Org Level Help

Similar Messages

• Org Level, fund center/cost center level restriction for tcodes????

  I am looking to see whether org level restriction and cost center/fund center level restriction is possible for certain set of transactions.
  I am using USOBX table for this analysis. This table has a check flag field ( same as in SU24) which says whether the Tcode (program) does the authority check for certain auth objects. Example- X (checked but not maintained in USOBT). This table pulls up several authorization objects under the 'X' category. However, when I do the System trace for the same tcode, all the objects (marked as X) are not captured. Instead only a few are captured.
  Can we rely on the USOBX data or should we do system Trace for every tcode. I am just pulling a report and not creating roles at this point. So trace is time consuming. But data reliability is equally important.
  My objective is to verify whether org level and cost center/fund center level restriction is possible or not for some tcodes.
  Do you have any suggestion to achieve this faster (through USOBX or any other means)?
  Thanks in advance
  Kee

  I would suggest you to check USOBX_C and USOBT_C instead of USOBX and USOBT as it will have your customization as well and not just the standard ones given by SAP.
  Also when check field is X ...it means the object is checked but not maintained for the t-code as you already said but I am not sure how much it will help you as the they will not be pulled by PFCG when you are creating the role until you change the object to Check / maintain . When you do that the check field will be Y and not X. So basically it is the Y one which you need to see.
  Going for trace is time consuming for every t-code and I am not sure if it really needed. When your roles are in testing phase and are tested by the functional team or the team which needs it and if they are missing some object, you can run a trace and find the missing object....
  I am not sure on what basis you want to change some field to Org level ...but typically it is done if you want to do segregation of roles based on these org level. There could be various other reasons and it is better to talk to your functional counterparts before changing a field to Org level.
  for ex : If you want to segregate on company code, you will create co. code as Org level and create roles for different company code.

• How to Inactive Item Status at Org Level

  How to Inactive Item Status at Org Level and what are the implications of doing so.
  What are the prerequisits before inactivating an item status.
  The Procedure I am following is
  Changing the Item Attribute control to Org Level for Item Status
  Log on to Organization Items and Selecting the Item Status as Inactive.
  Can any one please let me know what are the pre requisits before Inactivating an Items and The procedure I am following is correct.
  Thanks
  Srinivasa Garikipati

  Hi;
  Please check serial attribute and org attribute problems with item master and see its helpful
  Also you can check:
  http://oz1-n.blogspot.com/2009/06/interview-questions-for-oracle-11i-apps.html part
  1. Once an item is assigned to an organization, is it possible to remove this association at a later time?
  2. How do I inactivate an item?
  Regard
  Helios

• Adjust manually changed Object field as per org level values

  HI,
  I have a role wherein a field maintained at org. level has been changes in object manually. hence it no more follows the the org. level values assigned.
  The requirement is "this object should get adjusted for its field to have values as per the org. level values" As I remember there is a SAP standard report that when executed for this role, will correct the object and we will be able to again have it's field values aligned with org. level values.
  I am not able to recollect or find the name of the report.
  Need help!!
  Thanks.
  ~ Pranali

  That this option is available in any authorization which is not copied from a standard one is still a mystery to me...
  I normally just check for them to see whether someone toasted the role and solve the root cause problem. Training is the hard way.
  Solution: Delete the authorization and open the role again to maintain the org. level.
  As this is in a development system generally, there are some pre-requisites though to be able to avoid it. Role admin is a very specialized task and everyone always wants more.
  Sandbox systems are cool places to mix the two of them and let people be creative with prototypes etc. Development systems also have feelings and enemies...
  Cheers,
  Julius

• Question on org level values in derived roles

  I have a set of derived roles for a retail org.
  They have set the org level for the WERKS object to the store number i.e. 0012. in the  M_MSEG_LGO, M_MSEG_WMB,   and M_MSEG_WWE but set it to "" in the  M_MRES_WWA and M_MSEG_WWA. Needless to stay the "" is overiding the site restriction.
  My question is, how can they allow store to store transfers and goods issues for other sites but only do POs and goods receipts for their default store?
  If the transactions in the role are using the same object, it doesn't seem like it can be done but I am told it can! I can't figure it out. Can anyone assist?
  Thanks

  If you are talking about  straight authorization object ( then your design cannot go with derived role concept )
  If your controls are only through the organizational object  only then derived role design will help
  If its a mix of both standard object + organizational level object derived role will not help you.
  Please note
  the WERKS is the organization level  in your case the plan value is 0012
  do not set the values in parent role and also do not populate this value were its "$werks"
  what is TCODE you are using ?
  Edited by: Franklin Jayasim on Jul 21, 2010 11:45 PM

• Basic Information about Organizational Level & Org. level value.

  Hello Experts,
    I am new to the field of SAP and security. I have the following questions:
  1. What is an organizational level & org. level value? What do they represent? How do they matter in PFCG?
  2. What is a derived role and what is its usage?
  I appreciate your help regarding this. If you could point me to some documentation regarding this that will be very helpful.
  Regards, Ben

  Ben,
  I am new to the field of SAP and security. I have the following questions:
  1. What is an organizational level & org. level value? What do they represent? How do they matter in PFCG?
  if you want to restrict on region vice (best use org level & values (plant,company code, sales org)
  In role u will notice them in red color
  2. What is a derived role and what is its usage?
  Derived role inherits menu struture and the function from the parent role. Derived role do not differ in their functionalities(identical menu & trans) but have different characterticts with regard to Org levels.
  Eg1; Master role
  PFCG -> role name -> create->menu->enter tcodes-.Auth tab->export mode->read old status and merge with new data->Pop for org levels (give a full access)->see to that everything is green->generate it.
  http://e-mory.blogspot.com/2007/12/sap-pfcg-create-role.html
  Eg2: Derived role
  pfcg->role name->create->in describtion  tab towards right  enter the master role name->Auth tab->export mode->read old status and merge with new data->you will get a pop for org levels (here you can restrict on plant lvel,purchasing group,company code....)
  ->let say for plant : 1000 ->generated / user comparssion
  Once the role is added to the user. User will be albe to see only those plant related details (1000) (i.e he will have access to only plant 1000)
  suppose if the user enters 2000,he will get a error message saying no access to 2000
  NOTE: Any changes to the role should be done in master role (like adding tcodes)
  .http://www.rssfeeddirectory.org/directory/items/346239.aspx
  https://cw.sdn.sap.com/cw/docs/DOC-12021
  http://help.sap.com/saphelp_wp/helpdata/en/1c/c38028816c11d396bc0000e82de14a/content.htm
  Re: Authorization error after transport
  Thanks,
  Sri

• User group [$CLASS] not an Org level field in IA, whereas it is in DA

  Hi All,
  We have an authorization problem that we faced while SAP Upgrade. In the development system while we upgraded all the roles, we did not face any issue. User group field [$CLASS] was actually an org level field in that system and the roles were upgraded based on that condition.
  When the Integration system was up and the upgraded roles were transported to IA, we noticed that they ended with a warning. On checking the logs we found out that User group [CLASS] actually was not an Org level value in the INtegration system, whereas it was an org level field in the development system.
  Can someone tell me the reason why it is different? Is there any settings we have to change to make User group  an org level field in IA. Thanks a lot for your help.
  Vijith

  Hello, I ran into this also and found these notes to explain why this is suddenly an org value and how to fix it:
  http://search.sap.com/notes?id=0001580048
  http://search.sap.com/notes?id=0001739055
  Basically, GRC 10 add-on makes the user group an org value and the note instructs how to undo this manually, but there is a required pre-requisite because you cannot modify this for SAP delivered fields normally.
  You know what else would be nice.... maybe there's a note that explains why Account Type is an org value.  It REALLY should not be, IMO.

• How to create new org.level and further actions?

  Hi experts!
  I need help on the follwing situation.
  For better separation of industries for the marketing staff we do use the branch (e.g. food, energy, ...).
  For that we want to adjust the authorizations to branch specific.
  The questions are:
  1) Is it possible to create a new organisational level "branch"?
  2) If I have a new org.level I think I have to adjust existing authorization objects. Do I only have to extend the belonging auth.objects with the new org.level?
  3) What else do I have to do if a new org.level branch is created to check authorizations on that?
  Thanks for your help in advance.
  Regards,
  Alex

  If I read your question correctly I think you want to create a new authorization field. To get that to work you'd need to adapt a lot of software. Definately not a path to follow.
  All authorization cheecks need to hard-coded into the software. Changing SAP standard software is something one wants to stay away from as long as possible. It'll keep haunting you when patching, upgrading etcetera.
  If you want to 'upgrade' an existing field to become organizational a forum serach on PFCG_ORGFIELD_CREATE should give you pointers.

• Mass Role Import  -- 9000 derived roles with 9 org Levels, how to get TXT

  Hello,
  I hava a problem.
  I want to use the (Mass Role Import) Bulk Role Import element in the ERM  (SAP GRC AC 5.3 )for importing SAP roles (I only found that way to import roles from SAP).
  I have 100 primary roles and more or less 9000 derived roles with 9 org Levels.
  Is there a way to get this 9000 derived roles with their 9 org Levels in a TXT file?. Or do I have to do it manually this part to insert it in the "Bulk Role Import ".
  Can someone help me?
  Thank you in advance.
  Pablo Mortera.

  Hi Mike,
  what kind of TA´s are in your role. Is it possible to integrate a "dummy" TA (without conflicting
  your SOD)?
  In my example I have CO TA´s bundled in a role:
  Role:   ZXXXX_O:CO_ORDERMANAGER_CRE - CO Order Manager Pflege
  with
  KO01 Create Internal Order ...
  KO02 Change Order ... 
  KO04 Order Manager ... 
  KOK2 Collective Proc. Internal Orders ... 
  KOK4 Aut. Collect. Proc. Internal Orders
  update this role with TA KO01 and KOKRS will be available for derivation.
  Done this manually without import in ERM.
  Reg,
  Ulrich

• GRC BRM: Update Org Levels of derived roles

  Dear GRC experts,
  we are using the GRC BRM Master Derived concept and have around 100 Master roles in place.
  I understand that the Org Levels of derived roles are only once set per Org Value Map during the initial (Mass) Derivation.
  If we add a transation like VA01 to a Master role this also adds some new Org Levels to the Master role. Via "Propagate to Derived roles" the new transaction and object values are added into the Derived roles.
  For the new Org Levels these are added also but the values are not the one from the Org Value Map of the Derived role but exactly the same values of the Master Role.
  Using "Derived Role Org. values Update" does not help us here to update the corresponding Derived roles as no change to the Org Value Map has been done.
  In case a Master role has 40 different Derived roles associated this would require to update manually any of the Derived roles for adjusting the new Org Levels.
  Does anybody know how to automate this task?
  Many thanks for your help!
  Regards,
  Markus

  Hi Markus Richter
  Once you maintain the imparting role and propagate to the derived role, the derived roles will inherit the new org values from the imparting. So that at least has the org values in the derived roles but not the correct values
  Next up is to try to use the Mass Maintain Roles to update the derived roles with correct values from the org map (ensure org maps were updated first) mentioned in post
  Mass Child role Org value update in GRC 10
  Does this work for you as an approach?
  Regards
  Colleen

• Page level help text question

  APEX - 4
  DB version - 10g
  Web server architecture - OHS
  Browser - IE8
  Theme - 5
  I know how to set and display help text for a page item, and I see there is the option to add help text at the page level, but how does the user accessing the screen see the page level help text?
  I was thinking it might be a good way to add user help guide information at the page level.
  Thank you for any assistance.

  I know how to set and display help text for a page item, and I see there is the option to add help text at the page level, but how does the user accessing the screen see the page level help text?Using a Help page and region accessed via a help link (e.g. a navigation bar entry), or using the <tt>apex_application.help</tt> API method in a PL/SQL Dynamic Content region.
  This is covered in the APEX documentation which should be consulted before posting a question here.

• New Org Level impact in existing roles

  Hi,
  I would like to set/create 2 fields as organizational levels. For example KLART and DOKAR. Checking these I realized there is a big amount of roles "affected" by this change.
  Because I plan to use the organizational level only for new roles , I would like to know which impact could have  this change for existing roles, should one modify the existing roles after creating the Org Levels ? or in contrast they still work as always an no changes / adjustments is needed?
  Thanks and regards
  FedeX

  Thanks Bernhard,
  I have a question
  As I mentioned before my goal is that the existing roles keep working after running that program... and do not want to perform any adaptation....only if there is a real error that avoid work correctly.
  In these 2 cases the role will keep working properly ( I mean restricting in the way that it uses to do).
  1) In case field is copied to the Orglevel area after running the program and the value(s) will stay in both places (OrgLevel and Original place)
  2)  In case field is NOT copied to the Orglevel area after running the program but the value still in the original place .
  right?
  Thanks
  FedeX

• GRC 10: How to upload Org Level Rules in GRC 10?

  Hello Friends,
  we have implemented GRC 10 recently but missed to move org level rules from GRC 5.3 to 10. I don't see an option to load org rules in SPRO. Can you please let me know how can i load org rules from 5.3 to 10 with out disturbing the existing risks / functions? or is there an option to update tables directly for org rules?

  Hi Colleen Lee,
  Thank you for your response. Yes i see Master Data > Exception Access Rules > Organizational Rules and i am able to create org rules but i am trying to find an option to upload all at a time as we have around 50 org rules and have 2600 lines in it. creating manually will take so long and looking for alternate.
  Thanks & Regards 
  Pradeepthi

• EXTEND VENDOR  FROM PURCHASE ORG LEVEL TO CO CODE LEVEL

  Dear friends,
  I have create a  vendor master  at purchase organization level  using  T code mk01,  Now  want to extend it to company code level, please suggest me  how to extend vendor code  form  purchase oganiztion level to  company code,
  With regards,
  ARABBAS
  Note : Please search forum before posting
  Edited by: Jeyakanthan A on May 30, 2011 9:48 PM

  Hi
  MK01 can be used for maintaining the vendor details at the purchasing org level & for general data
  FK01 can be used for maintaining the vendor details at the company code level & for general data.
  XK01 can be used for maintaining the vendor details at the company code , purchasing org level and general data
  if wnat extend vendor at company code level,then use t-code xk01 or fk01
  check following link
  [Vendor create]
  Regards
  Kailas Ugale

• Vendor - MArk for Deletion at Comp code & Pur Org Level

  Hi Gurus
  I want a list of vendors (about 150 Vendor)  to be  Marked for Deletion at Comp code & Pur Org Level  
  How to proceed ?

  hi,
  To be able to archive, you must set the deletion flag in the master record. You can set this flag for a complete vendor or for individual company codes or purchasing organizations.
  You can archive data from different tables using the archiving object FI_ACCPAYB...
  Mark a vendor for deletion centrally as follows:
  Choose Master records ->Maintain centrally -->Mark for deletion.
  The initial screen appears.
  Enter the vendor account number and, if you wish, the company code and a purchasing organization.
  If you do not specify the key for a purchasing organization, you cannot delete this area at a later date, should you wish to.
  Select ENTER .
  The screen for specifying data for deletion appears.
  Select data to mark for deletion by clicking next to the appropriate field.
  Save your entries by choosing Vendor ->Save.
  The system displays the initial screen, with a message confirming that the data has been saved.
  Mark a vendor master record for deletion for the Accounting Department as follows:
  Choose Master records -> Mark for deletion.
  The system displays the initial screen.
  Enter the vendor's account number and the company code.
  Select ENTER .
  The system displays the screen for selecting areas to mark for deletion.
  Select the data either in the company code or in all areas to mark for deletion.
  If you click next to the All areas field, the system will later delete all data for all company codes and for all purchasing areas in this vendor master record.
  Save your entries by choosing Vendor -> Save.
  After you mark a vendor master record for deletion, you can still post to the vendor account. This is necessary, since you might still need to clear open items. When you post, the system issues a warning that you are posting to an account that is marked for deletion.
  Displaying Archived Vendor Master Data
  To display single documents for the archiving object FI_ACCPAYB using Archive Information System you require an information structure that has been created based on one of the following standard field catalogs provided by SAP:
  ●     SAP_FI_ACCPAY_1 (vendor master data FI)
  ●     SAP_FIACCPAY_2 (vendor master data SD)
  Each information structure must be active and filled.
  Edited by: Priyanka Paltanwale on Aug 21, 2008 9:09 AM