In This Article
01

What Are Organizational Levels?

In SAP's authorization model, organizational levels (org levels) are special authorization fields that represent your company's structural hierarchy — company codes, plants, sales organizations, purchasing organizations, controlling areas, and more.

Unlike regular authorization field values that are maintained directly inside authorization objects, org levels sit in a separate layer. When you create a derived role from a master role, the only values that change between the master and derived copies are the org level values. Everything else — the transaction codes, the authorization objects, the activity values — stays identical.

This is the foundation of SAP's scalable role architecture. A single master role can spawn dozens of derived roles, each scoped to a different company code, plant, or sales area. One design, many deployments.

📐 Technical Note

Org levels are stored in table USORG. The mapping of authorization fields to org levels is defined in USOBX_C and maintained via transaction SU24. You can view all defined org levels in PFCG under the Authorizations tab — they appear with the organizational level icon (globe symbol) and cannot be maintained in derived roles.

02

Master Roles, Derived Roles & the Org Level Connection

SAP's role architecture follows a parent-child model. The master role defines what a user can do — which transactions, which authorization objects, which activity values (create, change, display). The derived role defines where they can do it — which company code, which plant, which sales organization.

The connection between them is the org level. When you derive a role, SAP copies the entire authorization profile from the master — but leaves the org level fields blank. You then fill in the org values specific to that derived role. This means the master role should never contain hardcoded org level values. If it does, every derived role inherits that restriction, defeating the purpose of the entire architecture.

Master → Derived Role Architecture
Z_FI_AP_INVOICE  (Master)
Z_FI_AP_INVOICE_1000
BUKRS = 1000
Z_FI_AP_INVOICE_2000
BUKRS = 2000
Z_FI_AP_INVOICE_3000
BUKRS = 3000

The master defines the functional scope (FB60, MIRO, FBL1N). Each derived role inherits it — only the org level values differ.

This architecture is critical for Segregation of Duties (SoD) compliance. When auditors review roles, they look at the master role design first. If the master is clean — proper activity restrictions, no wildcards in sensitive objects, no conflicting transactions — then every derived role automatically inherits that clean design. Break the master, and you break every derived role downstream.

03

Complete Org Level Reference Table

The following table lists the most common organizational levels in SAP ECC and S/4HANA, their authorization objects, the module they belong to, and their sensitivity classification. This is the reference your role design team should have pinned to the wall.

Org Level Field Description Auth Object Module Sensitivity
BUKRS Company Code F_BKPF_BUK FI Critical
WERKS Plant M_BEST_WRK MM / PP High
EKORG Purchasing Organization M_BEST_EKO MM Critical
VKORG Sales Organization V_VBAK_VKO SD Critical
VTWEG Distribution Channel V_VBAK_VKO SD Medium
SPART Division V_VBAK_VKO SD Low
KOKRS Controlling Area K_CSKS CO High
GSBER Business Area F_BKPF_GSB FI Medium
PERSA Personnel Area P_ORGIN HR Critical
MOLGA Country Grouping (HR) P_ORGIN HR High
IWERK Maintenance Planning Plant I_IWERK PM Medium
LGNUM Warehouse Number L_TAKT WM / EWM Medium
BRGRU Authorization Group (Material Master) M_MATE_BRG MM Medium
KOSTL Cost Center K_CSKS CO High
BWKEY Valuation Area M_MSEG_BWA MM High
04

Sensitivity Classification — Which Org Levels Matter Most

Not all org levels carry equal risk. Misassigning a Division (SPART) is an inconvenience. Misassigning a Company Code (BUKRS) or Purchasing Organization (EKORG) is a potential SOX finding with financial impact. Understanding this hierarchy is the difference between a secure system and an audit disaster.

🔴 Critical — Financial & Compliance Impact

Company Code, Purch. Org, Sales Org, Personnel Area

These control access to financial postings, procurement spending, revenue recognition, and employee PII (payroll, HR records). A wildcard * in any of these is a guaranteed audit finding. Controls financial exposure and compliance with SOX, GDPR, and data privacy regulations.

🟠 High — Operational & Cost Impact

Plant, Controlling Area, Cost Center, Valuation Area, Country Grouping

These determine where users can post goods movements, run MRP, manage cost allocations, and value inventory. Incorrect assignment leads to incorrect financial reporting, wrong inventory valuations, and cross-plant data access that violates internal controls.

🔵 Medium — Structural & Process Impact

Business Area, Distribution Channel, Warehouse, Maint. Plant, Auth. Group

These shape process boundaries. Misconfigurations cause data quality issues and cross-functional access. Not typically SOX-relevant by themselves, but they compound when combined with critical org levels in the same role.

🟢 Low — Informational

Division, Storage Location (when standalone)

These are typically filtering-level org levels. Misassignment causes inconvenience (wrong data in reports, access to irrelevant master data) but does not create financial exposure or compliance risk on its own.

⚠️ Auditor Red Flags

Wildcard (*) in BUKRS, EKORG, VKORG, or PERSA — This grants access to ALL company codes, purchasing orgs, sales orgs, or personnel areas. Auditors from Big 4, Grant Thornton, and BDO will flag this as a Critical finding in every SOX/ITGC audit. There is no legitimate reason for a business user role to have * in these fields.

Cross-company code access without business justification — If a user in Company Code 1000 can post journals in Company Code 2000, that's a segregation failure. Each derived role should be scoped to exactly the org levels the user needs — no more.

05

The 7 Costliest Org Level Mistakes

1. Hardcoding Org Values in the Master Role

If you maintain BUKRS = 1000 directly in the master role, every derived role inherits that value. Now you can't scope a derived role to Company Code 2000 without overriding the master — which defeats the entire purpose. The master role should have org level fields blank (set as organizational level, not hardcoded).

2. Using Wildcards in Sensitive Org Levels

Setting BUKRS = * or EKORG = * gives access across the entire corporate structure. This is the single most common cause of SoD violations in procurement and finance. It's also the first thing auditors check.

3. Forgetting Org Levels When Adding New Authorization Objects

When you add a new transaction to a master role, SAP proposes default authorization objects. If those objects contain org level fields, you must ensure they're flagged as organizational levels — not maintained as regular values. If you accidentally hardcode them, the derived role model breaks silently.

4. Inconsistent Org Level Combinations Across Related Roles

A user with BUKRS = 1000 in their FI role but EKORG = * in their MM role can create purchase orders for all purchasing orgs but only post invoices for one company code. This mismatch creates SoD exposures that are hard to detect in standard reporting.

5. Not Using Derived Roles at All

Some organizations create separate standalone roles for each company code — Z_FI_AP_1000, Z_FI_AP_2000, Z_FI_AP_3000 — without a master/derived relationship. When a change is needed (adding a new transaction, adjusting an activity value), it must be made in every single copy independently. In a 50-company-code landscape, this is a governance nightmare.

6. Mixing Functional and Org-Level Scope in One Role

A role called Z_PROCUREMENT_ALL_PLANTS that contains both MM and FI authorizations with WERKS = * and BUKRS = * is too broad to derive cleanly. The fix: separate by functional area first (procurement vs. finance), then derive by org level.

7. Ignoring HR Org Levels

PERSA (Personnel Area) and MOLGA (Country Grouping) in HR authorization object P_ORGIN control access to the most sensitive data in SAP — employee salaries, personal IDs, bank details. Yet many organizations treat HR roles as an afterthought, assigning broad access because "HR needs to see everything." Under GDPR, this is a data protection violation.

06

Best Practices Checklist

Always use the master/derived model — Define functional scope in the master role. Maintain org levels only in derived roles. No exceptions.
Leave org levels blank in master roles — The PFCG organizational level maintenance screen should show all org fields as "to be maintained in derived roles."
One functional scope per master role — Don't combine FI and MM in a single master. The more focused the master, the cleaner the derivation.
Document org level assignments — Every derived role should have a clear record of which org values it contains and why. This is your audit trail.
Validate org level consistency across related roles — If a user has MM and FI roles, ensure the company code and plant values are consistent. Use SUIM or an AI-powered tool to cross-check.
Never use * in BUKRS, EKORG, VKORG, or PERSA — No business user needs access to all company codes, purchasing orgs, sales orgs, or personnel areas. If someone asks for it, push back and ask for the specific values.
Never hardcode org values in the master role — This is the #1 cause of role design failures. It locks every derived role to the same org scope and forces manual overrides.
Don't create standalone roles when derived roles will do — If you have more than 3 company codes, standalone roles are unsustainable. Switch to master/derived immediately.
Don't skip HR org levels in your role designPERSA and MOLGA are just as important as BUKRS. Salary data breaches carry heavier penalties than financial posting errors.
07

PFCG Walkthrough — Setting Org Levels Correctly

Here's the step-by-step process for maintaining org levels correctly in PFCG. This walkthrough assumes you already have a master role with transactions assigned.

Step-by-Step: PFCG Org Level Maintenance
── STEP 1: Open Master Role ──
PFCG → Enter master role name (e.g., Z_FI_AP_INVOICE)
     → Click Change

── STEP 2: Go to Authorizations Tab ──
Click Authorizations tab → Click "Change Authorization Data"
     → The authorization tree opens

── STEP 3: Check Org Level Assignments ──
Click Org Levels button (globe icon, top toolbar)
     → This opens the Organizational Level Maintenance screen
     → You see all org level fields relevant to this role

── STEP 4: Verify Fields Are Marked as Org Levels ──
Each field should show: "Maintained at Organizational Level"
     → If a field shows a hardcoded value → THIS IS WRONG
     → Remove the value → Mark it as organizational level

── STEP 5: Save and Generate the Master Role ──
SaveGenerate (Shift+F5)
     → Master role is now clean

── STEP 6: Create Derived Role ──
PFCG → Enter derived role name (e.g., Z_FI_AP_INVOICE_1000)
     → Click Create → Select "Derive from"
     → Enter master role name → Enter

── STEP 7: Maintain Org Levels in Derived Role ──
Go to Authorizations tab → Click "Change Authorization Data"
     → Click Org Levels button
     → NOW enter the specific values:
       BUKRS = 1000
       WERKS = 1000
       EKORG = 1000

── STEP 8: Generate Derived Role ──
SaveGenerate (Shift+F5)
     → Derived role is ready for assignment
⚡ Pro Tip — Checking Org Levels in Existing Roles

Run report RSUSR002 in SA38 to list users by authorization values. Filter by org level fields (BUKRS, EKORG, VKORG) with value * to find all users with wildcard org access. This is the fastest way to identify roles that need remediation.

Alternatively, check table AGR_1251 (authorization data for roles) — filter where LOW = '*' and the field name is an org level. This gives you a list of every role with wildcard values, which is exactly what SyntaAI's role governance tools automate.

08

Using SAP GRC for Org Level Governance

If your organization runs SAP GRC Access Control, you already have a powerful framework for governing org level assignments — but most companies underutilize it. GRC isn't just for SoD checks and firefighter logs. Its Access Request Management (ARM) and Business Role Management (BRM) modules can enforce org level discipline at scale.

GRC ARM — Controlling Org Values at Request Time

When a user requests access through GRC ARM (transaction GRAC_SPM or the Fiori launchpad), the request form can be configured to require specific org level values. Instead of a requester saying "I need the AP Invoice role," ARM forces them to specify which company code, which purchasing organization, and which plant. The system then maps the request to the correct derived role automatically.

This eliminates a major source of errors: requesters asking for "the same role as my colleague" without realizing the colleague's role is scoped to a different company code. With ARM, the org level is explicit in the request, visible to the approver, and auditable end-to-end.

GRC BRM — Org Level Rules in Role Design

Business Role Management allows you to define organizational rules at the business role level. A business role like "Accounts Payable Clerk" can be configured with org level conditions — when a manager requests this role for a user, BRM automatically selects the correct derived technical role based on the user's organizational assignment (company code from HR master data, cost center, plant, etc.).

This is powerful because it removes the human decision about which derived role to assign. The mapping is rule-based: User in Company Code 1000 → gets Z_FI_AP_INVOICE_1000. User in Company Code 2000 → gets Z_FI_AP_INVOICE_2000. No manual selection, no misassignment.

GRC ARA — SoD Checks That Include Org Levels

The Access Risk Analysis (ARA) module can be configured to evaluate SoD conflicts at the organizational level, not just at the transaction level. This is a critical distinction. Two users might both have access to FB60 (Post Vendor Invoice) and F110 (Payment Run) — which is a classic SoD conflict. But if one user's role is scoped to Company Code 1000 and the other is scoped to Company Code 2000, the risk is mitigated because they operate in different organizational contexts.

ARA's org level rules (configured in NWBC → Access Rule Maintenance) let you define organizational mitigations — reducing false positives in SoD reporting by recognizing that org-level separation can be a valid compensating control. Without this, SoD reports are noisy with conflicts that don't represent real business risk.

📋 GRC Configuration Tip

To enable org-level SoD analysis in GRC ARA, go to SPRO → GRC → Access Control → Maintain Organizational Level and map each org level field to the corresponding authorization object. Then in your risk definitions, specify the org level fields that should be considered as mitigating factors. This turns your SoD analysis from a blunt "transaction-level" check into a precise "who can do what, where" assessment.

09

SharePoint-Based Org Data Approvals — A Best Practice

Here's a pattern that the best-run SAP security teams use but rarely talk about: maintaining org level master data in SharePoint (or a similar collaboration platform) with formal approval workflows, rather than making org level decisions ad-hoc inside PFCG.

Why SharePoint?

The problem with maintaining org levels purely in PFCG is that there's no built-in approval trail for which org values should go into which derived role. SAP logs the technical change (who changed the role, when), but not the business decision behind it. When an auditor asks "Who approved giving the Chennai plant team access to the Mumbai plant's inventory?" — the answer shouldn't be "the Basis admin decided during a Friday ticket."

SharePoint (or Microsoft Lists, or any workflow-enabled platform) provides the governance layer that PFCG lacks:

Org Level Master List — A central SharePoint list that maps every derived role to its approved org level values. Columns include: Role Name, Company Code, Plant, Purchasing Org, Sales Org, Business Justification, Approved By, Approval Date. This becomes the single source of truth.

Change Request Workflow — When a business unit needs a new derived role or a change to existing org values (e.g., "Add Plant 3000 to the procurement role for the new factory"), they submit a request through a SharePoint/Power Automate workflow. The request routes to the data owner (typically a finance controller for company code changes, a plant manager for plant changes, an HR business partner for personnel area changes) for approval.

Segregation of Approval — The person requesting the org level change should never be the same person implementing it in PFCG. SharePoint workflows enforce this naturally: the business owner approves, the security team implements, and the audit trail shows both steps clearly.

Periodic Recertification — Set up quarterly recertification flows where data owners review their org level assignments and confirm they're still valid. This catches stale access — a user who transferred from Company Code 1000 to 2000 six months ago but still has their old derived role assigned.

✅ The Gold Standard Workflow

Request (SharePoint form) → Data Owner Approval (Company Code owner, Plant owner, or HR BP) → Security Team Review (SoD check, wildcard check) → Implementation (PFCG derived role creation/update) → Verification (role tester confirms access) → Audit Log (SharePoint retains full trail)

This workflow satisfies SOX ITGC requirements for access provisioning, gives auditors a complete evidence trail, and ensures that no org level change happens without the right business owner's approval. It's simple, it works with tools you already have, and it costs nothing extra.

⚠️ Common Pitfall

Don't overcomplicate the SharePoint setup. A single list with 8–10 columns and a basic Power Automate approval flow is enough. Teams that build elaborate multi-stage workflows with 5 approval levels end up bypassing the process because it's too slow. One data owner approval + one security team implementation = the right balance of control and speed.

10

How AI Is Changing Role Governance

Traditionally, validating org levels across hundreds of roles has been a manual, spreadsheet-driven exercise. Security teams export role data from AGR_1251, cross-reference against organizational structures in T001 (company codes), T024E (purchasing orgs), and TVKO (sales orgs), and flag anomalies by hand. In organizations with 500+ roles, this takes weeks.

AI-powered platforms like SyntaAI are changing this. Instead of exporting and comparing spreadsheets, SyntaAI's security agent connects directly to your SAP system and runs automated checks across your entire role landscape:

Wildcard Detection — Scans AGR_1251 for any role where sensitive org level fields (BUKRS, EKORG, VKORG, PERSA) contain *. Flags the role, lists the affected users, and calculates the risk exposure.

Org Level Consistency Checking — Compares org values across all roles assigned to a single user. If a user has BUKRS = 1000 in their FI role but EKORG = * in their MM role, the agent flags the inconsistency and explains the SoD exposure in plain language.

Derived Role Governance — Identifies standalone roles that should be master/derived, detects master roles with hardcoded org values, and finds derived roles that have drifted from their master (manual changes to authorization data that bypass the derivation).

Custom vs. Standard Role Ratio — Analyzes the balance between Z/Y custom roles and SAP-standard roles. A high custom ratio often indicates governance gaps — too many one-off roles built for individual requests rather than following a structured design.

License Impact Analysis — Evaluates how org level assignments in roles affect SAP RISE FUE licensing. Overly broad roles (with create/change activities in advanced authorization objects) inflate license costs. SyntaAI identifies which specific org level + activity combinations are driving users into higher license tiers — and shows you how to fix it.

✅ What SyntaAI Detects Automatically

SyntaAI's agent performs over 70 automated checks against your SAP system, including all the org level issues described in this article. It reads from AGR_1251, AGR_DEFINE, AGR_USERS, AGR_TCODES, and CDHDR to build a complete picture of your role landscape — then explains findings in natural language, with specific remediation steps and PFCG instructions.

No spreadsheets. No manual cross-referencing. Just connect and ask.

Bhargavi Maddipati is Co-Founder & CEO of SyntaAI, with 18+ years of SAP Security and GRC expertise. Jani K, Co-Founder & CTO, brings 15+ years of SAP pre-sales experience specializing in Firefighter, Role Administration, and SAP GRC. Together they built Syntasec to make enterprise-grade SAP security accessible to mid-market companies.

Find out what's hiding in your role landscape

Get a free security assessment of your SAP system. We'll run an AI-powered scan and show you exactly which org levels need attention — wildcard access, missing derived roles, SoD exposures, and more.

Request Free Assessment

Frequently asked questions

What are organizational levels in SAP?

Org levels are special authorization fields representing your company's structural hierarchy — company codes, plants, sales and purchasing organizations, controlling areas. Unlike normal authorization values maintained inside objects, they sit in a separate layer and are what changes between a master role and its derived copies.

What is the difference between a master role and a derived role?

A master (parent) role holds the transactions and authorizations; derived (child) roles inherit all of that and differ only in their org-level values. This lets one master role be reused across many organizational units without duplicating the underlying access design.

Why do org levels matter for security and audit?

Get them right and access is clean, auditable and scalable; get them wrong and you get SoD violations, audit failures and security gaps that firefighting can't fix. Org levels are the backbone of SAP's derived-role model.

What are common org-level mistakes?

Leaving org levels wide open (for example a blank or * value that grants all company codes or plants), inconsistent maintenance between master and derived roles, and treating org levels as an afterthought rather than the primary scoping control. Each quietly over-grants access.

How does AI help with role and org-level governance?

AI can analyse real usage to propose correctly scoped org levels and flag over-broad values, then present the change as a proposal your team reviews and approves before anything ships — sustaining least-privilege that's hard to maintain by hand.