Sorun Cevaplayalım

İşinizle ilgili öngörüler edinin, gerçek zamanlı bilgilere göre karar alın.

SAP Eğitim ve Sertifika Dönemleri

Uzmanlığınızı ve deneyiminizi SAP çözümleri kullanarak tasdik edin.

Çözüm Ekibi Başvurusu

Kullanıcılara hızlı ve pratik çözümler üreterek görev almak isteyenler.

PFCG (Role Maintenance)

Övünç DİNÇ

Çözüm Ekibi
Kayıtlı Üye
8 Eki 2016
Tepki puanı
Kullandığınız SAP Modülleri
  1. SAP MM
  2. SAP PP
Katılım Bölgesi
  1. İzmir
Transaction code PFCG is a role maintenance administration to manage roles and authorization data. The tool for role maintenance, the Profile Generator automatically creates authorization data based on selected menu functions.

SAP recommend that to use the role maintenance functions and the profile generator (transaction code PFCG) to maintain the roles, authorizations, and profiles. Although we can continue to create profiles manually.These roles are the connection between the user and the corresponding authorizations. The actual authorizations and profiles are stored in the SAP system as objects. With the roles, we can assign to any users which will be the user menu that is displayed after they log on to the SAP System.

Roles contains the authorizations with which users can access the transactions, reports, Web-based applications, and so on that are contained in the menu. In the role maintenance, we can also change and assign roles, creating roles, creating composite roles and transport and distributing roles. In short it simplifies the creation of authorization.

Types of Role :-

  1. Single Role
  2. Composite Role
  3. Derived Role (Child Role)
  4. Master Role (Parent Role)
  5. Copy Role
We can create user role in SAP security by using one of the following navigation method :-

  • SAP Path – SAP Menu -> tools -> administration -> user Maintenance -> Role -> Administration -> Role.
  • Transaction code -> PFCG.
1.Single role Creation
A role is a container that collects the transactions, reports, web links so on along with its authorization and generate the associated profiles.

Step 1 : Enter T-code “PFCG” in SAP command.


Step 2 :- Role Naming Convention

  • Enter new role ID that you want to create ( in this configuration we are going to create Z_SINGLE_ROLE). A naming convention for your roles should be created so that it can be differentiated between single,composite, master and derived roles.By choosing Copy role, the standard role should be copied and a name from the customer namespace should be entered. Only the copies of these roles (Z_/ Y_) should be changed not the delivered standard roles (SAP_) Otherwise during a later upgrade or release change the standard roles that have been modified will be overwritten by newly delivered standard roles.
  • The Change option should be chosen (In the Role field, the new name is there) and save it after required modification
  • Storage Table – AGR_DEFINE

Step 3 :- Description Tab – On create role screen update the following details.

  • Description – Enter the role text so that you can describe the purpose of creating role accordingly.
  • Long Text – update the long text of the role.
  • After updating all required information, click on save button.
  • Storage Table – AGR_TEXTS

Step 4 :- Menu Tab. This section describes the options available to you when creating a role menu

  • Copying Menus –

  1. For single roles, when reading menus from the following sources -> The SAP menu, Roles, Area menus and A file.
  2. For composite roles, when reading menus from single roles

  • Insert Nodes –

  1. Transactions
  2. Reports
  3. Authorization Default Value
  4. Others

  • Additional Activities –

  1. Translate Nodes
  2. Display Documentation
  3. Find in Documentation
  4. Compress menu

  • Other Node Details – Control the Navigation menu of the NWBC
  • Menu Options – Control the menu properties of the NWBC
  • You can restructure the menu using Drag & Drop. If you have not included any menu nodes in the menu, the status display on the Menu tab page is red. Once you have assigned at least one menu node, the status display is green.
  • Click on the transaction option as shown below and add T-codes as required.
  • Storage Table :-
  • AGR_TCDTXT/AGR_TCODES – Assignment of role to tcode.
  • AGR_HIERT – Role menu text
  • AGR_HIER2 – Menu structure information
  • AGR_OBJ – Assignment of menu nodes to role
  • Click on Menu Tab , there are many options which you can add as Transaction/ Reports/ Other, Authorization defaults etc. click on add transaction.

  • Assign transaction according to requirement and save it.

  • You will see all assigned transaction display in role menu.

Step 5 :- Authorization Tab is basically for users are created using roles and profiles. The administrator creates the roles, and the system supports him or her in creating the associated authorizations. An authorization is a permission to perform a certain action in the SAP System. The action is defined on the basis of the values for the individual fields. You must generate authorization profiles before you can assign them to users. An authorization is generated for each authorization level and an authorization profile for the whole role as represented in the browser view.

There are two options in Authorization tab :- If you are generating the profile for the first time, there is no difference between the two modes.once choose one of the below mentioned option, assign full authorization to the role, save and generate it.

  1. Change Authorization Data :- If a new t-code is added to a role it will pull the authorization objects corresponding to that t-code but not any of those which was deleted by us earlier, provided that object is not related to newly added t-code. Or we can say that change mode will compare the authorization in the role for newly added t-code with SU24 and and will add all the necessary objects.

2.Expert Mode for profile generation :-

  • Delete and recreate profile and authorizations – All authorizations are recreated. Values which had previously been maintained, changed or entered manually are lost. Only the maintained values for organizational levels remain.
  • Edit old status – The last saved authorization data for the role is displayed. This is not useful, if transactions in the role menu have been changed.
  • Read old status and compare with new data – If you change transactions in the role menu, this option is the preconfigured. The profile generator compares the existing authorization data with the authorization default values for the menu transactions. If new authorizations are added during this process, they receive the status New. Authorizations that already existed receive the status Old.

Storage Tables :-

  1. AGR_PROF – Profile name for role.
  2. AGR_1252 – organizational element for authorizations.
  3. AGR_1016 – Name of the activity profile.
  4. TOBJ – Authorization Object.
  5. USR10 – User master authorization profiles.
  6. USR12 – Authorization Values.
  7. AGR_TIME – Time stamp for role including profile
Authorization Objects :–
  1. S_USER_AUT – (User Master Maintenance) This authorization object defines which authorizations the administrator can process. You can use the activities to specify the types of processing (such as creating, deleting, displaying change documents).
  2. S_USER_GRP – The authorization object is used in role administration when assigning users to roles and during the user master comparison.
  3. S_USER_SAS – (User Master Maintenance) System-specific assignments.The authorization object S_USER_SAS is checked in transactions SU01, SU10, PFCG, and PFUD when you assign roles, profiles, and systems to users.
  4. S_USER_AUT – (User Master Maintenance)
  5. S_USER_PRO – Profiles are protected with this authorization object
  6. S_USER_AGR – This authorization object protects roles. The roles combine users into groups to assign various properties to them
  7. S_USER_TCD – Transactions that an administrator can assign to a role
  8. S_USER_VAL – This authorization object allows the restriction of values that a system administrator can insert or change in a role.
  9. S_USER_SYS – Authorization object for system assignment in the Central User Administration (CUA).
  10. S_USER_ADM – The authorization object S_USER_ADM protects general Customizing and administration tasks for user and authorization administration. It consists solely of the authorization field S_ADM_AREA
Traffic Lights :-
  1. Red – It means that some organizational values has not been maintained in org field in profile generator
  2. Green – All the organizational filed are maintained (values are assigned)
  3. Yellow – It means that there are some or all field in certain authorization instance which are blank (not maintained)
Status Text for Authorizations :-
  1. Standard – It means that all values in authorization field of an authorization instance is unchanged from the SAP default value. (i.e. the values which are getting pulled from SU24).
  2. Manual – It means that at least one authorization field has been manually added, i.e. it was not proposed by profile generator.
  3. Changed – It means that the proposed value in at least one of the fields in an authorization instance has been changed.
  4. Maintained – It means that at least one of the field values in an authorization instance was blank when it was pulled from SU24 (i.e. SAP default value) and that blank field has been updated with some value
Note :- In below screen you will find the different color codes define distinct security specific objects/concepts. Let’s discuss these below.

Blue LineRole – In our case it’s the new role which we have just created.

Pink Line – Authorization Class – These group Authorization Objects which protect similar application components.

Green Line – Authorization Object – Its a template or structure with a number of fields each of which needs to filled up with appropriate data to allow access.

Yellow Line – Authorization – This is an unique instance of an authorization object with values specified for its different fields. An authorization is actually similar to an object.

Off-white Line – Authorization Field – These are the unique fields within each authorization object. Different authorization objects will have different sets of authorization fields.


Make sure before moving to User tab from authorization tab, the status is saved and generated.

  • Click on Authorization Tab and then change authorization data.

  • Assign authorization according to the requirement.

  • Save assigned authorization

  • Once you will save it will give you profile name for role.

  • You can check the status on right side as it saved and generated.

Step 6 :User Comparison :- Comparing the user master. This is basically updating profile information into user master record so that user are allowed to use the transaction contained in the menu tree of their role. If you are also using the role to generate authorization profile, then you should note that the generated profile is not entered in the user master record until the user master record have been compared. You can automate this by scheduling this report PFCG_TIME_DEPENDENCY on.

Mention user name.

  • Click on user comparison button.
  • Save and click on back button
Storage Table – AGR_USER – assignment of role to user

  • Click on User Tab you can see Tab is with yellow color. Assign user and click on user comparison button.

  • Click on complete comparison.

  • Save it now you can see the green button which means the comparison is done successfully.

Övünç DİNÇ

Çözüm Ekibi
Kayıtlı Üye
8 Eki 2016
Tepki puanı
Kullandığınız SAP Modülleri
  1. SAP MM
  2. SAP PP
Katılım Bölgesi
  1. İzmir
2. Composite Role Creation
Composite roles can simplify the user administration. They consist of single roles. Users who are assigned a composite role are automatically assigned the associated single roles during the compare. We can not add composite role to composite role.

We can maintain composite role in SAP system by using one of the following navigation method.

  1. SAP Menu Path -> SAP Menu -> Tools -> Administration -> User Maintenance -> Role -> Administration -> Roles.
  2. Transaction Codes -> PFCG
  3. Storage Table – AGR_AGRS
Step 1:- Run PFCG in SAP command field and enter.

Step 2:- Role Name.

  1. Update the composite role name in the role field.
  2. Click on composite role tab to create new composite roles in SAP.

Step 3:- Description Tab.

  1. Update the descriptive text of the composite role.
  2. Enter the descriptive long text of the composite role.
  3. Click on save button and save the data.

Step 4:- Role Tab.

  1. Enter list of all single role which you want into composite role ans enter.
  2. All role will come along with the description.
  3. You can add/select/deselect/delete/inactive the role from this tab also.
  4. Save it.

Step 5:- Menu Tab

  1. Click on read menu option right hand side (system will fetch all single role from role tab automatically once you will click on read menu button).
Once all single role will shown on screen Save it.



Step 6:- User Tab

  1. Update user name for user comparison.
  2. Click on user comparison button.
  3. Save it

  • Click on User Tab you can see Tab is with yellow color. Assign user and click on user comparison button
  • Click on complete comparison.
  • Save it now you can see the green button which means the comparison is done successfully.


Kayıtlı Üye
13 Ara 2017
Tepki puanı
Kullandığınız SAP Modülleri
  1. SAP MM
  2. SAP PP
  3. SAP CO
  4. SAP FI
  5. SAP SD
  6. SAP HR
  7. SAP QM
  8. SAP LE
  9. SAP PS
  10. SAP WM
  11. SAP ABAP
Bilgilendirme için teşekkürler. Ayrıca Türkçe içeriğin geliştirilmesi için gayretiniz için de teşekkür ederim. İngilizcesi olanların ulaşabildiği derin bir kaynak var fakat Türkçe kaynak konusunda ciddi bir eksiklik var. Umarım siteniz bu konuda öncü olur

Övünç DİNÇ

Çözüm Ekibi
Kayıtlı Üye
8 Eki 2016
Tepki puanı
Kullandığınız SAP Modülleri
  1. SAP MM
  2. SAP PP
Katılım Bölgesi
  1. İzmir
Teşekkürler.Umarım Türkçesi de olur.

Bilgilendirme için teşekkürler. Ayrıca Türkçe içeriğin geliştirilmesi için gayretiniz için de teşekkür ederim. İngilizcesi olanların ulaşabildiği derin bir kaynak var fakat Türkçe kaynak konusunda ciddi bir eksiklik var. Umarım siteniz bu konuda öncü olur

Arkadaşlar merhabalar,
Konuya eş değer türkçe kaynak için aşağıdaki konu bağlantısını kullanabilirsiniz.

SAP BASIS - PFCG Rol Bakım Menüsü