
Roles & Authorizations

Access to an SAP system is assigned to users through roles maintained in their user
master. In this article, we explore how access to the SAP system is extended to users
through roles. We also talk about the related concepts of authorization objects and
authorizations.

The transaction to create/maintain roles is PFCG. Let's create a role in PFCG and try to
understand the various options available to us there. We name the new role
ZTEST_HR_ACCESS and click the Single Role button. (Note that you can follow any
naming convention for your roles as long as they do not begin with SAP or /.)

Role Maintenance (PFCG) initial screen

Inside PFCG there are a number of tabs which need to be filled with data as part
of the role creation process. We start by maintaining the role name and description. There
is also the option of specifying a parent role, as shown in the diagram below. A child role
inherits all T-codes and authorizations from its parent except the organizational levels
(we will discuss org levels in a later article). The Long text field can be used as an
audit log to record the background to creating the new role.
PFCG Role Description

In the Menu tab, we maintain the T-codes that the role will have access to. In addition
to T-codes, we can also add reports, queries and URLs. There are many options for building
the menu of a role: you can copy from an existing area menu defined in SAP, copy from
another role or import from a text file.
PFCG Menu

Once we have maintained the menu for the role, we go into the Authorizations tab. We
have the option of generating a profile name or following our own naming convention. I
would suggest following a naming convention of our own (even though I have used the
generated profile name in the example), as the profile name can help in subsequent
reporting on authorizations. We save the new profile and click either of the two
highlighted buttons, Change Authorization Data or Expert mode for profile generation, to
get into authorization data maintenance.
PFCG Authorization Tab

The next screen is for maintenance of authorization data. The different color codes
identify distinct security-specific objects and concepts. Let's discuss these below.

- Blue line - Role: in our case it's the new role we have just created,
ZTEST_HR_ACCESS.
- Pink line - Authorization class: these group authorization objects which
protect similar application components.
- Green line - Authorization object: though called an object, an authorization
object is more akin to an OOP class. It's a template or structure with a number of
fields, each of which needs to be filled with appropriate data to allow access.
- Yellow line - Authorization: this is a unique instance of an authorization
object with values specified for its different fields. Carrying the OOP analogy
forward, an authorization is actually similar to an object.
- Off-white line - Authorization field: these are the unique fields within each
authorization object. Different authorization objects will have different sets of
authorization fields.

To understand how security works at the application level, we take the example of
the S_TCODE object. To start a transaction, a user needs this authorization
object in his user buffer with the transaction maintained as a field value. In
the example below, a user with the new role would be able to start transactions PA30,
PA40 and SU53. However, starting a transaction is only the first level of check; any
number of different authorization objects can be checked at each step of the transaction.
These checks are for the presence of individual authorizations in the user buffer.

During role maintenance, we maintain all the open field values (marked by yellow
triangles) so that all authorizations become green. Once finished, we generate the role
by clicking the button with the circle of red and white quadrants. This final step is
the most important step in the entire process, as it creates one or
more authorization profiles for the role. It is actually the authorization profiles
present in the user buffer that give access to SAP applications; the role just
makes maintenance of the authorization profiles easier. Even now it is technically
feasible to modify authorization profiles directly, but this is strongly discouraged by SAP.
Once generated, the role can be assigned through PFCG itself or through SU01.
PFCG Role Authorization Data
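To make the class/instance analogy and the user-buffer check concrete, here is an added Python model; it is not SAP code and not part of the original article. The object names S_TCODE and S_USER_GRP and their fields TCD, CLASS and ACTVT are the real SAP names; the profile contents, the group values and the activity codes used in the sample data are constructed, and the matching rules are a simplified model of what an ABAP AUTHORITY-CHECK does: every field value requested must be covered by one and the same authorization in the buffer, and values from different authorizations are never combined.

```python
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class AuthorizationObject:
    """The 'class' of the OOP analogy: a named template that lists the
    fields every authorization created from it has to fill."""
    name: str
    fields: tuple[str, ...]


@dataclass
class Authorization:
    """The 'instance': one object with the allowed values per field.
    Values may use the SAP wildcard '*' (full authorization) or a
    prefix pattern such as 'PA*'."""
    obj: AuthorizationObject
    values: dict[str, frozenset[str]]

    def covers(self, wanted: dict[str, str]) -> bool:
        """True only if THIS authorization matches every requested field."""
        for fld, val in wanted.items():
            if fld not in self.obj.fields:
                raise ValueError(f"{self.obj.name} has no field {fld}")
            patterns = self.values.get(fld, frozenset())
            if not any(fnmatchcase(val, pat) for pat in patterns):
                return False
        return True


# Real SAP object and field names; the values assigned further down are constructed.
S_TCODE = AuthorizationObject("S_TCODE", ("TCD",))
S_USER_GRP = AuthorizationObject("S_USER_GRP", ("CLASS", "ACTVT"))


def auth(obj: AuthorizationObject, **field_values: set[str]) -> Authorization:
    """Build one authorization (one 'instance') from keyword field values."""
    return Authorization(obj, {k: frozenset(v) for k, v in field_values.items()})


# Constructed sample: the generated profile of the article's role ZTEST_HR_ACCESS
# lets the user start PA30/PA40/SU53 and display (ACTVT 03) users of group HR.
PROFILE_ZTEST_HR_ACCESS = (
    auth(S_TCODE, TCD={"PA30", "PA40", "SU53"}),
    auth(S_USER_GRP, CLASS={"HR"}, ACTVT={"03"}),
)
# Constructed sample: a second profile that may lock (ACTVT 05) users, but only in group SUPER.
PROFILE_SUPER_LOCK = (auth(S_USER_GRP, CLASS={"SUPER"}, ACTVT={"05"}),)


def user_buffer(*profiles: tuple[Authorization, ...]) -> tuple[Authorization, ...]:
    """The user buffer is the union of the authorizations of all profiles in the
    user master; roles themselves never reach the buffer, only their profiles."""
    return tuple(a for profile in profiles for a in profile)


def authority_check(buffer, obj_name: str, **wanted: str) -> bool:
    """Model of AUTHORITY-CHECK OBJECT obj ID f1 FIELD v1 ID f2 FIELD v2 ...:
    passes only if a single authorization covers all requested field values."""
    return any(a.obj.name == obj_name and a.covers(wanted) for a in buffer)


def can_start_transaction(buffer, tcode: str) -> bool:
    """The kernel-level S_TCODE check made before any transaction starts."""
    return authority_check(buffer, "S_TCODE", TCD=tcode)


if __name__ == "__main__":
    buf = user_buffer(PROFILE_ZTEST_HR_ACCESS, PROFILE_SUPER_LOCK)
    for tcode in ("PA30", "SU53", "SU01"):
        print(tcode, "start allowed:", can_start_transaction(buf, tcode))
    # HR/03 and SUPER/05 both exist, but no single authorization holds CLASS=HR
    # together with ACTVT=05, so locking an HR user is refused.
    print("lock HR user:", authority_check(buf, "S_USER_GRP", CLASS="HR", ACTVT="05"))
```

The last check is the point worth remembering when reading a SU53 failure: the user may well hold the activity and the group in separate authorizations, but a check is only satisfied by an authorization that carries all the requested values at once.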

In the next article, we discuss the link between transactions and authorization objects.
This will in turn help us to understand how the authorization objects are pulled into the
role during maintenance.

Difference between Change authorization data and Expert mode for profile
generation in Change Roles

During general maintenance of roles, the option Change authorization data is
sufficient. This covers addition/removal of T-codes and updating of authorization values in
roles.
The expert mode is meant to re-read the SU24 entries for the T-codes that make up a role
and pull these into the role. Thus, you are most likely to use expert mode when the
SU24 entry for a T-code has changed after the T-code was initially added to the role.

PFCG - ROLE MAINTENANCE


We can use the role maintenance to manage roles and authorization data. The tool for role
maintenance, the Profile Generator automatically creates authorization data based on selected
menu functions. These are then presented for fine-tuning.
We recommend that you use the role maintenance functions and the profile generator (transaction
PFCG) to maintain your roles, authorizations, and profiles. Although you can continue to create
profiles manually, you need detailed knowledge of all SAP authorization components.
The role maintenance functions support you in performing your task by automating various
processes and allowing you more flexibility in your authorization plan. You can also use the central
user administration functions to centrally maintain the roles delivered by SAP or your own, new roles,
and to assign the roles to any number of users.
The roles (previously: activity groups), which are based on the organizational plan of your company,
form the structure for the Profile Generator. These roles are the connection between the user and
the corresponding authorizations. The actual authorizations and profiles are stored in the SAP
system as objects.
With the roles, you assign to your users the user menu that is displayed after they log on to the SAP
System. Roles also contain the authorizations with which users can access the transactions, reports,
Web-based applications, and so on that are contained in the menu.
Features
In the role maintenance you can:
- Change and assign roles
- Create roles
- Create composite roles
- Transport and distribute roles
1) Changing and Assigning Roles

1. Choose the pushbutton Create role in the initial transaction SAP Easy Access, or call
transaction PFCG.
2. Enter the name of the delivered standard role in the Role field.
3. Copy the standard role by choosing Copy role and enter a name from the customer namespace.
Do not change the delivered standard roles (SAP_), but rather only the copies of these
roles (Z_). Otherwise, the standard roles that you have modified will be overwritten by newly
delivered standard roles during a later upgrade or release change.
4. Choose Change (the new name is in the Role field).
5. You can change the user menu on the Menu tab page. You can reduce, extend or restructure it.
6. On the Authorizations tab choose Change authorization data.
7. Maintain the authorization field values as required. To adjust the authorizations for the menu
changes, choose the Profile generation expert mode pushbutton on the Authorizations tab and
then Read old version and adjust to new data.
8. Generate the profile for the role.
9. Assign users on the User tab page and compare users if necessary. The users must already
exist in the system before you can assign them.
2) Creating Roles
1. To start role maintenance, either choose Create Role in the SAP Easy Access transaction
or Tools → Administration → User Maintenance → Role Administration → Roles (transaction PFCG).
2. Enter the name of the role. Roles delivered by SAP start with the prefix "SAP_". For your own
user roles, instead of using the SAP namespace, use the customer namespace. This means that the
prefix is "Y_" or "Z_". You cannot tell from the names of the delivered roles whether they are single
or composite roles. You should therefore create a naming convention for your roles so that you can
differentiate between single and composite roles.
3. Choose Create.

4. You can assign transactions, reports, and Web addresses to the role on the Menu tab page.
5. To generate the profile for the role, choose Change Authorization Data on the Authorizations tab
page.
An input window may appear, depending on which activities you selected. You are prompted to enter
the organizational levels. Organizational levels are authorization fields which occur in a lot of
authorizations (an organizational level is, for example, a company code). If you enter a particular
value in the dialog box, the authorization fields of the role are maintained automatically. The
authorizations which are proposed automatically for the selected activities of the role are displayed in
the following screen. Some authorizations have default values.
Wherever traffic lights appear in the tree display, you must adjust the authorization values manually.
You can maintain the authorization values by expanding the object classes and clicking on the white
fields to the right of the authorization field name.
When you have maintained the values, the authorizations count as manually modified and are not
overwritten when you copy more activities into the role and edit the authorizations again. You can
assign the complete authorization for the hierarchy level for all non-maintained fields by clicking
on the traffic lights.
Wherever there are red traffic lights, there are organizational levels with no values. You can enter
and change organizational levels with Org. levels.
If you want other functions in the tree display, such as copying or collecting authorizations, you can
show them with Utilities → Settings.
a. Generate an authorization profile for the authorizations. To do this, choose Generate. You are
prompted for an authorization profile name. A valid name in the customer namespace is proposed.
b. Leave the tree display after the profile generation.
If you change the menu and then call the tree display for the authorizations again, the authorizations
of the new activities are mixed with those for the existing authorizations. There may then be a few
yellow traffic lights, because there are authorizations in the tree that are incompletely defined. You
must either manually assign values to these, or if you do not want to do this, delete them. To delete
an authorization, deactivate it first and then delete it.
6. You can also assign users to the role immediately.
7. Save your entries.

3) Creating Composite Roles


1. Enter a name in the Role field in the role maintenance (transaction PFCG). The SAP System
does not distinguish between the names of simple and composite roles. You should adopt your own
naming convention to distinguish between simple and composite roles.
2. Choose Create collective role.
3. You can define the composite role in the following screen.
4. Save your entries.
5. Enter the roles in the composite role in the Roles tab page. You can display all the simple roles
in the system with the possible entries help.
You cannot include composite roles in a composite role.
6. You can restructure the role menus which you read in with Read menu in the Menu tab.
This does not affect the menus of the roles.
Note also the information about menus of composite roles provided if you choose Information on
the Menu tab page.
7. Either enter the names of the users individually in the Users tab (manually or from the possible
entries help) or choose Selection. You can define selection criteria (such as all users in a user
group).
If you select a username and choose Display, detailed user information is displayed.
Choose Compare users. The user data is updated after the comparison.
Note that users which are assigned to a composite role are displayed on a gray background in its
roles (not changeable). The user assignment should only be changed in the composite
role. You can display an overview of Roles in composite roles with the View pushbutton in the role
maintenance initial screen.
4) Transporting and Distributing Roles
1. To start role maintenance, choose Tools → Administration → User Maintenance → Role
Administration → Roles (transaction PFCG).
2. Enter the role to be transported and choose Transport Role.
The Mass Transport of Roles screen appears. You can control the default settings for the
options Also transport single roles for composite roles and Also transport generated profiles for
roles using Customizing switches (see Role Maintenance Functions in the section Functions of the
Utilities Menu).
You should not change the authorizations profiles of the role after you have included the role in a
transport request. If you need to change the profiles or generate them for the first time, transport
the entire role again afterwards.
3. In the following dialog box, specify whether the user assignment and the personalization data
should also be transported. If the user assignments are also transported, they will replace the entire
user assignment of roles in the target system. To lock a system so that user assignments of roles
cannot be imported, enter it in the Customizing table PRGN_CUST using transaction SM30. Add the
line USER_REL_IMPORT with the value NO.
4. Enter a transport request.

The role is entered in a Customizing request. Use Transaction SE10 to display this.
The authorization profiles are transported along with the roles, unless the profile parameter
transport/systemtype is set to the value SAP in this SAP system. In that case, only the profiles
whose roles are assigned to customer-relevant delivery classes are transported.

5. Perform a user master comparison in the target system.


Process Flow
You process the upper level shown in the graphic with the role maintenance functions and the Profile
Generator. You define the roles for the various job descriptions with the permitted activities. The
Profile Generator determines the authorizations for users for a particular role based on this
information. The basic process is as follows:
1. Assign the job descriptions to transactions.
Define job descriptions for each application area in your company (for example, in a job description
matrix). Determine for each description the menu paths and transactions that the users with this job
require. Determine both the required access authorizations (display, change) and any restrictions.
2. Maintain activity groups or roles with the role maintenance and the Profile Generator
(transaction PFCG).
Use the role maintenance functions to create the roles or activity groups that correspond to the
individual job descriptions. For each role or activity group, choose the tasks (reports and
transactions) that belong to the job.
3. Generate and maintain authorization profiles.
In this step, the profile generator automatically generates the authorization profile for the activity
group or role. To accept or change the proposed profile, you must work through the tree structure of
the profile and confirm the individual authorizations that you want to assign to the activity group or
role.
4. Assign users.
In this step, you assign the users that belong to the relevant roles or activity groups.
5. Update the user master records.
The user assignment and the generated profile must be updated in the user master records. There
are a number of ways in which you can do this (depending on your release status):
- In all releases, you can schedule a background job that regularly updates the user master
records.
- As of SAP R/3 4.5, you can either use the user comparison function or have the user master
records automatically updated when saving the activity groups or roles. (Choose Utilities
→ Settings, and activate the option Automatic comparison at save.)
Even if you use the User Comparison function or the option Automatic Comparison at Save, we
recommend that you schedule a background job and ensure that all user master records are
regularly automatically updated.

PFCG - ROLE MAINTENANCE


To manage roles and authorization data, we can use the role maintenance. The Profile
Generator is the tool for role maintenance; it creates authorization data automatically based on
selected menu functions, which are then presented for fine-tuning.
To maintain roles, authorizations, and profiles it is recommended to use the role maintenance
functions and the profile generator (transaction PFCG). One can still create profiles manually, but
this requires detailed knowledge of all SAP authorization components. The role maintenance
functions support you by automating various processes and allow you more flexibility in your
authorization plan. The central user administration functions can be used to maintain the roles
delivered by SAP, or your own new roles, centrally and to assign the roles to any number of
users.
The structure for the Profile Generator is formed by the roles (previously: activity groups), which are
based on the organizational plan of your company. These roles act as the connection between the
user and the corresponding authorizations. The actual authorizations and profiles are stored in the
SAP system as objects.
After logging on to the SAP System, the user sees the user menu assigned through the roles. Roles
also contain the authorizations with which users can access the applications contained in the menu,
such as transactions, reports and Web-based applications.
Features:
The role maintenance can help one to:
- Change and assign roles
- Create roles
- Create composite roles
- Transport and distribute roles
Change and Assign Roles
SAP Easy Access - SAP menu
1. Choose the Create role pushbutton in the initial transaction SAP Easy Access, or call
transaction PFCG.
2. Enter the name of the delivered standard role in the Role field.
3. Choose Copy role to copy the standard role and enter a name from the customer
namespace.
Only change the copies of these roles (Z_), not the delivered standard
roles (SAP_). Otherwise, the standard roles that you have modified will be overwritten by newly
delivered standard roles during a later upgrade or release change.
4. Choose Change (the new name is now in the Role field).
5. On the Menu tab page, the user menu can be changed. It can be reduced, extended, and
restructured.
Role Maintenance - Role = ZTESTROLE - Create Role
Creating Roles
1. To start role maintenance, choose Create Role in the SAP Easy Access transaction or
Tools → Administration → User Maintenance → Role Administration → Roles (transaction PFCG).
2. Enter the name of the role. Roles delivered by SAP start with the prefix "SAP_".
For your own roles, use the customer namespace instead of the SAP namespace, i.e. the prefix
"Y_" or "Z_". From the names of the delivered roles one cannot tell whether they are single
or composite roles, so create a naming convention for your roles that distinguishes
single from composite roles.
3. Choose Create.
4. On the Menu tab page, transactions, reports, and Web addresses can be assigned to the role.

Screenshot: Create Role - Role = ZTESTROLE, Description = "this is just a test role" - Save (Ctrl+S)
Screenshot: Change Role: Assign transactions - SU01 (User Maintenance), SM21 (Online System Log
Analysis), PFCG (Role Maintenance) - Add transactions (Shift+F7)
Screenshot: Add additional objects - select the type of object to add (Web address or file);
Transaction Code for Reports - report type ABAP report; Select from the SAP menu / Role menu;
Selection of transactions from the SAP standard menu (Office)
Generate Authorization Profile:
Choose Change authorization data on the Authorizations tab.
Maintain the authorization field values as required. To adjust the authorizations for the menu
changes, choose the Profile generation expert mode pushbutton on the Authorizations tab and then
Read old version and adjust to new data.
Change Authorization Data
To generate the profile for the role, choose Change Authorization Data on the Authorizations tab
page.
Depending on which activities you selected, an input window may appear; enter the organizational
levels when prompted. Organizational levels are authorization fields that occur in a lot of
authorizations (an organizational level is, for example, a company code). If you enter a particular
value in the dialog box, the authorization fields of the role are maintained automatically. The
authorizations proposed automatically for the selected activities of the role are displayed in the
following screen. Some authorizations have default values.
Wherever traffic lights appear in the tree display, you must adjust the authorization values manually.
You can maintain the authorization values by expanding the object classes and clicking on the white
fields to the right of the authorization field name.
Once the values are maintained, the authorizations count as manually modified and are not
overwritten when more activities are copied into the role and the authorizations are edited again. You
can assign the complete authorization for the hierarchy level for all non-maintained fields by clicking
on the traffic lights.

Maintain the Role ORG Level Values


Wherever there are red traffic lights, there are organizational levels with no values. You can enter
and change organizational levels with Org. levels.
With Utilities → Settings you can show other functions in the tree display, such as copying or
collecting authorizations.
A) Generate an authorization profile for the authorizations. To do this, choose Generate. You are
prompted for an authorization profile name; a valid name in the customer namespace is proposed.
B) Leave the tree display after the profile generation.
Screenshot: Change Role: Authorizations for ZTESTROLE - Standard: Cross-application Authorization
Objects > Transaction Code Check at Transaction Start, Transaction Code = PFCG, SM21, SU01;
Standard (status Change): Basis: Administration > User Master Maintenance: Authorization Profile,
Activity = Create or generate, Display change documents; Assign Full Authorization for Subtree sets
the authorization field to '*' (full authorization) for User Master Maintenance: Authorization Profile
If you call the tree display for the authorizations again after changing the menu, the authorizations
of the new activities are mixed with the existing authorizations. There may then be a few yellow
traffic lights, because there are incompletely defined authorizations in the tree. You must either
assign values to these manually or, if you do not want to do this, delete them. To delete an
authorization, deactivate it first and then delete it.
Screenshot: Assign Profile Name for Generated Authorization Profile (the default profile name can be
changed here) - Profile name = T-DV960001, Text = Profile for role ZTESTROLE - Execute (Enter)
6. You can also assign users to the role immediately.
7. Save your entries.
Screenshot: Change Role: Authorizations - Generate (Shift+F5), Status = Saved - User Master
Maintenance: Authorization profile, Activity = Create or generate, Display, Delete, Display change
documents
8. Generate the profile for this role.
Screenshot: Generate Profile - "Open org. levels exist", "There are open authorizations" - Post
maint.; Change Role - Assign user; Created by User = SAP*, Date = 25.05.2008, Time = 18:10:42
Screenshot: Information about Authorization Profile - Profile Name = T-DV960001, Profile Text =
Profile for role ZTESTROLE, Status = Authorization profile is generated; Maintain Authorization Data
and Generate Profiles - Change Authorization Data / Expert mode for profile generation
9. If necessary, assign users on the User tab page and compare them. The users must already exist
in the system before you can assign them.
Screenshot: Change Roles - Compare user master record - Status = User assignment has changed since
the last save - User master comparison; Save the role first (Save now? Yes)
Screenshot: Change Role: Authorizations - Define values for User Master Maintenance: User Groups
(S_USER_GRP), field Activity: full authorization, or 01 Create or generate, 02 Change, 03 Display,
05 Lock, 06 Delete, 08 Display change documents, 24 Archive, 78 Assign
Screenshot: Change Role: Authorizations for ZTESTROLE - Changed: Basis: Administration; Changed:
User Master Maintenance: User Groups, Activity = Display; Changed: User Master Maintenance:
Authorization profile, Activity = Display, Auth. profile in user master maintenance = *
Creating Composite Roles
1. Enter a name in the Role field in the role maintenance (transaction PFCG). The SAP System
does not distinguish between the names of simple and composite roles, so adopt your own naming
convention to distinguish them.
2. Choose Create collective role.
3. Define the composite role in the following screen.
4. Save your entries.
5. Enter the roles of the composite role in the Roles tab page. With the possible entries help you
can display all the simple roles in the system. Composite roles cannot be included in a composite
role.
6. In the Menu tab, the role menus read in with Read menu can be restructured. This does not affect
the menus of the individual roles.
7. Either enter the user names individually in the Users tab (manually or from the possible entries
help) or choose Selection and define selection criteria (such as all users in a user group).
Note: if you choose Information on the Menu tab page, information about menus of composite roles is
also provided.
If you select a username and choose Display, detailed user information is displayed.
Choose Compare users. The user data is updated after the comparison.
Note that users assigned to a composite role are displayed on a gray background in its roles (not
changeable). Change the user assignment only in the composite role. With the View pushbutton in the
role maintenance initial screen an overview of the roles in composite roles can be displayed.
Transporting and Distributing Roles
1. To start role maintenance, choose Tools → Administration → User Maintenance → Role
Administration → Roles (transaction PFCG).
2. Enter the role to be transported and choose Transport Role.
The Mass Transport of Roles screen appears. The default settings for the options Also transport
single roles for composite roles and Also transport generated profiles for roles can be controlled
using Customizing switches (see Role Maintenance Functions in the section Functions of the
Utilities Menu).
Do not change the authorization profiles of the role after it has been included in a transport
request. If the profiles need to be changed, or generated for the first time, transport the entire
role again afterwards.

3. In the following dialog box, specify whether the user assignment and the personalization data
should also be transported. If the user assignments are also transported, they replace the entire
user assignment of roles in the target system. To lock a system so that user assignments of roles
cannot be imported, enter it in the Customizing table PRGN_CUST using transaction SM30: add the
line USER_REL_IMPORT with the value NO.
4. Enter a transport request.
The role is entered in a Customizing request. Use transaction SE10 to display this.
The authorization profiles are transported along with the roles, unless the profile parameter
transport/systemtype is set to the value SAP in this SAP system. In that case, only the profiles
whose roles are assigned to customer-relevant delivery classes are transported.
5. Perform a user master comparison in the target system.
Screenshot: SAP information message "You are not authorized to change passwords in user group";
SAP Easy Access - User menu for user TEST - User Maintenance
Screenshot: Display Authorization Data for User TESTUSER - Profile parameter auth/new_buffering = 4 -
Authorization check failed for authorization object S_USER_GRP (User Master Maintenance: User
Group), Activity = 05, User group in user master maintenance = (empty) - User's Authorization Data
Screenshot: Change Role: Authorizations for ROLE2 - Status = Unchanged - Changed: Basis:
Administration; Standard: Central Functions; Changed: Human Resources - Utilities > Technical names on

Process Flow
The upper level shown in the graphic is processed with the role maintenance functions and the Profile
Generator. You define the roles for the various job descriptions with the permitted activities, and
the Profile Generator determines the authorizations for users of a particular role based on this
information. The basic process is as follows:
1. Assign the job descriptions to transactions.
Define job descriptions for each application area in your company (for example, in a job
description matrix). For each description, determine the menu paths and transactions that users
with this job require, as well as the required access authorizations (display, change) and any
restrictions.

2. Maintain the activity groups or roles with the role maintenance and the Profile
Generator (transaction PFCG).
Use the role maintenance functions to create the roles or activity groups that correspond to the
individual job descriptions. For each role or activity group, choose the tasks (reports and
transactions) that belong to the job.

3. Generate and maintain authorization profiles.
In this step the profile generator automatically generates the authorization profile for the activity
group or role. To accept or change the proposed profile, work through the tree structure of the
profile and confirm the individual authorizations that you want to assign to the activity group or
role.

4. Assign users.
In this step, assign the users that belong to the relevant roles or activity groups.

5. Update the user master records.
The user assignment and the generated profile must be updated in the user master records. There are
a number of ways to do this (depending on your release status):
- In all releases, you can schedule a background job that regularly updates the user master records.
- As of SAP R/3 4.5, you can either use the user comparison function or have the user master
records updated automatically when the activity groups or roles are saved (choose Utilities
→ Settings and activate the option Automatic comparison at save).
Even if you use the User Comparison function or the option Automatic Comparison at Save, it is
recommended to schedule a background job and ensure that all user master records are updated
automatically on a regular basis.

It's quite common in the SAP world that one transaction calls another via different menu
options. At the code level this is often implemented via the ABAP construct CALL
TRANSACTION. We know that to start a transaction from a menu or by typing it in the
command window, an S_TCODE check is performed at the SAP kernel level. However,
whether an S_TCODE check is performed for the CALL TRANSACTION statement can be
controlled by us through the SE97 tcode. It's not often that we need to mess with the
SE97 settings, but it's good to know that the option is available if needed.

The initial screen of the transaction is shown below. We enter the calling transaction that
we want to maintain and click the Execute button.
SE97 Initial Screen

The next screen lists the transactions called by it and shows whether an S_TCODE check is
performed during each call. The data shown on this screen is stored in table TCDCOUPLES.
SE97 List of Called Transactions

SE97 can be thought of as the SU24 of CALL TRANSACTION, since it maintains the check
indicators for S_TCODE for called transactions. As with SU24, you cannot enforce an S_TCODE
check that has no corresponding CALL TRANSACTION statement in the code. To suppress the
S_TCODE check for a call, set the check indicator to No; to activate it, set it to Yes. For a
Yes value, the maintenance flag determines how the system reacts if the user has no
authorization for the called transaction. The SAP documentation (note 358122) describes the
following options:

Maint. flag      Reaction                                    Recommendation

I (Info)         I-message, then continue                    Cannot be used if actions that build on
                                                             the successful CALL TRANSACTION follow

E (Error)        E-message, remain in the transaction        Only possible if an input-ready field
                 with the cursor in an input-ready field     exists, otherwise a short dump occurs

A (Terminate)    A-message, return to the SAP Easy Access    As warning, but a dialog box is displayed
                 menu                                        instead of a message in the status line

W, X, space      E-message, return to the SAP Easy Access    Most secure reaction, therefore the
(Warning)        menu                                        default

To better understand the features of transaction SE97, I suggest reviewing the following two
notes. They are especially important because they describe cases in which the SE97
indicators do not take effect and explain why:
358122 - Function description of transaction SE97
515130 - SE97 does not always work

Another situation where I have used SE97 a lot is with custom transactions. As with SU24, a
custom transaction starts with no entries in table TCDCOUPLES, so any entries for the
transactions it calls have to be created from scratch. To add new entries in SE97 we simply
use the Add New Transaction button and select the appropriate check indicator and
maintenance flag.
SE97 Add New Transaction

Like SU24 changes, SE97 changes are recorded in a transport request and must be moved to
the subsequent systems in the SAP landscape.
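The following report is an added example, not code from the original article. It shows three ways a custom program can call another transaction and which of them depend on the SE97 entry of the calling transaction. The report name ZSEC_CALL_TA_DEMO and the idea that it is started through a custom transaction are assumptions for the illustration; VA03, TCDCOUPLES, the function module AUTHORITY_CHECK_TCODE and the WITH/WITHOUT AUTHORITY-CHECK additions (available from ABAP 7.40 SP02) are standard.

```abap
*&---------------------------------------------------------------------*
*& Report ZSEC_CALL_TA_DEMO  (added example, not part of the article)
*& Assumption: started via a custom transaction, so SY-TCODE is the
*& "calling transaction" that SE97 / TCDCOUPLES is keyed on.
*&---------------------------------------------------------------------*
REPORT zsec_call_ta_demo.

PARAMETERS p_tcode TYPE sy-tcode DEFAULT 'VA03'.
PARAMETERS p_mode  TYPE c LENGTH 1 DEFAULT '1'.   " 1, 2 or 3

START-OF-SELECTION.
  CASE p_mode.
    WHEN '1'.
      " Classic form: the kernel looks up TCDCOUPLES with
      " caller = SY-TCODE and called = p_tcode. Only if the SE97 check
      " indicator is Yes is S_TCODE checked, and the maintenance flag
      " (I/E/A/W) decides the reaction. With No, or no entry at all,
      " the user reaches p_tcode without any S_TCODE check.
      CALL TRANSACTION p_tcode.

    WHEN '2'.
      " Explicit form (ABAP 7.40 SP02 and later): S_TCODE is always
      " checked, regardless of SE97. A failed check raises
      " CX_SY_AUTHORIZATION_ERROR, which we handle instead of dumping.
      TRY.
          CALL TRANSACTION p_tcode WITH AUTHORITY-CHECK.
        CATCH cx_sy_authorization_error INTO DATA(lx_auth).
          DATA(lv_text) = lx_auth->get_text( ).
          MESSAGE lv_text TYPE 'S' DISPLAY LIKE 'E'.
          RETURN.
      ENDTRY.

    WHEN '3'.
      " Release-independent alternative: perform the same check the
      " kernel does at transaction start (S_TCODE plus any additional
      " authorization stored for the transaction) via the standard
      " function module, and only then call the transaction.
      CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
        EXPORTING
          tcode  = p_tcode
        EXCEPTIONS
          ok     = 0
          not_ok = 1
          OTHERS = 2.
      IF sy-subrc <> 0.
        " E-message in START-OF-SELECTION terminates the report.
        MESSAGE |No authorization for transaction { p_tcode }| TYPE 'E'.
      ENDIF.
      " The SE97 entry still applies here on older releases; a second
      " S_TCODE check for an authorized user is harmless.
      CALL TRANSACTION p_tcode.
  ENDCASE.
```

When reviewing custom code, mode 1 is the case to look for: a plain CALL TRANSACTION in a Z program is only as protected as the TCDCOUPLES entry for the calling transaction, and a freshly created custom transaction has none. Modes 2 and 3 make the check explicit in the code, so it no longer depends on SE97 maintenance being transported correctly.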

Parent & Derived Roles

The concept of parent and derived roles was introduced by SAP to simplify role
administration. It is especially helpful when mapping security for large enterprises spread
across multiple geographies or divisions. A child role derived from a parent role has the
same attributes (transactions and authorization object values) as its parent, except for the
values of the Organizational Level fields (plant, company code, sales organization and so
on). Maintenance is thereby simplified, since only the org levels need to be maintained at
the derived role level. This also removes the opportunity to make mistakes during
authorization maintenance across a multitude of derived roles and reduces the testing
effort for roles.

Creating the parent role follows the same process as creating any other single role. In the
example below we create a global role Z_CREATE_SO_GLOBAL which allows the creation of
Sales Orders (transaction VA01) for all company codes and sales organizations.

PFCG - Define Parent Roles

With the parent defined, we create a child role Z_CREATE_SO_US which allows SO creation
for the US companies only. We maintain the parent role name as shown below.
PFCG - Derived Roles - Definition

The menu of a derived role cannot be maintained individually, as all entries are inherited
from the parent.
PFCG - Derived Roles - Menu can not be changed

Now we maintain the org level values relevant for the child role. In the example below we
have used a dummy value of @, but in a production system the correct values for the org
levels must be used. The remaining authorization fields need not be maintained at this
stage. We then save the authorization data of the derived role.
PFCG - Derived Roles - Maintain Org Levels

To populate the rest of the authorization values in the child role, we go into the
authorization maintenance screen of the parent and click the push button (shown as push
from gl in the screenshot). This pushes the non-org-level values from the parent to the
child role and generates the profiles of both.

The most critical success factor for a parent-derived role concept is how well the business
processes mapped by SAP roles are mirrored across the different divisions of an enterprise.
In other words, a parent-derived role concept will not be very beneficial if an enterprise
follows different business processes in its different subsidiaries.

Composite Roles
So far, our discussion of role administration has concentrated on the creation and
maintenance of single roles. A single role, as we have seen, is a collection of T-codes
and/or authorization objects. In addition to these, SAP also allows us to create composite
roles, which contain one or more single roles. In this post, we discuss the technical and
business reasons for working with composite roles.

During role creation, the PFCG initial screen lets us choose whether to create a single or a
composite role. Once created, there is no way to change a single role into a composite role
or vice versa. In the screen below, we look at the definition of the composite role
SAP_AUDITOR, provided by SAP for use of the Audit Information System (AIS). Notice that
the tabs inside PFCG differ from those of a single role: there are no Transaction or
Authorization tabs. Instead there is a Roles tab in addition to the Menu tab. The Roles tab
allows us to specify any number of single roles that make up the composite role, together
with the system each role belongs to. This is important in a landscape with Central User
Administration (CUA), where a composite role defined in the central CUA system can point
to roles defined in the child systems.
PFCG - Composite Role Definition

Even though transactions cannot be added directly to a composite role, a composite role
can have its own menu structure. We display it through the SAP_AUDITOR role provided by
SAP.
PFCG - Composite Role Menu

Depending on the role design or user assignment strategy, composite roles can be used in a
number of ways. Let's look at a few scenarios. This is not an exhaustive list, but it gives
an idea of the common uses for composites:
- Single roles are mapped to tasks performed by users. Since a typical user performs
multiple tasks, the total access for a user is represented through a composite role which
includes the individual task roles.
- Access is divided into transaction roles (which contain transactions but no authorization
object values) and value/controller roles (authorization objects but no transactions).
Complete access is represented through a composite role combining the transaction and
value roles.
- The system landscape consists of a number of separate SAP systems (ECC, BW, SRM, CRM
and so on) and users are administered through a CUA connecting the individual systems. A
user who gets role A in ECC also needs the corresponding role B in BW and role C in CRM.
This can be achieved through a composite role created in the central system which links
the individual roles in the different systems.

Organizational Levels

Organizational Levels (Org Levels), as opposed to plain authorization fields, are another of
the core concepts that we come across while creating roles in PFCG. We can access the
organizational level values defined for a role by clicking the Org Levels button in the main
toolbar of the authorization maintenance screen in PFCG.

In the role below, we see org levels such as Company Code, Purchasing Org, Purchasing
Group, Sales Org, Division and Plant.
PFCG - Org Levels

In the expanded view of the authorization data in PFCG, the org levels defined earlier
appear side by side with the authorization fields. In fact, all org levels are also
authorization fields, but not all authorization fields are org levels. For example, the org
level Plant appears as an authorization field in the objects M_LFPL_ORG and
M_MATE_WRK, while the field Activity (ACTVT) is not an org level. Once we maintain a
value for an org level in a role, every authorization object that uses the same org level as
a field automatically takes that value. It is technically feasible to break an org level, so
that for a particular object its value differs from the defined org level value, but this
defeats the purpose of defining the field as an org level.

Another difference between org levels and normal authorization fields comes to light when
deriving a role from a master role. A normal authorization field is inherited by the child
role with the same value as maintained in the parent, whereas an org level can be
maintained individually in each child role.
PFCG - Org Levels vs Auth Fields

Organizational Levels are in most cases intrinsically linked to the enterprise structure of an
organization and are largely determined during the customizing of the SAP system. The
screenshot from transaction SPRO below shows the options for configuring the different
org levels such as company code, controlling area, purchasing org and sales org. So it is
not really the security administrator who defines the org levels; he can only use the org
levels defined during functional configuration.
SPRO - Enterprise Structure

It is possible to convert an authorization field into an org level for security purposes by
executing the program PFCG_ORGFIELD_CREATE (the counterpart PFCG_ORGFIELD_DELETE
converts it back). Since this program affects every role that contains the field, it should
only be run after a thorough analysis of all impacted roles. Also, certain authorization
fields such as Activity (ACTVT) can never be changed to an org level.

Authority-Check
This post describes the program-level mechanism for checking a particular authorization
object. SAP business applications are written in SAP's proprietary language, ABAP. Every
transaction runs ABAP programs in the back end, and it is this code which is responsible
for enforcing security.

The security check for an authorization object is performed through the standard ABAP
statement AUTHORITY-CHECK. Its form is shown below for checking display access (ACTVT
03) to a table belonging to a particular table authorization group (DIBERCLS SC). Note
that the object name, field names and literal values are character literals in single quotes:

AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
  ID 'ACTVT'    FIELD '03'
  ID 'DIBERCLS' FIELD 'SC'.

Copying a portion of the SAP code which is used to check for table access
Authority-Check for Tables

This statement checks the user buffer of the person executing the program or T-code to see
whether it contains an authorization for S_TABU_DIS with ACTVT 03 and DIBERCLS SC.
Depending on the contents of the user buffer, the statement sets the system field SY-SUBRC
to one of several values; the program must evaluate SY-SUBRC itself, since AUTHORITY-CHECK
alone never stops execution:

0 signifies a successful check, i.e. the user has the required authorization
4 denotes that the user has the authorization object in the buffer, but not with the
required field values
12 denotes that the user has no authorization for the specified object at all
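The report below is an added example, not code from the original article. It puts the statement above to work in a custom program: it looks up the authorization group of a table, performs the S_TABU_DIS check with that group and the requested activity, and reacts to each SY-SUBRC value explicitly, treating everything other than 0 as denied. The report name ZSEC_AUTH_CHECK_DEMO and the default table are assumptions for the illustration; S_TABU_DIS, the ACTVT and DIBERCLS fields and table TDDAT (table name to authorization group) are standard.

```abap
*&---------------------------------------------------------------------*
*& Report ZSEC_AUTH_CHECK_DEMO  (added example, not part of the article)
*& Assumption: table name and activity are entered on the selection
*& screen; the protected operation is only a row count, so the report
*& works for any transparent table that has an authorization group.
*&---------------------------------------------------------------------*
REPORT zsec_auth_check_demo.

PARAMETERS p_table TYPE tabname    DEFAULT 'USR02'.
PARAMETERS p_actvt TYPE activ_auth DEFAULT '03'.   " 03 = display

" Returns the table authorization group (TDDAT-CCLASS) of a table
FORM get_auth_group USING    iv_table TYPE tabname
                    CHANGING cv_group TYPE tddat-cclass.
  CLEAR cv_group.
  SELECT SINGLE cclass FROM tddat INTO cv_group
    WHERE tabname = iv_table.
ENDFORM.

START-OF-SELECTION.
  DATA lv_group TYPE tddat-cclass.
  DATA lv_count TYPE i.

  PERFORM get_auth_group USING p_table CHANGING lv_group.
  IF lv_group IS INITIAL.
    " A table without a group cannot be authorised via S_TABU_DIS;
    " never fall through to "allow" in that case.
    MESSAGE |Table { p_table } has no authorization group (TDDAT)| TYPE 'E'.
  ENDIF.

  " The same statement the article shows, with the values as variables.
  " ACTVT must be the two-character activity code, DIBERCLS the group.
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
    ID 'ACTVT'    FIELD p_actvt
    ID 'DIBERCLS' FIELD lv_group.

  CASE sy-subrc.
    WHEN 0.
      " Authorised: perform the protected operation.
      SELECT COUNT(*) FROM (p_table) INTO lv_count.
      MESSAGE |{ lv_count } rows in { p_table } (group { lv_group })| TYPE 'I'.
    WHEN 4.
      " The user has S_TABU_DIS, but no authorization whose ACTVT and
      " DIBERCLS values cover this request (typical role design gap).
      MESSAGE |S_TABU_DIS: activity { p_actvt } not allowed for group { lv_group }| TYPE 'E'.
    WHEN 12.
      " The user has no authorization for S_TABU_DIS at all.
      MESSAGE 'No authorization for object S_TABU_DIS' TYPE 'E'.
    WHEN OTHERS.
      " 8 = more than ten ID/FIELD pairs; 16 and above = configuration
      " or programming errors (no profile in the buffer, unknown object
      " or field). Treat these as denied, never as open.
      MESSAGE |AUTHORITY-CHECK failed with SY-SUBRC { sy-subrc }| TYPE 'E'.
  ENDCASE.
```

The point of the CASE block is that a return code of 4 and one of 12 call for different fixes by the security administrator: with 4, the object is already in a role assigned to the user and only its field values need attention; with 12, the object is missing from the user's roles entirely. On releases where S_TABU_NAM is active, a table-name based check complements S_TABU_DIS, so a production program would add that check as well.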