Monday, May 26, 2008

Creating New Org values


Question: We are creating derived roles, a master role with individual derived roles.
As we know the only values that don't get pushed down are the org. values.
However we are controlling on values that are not org levels. So I would like to make them org levels, for instance company code.

I know you can create org levels in SE38 with PFCG_ORGFIELD_CREATE.
However if you do this will it make company code an org value in every role that it exists?

If so do we have to go into every role or will a value be populated automatically from the role itself?

Is it possible to pick and choose which role you want the new org levels to adhere to?

Any help would be greatly appreciated!!!

Thanks!

Answer:
I know you can create org levels in SE38 with PFCG_ORGFIELD_CREATE.
However if you do this will it make company code an org value in every role that it exists?

Yes

If so do we have to go into every role or will a value be populated automatically from the role itself?

IIRC Values in the fields will become populated as org levels without any further action required from you

Is it possible to pick and choose which role you want the new org levels to adhere to?

No. This is the downside to creating org levels. You can force individual fields in roles to ignore org level behaviour but this is on a role by role basis and not practical to maintain. If you find yourself needing to do this then your design does not suit creating additional org levels.

Answer:
If you create an org level from a field you have already used, you may not get the desired results. If you have mixed values in different authorizations where they need to be discrete for different objects, the creation of the org level will combine ALL the values into all the authorizations. So be careful and analyse the results of the report BEFORE committing the results.
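
A small model of the merge this answer warns about, added here as an illustration (it is not code from the thread and not the logic of SAP's report). It assumes role data exported as (role, object, authorization, field, value) rows and that the merge happens per role; the objects I_KOSTL and P_TRAVL come from the report output on this page, while the role names, authorization names and values are constructed.

```python
from collections import defaultdict

# Constructed sample rows: (role, authorization object, authorization, field, value)
ROWS = [
    ("Z_TRAVEL_CLERK", "P_TRAVL", "T_X0000001", "KOSTL", "1000"),
    ("Z_TRAVEL_CLERK", "I_KOSTL", "T_X0000002", "KOSTL", "2000"),
    ("Z_PM_PLANNER", "I_KOSTL", "T_X0000003", "KOSTL", "3000"),
    ("Z_HR_REPORT", "P_TRAVL", "T_X0000004", "KOSTL", "*"),
    ("Z_HR_REPORT", "I_KOSTL", "T_X0000005", "KOSTL", "4000"),
]


def preview_org_level(rows, field):
    """Per role: the merged value set and the authorizations that would gain values."""
    per_auth = defaultdict(lambda: defaultdict(set))
    for role, obj, auth, fld, value in rows:
        if fld == field:
            per_auth[role][(obj, auth)].add(value)

    report = {}
    for role, auths in per_auth.items():
        # Assumption: one org level value set per role, the union of all
        # values the field currently holds anywhere in that role.
        merged = set().union(*auths.values())
        if "*" in merged:
            merged = {"*"}  # full authorization swallows the discrete values
        widened = {}
        for key, values in auths.items():
            if "*" in values:
                continue  # already unrestricted, nothing to gain
            gained = merged - values
            if gained:
                widened[key] = sorted(gained)
        report[role] = {"merged": sorted(merged), "widened": widened}
    return report


def roles_needing_review(rows, field):
    """Roles where at least one authorization ends up broader than before."""
    preview = preview_org_level(rows, field)
    return sorted(role for role, info in preview.items() if info["widened"])


if __name__ == "__main__":
    for role, info in preview_org_level(ROWS, "KOSTL").items():
        print(role, info["merged"], info["widened"])
```

Roles returned by `roles_needing_review` are the ones where previously discrete values would be shared across objects and should be checked before the change is committed.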

Answer:
Test mode

Create org level field KOSTL
Update authorization value proposals (SU24 data)
Conflicts (manual follow-up needed)
Values collected in role: SAP_CA_CL_MAINTAIN
Original values:
Authorization object    Authorization Values
I_KOSTL T_P092043200
New org level values:
*

Values collected in role: SAP_ESSUSER
Original values:
Authorization object    Authorization Values
P_TRAVL T_8000022406
P_TRAVL T_8000022407 *
New org level values:
*

Values collected in role: SAP_HR_REPORTING
Original values:
Authorization object    Authorization Values
P_TRAVL T_P092020100 *
New org level values:
*
01

Thanks so much for your help!!!

Answer:
Looking at my last reply, I didn't get the entire message in.

What is in the last reply is the report that you run PFCG_ORGFIELDS_CREATE, and the results that I get.

My question is why does it say (manual follow up needed) for some of the roles?
All roles affected are at the end of the report. But it lists out conflicts above the list.

Creating new authorization object

Question: Hi all,

Is it possible to create a new authorization object, fields for that and the values? If yes, please guide me regarding the same.
_________________
Regards,

Sailesh K

Answer:
A new authorisation object can be created using transaction SU21, and fields for it can be created in SU20. You need to assign a class for the authorisation object.

Creating customized authorization objects
Question:
Hi

I am new to SAP security. Can anybody explain how to create customizing authorization objects? I know we can create them through SU21; can anybody explain briefly?

Answer:
Read the documentation in SU21.

Note: First look for an appropriate SAP standard object before you create deviations from the standard.


Creating authorization profile
Question: Hi,
We normally use roles (PFCG) and authorization profiles are generated automatically.
I need to create authorization profiles in 3.1h, both simple and composite.

Can anyone guide me how to do?
Is it through SU02? What has to be added in Object? And in Authorization?

Thanks.

Answer:
You create and modify Authorization roles in SU02. The values assigned to each authorization object must be determined by members of each business unit. Either that or you assign no values to any of the parameters and let the users test each transaction assigned to the role and determine the different org levels and parameters through testing. It is a long process; however, if the business cannot help you define the roles, it is the only other way to do it.

Answer:
And I assume you will need to create custom authorizations as well. That is done through SU03.


How to create authorization levels
Question: hello,

I found a note that names a report that needs to be run so that I can change a field and make it an organizational level (done it). But when I look at that field within a certain object in PFCG, it's still yellow like before, and I can't find it under the button "organizational level"... Do I have to somehow generate my new organizational level field? And in that case how, because SU24 and the others are just for transactions.

grateful for some help
//Vinnie

Answer:
1. Did you run the reports in test mode and not change mode?
2. Are you relying on the text name or the technical value of the field? The program PFCG_ORGFIELD_CREATE uses the technical name, and there are several fields that look the same in text but are not technically; Company code and Company come to mind.

Note that if you create the org level and then decide to remove it, there is a bug in the PFCG_ORGFIELD_DELETE program that corrupts the SU24 entries that the customer adds that are not in the SAP source table. You will have to correct these manually.

Answer:
Hello,

I managed to create an organizational level object by running the report. But normally when you see standard organizational levels they appear red until they are filled in. When I look in the object containing the field I changed, and add it to a role, it's still yellow. That is my problem: it doesn't really change and it does not show under the button organizational level. So what do I have to do to see it there, and also to see the field red in the object?

thank you in advance
Vincent
_________________
6 years' experience. Prepared to work all over the globe, but so far Sweden and Denmark. Speak English, Swedish, Finnish and Spanish fluently.

Answer:
Was the object added by you in SU24 or was it SAP delivered? Go to SU24 and remove the object from the tcode that is bringing it in, re-add it, and see if it corrects itself.

Answer:
The object I used is ygo_sec_op and is not connected to any tcode... I checked that too... More ideas please... Maybe we can solve this :)

//Vincent

Answer:
ygo_sec_op? The "Y" implies a customer-developed object. The report that creates the org level manipulates the customer table in SU24 and then changes AGR_1251, but if your ygo_sec_op was not changed then the code may ignore MANUALLY inserted objects (highly possible; I did not pay attention to this part of the code). So it may be working as designed.

The best practice is to tie all required objects to a tcode and configure it in SU24 with the most restrictive access (usually view if the tcode has to be shared between change and view), and then you ADD manual authorizations to increase access with the proviso that you have a standard to support its inclusion in the role. If you have a manual (there are some exceptions) without a standard, this would indicate to you that the tcode needing the access has been removed and the MANUAL should also be removed.

Try removing the object from the role, exit PFCG entirely, re-open the role and add it back (the exit entirely may not be needed in all cases).

Answer:
thanks for your input, stupid me playing with y fields.

It works fine for the standard fields, but not for the customized ones, at least it seems like. Just like you said.

thanks for your help

cheers
Vincent

Answer:
Custom fields or objects? You can add the fields in the table and link your custom field to an SAP variable. Table USorg is the link between the field and the variable in table USVAR. If you add a USVAR then you MUST transport table USVART to get it to work in the other systems (you should take USVAR as well).

Did removing the object and re-adding it help, or is it truly a 'Y' object and new fields?


How to create an authorization object and assign a table
Question: How do I create a new auth group and assign a table to this group in S_TABU_DIS?

Answer:
Tcode SUCU. The "group" does not have to exist, but you can create one in SE54.

Create Authorization object
Question: Hello,

I need to restrict access for a specific field of a table.

Can you tell me how to know the authorization object linked to this field AND how to create an auth. object?

Thanks.

Answer:
There is no easy way doing this. Auth Object(s) for standard tables are S_TABU_DIS, S_TABU_CLI. You can use this to restrict access to display only or client specific tables. However if that requirement is mandatory you need to create a custom t.code to display table restricting the field.

Answer:
What do you mean by the statement "restrict specific field of a table?"
Can you be a bit more specific in your problem?
_________________
Regards
Vijay

Answer:
One option could be S_TABU_LIN, but I think you are better off with a custom transaction

Answer:
Exact.

We find a solution by creating a specific transaction.
