Understanding the difference between when to update P_PERNR and/or P_ORGIN auth objects and the impact they have when you grant access is very important when it comes to HCM authorizations (one of the foundation pieces). Often when getting results back from SU53 authorization error, the error shows changes are needed to both P_ORGIN and P_PERNR but most times it is one or the other that must be updated (meaning the other is a false positive). i.e. If you are working on an employee role where the user should only have access to see his/her own information the result is that only P_PERNR should be updated and P_ORGIN should not be updated as this is only needed when giving access to see others information. If you are updating a manager role that allows the manager to see employees below them in the organization chart then you have to make a decision. Is this an error that impacts the manager from viewing or updating their own information or is the error impacting the manager from viewing or updating an employee’s information? Depending on the answer to this question you will know if you have to update P_ORGIN or P_PERNR in most cases. At times both may have to be updated. Note: This is written from the perspective of already having configured roles. There are much deeper dives that can be done on P_ORGIN and P_PERNR but since this is my first blog that is for now. Hopefully, someone may find this helpful or it helps start a conversation.