In the standard SAP system, many authorization fields are not declared as organizational levels but are instead filled with specific values. The more such fields carry organization-specific values like location or country without being organizational levels, the larger the proportion of special roles becomes.
However, to achieve the greatest possible transparency in role administration and avoid unnecessary authorizations – not least with system security in mind – the creation of additional special roles should be avoided wherever possible.
A practical example: One of our customers configured their system so that employees could only select from printers with a specific country code. However, these users also required access to printers in other locations. This raises the question: How can you assign additional country codes without having to create a multitude of special roles?
Add certain authorization fields to the organizational level
When we look at the standard SAP system, we can see that only selected authorization fields are declared as organizational levels, such as the sales organization (VKORG), plant (WERKS), and so on. By assigning an organizational level to an authorization field, we can make sure that authorization fields are assigned identically in each authorization object.
Absolute maintenance of organizational levels
The report “PFCG_ORGFIELD_CREATE” can be used to define organizational levels for an authorization object. But be careful: the following reports are already obsolete in NetWeaver version 7.50 and later:
As a result, when you try to start the reports, the system issues the error message “Report PFCG_ORGFIELD_* is obsolete”. For more information, refer to the SAP Note 2625102 – Report PFCG_ORGFIELD* is obsolete.
Excerpt from SAP transaction PFCG – authorization object S_BLOG, without organizational level:
How can you correctly maintain organizational levels now?
To create custom organizational levels for the standard SAP system, call transaction SUPO – “Maintain Organizational Levels”. When the transaction starts, it displays an overview of all existing SAP standard organizational levels. To create or delete organizational levels, click the “Change” button.
You can control the insertion and deletion of rows using OK codes, which you enter in the command field:
- =CREA_OLVL to create a new organizational level
- =DELE_OLVL to delete an existing organizational level
In “Change” mode, you can also add or remove organizational levels without OK codes by clicking the “Name of Org. Level” field:
Important information: Before an organizational level can be deleted, all authorization values for its authorization field must be removed from all roles; there must be no entry for it in table AGR_1252.
In the new row, you can now enter the name of the new organizational level and the existing authorization field. To finish, click “Save” and add the change to a transport request:
The responsible organizational level tables – USORG, USVAR, and USVART – are now updated automatically.
Therefore, our goal is to raise certain authorization fields to the organizational level and then derive them.
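To make the derivation principle and the deletion precondition concrete, here is an added example (not code from the original post or from SAST SOLUTIONS): a small model in which a master role carries "$VARIABLE" placeholders for organizational levels, derived roles receive the same value for that field in every authorization object, and a check lists the roles still holding values for an organizational level before it is deleted. The authorization objects Z_PRINTER and Z_PRINT_ADMIN, the field ZCOUNTRY, the organizational level $ZCOUNTRY and the AGR_1252 column names are assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class AuthObject:
    name: str
    values: dict  # authorization field -> value; org-level fields hold "$VARIABLE"

@dataclass
class Role:
    name: str
    objects: list
    org_levels: dict = field(default_factory=dict)  # "$VARIABLE" -> assigned value

def derive_role(master: Role, name: str, org_values: dict) -> Role:
    """Derive a role from a master role: every "$VARIABLE" placeholder is
    replaced with the value from org_values, so an org-level field receives
    the same value in every authorization object that uses it."""
    objects = []
    for obj in master.objects:
        values = {}
        for fld, val in obj.values.items():
            if isinstance(val, str) and val.startswith("$"):
                if val not in org_values:
                    raise ValueError(f"{name}: no value maintained for {val}")
                values[fld] = org_values[val]
            else:
                values[fld] = val
        objects.append(AuthObject(obj.name, values))
    return Role(name, objects, dict(org_values))

def roles_still_using(varbl: str, agr_1252_rows: list) -> list:
    """Precondition check before deleting an org level in SUPO: return the
    roles that still carry values for the variable. Rows are dicts with the
    (assumed) AGR_1252 columns AGR_NAME, VARBL, LOW, HIGH; [] means deletable."""
    return sorted({r["AGR_NAME"] for r in agr_1252_rows if r["VARBL"] == varbl})

# Constructed sample data: hypothetical objects Z_PRINTER and Z_PRINT_ADMIN both
# carry the hypothetical field ZCOUNTRY, raised to the org level $ZCOUNTRY.
MASTER = Role("Z_PRINT_MASTER", [
    AuthObject("Z_PRINTER", {"ZCOUNTRY": "$ZCOUNTRY", "ACTVT": "03"}),
    AuthObject("Z_PRINT_ADMIN", {"ZCOUNTRY": "$ZCOUNTRY", "ACTVT": "02"}),
])
AGR_1252_SAMPLE = [  # constructed rows, not real table content
    {"AGR_NAME": "Z_PRINT_DE", "VARBL": "$ZCOUNTRY", "LOW": "DE", "HIGH": ""},
    {"AGR_NAME": "Z_PRINT_DE", "VARBL": "$ZCOUNTRY", "LOW": "AT", "HIGH": ""},
]

if __name__ == "__main__":
    # Additional country codes are added to the derived role, not via a new special role.
    de = derive_role(MASTER, "Z_PRINT_DE", {"$ZCOUNTRY": ["DE", "AT"]})
    print({o.name: o.values["ZCOUNTRY"] for o in de.objects})  # both objects: ['DE', 'AT']
    print(roles_still_using("$ZCOUNTRY", AGR_1252_SAMPLE))      # ['Z_PRINT_DE']
```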
Sophisticated role management helps you save time and resources
Crucial elements of role administration involve making it as transparent as possible and avoiding granting unnecessary authorizations, not least with system security in mind. With this approach, you can avoid having to define large numbers of special roles and also capture further positive effects by using the derivation principle throughout the system. The result: tremendous time savings in your role administration.
Maximilian Hauer (SAP Authorizations Consultant, SAST SOLUTIONS)