Authorisation Concept In SAP | http://sapdocs.info
Authorization Concept
The authorizations for users are created using roles and profiles. The administrator
creates the roles, and the system supports him or her in creating the associated authorizations.
Fig 1.1 Authorization Concepts (diagram: object class Basis Admin; authorization object User
Master Maintenance: User Groups; authorization A with activity Create, Change, Display for user
group SUPER; authorization B with activity Display for user group Finance)
Authorization objects allow complex checks in which multiple conditions must be met before
a user may perform an action. An authorization is always associated with exactly one authorization
object and contains the values for the fields of that authorization object.
An authorization is a permission to perform a certain action in the SAP System. The
action is defined on the basis of the values for the individual fields of an authorization object.
When a user logs on to a client of an SAP system, his or her authorizations are loaded in the user
context. The user context is in the user buffer (in the main memory) of the application server.
When the user calls a transaction, the system checks whether the user has an
authorization in the user context that allows him/her to call the selected transaction.
Authorization checks use the authorizations in the user context.
All the authorizations are permissions. There are no authorizations for prohibiting. Everything
that is not explicitly allowed is forbidden.
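The check described above, modelled in Python as an added example (not SAP code and not part of the original document): a check passes only if one single authorization for the object covers every requested field value, and anything else is denied. The class names, the object name USER_GROUPS, the field names and the treatment of '*' as "all values" are assumptions of this simplified model; the sample values are those of Fig 1.1.

```python
from dataclasses import dataclass, field


@dataclass
class Authorization:
    """One authorization: exactly one object plus the allowed values per field."""
    obj: str
    values: dict  # field name -> set of allowed values


def _allows(allowed, value):
    # '*' means "all values" in this model (assumption, see lead-in).
    return "*" in allowed or value in allowed


@dataclass
class UserContext:
    """Authorizations loaded at logon (the user buffer in this model)."""
    user: str
    authorizations: list = field(default_factory=list)

    def check(self, obj, **requested):
        """True only if ONE authorization for obj allows ALL requested fields."""
        for auth in self.authorizations:
            if auth.obj != obj:
                continue
            if all(_allows(auth.values.get(f, set()), v)
                   for f, v in requested.items()):
                return True
        # There are no prohibiting authorizations: a missing permission denies.
        return False


# Constructed sample data using the values shown in Fig 1.1.
AUTH_A = Authorization("USER_GROUPS", {"ACTIVITY": {"Create", "Change", "Display"},
                                       "USER_GROUP": {"SUPER"}})
AUTH_B = Authorization("USER_GROUPS", {"ACTIVITY": {"Display"},
                                       "USER_GROUP": {"Finance"}})
admin = UserContext("ADMIN1", [AUTH_A, AUTH_B])

if __name__ == "__main__":
    for activity, group in [("Change", "SUPER"), ("Display", "Finance"),
                            ("Change", "Finance"), ("Display", "Sales")]:
        ok = admin.check("USER_GROUPS", ACTIVITY=activity, USER_GROUP=group)
        print(f"{activity:8} {group:8} -> {'allowed' if ok else 'denied'}")
```

"Change" on group Finance is denied even though "Change" appears in authorization A and "Finance" in authorization B: field values are never combined across authorizations.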
The user gets the necessary authorization through Roles. The role also contains the
authorizations users need to access the transactions, reports, web-based applications and so on,
contained in the menu.
The details of user administration are specified in my other BOK “User Administration in SAP
R3 System”.
How to Create a new Role
There are two ways to create a new role:
• Copy an existing role (SAP pre-defined role).
• Create a new role, based on the business requirements.
Copy an existing role
You can use the user role examples just as they are delivered with the SAP System.
Prerequisites
Check the suitability of the roles delivered by SAP before you create your own roles. If you want
to modify them, all you need to do is copy the SAP template (roles provided by SAP) and
modify the newly created copy.
Procedure
Copying an existing role, using the Copy Role icon, is described below.
To create a single role from a copy:
1. Choose the pushbutton Create role or the transaction PFCG in the initial transaction SAP
Easy Access. This takes you to role maintenance.
2. Choose the pushbutton Copy role.
3. Select the appropriate role delivered by SAP as the source role and specify the
user-defined role as the target role.
4. Choose the pushbutton “copy all/ copy selectively”.
5. The new role has now been created. You can edit it by pressing the pushbutton
“change role”.
6. Based on the requirements, deselect/remove unnecessary authorizations from the
copied SAP role.
7. Now we can assign this new role to the user.
This reduces the risk of giving all the authorizations to a user.
For example, consider a business scenario where we want to create a role for a particular user
who works in the sales department.
Creating a new role
Based on the business requirements, we have to create roles that are not provided by SAP.
In the scenario above, we have to assign the user only the role with which he will be
able to create, change and view the Sales Order.
Procedure
The creation of a single role is described below.
To create a single role:
1. Choose the pushbutton Create role or the transaction PFCG in the initial transaction SAP
Easy Access. You go to the role maintenance.
2. Specify a name for the role.
The roles delivered by SAP have the prefix 'SAP_'. Do not use the SAP namespace for
your user roles.
3. To distinguish between the names of user-defined roles and SAP predefined roles,
prefix the role with ‘Z_’ or ‘Y_’.
4. Choose Create Role.
5. Enter a meaningful role description text. You can describe the activities in the role in
detail. Then save the role.
You may use an existing role as a reference.
6. The user menu which you create here is called automatically when the user to whom this
role is assigned logs on to the SAP System.
7. You can create the authorizations for the transactions in the role menu structure on the
authorizations tab.
To get the profile name for this particular role, press the pushbutton “propose profile names”.
SAP will supply a profile name.
Then press the pushbutton ‘Change Authorization Data’ to maintain authorization data and
generate profiles.
Profile generator
Specify the company code, division, sales organization, distribution channel etc., and press the
Save button.
If we don’t specify any organization code, we will see a red dot against each
Authorization Object. To avoid this, it is better to specify the company code and the rest.
For each role, there will be some Authorization objects, User groups, Activities and Tasks, as
shown in Fig 1.1.
However, all the authorization values must be manually checked and adjusted if required in
accordance with the actual requirements and authorities.
Profile generator
Once all the authorization objects are shown green, we can generate the profile for this
particular role by pressing the ‘generate’ pushbutton.
With this we have successfully created a role.
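A review pass over a finished role, as an added example (not part of the original document and not an SAP tool): it flags the three things the procedure above asks for, namely a name outside the SAP namespace with a Z_/Y_ prefix, no empty organization-level fields, and values that still need the manual check. The role name, the SAP object and field names (S_TCODE, V_VBAK_VKO, BUKRS, VKORG, VTWEG, SPART, ACTVT) and the sample values are assumptions chosen for the sales-order scenario.

```python
import re

# Org-level fields named in the text: company code, division, sales
# organization, distribution channel (SAP field names assumed here).
ORG_FIELDS = {"BUKRS", "SPART", "VKORG", "VTWEG"}


def review_role(name, authorizations):
    """Return (severity, message) findings for one role.

    authorizations: list of (object_name, {field: [values]}) tuples.
    """
    findings = []
    if name.upper().startswith("SAP_"):
        findings.append(("error", f"{name}: role is in the SAP namespace"))
    elif not re.match(r"^[ZY]_", name.upper()):
        findings.append(("warn", f"{name}: no Z_/Y_ prefix for a user-defined role"))
    for obj, fields in authorizations:
        for fld, values in sorted(fields.items()):
            if not values:
                # Unmaintained value: the status the text says must be resolved
                # before the profile is generated.
                kind = "org level" if fld in ORG_FIELDS else "field"
                findings.append(("error", f"{obj}/{fld}: {kind} has no value"))
            elif "*" in values:
                # Full authorization for this field: needs the manual check.
                findings.append(("review", f"{obj}/{fld}: '*' grants every value"))
    return findings


# Constructed sample: create/change/display sales orders (ACTVT 01/02/03).
SALES_ROLE = ("Z_SALES_ORDER_CLERK", [
    ("S_TCODE", {"TCD": ["VA01", "VA02", "VA03"]}),
    ("V_VBAK_VKO", {"VKORG": [], "VTWEG": ["10"], "SPART": ["*"],
                    "ACTVT": ["01", "02", "03"]}),
])

if __name__ == "__main__":
    for severity, message in review_role(*SALES_ROLE):
        print(f"{severity:6} {message}")
```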
Advanced Concepts
If you want to call the transactions in a role in another system, enter the RFC destination of the
other system in the Target system field.
You should only use RFC destinations which were created using the Trusted System concept to
guarantee that the same user is used in the target system. This is only necessary if you want to
navigate via the Easy Access Menu in the SAPgui.
If you use the Workplace Web Browser, you can use any destination containing a logical system
with the same name.
If the Target system field is empty, the transactions are called in the system in which the user is
logged on.
You can also specify a variable which refers to an RFC destination. Variables are assigned to the
RFC destinations in the transaction SM30_SSM_RFC.
To distribute the role into a particular target system, specify the target system (its Release must
be 4.6C) and choose Distribute. This function is most useful when you use the Workplace.
You can create the user menu:
• From the SAP menu
You can copy complete menu branches from the SAP menu by clicking on the
cross in front of it in the user menu. Expand the menu branch if you want to put
lower-level nodes or individual transactions/programs in the user menu.
• From a role
This function copies a defined role menu structure in the same system into the
current role. You can also copy the menu structure of a role delivered by SAP.
Click on the menu branches and copy them.
• From an area menu
You can copy area menus (SAP Standard and your own) into a role menu. Choose
an area menu from the list of menus and copy the transactions you want.
• Import from file
• Transaction
You can put a transaction code in the user menu directly.
• Program
This function puts programs, transaction variants or queries in the user menu.
They need not be given a transaction code.
ABAP Report: choose a report and a variant. You can skip the selection screen.
• Others
By choosing the Other button, you can add Internet addresses, links or files.
When integrating files, you must use the storage paths instead of URLs. You can
also specify BW Web Reports, and links to external mail systems and Knowledge
Warehouse.
7. Save your entries.
Result
You have created a role. Role maintenance automatically creates the authorizations that are
associated with the transactions specified in the menu tree. However, all the authorization values
must be manually checked and adjusted if required in accordance with the actual
requirements and authorities.