Practical tip: How you can avoid special roles and create new organizational levels in your SAP system based on an authorization field

| securityblog

Practical tip: How you can avoid special roles and create a new organizational level in your SAP system based on an authorization fieldIn the standard SAP system, there are many authorization fields that are not declared as organizational levels, but instead characterized by special values. But the more authorization fields without organizational levels that contain organization-specific values like location or country, the larger the proportion of special roles grows.

However, to achieve the greatest possible transparency in role administration and avoid unnecessary authorizations – not least with system security in mind – the creation of additional special roles should be avoided wherever possible.

 

A practical example: One of our customers configured their system so that employees could only select from printers with a specific country code. These users also required access to other printers in other locations, however. This raises the question: How can you assign additional country codes without having to create a multitude of special roles?

Add certain authorization fields to the organizational level

When we look at the standard SAP system, we can see that only selected authorization fields are declared as organizational levels, such as the sales organization (VKORG), plant (WERKS), and so on. By assigning an organizational level to an authorization field, we can make sure that authorization fields are assigned identically in each authorization object.

Absolute maintenance of organizational levels

The report “PFCG_ORGFIELD_CREATE” can be used to define organizational levels for an authorization object. But be careful: the following reports are already obsolete in NetWeaver version 7.50 and later:

  • PFCG_ORGFIELD_CREATE
  • PFCG_ORGFIELD_DELETE
  • PFCG_ORGFIELD_UPGRADE

As a result, when you try to start the reports, the system issues the error message “Report PFCG_ORGFIELD_* is obsolete”. For more information, refer to the SAP Note 2625102 – Report PFCG_ORGFIELD* is obsolete.

Excerpt from SAP transaction PFCG – authorization object S_BLOG, without organizational level:

Practical tip: How you can avoid special roles and create a new organizational level in your SAP system based on an authorization field

How can you correctly maintain organizational levels now?

To create custom organizational levels for the standard SAP system, call transaction SUPO – “Maintain Organizational Levels”. When the transaction starts, it displays an overview of all existing SAP standard organizational levels. To create or delete organizational levels, click the “Change” button.

Practical tip: How you can avoid special roles and create a new organizational level in your SAP system based on an authorization field

You can control the insertion and deletion of rows using OK codes, which you enter in the command field:

  • =CREA_OLVL to create a new organizational level
  • =DELE_OLVL to delete an existing organizational level

Practical tip: How you can avoid special roles and create a new organizational level in your SAP system based on an authorization field

In “Change” mode, you can also add or remove organizational levels without OK codes by clicking the “Name of Org. Level” field:

Practical tip: How you can avoid special roles and create a new organizational level in your SAP system based on an authorization field

Important information: To delete an authorization level, all authorization values with the authorization field must be deleted from all roles. There must not be any entry for it in the table AGR_1252.

In the new row, you can now enter the name of the new organizational level and the existing authorization field. To finish, click “Save” and add the change to a transport request:

Practical tip: How you can avoid special roles and create a new organizational level in your SAP system based on an authorization field

The responsible organizational level tables – USORG, USVAR, and USVART – are now updated automatically.

Practical tip: How you can avoid special roles and create a new organizational level in your SAP system based on an authorization field

Therefore, our goal is to raise certain authorization fields to the organizational level and then derive them.

Sophisticated role management helps you save time and resources

Crucial elements of role administration involve making it as transparent as possible and avoiding granting unnecessary authorizations, not least with system security in mind. With this approach, you can avoid having to define large numbers of special roles and also capture further positive effects by using the derivation principle throughout the system. The result: tremendous time savings in your role administration.

If you would like more information about avoiding special roles or support with your role management, visit our website or send us an e-mail.

Maximilian Hauer (SAST SOLUTIONS)
Maximilian Hauer (SAP Authorizations Consultant, SAST SOLUTIONS)

 

Further articles on the topic:

Role adjustments for technical SAP users – how to handle authorizations safely and effectively

Self-Adjusting Authorizations: SAST SOLUTIONS’s new tool intelligently slims down SAP roles