Enterprise Resource Planning Blogs by Members
Gain new perspectives and knowledge about enterprise resource planning in blog posts from community members. Share your own comments and ERP insights today!
Showing results for 
Search instead for 
Did you mean: 

Many of the Functional Consultants face issues in understanding what are the Roles and what are Authorizations in SAP. This is a document which would help people who are curious to know what is exactly the concept behind this and how does it work.

Functional Consultants have a lot of questions in mind regarding this concept and one of the main questions here is why should Functional Consultants worry about Roles and Authorization when it is a job of BASIS team.

Well, to answer this, it is not solely a job of BASIS team rather it is also like other activities, it an integrated activity which should be performed by both BASIS team and Functional team.

BASIS team have a know how about the User Management, Roles Creation, Profile Creation, Roles and Profile assignment, Authorization assignments etc. but main concern in most of the cases arises when the below questions are unanswered by BASIS team:

  1. Whom to Assign the Roles or transactions
  2. What to Restrict in a transaction and for whom
  3. How to authorize Custom transactions

and many more such questions cannot be answered by BASIS team. Hence, it becomes the role of a Functional Consultant to guide them with the exact process flow and exact organizational chart.

Explaining with a small example here, suppose we have a maintenance team as below:

  1. Supervisor – He is responsible for notifying the breakdown or Corrective Maintenance requirements
  2. Maintenance In-charge – He is responsible for assigning the above tasks to Engineers
  3. Head of the department – He is responsible for approving the Maintenance tasks.

Now, Functional Consultant is very well aware that for Supervisor would require only the transactions related to Notifications (say IW21, IW22, IW28, IW29 etc), Maintenance In-charge would require some of the notification related transactions (say IW22, IW28, IW29) and also order related transactions (IW31, IW32, IW38, IW39 etc) and the Head of the department would require notifications and order transactions (say IW28, IW29, IW38, IW39) and also along with this he require special permissions like releasing orders, approving permits, technical completions etc.

Looking from BASIS team’s perspective they are not clear with these requirements and they thus cannot take the decision for this and should be provided by Functional Consultants.

But, the main issue in most of the cases arises when Functional Consultants are not aware about the concept of Roles and Authorizations.

Hereby, this document will explain the basic concept of Roles and Authorizations:


Roles and Authorizations allow the users to access SAP Standard as well as custom Transactions in a secure way.

SAP provides certain set of generic Standard roles for different modules and different scenarios.

We can also define user defined roles based on the Project scenario keeping below concept in mind:

There are basically two types of Roles:

  1. Master Roles – With Transactions, Authorization Objects and with all organizational level management.
  2. Derived Roles –With organizational level management and Transactions and Authorization Object copied from Master Role.

The reason behind this concept is to simplify the management of Roles.


A Master Role or a Derived Role is having below components inside it:

  1. Transaction Codes
  2. Profile
  3. Authorization Objects
  4. Organization level

Transaction Codes: SAP Transaction codes (Standard or custom)

Profile: Profiles are the objects that actually store the authorization data and Roles are the Container that contains the profile authorization data.

Authorization Objects: Objects that define the relation between different fields and also helps in restricting/ allowing the values of that particular field (For ex: Authorization object I_VORG_ORD: PM: Business Operation for Orders, contains relation between fields: AUFART = Order Type and BETRVORG Business Transaction).

Authorization objects are actually defined in programs that are executed for any particular transactions. We can also create custom authorization objects for any particular transaction (generally custom transaction).

Organization level: This defines actually the organizational elements in SAP for ex: Company Code, Plant, Planning Plant, Purchase organization, Sales organization, Work Centers, etc.

Suppose we take an example of creating a role for Maintenance In-charges in a particular industry who are responsible for different maintenance plants. Consider the Scenario as under:

Company = C1, Maintenance Plants = M1, M2, M3 and M4 (Hence assuming 4 Shift In-charges).

As mentioned before, Maintenance In-charge will have rights to following transactions – IW22, IW23, IW28, IW29, IW31, IW32, IW38 and IW39 but he will not have rights to release the Maintenance order.


Hence, considering the above situation, we will create a common Master role for all 4 Maintenance In-charges say ZMPM_MAIN_IN_CHARGE_ROLE (Here the role name starts with ZMPM to make us understand that it is a Z Master Role for Plant Maintenance ) with transaction mentioned above with all rights (with value “*”) inside the transactions but only restricting release of Maintenance order with the help of authorization object I_VORG_ORD and removing value: BFRE and field: BETRVORG but with all any organizational level (say plant) assignment.

Now based on this Master Role we have to create derived Roles for all 4 Maintenance In-charges individually say for first Maintenance In-Charge we create a derived role ZDPM_MAIN_IN_CHARGE_ROLE_MI1 referring the above Master Role ZMPM_MAIN_IN_CHARGE_ROLE. This will copy all the transactions and authorization objects from Master Role but will not copy the organizational level assignments which we have assigned in Master Role. Hence, we need to maintain the organizational level for the derived role (say Plant P1).

Here once we save (& Generate) the Master as well as Derived Role we can assign this role to the User ID for the particular Maintenance In-charge.

Labels in this area