we will enter the t-codes which we want to give authorization to an user.
There are many option to insert t-code
Lets give the authorization of all inventory management option, It means the use can do these all things which is in under inventory management tab in main menu.
As we can see the Menu tab’s colour is Green. It means we have successfully assign the t-codes to this particular user.
Save your settings.
Now Go to Authorization tab.
Here you have use a profile name for this role.
If you click the option, then system will propose you a 10 digit profile name and profile text (You can change the profile text) , you can continue with system proposed profile name or you can give as yours.
I use System proposed profile name, I have click on the option.
System propose me a profile name.
Save you data.
It will take all standard fields, which will need for the inventory management.
Then you gave generate the profile. Select the last option “Expert Mode for Profile Generation”
You have to give the authorization for required data for inventory management.
Suppose you give company code X in this field, Then the user will only can do a entry for company code X. It is for the all field which is shown in above figure.
After compete the all field, press save/enter.
We can there are no red colour on any field.
Now press back and go back to the initial screen. You can see the Authorization tabs also will green coloue. That means this tab is successfully completed.
Now press the User tab
Here just give the user id in the field “user ID”, to whom you want to give the authorization.
You can restrict the role and profile with validity period.
In default it come current date to 31.12.9999.
It means the profile and role is successfully assigned to this particular user.
Now we can see the User option is also in green colour mode. It means we have successfully done this tab.
Now just save you data and press back.
Now we can see in User master record from SU01, the new role and profile is assigned to the user.
Now Log in with new user.
When the user trying to enter t-code under inventory management, the user can do the all. But whenever he will try to enter t-code under purchasing and all (without inventory management), he will get a message
If any authorization missing in inventory management, then we can also add the activity to the user. Its is clearly discuss on this document
If we want to restrict the storage location and G/L account, then we have to assign the storage location and G/L in Role and we have to activate “Authorization Check for Storage Locations”
Go to OLMB-Authorization Management-Authorization Check for Storage Locations and Authorization Check for G/L Accounts.
Tick for the storage location which you want check the authorization for user.
Tick for the company code which you want to check for the authorization.
This way you can restrict authorization for an user.