Every HR administrator who supports the SAP authorization concept is familiar with the Profile Generator (transaction PFCG) that aids in managing user authorizations and profiles in SAP systems. Using this standard SAP tool, you can more effectively configure job roles for users throughout the whole enterprise. Generally, the Profile Generator is in charge of retrieving all the required authorization objects for the selected transactions that are for users to pass the authorization checks.

I’m going to give you tips to help you control the PFCG settings. Let’s start with the place in the system where you can change these settings. You use special definitions in table PRGN_CUST, which contains customizing settings for the Profile Generator. You maintain this using transaction SM30 — maintain table views (Figure 1). You can execute the same command via transaction SM30_PRGN_CUST. From a security point of view, you only need the authorizations S_TABU_DIS, DICBERCLS = SS and ACTVT = 03 to display the PRGN_CUST table, and ACTVT = 02 to change the PRGN_CUST table.

Figure 1

Transaction SM30 leads to the Maintain Table Views: Initial Screen

When you are using the HR module, you can start the Profile Generator tool by accessing it in the Organizational Management (OM) node of the IMG tree via the customizing transaction SPRO. Press F5 to see the customizing tree. Use the menu path of the Implementation Guide for R/3 Customizing (IMG): Personnel Management>Organizational Management>Basic Settings>Authorization Management>Maintain Profiles or transaction PFCG. The Profile Generator is a central tool for generating authorizations and authorization profiles. They form the set of functions describing the user’s work area, which is called an activity group or role. The activity groups are assigned to agents. Agents within activity groups are organizational objects. The types of organizational agents you can create within the HR module are organizational units, positions, jobs, persons, and work centers. Agent types are work center, job, organizational unit, person, position, and user. The Profile Generator allows you to maintain authorizations for people who have different job roles and perform the same functions for the same position but in different company areas.

Now, I’ll take you through seven functionalities, using nine PRGN_CUST keys. Some of the settings are managed by changing one PRGN_CUST parameter, and others by changing several parameters (e.g., to control the generation of the profile SAP_ALL). See Table 1 for summarized information about the PRGN_CUST keys and a description of their values for controlling some of the PFCG settings.

• Tip 1. You can control (show or hide) the Organizational Management button in PFCG. For example, if you are not using indirect assignment of users to activity groups, you can ignore the status display of the Organizational Management button, or you may want some people to be able to have access to the button but not others.
  
  You should run the HR organizational management comparison if you make changes to your local HR model or transport changes into the system that affect the indirect role assignment. (The indirect role assignment means that you do not assign the role directly in transactions SU01, SU10, or PFCG to one or more users, but link the role with one organizational unit such as work center, organizational unit, or job using HR-ORG. The users are then assigned the role linked with this organizational unit indirectly using the authorization path US_ACTGR [table T77AW]).
  
  The indirect user assignments (for positions, jobs, etc.) can only be processed when they have been compared to the roles. User assignments assigned by position, job, etc., are entered as the so-called “indirect user assignments” in the roles. The direct user assignment may be done by the User tab in PFCG or by the object User in Organizational Management. To hide the button, you have to set the customizing switch HR_ORG_ACTIVE in the table PRGN_CUST to NO, as shown in Figure 2. In this case, the HR comparison is not selectable. To activate Organizational Management, HR_ORG_ACTIVE in table PRGN_CUST must be set to YES.

Figure 2

Maintain the entries in Change View screen (transaction SM30)

• Tip 2. If you want the changes made in Organizational Management to be automatically maintained in the central user administration, you must add the key PD_ORG_ACTIVE in table PRGN_CUST with the value YES.
  
  
• Tip 3. If you want to deactivate the User master comparison and HR Organizational Management functions in PFCG display mode, switch USRPROF_IN_DISP_MODE in the PRGN_CUST table to NO. If you make changes to the users assigned to the activity group or generate an authorization profile for them, then you must compare the user master records via the User compare button. This compares the authorization profiles with the user master records. It removes the profiles that are no longer current from the user master records and adds the current profiles instead. The status in the Organizational Management button shows whether you need to update the indirect user assignments. If the status is red, then the user assignments are not current.
  
  The two User compare and Organizational Management functions on the User tab are also active in display mode (Figure 3). Both buttons can no longer be selected (Figure 4), but the status specifications (green or red traffic lights) on the User tab continue to be displayed. This does not result in any safety hazards because the role itself cannot be changed by these functions, and the required authorizations, in particular S_USER_AGR, ACTVT = 22, are always checked.

Figure 3

Organizational Management and User compare buttons are active in display mode (transaction PFCG)

Figure 4

Organizational Management and User compare buttons are hidden in display mode (transaction PFCG)

• Tip 4. If you want to lock a system against importing user assignments of roles, you can specify this in the Customizing table PRGN_CUST. Add the line USER_REL_IMPORT and the value NO.
  
  When you transport roles via the PFCG tool, you can also transport user assignments. Locking a system against importing user assignments into the target system is important because it prevents the replacement of entire user assignment of roles in the target system. In addition, according to your company authorization plan you may have different user assignments in the target system. Usually in the test /TST/ and development /DEV/ system you have TEST users that are not recommended to present in the productive system. However, if you transport the activity groups with the assignment of user TEST1, in the target system you see the message, “User TEST1 does not exist.” To prevent that replacement and discrepancy, fill in the customizing table PRGN_CUST key USER_REL_IMPORT with the value NO.
  
  
• Tip 5. To prevent authorization profiles from being transported with the roles, in the transport source system make an entry in the table PRGN_CUST called PROFILE_TRANSPORT with the value NO. Note: In this case you must regenerate the profiles in the target system using transaction SUPC.
  
  
• Tip 6. If you want to control the generation of the profile SAP_ALL, which contains all authorizations including newly released authorizations, use the following customizing switches in table PRGN_CUST (from SAP R/3 4.6): ADD_ALL_CUST_OBJECTS, ADD_OLD_OBJECTS, and ADD_S_RFCACL.
  
  If you have created customer-specific authorization objects (namespace Y, Z) and you want to admit full authorization for them in the standard profile SAP_ALL, then you should enter the customizing key ADD_ALL_CUST_OBJECTS = NO in PRGN_CUST. The default value of ADD_ALL_CUST_OBJECTS is YES.
  
  If you want to generate profile SAP_ALL and you want to admit full authorization for out-of-date authorization objects (class AAAA), just enter the value YES for ADD_OLD_OBJECTS in the customizing table PRGN_CUST. The switch ADD_OLD_OBJECTS by default is NO. It is not entered as a record in table PRGN_CUST but the system behaves as if it is equal to the value NO.
  
  You can take advantage of the opportunity to manage the logon authorization checks in a trusting system by the parameter ADD_S_RFCACL in table PRGN_CUST. (R/3 systems may establish trusted relationships between each other. If a calling R/3 system is known to the called system as a trusted system, no password must be supplied.) The data provided by the trusted system is checked for system name, client, user name, and other optional data. This data must match the field values of authorization object S_RFCACL. If the switch ADD_S_RCACL in PRGN_CUST is YES, then that means admitting full authorization for object S_RFCACL in profile SAP_ALL. The default system value is ADD_S_RFCACL = NO. Again, you are not going to find it as a record in PRGN_CUST because you add it manually. If you want to check if S_RFCACL is not assigned to any user, enter transaction code S_BCE_68001397 in the command field. This report gives you information about the users who have the S_RFCACL authorization object. The result may be, “No matching user found,” even if you do have users with profile SAP_ALL. In this case you have to regenerate profile SAP_ALL adding the value for ADD_S_RFCACL = YES.

• Tip 7. You can activate or deactivate the automatic user master comparison. Because the assignments in organizational management are time dependent, the time dependency must be taken into account when user assignments are set up. This occurs during a comparison in which the relationship period from organizational management is transferred to the indirect user assignments. Changes in the organizational structure itself (to the assignment user position or deletion of assignments, for example) cannot automatically be compared.
  
  The standard setting of the system causes a user master comparison to be run automatically when a role is saved in the PFCG. This function can be deactivated both globally and individually. For a good performance of the user buffer, up-to-date authorizations are a must. It is worth keeping an eye on the accuracy of authorizations because this guarantees that your users get the functionalities planned for them when they log on to the system. Otherwise a noncompliance with the user buffer may appear. This occurs when the user tries to perform activities in the system and the application programs and transactions are checked against the authorization objects. If the authorizations are not contained by the user buffer, then the activities cannot be performed.

To ensure that only valid authorization profiles are contained in the user master record, the HR administrator has to execute a global or individual comparison. For an effective record of all changes in the user master record, the comparison should be executed before the user logs on. The switch/parameter AUTO_USERCOMPARE is used for global deactivation in table PRGN_CUST. If you set the value AUTO_USERCOMPARE = NO, the automatic user master comparison is deactivated on all clients of the system.

Figure 5

Create a change request

Alternatively you can deactivate the comparison client and user specifically. To do this, navigate to the PFCG role maintenance (change of roles screen) and deactivate the option Automatic comparison of the user master when the role is saved in the menu path Utilities>Settings. The setting only refers to the user who made it, and only to the current client.

If the automatic comparison is deactivated globally (AUTO_USERCOMPARE = NO), then you cannot run an individual regeneration because the option Automatic comparison of the user master when the role is saved cannot be selected in this case.

Maria Nikolova

Maria Nikolova has worked as a senior SAP expert for the National Electricity Company (NEK) in Bulgaria since January 1999. Maria has a master’s degree in telecommunications as an engineer from the Technical University in Sofia, Bulgaria. She has experience with an MIS project implementation of SAP R/3 (headquarters and rollout), the authorization concept and user administration, SAP Customer Competence Center (SAP CCC) , SRM, and the SD, HR, CO, Asset Management (AM), MM, and PM modules. Prior to joining NEK, she worked as a manager of Equipment Engineering Ltd. for four years.

You may contact the author at searchsapmnikolova@yahoo.com.

If you have comments about this article or publication, or would like to submit an article idea, please contact the editor.