Role Structures Creation In SAP

Explain the role structures and its creation.
Roles consist of one or more profiles.
A role can be regarded as a container for one or more profiles that allow the profile generator to connect to these for creation and maintenance. The role name can have 30 characters.
SAP provides a set of approx. 2.250 standard roles that can be used as templates. The SAP standard role names start with SAP_*.
Overview of roles the PFCG
The main tool for the role creation is of course the profile generator transaction PFCG.
In the button Views, you can select according to different criteria such as: Single Roles, Composite Roles etc. and will get the corresponding results displayed.
If you click the Display (Glass) button, you get to the display mode of the role.
The role information is ordered and can be reviewed by selecting the different tabs.
The Description tab can be used as a log book, and for storing content or business process descriptions. Here you can also find the information of the user who has created the role and last changed it. If this role is derived from a master role, you can find the corresponding information here also.
The text information are stored in the table AGR_TEXTS.
The tab Menu has all menu entries that are part of the selected role.
The role menu is customizable. Personalized folders can be created and entries can be moved via drag and drop. Node names can be changes as well.
The menu structure is driven by the individual integration of transactions, reports etc.
The tab Workflow allows the assignment of workflow tasks to a role.
With that assigned users would become possible agents of corresponding workflow tasks.
The tab Authorizations leads to the profiles that are part of this role, where as a distinction between the integrated profiles will not become obvious. All profiles are loaded with their authorizations.
The authorization content is grouped by object classes. You can open the folders by clicking on them, or by using the buttons + - expanding / collapsing the entries on which your cursor is located.
The authorizations are displayed together with their field content.
To get the technical information displayed such as authorization object name etc., go to the menu and select Utilities Technical names on.
The authorizations can have various statuses like e.g Open, Changed, Maintained, Standard, Old, New or Manual.
Open: These authorizations are not yet fully maintained, and have open fields.
Changed: The SAP default suggestion [USOBT_C] was changed
Maintained: One of the fields that were delivered empty form the SAP® defaults was populated with a value.
Standard: This authorization is set up according to SAP default.
Old: No changes have occurred for this authorization while opening the role in editing mode.
New: This authorization was added when opening the role in edit mode.
Manual: At least one authorization was added manually.
If a standard SAP suggestion was changed, the default value will automatically be integrated again when the role is changed the next time. To reduce the maintenance effort, you may want to consider to reopen the role in expert mode after changing the SAP defaults.

Instead of selecting Edit old status, you switch to the merge status.

The profile generator will now bring in the SAP standards again.

Set them to inactive , if you want to go with your changed setting and save your changes. Regenerate the role, and open it again in expert mode as previously described.
The standards will no longer be automatically integrated. The role is stabilized.
The profile generator offers some additional features such as Merge Authorizations [menu path Utilities]. Duplicate authorization entries will be merged.
Another feature can be found in menu Utilities Reorganize. This will lead to a reorganization of profile numbers. To get an overview of all profiles that are part of this role go to menu entry Authorizations Profile overview.
When creating a role, the profile name can be adjusted.
The settings for the PFCG can be adjusted via menu path Utilities Settings:
Another interesting feature is in the menu Utilities Authorization object assignments. Position your cursor onto an authorization object within the role. Go to the menu entry just mentioned. You will get the origin of this authorization object displayed [transaction name incl. description] for this role.
In the tab Users you get an overview of all users that have the particular role assigned, and you can also run the user master comparison from here.
The button for the Organizational Management leads to the indirect role assignment where established.
The tab MiniApps lists services or applications that are supposed to be used via web browser.
The tab Personalization stores the objects that are part of a framework for application development and allows the saving of user dependant data for an application.
The table information is valid for both the single roles and the composite roles.


See Also
SUIM To Find Authorization Object Value

Get help for your Basis problems
Do you have a SAP Basis Question?

SAP Basis Admin Books
SAP System Administration, Security, Authorization, ALE, Performance Tuning Reference Books

SAP Basis Tips
SAP BC Tips and Basis Components Discussion Forum

Administration In SAP - Sapgui, Unix, SAP ITS, Router, Client Copy and IDES 

Main Index
SAP ERP Modules, Basis, ABAP and Other IMG Stuff

All the site contents are Copyright © and the content authors. All rights reserved.
All product names are trademarks of their respective companies.  The site is in no way affiliated with SAP AG. 
Every effort is made to ensure the content integrity.  Information used on this site is at your own risk. 
 The content on this site may not be reproduced or redistributed without the express written permission of or the content authors.