Wednesday, 11 June 2008

Roles and authorizations

Now and then you bump into the subject roles and authorization while working with SAP. Even if it is a solution to a note, a part of an installation guide, or just a error message that says you don’t got the right authorization to commit a transaction.That’s why I have created this blog to help you out creating simple authorizations.
The transaction is PFCG, and the job is done here.Lets say you run into this note: 128105 and you see that you have to add the following authorizations: Authorizations
The following authorizations are required for frontend printing:-
Device authorization for the object S_SPO_DEV- Device authorization for device '%LOC' for the object S_SPO_DEV- Authorization for the object S_RFC:RFC_TYPE 'FUGR'RFC_NAME 'LPRF'ACTVT 16
In this blog, I will create a new single role, add the authorizations above and then add it to a composite role. You could search up an existing role, and add the authorization to that, but I want to take it from the beginning.Start by entering the transaction PFCG and create a new single role. Before entering a name to the role, you might want to set up a prefix for roles. Ask your technical leader for which prefix you should use. If you don’t have it, you could use this:Z_... )Type of role = Single Contry = NO (If you got several countries)Module = ERP (If you got several systems)Function = PrinterAuthorization = 00 = read, 01, write …

1) Enter the name of the single role and press new single role:

2) Add a good description. Long text is optional.



Note: If you want to add a transaction, then press Menu and add it. According to the transaction, the necessary authorization objects are listed automatically in the Authorizations tab. This example we just want to add authorizations, so we go right on this.

3) Press the icon right to Profile Name, change the T to a Z and press Change Authorization Data

Now you get to the screen where you add the authorizations.


4) Select the Do not select templates

According to the note we follow, there are two authorizations object; S_SPO_DEV and S_RFC.

5) Press Manually and the authorizations object.


After adding the authorization, you can now edit them by changing the properties.


6) First, turn on Technical Names from the Utilities in the menu.

If you don’t know what to add, you can doubleclick on the technical name (S_RFC or S_SPO_DEV) to read more about them.But it says in the note what the values should be, so we start adding it.


7) Doubleclick in the white fields and add the values.

When it is all done and green, save the role and press the Generate Profile button.

Now the authorization should be ready, and you could add it to the end-users.You may want to add the single role to a composite role. A composite role can contain several single roles. Printing authorizations is a common authorization you want to add maybe to all the end users, but it might be several authorizations an end users should have. I create a new composite role called ZC_NO_ERP.COMMON.00 and add the previous single role.



8) Go back to the transaction PFCG and create a Composite Role




9) Add a description



You can now create several single roles and add it to this Composite Role.



10) Goto Roles and add the Single Role you created earlier.



Save the role and add the composite role to the end-users.

I hope this example / exercise was helpful, if not please give me comments and feedback of how I can improve.

Orginally posted by

Kristoffer Engh
Company: SAP Norway
Company URL:
http://www.sap.com
Relation to SAP: SAP Employee
Member in: SAP Developer Network
























3 comments:

Anonymous said...

I really like your blog and i really appreciate the excellent quality content you are posting here for free for your online readers. thanks peace claudia.

Anonymous said...

Thank you amazing blog, do you have twitter, facebook or something similar where i can follow your blog

Sandro Heckler

Anonymous said...

Thanks for the comment..Please check "Join this site" for following the posts in future.