Creating Roles (PFCG) in SAP S/4 HANA On premise
Roles enable you to define user menus and authorizations for users in your system.
1. Start Role Maintenance (transaction PFCG) and enter a name for the role.
Do not enter a name that begins with a namespace prefix or the prefix SAP.
2. Choose Single Role.
3. Enter a text to describe the function of the role.
4. On the Menu tab, assign transactions, reports, programs, Internet links, and intranet links to the role.
The activities in the role menu structure are used by the system to create the authorizations automatically.
The following table lists some of the ways to create user menus.
Table 1: Functions for Creating User Menus
From the SAP Menu: Copy menu structures from the SAP menu into the user menu by selecting checkboxes. Expand the menu branch to put lower-level nodes or individual transactions and programs in the user menu.
From Another Role: Copy the menu structure of an existing role into the current role. You can select the menu structure of a role delivered by SAP.
From Area Menu: Copy area menus (SAP standard area menus or your own) into the user menu of a role. Choose an area menu from the list of menus and select the transactions you want.
Transaction Code: Enter transaction codes directly.
Report: Enter reports, programs, transaction variants, and queries in the user menu.
Other: Enter Internet and intranet links. Enter a descriptive text and the URL.
5. On the Authorizations tab, choose Change Authorization Data.
An input window may appear, depending on which activities you selected. You are prompted to edit the organizational levels. Organizational levels are authorization fields that occur in many authorizations, for example, company code. If you enter a particular value in the dialog box, the authorization fields of the role are maintained automatically.
The authorizations which are proposed automatically for the selected activities of the role are displayed in the following screen. Some authorizations have default values.
Wherever traffic lights appear in the tree display, edit the authorization values manually. Edit the authorization values by expanding the object classes and editing the authorization field.
When you have maintained the values, the system considers the authorizations manually modified and does not overwrite them when you copy more activities into the role and edit the authorizations again. To assign complete authorizations (*) for the hierarchy level for all unmaintained fields, choose the traffic lights.
Wherever there are red traffic lights, there are organizational levels with no values. You can enter and change organizational levels with Organizational Levels….
To display other functions in the tree, such as copying or collecting authorizations, choose Utilities → Settings.
6. Choose Generate to generate an authorization profile for the authorizations.
You are prompted for an authorization profile name. The system proposes a valid name in the customer namespace.
7. Leave the tree display after the profile generation.
If you change the menu selection and call the authorization tree display again, the authorizations for the new activities are added to the existing authorizations. Traffic lights may be switched to yellow because new, incomplete authorizations appear in the tree display. Assign values manually or delete them. Delete an authorization by deactivating it first and then deleting it.
You can add general authorizations, such as spool display or print, to the existing data by using authorization templates. Choose Edit → Insert authorizations → From template…. Choose a template (SAP_USER_B – Basis authorizations application users or SAP_PRINT – Print Authorization). You can also create a separate role for clarity.
8. On the User tab, assign users to the role.
The user menu appears when the assigned user logs on to the system. The system automatically enters the generated authorization profiles in the user master record of this user when you compare the user master.
9. On the User tab, choose User Comparison.
If you do not want to restrict the assignment validity period (the default validity date is until 9999-12-31), no further action is required. To restrict the validity period, schedule the program PFCG_TIME_DEPENDENCY to run daily; it updates the user master records. If you use organizational management, schedule the program.
You cannot enter generated authorization profiles directly into user master records. Generated profiles are only assigned to user master records by assigning users to roles and then comparing users. The system enters the profiles for the role in all appropriate user master records.
You have created a role. A user menu appears for the user to whom this role is assigned when that user logs on to the system. The user has the authorizations that you specified to perform the activities in the user menu.
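A review check for roles built with the steps above, as an added example that is not part of the original page or SAP's own code. It reads constructed CSV exports whose column names follow the SAP tables AGR_1251 (role authorization values) and AGR_USERS (role assignments), and flags reserved name prefixes, fields maintained with full authorization (*), and assignments left at the default end date; the export layout, the sample rows and the function name review_roles are assumptions.

```python
import csv
import io

# Constructed sample data. Column names follow the SAP tables AGR_1251 and
# AGR_USERS; the CSV layout and all row values are assumptions of this example.
AGR_1251_CSV = """AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
Z_AP_CLERK,S_TCODE,TCD,FB60,,
Z_AP_CLERK,F_BKPF_BUK,BUKRS,1000,,
Z_AP_CLERK,F_BKPF_BUK,ACTVT,*,,
SAP_COPY_TEST,S_TCODE,TCD,*,,
Z_AP_CLERK,S_SPO_ACT,SPOACTION,*,,X
"""
AGR_USERS_CSV = """AGR_NAME,UNAME,FROM_DAT,TO_DAT
Z_AP_CLERK,JDOE,20240101,99991231
Z_AP_CLERK,TEMP01,20240101,20240630
"""


def review_roles(agr_1251_csv, agr_users_csv):
    """Return sorted (role, finding) tuples for a post-creation role review."""
    findings = set()
    for row in csv.DictReader(io.StringIO(agr_1251_csv)):
        role = row["AGR_NAME"]
        # Step 1: role names must not start with a namespace prefix or SAP.
        if role.startswith(("SAP", "/")):
            findings.add((role, "name uses reserved prefix"))
        # Assumption: DELETED = X marks a deactivated authorization, so skip it.
        if row["DELETED"] == "X":
            continue
        # Step 5: a field maintained with * grants every value for that field.
        if row["LOW"].strip() == "*":
            findings.add((role, f"full authorization {row['OBJECT']}/{row['FIELD']}"))
    for row in csv.DictReader(io.StringIO(agr_users_csv)):
        # Step 9: assignments left at the default end date never expire.
        if row["TO_DAT"] == "99991231":
            findings.add((row["AGR_NAME"], f"unlimited assignment for {row['UNAME']}"))
    return sorted(findings)


if __name__ == "__main__":
    for role, finding in review_roles(AGR_1251_CSV, AGR_USERS_CSV):
        print(f"{role}: {finding}")
```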