PFCG Role creation in SAP CRM

Print Friendly

About time I could free up some time to write a useful article about this topic. I will try to explain things as good as I can …let’s see . Who is this article intended for? People that have some or a lot of experience with SAP Authorizations, but have little to no experience with SAP CRM Authorizations.

Transaction codes versus External Services

Ok, when I started working in SAP back in 2000 most people (end-users) using SAP were actually working in SAP using transaction codes. The SAP Authorization concept was based on:

  • Grouping relevant tasks (performed using transaction codes) and grouping them together in single authorization roles
  • Multiple single roles were joined in composite authorization roles
  • A transaction code was checked on the authorization object S_TCODE  and other authorization objects allowing to further distinct access based on e.g. document type/material type/sales org/company code... just to name some well known examples
  • Typically, in SAP ECC you had (and still have) different transaction codes based on the allowed activity (create /change/display ) which mostly was translated into a Transaction Short code ,followed by the allowed activity. (e.g. VA01/VA03/VA03  or  XD01/XD02/XD03)


When I started working with SAP CRM (at that time it was 3.0 and 4.0 release) end-users were still working with the SAP GUI and therefore evidently also using transaction code based access.

The big difference from an authorization point of view was that SAP CRM did not really know the concept of separate transaction codes by "allowed activity" as compared to SAP ECC.

Some examples:

  • The transaction code BP was used to create/change/display any business partner in the system (ranging from Customers/Employees/Contact persons/..). It was on authorization object level that we had to make the distinction on the allowed activity.

  • CRMD_ORDER was used to create/change/display  any business transaction (ranging from activities/leads/opportunities/sales and service order

  • The transaction code COMMPR01 was used to create/change/display products within SAP CRM.

In the newer SAP CRM releases, where people work in the WEB UI, they are actually no longer using transaction codes. Rather the SAP CRM WEBUI makes use of external services of the type UIU_COMP. In such a case I am referring to end-users (so not the consultants who still use certain SAPGUI transaction codes from an administration point of view).

Where in the older CRM releases you would typically check SU24 settings (the relationship between your transaction code and their corresponding authorization objects) you now will use SU24 to analyse the relationship between an external service and it’s relevant authorization objects.

Example of SU24 for transaction code BP

Executing this selection shows us:

Example of analysing an external service for the component BP_HEAD_MAIN



What you see below is that all these external services use a certain naming convention:


How can you add such an external service in a PFCG Role?

Step 1: create a new PFCG role using the transaction code PFCG








Step 2: In the menu tab, click on the button “Other”.

















Step 3: Select “Authorization Default Values for Services”.











Select “External Service” with as type “UIU_COMP”.

In the field Service, you now can add the “External Service Name”, which you also can lookup using the input help.






Step 4: If we now go to the tabpage “Authorizations”, we can generate a profile name, and see the relevant authorization objects for this external service (as they are currently maintained within SU24).











After manually entering a profile name or generating a default one, and next clicking on the button “Change Authoriation Data” you’ll see the following:


The authorization objects automatically addded in the above example are related to Business Partner Security, as the external service I added is the one used to create new business partners in the system of the type “INDIVIDUAL ACCOUNT”.

Clicking on the navigation link "create Individual account" will navigate to the following page:


I wish you all the best and speak to you soon!

By the way - if you like this article, please leave a comment or click on one of the social media buttons :-) it keeps me somehow motivated to share my knowlegde!


Davy Pelssers

Davy has been working as an SAP Consultant since 2000 and started working in the SAP IS-U Module , but as of 2002 he has mainly worked as functional SAP CRM consultant and SAP Authorizations consultant.
More about

20 thoughts on “PFCG Role creation in SAP CRM

Comment author said

By Francis Deveen on 21 September 2012 at 16:20

Great article


Comment author said

By tripti on 24 September 2012 at 06:54

nice article.


Comment author said

By Gaurav on 6 October 2012 at 17:57

CRM Security contents are very limited on web.Its very refreshing to see such a quality documents and it is a really good initiative .


Comment author said

By zakster on 14 November 2012 at 23:17

Excellent article! Thank you for taking the time to do this. I have a question on this article.

In the example you had provided, how did you know the appropriate external service for the "Individual account"? I'm trying to find the relationship between the workcenters and their contents and the corresponding external services so I can look the security needed for that screen in SU24.

Keep up the good work!


Comment author said

By Davy Pelssers on 14 November 2012 at 23:55

Hi Zack
I basically use several options for this purpose.
Either I am quickly able to identify the relevant component using a method explained in a previous post:

OR I can use ST01 authorization tracing!

Also have a look at my latests post about:
identifying the UIU_COMP values for workcenters and navigation links...

they are basically very useful for this purpose too!
you will see that with those queries I can easily find out for example the relevant Component Name; WindowName & Inbound Plug for a specific workcenter defined within the navigation bar profile assigned to my business role. Now as you saw in THIS post, the external service naming convention is actually composed of these 3 elements.... so this should get you started :-)



Comment author said

By Revanth on 17 December 2012 at 11:42

Nice article..

Can we have the authorization related to territory for the user to restrict on master data.
If so can you please send me the article it to my mail Id.


Comment author said

By Davy Pelssers on 17 December 2012 at 13:33

Hi, I have not elaborated any article on Territory management so far.
But here is what you should be able to do with it (regarding Account authorizations):
Territory based authorizations can be turned on / off in business transactions such
as opportunities, sales orders etc.
*Territory based authorizations can be defined at the header level of a document
as well as at the item level
*Territory based authorizations help you
Ensure that the employee responsible of the document is also assigned to the territory
of the document
Ensure that the account assigned to a document is also assigned to the territory of the
Ensure that the product assigned to a document is also assigned to the territory of the
*The level of access to the data can be also restricted used on Territory based
authorizations. A user may be given access to only his data, or his data and his
team’s data or to everything
Accounts in Territory Management
* Authorizations to define what accounts are available for use in business transactions using
the value help.
*Depending on Customizing maintained for a particular business document, the value help for
accounts in the business transactions is enhanced, so that the territory ID is already pre-filled
while doing the accounts search. Hence, the result list is already filtered and only contains
those accounts which belong to a user as per his/her territory assignments.
* Depending on the user’s role, the user is able to search for “My Accounts”, “My Team’s
Accounts”, “All Accounts” while creating business transactions.
* If the user enters an account manually by deleting the defaulted value help while creating a
business document, an authorization check shall be performed so that a user can only use
those accounts during document creation which belong to a territory that is being associated
with that business document.


Comment author said

By Help on 5 January 2013 at 22:04

Hi Davy - I have a question. So for CRM security with respect to PFCG roles is it always the role that is tied to a Business role or do we create separate PFCG roles also? If so can you let us know how would the reqirements be for building a private PFCG role?


Comment author said

By Davy Pelssers on 6 January 2013 at 17:46

Usually you start creating the 1 single authorization role based on the configured business role as mentioned in the article above. I personally then start splitting this large role up into multiple single roles , especially with regards to business transaction processing, and business partner access.
Basically I normally do NOT work with such 1 large single role as it gives me no flexibility or efficient manner to give different authorizations to different users. So when I mention splitting things up, I mean deleting external services from this large role and putting them in separate new single roles.
I next start creating an authorization matrix based on the authorization requirements I received during the blueprint phase or implementation phase.


Comment author said

By Alex Z on 22 March 2013 at 11:17

Very good post Davy!
Thank you


Comment author said

By vijay on 11 April 2013 at 13:15

Nice article


Comment author said

By Ann W on 15 April 2013 at 18:29

Very helpful article, Thank You!


Comment author said

By Arunkumar on 9 May 2013 at 11:46

Very good article . Thanks..


Comment author said

By Kiryl on 21 May 2013 at 13:06

Davy, you are born teacher, thank you so much!

Your materials are easy to read and full of useful information.


Comment author said

By Anurag Jain on 31 May 2013 at 14:39

Very Informative Post. I have not found this information on any other place.


Comment author said

By learning with fun and news pics on 21 June 2013 at 16:40

Great web site. Lots of helpful information here. I am sending it to several pals ans also sharing in delicious. And obviously, thanks for your effort!


Comment author said

By ajay on 22 August 2013 at 16:04

Hi Davy,

Thank you so much for sharing valuable information..and i have one doubt in SAP CRM Security..

Why we need to deactivate S_SERVICE object in CRM roles..what impact if we do not deactivate this object in CRM Roles..

Thanks In Advance..


Comment author said

By Davy Pelssers on 1 September 2013 at 11:15

Hi Ajay,
the reason that you need to deactivate this object is because it:
- is no longer used (was initially used by SAP..but obsolete at this moment)
- check on OSS for the object S_SERVICE and you will find a note about this!
- you can not generate the pfcg role without deactivating the object due to too many entries



Comment author said

By Davy Pelssers on 9 January 2014 at 13:23

Hi, for your information, the OSS notes I was talking about is the following:
1106781 - PFCG profile not generated because of S_SERVICE auth. object


Comment author said

By pannag bhusan kanungo on 17 July 2014 at 05:53

Mr Davy your all articles are awesome . thank you


Leave a Reply