Solved: Organizational levels of the role

Former Member · ‎06-07-2010

Hello,

I am on ERP 6.0 and creating a new role in PFCG with below tcodes:

CX15

CX17

CX1I

CX1L

CX1O

CX1R

CX1Y

CX2V1

CX52

CX5I1

CXNQ

CXR3

CXR6

When I click on the Change Authorization Data tab, it display a window as below:

Maintain the values for the organizational levels of the role

Org Level From To

Consolidation unit

Consolidated entity

View

Do I need to enter the information for Consolidation unit, Consolidated entity and View?

If yes, how do I know what information to enter?

Thank you.

Former Member · ‎06-07-2010

Hi,

For organsational level values.. contact your functional people .. who has reported the requirement to create a new role.

check to which country .. compnay code ... controlling area .. e.t.c ..

based on this .. you need to discuss this with your functional team and get the values for these organisational values.

Sanketh.

Former Member · ‎06-07-2010

Hi,

For organsational level values.. contact your functional people .. who has reported the requirement to create a new role.

check to which country .. compnay code ... controlling area .. e.t.c ..

based on this .. you need to discuss this with your functional team and get the values for these organisational values.

Sanketh.

Former Member · ‎06-07-2010

Unfortunately, the functional people is not very sure, does this mean the only way to find out is wait till the users actually run the

tcode/report and then use SU53 to capture the missing authorization?

Bernhard_SAP · ‎06-07-2010

rather use ST01 to trace all checks at one single run....

b.rgds, Bernhard

Former Member · ‎06-08-2010

Bernhard,

Do you mean to ask a user to run the tcodes and then use ST01 to trace his authorization values?

Sri,

I am creating single role. I have not used a Master role before, what is the advantage of it as compared to

single role?

When creating a new role - pls select auth tab -> export mode -> read old status and merge with new data.
(by this the objects anr tcodes get pulled in to the role)

I cannot find the export mode under the auth tab...

Former Member · ‎06-08-2010

what happens when you click the expert mode instead?

Former Member · ‎06-08-2010

Hi Steven,

You can give full access to the role & ask the user to run the trace, while you have kept trace ON. After the user's activity is complete, check the trace file on what values has it recorded while the user did his/her activity. You will get the information on the values that you require.

Also for the Master & Derived role concept, you would use them if you would be having too many roles with same transaction codes & authorizations but with different Organizational levels

For the Expert Mode, the button is below the "Change Authorization data" icon, when you are in change mode

Former Member · ‎06-07-2010

Hi Steven,

Your Project's Functional Team can tell you on what information you need to enter that has been maintained

Former Member · ‎06-07-2010

Hi,

Kindly get in touch with the business as the values must have been maintained beforehand for each site. You can't wait for the users to execute the TCODES and then work accordingly on the SU53's.

Regards,

Manisha Nadir

Former Member · ‎06-08-2010

Steve,

Are you creating a master role using pfcg - then you can go with full authorization. based on this dervied roles will be created.

If it is a single role / dervied role then you have to get the values from busniess users / functional users.

Suggestion Is :

When creating a new role - pls select auth tab -> export mode -> read old status and merge with new data.(by this the objects anr tcodes get pulled in to the role)

Thanks,

Sri

Former Member · ‎06-08-2010

If you are absolutely sure that your business/functional team cannot help here, you could take help from an ABAPper as well. Check for the auth object(s) which contains the three org fields : "Consolidation unit,Consolidated entity,View" (you can do this by expanding the authorization data of the role). Once you have the technical names of these auth objects and org level values, you can check with an ABAPPER and trace back to the tables, etc where the values for these fields could be maintained.

If that also does not work, please try tracing user access without filling up values for these fields.

Keep SU53 as a last resort, that will be time consuming...

Good luck,

Soumya

Former Member · ‎06-08-2010

Steven,

I know that i am sounding arrogant and bad on this but the fact is, If i have a manufacturing plant somehwhere out there and i install SAP at home, i wouldnt have the plant shown in my home SAP environment, i will have to spend time to understand how to configure and then actually do it

You are trying to create authorizations for a functionality (Business Consolidation) for which you have NO Functional consultant who could help - I can understand that it is a "not-nice-to-be-in" kind of a situation. but i think you have ony 2 options left

1.

Ask the person who made the request, to give you details on what "dimensions" or "consolidation chart of accounts" should your authorizations be restricted to? It is a question that can help you out of the mess. If he gives you the details - well and good - maintain them. If he doesnt you need not do it

2

Go to any of the transactions CXNQ for example, on the selection screen parameter click on F1 for any of the fields, then go to customizing, change/maintain values as you deem correct (if you are the EXPERT) .........Viola, you will have these values in the F4 search help in PFCG role maintenance

I am sure everyone on the forum would be keen to know on the progress, so do post an update whenever you can