
SAP Basic Security

The document describes the steps to create a new user in SAP. It involves executing transaction SU01, entering username and address details, choosing a user type, assigning an initial password, roles and profiles. The types of SAP users are also defined. PFCG role maintenance is used to manage roles and authorizations by defining sets of transactions that can be assigned to users. The SUIM transaction allows searching for user profiles and assigning them to users.

https://www.saptechnicalguru.com/pfud/
SU01: How to Create a New User in SAP
The following are the detailed steps to create a user in SAP.

Step 1) Execute T-code SU01

Step 2)

1. Enter the username that you want to create.
2. Click the Create button.

Step 3) In the next screen

1. Click the Address tab.
2. Enter details.

Step 4) Choose the user type in the Logon Data tab.

There are 5 types of users in SAP:

1. Dialog user: Normally used for interactive system access from the
GUI (used for human users).
2. System user: Normally used for background processing and
communication within a system.
3. Communication user: Used for external RFC calls.
4. Service user: A dialog user available to a larger, anonymous group of
users.
5. Reference user: General, non-person-related users that allow the
assignment of additional authorizations. Example: Internet users
created with transaction SU01. No logon is possible.

Step 5) Enter the initial password twice.

On first logon of the new user, the system will ask to reset the password.

Step 6)

1. Select the Roles tab.
2. Assign roles as per requirements.

Step 7)

1. Select the Profiles tab.
2. Assign profiles as per requirements.

You can assign the SAP_ALL and SAP_NEW profiles to a user for full
authorization.

• SAP_ALL: You assign this profile to users who are to have all R/3
authorizations, including super-user authorization.
• SAP_NEW: You assign this profile to users who have access to all
currently unprotected components. The SAP_NEW profile grants
unrestricted access to all existing functions for which additional
authorization checks have been introduced. Users can therefore
continue to work uninterrupted with functions that are subject to new
authorization checks which were not previously executed.

Step 8)

1. Press Save.
2. Then press the Back button (F3).

The user will be created!
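As an added example (not part of the original document and not SAP code), the following Python script audits an export of user-to-profile assignments for SAP_ALL and SAP_NEW and ranks each finding by the user types listed in Step 4. The CSV layout, the user names and the severity ranking are assumptions made for this example.

```python
import csv
import io

# Constructed sample export (not real data). The column layout is an
# assumption for this example, e.g. a spreadsheet download of a user report.
SAMPLE_EXPORT = """user,user_type,profile,locked
JSMITH,Dialog,SAP_ALL,no
BATCH_FI,System,Z_FI_BATCH,no
RFC_CRM,Communication,SAP_ALL,no
WEBSHOP,Service,SAP_NEW,no
REF_INET,Reference,SAP_ALL,no
OLDADMIN,Dialog,SAP_ALL,yes
MJONES,Dialog,Z_AP_CLERK,no
"""

BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}
INTERACTIVE_TYPES = {"dialog", "service"}   # types that allow GUI logon
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def classify(user_type, locked):
    """Rank a broad-profile assignment (ranking is this example's assumption)."""
    if locked:
        return "low"       # no logon while locked, but still to be cleaned up
    if user_type in INTERACTIVE_TYPES:
        return "high"      # a person can log on with full authorization
    if user_type == "reference":
        return "high"      # no logon, but lends its authorizations to others
    return "medium"        # system/communication user: background or RFC use


def find_broad_profile_users(export_text):
    """Return (severity, user, user_type, profile) tuples, most urgent first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        profile = row["profile"].strip().upper()
        if profile not in BROAD_PROFILES:
            continue
        user_type = row["user_type"].strip().lower()
        locked = row["locked"].strip().lower() == "yes"
        severity = classify(user_type, locked)
        findings.append((severity, row["user"], row["user_type"], profile))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


if __name__ == "__main__":
    for finding in find_broad_profile_users(SAMPLE_EXPORT):
        print("%-6s %-10s %-14s %s" % finding)
```

Users with narrowly scoped profiles (BATCH_FI, MJONES in the sample) produce no finding, so the output is the list to review and replace with task-specific roles.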


PFCG Role Maintenance
PFCG Role Maintenance can be used to manage roles and authorizations in an SAP
system. In PFCG, a role represents the work that a person performs in real-life
scenarios. PFCG allows you to define a set of transactions that can be assigned to a
person to perform their daily work.
When the roles have been created in transaction PFCG, you can use transaction SU01 to
assign these roles to individual users. A user in an SAP system can be assigned multiple
roles that relate to his/her daily tasks.
These roles are the connection between users and authorizations in an SAP system. The
actual authorizations and profiles are stored in the form of objects in the SAP system.
Using PFCG Role Maintenance, you can perform the following functions −

• Changing and Assigning Roles
• Creating Roles
• Creating Composite Roles
• Transporting and Distributing Roles

Let us now discuss these functions in detail.
Changing and Assigning Roles
Run Transaction: PFCG

This takes you to the role maintenance window. To change an existing role, enter the
delivered role name in the field.
Copy the standard role by clicking on the Copy Role button. Enter the name from the
namespace. Click on the value selection button and select the role to which you want to
copy it.
You can also select the roles delivered by SAP, which start with SAP_, but then the
default roles will be overwritten.

To change the role, click on the Change button in Role Maintenance.

Navigate to the Menu tab to change the user menu on the Menu tab page. Go to the
Authorization tab to change the authorization data for that user.
You can also use the Expert Mode to adjust the authorizations for the menu changes
under Authorization. Click on the Generate button to generate the profile for this role.
To assign users to this role, go to the User tab in the Change Role option. To assign a
user to this role, the user must already exist in the system.

You can also perform a User Comparison if required. Click on the User Comparison option.
You can also click on the Information button to learn more about single and composite
roles, and on the User Comparison option to compare the master records.
Creating Roles in PFCG
You can create both single roles and composite roles in PFCG. Enter the role name and
click on Create Single or Composite Roles as shown in the screenshot below.

You can select a name from the customer namespace, such as Y_ or Z_. SAP-delivered
roles start with SAP_, and you can't take a name from the SAP-delivered roles.
Once you click on the Create Role button, you should add transactions, reports and web
addresses under the Menu tab in the role definition.
Navigate to the Authorization tab to generate the profile, and click on the Change
Authorization Data option.

As per your activity selection, you are prompted to enter the organizational levels. When
you enter a particular value in the dialog box, the authorization fields of the role are
maintained automatically.
You can adapt the reference for the roles. Once a role definition is done, you need to
generate the role. Click on Generate (Shift+F5).
In this structure, red traffic lights indicate organizational levels with no values. You
can enter and change organizational levels with Organization Levels next to the
Maintained tab.
Enter the profile name and click on the tick option to complete the Generate step.

Click on Save to save the profile. You can directly assign this role to users by going to
the User tab. In a similar way, you can create composite roles using the PFCG Role
Maintenance option.

Transporting and Distributing Roles


Run transaction PFCG, enter the name of the role that you want to transport and
click on Transport Role.
You will reach the role transport option. You have multiple options under Transport
Roles −

• Transport single roles for composite roles.
• Transport generated profiles for roles.
• Personalization Data.

In the next dialog box, you should specify whether the user assignment and the
personalization data should also be transported. If the user assignments are also
transported, they will replace the entire user assignment of roles in the target system.
To lock a system so that user assignments of roles cannot be imported, enter it in the
Customizing table PRGN_CUST using transaction SM30 and select the value
field USER_REL_IMPORT number.
The role is entered in a Customizing request. You can view this using transaction SE10.

In a Customizing request, authorization profiles are transported along with the roles.

Authorization Info System Transaction – SUIM


In Authorization Management, SUIM is a key tool with which you can find the user
profiles in an SAP system and can also assign those profiles to a user ID. SUIM
provides an initial screen with options for searching Users, Roles, Profiles,
Authorizations, Transactions, and Comparison.
To open the User Information System, run transaction SUIM.
In the User Information System, you have different nodes that can be used to perform
different functions in an SAP system. For example, in the User node, you can search for
users based on selection criteria. You can get the list of locked users, users having
access to a particular set of transactions, etc.
When you expand each tab, you have the option to generate different reports based on
different selection criteria. For example, when you expand the User tab, you have the
following options −

When you click on Users by Complex Selection Criteria, you can apply multiple selection
conditions simultaneously. The following screenshot shows you the different selection
criteria.
Role Node
In a similar way, you can access different nodes like Roles, Profiles, Authorizations and
various other options under the User Information System.
You can also use the SUIM tool for searching roles and profiles. You can assign a list of
transactions to a particular set of user IDs by performing a search by transaction and
assignment in SUIM and assigning those roles to that user ID.
Using the User Information System, you can perform various searches in an SAP system.
You can enter different selection criteria and pull reports based on users, profiles,
roles, transactions and various other criteria.
RSUSR002 − Users by Complex Selection Criteria.
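The search for users who have access to a particular set of transactions, as an added Python example (not part of the original document and not SAP code). It expands composite roles into their single roles and works on role menus only; the role names, users and assignments are constructed, and in a real system effective access also depends on the authorizations in each role's generated profile.

```python
# Constructed role model (not real data). Role and user names are assumptions;
# the t-codes are the ones named on this page.
SINGLE_ROLES = {
    "Z_USER_ADMIN": {"SU01", "SUIM"},
    "Z_ROLE_ADMIN": {"PFCG", "SU24", "SUIM"},
    "Z_TRANSPORT_VIEW": {"SE10"},
    "Z_TABLE_MAINT": {"SM30"},
}
COMPOSITE_ROLES = {
    "Z_COMPOSITE_SECURITY": ["Z_USER_ADMIN", "Z_ROLE_ADMIN"],
    "Z_COMPOSITE_BASIS": ["Z_TRANSPORT_VIEW", "Z_TABLE_MAINT", "Z_DELETED"],
}
USER_ASSIGNMENTS = {
    "ALICE": ["Z_COMPOSITE_SECURITY"],
    "BOB": ["Z_USER_ADMIN", "Z_COMPOSITE_BASIS"],
    "CAROL": ["Z_TRANSPORT_VIEW"],
}


def expand_role(role):
    """Return (single roles, unknown role names) behind one assigned role."""
    known = set(SINGLE_ROLES)
    if role in known:
        return {role}, set()
    if role in COMPOSITE_ROLES:
        members = set(COMPOSITE_ROLES[role])
        return members & known, members - known   # dangling members reported
    return set(), {role}


def users_by_transaction(tcodes):
    """Map user -> {(t-code, single role, assigned role)} for the wanted t-codes."""
    wanted = set(tcodes)
    result = {}
    for user, roles in USER_ASSIGNMENTS.items():
        for assigned in roles:
            singles, _unknown = expand_role(assigned)
            for single in singles:
                for tcode in SINGLE_ROLES[single] & wanted:
                    result.setdefault(user, set()).add((tcode, single, assigned))
    return result


def users_with_all(tcodes):
    """Users whose role menus together contain every t-code in the set."""
    wanted = set(tcodes)
    hits = users_by_transaction(wanted)
    return sorted(u for u, rows in hits.items()
                  if {row[0] for row in rows} == wanted)
```

Each hit records both the single role that carries the transaction and the role actually assigned to the user, which is what a reviewer needs to decide where to remove access.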

1. How to Find the Authorization Object Associated with a Transaction Code in SAP?

SU24 → TCODE NAME
Default value is Yes
How to Define Composite Roles in SAP
In this scenario, we are going to define the composite role Z_Composite_Roles.

Step 1: Enter transaction code "PFCG" in the SAP command field and press
Enter.

Step 2: On the role maintenance screen, update the following fields.
1. Update the composite role ID in the role field.
2. Click on the composite role tab to create new composite roles in SAP.

Step 3: In the next screen, update the following details.
1. Update the descriptive text of the composite role.
2. Enter the descriptive long text of the composite role.
3. Click on the save button and save the data.

Step 4: Next, click on the menu and update all the single roles that you want
to assign to the role. That's how we create the composite role.

Step 5: Click on the Users tab and update the users that you want to assign to
the roles, then click on User Comparison. Press Yes to continue.

Step 6: Now click on the menu, right-click on the role and open the
folder as shown below.
No menu is available, so click on menu options and select menu options as per
your requirements.

Now click on the import menu icon to copy the menus.

Click on the save button (Ctrl+S) and save the configured composite role data.

What are Derived Roles in SAP


The derived role receives the menu structure and various functions like
transactions, reports, web links, etc. from the role referenced, so we can call
the referenced role a parent role. The role only receives menus and functions if
no t-codes have been assigned to it. Derived roles are used to maintain security at
organizational levels, and they help to minimize administrative maintenance.
Let's learn how to create a derived role in SAP security.
Enter transaction code "PFCG" in the SAP command field and press Enter.

In the next screen, enter the role name and click on the role tab as shown
below.

Now we derive a role from the existing role: click on the Derived from Role tab
to derive the existing role.
In the importing role window, click the Start Search button; you can provide a
maximum number of hits.

Now select the particular role that we want to derive from; here we selected the
master role. After selecting the role, a window opens asking whether you want to
enter the specific role as the importing role; click on Yes.

Update the descriptive name of the derived role and click on the save button
(Ctrl+S).
Here you can see that the menu has been inherited. Click on the menu and check
which menus have been inherited.

Now we have to change the authorization data: click on the Authorization tab
and click on Change Authorization Data.
Here we can see the company code and account type organization levels; assign
the values and click on the save button.
Select the Generate button and then click on the Generate option.
Press Enter to continue as shown below to assign a profile name for the generated
authorization profile.

Click on the User tab and update the user ID in the user field, then click on User
Comparison.

Click on Complete Comparison as shown in the image below. Now you can see
the user comparison in green.
Finally, click on the save button and save the configured derived role details.

S.No  Auth. Object  Description
1     S_TABU_DIS    Used to protect tables using authorization groups with activity
2     S_TABU_CLI    Auth object used to protect cross-client tables
3     S_TABU_LIN    Auth object used for tables based on line items
4     S_TABU_NAM    New auth object for table access based on names
5     S_PROGRAM     Used to run ABAP reports/programs via SA38
6     S_DEVELOP     Auth object used to control ABAP objects or debug access
7     S_USER_AGR    Used to control roles
8     S_USER_AUT    Checked during authorization maintenance
9     S_USER_GRP    Used to control user groups
10    S_USER_PRO    Used for profile maintenance
11    S_BDC_MONI    Used to protect batch input monitoring
12    S_BTCH_JOB    Used for background job monitoring and administration
13    S_BTCH_ADM    Used for background job administration
14    S_BTCH_NAM    User-level control for background job scheduling
15    S_SPO_ACT     Used for spool administration which controls S_ADMI_FCD
16    S_ADMI_FCD    Basis administration like spool and monitoring
17    S_SPO_PAGE    Used to control the name of the output device and the number of pages
