07-01-2010 6:10 PM
Hello Experts,
I am new to the field of SAP and security. I have the following questions:
1. What is an organizational level & org. level value? What do they represent? How do they matter in PFCG?
2. What is a derived role and what is its usage?
I appreciate your help regarding this. If you could point me to some documentation regarding this that will be very helpful.
Regards, Ben
07-01-2010 10:26 PM
Hi,
please use search before asking question. You can find answers for your questions (for example [here|http://help.sap.com/crmcg_en/1c/c38028816c11d396bc0000e82de14a/frameset.htm]). Also click on icon with letter I in PFCG. You can also try to google for course ADM940.
Cheers
07-01-2010 10:33 PM
Hi ,
when you create a role and insert transactions in the menu and go to authorization data
steps :
PFCG - create a single role( click on the button to create )
click on the menu button insert transactions ( eg : ME01, ME58 ETC... )
then click authorization tab go to the display/cahnge authorization data , you will see see the underlying objects.
on the next screen you will see tabs .......... open, changed, maintained, organization levels,
if you find any entries in Organization levels then this role has organization levels.
Normally this feature is helpful when you build a Parent/child relationship role ie Derived role
Lets say you build a Parent role as : Z:Parent role-1
Child role 1 as : Z:Child Role -1
Child role 2 as : Z:Child Role -2
in the above example if you give a company code value as * and derive it to the child role
it will get its value from parent as *.
You can create N number of child roles as per business requirement.
The Major advantage is you maintain authorization for parent but the organization values can be maintained on each child
role based on the business requirement.
So authorization object changed can be done in Parent , but organization values can be maintained exclusively for child roles.
07-01-2010 11:39 PM
Ben,
I am new to the field of SAP and security. I have the following questions:
1. What is an organizational level & org. level value? What do they represent? How do they matter in PFCG?
if you want to restrict on region vice (best use org level & values (plant,company code, sales org)
In role u will notice them in red color
2. What is a derived role and what is its usage?
Derived role inherits menu struture and the function from the parent role. Derived role do not differ in their functionalities(identical menu & trans) but have different characterticts with regard to Org levels.
Eg1; Master role
PFCG -> role name -> create->menu->enter tcodes-.Auth tab->export mode->read old status and merge with new data->Pop for org levels (give a full access)->see to that everything is green->generate it.
http://e-mory.blogspot.com/2007/12/sap-pfcg-create-role.html
Eg2: Derived role
pfcg->role name->create->in describtion tab towards right enter the master role name->Auth tab->export mode->read old status and merge with new data->you will get a pop for org levels (here you can restrict on plant lvel,purchasing group,company code....)
->let say for plant : 1000 ->generated / user comparssion
Once the role is added to the user. User will be albe to see only those plant related details (1000) (i.e he will have access to only plant 1000)
suppose if the user enters 2000,he will get a error message saying no access to 2000
NOTE: Any changes to the role should be done in master role (like adding tcodes)
.http://www.rssfeeddirectory.org/directory/items/346239.aspx
https://cw.sdn.sap.com/cw/docs/DOC-12021
http://help.sap.com/saphelp_wp/helpdata/en/1c/c38028816c11d396bc0000e82de14a/content.htm
Thanks,
Sri
07-02-2010 7:22 AM
>
> If you could point me to some documentation regarding this that will be very helpful.
Hello Ben,
that is easy: help.sap.com
search there for the 2 items.
well documented, often asked already-->thread locked
sorry.