Creating Roles



       1.      Specify a name for the role. Choose a name that does not begin with a namespace prefix or the prefix SAP.

       2.      Now enter a text to describe the functions of the role.

       3.      Assign transactions, reports, programs and/or internet/intranet links to the role in the Menu tab. The activities in the role menu structure are used by the system to create the authorizations automatically. You can specify the authorization data in the Authorizations tab.

You can create the user menu:



from the SAP menu

Copy menu branches from the SAP menu into the user menu by clicking on checkboxes. Expand the menu branch if you want to put lower-level nodes or individual transactions/programs in the user menu.

from another role

Copy the menu structure of an existing role into the current role. It can be the menu structure of a role delivered by SAP.

From an area menu

Copy area menus (SAP standard area menus or your own) into the user menu of a role. Choose an area menu from the list of menus and copy the transactions you want.

Transaction code

Direct input of a transaction code


Put reports, programs, transaction variants or queries in the user menu


Enter Internet/intranet links. Enter a descriptive text and the Web address.

       4.      Under the Authorizations tab, choose Change authorization data.

An input window may appear, depending on which activities you selected You are prompted to enter the organizational levels. Organizational levels are authorization fields which occur in a lot of authorizations. For example company code. If you enter a particular value in the dialog box, die authorization fields of the role are maintained automatically.

The authorizations which are proposed automatically for the selected activities of the role are displayed in the following screen. Some authorization have default values.

Wherever traffic lights appear in the tree display authorization values must be edited manually. You can maintain the authorization values by expanding the object classes and clicking on the white fields to the right of the authorization field name.

When you have maintained the values, the authorizations count as manually modified and are not overwritten when you copy more activities into the role and edit the authorizations again. You can assign the complete authorization (*) for the hierarchy level for all non-maintained fields by clicking on the traffic lights.

Wherever there are red traffic lights, there are organizational levels with no values. You can enter and change organizational levels with Org. levels.

If you want other functions in the tree display, e.g. copying or collecting authorizations, you can show them with Utilities ® Settings.

       5.      Generate an authorization profile for the authorizations. Choose .

You are prompted for an authorization profile name. A valid name in the customer namespace is proposed.

       6.      Leave the tree display after the profile generation.

If you change the menu selection and call the authorization tree display again, the authorizations for the new activities are added to the existing authorizations. Traffic lights may be switched to yellow because new, incomplete authorizations appear in the tree display. Assign values manually or delete them. You can delete an authorization by deactivating it first and then deleting it.

You can add general authorizations, e.g. spool display or print with authorization templates to the existing data. Choose Edit ® Insert authorizations ® From template. Choose a template (SAP_USER_B – Basis authorization for application users or SAP_PRINT – print authorization). You can also create a separate role for clarity.

       7.      Assign users to the role in the User tab.

The user menu is displayed when the assigned user logs on to the SAP System. The generated authorization profiles are automatically entered in this user‘s user master record when the user master is compared.

       8.      Choose User comparison in the User tab. Choose Complete comparison.

If you do not want to restrict the assignment validity period (current date until 31.12.9999), no further action is required. To restrict the validity period, you must schedule the program PFCG_TIME_DEPENDENCY, which updates user master records, daily. It must also be scheduled if you use the organization management.

Do not enter generated authorization profiles directly into user master records. Generated profiles are only assigned to user master records by assigning users to roles and then comparing users. The profiles for the role are entered in all appropriate user master records.


You have created a role. A user menu is displayed to the user to whom this role is assigned when he or she logs on to the system. The user has the authorizations which you specified to perform the activities in the user menu.