Create Role and Profile for New user Using PFCG

Lets discuss about role and profile..

What is a Role?
A role is assigned to an user, its used to choose a T-code/Menu and its create authorization profile…

Suppose Role A has authorization for t-code MM01, and the role is assigned to use ABC, It means the user is
able to use the t-code MM01.
What is a Profile?
A profile is the element in the authorization system. Its allow an user to access the system.
For authorization check, The system checks on the particular profile which is assigned to user for the proper
authorization.

Create Role
T-code = PFCG

This is initial screen of Role maintenance..

If you have a old role and you want to copy as a new role, then you can choose the option copy as…
Enter the old role in Role field then press copy as…

Give the new name in to Role and press “Copy all”, your new role will be copied. Then you can change the role
as you wish.
If you want to create a new one then just enter the name in Role and then press “Single Role”

1
The initial creation for the particular role will come.
We have to maintain The Menu, Authorization and User (If you want to maintain workflow, then you can
maintain).
Click on the Menu tab.

In this tab we will enter the t-codes which we want to give authorization to an user.
There are many option to insert t-code

Its used to enter a single t-code. Suppose you want to give the authorization for MM01 only,
then you have to click on transaction, and give the t-code MM01.

2
 Its used to enter a whole menu area. Suppose you want to give the authorization for
all Inventory management’s T-codes , then click From SAP Menu and Select the Inventory Management option.

Lets give the authorization of all inventory management option, It means the use can do these all things which is
in under inventory management tab in main menu.

As we can see the Menu tab’s colour is Green. It means we have successfully assign the t-codes to this
particular user.

Save your settings.

Now Go to Authorization tab.

3
Here you have use a profile name for this role.

You can use the profile name as you wish or you can select Propose profile name to click the option
If you click the option, then system will propose you a 10 digit profile name and profile text (You can change the
profile text) , you can continue with system proposed profile name or you can give as yours.

I use System proposed profile name, I have click on the option.

System propose me a profile name.

Save you data.

It will take all standard fields, which will need for the inventory management.

Then you gave generate the profile. Select the last option “Expert Mode for Profile Generation”

4
You have to give the authorization for required data for inventory management.

Suppose you give company code X in this field, Then the user will only can do a entry for company code X. It is
for the all field which is shown in above figure.

After compete the all field, press save/enter.

We can there are no red colour on any field.

Now press in the screen.

You can see a message, press generate. You can see a success message
Now press back and go back to the initial screen. You can see the Authorization tabs also will green coloue.
That means this tab is successfully completed.

5
Now press the User tab

Here just give the user id in the field “user ID”, to whom you want to give the authorization.
You can restrict the role and profile with validity period.

In default it come current date to 31.12.9999.

Now after giving the user name, press and then in the next screen,
press
Save your data, You can see a success message
It means the profile and role is successfully assigned to this particular user.

Now we can see the User option is also in green colour mode. It means we have successfully done this tab.

Now just save you data and press back.

Now we can see in User master record from SU01, the new role and profile is assigned to the user.

Now Log in with new user.

6
When the user trying to enter t-code under inventory management, the user can do the all. But whenever he will
try to enter t-code under purchasing and all (without inventory management), he will get a
message
If any authorization missing in inventory management, then we can also add the activity to the user. Its is clearly
discuss on this document
MM Related Authorization Objects – How to Find out & Assig,
If we want to restrict the storage location and G/L account, then we have to assign the storage location and G/L
in Role and we have to activate “Authorization Check for Storage Locations”

Go to OLMB-Authorization Management-Authorization Check for Storage Locations and Authorization Check for
G/L Accounts.

Tick for the storage location which you want check the authorization for user.

Tick for the company code which you want to check for the authorization.

This way you can restrict authorization for an user.