Skip to Content

How do we set the Authorizations in Role Creation?


I am new to Security and in need of help!

I have this scenario and need your expertise idea and guidance.

1) Initial requirement: (Solved)

  • Please create an user administration role.
    Users having this role should not be able to add roles to an user.

So far, I have created a single role "ZES_VAL_USER_ADMIN" using the TCD PFCG.

To this role, I have assigned the transaction SU01 - MAINTAIN USERS. By assigning this role, Users could access SU01 but were not able to add Roles to an user.

2) New Requirement:

Now, I need to modify the authorizations of this role "ZES_VAL_USER_ADMIN" and generate the profile, so that the users now should be able to Assign Roles to users.

I tried giving the S_USER_GRP Activities with the "create and assign" options, but still, the users with this role are not able to assign roles in SU01.

Please see the attached snapshots.

Error Message:

Please help!

Thanks in advance,


1.pfcg.jpg (69.0 kB)
Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

6 Answers

  • Best Answer
    Oct 22, 2013 at 11:46 AM


    What value did you enter for CLASS? That relates to user group on su01 login data tab

    Being new to security you may want to read up on authorisation concepts and learn about transactions SU53 and ST01

    In pfcg traffic lights are there to help - green is good as it means you completely maintain the authorisation



    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Oct 22, 2013 at 04:52 PM

    Isn't SU53 and ST01 are the two life savers for many Security Consultants who doesn't understand from where to start?

    Unfortunately many consultant are just surviving because these t-codes come to Aid.


    To answer your question, there is one more help that SAP provides when you add a t-code through role menu. It's reads from tables USOBX_C and USOBT_C and populates possible SAP recommended auth objects which will be needed for a transaction (not necessarily always, but most of the time).

    Which ones for SU01?? The answer is in the second screenshot you have provided.

    S_USER_GRP will only allow you to control access on User Creation and modification of all the tabs except "Role" and "Profile"

    For your role to enable access to role assignment, you need S_USER_AGR as well as S_USER_PRO (on and above S_USER_GRP.

    The full requirement is not mentioned by you, however from what I understand:


    ACTVT = 02,03,08,22 should suffice

    ACT_GROUP = * or Z*/Y* or specific role names (as per requirement)

    S_USER_PRO (If you don't use this, generated profiles for roles will not be added to the user)

    ACTVT = 02,03,08,22

    ACT_GROUP = T* or * (please note * will enable the role to provide access to assign SAP Standard Profiles like SAP_ALL, SAP_NEW etc. So please check the requirement first).

    Add comment
    10|10000 characters needed characters exceeded

    • Hello Mitchel

      Try these two Authorization objects

      S_USER_AGR which deals with Roles and

      S_USER_PRO which deals with Profiles

      Make sure you have activities 02,03 and 22


      Deepak M

  • Oct 30, 2013 at 01:35 AM

    To assign roles through SU01, SU10 or PFCG

    S_USER_AGR with 02, 22 or 78

    S_USER_GRP with 02,22

    S_USER_PRO with 22

    To create/maintain roles through PFCG

    S_USER_AGR with 02, 22 ,64

    S_USER_TCD with PFCG

    S_USER_VAL with * [For changing activity field values]

    So based on these values you can decide which one to keep and which one to remove in the security role you are creating.



    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Oct 22, 2013 at 02:08 PM


    Kindly follow the procedures mentioned above.

    To change the user of a particular group, you need to have field contents ACTVT: 02, 22 maintained in your user buffer for the authorization object: S_USER_GRP.

    But to change the role assignment of an user, you need to have the authorization object: S_USER_AGR with the required field contents

    Once you run SU53/ST01, I am sure that you would get to see all the missing and required authorizations to solve the issue.


    Ameet Kumar

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Oct 22, 2013 at 02:24 PM

    Run SU53 and find the missing authorisation.

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Nov 05, 2013 at 04:14 PM

    Hi Debugger

    Welcome to Security Team

    Su53 tcode is like a magic wand for Sap Security.

    As most of the people above gave you solution in finding missing authorization.

    I am gonna give 2 small tips for you as a security consultant

    1.End users should always have access to Su53, so that they can send missing auth screenshot to us (Security team). So a general role for SU53. if not we have ST01 (trace) to find out where exactly is the error.

    2. Trace will not work for custom objects

    Below are the values for return codes for TRACE

    *The return code shows whether or not the authorization code was

    successful. *

    - *ST01 Return Code *

    *0 *

    Authorization check passed

    *1 *

    No Authorization

    *2 *

    Too many parameters for authorization check

    *3 *

    Object not contained in user buffer

    *4 *

    No profile contained in user buffer

    *6 *

    Authorization check incorrect

    *7,8,9 *

    Invalid user buffer

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Colleen Hebbert

      I completely agree with Colleen. Also would like to say, searching Internet for solutions doesn't always help. Carrying some basic concepts is always required.