SAP User Role Creation

SAP User Creation:

Execute Transaction Code SU01 and fill the entire fields. When creating a new user, we must enter an initial password for that user on the Logon data tab. All other data is optional.

SAP Roles:
The SAP System supports different types of roles. User-specific menus can be displayed for users after they have logged on to the SAP System by using either pre-defined roles or roles you created. The role also contains the authorizations users need to access the transactions, reports, web-based applications and so on, contained in the menu. We can assign a role to an unlimited number of users.

Different Roles in SAP:

Roles are classified into different types. They are: 1. Single Role 2. Composite Role 3. Parent Role and Derived Role Single Role: Single Roles contain authorization data. Say if we have some single role to create an object and also we can edit, create or delete that object based on authorization data defined. Steps to Create a Single Role:Step 1:

Login to the SAP System and Choose the push button Create Role or the Transaction Code PFCG in the initial transaction SAP Easy Access. By using this, we can access/go to the role maintenance.

Step 2: Specify a name for the role. The roles delivered by SAP have the prefix 'ZSAP_'. Do not use the SAP namespace for user roles. SAP does not distinguish between the names of simple and composite roles. You should adopt your own naming convention to distinguish between simple and composite roles. Types the role name ZSAP_TECHNICAL3_BASIS that has to be created and click on push button create Role. Enter a short description for the Role and Save

Step 3:

Click on Menu tab and Select Transactions. Assign Transactions. Once the Transactions are assigned, we can see that the color of Menu tab

has changed from red to green.

Step 4: Save the Menu tab and Click on Authorizations tab. Choose Maintain Authorization Data and Generate Profiles and Select Change Authorization Data [Click on Image].

Now save the Role and generate the authorization by clicking on Generate Profile Window. Assign Profile Name for Generated Authorization Profile. Go back by pressing the key F3. You can see that the colour of Authorization tab has also changed from red to green indicating that the role is Active.

Step 5: Select the User tab and Enter User Id names. Assign Roles to the Users which are available in the SAP System and Click on User Comparison button and Complete Comparison. Save the Role. Once the User is saved, we can see that the color of User tab has changed from red to green.

When all the above steps are complete, a Single Role has been created. To test whether the role is functioning properly or not the role has to be assigned to a user. The role can be assigned directly to a user through transaction code SU01 or the user can be assigned indirectly to the role. Composite Role: Composite Roles consist of Single Role (or) A Composite Role is collection of single roles. Users who are assigned composite roles are automatically assigned the associated single roles during the compare. Composite Roles do not themselves contain authorization data. A composite role is a container which can collect several different roles. We are not allowed to add composite roles to composite roles. Composite roles are also called roles. Composite roles do not contain authorization data. If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role.

Creating Composite Roles makes sense if some of employees need authorizations from several roles. Instead of adding each user separately to each role required, we can set up a composite role and assigned the users to that group. The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during comparison. Steps to Create a Composite Role:Step 1: Login to the SAP System and Choose the push button Create Role or the Transaction Code PFCG in the initial transaction SAP Easy Access. By using this, we can access/go to the role maintenance.

Step 2: Specify a name for the role. The roles delivered by SAP have the prefix 'ZSAP_'. Do not use the SAP namespace for user roles. SAP does not distinguish between the names of simple and composite roles. You should adopt your own naming convention to distinguish between simple and composite roles. Types the role name ZSAP_FUNCT_BASIS that has to be created and click on push button create Comp. Role Enter a short description for the Role and Save

Step 3: Click on the Roles tab and Assign the Single Roles that already exist in SAP System and Save the Role.

Step 4: Select the Menu tab and Click on Read Menu button. It displays list of Role Menu. Once the Role Menu is displayed, Save it and see that the color of Menu tab has changed from red to green.

Step 5: Select the User tab and Enter User Id names. Assign Roles to the Users which are available in the SAP System and Click on User Comparison button and Complete Comparison button. Save the Role. Once the User is saved, we can see that the color of User tab has changed from red to green.

When all the above steps are complete, a Composite Role has been created. To test whether the role is functioning properly or not the role has to be assigned to a user or test user. The role can be assigned directly to a user through transaction code SU01 or the user can be assigned indirectly to the role.

Derived Role: Derived Roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before. The higher-level role passes on its authorizations to the derived role as default values which can be changed afterwards. Organizational level definitions are not passed on. They must be created a new in the inheriting role. User assignments are not passed on either. Derived Roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level. Steps to Create a Derived Role:Step 1: Login to the SAP System and Choose the push button Create Role or the Transaction Code PFCG in the initial transaction SAP Easy Access. By using this, we can access/go to the role maintenance.

Step 2: Specify a name for the role. The roles delivered by SAP have the prefix 'ZSAP_'. Do not use the SAP namespace for user roles.

SAP does not distinguish between the names of simple and composite roles. You should adopt your own naming convention to distinguish between simple and composite roles.

Types the role name ZSAP_TECHNICAL2_BASIS that has to be created and click on push button create Role Enter a short description for the Role and Save

Step 3:

Click on Menu tab and Assign Role Name ZSAP_TECHNICAL_BASIS in the Derive from Role text box. Once the Derive from Role name is assigned, save it and we can see that the color of Menu tab has changed

from red to green. Step 4:

Click on Authorizations tab. Choose Maintain Authorization Data and Generate Profiles and Select Change Authorization Data [Click on Image] and Save it.

Now save the Role and generate the authorization by clicking on Generate Profile Window. Assign Profile Name for Generated Authorization Profile. Go back by pressing the key F3. You can see that the colour of Authorization tab has also changed from red to green indicating that the role is Active.

Step 5: Select the User tab and Enter User Id names. Assign Roles to the Users which are available in the SAP System and Click on User Comparison button and Complete Comparison. Save the Role. Once the User is saved, we can see that the color of User tab has changed from red to green.

When all the above steps are complete, a Composite Role has been created. To test whether the role is functioning properly or not the role has to be assigned to a user or test user. The role can be assigned directly to a user through transaction code SU01 or the user can be assigned indirectly to the role.