
Location security within roles and org structure

Former Member
0 Kudos

We have been using SAP for some time. We have some specific roles with certain location values for restricting some access, but generally, when it comes to the org levels, all of our roles use asterisk (*). It was always an out-of-scope project, but now...things need to change.

Is the only way to build a proper org structure? What document describes the PFCG insertion of $BUKRS in the company code, as an example, and the behavior you will have? Up to this point, those have always been changed to (*).

1 ACCEPTED SOLUTION

dhorions
Contributor
0 Kudos

I was just reading note 323817 about "Creating org.level fields for the Profile Generator".

Maybe that will help you on your way.

10 REPLIES 10

Former Member
0 Kudos

Jerry,

<information of no value and email address removed by moderator>

Regards,

Harry Sidhu

Edited by: Julius Bussche on Feb 5, 2008 3:38 PM

dhorions
Contributor
0 Kudos

I was just reading note 323817 about "Creating org.level fields for the Profile Generator".

Maybe that will help you on your way.

Former Member
0 Kudos

This note is for creating additional OrgLevels, not about implementation of OrgLevels in general.

0 Kudos

I misunderstood the question then. My bad

Former Member
0 Kudos

We haven't implemented org structure correctly. But let me rephrase the question a bit.

If I set up a test role, by adding in VA01 as the only transaction. On the organization, Define Organizational Levels, it fills in and asks for Company code, Controlling area, Division, Sales Organization, and Distribution channel. If you go to the organizational assignment under SU01...NONE of the structure is there. So....PFCG knows of an org structure, and SU01 does not. How do you correlate a user to the structure that PFCG knows about and will insert $BUKRS in authorities in the roles?

Former Member
0 Kudos

This is the bare basis of Security:

1 you create roles in which you assign Orglevels

2 you assign these roles to users

Pls read the right manuals or attend a security course.

Read Authorisations Made Easy (available from Amazon).

Former Member
0 Kudos

Hi jerry,

You can check the objects in T-Code SU24. Every T-Code is pre-defined with some objects.

Based on the objects defined when you add T-Code in PFCG it will prompt for org values

Hope now you are clear.

For better understanding just go through the following example:

When you add T-code VA01 there are n number of objects.

The objects C_TCLS_MNT (T-Code VA01)

Authorization C_TCLS_MNT defines whether characteristics are available for entry, using the organizational area.

In classification, you can use organizational areas to restrict which characteristics are selected. This authorization checks whether a user can maintain characteristics of a certain organizational area.

Organizational areas are defined separately for each class type, so authorizations for organizational areas in the user master can be restricted to certain class types. This means that the user has no authorization to maintain characteristics with organizational areas in other class types.

Note

You can define organizational areas for each class type in Customizing for Classification, under Classes.

Defined fields

Field        Possible entries   Description
Actvt        23                 Maintenance of characteristics for org. area allowed
             any other value    Display characteristics for org. area only
Class type   (Any)
             001                Material class (standard)
             017                Document class (standard)
             and so on
Org. area    (Any)              Organizational area

Example:

Field        Value
Actvt        23
Class type   *
Org. area    A - E, K, V

A user can only assign values to characteristics that belong to organizational areas A to E, K, or V. This setting applies to all class types.

Cheers

Soma
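
The example authorization from the post above (Actvt 23, Class type *, Org. area A - E, K, V), modelled as an added Python sketch that is not part of the original thread and is not SAP code. It assumes a simplified matching model (single values, ranges, and a trailing `*`), uses the field labels from the post as keys, and also lists the fields left fully open with `*`, which is the situation the original question describes for org levels.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldValue:
    """One maintained value of an authorization field (simplified model)."""
    low: str
    high: str = ""  # non-empty means the range low..high, e.g. A - E

    def matches(self, checked: str) -> bool:
        if self.high:                      # range entry
            return self.low <= checked <= self.high
        if self.low.endswith("*"):         # "*" alone or a prefix pattern
            return checked.startswith(self.low[:-1])
        return self.low == checked         # single value


def authorized(authorization: dict, check: dict) -> bool:
    """Every checked field must match (AND); any maintained value
    of that field is enough (OR). A field missing from the
    authorization never matches."""
    return all(
        any(v.matches(wanted) for v in authorization.get(field, []))
        for field, wanted in check.items()
    )


def fully_open_fields(authorization: dict) -> list:
    """Fields maintained with a bare '*', i.e. not restricted at all."""
    return sorted(
        field for field, values in authorization.items()
        if any(v.low == "*" and not v.high for v in values)
    )


# Constructed sample: the example table from the post.
EXAMPLE_AUTH = {
    "Actvt": [FieldValue("23")],
    "Class type": [FieldValue("*")],
    "Org. area": [FieldValue("A", "E"), FieldValue("K"), FieldValue("V")],
}

if __name__ == "__main__":
    for area in ("C", "F", "K"):
        check = {"Actvt": "23", "Class type": "001", "Org. area": area}
        print(area, authorized(EXAMPLE_AUTH, check))
    print("unrestricted:", fully_open_fields(EXAMPLE_AUTH))
```
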

former_member912992
Participant
0 Kudos

Hi Jerry

What I usually do is sit together with the business consultant when creating or maintaining a role. They are the ones who customize the system and know exactly the limitation according to the organizational level.

On the other hand, you can also request an authorization matrix from the business consultant. By using this, you know what to put into the organizational level and authorization objects limitation.

Regards

Agoes

0 Kudos

It surely is the business together with the functional consultants who have to give the data for OrgLevel restrictions in roles.

best practice approach:

1st let functional consultants decide and list on paper which tasks (TRX) are important to restrict on OrgLevel.

2nd seek the available orglevels on each TRX in SU24

3rd let business tell you what the values are the roles should be restricted on based on the info in the first two steps.

In a good project this is done before the roles are being built; it is the task of the security consultant to make both project team and business aware of this issue before going into detailed design in the project. As it is possible that due to security restrictions the project needs to be adjusted on master data level.

Former Member
0 Kudos

Assumed closed.