Easy way to see your access permissions

Do you know there is an easy way to see your access permissions in SAP? Sometimes you can find out even more what lazy security administrators forgot to cut out. 

All you need is to open one specific transaction, expand all the shown data and download the list to the MS Excel. Open it there, sort and remove duplicates to make it easy-looking. 

And here we go, SU56 allows you to see all your permissions with a user you logged in. It reads security buffer and shows all objects and security field values.

Don’t thank me, just share and subscribe! 

Assign permission roles through organisation chart

Here we have a position and employee holding it. An employee has 0105 infotype record with system username. Boom, we have everything to set up automatic permission roles assignment to this user based on his position or job in the organizational chart. If that Vasya was hired to a manager role, he’ll get manager role assigned to him the same time we have 0001 infotype created. When he moves to HR Director his manager role is revoked and a new one assigned to HR Director. Once he gets terminated all permissions are revoked immediately. Information Security Officer will adore you. Here is a standard solution to assign permission roles in SAP HR.

Should we do this?

Read More

Permission roles derivation (inheritance)

Continuing with SAP alphabet. Hope we both understand that there are template roles and functional and they differ.
First ones are never assigned to end users and in fact are templates for functional roles. We use them to quickly edit function in one place and derive changes to functional. Functional roles are already typed with exact permissions for personnel areas, employee groups and subgroups, business units and other objects.

If you don’t want to die creating all combinatoric variety of functional roles per each personnel area and employee group, you can use derivation tool. When deriving we define master role (template) with a nice user menu, setup authorization objects with organizational levels. Then with easy we create derived role which references to master role. Derived role inherits menu and all authorization objects from the master role. When we do any change in master role it reflects in slave roles. Also we can do any changes in slave roles without any effect to master. You only can’t change user menu in slave role.

In pictures it looks like this.

Create master role

Read More

Organisational Levels – Simplify SAP Permission roles management

How to maintain a huge number of permission roles in SAP?

Have you ever maintained a huge number of permission roles in SAP systems? It’s a nightmare when you need to change dozens of roles to run a new personnel area or a plant. Clever boys in SAP have provided two really working solutions to us. Permission roles inheritance and organizational levels. The first one is explained in details here, while the second part is below for your convenience.

Solution – Organizational Levels

Organisational levels are variables which could be filled centrally instead of filling up in each permission object manually. The organizational level is created in PFCG_ORGFIELD_CREATE report. Run it, fill with technical field name (like PERSK) you want to make available as org. level. If you made a mistake, run PFCG_ORGFIELD_DELETE report to delete. So you create an organizational level for PERSK field in the P_ORGIN object and can set it up within one window. It’s very convenient in HCM where you could have several P_ORGIN objects within a single role.

Change role and authorization in PFCG transaction

Change role and authorization in PFCG transaction

Read More