Hi ,

when you create a role and insert transactions in the menu and go to authorization data

steps :

PFCG - create a single role( click on the button to create )

click on the menu button insert transactions ( eg : ME01, ME58 ETC... )

then click authorization tab go to the display/cahnge authorization data , you will see see the underlying objects.

on the next screen you will see tabs .......... open, changed, maintained, organization levels,

if you find any entries in Organization levels then this role has organization levels.

Normally this feature is helpful when you build a Parent/child relationship role ie Derived role

Lets say you build a Parent role as : Z:Parent role-1

Child role 1 as : Z:Child Role -1

Child role 2 as : Z:Child Role -2

in the above example if you give a company code value as * and derive it to the child role

it will get its value from parent as *.

You can create N number of child roles as per business requirement.

The Major advantage is you maintain authorization for parent but the organization values can be maintained on each child

role based on the business requirement.

So authorization object changed can be done in Parent , but organization values can be maintained exclusively for child roles.

Ben,

I am new to the field of SAP and security. I have the following questions:

1. What is an organizational level & org. level value? What do they represent? How do they matter in PFCG?

if you want to restrict on region vice (best use org level & values (plant,company code, sales org)

In role u will notice them in red color

2. What is a derived role and what is its usage?

Derived role inherits menu struture and the function from the parent role. Derived role do not differ in their functionalities(identical menu & trans) but have different characterticts with regard to Org levels.

Eg1; Master role

PFCG -> role name -> create->menu->enter tcodes-.Auth tab->export mode->read old status and merge with new data->Pop for org levels (give a full access)->see to that everything is green->generate it.

http://e-mory.blogspot.com/2007/12/sap-pfcg-create-role.html

Eg2: Derived role

pfcg->role name->create->in describtion tab towards right enter the master role name->Auth tab->export mode->read old status and merge with new data->you will get a pop for org levels (here you can restrict on plant lvel,purchasing group,company code....)

->let say for plant : 1000 ->generated / user comparssion

Once the role is added to the user. User will be albe to see only those plant related details (1000) (i.e he will have access to only plant 1000)

suppose if the user enters 2000,he will get a error message saying no access to 2000

NOTE: Any changes to the role should be done in master role (like adding tcodes)

.http://www.rssfeeddirectory.org/directory/items/346239.aspx

https://cw.sdn.sap.com/cw/docs/DOC-12021

http://help.sap.com/saphelp_wp/helpdata/en/1c/c38028816c11d396bc0000e82de14a/content.htm

Thanks,

Sri