SAP Authorizations Authorization roles (transaction PFCG)

Direkt zum Seiteninhalt
Authorization roles (transaction PFCG)
Check for permissions on the old user group when assigning a new user group to a user
You have an organizational structure that includes 4 hierarchical levels - authority, department, unit, functional area). The authorization concept in your organization states that access (processing) to Records Management objects should be allowed for an employee only within his/her own organizational unit. However, the authorization check should only take place on three levels. So if a unit is subdivided into further functional areas, all employees of the unit and the functional areas should have the same authorizations. Since department 2 and department 3 work very closely together, employees of department 2 should be able to read all files, transactions and documents of department 3 and vice versa.

If the FIORI interface is then used under SAP S/4HANA, the additional components must also be taken into account here. Authorizations are no longer made available to the user via "transaction entries" in the menu of a role. Instead, catalogs and groups are now used here. These are stored similar to the "transaction entries" in the menu of a role and assigned to the user. However, these catalogs must first be filled with corresponding tiles in the so-called "Launchpad Designer". It is important to ensure that all relevant components (tile component and target assignment component(s)) are always stored in the catalog. The FIORI catalog is used to provide a user with technical access to a tile. A corresponding FIORI group is used to make these tiles visually available to the user for access in the Launchpad.
Error analysis for authorizations (part 1)
The authorisation trace is a client- and user-independent trace. The results of this trace are written in the USOB_AUTHVALTRC table and can also be viewed in the STUSOBTRACE transaction by clicking the Evaluate button. This trace data can be used by developers to maintain the permission proposal values in the transaction SU22 (see also Tip 40, "Using the permission trace to determine suggested values for custom developments").

A new transaction has been added to evaluate the system trace only for permission checks, which you can call STAUTHTRACE using the transaction and insert via the respective support package named in SAP Note 1603756. This is a short-term trace that can only be used as a permission trace on the current application server and clients. In the basic functions, it is identical to the system trace in transaction ST01; Unlike the system trace, however, only permission checks can be recorded and evaluated here. You can limit the recording to a specific user. You can also use the trace to search only for permission errors. The evaluation is similar to the evaluation of the system trace in the transaction ST01. In transaction STAUTHTRACE, however, you can also evaluate for specific authorization objects or for specific permission check return codes (i.e. after positive or negative permission checks). You can also filter multiple entries.

With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.

SAP Basis is the foundation of any SAP system. You can find a lot of useful information about it on this page: www.sap-corner.de.


Transaction SU53 can be used to immediately display the missing authorizations for a single SAP user.

The freeware Scribble Papers puts an end to the confusing paper chaos. The tool is also suitable for storing, structuring and quickly finding text documents and text snippets of all kinds in addition to notes.


You can use the previously created organisational matrix to either mass create new role derivations (role derivation) or mass update role derivations (derived role organisational values update).
Zurück zum Seiteninhalt