You can manage user authorizations and profiles in your SAP systems more efficiently with these seven tips on changing settings for the Profile Generator.
Key Concept
Activity groups are data containers for the Profile Generator to generate authorization profiles. Generally an activity group (or role, since Release 4.6C) represents a job role (e.g., HR manager, payroll expert, chief accountant, etc.). Activity groups are assigned to users to provide the necessary access rights.
Every HR administrator who supports the SAP authorization concept is familiar with the Profile Generator (transaction PFCG), which aids in managing user authorizations and profiles in SAP systems. Using this standard SAP tool, you can more effectively configure job roles for users throughout the whole enterprise. Generally, the Profile Generator is in charge of retrieving all the authorization objects required for the selected transactions so that users pass the authorization checks.
I’m going to give you tips to help you control the PFCG settings. Let’s start with the place in the system where you can change these settings. You use special definitions in table PRGN_CUST, which contains customizing settings for the Profile Generator. You maintain this using transaction SM30 — maintain table views (Figure 1). You can execute the same command via transaction SM30_PRGN_CUST. From a security point of view, you only need the authorizations S_TABU_DIS, DICBERCLS = SS and ACTVT = 03 to display the PRGN_CUST table, and ACTVT = 02 to change the PRGN_CUST table.

Figure 1
Transaction SM30 leads to the Maintain Table Views: Initial Screen
When you are using the HR module, you can start the Profile Generator tool by accessing it in the Organizational Management (OM) node of the IMG tree via the customizing transaction SPRO. Press F5 to see the customizing tree. Use the menu path of the Implementation Guide for R/3 Customizing (IMG): Personnel Management>Organizational Management>Basic Settings>Authorization Management>Maintain Profiles or transaction PFCG. The Profile Generator is a central tool for generating authorizations and authorization profiles. They form the set of functions describing the user’s work area, which is called an activity group or role. The activity groups are assigned to agents. Agents within activity groups are organizational objects. The types of organizational agents you can create within the HR module are organizational units, positions, jobs, persons, and work centers. Agent types are work center, job, organizational unit, person, position, and user. The Profile Generator allows you to maintain authorizations for people who have different job roles and perform the same functions for the same position but in different company areas.
Now, I’ll take you through seven functionalities, using nine PRGN_CUST keys. Some of the settings are managed by changing one PRGN_CUST parameter, and others by changing several parameters (e.g., to control the generation of the profile SAP_ALL). See Table 1 for summarized information about the PRGN_CUST keys and a description of their values for controlling some of the PFCG settings.
| Function | PRGN_CUST key | Value | Description |
|---|---|---|---|
| Control (show/hide) the Organizational Management button in PFCG | HR_ORG_ACTIVE | Yes* | Shows the Organizational Management button in PFCG |
| | | No | Hides the Organizational Management button |
| Changes the Organizational Management to be automatically maintained in the CUA (central user administration) | PD_ORG_ACTIVE | Yes | Changes are automatically maintained in CUA |
| | | No* | Changes are not automatically maintained in CUA |
| Deactivation in PFCG display mode of the buttons User Master comparison and HR Organizational Management | USER_PROF_IN_DISP_MODE | No | Deactivation |
| | | Yes* | Activation |
| Locking a system against importing user assignments of roles | USER_REL_IMPORT | No | Lock |
| | | Yes* | Unlock |
| Preventing authorization profiles from being transported with roles | PROFILE_TRANSPORT | No | Authorization profiles are not transported with roles |
| | | Yes* | Authorization profiles are transported with roles |
| Controlling the generation of the profile SAP_ALL | ADD_ALL_CUST_OBJECTS | No | Admit full authorization for customer authorization objects (namespace Y, Z) in profile SAP_ALL |
| | | Yes* | No full authorization for customer authorization objects in SAP_ALL |
| | ADD_OLD_AUTH_OBJECTS | Yes | Admit full authorization for out-of-date authorization objects (class AAAA) in profile SAP_ALL |
| | | No* | No full authorization for out-of-date authorization objects in SAP_ALL |
| | ADD_S_RFCACL | Yes | Admit full authorization for S_RFCACL in profile SAP_ALL |
| | | No* | No full authorization for S_RFCACL in SAP_ALL |
| Automatic user master comparison | AUTO_USERCOMPARE | Yes* | Activate the user master comparison |
| | | No | Automatic user master comparison is deactivated |

Table 1
Keys in PRGN_CUST for controlling some of the PFCG settings

- Tip 1. You can control (show or hide) the Organizational Management button in PFCG. For example, if you are not using indirect assignment of users to activity groups, you can ignore the status display of the Organizational Management button, or you may want some people to be able to have access to the button but not others.
You should run the HR organizational management comparison if you make changes to your local HR model or transport changes into the system that affect the indirect role assignment. (The indirect role assignment means that you do not assign the role directly in transactions SU01, SU10, or PFCG to one or more users, but link the role with one organizational unit such as work center, organizational unit, or job using HR-ORG. The users are then assigned the role linked with this organizational unit indirectly using the authorization path US_ACTGR [table T77AW]).
The indirect user assignments (for positions, jobs, etc.) can only be processed when they have been compared to the roles. User assignments assigned by position, job, etc., are entered as the so-called “indirect user assignments” in the roles. The direct user assignment may be done by the User tab in PFCG or by the object User in Organizational Management. To hide the button, you have to set the customizing switch HR_ORG_ACTIVE in the table PRGN_CUST to NO, as shown in Figure 2. In this case, the HR comparison is not selectable. To activate Organizational Management, HR_ORG_ACTIVE in table PRGN_CUST must be set to YES.

Figure 2
Maintain the entries in Change View screen (transaction SM30)
Note
The activity group maintenance (up to Release 4.6B) has two different views — basic maintenance view and overall view (OM):
- If you use the basic maintenance view, you can assign menus, authorizations, and user master records. The user master record contains master data such as the password. Only users who have a user master record can log on to the system.
- The overall view in PFCG displays all assignments for an activity group — relationships, links such as task or user assignments, etc. It is related to the personnel development HR application via the Organizational Management button on the User tab.
The Profile Generator since Release 4.6C offers a simple view (menu maintenance for Workplace).
- Tip 2. If you want the changes made in Organizational Management to be automatically maintained in the central user administration, you must add the key PD_ORG_ACTIVE in table PRGN_CUST with the value YES.
- Tip 3. If you want to deactivate the User master comparison and HR Organizational Management functions in PFCG display mode, switch USRPROF_IN_DISP_MODE in the PRGN_CUST table to NO. If you make changes to the users assigned to the activity group or generate an authorization profile for them, then you must compare the user master records via the User compare button. This compares the authorization profiles with the user master records. It removes the profiles that are no longer current from the user master records and adds the current profiles instead. The status in the Organizational Management button shows whether you need to update the indirect user assignments. If the status is red, then the user assignments are not current.
By default, the two functions User compare and Organizational Management on the User tab are also active in display mode (Figure 3). This does not result in any safety hazards because the role itself cannot be changed by these functions, and the required authorizations, in particular S_USER_AGR, ACTVT = 22, are always checked. With the switch set to NO, both buttons can no longer be selected (Figure 4), but the status specifications (green or red traffic lights) on the User tab continue to be displayed.

Figure 3
Organizational Management and User compare buttons are active in display mode (transaction PFCG)

Figure 4
Organizational Management and User compare buttons are hidden in display mode (transaction PFCG)
- Tip 4. If you want to lock a system against importing user assignments of roles, you can specify this in the Customizing table PRGN_CUST. Add the line USER_REL_IMPORT and the value NO.
When you transport roles via the PFCG tool, you can also transport user assignments. Locking a system against importing user assignments is important because it prevents the entire user assignment of roles in the target system from being replaced. In addition, according to your company authorization plan, you may have different user assignments in the target system. Usually the test (TST) and development (DEV) systems have TEST users that should not be present in the productive system. If you transport the activity groups with the assignment of user TEST1, you see the message “User TEST1 does not exist” in the target system. To prevent that replacement and discrepancy, fill in the customizing table PRGN_CUST key USER_REL_IMPORT with the value NO.
- Tip 5. To prevent authorization profiles from being transported with the roles, in the transport source system make an entry in the table PRGN_CUST called PROFILE_TRANSPORT with the value NO. Note: In this case you must regenerate the profiles in the target system using transaction SUPC.
- Tip 6. If you want to control the generation of the profile SAP_ALL, which contains all authorizations including newly released authorizations, use the following customizing switches in table PRGN_CUST (from SAP R/3 4.6): ADD_ALL_CUST_OBJECTS, ADD_OLD_AUTH_OBJECTS, and ADD_S_RFCACL.
If you have created customer-specific authorization objects (namespace Y, Z) and you want to admit full authorization for them in the standard profile SAP_ALL, then you should enter the customizing key ADD_ALL_CUST_OBJECTS = NO in PRGN_CUST. The default value of ADD_ALL_CUST_OBJECTS is YES.
If you want to generate profile SAP_ALL with full authorization for out-of-date authorization objects (class AAAA), enter the value YES for ADD_OLD_AUTH_OBJECTS in the customizing table PRGN_CUST. The switch ADD_OLD_AUTH_OBJECTS is NO by default. It is not entered as a record in table PRGN_CUST, but the system behaves as if it were set to NO.
You can manage the logon authorization checks in a trusting system with the parameter ADD_S_RFCACL in table PRGN_CUST. (R/3 systems may establish trusted relationships between each other. If a calling R/3 system is known to the called system as a trusted system, no password must be supplied.) The data provided by the trusted system is checked for system name, client, user name, and other optional data. This data must match the field values of authorization object S_RFCACL. If the switch ADD_S_RFCACL in PRGN_CUST is YES, full authorization for object S_RFCACL is admitted in profile SAP_ALL. The default system value is ADD_S_RFCACL = NO. Again, you are not going to find it as a record in PRGN_CUST because you have to add it manually. To check whether S_RFCACL is assigned to any user, enter transaction code S_BCE_68001397 in the command field. This report gives you information about the users who have the S_RFCACL authorization object. The result may be, “No matching user found,” even if you do have users with profile SAP_ALL. In this case you have to regenerate profile SAP_ALL adding the value for ADD_S_RFCACL = YES.
Note
Report RSUSR406 generates profile SAP_ALL in the current client. To generate SAP_ALL in all clients, use the AGR_REGENERATE_SAP_ALL report. The above parameters just control/customize the SAP_ALL generation. They do not perform the generation. The reports RSUSR406 and AGR_REGENERATE_SAP_ALL do the generation.
- Tip 7. You can activate or deactivate the automatic user master comparison. Because the assignments in organizational management are time dependent, the time dependency must be taken into account when user assignments are set up. This occurs during a comparison in which the relationship period from organizational management is transferred to the indirect user assignments. Changes in the organizational structure itself (to the assignment user position or deletion of assignments, for example) cannot automatically be compared.
The standard setting of the system causes a user master comparison to be run automatically when a role is saved in the PFCG. This function can be deactivated both globally and individually. For a good performance of the user buffer, up-to-date authorizations are a must. It is worth keeping an eye on the accuracy of authorizations because this guarantees that your users get the functionalities planned for them when they log on to the system. Otherwise, a discrepancy with the user buffer may appear. This occurs when the user tries to perform activities in the system and the application programs and transactions are checked against the authorization objects. If the authorizations are not contained in the user buffer, then the activities cannot be performed.
To ensure that only valid authorization profiles are contained in the user master record, the HR administrator has to execute a global or individual comparison. For an effective record of all changes in the user master record, the comparison should be executed before the user logs on. The switch/parameter AUTO_USERCOMPARE is used for global deactivation in table PRGN_CUST. If you set the value AUTO_USERCOMPARE = NO, the automatic user master comparison is deactivated on all clients of the system.
Note
Make all changes in your development system. Table PRGN_CUST is cross-client. The system warns you that each change you make in PRGN_CUST has an effect on all other clients in the system. Therefore you have to plan and coordinate all your decisions carefully. When you add new entries and save the PFCG parameters, the system asks you to enter a change request. Enter a description for the request, fill in the name of the system in which you want to insert the changes, save the request, and transport it (Figure 5).

Figure 5
Create a change request
Alternatively, you can deactivate the comparison for a specific client and user. To do this, navigate to the PFCG role maintenance (change of roles screen) and deactivate the option Automatic comparison of the user master when the role is saved in the menu path Utilities>Settings. The setting applies only to the user who made it, and only to the current client.
If the automatic comparison is deactivated globally (AUTO_USERCOMPARE = NO), then you cannot run an individual regeneration because the option Automatic comparison of the user master when the role is saved cannot be selected in this case.
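Because a key with no record in PRGN_CUST behaves as its default, a review of these switches has to resolve the effective value rather than read only the stored rows. The following added example (not from the original article or from SAP) does that for the transport and SAP_ALL switches and lists the settings worth a reviewer's attention; the tab-separated two-column export layout, the function names, and the sample rows are assumptions.

```python
import csv
import io

# Defaults taken from Table 1 of the article (values marked with *).
# A key with no record in PRGN_CUST behaves as if it had its default.
DEFAULTS = {
    "USER_REL_IMPORT": "YES",
    "PROFILE_TRANSPORT": "YES",
    "ADD_ALL_CUST_OBJECTS": "YES",
    "ADD_OLD_AUTH_OBJECTS": "NO",
    "ADD_S_RFCACL": "NO",
    "AUTO_USERCOMPARE": "YES",
}

# (key, value to bring to a reviewer's attention, consequence as the article describes it)
REVIEW = [
    ("USER_REL_IMPORT", "YES", "role transports can overwrite user assignments"),
    ("ADD_S_RFCACL", "YES", "SAP_ALL is generated with full S_RFCACL"),
    ("ADD_OLD_AUTH_OBJECTS", "YES", "SAP_ALL includes out-of-date objects (class AAAA)"),
    ("AUTO_USERCOMPARE", "NO", "user master comparison must be run manually"),
    ("PROFILE_TRANSPORT", "NO", "profiles must be regenerated in the target (SUPC)"),
]

def effective_settings(export_text):
    """Merge exported PRGN_CUST rows over the defaults; reject unusable values."""
    settings = dict(DEFAULTS)
    for row in csv.reader(io.StringIO(export_text), delimiter="\t"):
        if len(row) < 2 or row[0].strip().upper() not in DEFAULTS:
            continue  # header, blank line, or a key this check does not cover
        key, value = row[0].strip().upper(), row[1].strip().upper()
        if value not in ("YES", "NO"):
            raise ValueError(f"{key}: unexpected value {row[1]!r}")
        settings[key] = value
    return settings

def findings(export_text):
    """Return one line per effective setting that matches a REVIEW entry."""
    settings = effective_settings(export_text)
    return [f"{k} = {v}: {why}" for k, v, why in REVIEW if settings[k] == v]

# Constructed sample export (tab-separated key/value), not from a real system.
SAMPLE = "ID\tPATH\nHR_ORG_ACTIVE\tNO\nADD_S_RFCACL\tyes\nUSER_REL_IMPORT\tNO\n"

if __name__ == "__main__":
    for line in findings(SAMPLE):
        print(line)
```

An empty export still yields a finding for USER_REL_IMPORT, because its default allows user assignments to be imported.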
Maria Nikolova
Maria Nikolova has worked as a senior SAP expert for the National Electricity Company (NEK) in Bulgaria since January 1999. Maria has a master’s degree in telecommunications as an engineer from the Technical University in Sofia, Bulgaria. She has experience with an MIS project implementation of SAP R/3 (headquarters and rollout), the authorization concept and user administration, SAP Customer Competence Center (SAP CCC), SRM, and the SD, HR, CO, Asset Management (AM), MM, and PM modules. Prior to joining NEK, she worked as a manager of Equipment Engineering Ltd. for four years.
You may contact the author at searchsapmnikolova@yahoo.com.