Enterprise Resource Planning Blogs by Members
Gain new perspectives and knowledge about enterprise resource planning in blog posts from community members. Share your own comments and ERP insights today!
cancel
Showing results for 
Search instead for 
Did you mean: 
Former Member

Hello everyone, recently our client had a requirement that the OM Org Structure should be controlled by few users; and other OM users should not be allowed to alter the structure.

In any organization, the Organizational structure is maintained in OM (Organizational Management) module of SAP HR. Here, the Org units normally represent plants, departments etc. Cost centers are assigned to Org units. These cost centers are used to understand the expenses over departments, plants etc.

For an ordinary OM user, who is supposed to create positions for employees and maintain the reporting hierarchy etc. it is not necessary to let them have access to alter the Organizational structure, cost center assignments etc. This access needs to be restricted to only super OM users. (This may seem like a bookish theory; but this required. And bdw, 'ordinary OM user' and 'super OM user' are my own ways of understanding the users; not SAP's .


For this reason, below activities should be restricted for an ordinary OM user.

  1.   Organizational Unit creation
  2.   Org. unit to org. unit relationship creation, change and delete
  3.   Master Cost center to org. unit relationship creation, change and delete



We achieved this by designing a role for ordinary OM user. I have listed down almost "every" single step so that anyone who has no experience in role creation will also be able to understand . Sorry to the experts who already know these small things; you may run faster jumping over those points! I know experts understand the importance of steps by step explanation for starters.


Let’s create a role- ROLE_RESTRICT_OU_STRUCT_CHNG

This role will contains T-codes required for an OM user like PO13, PO10D, PPOM_OLD, PPOS_OLD. Make sure the T-codes PPOC_OLD and PO10 are not included in the role.


  1. Use T-code PFCG to create a role
    Enter the suitable name and description for the role.
  2. Now go to Menu tab- Here you can add the Transaction codes (T-codes)
    Add T-codes as shown in below screenshot.
  3. Save the Role.Now, go to Authorizations Tab and click on ‘Change Authorization Data’.
  4. Select the Plan Version- 01. The screen looks as shown below.
  5. Set the values for fields in ‘Master Data’ node as shown below.
  6. Save.
  7. Now, it comes to re-designing PLOG object- ‘Personnel Planning’.
    You will see below node under PLOG.

  8. Remove Object Type ‘O’ from it and Save.
    Let’s move to second node now. Remove Object Type ‘O’ from it and Save. The node looks as shown in below snapshot.
  9. Let's not edit the node containing function codes DISP and LISD; as these are only display and listed display activities.
  10. Now go to Manually option option on screen to add one PLOGI object. You see below screen; key in Authorization object as "PLOG" and press Enter key.
  11. Below node with a yellow triangle gets added to the tree as shown below. Expand it; and fill in details as mentioned in next step.

    1. Click on the pencil in front of the Infotype field; and fill the details as shown below.

      Additional Entry to above snapshot is 'FROM'- 5011 and 'TO' *. Save.
      Here we have excluded below infotypes-
      1. Infotype 1000 (Object) - This infotype stores any object that is created in system. We don’t want user to create Org unit; so this infotype is excluded.
      2. Infotype 1015 (Cost planning) – We don’t want user to alter/create any cost related activities in the Organizational structure.
      3. Infotype 1018 (Cost Distribution)
      4. Infotype 1036 (Costs)
      5. Infotype 1209 (Cost Data)
      6. Infotype 5010 (Planning of Pers. Costs)
      7. Infotype 1008 (Acct. Assignment Features)

  12. Now let’s edit the Sub type Field values.
    We will remove below mentioned subtypes-
    1.  A*
    2.  B*
    3.  A011-
    Master Cost center
    4.  B011-
    Master Cost Center
    5.  A002-
    Reports (line) to
    6.  A014-
    Cost center distribution
    7.  B014- Cost center distribution
    8.  A056- Person has cost center
    9.  B056- Persons on cost center
    10. B002- Is line supervisor of
    11. A262- Reports to


  13. Post doing all this editing we have changed the manually added PLOG object as shown below.
  14. Now it’s time to assign this role to an OM user.
    I have created a sample user using T-code SU01.
    User- AJ_NO_OU.
    Let’s assign this user in the ‘User’ tab of role. After assigning the role, you'll get to see below screen.
  15. That's it! We are done with all required activities Now it's time to check whether everything we did is correct or not.
  16. Let’s test the user role.
    Log in to SAP client using pre-defined login credentials.
    Enter the T-codes- PPOC_OLD or PO10. You’ll get error as "You are not authorized to use transaction PPOC_OLD" (or PO10). This ensures that our T-code assignment is correct.
  17. Now enter the T-code PPOM_OLD; and key in already existing org unit. For testing I have created an OU 50012045-AJ_Test

  18. Check restriction of OU creation/deletion-
    Now; let’s check whether we have succeeded in restricting the OU (Org Unit) creation.
    Put cursor on an OU (click); then try crating an OU using (Create) option.
    No OU will be created; and you face the message- "No authorization".
  19. Check restriction of Master Cost Center assignment/deletion-
    ‘Go to Account assignment -->
    Click on an OU--> Click on Master Cost Center . You will result somewhat as shown in below snap.

  20. Now we go to 'Cost Distribution' option, 'Account Assignment Feature'; and both these options lead to error message "No authorization". (Cheers! Seeing these errors actually ensures that our role is correct! )
  21. Try to change the relationships between to Org units; system won't allow you.
  22. You might think that I'm only testing the "NOT ALLOWED" activities; what about the "ALLOWED" activities? . Here, I'm doing that too. Create positions under Org units; move the positions from one OU to other OU. System allows me to do so without any error.
  23. So, finally we can say that we have secured the Organization's Structure from any alterations!
  24. My clients are happy with this; I hope this helps to you too. And if your organization looks into segregation of user activities and roles, I'm sure this will be helpful.
3 Comments
Labels in this area