PFCGMASSVAL: authorization changes for multiple roles or objects at the same time

With transaction PFCGMASSVAL, SAP has introduced a function that can save a lot of time, especially in authorization management. PFCGMASSVAL allows the change of authorizations across multiple roles and objects in just one step.

Use case: You have 20 different consultant roles for external consultants in the development and test systems. For the production system, however, the external consultants should now only have display rights. Previously, this would have meant opening each of these consultant roles for the production system individually in the PFCG and adjusting all authorization objects individually. With PFCGMASSVAL this is now only one step.

But be careful: In most cases, a manual check is still necessary. It is also advisable to back up the roles to be changed in advance (mass download) in order to be able to import a backup just in case.

What can be changed with PFCGMASSVALL?

You can use the transaction PFCGMASSVAL to make general settings in all selected roles. You can change:

  • organizational levels
  • field values for an authorization object
  • field values for an authorization field in several / all authorization objects

In addition, the transaction allows deleting or adding manual authorizations.

It is recommended to execute all changes in simulation mode first.

In our use case, we could therefore include all 20 consultant roles in the PFCGMASSVAL and select the option “Change field values of authorizations for a field”. Here we let the field “ACTVT” in all objects be marked with “03” (Display). Other values will be overwritten and the roles will only have display permissions.

But be careful: If the display permission for individual objects is not assigned via the values of the field “ACTVT”, they are of course not rewritten with this action. Also or levels remain unconsidered with the option “Field values of authorizations for a field”. So, as always, to be safe, the roles should be manually checked and/or tested.

Can I restrict the changes via PFCGMASSVAL?

Yes, this is possible. But only limited. You can select whether the changes should apply only to active or only to inactive authorizations, for example. The authorization status can also be used to limit the changes – for example, you could allow the changes only for authorization objects that have the status “maintained”. Or overwrite all except those with the status “default”. You can also exclude derived roles from the change.

Good to know: If you check the “No change to ‘Changed’ status” option, objects whose status would change as a result of the adjustments will not be considered.

An example for our use case: An object with the status “Standard” contains the field “ACTVT” with the specification “01”. If it is overwritten with “03”, as we actually specified, the status would change to “Changed”. Since we have excluded this via the option above, this object will not be overwritten. In this case, the status would remain at “01”.

However, you can see this exactly in the table with the changes, which the PFCGMASSVAL shows you after the simulation or the execution, and smooth it out manually if necessary.

Leave a Reply

Your email address will not be published. Required fields are marked *