SAP PFCG: 5 Things you did not know about this transaction

Posted by Fabio Mambretti on May 13, 2022 8:15:00 AM
Fabio Mambretti

Do you execute transaction PFCG daily, or even sometimes? Perhaps you're not aware of these functionalities that might be useful in some cases.

PFCG-1

During the ordinary system management this information might turn out to be useful.

1 -You can optimize the role-user link

By entering a role, even in display mode. Pressing the glasses button (after inserting the role name inside the "Role" field)

In the "Utilities" menu on top > "Optimize User Assignment" you will be brought to a specific program used to optimize the user/role link.

PFCG_UTILITIES

 

What does program "PRGN_COMPRESS_TIMES" allow you to do? Mainly two things:

PRGN_COMPRESS_TIMES

1. Remove expired validity roles from users

2. Optimize the role/user link. This means that if you the same role assigned more times, the validity date is modified by removing the overlapping entries

 

It is also possible to run this program in simulation mode, with the button "Simulation Run"

 

You can also run the program on a number of different users, on specific users or on one or more roles.

 

This program is useful to visually clean transaction SU01 (SAP users management)

 

Be mindful that if you do this activity you should always have a reason to do so, for audit purposes. Every change made by the program is traced in the logs. This program can also be planned in background.

 

2 - You can use it in different modes (complete or limited)

Yes, transaction PFCG has different views, even though they're often under-used.

There are three different views. You can see them by pressing the Goto -> Settings button inside the transaction

PFCG_SETTINGS

 

  1. Simple maintenance (Workplace menu maintenance)
  2. Basic maintenance (menus, profiles, other objects
  3. Complete view (Organizational Management and workflow)

 

View number 1 is the basic one:

PFCG_SIMPLE

 

It makes the following tabs visible:

  • Description
  • Menu
  • Authorization
  • User

View number 2 adds the Personalization tab, rarely utilized, which can be useful in from a role standpoint some configurations in some applications (i.e. GRC Process Control)

PFCG_PERSONALIZATION

View number 3 is the most complete one, which adds the Workflow and MiniApps tabs

PFCG_WORKFLOW

together with the button "Organizational MGMT" under the User tab. This button is used for managing roles inside the HR organizational structure, directly from transaction PFCG rather than from transactions like PPOMW

 

PFCG_ORGANIZATIONAL

 

3 - You can run the status overview on roles

This functionality can be useful to quickly and massively assess if there are PFCG tabs (Users, Menu and Authorizations) that are yellow or red (this means they're not completed)

 

Every tab inside transaction PFCG has a light that communicates its status.

 

You can get there by pressing Utilities -> Overview Status

PFCG_STATUS

This operation, which is display only, allows one to see the status of the various selected roles. Useful if you need to check for anomalies in a massive way.

 

4 - You can make so that the user comparison happens automatically

The comparison operation is used to check if the profile assigned to the role is correctly assigned to the user. This depends on the validity of the role-user link.

 

When you assign a role, the profiled assigned to it is not automatically assigned. An operation called user comparison is needed, done with the specific button inside the User tab in the PFCG 

PFCG_USER_SETTING

By setting the option below, it's possible to make this step automatic.

PFCG_USER_SETTINGS_COMPARE

 

5 -Role descriptions

Role description is language dependent. This means that if you create a role in Italian, you will only be able to maintain the description in Italian.

 

If you try to change the description when logged in another language, the below message will pop up

PFCG_TRANSLATE

 

To see other languages descriptions, you need to add a new language description using transaction SE63. Select from the menu Translation > ABAP Objects > Short text and search ACGR (Activity Group), which is another name for roles.

 

Proceeding in change mode, you will be able to translate the role into another language

SE63

 

It then becomes important to correctly maintain the roles master language.

 

Usually no translations are made and only the English language is maintained.

The master language of roles is defined in table AGR_FLAGS

AGR_FLAGS

 

Blog post originally translated from: https://www.aglea.com/blog/pfcg-sap-5-cose-che-non-conosci-su-questa-transazione

Iscriviti ora al canale YouTube AGLEA!

Topics: pfcg, PFCG SAP transaction, role translation

Yes Subscribe!

Blog Aglea, what you could find out?

Every Friday a new post, interview or content related to SAP Security.

  • Tips on how to design SAP Security
  • How to
  • Checklist
  • Common error and pitfall on security SAP
  • Interview with experts
  • Who we are and Aglea vision on SAP Security

Recent Posts

Post By Topic

See all

SAP Security Blog AGLEA RSS Feed

Aglea s.r.l. - Subject to the management and coordination of Horsa S.p.A. - P. IVA: IT 03868780960 - 2024 | Privacy Policy - Cookie Policy