Bulk Processing of Roles with Transaction PFCGMASSVAL

The problem

In today’s world, it is essential for an authorization concept to be dynamic and adaptable, so that standards of a company can be supported or protected in the best possible way. Thus, it is not unlikely that several SAP roles need to be modified through profile generator by a process change or a new process altogether. These changes can take a variety of forms. Be it modifications to an organizational level, adjusting authorization field values of a certain authorization object, or adding or removing a transaction from the role menu. Depending on the number of roles to be adjusted, such a task can take a few hours, if not days with updates through transaction PFCG. In order to make such changes more time-efficient, a mass role processing tool has been developed by SAP, the functionalities of which I would like to explain to you below.

The solution

The t-code that this blog is covering is the PFCGMASSVAL. This can be imported into your SAP system by SAP Note «2177996 – PFCGMASSVAL: Mass maintenance of authorization values in roles» (usually by your SAP Basis Team).

With this transaction, SAP offers you the ability to make PFCG mass changes with the following options:

  • Change organizational levels
  • Adjust field values of authorizations for an object
  • Adjust field values of authorizations for a field (Cross-Object)
  • Add/delete manual authorization for an object
  • Add F4 as default value without changing to status “changed”
Figure 1: Overview of transaction PFCGMASSVAL

Functionality

In order to be able to explain the individual functionalities of the transaction, I would like to run through a practical example from the everyday life of authorization administration, specifically, role maintenance.

The purchasing department has asked you to adjust all single roles and derived roles mapped to users in the production system that have an overall authorization “*” for document types of purchase orders replacing it with the value “NB” for a normal purchase order.

In addition, the company has grown. A new location in Germany was identified. This has been entered into the SAP system under plant “9999” and is to be added in all roles that include authorizations for Germany.

It must be determined in advance which ABAP roles are to be updated. This can be done via the direct selection of roles, a masked entry, or via a “Roles with Authorization Data” search, in which you can identify roles to be modified according to your requirements.

Figure 2: Overview Selection

The following processing modes are also available in the selection form:

  • Simulation
  • Execute with prior simulation
  • Direct execution

TIP: It is always recommended to use “Execute with prior simulation”, as you still have the option of checking the previous summary of the changes.

In the next step, the changes to be made must be defined. Since the selection parameters will need updated depending on the type of field change, each change variant is explained individually below.

Change Organizational Levels

Use this option to adjust the values of the organizational levels contained in the roles. The following modification options are available:

  • Add a value
  • Replace a value
  • Replace all field values
  • Delete a value

In the organizational level field, the field to be edited must be selected. This can also be selected by the F4 input help.

Last but not least, the new values must be defined by which the roles are to be extended. This is done via the respective button and the entry of the desired values. For our example, the master data value “9999” must therefore be entered with the action “Add”.

Figure 3: Changing the Organizational Level Overview

Change field values of authorizations for an object

With the help of this action, it is possible to change values of a field to a specific object. In our example, the object M_BEST_BSA. Similar to changing an organizational level, the following actions are available:

  • Add a value
  • Replace a value
  • Replace all field values
  • Delete a value

To replace the value “*” with the requested value “NB”, the selection must look like this.

Figure 4: Overview Changing Authorization to Object

Change field values of authorizations for a field (Cross-Object)

Similar to the action of changing field values of an individual object, it is also possible to adjust field values across objects using transaction PFCGMASSVAL. This can be advantageous, for example, if you want to create a display role and only want the field values for the display activities for field ACTVT. Another advantage here is the further setting options of the transaction, which additionally appear in the mask when changes to field values are selected:

Figure 5: Advanced Settings for Field Value Changes

You can use these settings to determine which authorization instances are to be changed, taking into account the activity field value and maintenance status of the authorization object itself. You will also be offered the option to prevent the authorization object from switching to the “Modified” status. This is advisable if you maintain your roles in the SU24 authorization checks context of SAP and do not want to lose the where-used list for field values per transactions.

Add/Delete manual authorizations for an object

As in the maintaining of authorization objects in the SU24 context, it is possible to add or remove manual authorization instances via PFCGMASSVAL. This can be helpful in situations if you need to maintain a value role concept for certain authorization objects and need to expand or reduce the scope of the roles. As usual, the affected object must be selected, including the values.

Figure 6: Adding/Deleting a Manual Authorization

Review the changes and generate the profile

As soon as your selection of changes is completed, the simulation can be executed. Depending on the previous selection, you can check the changes, select the roles to be adjusted, and have the system make the changes.

Figure 7: Review and execution of changes

Due to the change to the authorization profiles, the last step is to regenerate the profile of each role. You can also initiate this via the PFCGMASSVAL, which completes the updates to the roles.

Figure 8: Generating the modified profiles

Conclusion on SAP Transaction PFCGMASSVAL

In summary, the use of PFCGMASSVAL can save a significant amount of time utilizing mass maintenance functionality. Within a very short period of time, certain authorization values can be updated in a large number of roles making it less time consuming for you to maintain roles.

As you have probably noticed, the PFCGMASSVAL, unfortunately, does not offer the ability to extend the role menu in bulk by a transaction code or to inactivate authorization object instances of the roles in mass.

XAMS can actively support you with the Role Designer and Role Replicator modules.

Do you need support in the area of SAP Security? Then Xiting is at your side as a 360-degree solution provider. In addition to SAP Authorization Management (Auth Management), we also cover the areas of SAP Fiori, SAP S/4HANA, SAP HANA Security, GRC, and many more. We also offer ongoing webinars on various SAP security and special topics to ensure your long-term compliance. We also offer some customizing options to respond individually to customer challenges.

Erwin Lachenmaier
Latest posts by Erwin Lachenmaier (see all)
Contact

Get in touch with us!

Do you have questions about our products?

+41 43 422 8803
[email protected]
+49 7656 9888 155
[email protected]
+1 855 594 84 64
[email protected]
+44 1454 838 785
[email protected]
Contact
Webinars

Attend our live webinars and learn more from our experts about SAP authorizations, XAMS, SAP IDM and many other topics in the context of SAP security.

Register now