- 01 What Are Org Levels?
- 02 Master Roles, Derived Roles & Org Levels
- 03 Complete Org Level Reference Table
- 04 Sensitivity Classification — Which Org Levels Matter Most
- 05 The 7 Costliest Org Level Mistakes
- 06 Best Practices Checklist
- 07 PFCG Walkthrough — Setting Org Levels Correctly
- 08 Using SAP GRC for Org Level Governance
- 09 SharePoint-Based Org Data Approvals — A Best Practice
- 10 How AI Is Changing Role Governance
What Are Organizational Levels?
In SAP's authorization model, organizational levels (org levels) are special authorization fields that represent your company's structural hierarchy — company codes, plants, sales organizations, purchasing organizations, controlling areas, and more.
Unlike regular authorization field values that are maintained directly inside authorization objects, org levels sit in a separate layer. When you create a derived role from a master role, the only values that change between the master and derived copies are the org level values. Everything else — the transaction codes, the authorization objects, the activity values — stays identical.
This is the foundation of SAP's scalable role architecture. A single master role can spawn dozens of derived roles, each scoped to a different company code, plant, or sales area. One design, many deployments.
Org levels are stored in table USORG. The mapping of authorization fields to org levels is defined in USOBX_C and maintained via transaction SU24. You can view all defined org levels in PFCG under the Authorizations tab — they appear with the organizational level icon (globe symbol) and cannot be maintained in derived roles.
Master Roles, Derived Roles & the Org Level Connection
SAP's role architecture follows a parent-child model. The master role defines what a user can do — which transactions, which authorization objects, which activity values (create, change, display). The derived role defines where they can do it — which company code, which plant, which sales organization.
The connection between them is the org level. When you derive a role, SAP copies the entire authorization profile from the master — but leaves the org level fields blank. You then fill in the org values specific to that derived role. This means the master role should never contain hardcoded org level values. If it does, every derived role inherits that restriction, defeating the purpose of the entire architecture.
The master defines the functional scope (FB60, MIRO, FBL1N). Each derived role inherits it — only the org level values differ.
This architecture is critical for Segregation of Duties (SoD) compliance. When auditors review roles, they look at the master role design first. If the master is clean — proper activity restrictions, no wildcards in sensitive objects, no conflicting transactions — then every derived role automatically inherits that clean design. Break the master, and you break every derived role downstream.
03Complete Org Level Reference Table
The following table lists the most common organizational levels in SAP ECC and S/4HANA, their authorization objects, the module they belong to, and their sensitivity classification. This is the reference your role design team should have pinned to the wall.
| Org Level Field | Description | Auth Object | Module | Sensitivity |
|---|---|---|---|---|
| BUKRS | Company Code | F_BKPF_BUK | FI | Critical |
| WERKS | Plant | M_BEST_WRK | MM / PP | High |
| EKORG | Purchasing Organization | M_BEST_EKO | MM | Critical |
| VKORG | Sales Organization | V_VBAK_VKO | SD | Critical |
| VTWEG | Distribution Channel | V_VBAK_VKO | SD | Medium |
| SPART | Division | V_VBAK_VKO | SD | Low |
| KOKRS | Controlling Area | K_CSKS | CO | High |
| GSBER | Business Area | F_BKPF_GSB | FI | Medium |
| PERSA | Personnel Area | P_ORGIN | HR | Critical |
| MOLGA | Country Grouping (HR) | P_ORGIN | HR | High |
| IWERK | Maintenance Planning Plant | I_IWERK | PM | Medium |
| LGNUM | Warehouse Number | L_TAKT | WM / EWM | Medium |
| BRGRU | Authorization Group (Material Master) | M_MATE_BRG | MM | Medium |
| KOSTL | Cost Center | K_CSKS | CO | High |
| BWKEY | Valuation Area | M_MSEG_BWA | MM | High |
Sensitivity Classification — Which Org Levels Matter Most
Not all org levels carry equal risk. Misassigning a Division (SPART) is an inconvenience. Misassigning a Company Code (BUKRS) or Purchasing Organization (EKORG) is a potential SOX finding with financial impact. Understanding this hierarchy is the difference between a secure system and an audit disaster.
Company Code, Purch. Org, Sales Org, Personnel Area
These control access to financial postings, procurement spending, revenue recognition, and employee PII (payroll, HR records). A wildcard * in any of these is a guaranteed audit finding. Controls financial exposure and compliance with SOX, GDPR, and data privacy regulations.
Plant, Controlling Area, Cost Center, Valuation Area, Country Grouping
These determine where users can post goods movements, run MRP, manage cost allocations, and value inventory. Incorrect assignment leads to incorrect financial reporting, wrong inventory valuations, and cross-plant data access that violates internal controls.
Business Area, Distribution Channel, Warehouse, Maint. Plant, Auth. Group
These shape process boundaries. Misconfigurations cause data quality issues and cross-functional access. Not typically SOX-relevant by themselves, but they compound when combined with critical org levels in the same role.
Division, Storage Location (when standalone)
These are typically filtering-level org levels. Misassignment causes inconvenience (wrong data in reports, access to irrelevant master data) but does not create financial exposure or compliance risk on its own.
Wildcard (*) in BUKRS, EKORG, VKORG, or PERSA — This grants access to ALL company codes, purchasing orgs, sales orgs, or personnel areas. Auditors from Big 4, Grant Thornton, and BDO will flag this as a Critical finding in every SOX/ITGC audit. There is no legitimate reason for a business user role to have * in these fields.
Cross-company code access without business justification — If a user in Company Code 1000 can post journals in Company Code 2000, that's a segregation failure. Each derived role should be scoped to exactly the org levels the user needs — no more.
The 7 Costliest Org Level Mistakes
1. Hardcoding Org Values in the Master Role
If you maintain BUKRS = 1000 directly in the master role, every derived role inherits that value. Now you can't scope a derived role to Company Code 2000 without overriding the master — which defeats the entire purpose. The master role should have org level fields blank (set as organizational level, not hardcoded).
2. Using Wildcards in Sensitive Org Levels
Setting BUKRS = * or EKORG = * gives access across the entire corporate structure. This is the single most common cause of SoD violations in procurement and finance. It's also the first thing auditors check.
3. Forgetting Org Levels When Adding New Authorization Objects
When you add a new transaction to a master role, SAP proposes default authorization objects. If those objects contain org level fields, you must ensure they're flagged as organizational levels — not maintained as regular values. If you accidentally hardcode them, the derived role model breaks silently.
4. Inconsistent Org Level Combinations Across Related Roles
A user with BUKRS = 1000 in their FI role but EKORG = * in their MM role can create purchase orders for all purchasing orgs but only post invoices for one company code. This mismatch creates SoD exposures that are hard to detect in standard reporting.
5. Not Using Derived Roles at All
Some organizations create separate standalone roles for each company code — Z_FI_AP_1000, Z_FI_AP_2000, Z_FI_AP_3000 — without a master/derived relationship. When a change is needed (adding a new transaction, adjusting an activity value), it must be made in every single copy independently. In a 50-company-code landscape, this is a governance nightmare.
6. Mixing Functional and Org-Level Scope in One Role
A role called Z_PROCUREMENT_ALL_PLANTS that contains both MM and FI authorizations with WERKS = * and BUKRS = * is too broad to derive cleanly. The fix: separate by functional area first (procurement vs. finance), then derive by org level.
7. Ignoring HR Org Levels
PERSA (Personnel Area) and MOLGA (Country Grouping) in HR authorization object P_ORGIN control access to the most sensitive data in SAP — employee salaries, personal IDs, bank details. Yet many organizations treat HR roles as an afterthought, assigning broad access because "HR needs to see everything." Under GDPR, this is a data protection violation.
06Best Practices Checklist
PFCG Walkthrough — Setting Org Levels Correctly
Here's the step-by-step process for maintaining org levels correctly in PFCG. This walkthrough assumes you already have a master role with transactions assigned.
── STEP 1: Open Master Role ── PFCG → Enter master role name (e.g., Z_FI_AP_INVOICE) → Click Change ── STEP 2: Go to Authorizations Tab ── Click Authorizations tab → Click "Change Authorization Data" → The authorization tree opens ── STEP 3: Check Org Level Assignments ── Click Org Levels button (globe icon, top toolbar) → This opens the Organizational Level Maintenance screen → You see all org level fields relevant to this role ── STEP 4: Verify Fields Are Marked as Org Levels ── Each field should show: "Maintained at Organizational Level" → If a field shows a hardcoded value → THIS IS WRONG → Remove the value → Mark it as organizational level ── STEP 5: Save and Generate the Master Role ── Save → Generate (Shift+F5) → Master role is now clean ── STEP 6: Create Derived Role ── PFCG → Enter derived role name (e.g., Z_FI_AP_INVOICE_1000) → Click Create → Select "Derive from" → Enter master role name → Enter ── STEP 7: Maintain Org Levels in Derived Role ── Go to Authorizations tab → Click "Change Authorization Data" → Click Org Levels button → NOW enter the specific values: BUKRS = 1000 WERKS = 1000 EKORG = 1000 ── STEP 8: Generate Derived Role ── Save → Generate (Shift+F5) → Derived role is ready for assignment
Run report RSUSR002 in SA38 to list users by authorization values. Filter by org level fields (BUKRS, EKORG, VKORG) with value * to find all users with wildcard org access. This is the fastest way to identify roles that need remediation.
Alternatively, check table AGR_1251 (authorization data for roles) — filter where LOW = '*' and the field name is an org level. This gives you a list of every role with wildcard values, which is exactly what SyntaAI's role governance tools automate.
Using SAP GRC for Org Level Governance
If your organization runs SAP GRC Access Control, you already have a powerful framework for governing org level assignments — but most companies underutilize it. GRC isn't just for SoD checks and firefighter logs. Its Access Request Management (ARM) and Business Role Management (BRM) modules can enforce org level discipline at scale.
GRC ARM — Controlling Org Values at Request Time
When a user requests access through GRC ARM (transaction GRAC_SPM or the Fiori launchpad), the request form can be configured to require specific org level values. Instead of a requester saying "I need the AP Invoice role," ARM forces them to specify which company code, which purchasing organization, and which plant. The system then maps the request to the correct derived role automatically.
This eliminates a major source of errors: requesters asking for "the same role as my colleague" without realizing the colleague's role is scoped to a different company code. With ARM, the org level is explicit in the request, visible to the approver, and auditable end-to-end.
GRC BRM — Org Level Rules in Role Design
Business Role Management allows you to define organizational rules at the business role level. A business role like "Accounts Payable Clerk" can be configured with org level conditions — when a manager requests this role for a user, BRM automatically selects the correct derived technical role based on the user's organizational assignment (company code from HR master data, cost center, plant, etc.).
This is powerful because it removes the human decision about which derived role to assign. The mapping is rule-based: User in Company Code 1000 → gets Z_FI_AP_INVOICE_1000. User in Company Code 2000 → gets Z_FI_AP_INVOICE_2000. No manual selection, no misassignment.
GRC ARA — SoD Checks That Include Org Levels
The Access Risk Analysis (ARA) module can be configured to evaluate SoD conflicts at the organizational level, not just at the transaction level. This is a critical distinction. Two users might both have access to FB60 (Post Vendor Invoice) and F110 (Payment Run) — which is a classic SoD conflict. But if one user's role is scoped to Company Code 1000 and the other is scoped to Company Code 2000, the risk is mitigated because they operate in different organizational contexts.
ARA's org level rules (configured in NWBC → Access Rule Maintenance) let you define organizational mitigations — reducing false positives in SoD reporting by recognizing that org-level separation can be a valid compensating control. Without this, SoD reports are noisy with conflicts that don't represent real business risk.
To enable org-level SoD analysis in GRC ARA, go to SPRO → GRC → Access Control → Maintain Organizational Level and map each org level field to the corresponding authorization object. Then in your risk definitions, specify the org level fields that should be considered as mitigating factors. This turns your SoD analysis from a blunt "transaction-level" check into a precise "who can do what, where" assessment.
SharePoint-Based Org Data Approvals — A Best Practice
Here's a pattern that the best-run SAP security teams use but rarely talk about: maintaining org level master data in SharePoint (or a similar collaboration platform) with formal approval workflows, rather than making org level decisions ad-hoc inside PFCG.
Why SharePoint?
The problem with maintaining org levels purely in PFCG is that there's no built-in approval trail for which org values should go into which derived role. SAP logs the technical change (who changed the role, when), but not the business decision behind it. When an auditor asks "Who approved giving the Chennai plant team access to the Mumbai plant's inventory?" — the answer shouldn't be "the Basis admin decided during a Friday ticket."
SharePoint (or Microsoft Lists, or any workflow-enabled platform) provides the governance layer that PFCG lacks:
Org Level Master List — A central SharePoint list that maps every derived role to its approved org level values. Columns include: Role Name, Company Code, Plant, Purchasing Org, Sales Org, Business Justification, Approved By, Approval Date. This becomes the single source of truth.
Change Request Workflow — When a business unit needs a new derived role or a change to existing org values (e.g., "Add Plant 3000 to the procurement role for the new factory"), they submit a request through a SharePoint/Power Automate workflow. The request routes to the data owner (typically a finance controller for company code changes, a plant manager for plant changes, an HR business partner for personnel area changes) for approval.
Segregation of Approval — The person requesting the org level change should never be the same person implementing it in PFCG. SharePoint workflows enforce this naturally: the business owner approves, the security team implements, and the audit trail shows both steps clearly.
Periodic Recertification — Set up quarterly recertification flows where data owners review their org level assignments and confirm they're still valid. This catches stale access — a user who transferred from Company Code 1000 to 2000 six months ago but still has their old derived role assigned.
Request (SharePoint form) → Data Owner Approval (Company Code owner, Plant owner, or HR BP) → Security Team Review (SoD check, wildcard check) → Implementation (PFCG derived role creation/update) → Verification (role tester confirms access) → Audit Log (SharePoint retains full trail)
This workflow satisfies SOX ITGC requirements for access provisioning, gives auditors a complete evidence trail, and ensures that no org level change happens without the right business owner's approval. It's simple, it works with tools you already have, and it costs nothing extra.
Don't overcomplicate the SharePoint setup. A single list with 8–10 columns and a basic Power Automate approval flow is enough. Teams that build elaborate multi-stage workflows with 5 approval levels end up bypassing the process because it's too slow. One data owner approval + one security team implementation = the right balance of control and speed.
How AI Is Changing Role Governance
Traditionally, validating org levels across hundreds of roles has been a manual, spreadsheet-driven exercise. Security teams export role data from AGR_1251, cross-reference against organizational structures in T001 (company codes), T024E (purchasing orgs), and TVKO (sales orgs), and flag anomalies by hand. In organizations with 500+ roles, this takes weeks.
AI-powered platforms like SyntaAI are changing this. Instead of exporting and comparing spreadsheets, SyntaAI's security agent connects directly to your SAP system and runs automated checks across your entire role landscape:
Wildcard Detection — Scans AGR_1251 for any role where sensitive org level fields (BUKRS, EKORG, VKORG, PERSA) contain *. Flags the role, lists the affected users, and calculates the risk exposure.
Org Level Consistency Checking — Compares org values across all roles assigned to a single user. If a user has BUKRS = 1000 in their FI role but EKORG = * in their MM role, the agent flags the inconsistency and explains the SoD exposure in plain language.
Derived Role Governance — Identifies standalone roles that should be master/derived, detects master roles with hardcoded org values, and finds derived roles that have drifted from their master (manual changes to authorization data that bypass the derivation).
Custom vs. Standard Role Ratio — Analyzes the balance between Z/Y custom roles and SAP-standard roles. A high custom ratio often indicates governance gaps — too many one-off roles built for individual requests rather than following a structured design.
License Impact Analysis — Evaluates how org level assignments in roles affect SAP RISE FUE licensing. Overly broad roles (with create/change activities in advanced authorization objects) inflate license costs. SyntaAI identifies which specific org level + activity combinations are driving users into higher license tiers — and shows you how to fix it.
SyntaAI's agent performs over 70 automated checks against your SAP system, including all the org level issues described in this article. It reads from AGR_1251, AGR_DEFINE, AGR_USERS, AGR_TCODES, and CDHDR to build a complete picture of your role landscape — then explains findings in natural language, with specific remediation steps and PFCG instructions.
No spreadsheets. No manual cross-referencing. Just connect and ask.
Bhargavi Maddipati is Co-Founder & CEO of SyntaAI, with 18+ years of SAP Security and GRC expertise. Jani K, Co-Founder & CTO, brings 15+ years of SAP pre-sales experience specializing in Firefighter, Role Administration, and SAP GRC. Together they built Syntasec to make enterprise-grade SAP security accessible to mid-market companies.
Find out what's hiding in your role landscape
Get a free security assessment of your SAP system. We'll run an AI-powered scan and show you exactly which org levels need attention — wildcard access, missing derived roles, SoD exposures, and more.
Request Free AssessmentFrequently asked questions
What are organizational levels in SAP?
Org levels are special authorization fields representing your company's structural hierarchy — company codes, plants, sales and purchasing organizations, controlling areas. Unlike normal authorization values maintained inside objects, they sit in a separate layer and are what changes between a master role and its derived copies.
What is the difference between a master role and a derived role?
A master (parent) role holds the transactions and authorizations; derived (child) roles inherit all of that and differ only in their org-level values. This lets one master role be reused across many organizational units without duplicating the underlying access design.
Why do org levels matter for security and audit?
Get them right and access is clean, auditable and scalable; get them wrong and you get SoD violations, audit failures and security gaps that firefighting can't fix. Org levels are the backbone of SAP's derived-role model.
What are common org-level mistakes?
Leaving org levels wide open (for example a blank or * value that grants all company codes or plants), inconsistent maintenance between master and derived roles, and treating org levels as an afterthought rather than the primary scoping control. Each quietly over-grants access.
How does AI help with role and org-level governance?
AI can analyse real usage to propose correctly scoped org levels and flag over-broad values, then present the change as a proposal your team reviews and approves before anything ships — sustaining least-privilege that's hard to maintain by hand.