![\"\"](\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2011\/10\/org_level.jpg\" "\\"org_level\\"")
<\/a><\/p>\n <\/p>\n
\nAs we can see that org level fields can be maintained by “Organizational levels” button at the right top of pfcg-maintain authorization screen.<\/span><\/span><\/p>\n
\n<\/span><\/p>\n<\/span>
\n Based on the requirement, other non-org level authorization fields (barring a few exceptions) can also be converted into org level fields. Program<\/span> PFCG_ORGFIELD_CREATE<\/strong> needs to be executed for this purpose. But this should be done only after thorough analysis because this step may impact several other roles as that authorization field might be present in many roles and once converted to org level, the value will have to be maintained via organizational level button for all those roles.<\/span><\/span><\/p>\n
\n<\/span><\/p>\n
\nSome of the authorization fields which cannot be converted to org level fields are ACTVT (Activity), TCD(Tcode) etc.<\/span><\/p>\n
\n<\/span><\/p>\n<\/span>
\n As we saw that a normal authorization field can be converted to an org level field via program PFCG_ORGFIELD_CREATE. Similarly an org level field can be converted to a non-org level authorization field via program<\/span> PFCG_ORGFIELD_DELETE<\/strong>.<\/span><\/p>\n
\n<\/span>
\nTable AGR_1252<\/strong> maintains roles to org fields values relationship. In this table we can find the org field values that have been maintained for a role.<\/span><\/span><\/p>\n
\n<\/span><\/p>\n
\nTable AGR_1251<\/strong> maintains roles to auth fields values relationship. In this table, we can find the auth field values that have been maintained for roles. One point to notice here is that for fields which are org level fields, we do not get any value in this table, but some alphabets beginning with $<\/strong>, e.g. $WERKS which means plant.<\/span><\/span><\/p>\n
\n<\/span>
\n
\nEarlier in this topic, we had stated that org levels are important because in some roles we need to have same values for some authorization fields across all authorization objects. So instead of maintaining this value individually in all objects, we maintain it only once at the top by clicking on “Organizational levels” button. When a field is defined as org level field, it acts as an org level field for all the roles where it is used.
\n<\/span>
\n <\/span><\/p>\n
\nNow let us assume a scenario where there is an org level field called plant ($WERKS). For all authorization objects where this field is being checked, we want to maintain the same value, except for an object (say XYZ) where we do not want this due to some security requirement. Suppose we want plant values 100 and 200 for all the objects, but for object XYZ we want to maintain only value 100.<\/span> <\/span><\/p>\nCan this be done?<\/strong> <\/span><\/p>\nBecause once we maintain plant values 100 and 200 at the top using organizational levels button, object XYZ will also get value 100 and 200 for field plant. We can achieve our requirement by applying the concept of<\/span> org level breaking<\/strong>.<\/span><\/p>\n
\n<\/span>
\n
\nTo apply only value 100 for object XYZ, we need to manually change this field.<\/span><\/span><\/p>\n