Authorization in APO: org level concept (parent role -- derived role) ?

Similar Messages

• Master role-derive role concept and FICO role in dev system!!!

  Hi all,
  I have created a master role with t-codes
  AWUW
  BAPI
  BD10
  BD100
  BD101
  BD102
  BD103
  BD104
  BD105
  BD11
  BD12
  BD13
  BD14
  BD15
  also included object PLOG where maintained org data
  and created a derived role from that master role and generated from the master role.
  After that I wanted to change the org level but the system is not allowing me to change, although I selected the values from the F4 screen.
  Now I want to maintain seperate org value of each of the derived role...and when adjusted from the master role..these maitained value should not vanished.
  How should I proceed???
  I have another issue....I am now in Dev system....I need to create a role with FICO module with SPRO....
  Should I go ahead and cread a role and assign FICO block and assign SPRO...will that be sufficient??
  Thanks in Advance
  Regards,
  Souren

  Yes, It seems that you have broken the org level by directly making changes in the org level field inside pfcg.
  One way to correct this is to regenerate the role in expert mode by selecting the option 'Delete and recreate profile and authorizations' (in case you want to correct it for all the org level fields.).
  If you want only for PLOG, then delete this object and add again. Then go to organization level tab at the top and give the required value. Do this in the master role and generate and push the changes to derived role. Now, goto derived role and make the org level change the same way you did for parent role..
  For your second question, you will have to see what all auth objects are being checked by SPRO for a FICO module assosciate. You can create a test role with SPRO in it and then do authorization trace through ST01 to see what all objects are checked when they work.

• Master role-derive role concept?

  Hi all,
  I have created a master role with t-codes
  AWUW
  BAPI
  BD10
  BD100
  BD101
  BD102
  BD103
  BD104
  BD105
  BD11
  BD12
  BD13
  BD14
  BD15
  also included object PLOG where maintained org data
  and created a derived role from that master role and generated from the master role.
  After that I wanted to change the org level but the system is not allowing me to change, although I selected the values from the F4 screen.
  Now I want to maintain seperate org value of each of the derived role...and when adjusted from the master role..these maitained value should not vanished.
  How should I proceed???
  Thanks in advance
  Regards,
  Souren

  you should refer to the SECURITY forum at Security

• Master role & Derived role concept

  Hi Friends ,
  We have master and drive role concept in our project . ABC_XXXX (Master role )  ABC_1000(Derived role) (1000= company code)
  Now we need to maintain some values in master roles lets say display :03 .  Should we regenrate deived role  as well ?
  If we regenrate derived role  , Do inhertiance relatioship breaks? and we need to maintain company code =1000 value again ?
  Please suggest.
  regards

  Forgot to answer some more questions you had asked. Adding them here:
  Now we need to maintain some values in master roles lets say display :03 . Should we regenrate deived role as well ?
       - use the steps I mentioned in my earlier reply to re-generate derived roles from the Master role.
  If we regenrate derived role , Do inhertiance relatioship breaks?
           - please use the steps I suggested, the inheritance will not break. And this is an advantage of Master-->derived role.thats the meaning of having this concept in SAP.
  and we need to maintain company code =1000 value again ?
  --- No you dont need to. (you can check and see this manually).
  Hope it helps...
  Soumya
  Edited by: Soumya Thomas on May 20, 2010 12:34 PM
  Edited by: Soumya Thomas on May 20, 2010 12:35 PM

• Question on org level values in derived roles

  I have a set of derived roles for a retail org.
  They have set the org level for the WERKS object to the store number i.e. 0012. in the  M_MSEG_LGO, M_MSEG_WMB,   and M_MSEG_WWE but set it to "" in the  M_MRES_WWA and M_MSEG_WWA. Needless to stay the "" is overiding the site restriction.
  My question is, how can they allow store to store transfers and goods issues for other sites but only do POs and goods receipts for their default store?
  If the transactions in the role are using the same object, it doesn't seem like it can be done but I am told it can! I can't figure it out. Can anyone assist?
  Thanks

  If you are talking about  straight authorization object ( then your design cannot go with derived role concept )
  If your controls are only through the organizational object  only then derived role design will help
  If its a mix of both standard object + organizational level object derived role will not help you.
  Please note
  the WERKS is the organization level  in your case the plan value is 0012
  do not set the values in parent role and also do not populate this value were its "$werks"
  what is TCODE you are using ?
  Edited by: Franklin Jayasim on Jul 21, 2010 11:45 PM

• Mass role Import in ERM "unable to determine matching org. level" Error

  I am trying to upload the Derived Roles into the ERM. I have already uploaded all the Parents Roles. The volumes of the Derived Roles is huge in my SAP Backend system.
  I am not able to understand what should be the content of Org File which we upload. Please correct if I am wrong
  1>Example a role Z_TEST_D is derived from Z_TEST on the org levels EKGRP,KOART,GSBER,WERKS.
  2>I have run Org Synchronization Job in the ERM
  3>Downloaded Z_TEST (Parent Role) and uploaded it into ERM(It was easy because there was no org file)
  4> Downloaded Z_TEST_D(Derived Role) through /VIRSA/RE_DNLDROLES Tcode in backend.
  5>Downloaded the AGR_1252 information for this role which contained the Org levels and values
  6>I put all those information into the Org File and then tried to upload it throws me the error Role Z_TEST_D : not imported; unable to determine matching org. level for WERKSin the system
  So I again tried with the another method by changing the input sheet for the Org File
  Z_TEST_D BUKRS 0* 9*
  Z_TEST_D EKGRP *
  Z_TEST_D KOART *
  Z_TEST_D GSBER *
  Z_TEST_D WERKS *
  and tried to upload it again gave me the same error. I have checked the ERM all these Org Levels are fetched into the ERM. I am not sure if I am missing any basic things.
  Current Support pack: SP10 Hot Fix 2.
  Please share your experience and best practice to upload the roles,

  Hello Rahul,
  I had that same problem with SP10 also. The way I resolved itand this sounds crazywas to move that WERKS line up one or two rows.
  The problem I noticed was not with all derived roles, but when there was a problem, it was always the last line of the Org file for the role that was causing the problem. And the problem was not always WERKS either.
  If the next time you run it, the error occurs on the "new" last line (e.g. GSBER), move that line up also. Eventually they all make it in. I have not seen this problem repeated in SP12. Don't delete the line, just shift the order within the number of rows the role has.
  P.S. I have several hundred derived roles, about 10 - 15% had this import problem.
  -Dylan

• GRC BRM: Update Org Levels of derived roles

  Dear GRC experts,
  we are using the GRC BRM Master Derived concept and have around 100 Master roles in place.
  I understand that the Org Levels of derived roles are only once set per Org Value Map during the initial (Mass) Derivation.
  If we add a transation like VA01 to a Master role this also adds some new Org Levels to the Master role. Via "Propagate to Derived roles" the new transaction and object values are added into the Derived roles.
  For the new Org Levels these are added also but the values are not the one from the Org Value Map of the Derived role but exactly the same values of the Master Role.
  Using "Derived Role Org. values Update" does not help us here to update the corresponding Derived roles as no change to the Org Value Map has been done.
  In case a Master role has 40 different Derived roles associated this would require to update manually any of the Derived roles for adjusting the new Org Levels.
  Does anybody know how to automate this task?
  Many thanks for your help!
  Regards,
  Markus

  Hi Markus Richter
  Once you maintain the imparting role and propagate to the derived role, the derived roles will inherit the new org values from the imparting. So that at least has the org values in the derived roles but not the correct values
  Next up is to try to use the Mass Maintain Roles to update the derived roles with correct values from the org map (ensure org maps were updated first) mentioned in post
  Mass Child role Org value update in GRC 10
  Does this work for you as an approach?
  Regards
  Colleen

• 'Protecting' your derived roles from being maintained on object level

  I'm redesigning an authorization concept that has been polluted in the past by maintaining object level values in the derived roles instead of the master roles.
  Now I would like to build in a kind of warning or authorization so that future role administrators can adjust master roles on object level, and derive the roles from the master, but are not allowed (or get a warning) to change object level values in the derived roles themselves.
  I'm looking for a warning similar to the warning you get when you are trying to change an organizational level value within the object rather than change the orglevel table.
  I have looked for entries in table PRGN_CUST, but found none.
  Also, the authorization checks for deriving roles [seem to be similar|http://help.sap.com/saphelp_nw04/helpdata/en/2b/84653f1b76b11ae10000000a114084/frameset.htm] to actually maintaining a role, so no distinction can be made here.
  Knowing al this, II think the answer is: 'no, this is not possible' but if you have dealt with the same problem successfully, please let me know.
  Kind regards,
  Lodewijk Borsboom

  Hi Lodewijk,
  There are exit paths in SU01 and PFCG which might (have) help(ed) but SAP removed the documentation on them because as (to my knowledge) as the code was integrated into BAPIs and org. management these exits (like many which have gone before them) caused no end to confusion over time.
  I heard that they would at some ponit be replaced by BADI's but I guess the same problem exists there and I have to date not seem any of them released.
  I have the documentation if you are interested but which release are you on? I suspect that SAP might even remove the exit coding anyway.
  As the other's have stated, I would also go for a detective control. You can always wipe the mistake out again from the master and this will let you know that someone is not sticking to the rules or doesn't understand the concept.
  This is also an advantage when compared to an error message or warning which only they see...
  Cheers,
  Julius

• Master role and derived role concept

  Guys,
  1) How to assign the organizational levels for the derived role?
       Say for example, I have to create the derived roles with respect to the plant code.And after inheriting the tcodes ,authorizations from the master role , I noticed a pop up page with organizational level tabulation and I assigned the respective plant code there and in the same way for all the following derived roles.But the rest of the rows like company code,sales organization,distribution channel etc which are seen in the tabulation are left empty.I noticed that all the fields which are left empty in the org.levels of the derived roles  are been filled up with the vaules of the corresponding master role org.level values when the derived button icon , which is seen under the authorization tab of master role is pressed.So pls let me know the correct procedure to assign.*Do we really need to maintain org.values for master roles?*
  2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
  3) Is master and derived role tested parallely in the QA system or first master role is tested ,followed by the derived role?
  4) According to my understanding we dont assign any user to the master roles, but why do we move it to PRD?
  Greatly appreciate for some body's help.

  >  1) How to assign the organizational levels for the derived role?
  >      Say for example, I have to create the derived roles with respect to the plant code.And after inheriting the tcodes ,authorizations from the master role , I noticed a pop up page with organizational level tabulation and I assigned the respective plant code there and in the same way for all the following derived roles.But the rest of the rows like company code,sales organization,distribution channel etc which are seen in the tabulation are left empty.I noticed that all the fields which are left empty in the org.levels of the derived roles  are been filled up with the vaules of the corresponding master role org.level values when the derived button icon , which is seen under the authorization tab of master role is pressed.So pls let me know the correct procedure to assign.*Do we really need to maintain org.values for master roles?*
  Only if you assign the master roles to users. (and maybe for testing, see 3)
  >
  > 2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
  Nope, but if one of it's derived roles is transported the master is automatically included in the transport. You'll have to make sure all derived roles are transported yourself.
  >
  >  3) Is master and derived role tested parallely in the QA system or first master role is tested ,followed by the derived role?
  Best order is to do all unit testing wit the master, with all org levels at * and create the derived roles only when the master is tested and corrected to satisfaction. In that way the derived roles only have to be tested for organizational shielding.
  >
  >  4) According to my understanding we dont assign any user to the master roles, but why do we move it to PRD?
  See 2, it goes there automatically. No choice.
  Jurjen

• ERM -- unable to determine matching org. level for BRGRU in the system

  Hello,
  I have a problem.
  When I trY to import in the ERM (SAP GRC AC 5.3 SP5) a mass import of roles (derived roles) using the template Organizational Template.
  Some of the roles gives me this error:
  "Role not imported; unable to determine matching org. level for BRGRU in the system".
  In the file I put for example
  ZAPVAPINTE     BUKRS     0083
  Am I doing it right? or do I have to put $BURKS?
  Best regards.
  Pablo Mortera.

  I have found that when you run the background job "syncronization of the organizational values" it pulls the org value name and all "values" assigned to it.  If you don't have values specified (on the table level) for the org name, you get this error.  We have many fields that we use values for these fields but they aren't specified in the table.
  For example:  We have the org value "PLVAR" with the values "AL", "01", "02", "03", and "GB" assigned to it.  You can actually see these values in the backend system using SE11.  We do not get this error on this org value.  However, we have another org value "SACHZ" that we use, but we do not have any values assigned to it on the table level, so it is giving us this error.  We are trying to find out how to populate the "values" field since this was not done through configuration.
  Here are the steps:  (1) Go to SE11 in your backend system.  (2)  Put your org value (example:  PLVAR) in the "DATA TYPE" field and click display. (3) Double click on the Domain name.  (4)  Go to the Value Range Tab and click on the "Value Table" name if there is one.  This is the table that has the org values assigned in it - normally done through configuration. (5) go to Utilities --> table contents --> display.  (6) execute the table contents.  These are the values that the sync job pulls over.  If there are no values there or if there is no "values table" name, you get the error.  If there are values there, you don't get it.
  We are working with our technical team to get the values in these fields to see if that works.  Another quick way to see if there are values assigned to the org field is to use "Org Value Mapping" in ERM.  Select the "derived org level field" you want to see and click on the "org value from" magnifying glass.  If no values are there, a "values table" hasn't been populated in SE11. 
  It doesn't make much sense to me though because we can still use values for these fields for our derived roles....we just don't populate the table with them.
  I'll update this message if we find a solution.
  Thanks,
  Peggy

• Parent-derived roles

  Hello,
  I look for to dispay all derived roles of a parent role and export it in a file?
  Can some help me?
  Thanks.

  try table AGR_DEFINE in SE16/16N. This table lists the parent/child (master role/derived role) relationship.
  -Prashant

• Missing Master and Derived Roles

  Hello All,
                I have got an odd scenario and I am hoping some of you might have run into the same issue or might point me to the right direction.
  Back ground
  We are on ECC 5.0 and have Master Derived Concept, and then Derived Roles are grouped in Composites
  We recently( Last week ) created some ( say 34 ) Derived roles and some (10) composites using a combinition of the newly created derived and some Old derived roles.
  Transported The derived seperatly and Composites seperately. Transports went successfully into QA and PRD.
  This week we noticed that all of the 34 derived roles are missing in DEV ONLY along with 28 Master of the 34 Child Roles. All the Childs and master still exist in QA and PRD.
  We have tried to look up the change Doc of the missing roles or the profiles or the authorizations of the missing roles and there is no change log under suim. Change Log shows when the role was created but nothing after that. According to Basis transports does not have any unusual log
  Since its a DEV system so no delete transports have come into DEV, therefore delete transport could not be an option.
  I have also uploaded one of the missing master roles from the PRD to DEV and it is succfully established the relation with the childs. I was hoping it might shake up the Change History regarding missing role but it did not, It now shows when the role was created earlier( 2006 ) and This week  agian but no Delete History
  Any Ideas on how to explain this behavior

  Another possible and imaginable human error worth looking into is that at some stage in the past a transport request was created for the master and child roles -- okay.
  Then the child roles were "broken" by changing org. levels and other fields in the authorization maintenance, so the roles themselves were deleted with the intention of creating them again from one of the "template" child-roles --> okay, seems reasonable to have happened.
  Then (here is the problem!) someone released the transport before the new child roles were created. This is interpreted by the system to be a deletion transport of roles.
  Additionally the sequence of the transports might have added additional obscurity to the issue and now, much later on, someone imported the transport into production which deleted the roles.
  <conspiracy_theory>
  The person then deleted the transport request from the queues and archived the change documents in SU83.
  </conspiracy_theory>
  Cheers,
  Julius

• Manually added auth objects and Derived roles

  If there are manually added auth objects in the parent role do they come across to the derived roles?
  Also if you manually added auth objects into a derived role will they be overwritten by the parent role if you auto derive from the parent role?

  yes, any auth objects will come across to derived roles when you click 'generate derived roles'  from your parent role. basically its copying your parent role authorizations to derived roles  except org. level data( if you had maintained them thru 'org. maintainence' button and not adding in individual objects).
  yes. manually added auth objects in your derived roles will be overwritten by the parent role authorizations when you click 'generate derived roles'  from your parent role.
  if you just derived the role menu and din't copy the authorizations(generate derived roles) then there will not be any interlink between the parent and derived roles for authorizations.
  http://help.sap.com/erp2005_ehp_02/helpdata/en/1c/c38028816c11d396bc0000e82de14a/content.htm

• Derived roles are getting overwritten everytime when I update Master Role.

  Hi Experts !
  We have created some Master and Derived roles in the past.  According to the requirement we have made some changes directly in the derived roles like some value of objects, activities, etc.. Now we added one t-code in the master role and generated its profile and generated all derived roles also. But changes made directly in derived roles earlier, revoked from all derived roles.
  Now can anyone tel me how to add t-code in Master and derived roles so that the changes directly made in derived role should not be removed.
  Please help and give your valuable advise.
  Regards,
  Lokesh Bajaj

  Hi Lokesh,
  The main principle of derived roles is that they inherit all object level access from the parent with the exception of organisational levels.
  Using derived roles you cannot achieve your requirement.  If there are any object level differences in the derived roles then you will need to create different master roles or delete the inheritance relationship.  This is a design constraint when using derived roles and if you do use them (some would advise against) then it has to take this functionality into account. 
  You can promote most field values to org levels which will not be overwritten but you need to be very careful that it doesn't cause problems elsewhere (e.g. promoting auth group to an org level).  I respectfully suggest that you do not go down this route without consulting someone who has done it before and can evaluate your solution for it's suitability.
  Cheers

• CSI Accelerator: Master / Derived roles

  Hi,
  As some of you might be aware, CSI accelerator besides having other typical SOD tool functionalities also helps in role creation as well just like ERM of GRC.
  But using this tool u2018CSIu2019 I have seen diff non-org filed values in the derived roles having been maintained as comapared to the master while creating them thus derived is customized to a gerat extent. So I just want to understand:
  1.     in such cases (where derived has non-org filelds values diff from masters) how does CSI handle the instances when master would be changed and changes need to be pushed to existing derived roles? In that case those non-org in already existing derived roles would again become same as masters.
  2.     Even using ERM one should be able to maintain diff values in the derived at non-org levels so how is the above mentioned push handled in case of ERM? Or itu2019s not handled at all and it simply wipes such discrepancies?
  thanks,
  Gill

  Daniel,
  we need to analyze from different angles like:
  1.Have u generated roles in DEV system ?? Hope no organisational values are missing in authorizations tab.
  you need to mass generate the profiles! (SUPC)
  2. When creating the transport the person might have forgot to  unchecked to transport the profiles as well.
  3.. some changes were made to the roles after the transport was created.
  Plz Refer to SAP Note 571276 and the following link:
  Re: Changes to Role
  4. If any system upgrades might have change the auth tab to red. (but in your case it with org levels)
  5. These type of mistakes happen if any new person have joined & without proper reading  company documentation, might  have the changed the roles.
  6 Finally, check whether company code & release code exist in QA & PRD.
  Thanks,
  Sri