Derived Role generation in BRM

Similar Messages

• Illegal Tcodes error while role generation in BRM GRC 10.0

  Hi Experts,
  I am working on SP11 GRC 10.0.
  In BRM, after following all necessry steps for role creation, when I enter last stage "Role Generation" and try to generate it, I am getting error "Illegal Tcodes (system name)" as shown in below screenshot.
  I am adding SAP standard t-codes only (e.g. SU53) which are existing in the backend system but still it throws error.
  Your suggestion is highly appreciated.

  Hi Swati,
  Thanks for your reply.
  I had already applied note: 1066687 but it didn't resolve my issue.
  Note: 1441463 is valid till release 720 and I am on release 731 and SP11.
  Thanks
  Jayesh

• Check status for Derived role generation

  Hello,
  We are trying to place a check to validate and ensure that the child roles are generated using "generate derived role" (CtrlShiftF4) from the parent role. However, i'm not able to find an appropriate function module or table field via which this can be checked.
  Are there any options to check this?
  Thanks in advance
  Vijaya

  Hi,
  You can find the status of the roles whether the profile is generated or not .. with PFCG only.
  PFCG
  -> Utilities (M)
  -> Overview Status (CtrlShiftF11)
  Give the role names (for which you need to know whether they are generated or not)
  Tick/select - Only Display Roles with Errors and Warnings
  -> Execute
  It will display all the role names and profile name and their status green generated, yellow not generated. If you copy all data and paste it in the excel it would be like below...
  ZS_ECC_NPR_AFM_TESTING_GL     @IC\QSingle Role@     11/20/2011     12:47:32     VKUMAR     @5C\QNo menu exists@          @5D\QCurrent version not generated@     ZNPRAFMTES     @5D\QUser master record not completely updated@
  ZS_ECC_NPR_DATABASE_ADMIN_GL     @IC\QSingle Role@     08/02/11     18:02:26     MMAKUCH     @5C\QNo menu exists@          @5B\QAuthorization profile is generated@     ZNPRDTBADM     @5C\QNo users are assigned@
  Hope this helps you.
  Thanks,
  Vinod

• BRM - Derived roles values not passing to backend

  Hello ,
  When we define a derive role with org values in BRM . derived role getting created in backend but it is not passing org values in backend .
  org values are empty in derived roles for backend system
  we have finished su25 activity as well in backend
  we are in sp12 on NW7.31
  Any solution available
  Regards
  Rajendra

  Hi Andrzej,
  Generation and maintain authotization are working fine .
  My issue is, in derivation phase, when I derive a role in BRM,
  the derived role which got created doesn't have org values in backend system.
  So I want to know whether this is bug or Derivation phase in BRM will not pass org values to back end
  Regards
  Rajendra

• Mass generation of Derived Roles

  Hello,
  SUPC helps me in Mass generation of Master Roles. But how do I generate Derived roles in a lot?
  Thanks.

  Hello,
  we also missed this function when we started using derivation of roles. I developed some years ago a program which does this, also possible to start it in background mode. It runs daily (in front of  PFCG_TIME_DEPENDENCY) and adjust derived roles from updated parent roles (which came into the system via transport request).
  Because I developed the program in my working time it's owned by my company, therefore I can not post the source. Just a few hints:
  - parent roles and derived roles: you will find them in table AGR_DEFINE
  - roles imported into the system: with function module TMS_TM_GET_TRLIST you can get yesterday's imported transport requests, you can read the object list with function module TMS_WBO_READ_REQUEST (those with R3TR ACGR have roles in it).
  - build up an internal table of parent roles (consider the derivation level: first process the top level role, then it's derived roles, and then their derived roles and so on).
  - use function module SUPRN_TRANSFER_AUTH_DATA for adjusting the derived roles of a parent role.
  HTH and kind regards
  Jens Hoetger

• GRC BRM: Update Org Levels of derived roles

  Dear GRC experts,
  we are using the GRC BRM Master Derived concept and have around 100 Master roles in place.
  I understand that the Org Levels of derived roles are only once set per Org Value Map during the initial (Mass) Derivation.
  If we add a transation like VA01 to a Master role this also adds some new Org Levels to the Master role. Via "Propagate to Derived roles" the new transaction and object values are added into the Derived roles.
  For the new Org Levels these are added also but the values are not the one from the Org Value Map of the Derived role but exactly the same values of the Master Role.
  Using "Derived Role Org. values Update" does not help us here to update the corresponding Derived roles as no change to the Org Value Map has been done.
  In case a Master role has 40 different Derived roles associated this would require to update manually any of the Derived roles for adjusting the new Org Levels.
  Does anybody know how to automate this task?
  Many thanks for your help!
  Regards,
  Markus

  Hi Markus Richter
  Once you maintain the imparting role and propagate to the derived role, the derived roles will inherit the new org values from the imparting. So that at least has the org values in the derived roles but not the correct values
  Next up is to try to use the Mass Maintain Roles to update the derived roles with correct values from the org map (ensure org maps were updated first) mentioned in post
  Mass Child role Org value update in GRC 10
  Does this work for you as an approach?
  Regards
  Colleen

• Generation of derived roles when transported

  Hello Everyone,
  We are on ECC6.0 and I've come across a scenario where I've created certain number of derived roles from a parent role and generated the parent and derived one's from the parent role in PFCG and created a transport request. But,
  When I got them imported (SCC1) to a different client on the same box I can see that the authorization tab is still in yellow in all these derived roles,they do contain the same profile name in the authorization tab in PFCG as from the original client they were created in and I would like to know the reason why these roles under the auth.tab are in YELLOW and need a regeneration of profile? I remember doing it previously where I did not regenerate the profiles for the roles when they are imported/transported to a different client.
  And the status text in SUPC says " no current profile".
  Any ideas/inputs are much appreciated.
  Regards,
  Raj

  Hi,
  There may be more that one cases.
  What are the roles you included into the Transport request? You should include all the Derive roles along with the parent roles ideally. Also, I hope you have checked the authorization data for the derived roles in the development before transport.
  Other option could be the system change options for appending data in the target system.
  Please provide more information and also try to search for SAP Notes if there any with this kind of issues.
  Regards,
  Dipanjan

• Authorization in APO: org level concept (parent role -- derived role) ?

  Hello experts,
  we want to introduce some authorization / roles in APO using the typical R3 concept of having a "parent role" and derive "single roles" from such a parent role and change the "org levels" inside the single role. Testing this with master data objects like C_APO_LOC (location in APO) it seems to me that APO doesn't know about "org levels".
  Whenever I create a parent role (lets say "Z_PAR_ROLE_LOC_MASTER") to access /SAPAPO/LOC3 (Location master data) and create a single role out of it (derive it into Z_SINGLE_ROLE_LOCMASTER_1234") and enter the location ID 1234 ... regenerating and populating a change from the parent role "Z_PAR_ROLE_LOC_MASTER" does immediately wipe out the location ID 1234 maintained before in the single/derived role "Z_SINGLE_ROLE_LOCMASTER_1234".
  My question: is this by design that APO does not know about "org levels" or is there something special I have to consider using PFCG correctly in SCM (I can see the "Org Level" button but it says there are no org levels) ?
  Regards
  Thomas

  I got the solution - the profile generation was missing !

• Mass gerneration of derived roles

  Hello,
  I've got two questions concerning mass generation of roles.
  1)
  In a system are implented certain roles. Sometimes we're getting an update of the parent roles. In the next step we have to derivate all kind roles manually. This is very costly for a lot of roles.
  I know the point "mass generation" in PFCG, but if we use this with option "all roles to be compared" the derived roles will not be compared. Even if I do this in same system (changing the parent role, choosing option the mentioned option) the kind role will not be updated. Is there a possibility to solve this problem or make the derivation faster without touching each parent role?
  2)
  I want to do the derivation of roles automatically. I read here something about LSMW, Batch-Input or CATT scripts. Can anybody explain me how it exactly works with this automatic derivation of roles?
  Regards,
  Julia

  Thanks for your possibilities to solve the problem.
  I think the first problem with the derivation of roles after update of parent role could be solved with your mentioned report and eCATT.
  But with the second problem I still have trouble. I tried to use eCATT with transaction SECATT in SAP system. This works fine as long the roles have the same organizational levels.
  But I think that there has got to be a script for each role, because the organizational levels differ from role to role. So if you have e.g. 100 parent roles in your system, you have to create 100 scripts (apart from the question, if it's reasonable to have so much parent roles). It's helpful that the parameters can be stored in a data container, but additionally you have to know, which script concernes which roles and you have got to use the right script for right role.
  Or did I overlooked something in eCATT?
  Regards,
  Julia

• Master - Derived roles -- some generated some ungenerated.

  All,
  We know how to solve this issue but we would like to know what causes it and how to prevent it in future development.  Example:  We have roles that have been created from one master role.  There are probably 80-90 derived roles from this one master role all with a small variation of company code and release code.  These roles have been implemented for over a year or more and nothing has been added to the master role to be pushed down.  The only change has been an derived roles added with new company code/release code.  When these roles are created the master roles gets generated and then pushed down through all the derived roles once the specific authorizations are added.  I development is shows that everything is in sync and is all green.  In quality and production it willl show that for each company code release code 01-06 are green, 07-10 are red and 11-15 are green.  Its always the same release codes for each company code that show are ungenerated. 
  This is just one example we have other roles that have been created and at GOLIVE (3 years ago) and the newly created derived roles is green where as certain older ones are not.  We thought it had to do with the generation of new roles but I just created a new company code from the example above and it is the same way.
  Is there a certain procedure that makes this happen, or is there a way to prevent this?  Also, with this in production and not being able to generate these roles in production is it hurting or will it affect anything within the roles transactions if there are authorizations in the role, and a profile assigned to the role for a generated authorization but the authorization stop light shows red will this affect anything?
  Any help or ideas are greatly appreciated.
  Thanks,
  -Daniel

  Daniel,
  we need to analyze from different angles like:
  1.Have u generated roles in DEV system ?? Hope no organisational values are missing in authorizations tab.
  you need to mass generate the profiles! (SUPC)
  2. When creating the transport the person might have forgot to  unchecked to transport the profiles as well.
  3.. some changes were made to the roles after the transport was created.
  Plz Refer to SAP Note 571276 and the following link:
  Re: Changes to Role
  4. If any system upgrades might have change the auth tab to red. (but in your case it with org levels)
  5. These type of mistakes happen if any new person have joined & without proper reading  company documentation, might  have the changed the roles.
  6 Finally, check whether company code & release code exist in QA & PRD.
  Thanks,
  Sri

• Issue with Creating CATT Script for Generating Derived Roles

  Hi Experts,
  I am desperately trying to find the solution on how I create a CATT Script to generate derived roles from few 100 master roles.
  I posted a thread on Security (Can I do a 'mass generation' of dervied roles?) .. however, since it turns out to be a SCAT issue, I thought I'll ask someone from this forum too.
  Extract from the other thread is as follows :
  "I cannot get the script to automate the generation of derived roles.
  when Entering parameters for a test case, I can only see the Initial PFCG Screen. Display/Change Authorization screen doesn't seem to get recorded / logged in the test screen.
  I.e : All screens with program SAPLPRGN_TREE is recorded, however all screens with program SAPMSSY0 is not.
  I hope it makes sense.. Any suggestions on how I can automate the generation of derived roles tasks?
  Thanks.
  Dineish

  Hi,
  I have the same problem just now.
  Have you found some solutions about it ?
  thx
  Luigi

• Error while uploading R/3 Derived Role into EP

  Dear all,
  When i was trying to upload the derived role from backend R/3 system. It's giving following error.
  com.sap.portal.pcd.rolemigration.RoleMigrationException: Nested Exception. Failure to execute native function. Nested Exception. ROLE_IS_DERIVED - message at com.sap.portal.pcd.rolemigration.util.Connector.callFunction(HQ1CLNT230,en_US,pradeep,TWPN_GET_ROLE,ROLE_TABLE,{ENABLE_LOGGING= , ROLENAME=ZR:GT_CUSTOMER_001, MENUTEXTS_ONLY_IN_MASTERLANG= }): Check parameters. Nested Exception. ROLE_IS_DERIVED at com.sap.portal.pcd.rolemigration.util.Connector.callFunction(Connector.java:244) at com.sap.portal.pcd.rolemigration.RoleMigrationObject.migrate(RoleMigrationObject.java:1699) at com.sap.portal.pcd.rolemigration.RoleMigrationObject.migrate(RoleMigrationObject.java:769) at com.sap.portal.pcd.rolemigration.RoleMigrationThread.run(RoleMigrationThread.java:488) Original exception: com.sapportals.connector.ConnectorException: Nested Exception. ROLE_IS_DERIVED at com.sapportals.connectors.SAPCFConnector.SAPConnectorException.getNewConnectionException(SAPConnectorException.java:67) at com.sapportals.connectors.SAPCFConnector.execution.functions.SAPCFConnectorInteraction.execute(SAPCFConnectorInteraction.java:318) at com.sapportals.connectors.SAPCFConnector.execution.functions.SAPCFConnectorInteraction.execute(SAPCFConnectorInteraction.java:411) at com.sapportals.connectors.SAPCFConnector.execution.functions.SAPCFConnectorInteraction.execute(SAPCFConnectorInteraction.java:433) at com.sap.portal.pcd.rolemigration.util.Connector.callFunction(Connector.java:403) at com.sap.portal.pcd.rolemigration.util.Connector.callFunction(Connector.java:148) at com.sap.portal.pcd.rolemigration.RoleMigrationObject.migrate(RoleMigrationObject.java:1699) at com.sap.portal.pcd.rolemigration.RoleMigrationObject.migrate(RoleMigrationObject.java:769) at com.sap.portal.pcd.rolemigration.RoleMigrationThread.run(RoleMigrationThread.java:488)
  Kindly Suggeset me
  Rgds
  PRadeep

  Pradeep,
  Kindly explain the process flow of your upload.
  James

• Little Challenge --How to give or restrict TRX in derive roles !

  Want to give 10 trx in 2 derive roles and 15 in another 2 derive roles from same Parent role-Any method to do so?One I know is to give additional 5 Trx access through manually Adding TCD in remaning 2 derive roleANY other way to give or restrict so that tabs should not be in manually or changed mode?

  >
  ARYENDRA DALAL wrote:
  > so that tabs should not be in manually or changed mode?
  Hi,
  Excellent answer from Juluis. Also the way you want to do this is conflicting with the Ref-Derive role concept.
  I can add/modify some thing to the previous two answers.
  One point I want to make clear that you mentioned as quoted above. Do you mean to say that the S_TCode will not be in changed mode (_or_ need not to add S_TCode manually) in Profile generator?
  If Yes, then please check the following approach:
  1. Create your first parent role and pair of derived roles with 10 Tcodes.
  2. Create one role as per the concept of Transaction role - value role. That means, the role will contain those 5 TCodes in the menu but will not contain any authorization (except S_TCODE, all objects should be deactivated).
  3. Then create one composite role with these two (one derive role of the pair and the other single role).
  if No, then follow this approach:
  1. Follow step one of above.
  2. Create one generic role without any menue entry. Add TCode manually in authorization tab and then 5 TCodes there.
  3. Create another role (value role) [let me know if you need details concept on this] and maintain the authorization of those 5 TCodes here together with org. values.
  4. Create composite role by using these three roles (one derive role from the pair, one generic transaction role and one value role).
  But please note that the menue entry should not be maintained in the derive role in any circumstances and if you do then you are no longer maintaining SAP Ref-Derive role concept.
  Please let me know if these help you to some extent.
  Regards,
  Dipanjan

• Risk Analysis of derived role is not able to fetch organisational values.

  Dear All,
  We have run the Permission level analysis in GRC 5.2 for the ROLES at permission level and
  found that the tool is not reading the ORGANIZATION VALUES maintained
  in the derived roles.
  We had explored in the GRC tool & found that the field BUKRS,KOART,etc
  are ENABLED in the RULES.While the CC tool is fetching value of other authorzation object.
  Please Advice if there is any configuration settings required.
  For your reference I am pasting the part of report.
  Medium     F_BKPF_KOA : Accounting Document: Authorization for Account Types     ACTVT : Activity     Create or generate
  Medium     F_BKPF_KOA : Accounting Document: Authorization for Account Types     KOART : Account Type     $KOART
  Medium     F_BKPF_BUK : Accounting Document: Authorization for Company Codes     ACTVT : Activity     Create or generate
  Medium     F_BKPF_BUK : Accounting Document: Authorization for Company Codes     BUKRS : Company Code     $BUKRS
  Thanks,
  Sandeep Bhatia

  Hello Sandeep,
  Doing Org Lvl Analysis is not so simple in RAR.
  Firstly this is only user based.
  For using it you will have to schedule one job in configuration which will update Org Values for users in the database table. I don't remember name of this Utility however it will be something Orguser, just search in Configuration tab.
  As mentioned by you, org lvl are already enabled and make sure there values is $.......,
  Reason being Org Rules will be generated at runtime and then anlysis will be done.
  It will be better you take help of SAP on this. As they have document which will be very helpful to you.
  Regards,
  Surpreet

• Master role and derived role concept

  Guys,
  1) How to assign the organizational levels for the derived role?
       Say for example, I have to create the derived roles with respect to the plant code.And after inheriting the tcodes ,authorizations from the master role , I noticed a pop up page with organizational level tabulation and I assigned the respective plant code there and in the same way for all the following derived roles.But the rest of the rows like company code,sales organization,distribution channel etc which are seen in the tabulation are left empty.I noticed that all the fields which are left empty in the org.levels of the derived roles  are been filled up with the vaules of the corresponding master role org.level values when the derived button icon , which is seen under the authorization tab of master role is pressed.So pls let me know the correct procedure to assign.*Do we really need to maintain org.values for master roles?*
  2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
  3) Is master and derived role tested parallely in the QA system or first master role is tested ,followed by the derived role?
  4) According to my understanding we dont assign any user to the master roles, but why do we move it to PRD?
  Greatly appreciate for some body's help.

  >  1) How to assign the organizational levels for the derived role?
  >      Say for example, I have to create the derived roles with respect to the plant code.And after inheriting the tcodes ,authorizations from the master role , I noticed a pop up page with organizational level tabulation and I assigned the respective plant code there and in the same way for all the following derived roles.But the rest of the rows like company code,sales organization,distribution channel etc which are seen in the tabulation are left empty.I noticed that all the fields which are left empty in the org.levels of the derived roles  are been filled up with the vaules of the corresponding master role org.level values when the derived button icon , which is seen under the authorization tab of master role is pressed.So pls let me know the correct procedure to assign.*Do we really need to maintain org.values for master roles?*
  Only if you assign the master roles to users. (and maybe for testing, see 3)
  >
  > 2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
  Nope, but if one of it's derived roles is transported the master is automatically included in the transport. You'll have to make sure all derived roles are transported yourself.
  >
  >  3) Is master and derived role tested parallely in the QA system or first master role is tested ,followed by the derived role?
  Best order is to do all unit testing wit the master, with all org levels at * and create the derived roles only when the master is tested and corrected to satisfaction. In that way the derived roles only have to be tested for organizational shielding.
  >
  >  4) According to my understanding we dont assign any user to the master roles, but why do we move it to PRD?
  See 2, it goes there automatically. No choice.
  Jurjen