05. Role maintenance

We can do following activity in role maintenance:

1.    Changing and Assigning Roles

2.    Creating Roles

3.    Creating Composite Roles

4.    Transporting and Distributing Roles

01.  Changing and Assigning Role

1.    Choose the push button Create role or the transaction PFCG in the initial transaction SAP Easy Access.

2.    Enter the name of the delivered standard role in the Role field.

3.    Copy the standard role by choosing Copy role and enter a name from the customer namespace. Do not change the delivered standard roles (SAP_), but rather only the copies of these roles (Z_). Otherwise, the standard roles that you have modified will be overwritten by newly delivered standard roles during a later upgrade or release change.

4.    Choose Change (the new name is in the Role field).

5.    You can change the user menu on the Menu tab page. You can reduce, extend or restructure it.

6.    On the Authorizations tab choose Change authorization data.

7.    Maintain the authorization field values as required. To adjust the authorizations for the menu changes, choose the Profile generation expert mode pushbutton on the Authorizations tab and then Read old version and adjust to new data.

8.    Generate the profile for the role.

9.    Assign users on the User tab page and compare users if necessary. The users must already exist in the system before you can assign them.

02. Creating Roles

1.    To start role maintenance, either choose Create Role in the SAP Easy Access transaction die or    Tools? Administration? User Maintenance? Role Administration? Roles (transaction PFCG).

2.    Enter the name of the role. Roles delivered by SAP start with the prefix "SAP_". For your own     user roles, instead of using the SAP namespace, use the customer namespace. This means that the prefix is "Y_" or "Z_". You cannot tell from the names of the delivered roles whether they are single or composite roles. You should therefore create a naming convention for your roles so that you can differentiate between single and composite roles. Choose Create.

3.    You can assign transactions, reports, and Web addresses to the role on the Menu tab page

4.    To generate the profile for the role, choose Change Authorization Data on the Authorizations tab page.

An input window may appear, depending on which activities you selected You are prompted to enter the organizational levels. Organizational levels are authorization fields which occur in a lot of authorizations (an organizational level is, for example, a company code). If you enter a particular value in the dialog box, die authorization fields of the role are maintained automatically. The authorizations which are proposed automatically for the selected activities of the role are displayed in the following screen. Some authorization have default values.

Wherever traffic lights appear in the tree display, you must adjust the authorization values manually. You can maintain the authorization values by expanding the object classes and clicking on the white fields to the right of the authorization field name.

When you have maintained the values, the authorizations count as manually modified and are not overwritten when you copy more activities into the role and edit the authorizations again. You can assign the complete authorization * for the hierarchy level for all non-maintained fields by clicking on the traffic lights.

Wherever there are red traffic lights, there are organizational levels with no values. You can enter and change organizational levels with Org. levels.

If you want other functions in the tree display, such as copying or collecting authorizations, you can show them with Utilities ? Settings.

a. Generate an authorization profile for the authorizations. To do this, Choose Generate. You are prompted for an authorization profile name. A valid name in the customer namespace is proposed.

b. Leave the tree display after the profile generation.

If you change the menu and then call the tree display for the authorizations again, the authorizations of the new activities are mixed with those for the existing authorizations. There may then be a few yellow traffic lights, because there are authorizations in the tree that are incompletely defined. You must either manually assign values to these, or if you do not want to do this, delete them. To delete an authorization, deactivate it first and then delete it.

6. You can also assign users to the role immediately.

7. Save your entries.

03. Creating Composite Roles

1. Enter a name in the Role field in the role maintenance (transaction PFCG).The SAP System does not distinguish between the names of simple and composite roles. You should adopt your own naming convention to distinguish between simple and composite roles.

2. Choose Create collective role.

3. You can define the composite role in the following screen.

4. Save your entries.

5. Enter the roles in the composite role in the Roles tab page. You can display all the simple roles in the system with the possible entries help.

You cannot include composite roles in a composite role.

6. You can restructure the role menus which you read in with Read menu, in the Menutab.

This does not affect the menus of the roles.

Note also the information about menus of composite roles provided if you choose Information on the Menu tab page.

7. Either enter the names of the users individually in the Users tab (manually or from the possible entries help) or choose Selection. You can define selection criteria (such as all users in a user group)

If you select a username and choose Display, detailed user information is displayed.

Choose Compare users. The user data is updated after the comparison.

Note that users which are assigned to a composite role are displayed on a gray background in its roles (not changeable). The user assignment should only be changed in the composite role.You can display an overview of Roles in composite roles with the View pushbutton in the role maintenance initial screen.

04. Transporting and Distributing Roles

1. To start role maintenance, choose Tools >Administration >User Maintenance > Role Administration > Roles (transaction PFCG).

2. Enter the role to be transported and choose Transport Role.

The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for rolesusing Customizing switches

You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.

3. In the next dialog box, specify whether the user assignment and the personalization data should also be transported. If the user assignments are also transported, they will replace the entire user assignment of roles in the target system. To lock a system so that user assignments of roles cannot be imported, enter it in the Customizing table PRGN_CUST using transaction SM30. Add the line USER_REL_IMPORT and the value NO.

4. Enter a transport request.

The role is entered in a Customizing request. Use Transaction SE10 to display this.

The authorization profiles are transported along with the roles. Unless the profile parameter transport/systemtype is set in this SAP system to value SAP. In this case, only the profiles whose roles are assigned to customer-relevant delivery classes are transported.

5. Perform a user master comparison in the target system.