Organizational Levels
“Organizational Levels” (Org Levels), as distinct from authorization fields, are another of the core concepts we come across while creating roles in PFCG. The organizational level values defined for a role can be accessed by clicking the “org level” button in the main toolbar within PFCG.
In the role below, we see Org Levels like Company Code, Purchasing Org, Purchasing Group, Sales Org, Division, Plant, etc.
In the expanded view of the authorization data in PFCG, the org levels defined earlier appear side by side with the authorization fields. In fact, all org levels are also authorization fields, but not all authorization fields are org levels. For example, the org level Plant appears as an authorization field in two objects, M_LFPL_ORG and M_MATE_WRK, whereas the field Activity is not an org level. Once we maintain a particular value for an org level in a role, all authorization objects that use the same org level as a field automatically take the same value. It is technically feasible to break an org level, so that for a particular object its value differs from the defined org level value, but this defeats the purpose of defining something as an org level.
Another difference between org levels and normal authorization fields comes to light when deriving a role from a master role. A normal authorization field is inherited by the child role with the same value as maintained in the parent, whereas an org level can be maintained individually in each child role.
Organizational Levels are in most cases intrinsically linked to the enterprise structure of an organization and are largely determined during the customizing steps for the SAP system. The screenshot below from the SPRO transaction shows the options for configuring different org levels like company code, controlling area, purchasing org, sales org, etc. So it is not really the security administrator who defines the org levels; he can only use the existing org levels defined during functional configuration.
It is possible to change an authorization field to an org level for security purposes by executing the program PFCG_ORGFIELD_CREATE. However, since this program impacts all roles containing that field, it should only be run after a thorough analysis of all impacted roles. Also, certain authorization fields like Activity can never be changed to an org level.
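To make the three behaviours above concrete (one org-level entry filling the field in every object that uses it, derived roles inheriting plain fields but keeping their own org-level values, and a "broken" org level behaving like a plain field again), here is an added toy model in Python. It is not SAP or PFCG code and does not touch any SAP tables; the role and authorization structures, the role names Z_MM_* and the plant values are constructed for the illustration, while M_LFPL_ORG, M_MATE_WRK, WERKS, BUKRS and ACTVT are the object and field names mentioned on this page.

```python
from dataclasses import dataclass, field
from typing import Optional

# Fields treated as organizational levels in this toy model (constructed subset:
# Plant and Company Code). ACTVT is deliberately not among them.
ORG_LEVEL_FIELDS = {"WERKS", "BUKRS"}


@dataclass
class Authorization:
    obj: str
    values: dict                               # field -> set of values, None = unmaintained ("red")
    broken: set = field(default_factory=set)   # org fields overridden at object level


@dataclass
class Role:
    name: str
    auths: list
    org_values: dict = field(default_factory=dict)   # org field -> set of values
    parent: Optional["Role"] = None

    def org_level_fields(self):
        """What the org-level button lists: org fields used by any object in the role."""
        return {f for a in self.auths for f in a.values if f in ORG_LEVEL_FIELDS}

    def unmaintained(self):
        return sorted((a.obj, f) for a in self.auths for f, v in a.values.items() if v is None)

    def maintain_org_level(self, org_field, values):
        """One entry on the org-level screen fills the field in every object using it."""
        if org_field not in ORG_LEVEL_FIELDS:
            raise ValueError(f"{org_field} is not an organizational level")
        self.org_values[org_field] = set(values)
        for a in self.auths:
            if org_field in a.values and org_field not in a.broken:
                a.values[org_field] = set(values)

    def break_org_level(self, obj, org_field, values):
        """Override the org-level value for one object; it now behaves like a plain field."""
        for a in self.auths:
            if a.obj == obj and org_field in a.values:
                a.values[org_field] = set(values)
                a.broken.add(org_field)

    def values_of(self, obj, fld):
        return sorted(set().union(*(a.values[fld] or set() for a in self.auths if a.obj == obj)))


def derive(parent, name):
    """Derived role: plain fields are inherited, org-level fields start unmaintained."""
    child_auths = []
    for a in parent.auths:
        vals = {}
        for f, v in a.values.items():
            if f in ORG_LEVEL_FIELDS and f not in a.broken:
                vals[f] = None                       # child maintains its own org level
            else:
                vals[f] = None if v is None else set(v)
        child_auths.append(Authorization(a.obj, vals, set(a.broken)))
    return Role(name, child_auths, parent=parent)


def push_values(parent, child):
    """Adjusting derived roles: copy plain fields from the parent; keep the child's own
    org-level values, and only where the child maintained none copy the parent's."""
    for pa, ca in zip(parent.auths, child.auths):
        for f, v in pa.values.items():
            if f in ORG_LEVEL_FIELDS and f not in pa.broken:
                if f not in child.org_values and f in parent.org_values:
                    child.org_values[f] = set(parent.org_values[f])
            else:
                ca.values[f] = None if v is None else set(v)
    for f, v in list(child.org_values.items()):
        child.maintain_org_level(f, v)


def demo():
    master = Role("Z_MM_MASTER", [
        Authorization("M_LFPL_ORG", {"ACTVT": {"03"}, "WERKS": None}),
        Authorization("M_MATE_WRK", {"ACTVT": {"01", "02", "03"}, "WERKS": None}),
    ])
    out = {"red_before": master.unmaintained(), "org_fields": sorted(master.org_level_fields())}
    master.maintain_org_level("WERKS", {"1000", "2000"})      # fills WERKS in both objects
    out["after_org"] = {a.obj: sorted(a.values["WERKS"]) for a in master.auths}
    # Derived role with its own plant: ACTVT inherited, WERKS as maintained in the child.
    child = derive(master, "Z_MM_PLANT_3000")
    child.maintain_org_level("WERKS", {"3000"})
    push_values(master, child)
    out["child"] = {a.obj: (sorted(a.values["ACTVT"]), sorted(a.values["WERKS"])) for a in child.auths}
    # Derived role whose org level was never maintained: the push copies the parent's values.
    lazy = derive(master, "Z_MM_UNMAINTAINED")
    push_values(master, lazy)
    out["lazy"] = lazy.values_of("M_MATE_WRK", "WERKS")
    # Breaking the org level for one object in the parent: that value is inherited like a
    # plain field and overrides the child's own org-level value for that object only.
    master.break_org_level("M_MATE_WRK", "WERKS", {"9999"})
    child2 = derive(master, "Z_MM_PLANT_4000")
    child2.maintain_org_level("WERKS", {"4000"})
    push_values(master, child2)
    out["broken"] = {a.obj: sorted(a.values["WERKS"]) for a in child2.auths}
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `lazy` case is the behaviour described later in the comments (an unmaintained org level in a derived role receives the parent's values on push), and the `broken` case is why overriding an org level inside one object is discouraged: the child loses control of that value for that object while keeping it for the others.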
aninda
You are really great. I live in Illinois, U.S., and I have been reading your site for a while; it's really good. Thanks.
Hi,
Your article is really amazing. Great work!
Can you please explain a bit more about Org levels?
The article above is about org levels. Do you have any specific questions about org levels which are not answered? If so, let me know and I will try to answer.
Hi Aninda,
Your posts are really good and also helpful for beginners. Your efforts are appreciated.
Thanks and regards.
Naveen.
Hi aninda,
It was a really good article.
I have a query on this.
The following is my query:
Suppose I want to give authorizations to two company codes or sales organizations. In this case, where do I have to give these two: in org levels or in authorizations?
Since these are org levels, I would suggest updating them in the org level section. This way any object using these fields will automatically pick the org level values.
Hi, you have a very interesting site. I have a question regarding Organizational Levels… do they get added to roles because of the transaction and/or objects added? If I were to remove objects and auths from a role, would I also be removing Org Levels from it? I guess I’m not understanding the relation between roles and Org Levels, and how they appear on some roles….
Hi Gabriel,
All Org Levels are also authorization fields in at least one authorization object. So if you remove an auth object from a role which contains an org level field (either by deleting the object or removing the tcode which had pulled it in in the first place), you would impact the org level list as well. In such a case, if the role doesn’t have any more objects with the particular org level field, you will no longer see it in the org level list inside the role.
Regards,
Aninda
Hi Aninda,
There is one more sub-type under org level: Account type.
Can you explain about it?
Hi Munish,
There are quite a few org levels in the SAP system. Different clients also configure org levels according to their security requirements. I would suggest using the field technical help (F1 button) and seeing what you can find.
Regards,
Aninda
Hi Aninda. A small question related to org levels: do you know in which table I can find the text description of org level fields? For example, I know WERKS is for plants. Similarly, I need to find descriptions for some more org levels.
Hi Nitesh,
Please refer to the tables USORG and USVAR. They have the data you need.
Regards,
Aninda
Hi Aninda,
I really admire your work. You have done a great job.
I have a few questions in regard to org fields.
How can we figure out what company codes, plants, etc. exist in the system to assign in the role, with reference to functional modules such as FICO, MM, PP, SD? And if I assign a company code with a plant value to an org field, would the user only be able to access that particular plant or plants in that company code? Or do we have to do something else here to restrict a user?
Thanks,
Danish
Check the assignment of org levels under SPRO. The nodes under Enterprise Structure > Definition and Assignment tell about the different values of org levels created and the assignments between them. Ideally, this information should come from your functional team, as they are responsible for building the enterprise structure of the company.
Hi Aninda,
Recently I created a parent role and added an auth object manually which pulled in Plant and ACTVT. As the auth field Plant was an Org Level too, I maintained the Org Levels as they were red and set the value of Plant as *. Immediately the value * was filled for the auth field Plant and everything was green, and I saved and generated and clicked on the push button for the values to be inherited by all the children.
In my experience, previously too, when I have done this exercise, I used to change all the child roles for their org levels. And immediately when I got into edit mode in PFCG - Authorizations, the Org Levels dialog used to pop up EMPTY for me to define org level values for, say, plant, company code etc. As per relevance, I used to maintain a specific org level value and not *.
But this time, nothing was red in the child role; rather, when I checked the Org Levels, it had also inherited the * value for Plant and Company Code. I was surprised, because I never saw such behaviour of inheriting * in the org levels of the child role too…
I am very sure that in the parent I maintained the Org levels as *, not the manually added auth object Plant as *. I also tried reproducing the same case in test roles, and again in the child the org levels were automatically inherited as *.
The main relevance/difference of the org level concept is that we can set org levels in the child role and the rest of the auth objects are inherited from the parent. But in my case, it didn’t hold true 🙁 Any comments? (Please note, out of 50 times, I have faced this scenario for the 1st time!!)
Thanks,
Vinita
Hi Vinita,
I believe I have already replied to this in your FB post but will add the same here for the benefit of the site visitors.
For an org level which is not maintained with any values at the child/derived role level, values will be copied from the parent role when you try to push the values from it.
Regards,
Aninda
Can anyone help me regarding the below question: is there any way to search an existing role via organization level?
Hi Akram,
I have trouble understanding the question. The AGR_1252 table gives the org level values mapped to roles, if this is what you need.
Regards,
Aninda
Hi, is there a report that details Org Levels by role that can be used to check the build?
You don’t need a report. Just use the table AGR_1252.
Hi Aninda !
Very correct explanation of the org. level button in PFCG.
Just a question:
Is org. level mightier than the fields of auth. objects??
Ex.: I define Company Code in the auth. object field as 4711, but define the company code under org. level as “*”; which one overrides which?
Is it something like “Central govt. law breaks the law of a state govt.”? In our case, does the org. level break the auth. field?
I will be pleased to hear your position.
Kumar/Germany
Hi Kumar,
The company code value defined at the auth level will prevail, and other auth values for the same company code which are unmaintained at the auth level will fetch data from the org level.
But maintaining the company code at the auth level in the parent role will cause all the derived roles to inherit the same for that particular object, irrespective of the org level values of the derived roles.
Thanks,
Rinku Maurya
Hi Sir,
Can you please let me know the reason for not adding ACTVT as an org level?
I think it’s because any tcode addition will come with the S_TCODE object by default.
Please let me know.
TIA.
-Vandy
Changing ACTVT to an org level would mean that all activity values in a role would have the same values. That doesn’t make sense at all.
Hi,
In one of the systems in my project, I tried to give some values at the Organizational level in a role.
But this value is not updated in the relevant authorization objects. This is something weird that I am facing for the first time in my experience.
Any ideas/suggestions?
Hi Aninda !
How can you change org level to field level?
SAP provides a standard program, PFCG_ORGFIELD_DELETE, for this purpose. But be very, very careful before you use this program. Research more to understand the implications of running it.
Hi Aninda,
One question. If possible, can you please elaborate on the significance of the report PFCG_ORGFIELD_UPGRADE during a SAP upgrade?
Hi Aninda,
My requirement is to restrict user access to Site/Plant data based upon certain criteria.
Let’s just say the user has a parameter in a custom table. This is their assigned Plant/Site. They should only be able to access this Plant’s data.
The Role I am using is SAP_PM_WOC_ORDER_PROCESS, specifically with the Auth Object I_SWERK.
I guess I am wanting to know the place where I also put my code to validate the plant.
We have not implemented an org structure and have no plans to do so.
Any help would be appreciated.
Mike
SAP’s way to implement this is by using the org levels within roles, so that you can maintain the restricted value of the plant in the user’s role and, as long as the transaction in question actually checks I_SWERK, you are all set.
Thanks,
Aninda
Hi Aninda
Can org fields be converted to normal fields? If yes, how do we handle it?
I believe there is a program for that but I never had occasion to use it. Search for ORGFIELD* in SA38 and Google.
Hi Aninda,
We have around 4000 Profit centers in our organization. The client requires authorizations based on Profit centers only. Please let me know whether creating RESPAREA as an Org Field through PFCG_ORGFIELD_CREATE is the better option, or whether creating a new role with auth object K_PCA only with the required restrictions and attaching it to the users along with other roles is best practice for maintenance purposes in the long run.
Thanks and Regards,
Arun
The answer would depend on how many separate groupings of cost centers and business roles you would need. Also, do you expect requirements to keep changing even after the initial build? Also, would a single role have the same level of access to all the cost centers it would have access to? My thoughts would be to promote RESPAREA to an org level, as it sounds like one in your enterprise structure. However, even after conversion to an org level, this field poses its own challenges.
Hi Aninda,
Good post, lots of information.
One question:
Suppose there is a role change, e.g. maintaining plant values & company code restrictions or additions.
How will a developer know whether to change the Org level values or to change the values in a particular object (meaning Activity), because the same Plant & Company codes also exist in Auth Objects?
Could you please brief on this aspect?
Thanks
harish
Hence, good coding practice dictates never hard coding field values in your programs but always using variables.
After reading a lot of books and surfing the internet, this is the first page that made me understand the concepts of ORG levels and auth fields. You are really a star trainer; I thank you from the bottom of my heart, and please continue this service, as many, many hearts are thanking you for your teaching capability.
I have a situation in my current project. This is a small data clean-up project. As this organisation is separated from a big enterprise, in the new system there remain many unused Org levels existing from the older parent organisation. Now the task is to remove these unused org levels from the system.
From the security side there are a few tasks.
1. Kindly let me know how to remove the unused org levels from the roles and users.
2. Kindly let me know how to remove the unused org levels and authorisation fields from the system, tables etc.
3. Kindly let me know how to differentiate or list the unused and used org levels from the system.
I will be awaiting your reply every minute from now. You are my life saver. Please explain to me how to proceed with this small project, as I am totally new and have a huge responsibility on me to take it forward. After reading your posts I have good hope that you will help me.
The ultimate task is that the security person should restrict the view for all identified purchasing organizations/sales organizations/storage locations in the development client.
What you just mentioned is a small consulting project 🙂 and not just for security. It will be a collaborative effort between the business owners who identify the obsolete org values, the functional team who update the config entries in SPRO, and finally the security analyst who removes the obsolete org values from roles.
Hi Aninda,
How do I find who promoted or demoted a field to an Org field, and when? Does any such table exist in the SAP BW system?
Thanks,
Raj
You can check the table logs for USORG and USVAR, in case you have table logging active in your SAP environment.
What happens when we manually add an Auth Object to a role? Why is it not recommended by SAP?
Manually adding an auth object is certainly possible but discouraged, as there is no trace of why the object was added. The better option is to update the SU24 entry for the transaction which needs the object and pull it into the role through expert mode generation.
Could you please explain about authorization values?
Thank you so much for explaining the org levels concept in a clear manner. I have a question for you. How can I get the list of t-codes which have org fields in them and under which authorisation object they are? Is there any table or program to see the required info?
AGR_1252 is used to find the org fields mapped to roles. Similarly, is there any table or program to see the list of t-codes which have org fields in them and under which auth object they are?
I was wondering if you could tell me whether Org levels are cumulative when a user has multiple roles.
For example, F-41 is in a derived role with Company Code 0001 & 0002. The second role is a master role for other tcodes and does not have F-41 but has the Org level as *. Will the combined access for the ORG Level be *?
Check if the same object(s) which give the org level access in the first role are also present in the second role. Without the same authorization objects, having * in the org level in the second role will not give out extra access to F-41.
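The answer above turns on a distinction worth seeing in code: org levels are a build-time convenience in PFCG, whereas at run time a check only ever looks at the authorization objects a user actually holds. The following added example (Python, not SAP code) models a user buffer assembled from two roles and a simplified authority check over it. The object Z_DEMO_BUK, the field values and the role names are constructed stand-ins for whatever object F-41 really checks, and the check logic is an assumption that only exact values, a trailing `*` and a bare `*` are matched (no value ranges).

```python
def user_authorizations(roles):
    """The user buffer is the union of every authorization from every assigned role.
    Org-level entries are a build-time convenience in PFCG and do not appear here."""
    buffer = {}
    for role in roles:
        for obj, field_values in role["auths"]:
            buffer.setdefault(obj, []).append(field_values)
    return buffer


def matches(pattern, value):
    """Simplified pattern semantics (assumption): '*', trailing '*', or an exact value."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authority_check(buffer, obj, **fields):
    """Succeeds if any single authorization for obj satisfies all requested field values."""
    for auth in buffer.get(obj, []):
        if all(any(matches(p, v) for p in auth.get(f, [])) for f, v in fields.items()):
            return True
    return False


# Constructed roles mirroring the question: a derived role carrying the F-41 object
# (stand-in Z_DEMO_BUK) for company codes 0001/0002, and a second master role whose
# org level BUKRS is '*' but which does not contain Z_DEMO_BUK at all.
DERIVED = {"name": "Z_FI_F41_DERIVED",
           "auths": [("Z_DEMO_BUK", {"BUKRS": ["0001", "0002"], "ACTVT": ["01"]})]}
MASTER_OTHER = {"name": "Z_OTHER_MASTER", "org_levels": {"BUKRS": ["*"]},
                "auths": [("Z_DEMO_OTHER", {"BUKRS": ["*"], "ACTVT": ["03"]})]}
# Same org level, but this variant does contain the object, so the '*' reaches F-41.
MASTER_WITH_OBJ = {"name": "Z_OTHER_MASTER_WITH_OBJ", "org_levels": {"BUKRS": ["*"]},
                   "auths": [("Z_DEMO_BUK", {"BUKRS": ["*"], "ACTVT": ["01"]})]}


def scenario(second_role):
    """Can a user holding DERIVED plus second_role act in company code 0001 and 0003?"""
    buf = user_authorizations([DERIVED, second_role])
    return {cc: authority_check(buf, "Z_DEMO_BUK", BUKRS=cc, ACTVT="01") for cc in ("0001", "0003")}


if __name__ == "__main__":
    print("second role without the object:", scenario(MASTER_OTHER))
    print("second role with the object:   ", scenario(MASTER_WITH_OBJ))
```

With MASTER_OTHER the user stays limited to 0001 and 0002, because the `*` lives in an object F-41 never checks; with MASTER_WITH_OBJ the same org-level value does widen access, which is exactly the situation to look for when reviewing what a combination of roles grants.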