Changing Organization level for derived roles

Dear All,
Below is my query:
When there is any requirement to change the organization level of a derived role, we go to the role and change the organization level manually.
We have derived our roles, based on the units (company codes).
Now we have a scenario, where we need to add one unit in a particular derivation of all roles.
Please suggest if there is any way of updating the organization level in mass for a specific derivation.
Regards,
Reshma Vijayan.

Colleen Lee wrote:
At least with this option you are using the PFCG functionality and not hitting the tables directly
Hi Reshma, Colleen,
Some additional warnings about manipulating the downloads:
The download file is a fixed record length text file, do not mess up the data positions.
Be aware of case (upper/lower) when manipulating the file.
Make sure you do a Unicode download to preserve special characters in the menu texts.
There are very, very few checks done on the file contents when uploading again. It will allow you to pollute your AGR* tables in such a way you'll need an ABAP-er or SQL-savvy colleague to clean up the mess. It is very close to manipulating the tables directly.
I once managed to get entries into AGR_1251 which didn't show up in PFCG and wouldn't even disappear from the tables after I had deleted the roles in question.
And yes, I still use this method, but I won't advise it to anyone I cannot personally train to be aware of the pitfalls ;-)
Jurjen

Similar Messages

  • GRC BRM: Update Org Levels of derived roles

    Dear GRC experts,
    we are using the GRC BRM Master Derived concept and have around 100 Master roles in place.
    I understand that the Org Levels of derived roles are only once set per Org Value Map during the initial (Mass) Derivation.
    If we add a transaction like VA01 to a Master role this also adds some new Org Levels to the Master role. Via "Propagate to Derived roles" the new transaction and object values are added into the Derived roles.
    For the new Org Levels these are added also but the values are not the one from the Org Value Map of the Derived role but exactly the same values of the Master Role.
    Using "Derived Role Org. values Update" does not help us here to update the corresponding Derived roles as no change to the Org Value Map has been done.
    In case a Master role has 40 different Derived roles associated this would require to update manually any of the Derived roles for adjusting the new Org Levels.
    Does anybody know how to automate this task?
    Many thanks for your help!
    Regards,
    Markus

    Hi Markus Richter
    Once you maintain the imparting role and propagate to the derived role, the derived roles will inherit the new org values from the imparting. So that at least has the org values in the derived roles but not the correct values
    Next up is to try to use the Mass Maintain Roles to update the derived roles with correct values from the org map (ensure org maps were updated first) mentioned in post
    Mass Child role Org value update in GRC 10
    Does this work for you as an approach?
    Regards
    Colleen

  • Adding the organization level to one Role

    Hi Experts,
    I have one role in PFCG; this role contains some authorizations.
    This role also maintains the organization level values.
    Now I want to include one organization level in this role,
    for example:
    company code ------> *
    purchasing group ------> *
    division ------> *
    Now I want to add "Work center".
    How can I include it? Is there any option?
    Thanks in advance
    sundar.c

    Thanks for the Doc. This will be my Plan B.
    I am still researching how to directly publish to Portal. I was able to do that from Query Designer using Publish to Portal, and the report shows up as an iView in a PCD folder in the Portal. The end users have only the Business Explorer role and all they can see is the Business Explorer tab of the Portal. So, I need to figure out a way to assign the iView to the end user role.
    In one of the threads,
    Prakash Darji suggested
    "The "publish into Role" from WAD saves to BI Roles which doesn't help you in web deployment, so I typically don't use this. I usually "Publish to Portal" and then will add my iView on the portal to a portal role that users are assigned to. This would make these iViews available to users on the portal. "
    I am going to assign points for your suggestion though.

  • DB table for Derived Roles and Parent Roles

    Hi Expert,
    In which DB table are the Derived Roles and Parent Roles stored? That is, I need to find out the derived role and parent role. I have completed the complex and single role by table AGR_AGRS.
    But I have to find out the table for the Derived Role.
    Please help me to get those tables.
    Thanks in advance
    Tarak

    It's the same table as for the master role: AGR_DEFINE (field PARENT_AGR is filled for derived roles).
    ~As from Forum

  • How to define organizational levels for MM01/02/03

    Hello
    While creating/ changing/ displaying material, I'm not able to see company code as selection field in organization level.
    Can anyone please let me know from where the settings are done for this?
    Thanks
    Ankita Bansal

    Hi,
    Your Plant is assigned to company code.
    So, you cannot see the Company code details in MM01/02/03.
    If you want to see for which company code your plant is attached you can see that in
    IMG > Enterprise Structure > Logistics-General > Assign Plant to Company Code.
    Hope this helps..
    Regards,
    Siva

  • RFC FUNCTION/BAPI for derived Roles (PFCG)

    Hi all,
    I have found many RFC functions for Users and Roles management but nothing for create derived roles.
    Any idea for creating derived roles from external applications ?
    Thanks
    Andrea

    Hi Andrea,
    check the link below.
    automate update profiles by abap (without PFCG)
    Re: automate update profiles by abap (without PFCG)  ?
    Also check if this is helpful
    BAPI_JOBROLE_CLONE 
    Regards,
    SuryaD.

  • Check status for Derived role generation

    Hello,
    We are trying to place a check to validate and ensure that the child roles are generated using "generate derived role" (Ctrl+Shift+F4) from the parent role. However, I'm not able to find an appropriate function module or table field via which this can be checked.
    Are there any options to check this?
    Thanks in advance
    Vijaya

    Hi,
    You can find the status of the roles, whether the profile is generated or not, with PFCG only.
    PFCG
    -> Utilities (M)
    -> Overview Status (Ctrl+Shift+F11)
    Give the role names (for which you need to know whether they are generated or not)
    Tick/select - Only Display Roles with Errors and Warnings
    -> Execute
    It will display all the role names and profile name and their status green generated, yellow not generated. If you copy all data and paste it in the excel it would be like below...
    ZS_ECC_NPR_AFM_TESTING_GL     @IC\QSingle Role@     11/20/2011     12:47:32     VKUMAR     @5C\QNo menu exists@          @5D\QCurrent version not generated@     ZNPRAFMTES     @5D\QUser master record not completely updated@
    ZS_ECC_NPR_DATABASE_ADMIN_GL     @IC\QSingle Role@     08/02/11     18:02:26     MMAKUCH     @5C\QNo menu exists@          @5B\QAuthorization profile is generated@     ZNPRDTBADM     @5C\QNo users are assigned@
    Hope this helps you.
    Thanks,
    Vinod

  • Issue while changing validity date for assigned roles: SAP IDM 7.2 SP8

    Hello Experts
    I assigned the Task on repository for validity modification for Roles as in below screenshot:
    When I modify the role validity, the Task defined for Validity modification doesn't get triggered and IDM executes the tasks defined as Modify Task and fails with the below errors:
    1. Could not obtain repository name from Pending object.
    2. Error ! Audit id , Variable doesnt exist in MXPT_GET_ENTRYTYPE.
    I tried checking provisioning audit logs but couldn't find any Audit ID created for validity modification and I guess due to this tasks are getting cancelled.
    Why does the task defined in Modify Validity tasks not get triggered when I modify the Role assignment validity?
    Am I doing anything wrong with the SAP Standard way of working ?
    Regards
    Deepak Gupta

    Hi Deepak/Chris,
    We are also facing a similar issue in our project where modifying validity of the role does not trigger any task. We then changed the Modify attribute (in task tab) on the privileges to "inhereted".
    The modify task is now triggered and completes successfully. However, no changes occur in backend.
    We need to understand where we maintain the setting to define which attributes (if changed) will trigger an event task in the provisioning framework. The "check attributes modification" task within the provisioning framework executes the below query:
    select COUNT(VarName) from mxpv_audit_variables where AuditID=%AUDITID% and VarValue='%MSKEY%' and VarName='MARK_EXEC_MODIFY_ATTR%MSKEY%'
    The query gives the result as "False" in case we only modify the validity of the role assigned to user. Thus no event tasks are executed for the same.
    Can anyone please share where do we define the attributes for this query to give "True" as result for role validity modification.
    regards,
    Nits

  • Change log level for exit activity in BPEL

    Hi,
    Every time my BPEL process reaches an exit activity it throws a WARNING log message saying:
    "The process instance has been terminated because an exit activity was encountered."
    This is not an error and should therefore not be logged at WARNING level. How do I change it to be INFO or any other level?

    In terms of access, I believe the audit files generated from the agent are created with full access to the entire portal, and I don't believe there is a way to restrict it to certain section apart from doing manipulation on the .log files that are exported.
    The process of creating the archiving agent involves going into the Audit Manager utility from the Admin section, and then you'll see it in the middle of the Main Settings page.
    I hope that helps.
    user5817265 wrote:
    Thanks Geoff. I knew I overlooked something simple.
    Is the owner the person who created the archive file? What controls who creates it?

  • Organization level control on Role

    Dear security gurus.
    I have 2 business roles in company and 2 subsidiaries under HQ.
    Each company have
    - Account clerk
    - Account manager
    HQ's clerk&manager: be able to check all company's data.
    Subsidiary's clerk&manager: be able to check ONLY their own company's data
    In this case, I have to create these 6 roles, because
    company code restriction can be controlled only by role, not user.
    Am I correct?
    1.HQ's manager(Company code: *)
    2.HQ's clerk(Company code: *)
    3.Subsidiary1's clerk(Company code: 1)
    4.Subsidiary1's manager(Company code: 1)
    5.Subsidiary2's clerk(Company code: 2)
    6.Subsidiary2's manager(Company code: 2)
    Yoshi

    Hi,
    I'd never give business access to all companies.
    My proposal:
    1.HQ's manager(Company code: 1, 2)
    2.HQ's clerk(Company code: 1, 2)
    3.Subsidiary1's clerk(Company code: 1)
    4.Subsidiary1's manager(Company code: 1)
    5.Subsidiary2's clerk(Company code: 2)
    6.Subsidiary2's manager(Company code: 2)
    You could also assign HQ both roles of subsidiaries:
    1.HQ's manager (MGR-01, MGR-02)
    2.HQ's clerk (CL-01, CL-02)
    3.Subsidiary1's clerk (CL-01)
    4.Subsidiary1's manager (MGR-01)
    5.Subsidiary2's clerk (CL-02)
    6.Subsidiary2's manager (MGR-02)
    That way, you need only four roles
    MGR-01
    MGR-02
    CL-01
    CL-02
    - more effort with assigning the roles
    - saves a little effort on the roles management side
    - works only if needed transactions are exactly the same (Subsidiary vs HQ).
    greetings
    Alexander Walkenhorst

  • Question on org level values in derived roles

    I have a set of derived roles for a retail org.
    They have set the org level for the WERKS object to the store number, i.e. 0012, in the M_MSEG_LGO, M_MSEG_WMB, and M_MSEG_WWE but set it to "" in the M_MRES_WWA and M_MSEG_WWA. Needless to say the "" is overriding the site restriction.
    My question is, how can they allow store to store transfers and goods issues for other sites but only do POs and goods receipts for their default store?
    If the transactions in the role are using the same object, it doesn't seem like it can be done but I am told it can! I can't figure it out. Can anyone assist?
    Thanks

    If you are talking about a straight authorization object (then your design cannot go with the derived role concept).
    If your controls are only through the organizational object, only then will the derived role design help.
    If it's a mix of both standard object + organizational level object, derived roles will not help you.
    Please note:
    the WERKS is the organization level; in your case the plan value is 0012.
    Do not set the values in the parent role and also do not populate this value where it's "$werks".
    what is TCODE you are using ?
    Edited by: Franklin Jayasim on Jul 21, 2010 11:45 PM

  • 'Protecting' your derived roles from being maintained on object level

    I'm redesigning an authorization concept that has been polluted in the past by maintaining object level values in the derived roles instead of the master roles.
    Now I would like to build in a kind of warning or authorization so that future role administrators can adjust master roles on object level, and derive the roles from the master, but are not allowed (or get a warning) to change object level values in the derived roles themselves.
    I'm looking for a warning similar to the warning you get when you are trying to change an organizational level value within the object rather than change the orglevel table.
    I have looked for entries in table PRGN_CUST, but found none.
    Also, the authorization checks for deriving roles seem to be similar (http://help.sap.com/saphelp_nw04/helpdata/en/2b/84653f1b76b11ae10000000a114084/frameset.htm) to actually maintaining a role, so no distinction can be made here.
    Knowing all this, I think the answer is: 'no, this is not possible' but if you have dealt with the same problem successfully, please let me know.
    Kind regards,
    Lodewijk Borsboom

    Hi Lodewijk,
    There are exit paths in SU01 and PFCG which might (have) help(ed) but SAP removed the documentation on them because (to my knowledge), as the code was integrated into BAPIs and org. management, these exits (like many which have gone before them) caused no end of confusion over time.
    I heard that they would at some point be replaced by BADIs but I guess the same problem exists there and I have to date not seen any of them released.
    I have the documentation if you are interested but which release are you on? I suspect that SAP might even remove the exit coding anyway.
    As the others have stated, I would also go for a detective control. You can always wipe the mistake out again from the master and this will let you know that someone is not sticking to the rules or doesn't understand the concept.
    This is also an advantage when compared to an error message or warning which only they see...
    Cheers,
    Julius
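
    One way to run the detective control suggested in this thread, as an added example that is not part of the original posts: it pairs derived roles with their master through AGR_DEFINE.PARENT_AGR (the field named in the "DB table for Derived Roles" thread) and compares the non-organizational values in an AGR_1251 export. The role names, sample rows, tuple column layout and the set of org-level fields are constructed assumptions; it also lists AGR_1251 rows whose role has no AGR_DEFINE entry, the kind of leftover described in the first thread.

```python
from collections import defaultdict

# Constructed AGR_DEFINE rows: (AGR_NAME, PARENT_AGR); PARENT_AGR is empty for masters.
AGR_DEFINE = [
    ("Z_MM_BUYER_MASTER", ""),
    ("Z_MM_BUYER_1000", "Z_MM_BUYER_MASTER"),
    ("Z_MM_BUYER_2000", "Z_MM_BUYER_MASTER"),
]

# Constructed AGR_1251 rows: (AGR_NAME, OBJECT, FIELD, LOW, HIGH, DELETED).
# The column selection is an assumption about how the table was exported.
AGR_1251 = [
    ("Z_MM_BUYER_MASTER", "M_BEST_BSA", "ACTVT", "01", "03", ""),
    ("Z_MM_BUYER_MASTER", "M_BEST_BSA", "BSART", "NB", "", ""),
    ("Z_MM_BUYER_MASTER", "M_BEST_WRK", "ACTVT", "01", "03", ""),
    ("Z_MM_BUYER_MASTER", "M_BEST_WRK", "WERKS", "$WERKS", "", ""),
    # Clean derivation: only the org level differs from the master.
    ("Z_MM_BUYER_1000", "M_BEST_BSA", "ACTVT", "01", "03", ""),
    ("Z_MM_BUYER_1000", "M_BEST_BSA", "BSART", "NB", "", ""),
    ("Z_MM_BUYER_1000", "M_BEST_WRK", "ACTVT", "01", "03", ""),
    ("Z_MM_BUYER_1000", "M_BEST_WRK", "WERKS", "1000", "", ""),
    # Polluted derivation: BSART widened to * directly in the derived role.
    ("Z_MM_BUYER_2000", "M_BEST_BSA", "ACTVT", "01", "03", ""),
    ("Z_MM_BUYER_2000", "M_BEST_BSA", "BSART", "*", "", ""),
    ("Z_MM_BUYER_2000", "M_BEST_BSA", "BSART", "NB", "", "X"),  # deleted row
    ("Z_MM_BUYER_2000", "M_BEST_WRK", "ACTVT", "01", "03", ""),
    ("Z_MM_BUYER_2000", "M_BEST_WRK", "WERKS", "2000", "", ""),
    # Leftover rows for a role that has no AGR_DEFINE entry.
    ("Z_OLD_ROLE", "S_TCODE", "TCD", "SU01", "", ""),
]

# Assumption: in a real check this set comes from the system's own list of
# organizational level fields, not from a hard-coded constant.
ORG_LEVEL_FIELDS = {"BUKRS", "WERKS", "EKORG", "VKORG"}


def non_org_values(rows, org_fields):
    """Map role -> set of (OBJECT, FIELD, LOW, HIGH), skipping org-level
    fields and rows flagged as deleted. Authorization names are not compared."""
    values = defaultdict(set)
    for role, obj, field, low, high, deleted in rows:
        if deleted or field in org_fields:
            continue
        values[role].add((obj, field, low, high))
    return values


def find_drift(agr_define, agr_1251, org_fields=ORG_LEVEL_FIELDS):
    """Return one finding per derived role whose object-level values differ
    from its master in anything other than organizational levels."""
    values = non_org_values(agr_1251, org_fields)
    findings = []
    for role, parent in agr_define:
        if not parent:  # master or stand-alone role
            continue
        extra = values[role] - values[parent]
        missing = values[parent] - values[role]
        if extra or missing:
            findings.append({"derived": role, "master": parent,
                             "extra": sorted(extra), "missing": sorted(missing)})
    return findings


def orphan_roles(agr_define, agr_1251):
    """Roles that still have AGR_1251 rows but no AGR_DEFINE entry."""
    defined = {role for role, _ in agr_define}
    return sorted({row[0] for row in agr_1251} - defined)


if __name__ == "__main__":
    for finding in find_drift(AGR_DEFINE, AGR_1251):
        print(finding)
    print("orphans:", orphan_roles(AGR_DEFINE, AGR_1251))
```

    Because the comparison is by value sets per role, it reports that a derived role diverged and in which object and field, not which individual authorization instance was edited.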

  • GRC Access Control 5.3 Organizational Levels - logical AND - OR changed

    Hello GRC Community,
    We are working with Access Control 5.3 SP 12 and we are setting up organization levels for the risk analysis.
    The setup is loaded with a flat file, and the configuration seems to be loaded in the right way.
    Doing the configuration on the RAR portal, opening the tab "rule architect" then "organization rules" and "create", we have this information:
    Organization Rule: Z001
    Description: TEST
    Risk     Organization Level   From    To    Search type   Status
    F001*    BUKRS                PRE0          AND           Enabled
    F001*    EKORG                PR00          OR            Enabled
    F001*    EKORG                PR01          OR            Enabled
    F001*    EKORG                RP00          AND           Enabled
    F001*    VKORG                RP00          OR            Enabled
    F001*    VKORG                RP01          OR            Enabled
    F001*    VKORG                RP02          AND           Enabled
    F001*    WERKS                SV00          OR            Enabled
    F001*    WERKS                VS00          OR            Enabled
    Finally save button.
    When we want to edit an organization rule or add a new one with the screen of organization rules, after saving we have the next result when we load the rule again:
    In the case of the same organization rule (Z001), the RAR returns this info:
    Organization Rule: Z001
    Description: TEST
    Risk     Organization Level   From    To    Search type   Status
    F001*    BUKRS                PRE0          AND           Enabled
    F001*    EKORG                PR00          OR            Enabled
    F001*    EKORG                PR01          OR            Enabled
    F001*    EKORG                RP00          OR            Enabled
    F001*    VKORG                RP00          OR            Enabled
    F001*    VKORG                RP01          OR            Enabled
    F001*    VKORG                RP02          OR            Enabled
    F001*    WERKS                SV00          OR            Enabled
    F001*    WERKS                VS00          OR            Enabled
    So the RAR has changed the logical AND for OR.
    Why is it happening? This effect doesn't happen if I make an upload from a flat file of organizational rules.
    We already tried this symptom doing the same exercise with RAR SP 14 with the same issue.
    Thanks in advance for all your comments
    Regards,
    Alejandro
    Edited by: Alejandro Acuña Acosta on Jun 3, 2011 8:53 AM

    Hi,
    >
    > 1. The Addons HR and NonHR are installed on the erp?
    >
    Yes.
    > 2. The GRC could be an stand alone java server?
    >
    It should be on separate server.
    > 3.  The Spro config for process control is configured on the ERP or the grc server?
    >
    ERP server.
    Thanks
    Sunny

  • Mass generation of derived roles

    Hello,
    I've got two questions concerning mass generation of roles.
    1)
    Certain roles are implemented in a system. Sometimes we're getting an update of the parent roles. In the next step we have to derive all kind roles manually. This is very costly for a lot of roles.
    I know the point "mass generation" in PFCG, but if we use this with option "all roles to be compared" the derived roles will not be compared. Even if I do this in the same system (changing the parent role, choosing the mentioned option) the kind role will not be updated. Is there a possibility to solve this problem or make the derivation faster without touching each parent role?
    2)
    I want to do the derivation of roles automatically. I read here something about LSMW, Batch-Input or CATT scripts. Can anybody explain to me how exactly this automatic derivation of roles works?
    Regards,
    Julia

    Thanks for your possibilities to solve the problem.
    I think the first problem with the derivation of roles after update of parent role could be solved with your mentioned report and eCATT.
    But with the second problem I still have trouble. I tried to use eCATT with transaction SECATT in SAP system. This works fine as long the roles have the same organizational levels.
    But I think that there has got to be a script for each role, because the organizational levels differ from role to role. So if you have e.g. 100 parent roles in your system, you have to create 100 scripts (apart from the question of whether it's reasonable to have so many parent roles). It's helpful that the parameters can be stored in a data container, but additionally you have to know which script concerns which roles and you have got to use the right script for the right role.
    Or did I overlook something in eCATT?
    Regards,
    Julia

  • Master role and derived role concept

    Guys,
    1) How to assign the organizational levels for the derived role?
         Say, for example, I have to create the derived roles with respect to the plant code. After inheriting the tcodes and authorizations from the master role, I noticed a pop-up page with organizational level tabulation and I assigned the respective plant code there, and in the same way for all the following derived roles. But the rest of the rows, like company code, sales organization, distribution channel etc., which are seen in the tabulation, are left empty. I noticed that all the fields which are left empty in the org. levels of the derived roles are filled up with the values of the corresponding master role org. level values when the derived button icon, which is seen under the authorization tab of the master role, is pressed. So please let me know the correct procedure to assign. *Do we really need to maintain org. values for master roles?*
    2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
    3) Are master and derived roles tested in parallel in the QA system, or is the master role tested first, followed by the derived role?
    4) According to my understanding we don't assign any user to the master roles, but why do we move it to PRD?
    Greatly appreciate somebody's help.

    > 1) How to assign the organizational levels for the derived role?
    >      Say, for example, I have to create the derived roles with respect to the plant code. After inheriting the tcodes and authorizations from the master role, I noticed a pop-up page with organizational level tabulation and I assigned the respective plant code there, and in the same way for all the following derived roles. But the rest of the rows, like company code, sales organization, distribution channel etc., which are seen in the tabulation, are left empty. I noticed that all the fields which are left empty in the org. levels of the derived roles are filled up with the values of the corresponding master role org. level values when the derived button icon, which is seen under the authorization tab of the master role, is pressed. So please let me know the correct procedure to assign. *Do we really need to maintain org. values for master roles?*
    Only if you assign the master roles to users. (and maybe for testing, see 3)
    >
    > 2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
    Nope, but if one of its derived roles is transported the master is automatically included in the transport. You'll have to make sure all derived roles are transported yourself.
    >
    > 3) Are master and derived roles tested in parallel in the QA system, or is the master role tested first, followed by the derived role?
    Best order is to do all unit testing with the master, with all org levels at * and create the derived roles only when the master is tested and corrected to satisfaction. In that way the derived roles only have to be tested for organizational shielding.
    >
    > 4) According to my understanding we don't assign any user to the master roles, but why do we move it to PRD?
    See 2, it goes there automatically. No choice.
    Jurjen
