{"id":1575,"date":"2021-03-04T10:49:58","date_gmt":"2021-03-04T09:49:58","guid":{"rendered":"https:\/\/sast-solutions.com\/blog-en\/?p=1575"},"modified":"2021-03-23T08:59:34","modified_gmt":"2021-03-23T07:59:34","slug":"practical-tip-avoid-special-roles-create-new-organizational-level-in-sap-system","status":"publish","type":"post","link":"https:\/\/sast-solutions.com\/blog-en\/2021\/03\/04\/practical-tip-avoid-special-roles-create-new-organizational-level-in-sap-system\/","title":{"rendered":"Practical tip: How you can avoid special roles and create new organizational levels in your SAP system based on an authorization field"},"content":{"rendered":"

\"PracticalIn the standard SAP system, there are many authorization fields that are not declared as organizational levels, but instead characterized by special values. But the more authorization fields without organizational levels that contain organization-specific values like location or country, the larger the proportion of special roles grows.<\/p>\n

However, to achieve the greatest possible transparency in role administration and avoid unnecessary authorizations \u2013 not least with system security in mind \u2013 the creation of additional special roles should be avoided wherever possible.<\/p>\n

<\/p>\n

 <\/p>\n

A practical example: One of our customers configured their system so that employees could only select from printers with a specific country code. These users also required access to other printers in other locations, however. This raises the question: How can you assign additional country codes without having to create a multitude of special roles?<\/p>\n

Add certain authorization fields to the organizational level <\/strong><\/h2>\n

When we look at the standard SAP system, we can see that only selected authorization fields are declared as organizational levels, such as the sales organization (VKORG), plant (WERKS), and so on. By assigning an organizational level to an authorization field, we can make sure that authorization fields are assigned identically in each authorization object.<\/p>\n

Absolute maintenance of organizational levels <\/strong><\/h2>\n

The report \u201cPFCG_ORGFIELD_CREATE\u201d can be used to define organizational levels for an authorization object. But be careful: the following reports are already obsolete in NetWeaver version 7.50 and later:<\/p>\n

    \n
  • PFCG_ORGFIELD_CREATE<\/li>\n
  • PFCG_ORGFIELD_DELETE<\/li>\n
  • PFCG_ORGFIELD_UPGRADE<\/li>\n<\/ul>\n

    As a result, when you try to start the reports, the system issues the error message \u201cReport PFCG_ORGFIELD_* is obsolete\u201d. For more information, refer to the SAP Note 2625102 – Report PFCG_ORGFIELD* is obsolete<\/a>.<\/p>\n

    Excerpt from SAP transaction PFCG \u2013 authorization object S_BLOG, without organizational level:<\/p>\n

    \"Practical<\/h2>\n

    How can you correctly maintain organizational levels now?<\/strong><\/h2>\n

    To create custom organizational levels for the standard SAP system, call transaction SUPO \u2013 \u201cMaintain Organizational Levels\u201d. When the transaction starts, it displays an overview of all existing SAP standard organizational levels. To create or delete organizational levels, click the \u201cChange\u201d button.<\/p>\n

    \"Practical<\/p>\n

    You can control the insertion and deletion of rows using OK codes, which you enter in the command field:<\/p>\n

      \n
    • =CREA_OLVL to create a new organizational level<\/li>\n
    • =DELE_OLVL to delete an existing organizational level<\/li>\n<\/ul>\n

      \"Practical<\/p>\n

      In \u201cChange\u201d mode, you can also add or remove organizational levels without OK codes by clicking the \u201cName of Org. Level\u201d field:<\/p>\n

      \"Practical<\/p>\n

      Important information:<\/strong> To delete an authorization level, all authorization values with the authorization field must be deleted from all roles. There must not be any entry for it in the table AGR_1252.<\/p>\n

      In the new row, you can now enter the name of the new organizational level and the existing authorization field. To finish, click \u201cSave\u201d and add the change to a transport request:<\/p>\n

      \"Practical<\/p>\n

      The responsible organizational level tables \u2013 USORG, USVAR, and USVART \u2013 are now updated automatically.<\/p>\n

      \"Practical<\/p>\n

      Therefore, our goal is to raise certain authorization fields to the organizational level and then derive them.<\/p>\n

      Sophisticated role management helps you save time and resources<\/strong><\/h2>\n

      Crucial elements of role administration involve making it as transparent as possible and avoiding granting unnecessary authorizations, not least with system security in mind. With this approach, you can avoid having to define large numbers of special roles and also capture further positive effects by using the derivation principle throughout the system. The result: tremendous time savings in your role administration.<\/p>\n

      If you would like more information about avoiding special roles or support with your role management, visit our website<\/a> or send us an e-mail<\/a>.<\/p>\n

      \"Maximilian
      \nMaximilian Hauer (SAP Authorizations Consultant, SAST SOLUTIONS)<\/strong><\/p>\n

       <\/p>\n

      Further articles on the topic:<\/h2>\n

      Role adjustments for technical SAP users \u2013 how to handle authorizations safely and effectively<\/a><\/p><\/blockquote>\n