SAP Authorization

This document provides a comprehensive guide for SAP users on creating Master Roles and Child Roles to streamline role maintenance and authorization management. It explains the definitions, benefits, and procedures for creating these roles using the PFCG transaction, along with best practices for role management. The tutorial emphasizes the importance of a structured role hierarchy to simplify user administration and enhance security within SAP systems.

Uploaded by

datpqhe180117

Creating Master Roles and Child Roles in SAP

Purpose:

This tutorial will guide SAP users through the step-by-step process of creating a Master Role and
Child Roles linked to it within SAP. Master Roles and Child Roles are used to simplify and organize
role maintenance, especially in complex SAP environments with many users and varying
authorization needs.

What are Master Roles and Child Roles?

• Master Role (Composite Role): A Master Role is essentially a container role. It doesn't
directly contain authorizations itself. Instead, it groups together multiple Child Roles. Think
of it as a "parent" role. Users are not directly assigned Master Roles.

• Child Role (Single Role): Child Roles are Single Roles that do contain the actual authorizations
(transaction codes, authorization objects, etc.). They represent specific functions or tasks
within SAP (e.g., "Sales Order Entry", "Invoice Processing", "Material Master Display"). Child
Roles are assigned to Master Roles.

Benefits of Using Master Roles and Child Roles:

• Simplified User Assignment: You assign users to Master Roles only. The Master Role, in turn,
grants authorizations based on the Child Roles it contains. This simplifies user
administration, especially when users need multiple authorizations.

• Centralized Role Maintenance: You maintain and update authorizations within Child Roles.
Changes made to a Child Role are automatically reflected in all Master Roles that include
that Child Role. This reduces redundancy and ensures consistency.

• Role Reusability: Child Roles are designed to be reusable. A single Child Role (e.g., "Display
Material Master") can be included in multiple Master Roles that represent different job
functions (e.g., "Sales Manager", "Purchasing Agent").

• Clear Role Structure: The Master/Child Role concept creates a hierarchical and more organized
role structure, making it easier to understand and manage authorizations within your SAP
system.

• Reduced Role Proliferation: By reusing Child Roles in Master Roles, you can potentially
reduce the total number of roles you need to create and maintain.

Transaction Code:

We will be using the primary transaction for Role Maintenance in SAP:

• PFCG - Role Maintenance: This transaction is used to create, change, display, and manage
both Single Roles (which we'll use as Child Roles) and Composite Roles (which we'll use as
Master Roles).

Procedure:

Part 1: Creating a Master Role (Composite Role)

1. Open PFCG Transaction: Log in to your SAP system and execute transaction code PFCG (Role
Maintenance).

2. Enter Role Name for Master Role:

o In the "Role" field, enter a name for your new Master Role. Role names typically
follow a naming convention (e.g., Z_MASTER_SALES_USER,
Z_COMPOSITE_PURCHASER). Start with Z or Y to denote custom roles.

o Click on the "Composite Role" radio button. (Important: Ensure "Composite Role" is
selected to create a Master Role).

o Click the "Single Role" button to Create.

3. Enter Description and Organizational Levels (if needed):

o Description Tab: Go to the "Description" tab. Enter a meaningful "Description" and
"Short Description" for your Master Role (e.g., "Master Role for Sales Users",
"Composite Role - Purchasing Department").

o Organization Levels (Optional): If your roles need to be restricted by organizational
levels (e.g., Company Code, Sales Organization), you can maintain these on the
"Organization Levels" tab. This is less common for Master Roles themselves but can
be relevant if you want to control the organizational scope of the entire Master
Role. Typically, organizational levels are controlled more granularly within Child
Roles.

4. Navigate to "Roles" Tab: Click on the "Roles" tab within PFCG for your Master Role. This is
where you will assign Child Roles to your Master Role.

5. Assign Child Roles to the Master Role:

o In the "Roles" tab, you will see a table or section to add roles.

o Click on the "Insert Role" button (or similar - often an icon of inserting a row or a
magnifying glass to search).

o Search and Select Child Roles: In the pop-up window, search for the Child Roles you
want to include in this Master Role. You can search by Role Name, Description, etc.
Select the desired Child Roles and add them to the Master Role. You can add
multiple Child Roles.

6. Save Master Role: Once you have assigned all the desired Child Roles, click the "Save" button
(diskette icon or "Save" button in PFCG).

o Important: Do NOT maintain Authorizations, User Assignment, or Menu in the
Master Role itself. These are managed in the Child Roles. The Master Role is purely a
container.

Part 2: Creating Child Roles (Single Roles)

Now, we create the Child Roles that will contain the actual authorizations and be assigned to the
Master Role.

1. Open PFCG Transaction (again, if needed): Execute transaction code PFCG (Role
Maintenance).

2. Enter Role Name for Child Role:

o In the "Role" field, enter a name for your new Child Role. Child Role names should
also follow a naming convention (e.g., Z_SINGLE_SALES_ORDER_CREATE,
Z_CHILD_INVOICE_DISPLAY). Start with Z or Y.

o Ensure the "Single Role" radio button is selected. (This is key for creating a Child Role
- it will be a Single Role).

o Click the "Single Role" button to Create.

3. Enter Description and Menu (Transaction Codes):

o Description Tab: Enter a meaningful "Description" and "Short Description" for your
Child Role (e.g., "Child Role - Create Sales Orders", "Single Role - Display Vendor
Invoices").

o Menu Tab: Go to the "Menu" tab. This is where you define which transaction codes
this Child Role will authorize.

▪ Click the "Transaction" button in the Menu tab.

▪ Enter the Transaction Code you want to add to this role (e.g., VA01 for
Create Sales Order, MIRO for Invoice Verification, MM03 for Display
Material Master).

▪ Repeat for all Transaction Codes that this Child Role should authorize.

▪ You can also add folders (using "Folder" button) to organize transactions in
the menu, if desired, for user-friendliness in SAP Easy Access menu.

4. Maintain Authorizations (Crucial Step):

o Authorizations Tab: Click on the "Authorizations" tab.

o Propose Profile Name: Click the "Propose Profile Name" button. The system will
suggest a profile name based on the Role name. Accept it.

o Change Authorization Data: Click the "Change Authorization Data" button (pencil
icon). This is where you define the authorization objects and authorization values
for this Child Role.

o Authorization Objects: The system will list authorization objects relevant to the
transaction codes you added in the "Menu" tab. You need to maintain the
authorization values for each relevant authorization object.

▪ Double-click on an authorization object to expand it and see the fields.

▪ For each field, specify the authorization values that this role should grant.
You can use:

▪ Specific Values: Enter exact values (e.g., specific Company Codes,
Sales Organizations, etc.) if the authorization should be restricted.

▪ "*" (Asterisk): Grant authorization for all values in a field (use with
caution, grants broad authorization).

▪ Ranges: Define ranges of values.

▪ Authorization Fields: Some fields can use authorization fields for
more dynamic authorization checks (advanced topic).

▪ Example: For a "Create Sales Order" Child Role, you might need to maintain
authorization objects like V_VBAK_AAT (Sales Document Type), V_VKORG
(Sales Organization), V_VTWEG (Distribution Channel), V_SPART (Division),
and others depending on your security requirements. You would specify
allowed Sales Document Types, Sales Organizations, etc., in the
authorization values.

o Generate Profile: After maintaining all necessary authorization values for all relevant
authorization objects, click the "Generate Profile" button (often a "Generate" icon
or a traffic light icon). This generates the authorization profile in the backend based
on your settings.

5. Save Child Role: Click the "Save" button to save your Child Role.

o Important: Do NOT assign users directly to Child Roles. Child Roles are assigned to
Master Roles.

Part 3: Assign Users to the Master Role

1. Open PFCG Transaction: Execute transaction code PFCG.

2. Enter Master Role Name: Enter the name of your Master Role (e.g.,
Z_MASTER_SALES_USER).

3. Navigate to "User" Tab: Click on the "User" tab in PFCG for your Master Role.

4. Enter User IDs: In the "User Assignment" table, enter the User IDs that should be assigned
this Master Role.

5. User Comparison: Click the "User Comparison" button (often represented by a user icon
with arrows or a "User Reconciliation" button). This step is crucial. It updates the user buffer
and ensures that the authorizations from the Child Roles (via the Master Role) are properly
assigned to the users. Choose "Complete Comparison" if prompted.

6. Save User Assignment: Click the "Save" button to save the user assignments to the Master
Role.

Testing and Verification:

1. Log in as a Test User: Log in to SAP with one of the User IDs you assigned to the Master Role.

2. Check SAP Easy Access Menu: Verify that the SAP Easy Access menu (transaction SAPGUI)
reflects the transaction codes you added to the Child Roles that are part of the Master Role.
Users should see the menu structure based on the roles assigned.

3. Test Authorizations: Try to execute the transaction codes that are included in the Child
Roles. Verify that the user is authorized to perform the actions defined in the Child Role
authorizations (e.g., create sales orders, display vendor invoices). Also, test negative
authorizations - try to perform actions that should not be authorized based on these roles.

Key Considerations and Best Practices:

• Naming Conventions: Establish clear naming conventions for Master Roles and Child Roles to
make them easily identifiable and understandable.

• Granularity of Child Roles: Design Child Roles to be granular and task-oriented (e.g., "Create
Sales Order - Domestic", "Display Vendor Master - Company Code 1000"). This promotes
reusability.

• "Principle of Least Privilege": When defining authorizations in Child Roles, always adhere to
the "principle of least privilege." Grant users only the authorizations they absolutely need to
perform their job functions. Avoid broad authorizations (using "*" unnecessarily).

• Regular Role Review and Maintenance: Roles should be reviewed and updated regularly to
reflect changes in business processes, job functions, and security requirements. Remove
unnecessary authorizations and add new ones as needed.

• Documentation: Document your Master Role and Child Role structure, descriptions, and the
authorizations they contain. This is essential for long-term maintainability and auditability.

• Testing in a Test System: Always create and test roles thoroughly in a non-production
(development or test) SAP system before transporting them to your productive system.
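
The rules in this tutorial (users assigned only to Master Roles, no unnecessary "*" values, Z/Y naming) can be checked mechanically during a role review. The following Python script is an added example, not part of the original tutorial; it assumes the role data has been exported as CSV with a subset of the columns of the standard tables AGR_AGRS, AGR_USERS and AGR_1251, and every row shown is constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data shaped like SE16 exports (subset of columns) of
# AGR_AGRS (composite -> single role), AGR_USERS (role -> user) and
# AGR_1251 (role -> authorization object/field/value). Not from a real system.
AGR_AGRS = """AGR_NAME,CHILD_AGR
Z_MASTER_SALES_USER,Z_SINGLE_SALES_ORDER_CREATE
Z_MASTER_SALES_USER,Z_CHILD_INVOICE_DISPLAY
"""
AGR_USERS = """AGR_NAME,UNAME
Z_MASTER_SALES_USER,TESTUSER1
Z_CHILD_INVOICE_DISPLAY,TESTUSER2
"""
AGR_1251 = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_SINGLE_SALES_ORDER_CREATE,V_VBAK_AAT,AUART,OR,
Z_SINGLE_SALES_ORDER_CREATE,V_VBAK_AAT,ACTVT,01,
Z_SINGLE_SALES_ORDER_CREATE,V_VBAK_VKO,VKORG,*,
Z_CHILD_INVOICE_DISPLAY,F_BKPF_BUK,BUKRS,1000,1999
Z_CHILD_INVOICE_DISPLAY,F_BKPF_BUK,ACTVT,03,
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def audit(agrs=AGR_AGRS, users=AGR_USERS, auths=AGR_1251):
    """Return sorted (rule, subject, detail) findings for the tutorial's rules."""
    children = defaultdict(set)              # Master Role -> its Child Roles
    for r in _rows(agrs):
        children[r["AGR_NAME"]].add(r["CHILD_AGR"])
    child_names = {c for kids in children.values() for c in kids}
    wildcards = defaultdict(set)             # role -> {"OBJECT/FIELD"} granted "*"
    for r in _rows(auths):
        if r["LOW"].strip() == "*":
            wildcards[r["AGR_NAME"]].add(f'{r["OBJECT"]}/{r["FIELD"]}')
    findings = set()
    for role, fields in wildcards.items():
        findings.update(("WILDCARD_VALUE", role, f) for f in fields)
    for r in _rows(users):
        role, user = r["AGR_NAME"], r["UNAME"]
        if role in child_names:              # users belong on Master Roles only
            findings.add(("USER_ON_CHILD_ROLE", role, user))
        # A "*" in one Child Role reaches every user of each Master Role using it.
        for child in children.get(role, {role}):
            for f in wildcards.get(child, ()):
                findings.add(("USER_INHERITS_WILDCARD", user, f"{child}:{f}"))
    for name in set(children) | child_names | {r["AGR_NAME"] for r in _rows(auths)}:
        if not name.startswith(("Z", "Y")):  # custom-role naming convention
            findings.add(("NAMING_CONVENTION", name, ""))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit():
        print(*finding, sep="\t")
```

On the sample data this reports the "*" on VKORG in the sales order Child Role, shows that TESTUSER1 inherits it through Z_MASTER_SALES_USER, and flags TESTUSER2 as assigned directly to a Child Role.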

In Summary:

Master Roles and Child Roles are a powerful feature in SAP Role Management. By following these
steps, you can create a well-structured and efficient role concept that simplifies user administration,
centralizes authorization maintenance, promotes role reusability, and improves the overall security
and manageability of your SAP system. Remember to focus on defining clear and granular Child
Roles containing authorizations and then grouping them logically into Master Roles for user
assignment. Always test your roles thoroughly!

1 Managing Roles

1.1 Purpose
You can use the role administration functions to manage roles and authorization data.
The role management tool creates authorization data automatically based on selected menu
functions, and presents it for postprocessing. It is also integrated with organizational management.

We recommend you use the role maintenance functions (transaction PFCG) to maintain your roles,
authorizations and profiles. Although you can continue to create profiles manually, you need
detailed knowledge of all SAP authorization components.

The role administration functions support you in performing your task by automating various
processes and allowing you more flexibility in your authorization plan. You can also use the Central
User Administration functions to centrally edit the roles delivered by SAP or your own, new roles,
and to assign the roles to any number of users.

The roles (previously: activity groups), which are based on the organizational plan of your company,
form the basic framework of the tool. These roles form the link between the user and the
corresponding authorizations. The actual authorizations and profiles are stored in the SAP system as
objects.

With the roles, you assign to your users the user menu that is displayed after they log on to the SAP
system. Roles also contain the authorizations that users can use to access the transactions, reports,
Web-based applications, and so on, that are contained in the menu.

When you work with the role administration tool, you work with a level of information that is a step
away from the actual objects in the SAP system. The graphic below shows how these two levels are
separated, yet linked together with the role administration functions.

[Figure: Structure of Role Administration]

1.2 Implementation Notes


Since the standard SAP system contains a large number of roles already, you should check whether
you can use these before defining your own roles.

To get an overview of the roles delivered with the system, do one of the following:

▪ In the SAP Easy Access menu, choose Tools → Administration → User
Maintenance → Infosystem → Roles → Roles By Complex Selection Criteria and then Execute.

▪ In role administration (Tools → Administration → User Maintenance → Roles), choose the input
help for the Role field.

If you want to make modifications to an existing role, make a copy of it and modify this.

If you do not find suitable roles, write job descriptions before beginning your work
in role administration (see also Initial Installation Procedure).

Either have all maintenance tasks performed centrally by a single superuser, or distribute the
maintenance tasks to several users in order to increase system security. For more information,
see Organization of the Authorization Administration.

1.3 Features
The system administrator chooses transactions, menu paths (in the SAP menu) or area menus, in
the role administration (transaction PFCG), and combines them in a tree. The selected functions
correspond to the activities of a user or a group of users. The tree corresponds to the user menu
that is displayed to the users to whom this role is assigned when they log on to the system.

The role administration tool automatically provides the required authorizations for the selected
functions. Some of these have default values. Traffic lights show you which values you have not yet
edited. After you have entered all of the values, generate an authorization profile from the
authorizations and assign the role to the users.

In the role administration, you can:

▪ Change and assign roles


▪ Create roles

▪ Derive roles

▪ Compare roles

▪ Transport and distribute roles

1.4 Process Flow


With the role administration functions, you work in the upper level displayed in the above
graphic. You define the roles for the various job descriptions with the permitted activities.
The role administration tool determines the authorizations for users for a particular role based on
this information. The basic process is as follows:

1. Assign transactions to job descriptions.

Define job descriptions for each application area in your company (for example, in a job
description matrix). For each position, determine the menu paths and transactions that the
users in this position need to access. Determine the necessary access authorizations
(display, change), as well as any restrictions that may apply.

2. Edit the roles with the role administration (transaction PFCG).

Using the role maintenance functions, create the roles that correspond to each of the job
descriptions. For each role, select those tasks (reports and transactions) that belong to the
corresponding job.

3. Generate and edit authorization profiles

In this step, the tool automatically builds the authorization profile that applies to the role. To
accept or change the suggested profile, you must work your way through the profile tree
structure and confirm the individual authorizations that you want to assign to the role.

4. Assign users

In this step, you assign users to the relevant role.

5. Update the user master records

The user assignment and generated profile need to be updated in the user master records.
There are a number of ways of doing this (depending on the release):

▪ In all releases, you can schedule a background job that regularly updates the user
master records.

▪ As of release 4.5, you can either use the function User Comparison, or you can have
the system automatically update the user master records when you save the roles:
Choose Utilities User Settings and activate the option Automatic User Master
Adjustment when Saving Role.

Note
Even if you use the User Comparison function or the Automatic User Master
Adjustment when Saving Role option, we recommend that you schedule a
background job and ensure that all user master records are automatically updated
on a regular basis.

More information:

▪ Assigning Standard Roles

▪ Role Administration Functions.

1.5 What is Master Role in SAP?


Master Roles are the roles in SAP that have Transactions, Authorization Objects, and all organizational
level management.

1.6 How to Create a Master Role in SAP?


Please follow the steps below to create master roles in SAP:

Execute t-code PFCG in the SAP Command field.

Now enter the Role Name and click on the Single Role option.

Next, click on the Save button to save the new role.

You have created a role that will be a master role once a child role is created for it.

Now create a Child role and click the Single Role button.

Save the child role by clicking on the Save icon.

Once the Child Role is created, enter the role you created earlier under Transaction Inheritance.

You have successfully created a master role with its child role.

1.7 Copying the Authorizations of the Original Role to the Derived Role
1. Change the original role from which the authorizations are to be derived, in
the role administration tool. Choose the Authorizations tab and there click the Change
Authorization Data button.

2. Choose Authorizations → Adjust Derived → Generate Derived Roles.

The authorization data is copied to the derived roles.
