Former Member

Roles mapping for a user

Dear experts,

I have a BASIS query.

I have created a role "ABC_XYZ" which has authorization for company code - "1000" and has been assigned to user "SMK001".

My query is: can I use the same role "ABC_XYZ", assigned to user "SMK002", but having authorization for a different company code - "2000" only?

Can we restrict the legal entities and other business objects at user level instead of role level?

Any input appreciated.

Thanks in advance.


2 Answers

  • Best Answer
    Apr 05, 2007 at 11:33 AM

    Yes, you can. By making the company code an organizational level (SE38: PFCG_CREATE_ORG_LEVEL or something like that) and using derivation for your roles, you can quite easily make duplicates of your ABC_XYZ role (which should be the 'mother' role) and make 'child' roles which only differ from the mother on organizational level(s).

    http://help.sap.com/saphelp_47x200/helpdata/en/1c/c38028816c11d396bc0000e82de14a/frameset.htm

    Message was edited by:

    Dimitri


  • Former Member
    Apr 05, 2007 at 12:02 PM

    Hi Sandeep,

    You can use the concept of Master/derived role to enforce organizational level restrictions.

    - Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before.

    - The higher-level role passes on its authorizations to the derived role as default values which can be changed afterwards. Organizational level definitions are not passed on. They must be created anew in the inheriting role. User assignments are not passed on either.

    - Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level.

    Please visit http://www.sapsecurityonline.com/tutorials/derived_role.htm

    for more info on derived roles.

    I don't think that it is possible to restrict two different company codes using the same role. You will have to go for the Derived role concept to enforce the org level restrictions.

    Hope it helps.

    Please award points if it is useful.

    Thanks & Regards,

    Santosh

    Message was edited by:

    NAVABOTHU SANTOSH KUMAR

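A simplified model of the master/derived role behaviour described in this thread, added here as an illustration (it is not code from either answer and not SAP's implementation). The derived role names ABC_XYZ_1000 and ABC_XYZ_2000, the authorization object F_BKPF_BUK and activity 03 are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

ORG_VAR = "$BUKRS"  # placeholder standing for the company-code organizational level

@dataclass
class Role:
    name: str
    auths: dict                                     # object -> {field: set of values}
    org_levels: dict = field(default_factory=dict)  # e.g. {"$BUKRS": {"1000"}}
    users: set = field(default_factory=set)

    def derive(self, name, org_levels):
        # Authorizations are copied from the master role; org-level values
        # and user assignments are NOT inherited and are set per derived role.
        copied = {o: {f: set(v) for f, v in fl.items()} for o, fl in self.auths.items()}
        return Role(name, copied, {k: set(v) for k, v in org_levels.items()})

    def resolved(self):
        # Substitute each org-level placeholder with this role's own values.
        out = {}
        for obj, flds in self.auths.items():
            out[obj] = {}
            for fld, vals in flds.items():
                res = set()
                for v in vals:
                    res |= self.org_levels.get(v, set()) if v.startswith("$") else {v}
                out[obj][fld] = res
        return out

def authorized(roles, user, obj, **wanted):
    # True if any role assigned to the user grants every requested field value.
    for role in roles:
        if user not in role.users:
            continue
        flds = role.resolved().get(obj)
        if flds and all(val in flds.get(f, set()) for f, val in wanted.items()):
            return True
    return False

def demo():
    # Constructed sample data: one master role, two derived roles, two users.
    master = Role("ABC_XYZ", {"F_BKPF_BUK": {"ACTVT": {"03"}, "BUKRS": {ORG_VAR}}})
    r1000 = master.derive("ABC_XYZ_1000", {ORG_VAR: {"1000"}})
    r2000 = master.derive("ABC_XYZ_2000", {ORG_VAR: {"2000"}})
    r1000.users.add("SMK001")
    r2000.users.add("SMK002")
    return [master, r1000, r2000]
```

The master role keeps the functional authorizations in one place, while each user's company-code scope comes only from the derived role they are assigned to.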