You use a role to assign to your users the user menu that is displayed after they log on to the SAP system. Roles also contain the authorizations that users can use to access the transactions, reports, Web-based applications, and so on that are contained in the menu.
Roles should be created with names starting with Y or Z only. Names starting with A to X are used by default for SAP.
Overview of Role
- Authorization / Authorization Objects
- Organization level / Field and field values.
In the menu, one can add SAP transaction codes (standard or custom), reports, Web-based applications, and so on.
Profiles are the objects that actually store the authorization data.
Authorization / Authorization Objects
An authorization is an entry in the user master record as part of an authorization profile. It consists of full or generic values for the authorization fields in an authorization object. The combination determines which activities a user can use to access certain data.
Combinations of authorization fields, which represent data and activities, are used to grant and check authorizations. Authorization objects are grouped together in authorization object classes.
The organization level defines the organizational elements in SAP, for example Company Code, Plant, Planning Plant, Purchase Organization, Sales Organization, Work Centers, etc.
Field and field values
To restrict access, one can control the field values in the respective authorization objects. For example, the authorization object F_BKPF_BUK (Accounting Document: Authorization for Company Codes) contains the relation between the fields BUKRS = Company Code and ACTVT = Activity.
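The following Python sketch is an added example (not SAP code and not part of the original page) that models how authorizations for F_BKPF_BUK are evaluated: every field must match within a single authorization, and the check passes if any one authorization matches. The profile contents and function names are constructed for illustration; 01, 02 and 03 are the standard activity values for Create, Change and Display.

```python
# Simplified model of an SAP authorization check (illustrative, not SAP code).

def value_matches(granted: str, requested: str) -> bool:
    """A full value must be equal; a generic value such as '20*' matches by
    prefix; '*' alone matches everything."""
    if granted.endswith("*"):
        return requested.startswith(granted[:-1])
    return granted == requested


def authorization_allows(auth: dict, requested: dict) -> bool:
    """All requested fields must be covered by ONE authorization (AND)."""
    return all(
        any(value_matches(g, requested[field]) for g in auth.get(field, ()))
        for field in requested
    )


def authority_check(profile: list, obj: str, **requested) -> bool:
    """Pass if any single authorization for the object covers the request (OR).
    Field values are never combined across different authorizations."""
    return any(
        authorization_allows(fields, requested)
        for name, fields in profile
        if name == obj
    )


# Constructed sample data: two authorizations for F_BKPF_BUK in one profile.
PROFILE = [
    # Display only (03) in company code 1000.
    ("F_BKPF_BUK", {"BUKRS": ["1000"], "ACTVT": ["03"]}),
    # Create, change, display in every company code starting with 20.
    ("F_BKPF_BUK", {"BUKRS": ["20*"], "ACTVT": ["01", "02", "03"]}),
]

if __name__ == "__main__":
    cases = [("1000", "03"), ("1000", "01"), ("2010", "01"), ("3000", "03")]
    for bukrs, actvt in cases:
        ok = authority_check(PROFILE, "F_BKPF_BUK", BUKRS=bukrs, ACTVT=actvt)
        print(f"BUKRS={bukrs} ACTVT={actvt}: {'granted' if ok else 'denied'}")
```

Note the second case: ACTVT 01 exists in the profile and so does BUKRS 1000, but not in the same authorization, so creating a document in company code 1000 is denied.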
One should assign the role to a specific user and run a user comparison so that the user can access the particular T-codes and authorizations.
Types of Roles in SAP
- Individual / Common Role.
- Master and Derived Role.
- Composite Role.
Individual / Common Role
A base role with the desired authorizations as per the purpose of the role, with organizational levels such as Company Code, Plant, Sales Organization, Profit Center, and so on.
Master and Derived Role
Master role: contains the transactions, the authorization objects, and all organizational level management.
Derived role: has its own organizational level management, with the transactions and authorization objects copied from the master role.
Composite Role
A composite role is a collection of many derived roles or single roles.
How to create a role in the SAP system?
Execute T-code PFCG
Create a role with a name starting with Y or Z.
Then click on Single Role.
Add the Description and save.
Go to the Menu tab, click on Transaction, and add the T-code.
Enter the T-code and click on Assign Transactions.
Go to the Authorizations tab and click on Propose Profile Names.
Then click on Change Authorization Data.
Click on Yes
Click on Continue.
Click on generate.
Go to the Users tab and add the users.
Click on User Comparison, then click on Yes and Full Comparison.
How to copy a role in the SAP system?
Execute T-code PFCG
Enter the role that you want to copy.
Then click on the Copy Role option, or go to Role and Copy (Shift+F11).
Select a new role name and click on Copy All.
The new role is copied; then click on Change.
Go to the Authorizations tab and click on Edit Authorization Data.
Generate Profile Name
Click on Change
Click on Generate Profile
Click on generate
Once the profile has been generated, go to the User tab, maintain the user ID, and click on User Comparison.
Click on yes
Click on Full Comparison
The role is copied and assigned to the user.