How to maintain a huge number of permission roles in SAP?

Have you ever maintained a huge number of permission roles in SAP systems? It's a nightmare when you need to change dozens of roles to run a new personnel area or a plant. The clever boys at SAP have provided us with two solutions that really work: permission role inheritance and organizational levels. The first one is explained in detail here, while the second is described below for your convenience.

Solution – Organizational Levels

Organizational levels are variables that are filled centrally instead of being filled in manually in each permission object. An organizational level is created with the PFCG_ORGFIELD_CREATE report: run it and enter the technical name of the field (like PERSK) that you want to make available as an org. level. If you made a mistake, run the PFCG_ORGFIELD_DELETE report to delete it. So once you create an organizational level for the PERSK field in the P_ORGIN object, you can set it up within one window. It's very convenient in HCM, where you could have several P_ORGIN objects within a single role.

Change role and authorization in PFCG transaction

Below is a simple role with two objects.

Define Organizational Levels in SAP PFCG transaction

Open Goto -> Organizational Levels.

As we can see, our new organizational level has appeared (by default, PERSK is not a standard organizational level). Fill it with a new value and save.

Example of Organizational Levels in SAP PFCG transaction

Having done this, we have filled all P_ORGIN-PERSK fields in the role.
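
To confirm that result from an export of the role's authorization data, the following added example (not part of the original post) compares every P_ORGIN-PERSK value in a role against the value maintained as its organizational level. The row layout, role names, authorization names and values are constructed assumptions, not an SAP export format.

```python
from collections import defaultdict

# Constructed sample export: one row per field value of each authorization,
# as (role, object, authorization, field, low, high). Layout is an assumption.
AUTH_ROWS = [
    ("Z_HR_ADMIN", "P_ORGIN", "T-HR000100", "PERSK", "DU", ""),
    ("Z_HR_ADMIN", "P_ORGIN", "T-HR000100", "INFTY", "0002", ""),
    ("Z_HR_ADMIN", "P_ORGIN", "T-HR000101", "PERSK", "DU", ""),
    ("Z_HR_ADMIN", "P_ORGIN", "T-HR000102", "PERSK", "*", ""),  # wider than the org level
    ("Z_HR_VIEW", "P_ORGIN", "T-HR000200", "PERSK", "", ""),    # role without an org level value
]
# Constructed org level values maintained per role: (role, field, low, high).
ORG_ROWS = [("Z_HR_ADMIN", "PERSK", "DU", "")]


def audit_org_level(auth_rows, org_rows, obj="P_ORGIN", field="PERSK"):
    """List authorizations whose field values differ from the role's org level."""
    # Value ranges maintained centrally for this field, per role.
    org = defaultdict(set)
    for role, org_field, low, high in org_rows:
        if org_field == field:
            org[role].add((low, high))

    # Value ranges actually present in each authorization of the object.
    per_auth = defaultdict(set)
    for role, row_obj, auth, row_field, low, high in auth_rows:
        if row_obj == obj and row_field == field:
            per_auth[(role, auth)].add((low, high))

    findings = []
    for (role, auth), values in sorted(per_auth.items()):
        if role not in org:
            findings.append((role, auth, "org level not maintained"))
        elif values != org[role]:
            findings.append((role, auth, "differs from org level"))
    return findings


if __name__ == "__main__":
    for role, auth, reason in audit_org_level(AUTH_ROWS, ORG_ROWS):
        print(f"{role} {auth}: {reason}")
```

An empty result means every P_ORGIN authorization in the export carries exactly the centrally maintained PERSK value.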

While working with permissions, don't forget to use permission role derivation, which makes life way easier.