216/22, 12550 PM Role Administration Show TOC Role Administration Purpose You can use the role administration functions to manage roles and authorization data. The role management too creates authorization data ‘automatically based on selected menu functions, and presents it for postprocessing, Is also integrated with organizational management. ‘We recommend you use the role maintenance functions (transaction PFCG) to maintain your roles, authorizations and profiles. Athough you can continue to create profiles manually, you need detaled knowledge ofall SAP authorization components. ‘The role administration functions support you in performing your task by automating various processes and allowing you more flexibly in your authorization plan. You can also use the Cental User Administration functions to centrally edt the roles delivered by SAP or your wn, ew roles, and fo assign the roles to ary number af users. ‘The roles (previously: activity groups), which are based on the organizational plan af your company, form the basic framework of the tol ‘These roles form the lnk botween the user and the corresponding authorizations. The actual authorizations ané rofl ara stored in the SAP system as objec, With the roles, you assign to your users the usor menu that Is dsplayed aftr they log on to the SAP system. Roles also contain the authorizations that users can use to access the transactions, reports, Web-based applications, and so on that are contained inthe menu. "When you work with the role administration too, you work wih a level of information thats step away from she actual objects inthe SAP. system. The graphic below shows how these two levels are separated, yet linked together withthe role administration function. Structure of Role Administration nips: nelp.sap.com/dactsaphelp_nW73)7.3.16len-SI52/67 14204396 11418961000068322400/contenthim?no_cache=true~‘text=With the role. 18216/22, 12550 PM Role Administration Roles Transactions Role Administration / Profile Generator Purchaser Reports Transactions Accountant Reports Tasks ae ~ / Objects in the ae SAP System Hee NS / Object Class Authorization A ithorization__ Role ‘ Object ae Implementation Notes Since the standard SAP system contains a large numberof roles already, you should check whether you can use these before detning your To got an overview ofthe roles del sd with the system, do one othe fllowing In the SAP Easy Access menu, choose Tools + Administration -» User Maintenance —>Infosystem Roles —+ Roles By Complex Selection Criteraan then Execute In ale adminisvation (Tools + Administration -» User Maintenance -+Roles), choose the input help forthe Role fil. It you want to make modifications to an existing role, make a copy oft and modi this. I you do net find suitable roles, write job descriptions before beginning your workin role administration (see also Ital Installation Procedure). Either nave all maintenance tasks performed centrally by a single superuser, or dstibute the maintenance tasks to several users in order to Increase system securty. For more information, see Organization of the Authorization Administration. Features ntps:nelp.sap.com/dacisaphelp_nW73)7.3.16len-SI52/6714a04396 1141896"000068322400/contenthtm?no_cache-true~‘text=With the role... 23216/22, 12550 PM Role Administration ‘The system administrator chooses transactions, menu path (in the SAP menu) or area menus, I the role administration (transaction PFCG), ‘and combines them in 8 ree. The selecied functions correspond to the activites of @ user ora group of users. The tree corresponds to the user menu that is cisplayed tothe users fo whom this role is assigned when they log on tothe system, ‘The role adminis jan tool aulomatically provides the required authorizations for Trafic ights show you which values you have nol yet edited. After you have entered al of the values, generate an authorization profile fram the authorizations and assign the role tothe users. 32 selacted functions. Some ofthese have default values. Inthe rao administration, you can + Chango and assign roles + Create roles + Derive roles + Compare roles + Transport and dstibute roles Process Flow With the role administration functions, you are work in the upper level displayed inthe above graphic. You define the roles forthe various job descriptions wih the permitted activites. The ole administration tool determines the authorizations for users fr a particular role based on this Information. The basic process is as follows: 4. Assign transactions to jb descriptions Define job descriptions for each application area in your company (or example, n a job description matrix). For each pasion, determine the menu paths and transactions that the users in ths postion need to access. Determine the necessary access authorizations (display, change), as well as any restrictions that may apply. 2. Ecit the rales with the role administration (transaction PFCG), Using tho role maintonanco functions, create te roles that correspond to each of th job descriptions. For each role, solect those tasks (reports and transactions) that belong tthe corresponding job 2. Generate and edit authorization profes In this ste, the tol automaticaly bulds the authorization profile thal apples tothe rol. Ta acceptor change the suggested profile, you ‘must work your way Uxough the prafile tre structure and confirm the individual authorizations that you want to sign tothe role 4 Assign users In this step, you assign users tothe relevant role 5. Update the user master records The user assignment and generated profile need to bo updated inthe user master records. There are a number of ways of doing this (depending on the release) « Inallreleases, you can schedule a background job that requary updates the user master records © As of release 45, you can ether use the function User compare, or you can have the system automaticaly update the user master records when you save the roles. (Choose Uiitias + Seltngsand activate the option Aulomatic comparison at save.) Note Even f you use the User Comparison function or the Automatic Comparison at Save option , we recommend that you schedule a background job and ansure that all user mas records are aulomatically updated on a regular basis. Mora information + Assigning Standard Roles + Role Adminstration Functions, -ntps:nelp.sap.com/dacisaphelp_nW73)7.3.16len-SI52/67 14204396 114189610000e8322400/contenthin?no_cache-true~text=With the role. 38