Derive role table

Hi All,
Can anyone please tell me which table stores the information about derived roles?
Thanks in advance
~John

Hello John
It's the same table as for the master role: AGR_DEFINE (field PARENT_AGR is filled for derived roles).
Regards
  Uwe

Similar Messages

  • DB table for Derived Roles and Parent Roles

    Hi Experts,
    In which DB table are the derived roles and parent roles stored? That is, I need to find out the derived role and parent role. I have completed the complex and single roles using table AGR_AGRS,
    but I have to find out the table for derived roles.
    Please help me to get those tables.
    Thanks in advance
    Tarak

    It's the same table as for the master role: AGR_DEFINE (field PARENT_AGR is filled for derived roles).
    ~As from Forum

  • Risk Analysis of derived role is not able to fetch organisational values.

    Dear All,
    We have run the Permission level analysis in GRC 5.2 for the ROLES at permission level and
    found that the tool is not reading the ORGANIZATION VALUES maintained
    in the derived roles.
    We explored the GRC tool and found that the fields BUKRS, KOART, etc.
    are ENABLED in the RULES, while the CC tool is fetching the values of other authorization objects.
    Please advise if any configuration settings are required.
    For your reference I am pasting the part of report.
    Medium     F_BKPF_KOA : Accounting Document: Authorization for Account Types     ACTVT : Activity     Create or generate
    Medium     F_BKPF_KOA : Accounting Document: Authorization for Account Types     KOART : Account Type     $KOART
    Medium     F_BKPF_BUK : Accounting Document: Authorization for Company Codes     ACTVT : Activity     Create or generate
    Medium     F_BKPF_BUK : Accounting Document: Authorization for Company Codes     BUKRS : Company Code     $BUKRS
    Thanks,
    Sandeep Bhatia

    Hello Sandeep,
    Doing Org Lvl Analysis is not so simple in RAR.
    Firstly this is only user based.
    For using it you will have to schedule one job in configuration which will update Org Values for users in the database table. I don't remember name of this Utility however it will be something Orguser, just search in Configuration tab.
    As mentioned by you, org levels are already enabled; make sure their value is $.......,
    the reason being that org rules will be generated at runtime and then the analysis will be done.
    It will be better if you take help from SAP on this, as they have a document which will be very helpful to you.
    Regards,
    Surpreet

  • Change authorization object in a derived role

    Hi Gurus,
    What happens if someone has added a new authorization object in a derived role?
    He has only changed some derived role, not the parent role; he manually added a new value in the authorization field. The parent role didn't change.
    Note: The field was not an organizational field, it was S_DATASET.
    What do you think about this ?
    Thanks
    Hery-zo

    Do I understand this right? Do functional teams have access to PFCG to create roles?
    If so, that is your real problem, as that should never have been done that way. You are completely right: functional consultants have no clue about how roles should be built. Advice:
    1 take away the access to PFCG in ALL systems for anybody other than security consultants and administrators.
    2 ask all functional teams to describe the roles. Points to be addressed:
       A TRX in every role
       B all wanted restrictions on every TRX (described functionally)
       C orglevels on which restrictions should be build.
       D Test process for every TRX in every role (both positive and negative)
       E check all roles against table USOBT and look for manually added objects;
         if they cannot give a good reason for adding these, REMOVE them.
    3 retest all roles based on point 2D, ask the functional consultants to assist where needed. Adjust roles during testing where needed, but create a good auditable record for every change.
    4 Update USOBT_C (use TRX SU24) for all changes you apply during testing
    5 check your roles for the corrected TRX after this change and update the other roles involved as well.
    6 ONLY allow roles that have followed the above process to go to Production.
    The above steps are the only way to create a secure SAP Production system for you!

  • Changing Organization level for derived roles

    Dear All,
    Below is my query:
    When there is any requirement to change the organization level of a derived role, we go to the role and change the organization level manually.
    We have derived our roles, based on the units(company codes).
    Now we have a scenario, where we need to add one unit in a particular derivation of all roles.
    Please suggest if there is any way of updating the organization level in mass for a specific derivation.
    Regards,
    Reshma Vijayan.

    Colleen Lee wrote:
    At least with this option you are using the PFCG functionality and not hitting the tables directly
    Hi Reshma, Colleen,
    Some additional warnings about manipulating the downloads:
    The download file is a fixed record length text file; do not mess up the data positions.
    Be aware of case (upper/lower) when manipulating the file.
    Make sure you do a Unicode download to preserve special characters in the menu texts.
    There are very, very few checks done on the file contents when uploading again. It will allow you to pollute your AGR* tables in such a way you'll need an ABAP-er or SQL-savvy colleague to clean up the mess. It is very close to manipulating the tables directly.
    I once managed to get entries into AGR_1251 which didn't show up in PFCG and wouldn't even disappear from the tables after I had deleted the roles in question.
    And yes, I still use this method, but I won't advise it to anyone I cannot personally train to be aware of the pitfalls ;-)
    Jurjen

  • Mass generation of Derived Roles

    Hello,
    SUPC helps me in Mass generation of Master Roles. But how do I generate Derived roles in a lot?
    Thanks.

    Hello,
    we also missed this function when we started using derivation of roles. Some years ago I developed a program which does this; it is also possible to start it in background mode. It runs daily (in front of PFCG_TIME_DEPENDENCY) and adjusts derived roles from updated parent roles (which came into the system via transport request).
    Because I developed the program in my working time it's owned by my company, therefore I can not post the source. Just a few hints:
    - parent roles and derived roles: you will find them in table AGR_DEFINE
    - roles imported into the system: with function module TMS_TM_GET_TRLIST you can get yesterday's imported transport requests, you can read the object list with function module TMS_WBO_READ_REQUEST (those with R3TR ACGR have roles in it).
    - build up an internal table of parent roles (consider the derivation level: first process the top level role, then its derived roles, and then their derived roles and so on).
    - use function module SUPRN_TRANSFER_AUTH_DATA for adjusting the derived roles of a parent role.
    HTH and kind regards
    Jens Hoetger

  • 'Protecting' your derived roles from being maintained on object level

    I'm redesigning an authorization concept that has been polluted in the past by maintaining object level values in the derived roles instead of the master roles.
    Now I would like to build in a kind of warning or authorization so that future role administrators can adjust master roles on object level, and derive the roles from the master, but are not allowed (or get a warning) to change object level values in the derived roles themselves.
    I'm looking for a warning similar to the warning you get when you are trying to change an organizational level value within the object rather than change the orglevel table.
    I have looked for entries in table PRGN_CUST, but found none.
    Also, the authorization checks for deriving roles seem to be similar (http://help.sap.com/saphelp_nw04/helpdata/en/2b/84653f1b76b11ae10000000a114084/frameset.htm) to actually maintaining a role, so no distinction can be made here.
    Knowing all this, I think the answer is: 'no, this is not possible' but if you have dealt with the same problem successfully, please let me know.
    Kind regards,
    Lodewijk Borsboom

    Hi Lodewijk,
    There are exit paths in SU01 and PFCG which might (have) help(ed), but SAP removed the documentation on them because, to my knowledge, as the code was integrated into BAPIs and org. management, these exits (like many which have gone before them) caused no end of confusion over time.
    I heard that they would at some point be replaced by BADIs, but I guess the same problem exists there and I have to date not seen any of them released.
    I have the documentation if you are interested, but which release are you on? I suspect that SAP might even remove the exit coding anyway.
    As the others have stated, I would also go for a detective control. You can always wipe the mistake out again from the master and this will let you know that someone is not sticking to the rules or doesn't understand the concept.
    This is also an advantage when compared to an error message or warning which only they see...
    Cheers,
    Julius
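
One way to implement the detective control discussed in the replies above, as an added example that is not code from any poster or from SAP: it reads the parent/derived relationship from AGR_DEFINE (field PARENT_AGR) and reports every derived role whose non-organizational values in AGR_1251 differ from its parent. The role names, the semicolon-separated export layout, the column subset and the set of org-level fields are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data; the semicolon-separated layout is an assumed export format.
# AGR_DEFINE: PARENT_AGR is filled only for derived roles.
AGR_DEFINE_CSV = """AGR_NAME;PARENT_AGR
Z_FI_CLERK_MASTER;
Z_FI_CLERK_1000;Z_FI_CLERK_MASTER
Z_FI_CLERK_2000;Z_FI_CLERK_MASTER
Z_BASIS_DISPLAY;
"""
# AGR_1251 (subset of columns): authorization field values per role.
AGR_1251_CSV = """AGR_NAME;OBJECT;FIELD;LOW;HIGH;DELETED
Z_FI_CLERK_MASTER;F_BKPF_BUK;ACTVT;01;;
Z_FI_CLERK_MASTER;F_BKPF_BUK;BUKRS;$BUKRS;;
Z_FI_CLERK_1000;F_BKPF_BUK;ACTVT;01;;
Z_FI_CLERK_1000;F_BKPF_BUK;BUKRS;1000;;
Z_FI_CLERK_2000;F_BKPF_BUK;ACTVT;01;;
Z_FI_CLERK_2000;F_BKPF_BUK;ACTVT;02;;
Z_FI_CLERK_2000;F_BKPF_BUK;BUKRS;2000;;
Z_FI_CLERK_2000;S_DATASET;ACTVT;33;;
Z_FI_CLERK_2000;S_DATASET;FILENAME;*;;
Z_FI_CLERK_2000;S_DATASET;PROGRAM;*;;
"""
# Assumption: the org-level field list is system-specific; pass your own set.
ORG_LEVEL_FIELDS = {"BUKRS", "KOART"}

def read_rows(text):
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))

def derived_by_parent(define_rows):
    """Map each parent role to the sorted list of roles derived from it."""
    tree = defaultdict(list)
    for row in define_rows:
        parent = (row["PARENT_AGR"] or "").strip()
        if parent:
            tree[parent].append(row["AGR_NAME"].strip())
    return {parent: sorted(children) for parent, children in tree.items()}

def object_values(auth_rows, org_fields):
    """Collect (object, field, low, high) per role, skipping org-level
    fields (expected to differ) and rows flagged as deleted."""
    values = defaultdict(set)
    for row in auth_rows:
        if (row["DELETED"] or "").strip() or row["FIELD"].strip() in org_fields:
            continue
        values[row["AGR_NAME"].strip()].add(
            (row["OBJECT"], row["FIELD"], row["LOW"], row["HIGH"]))
    return values

def find_drift(define_rows, auth_rows, org_fields=ORG_LEVEL_FIELDS):
    """Return one finding per derived role that deviates from its direct parent."""
    values = object_values(auth_rows, org_fields)
    findings = []
    for parent, children in sorted(derived_by_parent(define_rows).items()):
        for child in children:
            added = sorted(values[child] - values[parent])
            missing = sorted(values[parent] - values[child])
            if added or missing:
                findings.append({"derived": child, "parent": parent,
                                 "added": added, "missing": missing})
    return findings

if __name__ == "__main__":
    for f in find_drift(read_rows(AGR_DEFINE_CSV), read_rows(AGR_1251_CSV)):
        print(f["derived"], "deviates from", f["parent"])
        for obj, field, low, high in f["added"]:
            print("  added:", obj, field, low, high)
```

The comparison ignores the AUTH column, so several authorizations of the same object in one role are merged into a single value set.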

  • Adjusting derived role in background

    Hello,
    Each time we modify a reference role, we spend a lot of time adjusting the derived roles (at least 20 derived roles, about 5 000 users by role).
    To do it, we execute PFCG, Authorization tabs, then in the authorizations menu-> adjust derived-> Generate derived roles.
    Is there a standard way to do it in background or in a batch mode (maybe by program, or function module) ?
    Thanks.
    Guillaume

    Hi Guillaume.
    We actually cloned the SUPRN_REGENERATE_DEPENDENT program into a Z-program and added the multiple roles functionality based on the timestamps in table AGR_TIME.
    We then save the timestamps in a shadow table (clone of AGR_TIME) so we can figure out when the role has been changed and a derivation is necessary!
    Contact me for further details!
    Regards Fredrik

  • Parent-derived roles

    Hello,
    I am looking to display all derived roles of a parent role and export them to a file.
    Can someone help me?
    Thanks.

    try table AGR_DEFINE in SE16/16N. This table lists the parent/child (master role/derived role) relationship.
    -Prashant

  • Derived roles linked to Master role

    How do we find all the derived roles related to a particular master role?

    Hi Ajit,
    Since you are new to security, you might want to dig the security tables.
    You can maintain a spreadsheet of all tables relevant to security.
    For starters, in SE16 , dig USR, UST, AGR, USH,USO*
    Hope this helps
    Abhishek

  • Check status for Derived role generation

    Hello,
    We are trying to place a check to validate and ensure that the child roles are generated using "generate derived role" (Ctrl+Shift+F4) from the parent role. However, I'm not able to find an appropriate function module or table field via which this can be checked.
    Are there any options to check this?
    Thanks in advance
    Vijaya

    Hi,
    You can find the status of the roles whether the profile is generated or not .. with PFCG only.
    PFCG
    -> Utilities (M)
    -> Overview Status (Ctrl+Shift+F11)
    Give the role names (for which you need to know whether they are generated or not)
    Tick/select - Only Display Roles with Errors and Warnings
    -> Execute
    It will display all the role names and profile names and their status: green generated, yellow not generated. If you copy all the data and paste it into Excel, it would look like below...
    ZS_ECC_NPR_AFM_TESTING_GL     @IC\QSingle Role@     11/20/2011     12:47:32     VKUMAR     @5C\QNo menu exists@          @5D\QCurrent version not generated@     ZNPRAFMTES     @5D\QUser master record not completely updated@
    ZS_ECC_NPR_DATABASE_ADMIN_GL     @IC\QSingle Role@     08/02/11     18:02:26     MMAKUCH     @5C\QNo menu exists@          @5B\QAuthorization profile is generated@     ZNPRDTBADM     @5C\QNo users are assigned@
    Hope this helps you.
    Thanks,
    Vinod

  • Deriving roles and profiles

    Hi,
    I am using PFCG for creating roles. When I want to derive a role from a mother role, the profile is not taken with the role. Is there a way to derive not only the role but also the profile from a mother role?
    Regards
    Florian

    Hello Florian
    I still do not see the point yet. If the derived role should be identical to the master role, then you could do the following:
    (1) Copy master role -> name of derived role
    (2) Update table AGR_DEFINE for the derived role name, i.e.
    - select all values from AGR_DEFINE with AGR_NAME = '<name of derived role>'
    - set AGR_NAME-parent_agr = '<name of master role>'
    Regards
      Uwe

  • ERM: Importing Derived Roles Problem

    Hello All,
    It appears that if I download and mass import 1 derived role at a time, the ERM mass import works perfectly. But, if I download the same successful derived roles and import them together, the ERM mass import does not import all the role details. Instead, it drops the role description and long description.
    This problem occurs if I upload 2 or more derived roles at a time.
    Any ideas?
    System Details: GRC AC SP12, VIRSANH 12, VIRSAHR 10.
    -Dylan

    Hi Dylan -
    We have found a work around for this, but before I list the steps let me not be presumptuous in my explanation as you must have both the parent roles uploaded in ERM in addition to updating the "Primary Org. Level File" with the appropriate data prior to loading the derived roles.
    Upon downloading the derived roles from the backend, 3 files are exported [Bulk File, Info File & Org File] and this is true for all roles that are exported. However, only when derived roles are exported will the Org File be populated with data (i.e. role name).  This makes sense because the only time this Org File is needed is when you import derived roles, all other roles only require the Bulk & Info File.
    Our guess was the way it was supposed to work is that the Org values were supposed to be exported into this file with the role names, however the Org Level & Value fields are blank.  We tried multiple combination of populating this file, but continued to get the same import error.  We eventually figured out a way to update this file to pull in all of the Org level data:
    *NOTE we found the most success with Mass Import files with the following extension: Bulk - .txt, Info - .xls, Org - .xls
    As stated before, the derived role Org file auto-populates the role names that were downloaded. In the 'Derived Org Level' & 'From Value' fields you need only populate the first value from the 'AGR_1252' table listed in the Bulk file.
    Example:
    In the Bulk file we have a role: ZD:HR_AT_ANALYST and the first value listed for line AGR_1252 is the client number+role name, then the Derived Org Level and Value. So we populated our Org file to look like this.
    Role Name                                         --->>>    Derived Org Level         --->>>    From Value
    ZD:HR_AT_ANALYST                    --->>>   KORSS                           --->>>   NRPC
    ZD:HR_BN_PAYROLL_DSPLY         --->>>    PERSA                         --->>>      *
    ZD:HR_PY_AT_ANALYST                --->>>   BURKS                         --->>>      NRPC
    If the file is populated this way, somehow it magically picks up the remaining Org Level data for the role when loaded. So the file does not actually have to have all of the values for each role. It can be tedious to sift through the bulk file for the values, but there are quick ways to do it in Excel.
    Hope this helps,

  • Error while uploading R/3 Derived Role into EP

    Dear all,
    When I was trying to upload the derived role from the backend R/3 system, it gave the following error.
    com.sap.portal.pcd.rolemigration.RoleMigrationException: Nested Exception. Failure to execute native function. Nested Exception. ROLE_IS_DERIVED - message at com.sap.portal.pcd.rolemigration.util.Connector.callFunction(HQ1CLNT230,en_US,pradeep,TWPN_GET_ROLE,ROLE_TABLE,{ENABLE_LOGGING= , ROLENAME=ZR:GT_CUSTOMER_001, MENUTEXTS_ONLY_IN_MASTERLANG= }): Check parameters. Nested Exception. ROLE_IS_DERIVED at com.sap.portal.pcd.rolemigration.util.Connector.callFunction(Connector.java:244) at com.sap.portal.pcd.rolemigration.RoleMigrationObject.migrate(RoleMigrationObject.java:1699) at com.sap.portal.pcd.rolemigration.RoleMigrationObject.migrate(RoleMigrationObject.java:769) at com.sap.portal.pcd.rolemigration.RoleMigrationThread.run(RoleMigrationThread.java:488) Original exception: com.sapportals.connector.ConnectorException: Nested Exception. ROLE_IS_DERIVED at com.sapportals.connectors.SAPCFConnector.SAPConnectorException.getNewConnectionException(SAPConnectorException.java:67) at com.sapportals.connectors.SAPCFConnector.execution.functions.SAPCFConnectorInteraction.execute(SAPCFConnectorInteraction.java:318) at com.sapportals.connectors.SAPCFConnector.execution.functions.SAPCFConnectorInteraction.execute(SAPCFConnectorInteraction.java:411) at com.sapportals.connectors.SAPCFConnector.execution.functions.SAPCFConnectorInteraction.execute(SAPCFConnectorInteraction.java:433) at com.sap.portal.pcd.rolemigration.util.Connector.callFunction(Connector.java:403) at com.sap.portal.pcd.rolemigration.util.Connector.callFunction(Connector.java:148) at com.sap.portal.pcd.rolemigration.RoleMigrationObject.migrate(RoleMigrationObject.java:1699) at com.sap.portal.pcd.rolemigration.RoleMigrationObject.migrate(RoleMigrationObject.java:769) at com.sap.portal.pcd.rolemigration.RoleMigrationThread.run(RoleMigrationThread.java:488)
    Kindly suggest.
    Rgds
    PRadeep

    Pradeep,
    Kindly explain the process flow of your upload.
    James

  • Little Challenge --How to give or restrict TRX in derive roles !

    Want to give 10 TRX in 2 derived roles and 15 in another 2 derived roles from the same parent role. Any method to do so? One I know is to give the additional 5 TRX access by manually adding TCD in the remaining 2 derived roles. Any other way to give or restrict so that tabs should not be in manually or changed mode?

    > ARYENDRA DALAL wrote:
    > so that tabs should not be in manually or changed mode?
    Hi,
    Excellent answer from Julius. Also, the way you want to do this conflicts with the Ref-Derive role concept.
    I can add/modify something to the previous two answers.
    One point I want to make clear is what you mentioned as quoted above. Do you mean to say that the S_TCode will not be in changed mode (or need not add S_TCode manually) in Profile Generator?
    If Yes, then please check the following approach:
    1. Create your first parent role and pair of derived roles with 10 Tcodes.
    2. Create one role as per the concept of Transaction role - value role. That means, the role will contain those 5 TCodes in the menu but will not contain any authorization (except S_TCODE, all objects should be deactivated).
    3. Then create one composite role with these two (one derive role of the pair and the other single role).
    If no, then follow this approach:
    1. Follow step one of above.
    2. Create one generic role without any menu entry. Add TCode manually in the authorization tab and then the 5 TCodes there.
    3. Create another role (value role) [let me know if you need the detailed concept on this] and maintain the authorization of those 5 TCodes here together with org. values.
    4. Create a composite role by using these three roles (one derived role from the pair, one generic transaction role and one value role).
    But please note that the menu entry should not be maintained in the derived role under any circumstances, and if you do, then you are no longer maintaining the SAP Ref-Derive role concept.
    Please let me know if these help you to some extent.
    Regards,
    Dipanjan
