Enterprise Resource Planning Blogs by SAP
Get insights and updates about cloud ERP and RISE with SAP, SAP S/4HANA and SAP S/4HANA Cloud, and more enterprise management capabilities with SAP blog posts.
Showing results for 
Search instead for 
Did you mean: 


SAP S/4HANA offers a significant transaction code - PFCGMASSVAL that allows consultant to perform mass maintenance on authorization data of roles. It is essentially a tool for making bulk changes to user permissions across multiple roles, saving great deal of time and effort compared to modifying them individually.

Important Note :

  • It works exactly on 1 to Many propagation on role(s)
  • ONE Authorization Object | Organizational Level update for N number of roles
  • Multiple Fields of an Authorization Object can be updated at one execution
  • Not possible to Add | Delete Transaction Code from Role Menu


Change Functionality of PFCGMASSVAL

For each type of field change you define whether you want to Add | Delete | Replace values. The following generally applies: As many changes as possible are made. This means: If you are adding a value and the required authorization is missing, or the value is already contained in the authorization, this value is removed from processing.

  • Add : Choose "Values" to enter the values that you want to add
  • Delete : Choose "Values" to enter the values that you want to delete
  • Replace All : All existing values of the organizational level or authorization are deleted. Choose "Values" to enter the values that you want to add
  • Replace : Choose "To Replace" to enter the values that you want to replace. Choose "Values" to enter the values that you want to add instead. This action only takes place if all values to be replaced of all fields exist. You cannot make partial replacements


Roles with Authorization Data :

This multi select options allows you to filter roles based on different selection criteria so that you can curate and refine specific set of roles for authorization maintenance.



Key Features of PFCGMASSVAL

PFCGMASSVAL transaction code offers a range of features, including the ability to :

Change Organizational Level value :

You change the values of organizational levels of the selected roles across all objects (global maintenance). This action does not affect authorizations whose organizational levels have already been maintained individually.

Change Field Values of an Authorization Object :

When you select an authorization object, all its authorization fields are displayed. Maintain the values for those fields that you want to change. If any of these fields is an organizational level, a warning icon is displayed.

This tells you that the value changes you make to this field only apply to individual authorizations and result in the maintenance status "Changed". The values from the global maintenance (see above) no longer apply for these authorizations.

Change Field Values of an Authorization Object (Cross-Object) :

With this type of field change you change the field values of authorizations for a specific authorization field, but for all authorization object that contain this field. Enter the name of the authorization field and maintain the values that you want to change. Entering the authorization object is optional; an input help is available for you to select the fields of the object.

If you are in the "Activity" (ACTVT) field and have specified an object, you are shown which activities are allowed for this object and can make your selection. Again, if a field is an organizational level, a warning icon is displayed. The same applies as in the previous section.

Add a Manual Authorization to an Object :

This function supplements the selected roles with a manual authorization for exactly one authorization object. Values can be entered for the fields of the authorization to be added, but they can also be left open. When maintaining organizational level fields, note the statements made for the previous two options.

The manual authorization is added to roles even if they already contain authorizations with the required field value combination. To avoid adding superfluous authorizations, use the processing mode "Execution with Previous Simulation" (Check out first picture).

This produces a results list containing the authorization to be added and also all existing authorizations for the same object, so that you can exclude any roles that do not need the new authorization before further processing.

Delete Manual Authorizations for an Object :

You use this function to delete manual authorizations for exactly one authorization object in the selected roles. The function only deletes those authorizations that contain all values of all fields that are maintained on the selection screen. If you do not maintain any values, all manual authorizations of this object are deleted.

Add F4 as Default Value without changing to status “Changed” :

The authorization default values of many applications values now have the additional value F4 in different authorization fields. This makes it possible to distinguish between displaying objects and listing them in input helps. You can use this function to Add F4 to authorizations of single roles whose menus contain the relevant applications. Since the maintenance status of the enhanced authorizations is retained, the new value can be used very quickly without any individual editing of roles. 

Old Authorization Status :

The change can be restricted to authorizations with the status "Standard", "Maintained", "Changed", or "Manual".

No Switch to Status "Changed" :

If this option is active, any changes that would result in the authorization status changing from "Standard" to "Changed" or from "Maintained" to "Changed" are discarded or ignored.

Note the following: Maintaining organizational levels individually also results in a status change from "Standard" to "Changed".

Supplement Long Text :

By choosing 'Text', you can save a description that is appended to the long text for all changed roles. However, the long text of a role can only be maintained if you are logged on in its original language.

Therefore, if you use this option, authorizations are only changed if the logon language matches the original language of the role. You can either “Type-in” or upload a “TXT” format file to load the text.


Best Practices for Using PFCGMASSVAL

It is recommended to :

  • Always use a Selection for roles to avoid affecting all roles
  • Run the Simulation first before making any changes. This mode simulates the changes you want to make and displays them in a results list
  • Use the selection options carefully to avoid changing authorization status ‘Standard’ and ‘Maintained’ into ‘Changed’
  • Generate the Profile for impacted roles to have updated profile and authorizations
  • After changing authorization data of root roles, adjust derived roles using PFCG for every root role using the menu path Authorizations -> Adjust Derived Roles
  • Activate the checkbox “Exclude Derived Roles” to avoid touching derived roles by mistake

 Best Use Cases for Using PFCGMASSVAL

Presenting few use cases where PFCGMASSVAL can be of higly beneficial

  • Mass update of Display authorization to Multiple Parent Roles

Example: Change Field Values of Authorizations for a Field (Cross-Object) used to Add Activity - ACTVT field of multiple authorization objects with values: “03 | F4”

  • Converting maintenance role to Display only role

Example: Change Field Values of Authorizations for a Field (Cross-Object) used to Replace All Activity - ACTVT field of multiple authorization objects with values: “03 | F4 | 33 | A6”

  • Mass update of an Authorization Object Field Values to Multiple Parent Roles

Example: Change Field Values of an Authorization Object used to change Document Status - STATUS and Document Type - DOKAR for Authorization Object: C_DRAD_OBJ

Similar case can be used to update Authorization Field of an Authorization Object to multiple roles


PFCGMASSVAL transaction code is a powerful tool in SAP S/4HANA that allows for efficient and effective management of authorization data. By understanding its features and following best practices, a Security Consultant can achieve mass operations simplified at a streamlined process through SAP Standard program without involving additional scripts. Unleash the power of SAP.