PFCG – Authorization maintenance

This post demonstrates how you can use the transaction PFCG to create and maintain access within SAP by creating Roles and Composite Roles. The main idea here is to create a role and make it part of a composite role to facilitate user and access administration. Further information and best practices on the subject can be found here.

Single Roles:

To create a single role, go to PFCG, type the name of the role you want to create and click the “Create Role” button.


You will then be redirected to the screen below where you can insert a description for the role and then start the authorization assignment. In this first tab, just fill in the description.


In the menu tab, you can create a folder and assign transactions that will be used by this role. In this example I have created the folder “Display Vendor Information” and assigned the transaction XK03.


The next tab is Authorizations. There you will notice that the profile name and text are blank. Leave them that way, because once we are done a new profile will be generated for this role. Simply click on “Change Authorization Data”.


You might be prompted to enter details on which groups of people, organizations and companies this role should be allowed to check vendor information for. This is where you will need the help of a key user.


Now you can restrict access at the lowest possible level, the authorization objects. In the example below, we prevent users who have this role assigned in their profile from viewing financial and sales data for vendors; they can view only purchasing data (i.e. address). Notice that they cannot modify data, because the activity assigned is Display.


Once you are done, click on the fourth icon, marked in red in the picture below, and generate the profile. Click save and then back.


Composite Roles:

This is very similar to single roles: just go to PFCG, type in the desired name and hit “Create Comp. Role”.


Type in a description for your composite role and then assign the roles that users will have access to. In this example, interns from the purchasing department will have access to view material and general information about vendors.


Press the button “Read menu” to check what the end user menu will look like.


Enter the end user login and click on User comparison. This will assign the necessary composite role to the end user and subsequently all the underlying single roles.
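As an added example (not part of the original post), a display-only design like this one can be checked after the fact by auditing the role data. The Python code below expands a composite role into its single roles and flags any activity other than 03 (Display) or any vendor application area other than M (purchasing). The role names and rows are constructed sample data, laid out like exports of the tables AGR_AGRS and AGR_1251.

```python
import csv
import io

# Constructed sample data (role names and values are hypothetical), laid out
# like exports of AGR_AGRS (composite role -> single roles) and AGR_1251
# (authorization field values per single role).
AGR_AGRS = """AGR_NAME,CHILD_AGR
ZC_PURCH_INTERN,ZS_VENDOR_DISPLAY
ZC_PURCH_INTERN,ZS_MATERIAL_DISPLAY
"""
AGR_1251 = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
ZS_VENDOR_DISPLAY,F_LFA1_APP,ACTVT,03,
ZS_VENDOR_DISPLAY,F_LFA1_APP,APPKZ,M,
ZS_VENDOR_DISPLAY,M_LFM1_EKO,ACTVT,03,
ZS_VENDOR_DISPLAY,M_LFM1_EKO,EKORG,1000,
ZS_MATERIAL_DISPLAY,M_MATE_WRK,ACTVT,01,03
ZS_MATERIAL_DISPLAY,M_MATE_WRK,WERKS,*,
"""

# Assumed policy for this example: only Display (03), only purchasing data (M).
POLICY = {"ACTVT": {"03"}, "APPKZ": {"M"}}

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def single_roles(role, agr_agrs):
    """Expand a composite role to its single roles (a single role maps to itself)."""
    children = [r["CHILD_AGR"] for r in agr_agrs if r["AGR_NAME"] == role]
    return children or [role]

def audit(role, agr_agrs_text=AGR_AGRS, agr_1251_text=AGR_1251):
    """Return (single_role, object, field, value) for every value outside POLICY."""
    roles = set(single_roles(role, rows(agr_agrs_text)))
    findings = []
    for r in rows(agr_1251_text):
        allowed = POLICY.get(r["FIELD"])
        if r["AGR_NAME"] not in roles or allowed is None:
            continue
        # A filled HIGH means a range (LOW..HIGH); "*" means full authorization.
        value = f'{r["LOW"]}-{r["HIGH"]}' if r["HIGH"] else r["LOW"]
        if r["HIGH"] or r["LOW"] not in allowed:
            findings.append((r["AGR_NAME"], r["OBJECT"], r["FIELD"], value))
    return findings

if __name__ == "__main__":
    for finding in audit("ZC_PURCH_INTERN"):
        print("outside display-only policy:", *finding)
```

In the sample data the vendor role passes, while the material role is flagged because its activity range 01 to 03 also covers create and change.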


Finally, this is what the end user menu will look like:



About Bruno Carvalho

Coffee addicted tech guy.
This entry was posted in SAP Basis.
