PFCG is the SAP transaction used to configure roles for users. Why are roles important for SAP users?
SAP provides roles to restrict users from accessing transaction codes (tcodes) they should not use. For example, we don't want a user to have access to SU01 to create users or change another user's password. As another example, we don't want the user to access a classified report (such as your company's salary report).
Without further ado.
1. Go to tcode PFCG.
2. Enter a role name, then click Single Role.
3. Fill in the description.
4. Click the Menu tab.
5. Click the icon labeled 'Transaction'.
6. Enter the tcodes that should be accessible for this role.
7. If the green light is active on the Menu tab, go to the next tab, Authorization.
8. Click the 'Propose Profile Name' icon to generate a profile name automatically.
This profile name will be used for the users assigned to this role.
9. Click Change Authorization Data.
10. In the new screen, open the top node of the tree, 'Cross-application Authorization Objects'.
This means the role will check whether a user with this profile is authorized to access the tcode.
In this example, a user with this profile is only allowed to access tcodes SE11, SE19, SE24, SE37, SE38, SE80.
11. Click the red and white circle icon, then go back.
12. The Authorization tab should now show a green light. If not, you need to regenerate the authorization data.
13. Go to the User tab.
14. Enter the user you want to give the role to, then save.
15. Go to tcode SU01 and make sure the role on the user shows a green light icon.
If not, delete the role, enter the role name again, and save.
16. To test that the role works, use the user that has the role and go to the registered tcodes first, in my case SE11, SE19, SE24, SE37, SE38, SE80. These tcodes should be accessible to the user.
17. Then check tcodes other than the registered ones (anything that is not SE11, SE19, SE24, SE37, SE38, SE80).
SAP will show an error message saying that the user is not authorized for the tcode.
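Steps 16 and 17 can also be checked offline against the role's stored values. The following is an added example, not part of the original post: it audits constructed rows shaped like an SE16 export of table AGR_1251 and shows how a range or wildcard entry grants more than the six intended tcodes. Assumptions: the role names are hypothetical, tcode access is stored under object S_TCODE, field TCD, and value matching is simplified to plain string ordering and a trailing `*`.

```python
# Constructed sample rows shaped like an SE16 export of table AGR_1251:
# (role, authorization object, field, LOW, HIGH). Role names are hypothetical;
# the six tcodes are the ones used in the steps above.
INTENDED = {"SE11", "SE19", "SE24", "SE37", "SE38", "SE80"}
ROWS = [("Z_DEV_SINGLE", "S_TCODE", "TCD", t, "") for t in sorted(INTENDED)]
# Constructed roles where a range or a wildcard was entered instead.
ROWS.append(("Z_DEV_RANGE", "S_TCODE", "TCD", "SE11", "SE80"))
ROWS.append(("Z_DEV_WILD", "S_TCODE", "TCD", "SE*", ""))

# Tcodes that must stay blocked (constructed probe list).
PROBES = ["SU01", "SE16", "SE93", "PFCG", "SM59"]


def value_matches(tcode, low, high):
    """Simplified model of one authorization value (an assumption):
    HIGH set -> inclusive range, trailing '*' -> prefix pattern."""
    tcode, low, high = tcode.upper(), low.upper(), high.upper()
    if high:
        return low <= tcode <= high  # plain string ordering
    if low.endswith("*"):
        return tcode.startswith(low[:-1])
    return tcode == low


def role_allows(rows, role, tcode):
    """True if any S_TCODE/TCD value of the role covers the tcode."""
    return any(value_matches(tcode, low, high)
               for r, obj, field, low, high in rows
               if r == role and obj == "S_TCODE" and field == "TCD")


def audit_role(rows, role, intended, probes):
    """Return (missing, unexpected): intended tcodes the role lacks,
    and probe tcodes it grants although they were never intended."""
    missing = sorted(t for t in intended if not role_allows(rows, role, t))
    unexpected = sorted(t for t in probes
                        if t not in intended and role_allows(rows, role, t))
    return missing, unexpected


if __name__ == "__main__":
    for role in ("Z_DEV_SINGLE", "Z_DEV_RANGE", "Z_DEV_WILD"):
        missing, unexpected = audit_role(ROWS, role, INTENDED, PROBES)
        print(f"{role}: missing={missing} unexpected={unexpected}")
```

Only the role with six single values passes cleanly. The range entry also covers SE16, and the wildcard covers every tcode beginning with SE.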