Assign permission roles through organisation chart

Here we have a position and an employee holding it. The employee has an infotype 0105 record with the system username. Boom, we have everything we need to set up automatic assignment of permission roles to this user based on his position or job in the organizational chart. If Vasya is hired into a manager position, he gets the manager role assigned at the same time his infotype 0001 record is created. When he moves to HR Director, his manager role is revoked and the HR Director role is assigned instead. Once he is terminated, all permissions are revoked immediately. Your Information Security Officer will adore you. Here is a standard solution for assigning permission roles in SAP HR.
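The joiner, mover and leaver cases above can also be audited from outside the system by comparing an HR extract with the current role assignments. This is an added Python sketch, not SAP's standard assignment mechanism and not code from this blog; the role names, position keys and sample records are constructed.

```python
from datetime import date

# Hypothetical mapping: org-chart position -> roles it should carry.
POSITION_ROLES = {
    "MANAGER": {"Z_HR_MANAGER"},
    "HR_DIRECTOR": {"Z_HR_DIRECTOR"},
}
MANAGED = set().union(*POSITION_ROLES.values())

def is_terminated(emp, today):
    left = emp.get("terminated_on")
    return left is not None and left <= today

def expected_roles(emp, today):
    """Roles an employee should hold today according to the org chart."""
    if is_terminated(emp, today):
        return set()
    return set(POSITION_ROLES.get(emp.get("position"), ()))

def reconcile(employees, assigned, today):
    """Return {username: (to_assign, to_revoke)} for out-of-sync users."""
    plan = {}
    for emp in employees:
        user = emp.get("username")
        if not user:
            continue  # no infotype 0105 username: nothing to assign to
        want = expected_roles(emp, today)
        have = assigned.get(user, set())
        if not is_terminated(emp, today):
            have = have & MANAGED  # active users keep manually granted roles
        if want != have:
            plan[user] = (want - have, have - want)
    return plan

# Constructed sample data: a mover, a leaver and a user already in sync.
TODAY = date(2024, 3, 1)
EMPLOYEES = [
    {"pernr": "00001001", "username": "VASYA", "position": "HR_DIRECTOR"},
    {"pernr": "00001002", "username": "PETYA", "position": "MANAGER",
     "terminated_on": date(2024, 2, 29)},
    {"pernr": "00001003", "username": "MASHA", "position": "MANAGER"},
]
ASSIGNED = {
    "VASYA": {"Z_HR_MANAGER", "Z_ESS_BASIC"},
    "PETYA": {"Z_HR_MANAGER", "Z_ESS_BASIC"},
    "MASHA": {"Z_HR_MANAGER"},
}
PLAN = reconcile(EMPLOYEES, ASSIGNED, TODAY)
```

An empty plan means every account matches the org chart; any entry for a terminated employee is the finding to act on first.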

Should we do this?

Watching SAP Query

I think you’ve read the SAP courses very carefully and with attention, and you surely know about SAP Query’s logging abilities. I didn’t know about them. I’ve read some courses and found curious things I’d like to share with you.

For example, we can log everything a user runs in ad-hoc query or SAP Query. Let’s set it up.
Open SQ02 and choose menu Extras – Set Logs.

Here we add InfoSets and query areas (standard and global). The first column is for the area (a space for standard, G for global). The second column is for the InfoSet name or an asterisk.

FAQ. What SAP learning materials to use

Where to start when you enter the SAP market is a good question. The easiest way is to take the official SAP courses, but it’s also the most expensive way. So let me share some thoughts on my reader’s question: where can you find good SAP learning materials for free?

If you want to go for some private courses, feel free to contact me – I have something for you!


What resources would you recommend to learn SAP? I’m interested in technical architecture, testing, courses.


Personally, I learn SAP on these free resources:

Great SAP licensing news


Have you heard the great news from SAPPHIRE? Right away, SAP said they’ll allow access to your SAP data in read-only mode without additional licenses, or with another license which could cost less than a regular named user or employee user license.

Isn’t it great for 3rd party developers, who can download data from SAP and provide a user-friendly portal solution or mobile app for employees? There are tons of customers who don’t want to pay for ESS but would like to share paystubs or a leave overview with their employees digitally!

Here is the link

SAP ABAP Quality

Life throws interesting tasks at me. The other day I was thinking about automating ABAP code quality checks. There is a tool to control ABAP quality, and it’s called ATC – ABAP Test Cockpit. I guess we can set up the system to verify ABAP code quality in ABAP Code Inspector, where we set rules for naming, code blocks, conventions, etc. We can ask the system to schedule code checks before any transport request moves forward to quality or production. The system will stop the transfer if there are mistakes in the code or even in variable naming.


Testing ABAP Code in SAP

testing ABAP code in SAP (image owner/author is unknown)

Permission roles derivation (inheritance)

Continuing with the SAP alphabet. I hope we both understand that there are template roles and functional roles, and that they differ.
Template roles are never assigned to end users; they are templates for functional roles. We use them to edit a function quickly in one place and pass the changes down to the functional roles. Functional roles are already filled in with exact permissions for personnel areas, employee groups and subgroups, business units and other objects.

If you don’t want to die creating every combination of functional roles for each personnel area and employee group, you can use the derivation tool. When deriving, we define a master role (the template) with a nice user menu and set up its authorization objects with organizational levels. Then we can easily create a derived role which references the master role. The derived role inherits the menu and all authorization objects from the master role. Any change we make in the master role is reflected in the derived roles. We can also make changes in the derived roles without any effect on the master. The only thing you can’t change in a derived role is the user menu.

In pictures it looks like this.

Create master role

Organisational Levels – Simplify SAP Permission roles management

How to maintain a huge number of permission roles in SAP?

Have you ever maintained a huge number of permission roles in SAP systems? It’s a nightmare when you need to change dozens of roles to roll out a new personnel area or a plant. The clever boys at SAP have given us two solutions that really work: permission role inheritance and organizational levels. The first one is explained in detail here, while the second is described below for your convenience.

Solution – Organizational Levels

Organisational levels are variables which can be filled centrally instead of being filled in manually in each permission object. An organizational level is created with the PFCG_ORGFIELD_CREATE report. Run it and enter the technical name of the field (like PERSK) you want to make available as an org. level. If you made a mistake, run the PFCG_ORGFIELD_DELETE report to delete it. So you create an organizational level for the PERSK field in the P_ORGIN object and can then maintain it in a single window. It’s very convenient in HCM, where you can have several P_ORGIN objects within a single role.
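Role derivation and organizational levels work together, so one model covers both passages: the master role carries variables, and each derived role fills them once for all of its P_ORGIN instances. This is an added Python model and not SAP or blog code; the role names and the variable spelling `$PERSA`/`$PERSK` are assumptions for illustration, and the sample data is constructed.

```python
class MasterRole:
    """Template role: user menu plus authorization objects whose
    organizational fields hold variables instead of concrete values."""
    def __init__(self, name, menu, auths):
        self.name, self.menu, self.auths = name, list(menu), list(auths)

class DerivedRole:
    """Functional role: inherits menu and objects from the master and
    supplies the organizational level values once for the whole role."""
    def __init__(self, name, master, org_levels):
        self.name, self.master = name, master
        self.org_levels = dict(org_levels)
        self.local_auths = []  # changes made only here; the master is untouched

    @property
    def menu(self):  # no setter: the menu cannot be changed in a derived role
        return tuple(self.master.menu)

    def resolved(self):
        """Authorizations with each variable replaced by this role's value."""
        out = []
        for obj, fields in self.master.auths + self.local_auths:
            filled = {}
            for field, value in fields.items():
                if isinstance(value, str) and value.startswith("$"):
                    if value not in self.org_levels:
                        raise ValueError(f"{self.name}: {value} not maintained")
                    value = self.org_levels[value]
                filled[field] = value
            out.append((obj, filled))
        return out

# Constructed sample: two P_ORGIN instances in one master role.
MASTER = MasterRole("Z_T_HR_ADMIN", ["PA20", "PA30"], [
    ("P_ORGIN", {"INFTY": "0001", "AUTHC": "R",
                 "PERSA": "$PERSA", "PERSK": "$PERSK"}),
    ("P_ORGIN", {"INFTY": "0008", "AUTHC": "R",
                 "PERSA": "$PERSA", "PERSK": "$PERSK"}),
])
AREA_1000 = DerivedRole("Z_F_HR_ADMIN_1000", MASTER,
                        {"$PERSA": ["1000"], "$PERSK": ["10", "11"]})
AREA_2000 = DerivedRole("Z_F_HR_ADMIN_2000", MASTER,
                        {"$PERSA": ["2000"], "$PERSK": ["10"]})
```

A derived role with an unmaintained variable raises an error in `resolved()`, which is the case worth checking for before such a role reaches users.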

Change role and authorization in PFCG transaction

LSMW errors when you work with files

Sometimes when you load a file in LSMW (the Read Data step), the system throws an error with a code and no human-readable explanation. To understand it, I advise you to look at this ABAP code from the standard LSMW program. With this function module’s return codes (which are at the same time the LSMW error codes), it is easier to understand what’s wrong. Here is the list of LSMW errors you can get when working with text files. This step occurs just before you run Convert Data in the legacy workbench. These return codes represent the errors SAP shows us during the file read step.

* Parameters passed to the function module
filename                      = l_filename
filetype                      = l_filetype
codepage                      = l_codepage
*     HAS_FIELD_SEPARATOR           = ' '
*     HEADER_LENGTH                 = 0
*     READ_BY_LINE                  = 'X'
*     FILELENGTH                    =
*     HEADER                        =
data_tab                      = l_upload_table
* Exceptions: the number on the right is the return code LSMW reports
file_open_error               = 1
file_read_error               = 2
no_batch                      = 3
gui_refuse_filetransfer       = 4
invalid_type                  = 5
no_authority                  = 6
unknown_error                 = 7
bad_data_format               = 8
header_not_allowed            = 9
separator_not_allowed         = 10
header_too_long               = 11
unknown_dp_error              = 12
access_denied                 = 13
dp_out_of_memory              = 14
disk_full                     = 15
dp_timeout                    = 16
OTHERS                        = 17