This document is meant to help Functional Consultants understand what Roles and
Authorizations are in SAP, and in particular:

1. How to add Roles or transactions (t-codes) to a user
2. Why transactions need to be restricted
3. How to add custom (Z) transactions to a Role

From the BASIS team's perspective these requirements are not clear: BASIS cannot take the
decision on who may run what on its own, so the requirement has to be provided by the Functional
Consultants.

This document explains the concept of Roles and Authorizations:


Roles and Authorizations allow users to access SAP standard as well as custom (Z)
t-codes in a controlled way: a user can only start the t-codes in his Roles, and inside a
t-code can only perform the actions and touch the organizational units that the
authorization values in those Roles permit.

There are basically two types of Roles:

1. Master Roles – with t-codes, Authorization Objects and organizational levels.
2. Derived Roles – with their own organizational-level values; the t-codes and
Authorization Objects are copied (inherited) from the Master Role.

This split simplifies the management of Roles: a change made in the Master Role is passed
on to all of its Derived Roles when they are regenerated, while each Derived Role carries only
the organizational-level values (for example the plant) that differ from one user group to
the next.

A Role consists of the following components:

1. t-codes (the role menu)
2. Profile (generated from the role in PFCG; this is what the user master actually carries)
3. Authorization Objects with their field values
4. Organizational levels

Hence, considering the situation above, we create one common Master Role for all 4
Maintenance In-charges, say ZMPM_MAIN_IN_CHARGE_ROLE (the prefix ZMPM tells us that it is
a Z Master Role for Plant Maintenance), containing the t-codes mentioned above with full
rights (value "*") in the authorization objects pulled in by those t-codes. The one
restriction is the release of the Maintenance order: it is blocked by removing the value
BFRE (Release) from field BETRVORG of authorization object I_VORG_ORD. Note that an
authorization field cannot be maintained as "* except BFRE"; BETRVORG has to be filled with
the explicit list of allowed business transactions, leaving BFRE out. The organizational
levels (say plant) are left open in the Master Role, because the plant-specific values are
maintained in the Derived Roles.
Based on this Master Role we then create a Derived Role for each of the 4 Maintenance
In-charges individually. For the first Maintenance In-charge, say, we create the Derived
Role ZDPM_MAIN_IN_CHARGE_ROLE_MI1 (ZDPM: Z Derived Role for Plant Maintenance) referring to
the Master Role ZMPM_MAIN_IN_CHARGE_ROLE. This copies all t-codes and authorization objects
from the Master Role but does not copy the organizational-level values assigned in the Master
Role, so we maintain the organizational level for the Derived Role ourselves (say Plant P1).
Once the Master as well as the Derived Role are saved and generated (the profile is generated
in PFCG), the Derived Role can be assigned to the User ID of that Maintenance In-charge,
followed by the user comparison so that the generated profile reaches the user master. A
later change to the Master Role is pushed to all Derived Roles by regenerating them; only
their organizational-level values stay untouched.
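The following is an added illustration, not part of the original document and not SAP code: a small Python model of how a Master Role, its Derived Roles and the authorization check that consumes them fit together. I_VORG_ORD, field BETRVORG and value BFRE come from the text above; everything else is an assumption or constructed sample data: the t-codes IW31/IW32/IW33, the object I_IWERK with fields IWERK and TCD standing for the plant organizational level, the field AUFART, and the values BTAB/BABS as stand-ins for the other business transactions. The check semantics are simplified (exact values or "*", no ranges or patterns), but they show the two points a consultant has to keep in mind: one authorization must satisfy every field of a check, and a field cannot be maintained as "* minus one value".

```python
"""Toy model of SAP Master/Derived roles and the authorization check that
consumes them. Added illustration, not SAP code: I_VORG_ORD, BETRVORG and
BFRE come from the text above; every other object, field, t-code and value
below is an assumption or constructed sample data."""
from __future__ import annotations

from copy import deepcopy
from dataclasses import dataclass, field

ALL = "*"                      # PFCG "full authorization" value for a field
ORG_LEVEL_FIELDS = {"IWERK"}   # assumption: plant (IWERK) is the only org level here

# Constructed sample domain for BETRVORG. BFRE (release) is named on the page;
# BTAB / BABS stand in for the other business transactions of an order.
BETRVORG_DOMAIN = {"BFRE", "BTAB", "BABS"}


@dataclass
class Authorization:
    obj: str                       # authorization object, e.g. I_VORG_ORD
    fields: dict[str, set[str]]    # field name -> permitted values (or {"*"})

    def permits(self, **wanted: str) -> bool:
        # AUTHORITY-CHECK semantics (simplified: no ranges/patterns): a single
        # authorization must satisfy every field named in the check.
        return all(ALL in self.fields.get(f, set()) or v in self.fields.get(f, set())
                   for f, v in wanted.items())


@dataclass
class Role:
    name: str
    tcodes: set[str] = field(default_factory=set)
    auths: list[Authorization] = field(default_factory=list)
    org_levels: dict[str, set[str]] = field(default_factory=dict)


def add_tcode(role: Role, tcode: str) -> None:
    """Adding a t-code to the role menu also makes PFCG propose S_TCODE for it."""
    role.tcodes.add(tcode)
    for auth in role.auths:
        if auth.obj == "S_TCODE":
            auth.fields["TCD"].add(tcode)
            return
    role.auths.append(Authorization("S_TCODE", {"TCD": {tcode}}))


def derive(master: Role, name: str, org_levels: dict[str, set[str]]) -> Role:
    """Derived role: t-codes and authorization objects are copied from the
    Master; organizational-level values are NOT copied and must be supplied."""
    needed = {f for a in master.auths for f in a.fields if f in ORG_LEVEL_FIELDS}
    missing = needed - set(org_levels)
    if missing:
        raise ValueError(f"{name}: organizational level(s) not maintained: {sorted(missing)}")
    derived = Role(name, set(master.tcodes), deepcopy(master.auths), dict(org_levels))
    for auth in derived.auths:
        for f in auth.fields:
            if f in ORG_LEVEL_FIELDS:
                auth.fields[f] = set(org_levels[f])   # the Derived Role's own plant value
    return derived


def authority_check(role: Role, obj: str, **wanted: str) -> bool:
    """True if any authorization for `obj` in the role satisfies all given fields."""
    return any(a.obj == obj and a.permits(**wanted) for a in role.auths)


def can_start(role: Role, tcode: str) -> bool:
    """Starting a t-code is the S_TCODE check on field TCD."""
    return authority_check(role, "S_TCODE", TCD=tcode)


def build_roles() -> tuple[Role, dict[str, Role]]:
    """ZMPM_MAIN_IN_CHARGE_ROLE plus one ZDPM_... Derived Role per plant."""
    master = Role("ZMPM_MAIN_IN_CHARGE_ROLE", org_levels={"IWERK": {ALL}})
    for tcode in ("IW31", "IW32", "IW33"):        # assumed PM order t-codes
        add_tcode(master, tcode)
    # "All rights except release": a field cannot be maintained as "* minus BFRE",
    # so BETRVORG is listed explicitly with BFRE left out. AUFART = order type (assumed).
    master.auths.append(Authorization("I_VORG_ORD",
                                      {"AUFART": {ALL}, "BETRVORG": BETRVORG_DOMAIN - {"BFRE"}}))
    # Plant-level object; object name and fields IWERK/TCD are an assumption.
    master.auths.append(Authorization("I_IWERK", {"IWERK": {ALL}, "TCD": {ALL}}))
    derived = {
        plant: derive(master, f"ZDPM_MAIN_IN_CHARGE_ROLE_MI{i}", {"IWERK": {plant}})
        for i, plant in enumerate(("P1", "P2", "P3", "P4"), start=1)
    }
    return master, derived


if __name__ == "__main__":
    master, derived = build_roles()
    mi1 = derived["P1"]
    print(mi1.name, "start IW32:", can_start(mi1, "IW32"))
    print(mi1.name, "release order:",
          authority_check(mi1, "I_VORG_ORD", AUFART="PM01", BETRVORG="BFRE"))
    print(mi1.name, "plant P2:", authority_check(mi1, "I_IWERK", IWERK="P2", TCD="IW32"))
```

Running it shows the first Maintenance In-charge can start the order t-codes and work on orders in plant P1, but neither release an order (BFRE is absent from BETRVORG) nor touch plant P2 (the Derived Role carries only its own IWERK value), while the Master Role with "*" in IWERK would permit every plant, which is why only the Derived Roles are assigned to users. The derive() function also refuses to build a Derived Role whose organizational level has not been maintained, mirroring the step that must not be forgotten in PFCG.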