Org Level in ERM

Hi ,
In Role Management Tab, under Roles when we go to search and try to assign the derived roles the system is not able to display any values in the dropdown in Derived Org. Level. These values are already maintained in Configuration.
Thanks in advance.
Srinivas

Srinivas,
   This means that org level sync job has not finished successfully or there was some issue with the org level data. Can you try to reboot the server and test the scenario again. If it still doesn't work then I will recommend you to just run the org level sync job again.
Regards,
Alpesh

Similar Messages

  • Mass role Import in ERM "unable to determine matching org. level" Error

    I am trying to upload the Derived Roles into the ERM. I have already uploaded all the Parents Roles. The volumes of the Derived Roles is huge in my SAP Backend system.
    I am not able to understand what should be the content of Org File which we upload. Please correct if I am wrong
    1>Example a role Z_TEST_D is derived from Z_TEST on the org levels EKGRP,KOART,GSBER,WERKS.
    2>I have run Org Synchronization Job in the ERM
    3>Downloaded Z_TEST (Parent Role) and uploaded it into ERM(It was easy because there was no org file)
    4> Downloaded Z_TEST_D(Derived Role) through /VIRSA/RE_DNLDROLES Tcode in backend.
    5>Downloaded the AGR_1252 information for this role which contained the Org levels and values
    6>I put all those information into the Org File and then tried to upload it throws me the error Role Z_TEST_D : not imported; unable to determine matching org. level for WERKSin the system
    So I again tried with the another method by changing the input sheet for the Org File
    Z_TEST_D BUKRS 0* 9*
    Z_TEST_D EKGRP *
    Z_TEST_D KOART *
    Z_TEST_D GSBER *
    Z_TEST_D WERKS *
    and tried to upload it again gave me the same error. I have checked the ERM all these Org Levels are fetched into the ERM. I am not sure if I am missing any basic things.
    Current Support pack: SP10 Hot Fix 2.
    Please share your experience and best practice to upload the roles,

    Hello Rahul,
    I had that same problem with SP10 also. The way I resolved itand this sounds crazywas to move that WERKS line up one or two rows.
    The problem I noticed was not with all derived roles, but when there was a problem, it was always the last line of the Org file for the role that was causing the problem. And the problem was not always WERKS either.
    If the next time you run it, the error occurs on the "new" last line (e.g. GSBER), move that line up also. Eventually they all make it in. I have not seen this problem repeated in SP12. Don't delete the line, just shift the order within the number of rows the role has.
    P.S. I have several hundred derived roles, about 10 - 15% had this import problem.
    -Dylan

  • ERM -- unable to determine matching org. level for BRGRU in the system

    Hello,
    I have a problem.
    When I trY to import in the ERM (SAP GRC AC 5.3 SP5) a mass import of roles (derived roles) using the template Organizational Template.
    Some of the roles gives me this error:
    "Role not imported; unable to determine matching org. level for BRGRU in the system".
    In the file I put for example
    ZAPVAPINTE     BUKRS     0083
    Am I doing it right? or do I have to put $BURKS?
    Best regards.
    Pablo Mortera.

    I have found that when you run the background job "syncronization of the organizational values" it pulls the org value name and all "values" assigned to it.  If you don't have values specified (on the table level) for the org name, you get this error.  We have many fields that we use values for these fields but they aren't specified in the table.
    For example:  We have the org value "PLVAR" with the values "AL", "01", "02", "03", and "GB" assigned to it.  You can actually see these values in the backend system using SE11.  We do not get this error on this org value.  However, we have another org value "SACHZ" that we use, but we do not have any values assigned to it on the table level, so it is giving us this error.  We are trying to find out how to populate the "values" field since this was not done through configuration.
    Here are the steps:  (1) Go to SE11 in your backend system.  (2)  Put your org value (example:  PLVAR) in the "DATA TYPE" field and click display. (3) Double click on the Domain name.  (4)  Go to the Value Range Tab and click on the "Value Table" name if there is one.  This is the table that has the org values assigned in it - normally done through configuration. (5) go to Utilities --> table contents --> display.  (6) execute the table contents.  These are the values that the sync job pulls over.  If there are no values there or if there is no "values table" name, you get the error.  If there are values there, you don't get it.
    We are working with our technical team to get the values in these fields to see if that works.  Another quick way to see if there are values assigned to the org field is to use "Org Value Mapping" in ERM.  Select the "derived org level field" you want to see and click on the "org value from" magnifying glass.  If no values are there, a "values table" hasn't been populated in SE11. 
    It doesn't make much sense to me though because we can still use values for these fields for our derived roles....we just don't populate the table with them.
    I'll update this message if we find a solution.
    Thanks,
    Peggy

  • Mass Role Import  -- 9000 derived roles with 9 org Levels, how to get TXT

    Hello,
    I hava a problem.
    I want to use the (Mass Role Import) Bulk Role Import element in the ERM  (SAP GRC AC 5.3 )for importing SAP roles (I only found that way to import roles from SAP).
    I have 100 primary roles and more or less 9000 derived roles with 9 org Levels.
    Is there a way to get this 9000 derived roles with their 9 org Levels in a TXT file?. Or do I have to do it manually this part to insert it in the "Bulk Role Import ".
    Can someone help me?
    Thank you in advance.
    Pablo Mortera.

    Hi Mike,
    what kind of TA´s are in your role. Is it possible to integrate a "dummy" TA (without conflicting
    your SOD)?
    In my example I have CO TA´s bundled in a role:
    Role:   ZXXXX_O:CO_ORDERMANAGER_CRE - CO Order Manager Pflege
    with
    KO01 Create Internal Order ...
    KO02 Change Order ... 
    KO04 Order Manager ... 
    KOK2 Collective Proc. Internal Orders ... 
    KOK4 Aut. Collect. Proc. Internal Orders
    update this role with TA KO01 and KOKRS will be available for derivation.
    Done this manually without import in ERM.
    Reg,
    Ulrich

  • Org Level, fund center/cost center level restriction for tcodes????

    I am looking to see whether org level restriction and cost center/fund center level restriction is possible for certain set of transactions.
    I am using USOBX table for this analysis. This table has a check flag field ( same as in SU24) which says whether the Tcode (program) does the authority check for certain auth objects. Example- X (checked but not maintained in USOBT). This table pulls up several authorization objects under the 'X' category. However, when I do the System trace for the same tcode, all the objects (marked as X) are not captured. Instead only a few are captured.
    Can we rely on the USOBX data or should we do system Trace for every tcode. I am just pulling a report and not creating roles at this point. So trace is time consuming. But data reliability is equally important.
    My objective is to verify whether org level and cost center/fund center level restriction is possible or not for some tcodes.
    Do you have any suggestion to achieve this faster (through USOBX or any other means)?
    Thanks in advance
    Kee

    I would suggest you to check USOBX_C and USOBT_C instead of USOBX and USOBT as it will have your customization as well and not just the standard ones given by SAP.
    Also when check field is X ...it means the object is checked but not maintained for the t-code as you already said but I am not sure how much it will help you as the they will not be pulled by PFCG when you are creating the role until you change the object to Check / maintain . When you do that the check field will be Y and not X. So basically it is the Y one which you need to see.
    Going for trace is time consuming for every t-code and I am not sure if it really needed. When your roles are in testing phase and are tested by the functional team or the team which needs it and if they are missing some object, you can run a trace and find the missing object....
    I am not sure on what basis you want to change some field to Org level ...but typically it is done if you want to do segregation of roles based on these org level. There could be various other reasons and it is better to talk to your functional counterparts before changing a field to Org level.
    for ex : If you want to segregate on company code, you will create co. code as Org level and create roles for different company code.

  • How to Inactive Item Status at Org Level

    How to Inactive Item Status at Org Level and what are the implications of doing so.
    What are the prerequisits before inactivating an item status.
    The Procedure I am following is
    Changing the Item Attribute control to Org Level for Item Status
    Log on to Organization Items and Selecting the Item Status as Inactive.
    Can any one please let me know what are the pre requisits before Inactivating an Items and The procedure I am following is correct.
    Thanks
    Srinivasa Garikipati

    Hi;
    Please check serial attribute and org attribute problems with item master and see its helpful
    Also you can check:
    http://oz1-n.blogspot.com/2009/06/interview-questions-for-oracle-11i-apps.html part
    1. Once an item is assigned to an organization, is it possible to remove this association at a later time?
    2. How do I inactivate an item?
    Regard
    Helios

  • New Org Level impact in existing roles

    Hi,
    I would like to set/create 2 fields as organizational levels. For example KLART and DOKAR. Checking these I realized there is a big amount of roles "affected" by this change.
    Because I plan to use the organizational level only for new roles , I would like to know which impact could have  this change for existing roles, should one modify the existing roles after creating the Org Levels ? or in contrast they still work as always an no changes / adjustments is needed?
    Thanks and regards
    FedeX

    Thanks Bernhard,
    I have a question
    As I mentioned before my goal is that the existing roles keep working after running that program... and do not want to perform any adaptation....only if there is a real error that avoid work correctly.
    In these 2 cases the role will keep working properly ( I mean restricting in the way that it uses to do).
    1) In case field is copied to the Orglevel area after running the program and the value(s) will stay in both places (OrgLevel and Original place)
    2)  In case field is NOT copied to the Orglevel area after running the program but the value still in the original place .
    right?
    Thanks
    FedeX

  • GRC 10: How to upload Org Level Rules in GRC 10?

    Hello Friends,
    we have implemented GRC 10 recently but missed to move org level rules from GRC 5.3 to 10. I don't see an option to load org rules in SPRO. Can you please let me know how can i load org rules from 5.3 to 10 with out disturbing the existing risks / functions? or is there an option to update tables directly for org rules?

    Hi Colleen Lee,
    Thank you for your response. Yes i see Master Data > Exception Access Rules > Organizational Rules and i am able to create org rules but i am trying to find an option to upload all at a time as we have around 50 org rules and have 2600 lines in it. creating manually will take so long and looking for alternate.
    Thanks & Regards 
    Pradeepthi

  • Adjust manually changed Object field as per org level values

    HI,
    I have a role wherein a field maintained at org. level has been changes in object manually. hence it no more follows the the org. level values assigned.
    The requirement is "this object should get adjusted for its field to have values as per the org. level values" As I remember there is a SAP standard report that when executed for this role, will correct the object and we will be able to again have it's field values aligned with org. level values.
    I am not able to recollect or find the name of the report.
    Need help!!
    Thanks.
    ~ Pranali

    That this option is available in any authorization which is not copied from a standard one is still a mystery to me...
    I normally just check for them to see whether someone toasted the role and solve the root cause problem. Training is the hard way.
    Solution: Delete the authorization and open the role again to maintain the org. level.
    As this is in a development system generally, there are some pre-requisites though to be able to avoid it. Role admin is a very specialized task and everyone always wants more.
    Sandbox systems are cool places to mix the two of them and let people be creative with prototypes etc. Development systems also have feelings and enemies...
    Cheers,
    Julius

  • EXTEND VENDOR  FROM PURCHASE ORG LEVEL TO CO CODE LEVEL

    Dear friends,
    I have create a  vendor master  at purchase organization level  using  T code mk01,  Now  want to extend it to company code level, please suggest me  how to extend vendor code  form  purchase oganiztion level to  company code,
    With regards,
    ARABBAS
    Note : Please search forum before posting
    Edited by: Jeyakanthan A on May 30, 2011 9:48 PM

    Hi
    MK01 can be used for maintaining the vendor details at the purchasing org level & for general data
    FK01 can be used for maintaining the vendor details at the company code level & for general data.
    XK01 can be used for maintaining the vendor details at the company code , purchasing org level and general data
    if wnat extend vendor at company code level,then use t-code xk01 or fk01
    check following link
    [Vendor create]
    Regards
    Kailas Ugale

  • Vendor - MArk for Deletion at Comp code & Pur Org Level

    Hi Gurus
    I want a list of vendors (about 150 Vendor)  to be  Marked for Deletion at Comp code & Pur Org Level  
    How to proceed ?

    hi,
    To be able to archive, you must set the deletion flag in the master record. You can set this flag for a complete vendor or for individual company codes or purchasing organizations.
    You can archive data from different tables using the archiving object FI_ACCPAYB...
    Mark a vendor for deletion centrally as follows:
    Choose Master records ->Maintain centrally -->Mark for deletion.
    The initial screen appears.
    Enter the vendor account number and, if you wish, the company code and a purchasing organization.
    If you do not specify the key for a purchasing organization, you cannot delete this area at a later date, should you wish to.
    Select ENTER .
    The screen for specifying data for deletion appears.
    Select data to mark for deletion by clicking next to the appropriate field.
    Save your entries by choosing Vendor ->Save.
    The system displays the initial screen, with a message confirming that the data has been saved.
    Mark a vendor master record for deletion for the Accounting Department as follows:
    Choose Master records -> Mark for deletion.
    The system displays the initial screen.
    Enter the vendor's account number and the company code.
    Select ENTER .
    The system displays the screen for selecting areas to mark for deletion.
    Select the data either in the company code or in all areas to mark for deletion.
    If you click next to the All areas field, the system will later delete all data for all company codes and for all purchasing areas in this vendor master record.
    Save your entries by choosing Vendor -> Save.
    After you mark a vendor master record for deletion, you can still post to the vendor account. This is necessary, since you might still need to clear open items. When you post, the system issues a warning that you are posting to an account that is marked for deletion.
    Displaying Archived Vendor Master Data
    To display single documents for the archiving object FI_ACCPAYB using Archive Information System you require an information structure that has been created based on one of the following standard field catalogs provided by SAP:
    ●     SAP_FI_ACCPAY_1 (vendor master data FI)
    ●     SAP_FIACCPAY_2 (vendor master data SD)
    Each information structure must be active and filled.
    Edited by: Priyanka Paltanwale on Aug 21, 2008 9:09 AM

  • Question on org level values in derived roles

    I have a set of derived roles for a retail org.
    They have set the org level for the WERKS object to the store number i.e. 0012. in the  M_MSEG_LGO, M_MSEG_WMB,   and M_MSEG_WWE but set it to "" in the  M_MRES_WWA and M_MSEG_WWA. Needless to stay the "" is overiding the site restriction.
    My question is, how can they allow store to store transfers and goods issues for other sites but only do POs and goods receipts for their default store?
    If the transactions in the role are using the same object, it doesn't seem like it can be done but I am told it can! I can't figure it out. Can anyone assist?
    Thanks

    If you are talking about  straight authorization object ( then your design cannot go with derived role concept )
    If your controls are only through the organizational object  only then derived role design will help
    If its a mix of both standard object + organizational level object derived role will not help you.
    Please note
    the WERKS is the organization level  in your case the plan value is 0012
    do not set the values in parent role and also do not populate this value were its "$werks"
    what is TCODE you are using ?
    Edited by: Franklin Jayasim on Jul 21, 2010 11:45 PM

  • GRC AC ARA v10 SP13 - Org Rule Org Level Missing

    Hi Experts!
    Testing ARA Organization Rules soon and have noticed that one of my key Org Levels, $BUKRS, is missing. I have not yet used this functionality on this system. I am already doing the following:
    running the authorization sync job daily (we are in the middle of multiple project builds)
    checked the target systems USORG table for Org Level $BUKRS entry.
    active ruleset function has that Org Level $BUKRS entry and it appears on the Risk Analysis reports
    All other Org Levels are available to use except for this one. Any ideas!
    Thanks in advance.
    -john

    Alessandro,
    Ran both sync jobs again, but it is still not (see below). Checked the logs to be sure it completed.
    We do have two different ECC system connectors (One Production landscape, the other Project landscape), but both have the USORG table for Org Level $BUKRS entry.
    Any other ideas? Is there a GRC ARA GRAC* table I can update or check for this?
    Thanks,
    -john

  • Basic Information about Organizational Level & Org. level value.

    Hello Experts,
      I am new to the field of SAP and security. I have the following questions:
    1. What is an organizational level & org. level value? What do they represent? How do they matter in PFCG?
    2. What is a derived role and what is its usage?
    I appreciate your help regarding this. If you could point me to some documentation regarding this that will be very helpful.
    Regards, Ben

    Ben,
    I am new to the field of SAP and security. I have the following questions:
    1. What is an organizational level & org. level value? What do they represent? How do they matter in PFCG?
    if you want to restrict on region vice (best use org level & values (plant,company code, sales org)
    In role u will notice them in red color
    2. What is a derived role and what is its usage?
    Derived role inherits menu struture and the function from the parent role. Derived role do not differ in their functionalities(identical menu & trans) but have different characterticts with regard to Org levels.
    Eg1; Master role
    PFCG -> role name -> create->menu->enter tcodes-.Auth tab->export mode->read old status and merge with new data->Pop for org levels (give a full access)->see to that everything is green->generate it.
    http://e-mory.blogspot.com/2007/12/sap-pfcg-create-role.html
    Eg2: Derived role
    pfcg->role name->create->in describtion  tab towards right  enter the master role name->Auth tab->export mode->read old status and merge with new data->you will get a pop for org levels (here you can restrict on plant lvel,purchasing group,company code....)
    ->let say for plant : 1000 ->generated / user comparssion
    Once the role is added to the user. User will be albe to see only those plant related details (1000) (i.e he will have access to only plant 1000)
    suppose if the user enters 2000,he will get a error message saying no access to 2000
    NOTE: Any changes to the role should be done in master role (like adding tcodes)
    .http://www.rssfeeddirectory.org/directory/items/346239.aspx
    https://cw.sdn.sap.com/cw/docs/DOC-12021
    http://help.sap.com/saphelp_wp/helpdata/en/1c/c38028816c11d396bc0000e82de14a/content.htm
    Re: Authorization error after transport
    Thanks,
    Sri

  • How to distribute new object from org level

    Hi Expert,
    I'm trying to create a new object: MATKL to org level through program: PFCG_ORGFIELD_CREATE. But I find there are only distribute to all roles. Could you advice if it can be distribute by selected role instead of all roles? Any advice on hierarchy problem?
    Rdgs,
    Emily

    Hi Colleen,
    Actually I want to grant authorization on MM section by separate material group. It's to fulfil some special users are able to access particular material group. So I'm thinking to create new material group org value and distribute from the top level (org level). Could you advice if there is any method can achieve my purpose more safety or easily?
    If I want to control some users access some particular material number which limited by control different material group. Can I just assign object: M_MATE_WGR and control the value for access? If yes, where to assign?
    Rdgs,
    Emily

Maybe you are looking for

  • Output not coming right, if we give LIFNR in selection screen

    Hi, i have LIFNR in selection screen, when i execute my report without inserting value in it...output is proper coming, but when i insert value in LIFNR, report doesn't display any data... please check my code and guide me... TABLES : bsik,bkpf,bseg,

  • Export QT: Interlaced or Progressive

    Hi all, Wonder if you can help me. When I do an export QT from FCP in DV PAL, I have the option to choose Interlaced or Progressive. Now I 've tried both and both files play OK on my computer. My question is when would you use Interlaced and when wou

  • Broken Blog Link

    Hello! I have been reading quite a bit of discussions and they have sure helped me understand building my first web site. Now, as stated in the Subject line, I have a broken blog link in my finished site and I need some advice on how to fix it. You c

  • Fgv with two types of variables

    it goes something like this i want the FGV to have a cluster of two 1D arrays of double (that will be the FGV variable). and the data that i'm "adding" is a double number/constant (whatever), this will be the added variable. the main idea is that i w

  • Fix for No Audio QT7.5

    Hi Try removing obsolete QuickTime Components: FFusion, Xvid Delegate, 3ivX, DivX, XviD, msmpeg4v1, msmpeg4v2, AviImporter, EX_M4S2, and Casio AVI Importer Find in Library/Quicktime. This worked for me. I tried running Repair Permissions - Nothing. T