Derived role authorization tab

Similar Messages

• Maintaining the authorizations for parent role and derived role

  Hi Experts,
  Kindly advice me the Pro and cons of the parent role and derived role.. below is the scenario
  Currently  we have created the 700 role in  our regionally organization and we want to dervie the roles for each country
  1 ) we want to do the Auth field (activity level) settings in parent role and Org levels  in the derived role  .
  2)  But one my collegue says do the default  Auth filed ( activity values) common to every country in the parent role and diff activity one in the derived role .
  please advice me wat will be the best scenario for mantaining the authorizations filed values like (activity level  one)

  I will try to answer both your queries here:
  "my collegue says they are some NON ORG values different from each country ..suggest us to maintain all the default values in Parent role and auth with diff values needs to be maintained in derived role (child role).. "
  The only set of values which should/can be different in a child role (when compared with its parent) will be the org level values. So if this filed is NON_ORG you will not be able to maintain it directly inside the child roles.....this is the basic principle of derived role conceptu2026 that the only item you will directly maintain in a child role are the org levels(which will come as u2018organisational levelsu2019 in the upper tab in the auth data of a role).
  All NON_ORG fields inside a child role is acquired from the parent role. You should never change the values of any such fields (non-org fields) in the child role. these changes will get lost the next time you run the parent child inheritance from u201Cgenerate derived roleu201D function in your parent role.
  Coming to the second question on how to run the program, you just need to enter the technical name of the field you want to convert (tech names like BUKRS, WERKS etc u2026 figure out the name of the concerned field you have in hand)u2026.executeu2026 you will that the field will now onwards appear as an org level value in all roles in the system and not just as a field inside the auth objectsu2026.I would suggest you take one field and try running it in ur dev or  sandbox..see how the field changes in your roles.... the change can always be reverted by using PFCG_ORGFIELD_delete. ... you will understand it better....
  Soumya

• Change authorization object in a derived role

  Hi Gurus,
  What's happen if someone has added a new authorization object in a derived role?
  He has only changed some derived role, not the parent role, he added manually a new value in the authorization field. The parent role didn't changed.
  <u>Note:</u>The field was not an organizationnal field, it was S_DATASET.
  What do you think about this ?
  Thanks
  Hery-zo

  Do i understand this right??? do functional teams have access to PFCG to create roles???
  If so that is your real problem, as that shoudl never been doen that way. You are completely right functional consultants have no clue about how roles should be build. advise:
  1 take away the access to PFCG in ALL systems for anybody other than security consultants administrators.
  2 ask all functional teams to describe the roles points to be adressed:
     A TRX in every role
     B all wanted restrictions on every TRX (described functionally)
     C orglevels on which restrictions should be build.
     D Test process for every TRX in every role (both positive and negative)
     E  check all roles against table USOBT and look for manually added objects,  
         if they can not give a good reason for adding these REMOVE them.
  3 retest all roles based on point 2D, ask the funcxtional consultants to assist where needed. Adjust roels during testing where needed, but create a good auditable record for every change.
  4 Update USOBT_C (use TRX SU24) for all changes you apply during testing
  5 check your roles for the corrected TRX after this change and update the other roels involved as well.
  6 ONLY allow roles that have followed the above process to go to Production.
  The above steps are the only way to create a secure SAP Production system for you!

• Authorization in APO: org level concept (parent role -- derived role) ?

  Hello experts,
  we want to introduce some authorization / roles in APO using the typical R3 concept of having a "parent role" and derive "single roles" from such a parent role and change the "org levels" inside the single role. Testing this with master data objects like C_APO_LOC (location in APO) it seems to me that APO doesn't know about "org levels".
  Whenever I create a parent role (lets say "Z_PAR_ROLE_LOC_MASTER") to access /SAPAPO/LOC3 (Location master data) and create a single role out of it (derive it into Z_SINGLE_ROLE_LOCMASTER_1234") and enter the location ID 1234 ... regenerating and populating a change from the parent role "Z_PAR_ROLE_LOC_MASTER" does immediately wipe out the location ID 1234 maintained before in the single/derived role "Z_SINGLE_ROLE_LOCMASTER_1234".
  My question: is this by design that APO does not know about "org levels" or is there something special I have to consider using PFCG correctly in SCM (I can see the "Org Level" button but it says there are no org levels) ?
  Regards
  Thomas

  I got the solution - the profile generation was missing !

• Little Challenge --How to give or restrict TRX in derive roles !

  Want to give 10 trx in 2 derive roles and 15 in another 2 derive roles from same Parent role-Any method to do so?One I know is to give additional 5 Trx access through manually Adding TCD in remaning 2 derive roleANY other way to give or restrict so that tabs should not be in manually or changed mode?

  >
  ARYENDRA DALAL wrote:
  > so that tabs should not be in manually or changed mode?
  Hi,
  Excellent answer from Juluis. Also the way you want to do this is conflicting with the Ref-Derive role concept.
  I can add/modify some thing to the previous two answers.
  One point I want to make clear that you mentioned as quoted above. Do you mean to say that the S_TCode will not be in changed mode (_or_ need not to add S_TCode manually) in Profile generator?
  If Yes, then please check the following approach:
  1. Create your first parent role and pair of derived roles with 10 Tcodes.
  2. Create one role as per the concept of Transaction role - value role. That means, the role will contain those 5 TCodes in the menu but will not contain any authorization (except S_TCODE, all objects should be deactivated).
  3. Then create one composite role with these two (one derive role of the pair and the other single role).
  if No, then follow this approach:
  1. Follow step one of above.
  2. Create one generic role without any menue entry. Add TCode manually in authorization tab and then 5 TCodes there.
  3. Create another role (value role) [let me know if you need details concept on this] and maintain the authorization of those 5 TCodes here together with org. values.
  4. Create composite role by using these three roles (one derive role from the pair, one generic transaction role and one value role).
  But please note that the menue entry should not be maintained in the derive role in any circumstances and if you do then you are no longer maintaining SAP Ref-Derive role concept.
  Please let me know if these help you to some extent.
  Regards,
  Dipanjan

• Risk Analysis of derived role is not able to fetch organisational values.

  Dear All,
  We have run the Permission level analysis in GRC 5.2 for the ROLES at permission level and
  found that the tool is not reading the ORGANIZATION VALUES maintained
  in the derived roles.
  We had explored in the GRC tool & found that the field BUKRS,KOART,etc
  are ENABLED in the RULES.While the CC tool is fetching value of other authorzation object.
  Please Advice if there is any configuration settings required.
  For your reference I am pasting the part of report.
  Medium     F_BKPF_KOA : Accounting Document: Authorization for Account Types     ACTVT : Activity     Create or generate
  Medium     F_BKPF_KOA : Accounting Document: Authorization for Account Types     KOART : Account Type     $KOART
  Medium     F_BKPF_BUK : Accounting Document: Authorization for Company Codes     ACTVT : Activity     Create or generate
  Medium     F_BKPF_BUK : Accounting Document: Authorization for Company Codes     BUKRS : Company Code     $BUKRS
  Thanks,
  Sandeep Bhatia

  Hello Sandeep,
  Doing Org Lvl Analysis is not so simple in RAR.
  Firstly this is only user based.
  For using it you will have to schedule one job in configuration which will update Org Values for users in the database table. I don't remember name of this Utility however it will be something Orguser, just search in Configuration tab.
  As mentioned by you, org lvl are already enabled and make sure there values is $.......,
  Reason being Org Rules will be generated at runtime and then anlysis will be done.
  It will be better you take help of SAP on this. As they have document which will be very helpful to you.
  Regards,
  Surpreet

• Master role and derived role concept

  Guys,
  1) How to assign the organizational levels for the derived role?
       Say for example, I have to create the derived roles with respect to the plant code.And after inheriting the tcodes ,authorizations from the master role , I noticed a pop up page with organizational level tabulation and I assigned the respective plant code there and in the same way for all the following derived roles.But the rest of the rows like company code,sales organization,distribution channel etc which are seen in the tabulation are left empty.I noticed that all the fields which are left empty in the org.levels of the derived roles  are been filled up with the vaules of the corresponding master role org.level values when the derived button icon , which is seen under the authorization tab of master role is pressed.So pls let me know the correct procedure to assign.*Do we really need to maintain org.values for master roles?*
  2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
  3) Is master and derived role tested parallely in the QA system or first master role is tested ,followed by the derived role?
  4) According to my understanding we dont assign any user to the master roles, but why do we move it to PRD?
  Greatly appreciate for some body's help.

  >  1) How to assign the organizational levels for the derived role?
  >      Say for example, I have to create the derived roles with respect to the plant code.And after inheriting the tcodes ,authorizations from the master role , I noticed a pop up page with organizational level tabulation and I assigned the respective plant code there and in the same way for all the following derived roles.But the rest of the rows like company code,sales organization,distribution channel etc which are seen in the tabulation are left empty.I noticed that all the fields which are left empty in the org.levels of the derived roles  are been filled up with the vaules of the corresponding master role org.level values when the derived button icon , which is seen under the authorization tab of master role is pressed.So pls let me know the correct procedure to assign.*Do we really need to maintain org.values for master roles?*
  Only if you assign the master roles to users. (and maybe for testing, see 3)
  >
  > 2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
  Nope, but if one of it's derived roles is transported the master is automatically included in the transport. You'll have to make sure all derived roles are transported yourself.
  >
  >  3) Is master and derived role tested parallely in the QA system or first master role is tested ,followed by the derived role?
  Best order is to do all unit testing wit the master, with all org levels at * and create the derived roles only when the master is tested and corrected to satisfaction. In that way the derived roles only have to be tested for organizational shielding.
  >
  >  4) According to my understanding we dont assign any user to the master roles, but why do we move it to PRD?
  See 2, it goes there automatically. No choice.
  Jurjen

• Master role-derive role concept and FICO role in dev system!!!

  Hi all,
  I have created a master role with t-codes
  AWUW
  BAPI
  BD10
  BD100
  BD101
  BD102
  BD103
  BD104
  BD105
  BD11
  BD12
  BD13
  BD14
  BD15
  also included object PLOG where maintained org data
  and created a derived role from that master role and generated from the master role.
  After that I wanted to change the org level but the system is not allowing me to change, although I selected the values from the F4 screen.
  Now I want to maintain seperate org value of each of the derived role...and when adjusted from the master role..these maitained value should not vanished.
  How should I proceed???
  I have another issue....I am now in Dev system....I need to create a role with FICO module with SPRO....
  Should I go ahead and cread a role and assign FICO block and assign SPRO...will that be sufficient??
  Thanks in Advance
  Regards,
  Souren

  Yes, It seems that you have broken the org level by directly making changes in the org level field inside pfcg.
  One way to correct this is to regenerate the role in expert mode by selecting the option 'Delete and recreate profile and authorizations' (in case you want to correct it for all the org level fields.).
  If you want only for PLOG, then delete this object and add again. Then go to organization level tab at the top and give the required value. Do this in the master role and generate and push the changes to derived role. Now, goto derived role and make the org level change the same way you did for parent role..
  For your second question, you will have to see what all auth objects are being checked by SPRO for a FICO module assosciate. You can create a test role with SPRO in it and then do authorization trace through ST01 to see what all objects are checked when they work.

• Derived Role generation in BRM

  Hi,
  In BRM while creating a parent role, corresponding derived roles are created and sent for approval.
  Post approval, the roles are generated, in the foreground confirmation message states that Parent + derived roles all are successfully generated.
  In the backend system the derived role's "Authorization" tab is with a status yellow and profile is not generated. However, the derived role has all the relevant values in it and the last changed by / date is appropriate to reflect the changes done.
  Can some one please point to a solution to this? We have raised an OSS for this about a month back and applied suggestions from SAP without any result.
  Version - GRC 10.0 SP10
  Thanks,
  Sammukh

  Hello Andrzej
  Yes, the derived roles are in status complete. After generation of all the roles (parent+derived) the derived roles move to the maintain test cases phase. Here we maintain the test cases and close the methodology. Post this the derived roles' status become complete.
  Yes, we did try re-generating them manually from mass generation from GRC. The result is same. In fact the surprising thing is following:
  1. Derived role is complete and in not generated state.
  2. Mass generated from GRC - still not generated.
  3. Manually generated in backend system - roles are now generated.
  4. Mass generated from GRC again - status that was generated from point 3 before changed to not generated again.
  Looks like the generation from GRC itself is the problem, but we are unable to pin-point the issue.
  Thanks
  Sammukh

• Adjusting derived role in background

  Hello,
  Each time we modify a reference role, we spend a lot of time adjusting the derived roles (at least 20 derived roles, about 5 000 users by role).
  To do it, we execute PFCG, Authorization tabs, then in the authorizations menu-> adjust derived-> Generate derived roles.
  Is there a standard way to do it in background or in a batch mode (maybe by program, or function module) ?
  Thanks.
  Guillaume

  Hi Guillaume.
  We actually cloned the SUPRN_REGENERATE_DEPENDENT program into a Z-program and added the multiple roles functionality based on the timestamps in table AGR_TIME.
  We then save the timestamps in a shadowtable (clone of AGR_TIME) so we can figure out when the role have been changed and a derivation is neccessary!
  Contact me for further details!
  Regards Fredrik

• Is transporting two groups of derived roles separately an issue?

  Hi Gurus,
  We have a situation where we need to transport 150+ child roles of same Parent. As these roles are very bulky in content, we though of creating two transports having 70+ roles each. While doing so, we released first transport and when it reached test system we release another one.
  Final result in test system is all the child roles which were moved in first transport now have authorization tab "red". While one which were transported in second tp are perfect.
  I have tried sending all the roles in 1 transport but due to its huge size it failed and got stuck many times before we deleted it from the buffer. Please let me know the best possible way to move the changes to test environment and later to prod. Increasing tp file size or increasing the ideal run time of the dialog/background work process are the option. But looking for some other alternatives.

  That you have such large derived roles should be suspect in itself. How many org. fields have you promoted and did you transport that change to the field definition through first (just to double-check)?
  How many users are these roles already assigned to? --> The import events for role transports also perform the user compare and "after change" user buffer syncs. This can have performance impacts, if that is the ponit of failure you are referring to.
  > I have tried sending all the roles in 1 transport but due to its huge size it failed and got stuck many times
  Take a look in ST22 for the short dumps related to this. Give us more infos about the bottleneck and perhaps we can help further.
  PS: When doing performance tests, you should not give up after the first try... (memory area management and syncs which the system does - some of them you can do in advance and only need to be done once / repsctively the first time).
  Cheers,
  Julius
  Edited by: Julius Bussche on Apr 4, 2010 10:43 AM

• Master - Derived roles -- some generated some ungenerated.

  All,
  We know how to solve this issue but we would like to know what causes it and how to prevent it in future development.  Example:  We have roles that have been created from one master role.  There are probably 80-90 derived roles from this one master role all with a small variation of company code and release code.  These roles have been implemented for over a year or more and nothing has been added to the master role to be pushed down.  The only change has been an derived roles added with new company code/release code.  When these roles are created the master roles gets generated and then pushed down through all the derived roles once the specific authorizations are added.  I development is shows that everything is in sync and is all green.  In quality and production it willl show that for each company code release code 01-06 are green, 07-10 are red and 11-15 are green.  Its always the same release codes for each company code that show are ungenerated. 
  This is just one example we have other roles that have been created and at GOLIVE (3 years ago) and the newly created derived roles is green where as certain older ones are not.  We thought it had to do with the generation of new roles but I just created a new company code from the example above and it is the same way.
  Is there a certain procedure that makes this happen, or is there a way to prevent this?  Also, with this in production and not being able to generate these roles in production is it hurting or will it affect anything within the roles transactions if there are authorizations in the role, and a profile assigned to the role for a generated authorization but the authorization stop light shows red will this affect anything?
  Any help or ideas are greatly appreciated.
  Thanks,
  -Daniel

  Daniel,
  we need to analyze from different angles like:
  1.Have u generated roles in DEV system ?? Hope no organisational values are missing in authorizations tab.
  you need to mass generate the profiles! (SUPC)
  2. When creating the transport the person might have forgot to  unchecked to transport the profiles as well.
  3.. some changes were made to the roles after the transport was created.
  Plz Refer to SAP Note 571276 and the following link:
  Re: Changes to Role
  4. If any system upgrades might have change the auth tab to red. (but in your case it with org levels)
  5. These type of mistakes happen if any new person have joined & without proper reading  company documentation, might  have the changed the roles.
  6 Finally, check whether company code & release code exist in QA & PRD.
  Thanks,
  Sri

• CSI Accelerator: Master / Derived roles

  Hi,
  As some of you might be aware, CSI accelerator besides having other typical SOD tool functionalities also helps in role creation as well just like ERM of GRC.
  But using this tool u2018CSIu2019 I have seen diff non-org filed values in the derived roles having been maintained as comapared to the master while creating them thus derived is customized to a gerat extent. So I just want to understand:
  1.     in such cases (where derived has non-org filelds values diff from masters) how does CSI handle the instances when master would be changed and changes need to be pushed to existing derived roles? In that case those non-org in already existing derived roles would again become same as masters.
  2.     Even using ERM one should be able to maintain diff values in the derived at non-org levels so how is the above mentioned push handled in case of ERM? Or itu2019s not handled at all and it simply wipes such discrepancies?
  thanks,
  Gill

  Daniel,
  we need to analyze from different angles like:
  1.Have u generated roles in DEV system ?? Hope no organisational values are missing in authorizations tab.
  you need to mass generate the profiles! (SUPC)
  2. When creating the transport the person might have forgot to  unchecked to transport the profiles as well.
  3.. some changes were made to the roles after the transport was created.
  Plz Refer to SAP Note 571276 and the following link:
  Re: Changes to Role
  4. If any system upgrades might have change the auth tab to red. (but in your case it with org levels)
  5. These type of mistakes happen if any new person have joined & without proper reading  company documentation, might  have the changed the roles.
  6 Finally, check whether company code & release code exist in QA & PRD.
  Thanks,
  Sri

• Generation of derived roles when transported

  Hello Everyone,
  We are on ECC6.0 and I've come across a scenario where I've created certain number of derived roles from a parent role and generated the parent and derived one's from the parent role in PFCG and created a transport request. But,
  When I got them imported (SCC1) to a different client on the same box I can see that the authorization tab is still in yellow in all these derived roles,they do contain the same profile name in the authorization tab in PFCG as from the original client they were created in and I would like to know the reason why these roles under the auth.tab are in YELLOW and need a regeneration of profile? I remember doing it previously where I did not regenerate the profiles for the roles when they are imported/transported to a different client.
  And the status text in SUPC says " no current profile".
  Any ideas/inputs are much appreciated.
  Regards,
  Raj

  Hi,
  There may be more that one cases.
  What are the roles you included into the Transport request? You should include all the Derive roles along with the parent roles ideally. Also, I hope you have checked the authorization data for the derived roles in the development before transport.
  Other option could be the system change options for appending data in the target system.
  Please provide more information and also try to search for SAP Notes if there any with this kind of issues.
  Regards,
  Dipanjan

• Security Issue: How to create a derived role from the Base role

  Hi All,
  Kindly let me know how can i create a derived role from the base role?
  Please respond at the earliest.
  Thanks in advance.
  Ramesh.

  Go to PFCG and Create a role with desired Name.
  In the Description Tab, on the Left Side there is a text box for "Derive From "
  enter the Base role.
  Now your newly created role is derived from the Base role.
  Save the newly created role and again run PFCG, enter the Base role name and execute.Select Edit role. Go to Authorization tab.
  Edit Authorization.
  In the Menu Adjust Derived -> Generate and Adjust derive
  This will Generate the derived role.
  Now you may go and check the authorization in the derived role.