Users Roles in SAP and the Profile Generator Transaction (PFCG)

Espresso Tutorials

Fabian Bentz

13Excerpt from Beginner`s Guide to SAP Security and Authorizations

Role overview
This chapter provides an overview of user roles in SAP and introduces the profile generator transaction (PFCG). A role in SAP can be thought of as a person’s job in SAP, or a subset of a person’s job responsibilities in SAP.

Example of a user role in SAP
For example, if Tracy Levine is a sales clerk at company XYZ, her SAP user roles reflect sales clerk access. Tracy can have one role assigned to her that will be a compilation
of all transactions and authorizations required. However, Tracy can also have many roles assigned, which in totality will provide her the permissions necessary to complete her job tasks.

A role in SAP is created by the profile generator (transaction PFCG). Roles provide access to transactions, reports, Web applications, etc. Within each role, you can also view and maintain user assignments. The rule of least privilege is a fundamental principle in SAP Security. The rule can be summarized by the notion that a user should be given exactly what is needed to perform the job; not much more and not much less.

Keep reading in this downloadable PDF.


Author Tracy Juran (Levine), CPIM, is a Managing Consultant at IBM as part of the Security Services Risk and Compliance practice. She has extensive experience in SAP Security and Authorizations; SAP Governance, Risk, and Compliance (GRC); and core cross-functional business processes. Tracy is a die-hard Ohio State Buckeyes fan and loves to plan parties with friends and travel the world; her favorite destinations include Thailand, Peru, and Israel. She resides in Cincinnati, Ohio with her husband, Josh, their dog, Markley, and cat, Misha. For more information please visit