Short Description of the Procedure for Creating Roles

These instructions describe the procedure for creating simple roles.

Step 1

Enter a name for the role and choose Create Role.

You should note that the roles supplied by SAP begin with the prefix "SAP_". If you are creating

your own user roles, do not use the SAP namespace.

Step 2

On the next screen, describe the functions that the role is to include.

Step 3

Assign transactions to the role on the Menu tab page:

- By specifying the transactions directly

- By assigning menu branches from the SAP menu

The menu options selected in this step are displayed in the Session Manager and on the "SAP
Easy

Access" logon screen as the User menu for all users who are assigned to the role.

Step 4

On the Authorizations tab page, choose Change authorizationdata.

Depending on the transactions you have chosen, the system may display a dialog box that asks you

to maintain the organizational levels. These are authorization fields that occur in several

authorizations at the same time and that can be maintained together, An example is the company

code, which occurs in several authorization objects. When you assign values to the organizational

levels, you maintain the authorization fields for all authorizations in the tree display that is displayed

at the same time.

The system displays a tree display for all authorizations that are proposed by SAP for the chosen
transactions. The authorizations already have some values.

- Yellow traffic light icons in the tree display indicate that you need to manually postprocess

authorization values. You enter these values by clicking a white line next to the name of the

authorization field. Once you have maintained the values, the authorizations are regarded as

having been manually modified. They are not overwritten if you include additional transactions

and reprocess the authorizations. By clicking the traffic light icon, you can assign full

authorization for the hierarchy level for all unmaintained fields.

- Red traffic light icons indicate that there are organizational levels that do not yet have values.

You can enter or change these values by choosing Org. levels....

- If you want additional functions in the tree display, such as to copy or summarize

authorizations, choose Utilities -> Settings and select the appropriate option.

- Generate an authorization profile for the authorizations by choosing Generate.

- Enter a name for the authorization profile in the next dialog box, or use the valid name in the

customer namespace that is proposed.

- Exit the tree display once the profile is generated.

- If you change the menu selection and call up the menu display for the authorizations again, the

system tries to mix the authorizations for the newly added transactions with the existing

authorizations. This may mean that the traffic light icons turn yellow, as new incomplete

authorizations appear in the tree display. You need to either manually assign values to these, or

delete them.

- You can delete an authorization by first deactivating it and then deleting it.

- General authorizations such as spool display and print are not usually stored with transactions.

For this purpose, you can add authorization templates to the existing data. To do this, choose

Edit -> Insert authorizations -> From template... and choose one of the templates (for

example, SAP_USER_B Basis authorization for application users or SAP_PRINT Print

authorization). Alternatively, you can create a separate role for these general authorizations

whereby the overview is much clearer.

ep 5

On the Users tab, assign the users to the role.

- The system displays the menu options for the role in the Session Manager as the user menu for

the users assigned.

- Otherwise, the generated authorization profiles are automatically entered in the user master

records when you perform the User master record comparison . To do this, choose

Compare users on the Users tab page and choose Full comparison.

- If you do not restrict the period of the assignments and use the default period (current date to

12.31.9999), no further action is necessary. If you make any other time restrictions, you need

to schedule report PFCG_TIME_DEPENDENCY to run daily. This report automatically

updates the user master records. You must also schedule this report if you are using

Organization Management.

Caution

Never enter the generated authorization profiles directly in the user master records, as is the case

with authorization profiles that are created manually. You can only link generated profiles and users

by assigning the corresponding role to the users, and then performing a user master record

comparison. During the comparison of the user master records, the profiles for the role are entered

for all users of the role.

Step 6

To transport the role to another system, you must enter the role in a transport request.

- To do this choose Role -> Transport. You can now specify whether or not the user

assignment should also be transported.

- The authorization profiles are transported unless you have explicitly specified that you do not

want to transport the profiles.

- After the import into the target system, you have to perform a complete user master

comparison again for hte imported roles. You can start this comparison manually or use report

PFCG_TIME_DEPENDENCY to execute it automatically, if the report is scheduled to run

periodically in the target system.

See also:

For information, choose Help -> Application Help.