Question:
How critical is it to create a new org. level for maintaining roles (pfcg => authorizations => exp. mode)?
At the time, only the "plan version" is created, but I think defining new levels like sales org. would help.
Answer:
It comes down to a maintenance issue. Many of the org levels already exist and are available for you to activate. You have to decide if the org levels used in the roles are "single threaded", meaning that in a role all values for the fields you are considering as an org level are the same for all authorizations in that role, with no mixing of "in MM I need value X, in FI I need value Y" for the same field.
Ones to consider are Sales org and Movement type: fields that occur numerous times in many auth objects but have the same value.
Answer:
Thanks for your reply, John. We have about 10 different sales organizations and about 6 groups of users. Each group deals only with 1-2 sales orgs, and some users can access all of them. There is no overlap between the responsibilities of the sales orgs.
What problems or risks can occur when using a new org. level, except the need to check roles/profiles?
Thanks in advance.
Martin
Answer:
There is no problem in using the org level and they are preferred. The only challenge is to ensure you analyze the report SAP generates to ensure you want what it suggests. In some authorizations the field may have an asterisk and in others a specific value in the same role. So by accepting the values without looking or noting where the discrepancies are, you may end up with more access than desired.
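
The pre-check the answers describe (is the candidate field "single threaded" in each role, or does it mix an asterisk or different values across authorizations?) can be scripted before accepting the proposed values. This is an added example, not part of the thread and not SAP's own logic: it assumes a CSV export of role authorization values with hypothetical columns `role, object, auth, field, value`, and the role names and rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (assumed column layout, not real system data).
SAMPLE_EXPORT = """\
role,object,auth,field,value
Z_SALES_NORTH,V_VBAK_VKO,T_S0010001,VKORG,1000
Z_SALES_NORTH,V_VBAK_VKO,T_S0010001,ACTVT,03
Z_SALES_NORTH,V_VBRK_VKO,T_S0010002,VKORG,1000
Z_SALES_MIXED,V_VBAK_VKO,T_S0020001,VKORG,2000
Z_SALES_MIXED,V_VBRK_VKO,T_S0020002,VKORG,*
Z_SALES_SPLIT,V_VBAK_VKO,T_S0030001,VKORG,3000
Z_SALES_SPLIT,V_VBAK_VKO,T_S0030001,VKORG,3100
Z_SALES_SPLIT,V_VBRK_VKO,T_S0030002,VKORG,3000
"""

def audit_org_level_candidate(export_text, field):
    """Report, per role, whether `field` holds one value set in every authorization."""
    # role -> (object, authorization) -> set of values held for the field
    per_auth = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["field"] == field:
            key = (row["object"], row["auth"])
            per_auth[row["role"]][key].add(row["value"].strip())

    findings = {}
    for role, auths in per_auth.items():
        union = set().union(*auths.values())
        if len({frozenset(v) for v in auths.values()}) == 1:
            status = "consistent"      # single threaded: safe candidate
        elif "*" in union:
            status = "wildcard-mix"    # asterisk in one auth, specific value in another
        else:
            status = "value-mix"       # different specific values per auth
        # Assumption for illustration: one role-wide value set replaces all of them.
        merged = {"*"} if "*" in union else union
        # Authorizations that would end up with more access than they have today.
        widened = sorted(k for k, v in auths.items() if "*" not in v and v != merged)
        findings[role] = {"status": status, "merged": sorted(merged), "widened": widened}
    return findings

if __name__ == "__main__":
    for role, f in sorted(audit_org_level_candidate(SAMPLE_EXPORT, "VKORG").items()):
        print(role, f["status"], f["merged"], f["widened"])
```

Roles reported as anything other than `consistent` are the ones to review by hand before the field is maintained as an org level.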