restrict in own org elements

Question: There are often cases where users can access a tcode in all the org elements such as companies. Taking FI posting FB01 as an example, users have access to company code *.

How should I limit the users' access to their own companies?

1. I use SUIM to get a list of roles by searching object F_BKPF_BUK with value *?

2. or I should work on field BUKS rather than the object?

How do you gurus do this?

Thx.

Answer:
If you are building at role level (rather than profile) you should be using the org level functionality of PFCG; this will populate all org levels with the same values. If you have been maintaining them in the objects rather than through the org level functionality you will need to clear out all the values before re-populating via the org level method. Failure to do this can result in the original values staying in there & giving incorrect access.

Answer:
Thanks Guest.

I should have made it clearer that the org elements authorisations were done from org level functionality in PFCG, not directly from auth objects. The problem is that now I am trying to correct the authorisations done by other guys.

I firstly need to find out all the roles having access to * in any of the org elements, then correct them to respective org elements.

Answer:
You can do an SE16 search on the AGR_1252 (it may be 1251) that houses the org values for a role and then look at the authorization values in the other table to look specifically for an asterisk (using the select option determination "="; the button looking like a bouquet of flowers).

I also recall a report SAP has to RESET all the org levels that were overridden; you would have to search SE38 for all PRGN* reports or do a where-used on table AGR_DEFINE to find the report. (Not logged on at present.)
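
An added example, not part of the original thread: one way to run the search described in the answer above offline, over SE16 exports of AGR_1252 and AGR_1251 saved as tab-separated text. The column names, the `$BUKRS` variable (the company code org level, written BUKS in the thread), the DELETED flag and all sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample exports (SE16 list saved as tab-separated text with header row).
AGR_1252_EXPORT = """AGR_NAME\tVARBL\tLOW\tHIGH
Z_FI_CLERK_1000\t$BUKRS\t1000\t
Z_FI_DISPLAY_ALL\t$BUKRS\t*\t
Z_FI_DISPLAY_ALL\t$KOKRS\t*\t
"""
AGR_1251_EXPORT = """AGR_NAME\tOBJECT\tFIELD\tLOW\tHIGH\tDELETED
Z_FI_CLERK_1000\tF_BKPF_BUK\tBUKRS\t$BUKRS\t\t
Z_FI_CLERK_1000\tF_BKPF_BUK\tACTVT\t03\t\t
Z_FI_DISPLAY_ALL\tF_BKPF_BUK\tBUKRS\t*\t\t
Z_FI_OLD\tF_BKPF_BUK\tBUKRS\t*\t\tX
Z_FI_MANUAL\tF_BKPF_BUK\tBUKRS\t1234\t\t
"""


def _rows(text):
    """Parse a tab-separated export into dicts keyed by column name."""
    return csv.DictReader(io.StringIO(text), delimiter="\t")


def wildcard_org_levels(agr_1252):
    """Map each role to the org level variables it holds as '*' in AGR_1252."""
    hits = {}
    for row in _rows(agr_1252):
        if row["LOW"].strip() == "*":
            hits.setdefault(row["AGR_NAME"], set()).add(row["VARBL"])
    return hits


def overridden_org_fields(agr_1251, org_fields):
    """List active AGR_1251 rows where an org field carries a literal value
    instead of its $VARIABLE, i.e. it was maintained in the object directly
    and will not follow the PFCG 'organizational levels' button."""
    findings = []
    for row in _rows(agr_1251):
        if row["DELETED"].strip() or row["FIELD"] not in org_fields:
            continue  # skip deleted authorizations and non-org fields
        low = row["LOW"].strip()
        if not low.startswith("$"):
            findings.append((row["AGR_NAME"], row["OBJECT"], row["FIELD"], low))
    return findings


if __name__ == "__main__":
    print(wildcard_org_levels(AGR_1252_EXPORT))
    print(overridden_org_fields(AGR_1251_EXPORT, {"BUKRS"}))
```

The first function gives the list of roles to correct through the org level dialog; the second gives the roles where values were typed into the object itself and have to be reset before the org level values take effect.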

Answer:

I also recall a report SAP has to RESET all the org levels that were overridden; you would have to search SE38 for all PRGN* reports or do a where-used on table AGR_DEFINE to find the report. (Not logged on at present.)

Thank you very much, John.

I am not quite sure what you mean by the second part here. But it might well be for the problem I am thinking of.

Basically I have a role copied from SAP_ALL_DISPLAY; it is currently with * for the org elements. Taking FB01 as an example, object F_BKPF_BUK has 03 and 08 to BUKS *. The problem is that all the objects copied from SAP_ALL_DISPLAY have a status 'manually'; even if I use the PFCG's 'organizational levels' button, the new value for company code 1234 won't populate into BUKS in F_BKPF_BUK.

Is what you said for this problem? Otherwise, how can we solve our particular problem? Manually deleting all of those first seems a bit tedious.

Answer:
Hi,

I really need an answer about how to change the org level values to the right ones for status "manually". If I go through every org element in the copy of SAP_ALL_DISPLAY, and delete the old values individually, it takes a lot of time.

I am just wondering if there is a smarter way to do it, so that I can learn a new method as well.

Thanks.

Answer:
For those of you who don't know the name of the report to reset org levels from individually maintained to system defaults: AGR_RESET_ORG_LEVELS report.