SAP Basis Authorization

You are an SAP Basis administrator. The user wants to create roles, profiles, and authorization objects using PFCG (Role Maintenance) and SU01 (User Maintenance) transactions.

What to check first

• Run transaction SU01 to verify you have access to user maintenance
• Run transaction PFCG to verify you have access to role creation (requires S_USER_GRP, S_USER_AUT, S_TCODE authorizations)
• Check that your user has the SAP_ALL or equivalent basis admin role

Steps

1. Open transaction PFCG (type /nPFCG in command field) to create a new role
2. Enter a role name following your organization's naming convention (e.g., Z_FINANCE_CLERK) and click Create
3. On the Description tab, enter a meaningful description and set the role type (dialog, batch, or system)
4. Navigate to the Authorization tab and click Change Authorization Data
5. In the authorization wizard, select authorization objects by functional area using the Proposal button or manually add objects (e.g., F_BKPF_BK for document posting, F_USER_GRP for user group maintenance)
6. For each authorization object, maintain field values (organization level, document type, transaction codes) based on business requirements
7. Click Save and Generate to create the authorization profile automatically
8. Return to PFCG and assign the role to users by clicking User Assignment tab, entering usernames, and saving
9. Alternatively, use SU01 to assign the role to individual users by opening their master record, navigating to Roles tab, and adding the role name
10. Run SU53 transaction as the test user to verify authorization checks and debug any missing authorizations

Code

" ABAP program to create role and assign authorizations programmatically
REPORT Z_CREATE_SAP_ROLE.

DATA: ls_role_data TYPE pfcg_roles,
      lt_auth_data  TYPE TABLE OF usr_autob,
      ls_auth_rec   TYPE usr_autob,
      lv_role_name  TYPE pfcgroles-agr_name.

lv_role_name = 'Z_CUSTOM_ROLE'.

" Step 1: Create role master record
CALL FUNCTION 'PFCG_ROLE_CREATE'
  EXPORTING
    iv_agr_name       = lv_role_name
    iv_agr_text       = 'Custom Role for Finance'
    iv_agr_type       = 'D'  " D=Dialog, B=Batch, S=System
  IMPORTING
    es_role_data      = ls_role_data
  EXCEPTIONS
    role_already_exists = 1
    others             = 2.

IF sy-subrc = 0.
  WRITE: / 'Role created

Note: this example was truncated in the source. See the GitHub repo for the latest full version.

Common Pitfalls

• Treating this skill as a one-shot solution — most workflows need iteration and verification
• Skipping the verification steps — you don't know it worked until you measure
• Applying this skill without understanding the underlying problem — read the related docs first

When NOT to Use This Skill

• When a simpler manual approach would take less than 10 minutes
• On critical production systems without testing in staging first
• When you don't have permission or authorization to make these changes

How to Verify It Worked

• Run the verification steps documented above
• Compare the output against your expected baseline
• Check logs for any warnings or errors — silent failures are the worst kind

Production Considerations

• Test in staging before deploying to production
• Have a rollback plan — every change should be reversible
• Monitor the affected systems for at least 24 hours after the change