Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Alternate to derived roles

Former Member
0 Kudos

The question is related to authorization. I dont want to create the derived roles. I want to assign organizational level directly to the users. For example to assign SAP standard role to different users who needs access to different sales sales organization.

The same role will get assign to the users for accessing different organizational values.

How to configure this scenarion in R3. (ECC)

5 REPLIES 5

Former Member
0 Kudos

Hi,

I don't think you can do this without Derived Roles, However you can try one role will have t-codes and another role have org levels.

Regards,

Arjun

Former Member
0 Kudos

Hello

First, this question should be addressed on the security forum to get effective response.

Second, No. you can't unless the system is HR system. Again, to be sure, ask security experts.

Cheers!

Javed

Former Member
0 Kudos

Next closest thing is business partner profiles, but that is not a guarantee that you will get around all org-level relevant checks and will need PFCG roles in the end.

Worth investigating though, you need to tell use more than just "access to sales organization"...

Access from where? What type of access?

Cheers,

Julius

0 Kudos

Hi,

be a were to use SAP authorizations as designed. If you do it in an other way and you have to deal with changing authorization personal then you introduce troubles is my experience. Sure you can work with roles that only have the organizational values, but this is the same as derived roles. The reason I heard is to many authorization records, but if you compare this with the transactional data is this nothing. If you use the derived option and do not change the content of the role but only the organizational values, are changes done on one place and the generation takes care of everything else.

have fun

Bye

Jan van Roest

Former Member
0 Kudos

Hi Samir,

what you are looking is the so called "area role concept". Actually this concept is not SAP standard but it is described in the SAP book "Authorizations in SAP Software: Design and Configuration: SAP Authorization System Design and Configuration". In the book it is chapter 9. This concept also uses HCM OM. Not sure if you use it.

On the other a side, a big disadvanatage is that you cannot differentiate on an organzational level. Because if you assign the organizational values to the user, you are not able to assign individual organzational values you may need for some authority objects.

Kind regards