Former Member

Location security within roles and org structure

We have been using SAP for some time. We have some specific roles with certain location values for restricting some access, but generally, when it comes to the org levels, we have used an asterisk (*) in all of our roles. It was always an out-of-scope project, but now... things need to change.

Is the only way to build a proper org structure? What document describes the PFCG insertion of $BUKRS in the company code, as an example, and the behavior you will have? Up to this point, those have always been changed to (*).


4 Answers

  • Best Answer
    Former Member
    Jan 18, 2007 at 08:34 AM

    I was just reading note 323817 about "Creating org.level fields for the Profile Generator "

    Maybe that will help you on your way.


    • Former Member

      Hi Jerry,

      You can check the objects in T-Code SU24. Every T-Code is pre-defined with some objects.

      Based on the objects defined, when you add a T-Code in PFCG it will prompt for org values.

      Hope now you are clear.

      For better understanding just go through the following example:

      When you add T-Code VA01 there are n number of objects.

      The objects C_TCLS_MNT (T-Code VA01)

      Authorization C_TCLS_MNT defines whether characteristics are available for entry, using the organizational area.

      In classification, you can use organizational areas to restrict which characteristics are selected. This authorization checks whether a user can maintain characteristics of a certain organizational area.

      Organizational areas are defined separately for each class type, so authorizations for organizational areas in the user master can be restricted to certain class types. This means that the user has no authorization to maintain characteristics with organizational areas in other class types.


      You can define organizational areas for each class type in Customizing for Classification, under Classes.

      Defined fields

      Field        Possible entries   Description
      Actvt        23                 Maintenance of characteristics for org. area allowed
                   any other value    Display characteristics for org. area only
      Class type   (Any)
                   001                Material class (standard)
                   017                Document class (standard)
                   and so on
      Org. area    (Any)              Organizational area


      Field        Value
      Actvt        23
      Class type   *
      Org. area    A - E, K, V

      A user can only assign values to characteristics that belong to organizational areas A to E, K, or V. This setting applies to all class types.
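
Added example, not part of the original post and not SAP code: a simplified Python model of how the field values in the table above are evaluated, contrasting the restricted org. area with one left as `*`. The matching rules used (fields ANDed within one authorization, `*` covers everything, `A - E` is an inclusive range) and the `OPEN` authorization are assumptions made for illustration.

```python
# Simplified model of an authorization value check; not SAP code.
# Field labels ("Actvt", "Class type", "Org. area") are the ones used in the post.

def value_matches(allowed, actual):
    """True if `actual` is covered by one entry: '*', a range 'A-E', a prefix 'AB*' or a single value."""
    allowed = allowed.replace(" ", "")
    if allowed == "*":
        return True
    if "-" in allowed:
        low, high = allowed.split("-", 1)
        return low <= actual <= high
    if allowed.endswith("*"):
        return actual.startswith(allowed[:-1])
    return allowed == actual

def authorized(authorization, request):
    """Every field of the request must be covered by the authorization (fields are ANDed)."""
    return all(
        any(value_matches(entry, request[field]) for entry in authorization.get(field, []))
        for field in request
    )

def user_authorized(authorizations, request):
    """A user passes if any one of their authorizations covers the whole request (ORed)."""
    return any(authorized(a, request) for a in authorizations)

def wildcard_fields(authorization, org_fields):
    """Org-level fields still maintained as '*', i.e. not restricted at all."""
    return sorted(f for f in org_fields if "*" in authorization.get(f, []))

# The field values from the post.
RESTRICTED = {"Actvt": ["23"], "Class type": ["*"], "Org. area": ["A - E", "K", "V"]}
# Constructed contrast: the same authorization with the org. area left as '*'.
OPEN = {"Actvt": ["23"], "Class type": ["*"], "Org. area": ["*"]}

if __name__ == "__main__":
    for area in ("C", "K", "F"):
        req = {"Actvt": "23", "Class type": "001", "Org. area": area}
        print(area, authorized(RESTRICTED, req), authorized(OPEN, req))
    print("unrestricted org fields:", wildcard_fields(OPEN, ["Org. area"]))
```

Running `wildcard_fields` over exported role data is a quick way to list which org-level fields still need values from the business before roles are rebuilt.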



  • Former Member
    Jan 18, 2007 at 01:35 PM

    Hi Jerry

    What I usually do is sit together with the business consultant when creating or maintaining a role. They are the ones who customize the system and know exactly the limitation according to the organizational level.

    On the other hand, you can also request an authorization matrix from the business consultant. By using this, you know what to put into the organizational level and authorization objects limitation.




    • Former Member

      It surely is the business together with the functional consultants who have to give the data for OrgLevel restrictions in roles.

      Best practice approach:

      1st: let the functional consultants decide and list on paper which tasks (TRX) are important to restrict on OrgLevel.

      2nd: look up the available OrgLevels for each TRX in SU24.

      3rd: let the business tell you what the values are that the roles should be restricted on, based on the info in the first two steps.

      In a good project this is done before the roles are built; it is the task of the security consultant to make both the project team and the business aware of this issue before going into detailed design in the project, as it is possible that due to security restrictions the project needs to be adjusted on master data level.

  • Former Member
    Jan 18, 2007 at 04:59 AM


    <information of no value and email address removed by moderator>


    Harry Sidhu

    Edited by: Julius Bussche on Feb 5, 2008 3:38 PM


  • Former Member
    Feb 05, 2008 at 03:39 PM

    Assumed closed.
