Transaction SUPO: Promote authorization fields to organizational levels
The latest SAP S/4HANA version comes with 40+ organizational levels that you can use to authorize end-users. Organizational levels are maintained in the header of a role, and the value(s) entered there are populated to every authorization object in the role that contains that organizational field.
In some cases, customers have the requirement to promote authorization fields to organizational levels. One of the main reasons is the desire to decrease the maintenance effort of your roles: maintaining the same field value in many authorizations across many roles is laborious, whereas an organizational level is maintained once per role. Fortunately, all SAP ABAP systems allow promoting non-org fields to org fields.
With SAP NetWeaver 7.50 Support Package 9, SAP provides new functionality to promote authorization fields to customer-specific organizational levels. You can get more information from SAP Note 727536 (FAQ | Use of customer-specific organizational levels in PFCG).
Note that the older reports PFCG_ORGFIELD_CREATE, PFCG_ORGFIELD_DELETE and PFCG_ORGFIELD_UPGRADE are obsolete; you are required to use transaction SUPO instead.
You can learn more about transaction code SUPO in SAP Note 2535602 (SUPO | Documentation, and transport connection for organizational level maintenance). Please note that SAP tcode SUPO_PREPARE is no longer required and has been locked.
Xiting strongly advises to be extremely careful when using transaction SUPO as irreparable issues can occur. Use the information on this site at your own risk.
How to Use Transaction SUPO (Org Levels for Profile Generator)?
When you start transaction SUPO, you can see an overview of the available organizational fields (both SAP standard and customer-specific ones). You can double-click in the column “Authorization Field” to see more details about the field.
There are four ways to see where the organizational level is being used:
- SAP Standard applications through SU22 data
- All applications through SU24 data (including customer-specific applications)
- Roles that contain the organizational level
- Authorization objects that use the organizational level
If you double-click in the column “Org. Level in SU22” it will show you all the standard applications (transaction codes, function modules, etc.) which use the organizational level based on SU22 data. This works for SAP standard applications only.
Double-click in the column “Org. Level in SU24” to see all the applications (transaction codes, function modules, etc.) based on SU24 data that use the organizational level. This works for all applications including customer-specific ones.
Double-click in the column “Org. Level in Roles” to see all the roles that use the organizational level in their authorizations.
Double-click in the column “Objects” to see all the authorization objects that use the organizational level as one of their fields. You can further check authorization objects in transaction SU21 (Maintain Authorization Objects).
How to Create and Delete Organizational Levels?
To create or delete an organizational level, you have to switch the transaction to change mode. Once in change mode, you can either use OK codes (entered in the command field) or the buttons in the navigation pane. In some releases the buttons are not shown, so the OK codes are listed here as well:
- =CREA_OLVL -> create an organizational level
- =DELE_OLVL -> delete an organizational level
Note: once you promote a new organizational level you cannot go back easily. Be careful when using this functionality.
Once you enter the OK code or click the icon, a new line appears in which you enter the desired authorization field; then save. In the example below, which I strongly advise not replicating, the authorization field CLASS is promoted to an organizational level. The system prompts for a workbench transport request (not a customizing request), which indicates that the change is cross-client.
To refresh the screen, you have to restart the transaction so that the columns will get updated with information regarding the newly promoted organizational level.
Once you have promoted the authorization field to an organizational field, you have to update your SU24 data as well as your role data. In my example, the authorization field CLASS exists in various roles through objects such as S_USER_GRP. Those roles still contain the value, but as a normal field value inside the authorization, not as an organizational value on the role header; that needs to be updated. The roles keep working, because the generated authorization profile is not affected by the promotion itself. Maintaining organizational levels, standard or custom ones, still follows the standard approach through transaction PFCG (Profile Generator).
As an example, the screenshot shows S_USER_GRP carrying the value SUPER inside the authorization, while the organizational level on the header is empty.
If you now maintain the value at the header level, the value that was previously maintained remains as a “manual” value in the authorization. You then have to update the authorization data with the “Read old status and merge with new data” option in PFCG. Please note that this only works well if your roles are properly maintained; if they are not, you run the risk of significantly impacting your roles.
SAP recommends using report AGR_RESET_ORG_LEVELS, which resets (deletes) all values of organizational fields that are not maintained at the header level. Executing the report leaves the organizational levels open, so you have to post-maintain them in PFCG afterwards. Please also note that the report processes only one role at a time, so for a large role set this is a time-consuming endeavor.
Removing a Promoted Organizational Level
Removing a previously promoted organizational level can be tricky or even impossible. Once you have maintained the organizational level in one of your roles and saved the profile, you can no longer delete it, because it is recorded in table AGR_1252. Deletion only works when the organizational level is not used in any role. Check table AGR_1252 for the roles in which the organizational level is in use, temporarily remove the affected authorization objects from those roles, delete the organizational level, and then add the previously removed authorizations back to the roles.
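The three checks described above (which SU24 applications propose the field, which roles still carry it as a normal value after promotion, and which AGR_1252 entries block a later deletion) can be run as one repeatable report. The following ABAP report is an added example written for this page, not SAP's or Xiting's code. The report name ZSUPO_IMPACT is hypothetical, and the table and field names (USOBT_C, AGR_1251, AGR_1252, and the convention that a role references an organizational level as '$' plus the field name) are assumptions drawn from the page and general PFCG knowledge; verify them in SE11 on your release before relying on the output.

```abap
*&---------------------------------------------------------------------*
*& Report ZSUPO_IMPACT (hypothetical name; added example, not SAP code)
*& Impact check before and after promoting an authorization field with
*& transaction SUPO. Table/field names are assumptions: verify in SE11.
*&---------------------------------------------------------------------*
REPORT zsupo_impact.

" Authorization field that is (or will be) promoted, e.g. CLASS
PARAMETERS p_field TYPE agr_1251-field OBLIGATORY DEFAULT 'CLASS'.

" PFCG stores a reference to an org level in the authorization data as
" '$' + field name (e.g. $CLASS); the actual values sit in AGR_1252
DATA lv_varbl TYPE agr_1252-varbl.
lv_varbl = |${ p_field }|.

" (1) SU24 default values (USOBT_C) that propose values for the field:
"     every application listed here hands the field to the role, so its
"     proposal may need to be changed to the org-level reference
SELECT DISTINCT name, type, object
  FROM usobt_c
  WHERE field = @p_field
  INTO TABLE @DATA(lt_su24).

" (2) Roles whose authorizations still carry the field as literal values
"     (anything other than the $-reference): after promotion these are
"     "normal" values that must be post-maintained in PFCG
SELECT DISTINCT agr_name, object, low, high
  FROM agr_1251
  WHERE field   = @p_field
    AND deleted = @space
    AND low    <> @lv_varbl
  INTO TABLE @DATA(lt_literal).

" (3) Roles with the org level maintained on the header (AGR_1252):
"     as long as any such row exists, SUPO cannot delete the org level
SELECT DISTINCT agr_name, low, high
  FROM agr_1252
  WHERE varbl = @lv_varbl
  INTO TABLE @DATA(lt_header).

WRITE: / |SU24 applications proposing field { p_field }: { lines( lt_su24 ) }|.
LOOP AT lt_su24 INTO DATA(ls_su24).
  WRITE: / ls_su24-type, ls_su24-name, ls_su24-object.
ENDLOOP.

SKIP.
WRITE: / |Roles carrying { p_field } as literal values (post-maintain in PFCG):|.
LOOP AT lt_literal INTO DATA(ls_lit).
  " A role that also has a header entry still holds the leftover "manual"
  " value: merge it (Read old status and merge with new data) or reset it
  " with AGR_RESET_ORG_LEVELS; a role without a header entry needs the
  " org level maintained on its header first
  DATA(lv_note) = COND string(
    WHEN line_exists( lt_header[ agr_name = ls_lit-agr_name ] )
    THEN 'leftover manual value (header already maintained)'
    ELSE 'org level not yet maintained on header' ).
  WRITE: / ls_lit-agr_name, ls_lit-object, ls_lit-low, ls_lit-high, lv_note.
ENDLOOP.

SKIP.
WRITE: / |Roles blocking deletion of { lv_varbl } (entries in AGR_1252):|.
LOOP AT lt_header INTO DATA(ls_hdr).
  WRITE: / ls_hdr-agr_name, ls_hdr-low, ls_hdr-high.
ENDLOOP.
```

Run it once before promoting the field (list 2 is the set of roles you will have to post-maintain, list 1 the SU24 proposals to revisit), again after the post-maintenance (list 2 should then be empty), and before any deletion attempt in SUPO (list 3 must be empty, otherwise the deletion is refused as described above).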
Frequently Asked Questions (FAQs)
Role maintenance as such is not impacted by transaction SUPO. However, once you promote a non-org field to an organizational field, you have to update the roles that carry the newly promoted field. The ABAP authorization and role management processes remain the same.
When promoting a new organizational level, you have to post-maintain old roles. Your old roles contain the newly promoted org level as “normal” authorization objects which need to be updated.
Transaction SUPO belongs to the SAP Basis component BC-SEC and is delivered in package S_PROFGEN. Your SAP system must be on SAP NetWeaver 7.50 Support Package 9 or higher.
Transaction SUPO does not have any side-effects on your ABAP role administration. You can continue to use transactions PFCG (Profile Generator), PFUD (User Master Data Reconciliation), SUPC (Mass Generation of Profiles), SUIM (User Information System), SU24 (Maintain Authorization Default Values), etc. You continue to build your roles through the profile generator (e.g. by adding SAP transaction codes to the role menu) and build the authorization profile.
Transaction SUPO does not require any customizing in tables such as SSM_CUST or USR_CUST. There is also no need for customizing in transaction SPRO (IMG activity).
Transaction SUPO can be a useful instrument to promote authorization fields to organizational fields to simplify the authorization management process. However, you should be aware of the risks and impact this has on your system. If you are unsure whether or not to promote an authorization field, please feel free to reach out to one of our experts to learn more.