
Organization level control on Role

Dear security gurus.

I have 2 business roles in company and 2 subsidiaries under HQ.

Each company has

- Account clerk

- Account manager

HQ's clerk & manager: be able to check all companies' data.

Subsidiary's clerk & manager: be able to check ONLY their own company's data

In this case, I have to create these 6 roles, because

company code restriction can be controlled only by role, not user.

Am I correct?

1.HQ's manager(Company code: *)

2.HQ's clerk(Company code: *)

3.Subsidiary1's clerk(Company code: 1)

4.Subsidiary1's manager(Company code: 1)

5.Subsidiary2's clerk(Company code: 2)

6.Subsidiary2's manager(Company code: 2)


Former Member replied

There is another approach you can consider, Enabler Role based.

1. Create roles including only transactions and all associated authorizations. Keep org levels blank (comp code in your case). So you need to create 2 roles: CLERK and MANAGER.

2. Create enabler roles for each company code. These roles will not have any tcode. Only authorization objects related to org levels (company code) would be added to this role. So you need to create 2 enabler roles: COMPCODE1 and COMPCODE2.

Now you can assign appropriate combinations to any user. For example, a clerk of company 1 would be assigned the CLERK and COMPCODE1 roles.

HQ managers and clerks would get their respective tcode-based role and multiple enabler roles.

This approach would be much easier to handle: if there is any new position, you would just have to create a tcode-based role. If there is a new company code, you would just need to create an enabler role.

In enabler roles, you can also consider other finance related org levels apart from company code.
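The role combinations described in this reply, modelled as an added example that is not part of the original post. The role names come from the reply; the transaction names, the users, and the rule that effective access is the union of all assigned roles are assumptions of this simplified model.

```python
# Added illustration; role names CLERK, MANAGER, COMPCODE1, COMPCODE2 come from
# the reply. Transaction names and users are constructed placeholders.
# Assumption: effective access = union of everything in the assigned roles.

TCODE_ROLES = {                      # transactions only, org levels blank
    "CLERK": {"TX_DISPLAY_DOC"},
    "MANAGER": {"TX_DISPLAY_DOC", "TX_APPROVE_DOC"},
}
ENABLER_ROLES = {                    # no transactions, only company codes
    "COMPCODE1": {"1"},
    "COMPCODE2": {"2"},
}
USERS = {                            # constructed sample assignments
    "sub1_clerk": ["CLERK", "COMPCODE1"],
    "sub2_manager": ["MANAGER", "COMPCODE2"],
    "hq_manager": ["MANAGER", "COMPCODE1", "COMPCODE2"],
    "mixed_user": ["CLERK", "COMPCODE1", "MANAGER", "COMPCODE2"],
}

def effective_access(roles):
    """Return (transactions, company codes) granted by a list of roles."""
    tcodes, codes = set(), set()
    for role in roles:
        tcodes |= TCODE_ROLES.get(role, set())
        codes |= ENABLER_ROLES.get(role, set())
    return tcodes, codes

def can_run(user, tcode, company_code):
    """True if the user holds both the transaction and the company code."""
    tcodes, codes = effective_access(USERS[user])
    return tcode in tcodes and company_code in codes

def role_counts(positions, company_codes):
    """Roles to maintain: one per combination (plus the '*' HQ variant)
    versus one per position plus one per company code."""
    return positions * (company_codes + 1), positions + company_codes

if __name__ == "__main__":
    for user, roles in USERS.items():
        tcodes, codes = effective_access(roles)
        print(user, sorted(tcodes), sorted(codes))
    print("combination roles vs enabler roles:", role_counts(2, 2))
```

Under the union assumption, `mixed_user` can run the manager transaction in company code 1 as well as 2, so assigning two position/enabler pairs to one user grants every combination of them.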


