Copying roles from one SAP client to another using PFCG

Copying roles from one SAP client to another using PFCG

Roles be that if they are Single or Composite Roles are generally created and saved on a particular client to where that role was derived. As with most SAP Enterprise systems, there are multiple SAP Clients (Development, Quality Assurance and Production).

As per normal standards, when any changes are done, before they go into Production they should be tested, there is no exception with authorizations either.  Instead of creating roles manually for each client, this tutorial will show you how you can simply copy a role or roles from one SAP client to another.  In a real life scenario, you could copy a role from Development into Quality Assurance, perform tests and finally copy across into Production.

Below are the steps to copy a composite role from one client to another.

Client 1 --> Client where the roles are already created
Client 2 --> Client to which the roles are to be copied

1. Login to client 1, type in transaction code PFCG as shown below
1.png
2. In the Role Maintenance screen, enter the role that was created earlier.  In this tutorial, I am using composite role Z_Composite_Role_G-XXX that has been already created
2.png
3. Select the Role menu and choose option Download
3.png
4.Press Enter or click on the Tick for the Information Box
4.png
5. Select your directory in order to save the role in and then click on Save
5.png
6. Select “Always allow” for the following dialogue box (SAP GUI Security)
6.png
7. Login into client 2 and type in transaction code PFCG.  In the Role Maintenance screen, select Role menu and choose upload.
7.png
8. Press enter or click on the tick for the Information Box
8.png
9. Navigate to the location to where you had saved your downloaded role, select the role and click on Open
9.png
10. List of Roles to be imported screen is displayed. Don’t worry about the red lights, it is just information that the single roles (in the composite role) already exists, it is safe to overwrite this.  In most cases you would copy across custom single roles / composite roles and these lights would show up as Green.  Press the Tick button or press Enter on your keyboard.
10.png
The role has successfully been copied across into client 2, however the Profile still needs to be generated for the Single Roles (in order for the role setup to be completed).  For Custom Single roles, you will need to enter the Single Roles (associated to the Composite Roles) copied into Role Maintenance screen and click on the Pencil (change) icon and generate the profile (see Profile Generation section).  If there are multiple Single Roles (this needs to be repeated for each Single Role).

11. To find out your single roles (contained in the Composite Role) click on Change or Display in the Role Maintenance screen and select the Role tab to get the list of single roles (which may need their Profiles to be generateds). 
11.png