If business requires, it's possible in SAP to promote non-organizational authorization fields to organizational fields. This can be done using PFCG_ORGFIELD_CREATE. However, upon use it is possible that you receive the message that the program has become obsolete. To counter this, SAP has delivered a new transaction: SUPO/SUPO_SEL (see note 2625102). Once done in DEV, you will need to do this in QAS and PROD, and do the field conversion as well because the conversion is NOT transportable.
Please note, there is a CON in promoting to organizational level: If the field is an "authorization group" type of field, and used by (for example) 4 authorization objects, you should check that you are using all 4 with the same values for the groups (most often this is not the case, and promoting will lead to inconsistencies and problems in maintenance). For example, the authorization groups for programs and tables are not good candidates for organizational levels as they are not scalable in this way. Central customer, customer and GL account groups are not good candidates either because they are being used by multiple objects throughout your SAP role concept.
However, there is a solution!
Would you like to restrict authorization fields that are being used by multiple authorization objects? This can be done! With CSI Role Build & Manage you can derive all roles with appropriate values, even if the authorization fields that it needs to be derived on, are not stated as organizational values.
This means that if you would like to derive roles with account types, vendor account groups, authorization groups for only one specific authorization object, it’s possible in CSI RBM. Define the values in the central codification document and CSI RBM will build these roles for you:
It's a PRO that there's no need to promote organization levels first. Just document all your values that deriving should take into account into one central codification sheet. All roles will be derived with the correct values.
CSI RBM has comparison features available to find inconsistencies between your role concept's design, and the role concept that is being used in your SAP system, which results in no more inconsistencies in the role setup.
Interested how you can speed up role building in an automated and compliant way? Let's schedule a demo session! Send us a message at email@example.com.