Skip to Content
author's profile photo Former Member
Former Member

Basic Information about Organizational Level & Org. level value.

Hello Experts,

I am new to the field of SAP and security. I have the following questions:

1. What is an organizational level & org. level value? What do they represent? How do they matter in PFCG?

2. What is a derived role and what is its usage?

I appreciate your help regarding this. If you could point me to some documentation regarding this that will be very helpful.

Regards, Ben

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

4 Answers

  • Posted on Jul 01, 2010 at 09:26 PM

    Hi,

    please use search before asking question. You can find answers for your questions (for example [here|http://help.sap.com/crmcg_en/1c/c38028816c11d396bc0000e82de14a/frameset.htm]). Also click on icon with letter I in PFCG. You can also try to google for course ADM940.

    Cheers

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Jul 01, 2010 at 09:33 PM

    Hi ,

    when you create a role and insert transactions in the menu and go to authorization data

    steps :

    PFCG - create a single role( click on the button to create )

    click on the menu button insert transactions ( eg : ME01, ME58 ETC... )

    then click authorization tab go to the display/cahnge authorization data , you will see see the underlying objects.

    on the next screen you will see tabs .......... open, changed, maintained, organization levels,

    if you find any entries in Organization levels then this role has organization levels.

    Normally this feature is helpful when you build a Parent/child relationship role ie Derived role

    Lets say you build a Parent role as : Z:Parent role-1

    Child role 1 as : Z:Child Role -1

    Child role 2 as : Z:Child Role -2

    in the above example if you give a company code value as * and derive it to the child role

    it will get its value from parent as *.

    You can create N number of child roles as per business requirement.

    The Major advantage is you maintain authorization for parent but the organization values can be maintained on each child

    role based on the business requirement.

    So authorization object changed can be done in Parent , but organization values can be maintained exclusively for child roles.

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Jul 01, 2010 at 10:39 PM

    Ben,

    I am new to the field of SAP and security. I have the following questions:

    1. What is an organizational level & org. level value? What do they represent? How do they matter in PFCG?

    if you want to restrict on region vice (best use org level & values (plant,company code, sales org)

    In role u will notice them in red color

    2. What is a derived role and what is its usage?

    Derived role inherits menu struture and the function from the parent role. Derived role do not differ in their functionalities(identical menu & trans) but have different characterticts with regard to Org levels.

    Eg1; Master role

    PFCG -> role name -> create->menu->enter tcodes-.Auth tab->export mode->read old status and merge with new data->Pop for org levels (give a full access)->see to that everything is green->generate it.

    http://e-mory.blogspot.com/2007/12/sap-pfcg-create-role.html

    Eg2: Derived role

    pfcg->role name->create->in describtion tab towards right enter the master role name->Auth tab->export mode->read old status and merge with new data->you will get a pop for org levels (here you can restrict on plant lvel,purchasing group,company code....)

    ->let say for plant : 1000 ->generated / user comparssion

    Once the role is added to the user. User will be albe to see only those plant related details (1000) (i.e he will have access to only plant 1000)

    suppose if the user enters 2000,he will get a error message saying no access to 2000

    NOTE: Any changes to the role should be done in master role (like adding tcodes)

    .http://www.rssfeeddirectory.org/directory/items/346239.aspx

    https://cw.sdn.sap.com/cw/docs/DOC-12021

    http://help.sap.com/saphelp_wp/helpdata/en/1c/c38028816c11d396bc0000e82de14a/content.htm

    authorization-error-after-transport

    Thanks,

    Sri

    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Jul 02, 2010 at 06:22 AM

    >

    > If you could point me to some documentation regarding this that will be very helpful.

    Hello Ben,

    that is easy: help.sap.com

    search there for the 2 items.

    well documented, often asked already-->thread locked

    sorry.

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.