How to Control Users Access to Projects

Introduction

Controlling user access to projects is crucial for maintaining security and ensuring that only authorized personnel can view or modify specific projects. Many organizations need to assign projects to specific groups of users while restricting access for others. In this guide, we will explore how you can manage user access through role-based authorizations using T-Code PFCG in SAP. This process allows you to grant different levels of access, such as full access, display-only, or limited modifications, based on organizational elements like company code or plant. 

Understanding User Access Control in SAP

In SAP, user access to projects can be controlled through roles and authorizations. There are two main types of access levels:
  • Full Access: Users with this role can view, modify, and manage all projects.
  • Restricted Access: Users can only access specific projects assigned to them based on predefined criteria.
However, it is important to note:
  • ✅ If projects fall under different organizational elements (e.g., different company codes), access control can be enforced.
  • ❌ If projects belong to the same organizational element, restricting access may not be possible.

Who Manages User Access?

Typically, functional consultants do not have access to the PFCG transaction code, which is used to manage roles and authorizations. This responsibility usually falls under the BASIS team, which handles SAP system administration.

Step-by-Step Guide to Controlling User Access with T-Code PFCG

Step 1: Open T-Code PFCG

  1. Log in to SAP.
  2. Navigate to Transaction Code PFCG.

Step 2: Create a New Role

  1. In the PFCG screen, enter a role name, e.g., "ZPSTEST".
  2. Click Create Role to proceed.

Step 3: Configure Role Authorization

  1. Click on the Authorization tab.
  2. Save the profile when prompted.
  3. Click Change Authorization Data.
  4. Choose SAP_ALL and adopt reference.
  5. Confirm Yes to insert all authorizations.

Step 4: Modify Authorization for Project Access

  1. Expand the Project System (PS) section.
  2. Navigate to PS: Project Manager for Project Definition.
  3. Locate the fields: 
    • Activity for Authorization Check
    • Number of Responsible Persons
  4. Click the Change button for the first field.
  5. Click Cancel Full Authorization to remove unrestricted access.
  6. Select specific actions to allow (e.g., Display only).
  7. Click Save.

Step 5: Assign Responsible Person

  1. Click on Number of Responsible Persons.
  2. Select a user, e.g., "XYZ".
  3. Save the changes.

Step 6: Generate the Profile

  1. Return to the previous screen.
  2. Click Generate Profile to finalize the role.

Step 7: Assign Role to Users

  1. In the Change Roles screen, go to the User tab.
  2. Assign the ZPSTEST role to the required users.
  3. Save and exit.

Testing & Troubleshooting

Testing User Access

  • To verify the access settings, create a dummy user in IDES and assign the new authorization profile.
  • Log in as the dummy user and check if the access restrictions are applied correctly.

Troubleshooting Tips

  • If users still have full access, check if other roles are overriding the restrictions.
  • Ensure that organizational elements are configured correctly.
  • If needed, consult with the BASIS team for further assistance.

FAQs

1. Can I assign a project to a specific group of users?

Yes, you can create a role and assign it to specific users, restricting access based on organizational elements like company code or plant.

2. What happens if multiple roles are assigned to a user?

If a user has multiple roles, the most permissive role takes precedence. Ensure that conflicting authorizations are not assigned.

3. Do functional consultants have access to T-Code PFCG?

No, functional consultants usually do not have access to PFCG. This task is managed by the BASIS team.

4. Can I limit project access within the same organizational element?

No, restricting access within the same company code or plant is generally not possible in standard SAP configurations.

5. How do I modify an existing role?

Use T-Code PFCG, select the role, and navigate to the Authorization tab to modify permissions.

6. What is the easiest way to test authorization changes?

Create a dummy user in the IDES system and assign the modified role. Log in as that user to verify the access settings.

Conclusion

Managing user access to projects is essential for security, compliance, and efficiency in an SAP environment. By using T-Code PFCG, you can create roles, define authorizations, and ensure that only the right users have access to sensitive project data.

If you need further assistance, consult your BASIS team for expert guidance on authorization management.
 

SAP PS Tips

Read Also
Authorisation Control in CJ20n

Get help for your SAP PS problems
SAP PS Forum - Do you have a SAP PS Question?

SAP Project System Books
SAP PS Books - Certification, Interview Questions and Configuration

SAP Project System Tips
SAP PS Tips and Project System Discussion Forum

Main Index
SAP ERP Modules, Basis, ABAP and Other IMG Stuff

All the site contents are Copyright © www.erpgreat.com and the content authors. All rights reserved.
All product names are trademarks of their respective companies.  The site www.erpgreat.com is in no way affiliated with SAP AG.
Every effort is made to ensure the content integrity.  Information used on this site is at your own risk.
 The content on this site may not be reproduced or redistributed without the express written permission of
www.erpgreat.com or the content authors.