Adjusting derived role in background

Hello,
Each time we modify a reference role, we spend a lot of time adjusting the derived roles (at least 20 derived roles, about 5 000 users by role).
To do it, we execute PFCG, Authorizations tab, then in the Authorizations menu -> Adjust Derived -> Generate Derived Roles.
Is there a standard way to do it in background or in a batch mode (maybe by program, or function module)?
Thanks.
Guillaume

Hi Guillaume.
We actually cloned the SUPRN_REGENERATE_DEPENDENT program into a Z-program and added the multiple roles functionality based on the timestamps in table AGR_TIME.
We then save the timestamps in a shadow table (clone of AGR_TIME) so we can figure out when the role has been changed and a derivation is necessary!
Contact me for further details!
Regards Fredrik

Similar Messages

  • Mass generation of Derived Roles

    Hello,
    SUPC helps me in Mass generation of Master Roles. But how do I generate Derived roles in a lot?
    Thanks.

    Hello,
    we also missed this function when we started using derivation of roles. I developed some years ago a program which does this, also possible to start it in background mode. It runs daily (in front of PFCG_TIME_DEPENDENCY) and adjusts derived roles from updated parent roles (which came into the system via transport request).
    Because I developed the program in my working time it's owned by my company, therefore I can not post the source. Just a few hints:
    - parent roles and derived roles: you will find them in table AGR_DEFINE
    - roles imported into the system: with function module TMS_TM_GET_TRLIST you can get yesterday's imported transport requests, you can read the object list with function module TMS_WBO_READ_REQUEST (those with R3TR ACGR have roles in it).
    - build up an internal table of parent roles (consider the derivation level: first process the top level role, then its derived roles, and then their derived roles and so on).
    - use function module SUPRN_TRANSFER_AUTH_DATA for adjusting the derived roles of a parent role.
    HTH and kind regards
    Jens Hoetger
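The two replies above describe the same batch logic: detect changed roles by comparing AGR_TIME against a saved shadow copy, then adjust parents level by level. The sketch below is an added example, not code from either poster; it works offline on constructed rows shaped like exports of AGR_DEFINE (AGR_NAME, PARENT_AGR) and assumes one change timestamp per role in `YYYYMMDDHHMMSS` form. The role names and function names are hypothetical.

```python
from collections import defaultdict, deque

# Constructed sample data, shaped like an export of AGR_DEFINE (AGR_NAME, PARENT_AGR).
AGR_DEFINE = [
    ("Z_MM_BUYER_MASTER", ""),
    ("Z_MM_BUYER_1000", "Z_MM_BUYER_MASTER"),
    ("Z_MM_BUYER_2000", "Z_MM_BUYER_MASTER"),
    ("Z_MM_BUYER_2000_A", "Z_MM_BUYER_2000"),
    ("Z_FI_CLERK_MASTER", ""),
    ("Z_FI_CLERK_1000", "Z_FI_CLERK_MASTER"),
]

# Constructed change timestamps: current AGR_TIME state and the shadow copy
# saved after the previous run (assumption: one timestamp string per role).
AGR_TIME_NOW = {
    "Z_MM_BUYER_MASTER": "20240305071500",  # changed since last run
    "Z_MM_BUYER_1000": "20240301120000",
    "Z_MM_BUYER_2000": "20240301120000",
    "Z_MM_BUYER_2000_A": "20240301120000",
    "Z_FI_CLERK_MASTER": "20240210090000",
    "Z_FI_CLERK_1000": "20240304160000",    # changed, but has no derived roles
}
AGR_TIME_SHADOW = dict(AGR_TIME_NOW,
                       Z_MM_BUYER_MASTER="20240301115900",
                       Z_FI_CLERK_1000="20240210090500")


def changed_roles(now, shadow):
    """Roles whose timestamp is newer than the shadow copy, or new to it."""
    return {role for role, ts in now.items() if ts > shadow.get(role, "")}


def depth_of(role, parent_of):
    """Derivation level: 0 for a top-level role, 1 for its derived roles, ..."""
    seen, depth = set(), 0
    while parent_of.get(role):
        if role in seen:
            raise ValueError(f"derivation cycle involving {role}")
        seen.add(role)
        role = parent_of[role]
        depth += 1
    return depth


def adjustment_plan(agr_define, now, shadow):
    """Return (level, parent, derived_roles) tuples, top level first.

    Adjusting a parent rewrites its derived roles, so any of those that are
    themselves parents are queued as well (the cascade described in the post).
    """
    parent_of = {name: parent for name, parent in agr_define}
    children = defaultdict(list)
    for name, parent in agr_define:
        if parent:
            children[parent].append(name)

    queue = deque(sorted(r for r in changed_roles(now, shadow) if r in children))
    to_adjust = set()
    while queue:
        role = queue.popleft()
        if role in to_adjust:
            continue
        to_adjust.add(role)
        queue.extend(c for c in sorted(children[role]) if c in children)

    ordered = sorted(to_adjust, key=lambda r: (depth_of(r, parent_of), r))
    return [(depth_of(r, parent_of), r, sorted(children[r])) for r in ordered]


if __name__ == "__main__":
    for level, parent, derived in adjustment_plan(AGR_DEFINE, AGR_TIME_NOW, AGR_TIME_SHADOW):
        print(f"level {level}: adjust {parent} -> {', '.join(derived)}")
```

The resulting list is the worklist a background job would walk; after a successful run the current timestamps replace the shadow copy.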

  • Org data in Derived role differ from Parent role

    Hi there
    I need some help please. I am in the process of creating various parent / derived roles and have found that when I update the parent role (org data) and I do a generate and do a derived role update, the values in the org data are not correctly pulled through to the derived roles.
    e.g.
    In the parent role for Org data "Purchase Org" the previous value was "/" so that it could be specified in the derived roles should they require the split on this field, however the business has decided that they do not require a restriction on this field so I went back to the parent role and changed the value to "*", so I generated the parent role, updated the derived roles, but when I go to any of my derived roles that field value is still blank, it did not pull through the value * .
    We are currently on
    SAP_ABA  701           0005    SAPKA70105
    SAP_BASIS  701        0005     SAPKB70105
    I have created the derived roles with the parent role as the derived from role, it does pull through the values but just does not update it once I do make changes.
    Your help / suggestions would really be appreciated as I need to create MANY roles.
    Regards
    Sonja

    Hi Sonja,
    obviously there is a misunderstanding of how the derivation works....
    > Thanks guys for the feedback, but surely I do not only need to maintain the ORG data in the derived roles individually, if I have got an Org field that should be the same for all the derived roles I must be able to update the Parent role with this value which then upon generate, and generate / activate the derived roles must update the derived roles.
    -->no.
    Only the first time of derivation, if the field content in the derived roles are initial...
    help.sap.com:
    quote
    The organization level data is only copied the first time the authorization data is adjusted for the derived role. If data is maintained for the organizational levels in the derived role, and if you have maintained the organizational levels using the dialog box, the data is not overwritten by another conciliation (See SAP Note 314513).
    unquote
    The whole stuff:  http://help.sap.com/saphelp_nw70ehp2/helpdata/en/1c/c38028816c11d396bc0000e82de14a/frameset.htm
    otherwise the maintained org.fieldvalues would get overwritten by the value of the master role every time. And that is exactly, what has to be avoided!
    b.rgds, Bernhard

  • Change authorization object in a derived role

    Hi Gurus,
    What happens if someone has added a new authorization object in a derived role?
    He has only changed some derived role, not the parent role; he manually added a new value in the authorization field. The parent role didn't change.
    Note: The field was not an organizational field, it was S_DATASET.
    What do you think about this ?
    Thanks
    Hery-zo

    Do I understand this right??? Do functional teams have access to PFCG to create roles???
    If so, that is your real problem, as that should never have been done that way. You are completely right, functional consultants have no clue about how roles should be built. Advice:
    1 take away the access to PFCG in ALL systems for anybody other than security consultants administrators.
    2 ask all functional teams to describe the roles, points to be addressed:
       A TRX in every role
       B all wanted restrictions on every TRX (described functionally)
       C org levels on which restrictions should be built.
       D Test process for every TRX in every role (both positive and negative)
       E check all roles against table USOBT and look for manually added objects,
           if they cannot give a good reason for adding these, REMOVE them.
    3 retest all roles based on point 2D, ask the functional consultants to assist where needed. Adjust roles during testing where needed, but create a good auditable record for every change.
    4 Update USOBT_C (use TRX SU24) for all changes you apply during testing
    5 check your roles for the corrected TRX after this change and update the other roles involved as well.
    6 ONLY allow roles that have followed the above process to go to Production.
    The above steps are the only way to create a secure SAP Production system for you!

  • Master role-derive role concept and FICO role in dev system!!!

    Hi all,
    I have created a master role with t-codes
    AWUW
    BAPI
    BD10
    BD100
    BD101
    BD102
    BD103
    BD104
    BD105
    BD11
    BD12
    BD13
    BD14
    BD15
    also included object PLOG where maintained org data
    and created a derived role from that master role and generated from the master role.
    After that I wanted to change the org level but the system is not allowing me to change, although I selected the values from the F4 screen.
    Now I want to maintain separate org values for each of the derived roles... and when adjusted from the master role, these maintained values should not vanish.
    How should I proceed???
    I have another issue... I am now in the Dev system... I need to create a role with FICO module with SPRO...
    Should I go ahead and create a role and assign FICO block and assign SPRO... will that be sufficient??
    Thanks in Advance
    Regards,
    Souren

    Yes, it seems that you have broken the org level by directly making changes in the org level field inside PFCG.
    One way to correct this is to regenerate the role in expert mode by selecting the option 'Delete and recreate profile and authorizations' (in case you want to correct it for all the org level fields).
    If you want it only for PLOG, then delete this object and add it again. Then go to the organization level tab at the top and give the required value. Do this in the master role and generate and push the changes to the derived role. Now, go to the derived role and make the org level change the same way you did for the parent role.
    For your second question, you will have to see what all auth objects are being checked by SPRO for a FICO module associate. You can create a test role with SPRO in it and then do an authorization trace through ST01 to see what all objects are checked when they work.

  • 'Protecting' your derived roles from being maintained on object level

    I'm redesigning an authorization concept that has been polluted in the past by maintaining object level values in the derived roles instead of the master roles.
    Now I would like to build in a kind of warning or authorization so that future role administrators can adjust master roles on object level, and derive the roles from the master, but are not allowed (or get a warning) to change object level values in the derived roles themselves.
    I'm looking for a warning similar to the warning you get when you are trying to change an organizational level value within the object rather than change the orglevel table.
    I have looked for entries in table PRGN_CUST, but found none.
    Also, the authorization checks for deriving roles seem to be similar (http://help.sap.com/saphelp_nw04/helpdata/en/2b/84653f1b76b11ae10000000a114084/frameset.htm) to actually maintaining a role, so no distinction can be made here.
    Knowing all this, I think the answer is: 'no, this is not possible' but if you have dealt with the same problem successfully, please let me know.
    Kind regards,
    Lodewijk Borsboom

    Hi Lodewijk,
    There are exit paths in SU01 and PFCG which might (have) help(ed) but SAP removed the documentation on them because (to my knowledge) as the code was integrated into BAPIs and org. management these exits (like many which have gone before them) caused no end to confusion over time.
    I heard that they would at some point be replaced by BADIs but I guess the same problem exists there and I have to date not seen any of them released.
    I have the documentation if you are interested but which release are you on? I suspect that SAP might even remove the exit coding anyway.
    As the others have stated, I would also go for a detective control. You can always wipe the mistake out again from the master and this will let you know that someone is not sticking to the rules or doesn't understand the concept.
    This is also an advantage when compared to an error message or warning which only they see...
    Cheers,
    Julius
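One form the detective control suggested above could take, as an added example that is not part of the original thread: compare each derived role's non-organizational authorization values with its master's and report anything added or missing. The rows are constructed and shaped like exports of AGR_DEFINE and AGR_1251 (AGR_NAME, OBJECT, FIELD, LOW, HIGH); the set of org-level fields is passed in as an assumption, and comparing values per object rather than per authorization instance is a simplification.

```python
# Constructed sample: (AGR_NAME, PARENT_AGR), shaped like AGR_DEFINE.
AGR_DEFINE = [
    ("Z_MM_BUYER_MASTER", ""),
    ("Z_MM_BUYER_1000", "Z_MM_BUYER_MASTER"),
    ("Z_MM_BUYER_2000", "Z_MM_BUYER_MASTER"),
    ("Z_MM_BUYER_3000", "Z_MM_BUYER_MASTER"),
]

# Constructed sample: (AGR_NAME, OBJECT, FIELD, LOW, HIGH), shaped like AGR_1251.
AGR_1251 = [
    ("Z_MM_BUYER_MASTER", "S_TCODE", "TCD", "ME21N", ""),
    ("Z_MM_BUYER_MASTER", "S_TCODE", "TCD", "ME22N", ""),
    ("Z_MM_BUYER_MASTER", "F_BKPF_BUK", "ACTVT", "01", ""),
    ("Z_MM_BUYER_MASTER", "F_BKPF_BUK", "BUKRS", "$BUKRS", ""),
    # Clean derived role: differs from the master only in an org-level field.
    ("Z_MM_BUYER_1000", "S_TCODE", "TCD", "ME21N", ""),
    ("Z_MM_BUYER_1000", "S_TCODE", "TCD", "ME22N", ""),
    ("Z_MM_BUYER_1000", "F_BKPF_BUK", "ACTVT", "01", ""),
    ("Z_MM_BUYER_1000", "F_BKPF_BUK", "BUKRS", "1000", ""),
    # Derived role where someone added S_DATASET by hand.
    ("Z_MM_BUYER_2000", "S_TCODE", "TCD", "ME21N", ""),
    ("Z_MM_BUYER_2000", "S_TCODE", "TCD", "ME22N", ""),
    ("Z_MM_BUYER_2000", "F_BKPF_BUK", "ACTVT", "01", ""),
    ("Z_MM_BUYER_2000", "F_BKPF_BUK", "BUKRS", "2000", ""),
    ("Z_MM_BUYER_2000", "S_DATASET", "ACTVT", "34", ""),
    ("Z_MM_BUYER_2000", "S_DATASET", "FILENAME", "*", ""),
    # Derived role that was not adjusted after ME22N was added to the master.
    ("Z_MM_BUYER_3000", "S_TCODE", "TCD", "ME21N", ""),
    ("Z_MM_BUYER_3000", "F_BKPF_BUK", "ACTVT", "01", ""),
    ("Z_MM_BUYER_3000", "F_BKPF_BUK", "BUKRS", "3000", ""),
]

# Assumption: the fields promoted to organizational levels in this system.
ORG_LEVEL_FIELDS = {"BUKRS", "EKORG", "WERKS"}


def non_org_values(agr_1251, role, org_fields):
    """Authorization values of one role, ignoring organizational level fields."""
    return {
        (obj, field, low, high)
        for name, obj, field, low, high in agr_1251
        if name == role and field not in org_fields
    }


def derived_role_drift(agr_define, agr_1251, org_fields):
    """Map each drifting derived role to the values it adds or lacks vs. its master."""
    findings = {}
    for role, parent in agr_define:
        if not parent:
            continue  # only derived roles are checked
        own = non_org_values(agr_1251, role, org_fields)
        inherited = non_org_values(agr_1251, parent, org_fields)
        added, missing = sorted(own - inherited), sorted(inherited - own)
        if added or missing:
            findings[role] = {"added": added, "missing": missing}
    return findings


if __name__ == "__main__":
    for role, diff in derived_role_drift(AGR_DEFINE, AGR_1251, ORG_LEVEL_FIELDS).items():
        print(role, diff)
```

Values listed under "added" point to object-level maintenance in the derived role; values under "missing" point to a derived role that has not been adjusted since the master changed.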

  • GRC BRM: Update Org Levels of derived roles

    Dear GRC experts,
    we are using the GRC BRM Master Derived concept and have around 100 Master roles in place.
    I understand that the Org Levels of derived roles are only once set per Org Value Map during the initial (Mass) Derivation.
    If we add a transaction like VA01 to a Master role this also adds some new Org Levels to the Master role. Via "Propagate to Derived roles" the new transaction and object values are added into the Derived roles.
    For the new Org Levels these are added also but the values are not the one from the Org Value Map of the Derived role but exactly the same values of the Master Role.
    Using "Derived Role Org. values Update" does not help us here to update the corresponding Derived roles as no change to the Org Value Map has been done.
    In case a Master role has 40 different Derived roles associated this would require to update manually any of the Derived roles for adjusting the new Org Levels.
    Does anybody know how to automate this task?
    Many thanks for your help!
    Regards,
    Markus

    Hi Markus Richter
    Once you maintain the imparting role and propagate to the derived role, the derived roles will inherit the new org values from the imparting. So that at least has the org values in the derived roles but not the correct values
    Next up is to try to use the Mass Maintain Roles to update the derived roles with correct values from the org map (ensure org maps were updated first) mentioned in post
    Mass Child role Org value update in GRC 10
    Does this work for you as an approach?
    Regards
    Colleen

  • Master role-derive role concept?

    Hi all,
    I have created a master role with t-codes
    AWUW
    BAPI
    BD10
    BD100
    BD101
    BD102
    BD103
    BD104
    BD105
    BD11
    BD12
    BD13
    BD14
    BD15
    also included object PLOG where maintained org data
    and created a derived role from that master role and generated from the master role.
    After that I wanted to change the org level but the system is not allowing me to change, although I selected the values from the F4 screen.
    Now I want to maintain separate org values for each of the derived roles... and when adjusted from the master role, these maintained values should not vanish.
    How should I proceed???
    Thanks in advance
    Regards,
    Souren

    you should refer to the SECURITY forum at Security

  • Is transporting two groups of derived roles separately an issue?

    Hi Gurus,
    We have a situation where we need to transport 150+ child roles of the same Parent. As these roles are very bulky in content, we thought of creating two transports having 70+ roles each. While doing so, we released the first transport and when it reached the test system we released another one.
    The final result in the test system is that all the child roles which were moved in the first transport now have the authorization tab "red", while the ones which were transported in the second tp are perfect.
    I have tried sending all the roles in 1 transport but due to its huge size it failed and got stuck many times before we deleted it from the buffer. Please let me know the best possible way to move the changes to test environment and later to prod. Increasing tp file size or increasing the ideal run time of the dialog/background work process are the option. But looking for some other alternatives.

    That you have such large derived roles should be suspect in itself. How many org. fields have you promoted and did you transport that change to the field definition through first (just to double-check)?
    How many users are these roles already assigned to? --> The import events for role transports also perform the user compare and "after change" user buffer syncs. This can have performance impacts, if that is the point of failure you are referring to.
    > I have tried sending all the roles in 1 transport but due to its huge size it failed and got stuck many times
    Take a look in ST22 for the short dumps related to this. Give us more infos about the bottleneck and perhaps we can help further.
    PS: When doing performance tests, you should not give up after the first try... (memory area management and syncs which the system does - some of them you can do in advance and only need to be done once / respectively the first time).
    Cheers,
    Julius
    Edited by: Julius Bussche on Apr 4, 2010 10:43 AM

  • Derived Role Z-transaction issue

    Has anyone had a problem with having custom (Z-transactions) transactions in your master role, then when the derived role is generated from this master role, these Z transactions and their authorization objects are missing in the derived role?

    Susan,
    The only way to make sure changes in SU24 are brought into existing roles is to update the role in expert mode with the "merge with new data" option.
    Did you try to adjust all the derived roles from the Master role to see if this brings the custom t-code & auth objects to the derived roles? (Authorization -> Adjust Derived -> Generate Derived roles).
    Have fun.
    Lye

  • Security Issue: How to create a derived role from the Base role

    Hi All,
    Kindly let me know how can i create a derived role from the base role?
    Please respond at the earliest.
    Thanks in advance.
    Ramesh.

    Go to PFCG and Create a role with desired Name.
    In the Description Tab, on the Left Side there is a text box for "Derive From "
    enter the Base role.
    Now your newly created role is derived from the Base role.
    Save the newly created role and again run PFCG, enter the Base role name and execute. Select Edit role. Go to Authorization tab.
    Edit Authorization.
    In the Menu Adjust Derived -> Generate and Adjust derive
    This will Generate the derived role.
    Now you may go and check the authorization in the derived role.

  • Derived role authorization tab

    Hi All:
          I created a derived role from a master role and the authorization tab is RED for both roles. Under the profile for both roles it says profile match up required. I even did profile comparison using PFUD. Can anyone help me?
           Thanks,
           J D

    Hi Jim,
    To generate both the roles:
    1. First go to the parent role in change mode, then click on the authorization tab, then click on change authorization data, then save the role here and generate the role. (This will generate only the parent role.)
    2. To generate the derived roles you don't need to go to the derived role; in the parent role itself go to change authorization data on the authorization tab, click on the menu option Authorizations, under that click on adjust derived, and then under that save the derived role and then generate the derived role.
    But in case you have changed anything in the derived role itself, you can save and generate in the derived role.
    Regards,
    Ashok

  • Error while uploading R/3 Derived Role into EP

    Dear all,
    When i was trying to upload the derived role from backend R/3 system. It's giving following error.
    com.sap.portal.pcd.rolemigration.RoleMigrationException: Nested Exception. Failure to execute native function. Nested Exception. ROLE_IS_DERIVED - message at com.sap.portal.pcd.rolemigration.util.Connector.callFunction(HQ1CLNT230,en_US,pradeep,TWPN_GET_ROLE,ROLE_TABLE,{ENABLE_LOGGING= , ROLENAME=ZR:GT_CUSTOMER_001, MENUTEXTS_ONLY_IN_MASTERLANG= }): Check parameters. Nested Exception. ROLE_IS_DERIVED at com.sap.portal.pcd.rolemigration.util.Connector.callFunction(Connector.java:244) at com.sap.portal.pcd.rolemigration.RoleMigrationObject.migrate(RoleMigrationObject.java:1699) at com.sap.portal.pcd.rolemigration.RoleMigrationObject.migrate(RoleMigrationObject.java:769) at com.sap.portal.pcd.rolemigration.RoleMigrationThread.run(RoleMigrationThread.java:488) Original exception: com.sapportals.connector.ConnectorException: Nested Exception. ROLE_IS_DERIVED at com.sapportals.connectors.SAPCFConnector.SAPConnectorException.getNewConnectionException(SAPConnectorException.java:67) at com.sapportals.connectors.SAPCFConnector.execution.functions.SAPCFConnectorInteraction.execute(SAPCFConnectorInteraction.java:318) at com.sapportals.connectors.SAPCFConnector.execution.functions.SAPCFConnectorInteraction.execute(SAPCFConnectorInteraction.java:411) at com.sapportals.connectors.SAPCFConnector.execution.functions.SAPCFConnectorInteraction.execute(SAPCFConnectorInteraction.java:433) at com.sap.portal.pcd.rolemigration.util.Connector.callFunction(Connector.java:403) at com.sap.portal.pcd.rolemigration.util.Connector.callFunction(Connector.java:148) at com.sap.portal.pcd.rolemigration.RoleMigrationObject.migrate(RoleMigrationObject.java:1699) at com.sap.portal.pcd.rolemigration.RoleMigrationObject.migrate(RoleMigrationObject.java:769) at com.sap.portal.pcd.rolemigration.RoleMigrationThread.run(RoleMigrationThread.java:488)
    Kindly suggest.
    Rgds
    PRadeep

    Pradeep,
    Kindly explain the process flow of your upload.
    James

  • Little Challenge --How to give or restrict TRX in derive roles !

    Want to give 10 trx in 2 derive roles and 15 in another 2 derive roles from the same Parent role - any method to do so? One I know is to give additional 5 Trx access through manually adding TCD in the remaining 2 derive roles. ANY other way to give or restrict so that tabs should not be in manually or changed mode?

    >
    ARYENDRA DALAL wrote:
    > so that tabs should not be in manually or changed mode?
    Hi,
    Excellent answer from Juluis. Also the way you want to do this is conflicting with the Ref-Derive role concept.
    I can add/modify some thing to the previous two answers.
    One point I want to make clear that you mentioned as quoted above. Do you mean to say that the S_TCode will not be in changed mode (_or_ need not to add S_TCode manually) in Profile generator?
    If Yes, then please check the following approach:
    1. Create your first parent role and pair of derived roles with 10 Tcodes.
    2. Create one role as per the concept of Transaction role - value role. That means, the role will contain those 5 TCodes in the menu but will not contain any authorization (except S_TCODE, all objects should be deactivated).
    3. Then create one composite role with these two (one derive role of the pair and the other single role).
    if No, then follow this approach:
    1. Follow step one of above.
    2. Create one generic role without any menu entry. Add TCode manually in authorization tab and then 5 TCodes there.
    3. Create another role (value role) [let me know if you need details concept on this] and maintain the authorization of those 5 TCodes here together with org. values.
    4. Create composite role by using these three roles (one derive role from the pair, one generic transaction role and one value role).
    But please note that the menu entry should not be maintained in the derive role in any circumstances and if you do then you are no longer maintaining SAP Ref-Derive role concept.
    Please let me know if these help you to some extent.
    Regards,
    Dipanjan

  • Risk Analysis of derived role is not able to fetch organisational values.

    Dear All,
    We have run the Permission level analysis in GRC 5.2 for the ROLES at permission level and
    found that the tool is not reading the ORGANIZATION VALUES maintained
    in the derived roles.
    We had explored in the GRC tool & found that the fields BUKRS, KOART, etc.
    are ENABLED in the RULES, while the CC tool is fetching values of other authorization objects.
    Please advise if there are any configuration settings required.
    For your reference I am pasting the part of report.
    Medium     F_BKPF_KOA : Accounting Document: Authorization for Account Types     ACTVT : Activity     Create or generate
    Medium     F_BKPF_KOA : Accounting Document: Authorization for Account Types     KOART : Account Type     $KOART
    Medium     F_BKPF_BUK : Accounting Document: Authorization for Company Codes     ACTVT : Activity     Create or generate
    Medium     F_BKPF_BUK : Accounting Document: Authorization for Company Codes     BUKRS : Company Code     $BUKRS
    Thanks,
    Sandeep Bhatia

    Hello Sandeep,
    Doing Org Lvl Analysis is not so simple in RAR.
    Firstly this is only user based.
    For using it you will have to schedule one job in configuration which will update Org Values for users in the database table. I don't remember name of this Utility however it will be something Orguser, just search in Configuration tab.
    As mentioned by you, org lvl are already enabled; make sure their value is $.......,
    Reason being Org Rules will be generated at runtime and then analysis will be done.
    It will be better you take help of SAP on this. As they have document which will be very helpful to you.
    Regards,
    Surpreet
