Building and Maintenance of Roles

PFCG is the transaction you use to create and maintain security roles in SAP. PFCG, or profile generator, is a powerful tool that lets the security administrator build security roles quickly: you first build a menu of transactions, which instructs the profile generator to bring in the associated authorization objects, and you then maintain authorization values for those objects based on the requirements you are trying to meet.

That last statement about bringing in authorization objects is the key to the power of PFCG. SAP delivers the system with associations between transactions and authorization objects, so that when you place a transaction in a role’s menu, PFCG knows which objects to include in the authorization section of the role. Many security administrators new to SAP don’t know or understand this relationship. Further, many don’t know that they can adjust these relationships, and add relationships for custom transactions, by using another transaction called SU24.

While this discussion is focused on PFCG, it is hard to discuss PFCG without mentioning SU24. SU24 is the configuration transaction for PFCG. Using SU24, you can control which authorization objects are included in a role every time you place a transaction in the role’s menu. This function aids the role build process because you don’t have to rediscover which objects are necessary to make a given transaction work, nor keep a separate cross-reference of transactions and authorization objects. Not only does the profile generator add the necessary objects whenever a transaction is added to the menu, it also uses the information in SU24 to remove objects when a transaction is removed from the menu.
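
The add-and-remove behaviour described above can be sketched as a simplified model. This is an added example, not SAP code or code from the original text; the `Role` class and the transaction and object names (`ZTX_*`, `Z_OBJ_*`) are constructed placeholders, and treating hand-added objects as unaffected by menu changes is an assumption of the model.

```python
from collections import defaultdict

# Constructed SU24-style proposals: transaction -> authorization objects.
# All names are hypothetical placeholders, not SAP-delivered defaults.
SU24_PROPOSALS = {
    "ZTX_DISPLAY": {"Z_OBJ_DOC", "Z_OBJ_ORG"},
    "ZTX_CHANGE": {"Z_OBJ_DOC", "Z_OBJ_ORG", "Z_OBJ_POST"},
}


class Role:
    """Toy role: a menu of transactions plus the objects the menu implies."""

    def __init__(self, proposals):
        self.proposals = proposals  # stands in for the SU24 data
        self.menu = set()           # transactions placed in the role menu
        self.manual = set()         # objects added by hand (model assumption)

    def add_transaction(self, tcode):
        # Without an SU24 entry the generator has nothing to propose.
        if tcode not in self.proposals:
            raise KeyError(f"{tcode}: no SU24 entry, maintain one first")
        self.menu.add(tcode)

    def remove_transaction(self, tcode):
        self.menu.discard(tcode)

    def sources(self):
        """Map each proposed object to the menu transactions that pull it in."""
        src = defaultdict(set)
        for tcode in self.menu:
            for obj in self.proposals[tcode]:
                src[obj].add(tcode)
        return dict(src)

    def objects(self):
        """Objects in the role: everything the menu proposes, plus manual ones."""
        return set(self.sources()) | self.manual

    def untraced(self):
        """Manual objects that no menu transaction accounts for (review these)."""
        return self.manual - set(self.sources())


def demo():
    """Objects before and after removing one transaction from the menu."""
    role = Role(dict(SU24_PROPOSALS))
    role.add_transaction("ZTX_DISPLAY")
    role.add_transaction("ZTX_CHANGE")
    before = role.objects()
    role.remove_transaction("ZTX_CHANGE")
    return before, role.objects()


if __name__ == "__main__":
    print(demo())
```

In the model, removing `ZTX_CHANGE` drops only `Z_OBJ_POST`, because `ZTX_DISPLAY` still proposes the other two objects; `untraced()` lists the hand-added objects that no menu entry explains.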

