SAP Role Maintenance - v1.0

The Security User Guide (SUG) provides instructions for SAP Role Maintenance, detailing the creation and management of various role types including single, master, derived, and composite roles. It emphasizes the importance of maintaining proper authorizations and following naming conventions for roles, as well as the process for assigning roles to users. The document is intended for internal use only and is version 1.0, dated June 7, 2021.

Uploaded by

kalyansakinela9

Security User Guide (SUG)

XXXXX

Version 1.0
Date: 06.07.2021

Confidential: Strictly for use XXXXX only


Document Change Control

Release version   Dated        Description     Documented/Changed by
v1.0              06.07.2021   Draft version   Adithya Kothuri (Adi)


Table of Contents
SAP Role Maintenance
Navigation

SAP Role Maintenance

Transaction code: PFCG

Use: A valid SAP user master record must also include role(s) with the
privileges required for the user to perform the day-to-day tasks corresponding
to the roles and responsibilities they hold. Such privileges are granted only
through role creation and subsequent user assignment.

Navigation

• On the SAP Easy Access screen, in the command box, input the transaction code PFCG

• On the resultant screen, which is the Role Maintenance screen, navigate through
the following options, as applicable

Roles in SAP can be classified as Single role (a data container with a group of
authorizations), Master role (a single role with enterprise-wide access),
Derived role (a single role mirroring a master role, except for the org. level values:
Company code, Operating concern, Controlling area, Credit control area, Sales org., Plant
etc.) and Composite role (a data container with a group of single roles bundled in it).

The SAP system does not distinguish between the names of simple/single and composite
roles. The role administrator should adopt their own naming convention to distinguish
between the roles.

Roles delivered by SAP start with the prefix “SAP_”. For custom roles, use the customer
namespace with the prefix “Y_” or “Z_”.

Do not change the delivered standard roles (SAP_*), but rather only the copies of these
roles (Z_*). Otherwise, the standard roles that you have modified will be overwritten by
newly delivered standard roles during a later upgrade or release change.

a. Navigation to the Master role setup: On the Role Maintenance screen, input the
custom role to be created and click on the push button.

o On the resultant screen, enter the description of the role, click on save and
proceed to the Menu tab

o In the Menu tab, click on the Insert node push button to add
transaction code(s) and click on the push button to assign
the t-codes to the role. Successful addition of the transaction code(s) will result
in output similar to that depicted below

o Proceed to the Authorizations tab and click on the
push button (relevant only during role creation) under Edit Authorization
Data and Generate Profiles. At this stage, the role administrator will be prompted
to enter the values against each org. level. Since the role being set up is a master
role, it requires full authorization, so a value of * will need to be maintained
against each org. level

To assign full authorization against all the org. levels at once, click on the
push button and then click on the push button

o On the resultant Change Role: Authorizations screen, all the auth objects dependent
on the transaction code(s) will be displayed. At this stage, the role administrator
must update the dependent authorization values under each auth object

Auth objects requiring an update can be identified by the amber traffic light.
Depending upon the volume of auth objects requiring an update, the role
administrator may prefer to maintain them manually or have the system do
so by clicking on the push button.

o As a next step, click on the Generate icon push button to generate the profile,
which groups all the auth objects dependent on the t-code(s).

o Once the profile is generated, click on the back button and look for the
green icon in the tab; the role is then ready for user assignment

o To transport the role(s) to the target client in a different landscape, click on the
back push button on the same screen and navigate through the following
path: More -> Utilities -> Mass Transport

b. Navigation to the Derived role setup: On the Role Maintenance screen, input the
custom role to be created and click on the push button.

o On the resultant screen, enter the description of the role and, in the Description tab,
under the Transaction Inheritance section, enter the master role from which the
derived role is to derive its values (transaction codes, auth objects and auth object
values)

To check whether the transaction inheritance was successful, look
for the green light in the Menu tab

o Proceed to the Authorizations tab and click on the push
button under Edit Authorization Data and Generate Profiles. A dialog box
prompting to maintain the org. values against each org. level will be displayed. Key in
the values as relevant and click on the push button

o As a next step, click on the Generate icon push button to generate the profile,
which groups all the auth objects dependent on the t-code(s)

o Observe on the Change Role: Authorizations screen that the auth values are
not pushed from the master role

To ensure that they are, go back to the master role using the back push button, enter the
master role name, enable the change mode and, in the Authorizations tab, under
Edit Authorization Data and Generate Profiles, click on the push
button

o On the resultant screen, click on the Generate derived Roles push button and
look for the following message. Now
refer to the derived role to see if the auth values are also pushed from the master
role to the derived role. Once this is confirmed, the role is ready for user
assignment

c. Navigation to the Composite role setup: On the Role Maintenance screen, input the
custom role to be created and click on the push button.

o On the resultant screen, enter the description of the role and proceed to the Roles
tab. In the Roles tab, add the single roles that are to be bundled as part of the
composite role being created and click on the push button

o On successful addition of the single roles, the composite role is ready for user
assignment
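
An added example, not part of the original guide: a Python check over a constructed role inventory that applies the rules stated above (delivered SAP_ roles left unmodified, custom roles in the Y_/Z_ namespace, * at every org. level of a master role, derived roles mirroring their master's menu, composite roles bundling only single roles). The inventory layout, the changed_locally flag and all role names are assumptions made for illustration.

```python
# Constructed inventory; field names are assumptions, not an SAP export format.
ROLES = {
    "Z_FI_AP_MASTER": {"type": "master", "tcodes": {"FB60", "FK03"},
                       "org_levels": {"BUKRS": ["*"], "WERKS": ["*"]}},
    "Z_FI_AP_1000": {"type": "derived", "parent": "Z_FI_AP_MASTER",
                     "tcodes": {"FB60", "FK03"},
                     "org_levels": {"BUKRS": ["1000"], "WERKS": ["1000"]}},
    "Z_FI_AP_2000": {"type": "derived", "parent": "Z_FI_AP_MASTER",
                     "tcodes": {"FB60"},  # menu no longer mirrors the master
                     "org_levels": {"BUKRS": ["2000"], "WERKS": ["2000"]}},
    "FI_DISPLAY": {"type": "single", "tcodes": {"FB03"}, "org_levels": {}},
    "SAP_EXAMPLE_ROLE": {"type": "single", "changed_locally": True},
    "Z_FI_AP_CLERK": {"type": "composite",
                      "members": ["Z_FI_AP_1000", "Z_MISSING_ROLE"]},
}
CUSTOM_PREFIXES = ("Y_", "Z_")

def audit_roles(roles):
    """Return sorted (role, finding) pairs for the rules in this guide."""
    findings = []
    for name, role in roles.items():
        if name.startswith("SAP_"):
            # Delivered roles are overwritten on upgrade; only copies change.
            if role.get("changed_locally"):
                findings.append((name, "delivered role modified; change a Z_ copy"))
            continue
        if not name.startswith(CUSTOM_PREFIXES):
            findings.append((name, "custom role outside the Y_/Z_ namespace"))
        if role["type"] == "master":
            for field, values in role["org_levels"].items():
                if values != ["*"]:
                    findings.append((name, f"master org. level {field} is not *"))
        elif role["type"] == "derived":
            parent = roles.get(role["parent"])
            if parent is None or parent["type"] != "master":
                findings.append((name, "derived role has no master role"))
            elif role["tcodes"] != parent["tcodes"]:
                findings.append((name, "menu differs from master role"))
        elif role["type"] == "composite":
            for member in role["members"]:
                if roles.get(member, {}).get("type") in (None, "composite"):
                    findings.append((name, f"member {member} is not a single role"))
    return sorted(findings)

if __name__ == "__main__":
    for role_name, finding in audit_roles(ROLES):
        print(f"{role_name}: {finding}")
```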

*** End of Security User Guide***
