Derived roles linked to Master role

How do we find the all derived role related to a particular Master role?

Hi Ajit,
Since you are new to security, you might want to dig the security tables.
You can maintain a spreadsheet of all tables relevant to security.
For starters, in SE16 , dig USR, UST, AGR, USH,USO*
Hope this helps
Abhishek

Similar Messages

ERP Mass Role generating from master role.

Hello
In our ERP system we have several master roles and lots of roles derived from those masters. My question is when I add a transaction or even change one authorization object I have to manually generate all of those sub roles.
How can I do "copy from master role" then regenerate and then compare users more easily? Editing hundreds of roles takes lots of time.
I know PFCG has option Mass Compare and Mass Generate but they are not working for those sub roles.
Thanks

Hi,
Please go through help.sap.com or google to search and understand the process of creation/generation of master-derived roles:-)
If you have master -derived role created in system, you do not need to generate each individual roles. Just go to change mode of Master role in Authorization tab and beside "Generate" button at the top, you also see an icon "Generate derived role" (CTRLSHIFTF4 is the shortcut key) which can be used to adjust-derive all derived roles inheriting all characteristics of the master role into the derived roles (except the organizational values in case they are separately maintained in the derived roles)
Thanks
Sandipan
Edited by: Sandipan Choudhury on Mar 18, 2011 2:53 PM

GRC 10 Role Import error(Master role does not exist) in SP12

Hi,
We have completed connectors part and ran sync jobs successfully.
We have given required inputs in Define Criteria,Select Role Data in Role Import.When we submit this,only few roles are successfully imported.
It is giving error like Master role does not exist(some roles) but it is successful for few other roles.
We have tried with SKIP option in role authorization source as per a note but it is not successful for all the role import and getting above mentioned error.
Please check and advice.
Thanks & Regards,
Koteswara Rao.

Hi Koteswara
Have you confirmed in SAP that your ZM* roles are definitely imparting roles only? When you tried to upload them on second attempt, did you relaunch the the role import screen to ensure any buffering completely cleared?
Another thing to try - import the master role and then exit NWBC and run the repository synch job. Go back to NWBC and attempt to import the derived roles to see if error is gone?
If these don't work for you it may be time to contact SAP. I assume it was the following note you referred to: 1576321 - Import derived role without master role
Also, this topic was raised in SCN last year (unfortunately the thread was not updated with the solution). Possibly reach to the thread owner and see if they will login to SCN and update it Role import failed with Master role does not exist in SP13
Regards
Colleen

Business Role - Link to PFCG role

Dear all,
When I create a new business role in CRM there is a field called PFCG role ID in which you must provide a PFCG role.
What is the functionality of this PFCG role in relation to the Business Role?
When I look into standard SAP business roles and their associated standard SAP PFCG role I see a lot of "external services"/views. Is it possible to create such a role from scratch myself.
Is there some documentation available that explain this relationship between the PFCG role and the business role.
Thank you in advance,

Dear Ivan,
To start with Business Partner Roles and PFCG roles are different. Though you have an integration that one business partner cannot view the data of other business partner because of the roles that are being maintained in PFCG.
Lets say you have two customers (BP Role Customer). One customer cannot view the data of other customer because of the role that is being assigned to his user id in SU01. You create the roles in PFCG.
CRM Business Partner Roles:
http://help.sap.com/saphelp_glossary/en/dc/926ecf5e1cd511bcbe0800060d9c68/content.htm
Rights and responsibilities that a business partner can have in various business transactions.
The assignment of a BP view determines the relevant data sets, so that only a particular part of the BP master data is displayed, depending on the business transaction in question.
http://www.crmexpertonline.com/archive/Volume_03_(2007)/Issue_04_(May)/v3i4a4.cfm?session=
Each business partner role contains a predefined set of functions based on the business partners relationship to your company. For example, you could have business partner roles such as employee or vendor. The business partner roles determine the fields you have available in the SAP CRM system for the business partner. Business partner role categories sort business partner roles into groups, such as person or company.
PFCG Roles:
http://help.sap.com/saphelp_nw2004s/helpdata/en/52/671285439b11d1896f0000e8322d00/content.htm
The SAP authorization concept protects transactions, programs, and services in SAP systems from unauthorized access. On the basis of the authorization concept, the administrator assigns authorizations to the users that determine which actions a user can execute in the SAP System, after he or she has logged on to the system and authenticated himself or herself.
To access business objects or execute SAP transactions, a user requires corresponding authorizations, as business objects or transactions are protected by authorization objects. The authorizations represent instances of generic authorization objects and are defined depending on the activity and responsibilities of the employee. The authorizations are combined in an authorization profile that is associated with a role. The user administrators then assign the corresponding roles using the user master record, so that the user can use the appropriate transactions for his or her tasks.
Hope this will help.
Regards,
Naveen.

Portal Roles link to ABAP Roles

Hi,
i want the user to get the roles that are assigned to him in the ABAP system. We have roles for specific functional area like MM, Sales & Finance. I know if i create a portal roleand link the role to the abap role and set the prperty fo the role to be entry point i can get the roles as in the abap.
What i want to achieve is some thing like this. The every user core role will have a BW Home and BW reports Tab by default in the level one. When the user selects BW Reports the level 2 should be filled with the abap roles assgined to him. Can any one help me if this can be achieved and if so the steps to be follow.
Thank you,
Ravi.

Hi ,
check the below document to get roles from erp into portal
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/f1cbe7ee-0901-0010-12b9-e6c74d94e132
After bringing roles into portal , do necessary settings in portal to appear in second level navigation ( do not set entry point =yes)
Koti Reddy

Mass role import with derived roles out of master roles

Hi everybody,
I want to import a mass of roles with derivation (org. values) levels.
Could you please provide me with the terminology of the org. info file.
Bulk and role info were created and could successfully imported, but the derivation level (comes up with the
org info file) never works. There are no derived roles.
Look of the org file:
Role Name [ Alphanumeric (100) ] [ Mandatory ]     Derived Org. Level [ Alphanumeric (50) ] [ Mandatory ]     From Value [ Alphanumeric (100) ] [ Mandatory ]     To Value [ Alphanumeric (100) ]
Z0007_K:FI_AP_CHANGE     Company Code (BUKRS)     CN10
Z0008_K:FI_AP_CHANGE     Company Code (BUKRS)     CN20
Z0009_K:FI_AP_CHANGE     Company Code (BUKRS)     CN30
Z0010_K:FI_AP_CHANGE     Company Code (BUKRS)     CN40
Z0011_K:FI_AP_CHANGE     Company Code (BUKRS)     MA10
Any ideas ?
Reg,
Ulrich

Hello everybody,
The right way to import orglevel fields is like that:
before the org level field, you need to add the "$" sign- like that - $BUKRS
in every line.
good luck,
best regards,
Haim Brauner

Master role-derive role concept and FICO role in dev system!!!

Hi all,
I have created a master role with t-codes
AWUW
BAPI
BD10
BD100
BD101
BD102
BD103
BD104
BD105
BD11
BD12
BD13
BD14
BD15
also included object PLOG where maintained org data
and created a derived role from that master role and generated from the master role.
After that I wanted to change the org level but the system is not allowing me to change, although I selected the values from the F4 screen.
Now I want to maintain seperate org value of each of the derived role...and when adjusted from the master role..these maitained value should not vanished.
How should I proceed???
I have another issue....I am now in Dev system....I need to create a role with FICO module with SPRO....
Should I go ahead and cread a role and assign FICO block and assign SPRO...will that be sufficient??
Thanks in Advance
Regards,
Souren

Yes, It seems that you have broken the org level by directly making changes in the org level field inside pfcg.
One way to correct this is to regenerate the role in expert mode by selecting the option 'Delete and recreate profile and authorizations' (in case you want to correct it for all the org level fields.).
If you want only for PLOG, then delete this object and add again. Then go to organization level tab at the top and give the required value. Do this in the master role and generate and push the changes to derived role. Now, goto derived role and make the org level change the same way you did for parent role..
For your second question, you will have to see what all auth objects are being checked by SPRO for a FICO module assosciate. You can create a test role with SPRO in it and then do authorization trace through ST01 to see what all objects are checked when they work.

Master role-derive role concept?

Hi all,
I have created a master role with t-codes
AWUW
BAPI
BD10
BD100
BD101
BD102
BD103
BD104
BD105
BD11
BD12
BD13
BD14
BD15
also included object PLOG where maintained org data
and created a derived role from that master role and generated from the master role.
After that I wanted to change the org level but the system is not allowing me to change, although I selected the values from the F4 screen.
Now I want to maintain seperate org value of each of the derived role...and when adjusted from the master role..these maitained value should not vanished.
How should I proceed???
Thanks in advance
Regards,
Souren

you should refer to the SECURITY forum at Security

Master role & Derived role concept

Hi Friends ,
We have master and drive role concept in our project . ABC_XXXX (Master role ) ABC_1000(Derived role) (1000= company code)
Now we need to maintain some values in master roles lets say display :03 . Should we regenrate deived role as well ?
If we regenrate derived role , Do inhertiance relatioship breaks? and we need to maintain company code =1000 value again ?
Please suggest.
regards

Forgot to answer some more questions you had asked. Adding them here:
Now we need to maintain some values in master roles lets say display :03 . Should we regenrate deived role as well ?
- use the steps I mentioned in my earlier reply to re-generate derived roles from the Master role.
If we regenrate derived role , Do inhertiance relatioship breaks?
- please use the steps I suggested, the inheritance will not break. And this is an advantage of Master-->derived role.thats the meaning of having this concept in SAP.
and we need to maintain company code =1000 value again ?
--- No you dont need to. (you can check and see this manually).
Hope it helps...
Soumya
Edited by: Soumya Thomas on May 20, 2010 12:34 PM
Edited by: Soumya Thomas on May 20, 2010 12:35 PM

Master role

Hi guys,
I have created a project in spro and assigned that project as a zrole..I thint that zrole is the master role.Is it correct? If so can anybody tell me how to derive roles from that master role..
reg'
Zeemaaa...

to create derived role, create a role as normal & in the description tab put the name of your parent role in field "Derive from role". Enter your org restrictions and then go back to your master/parent role and push through the object level changes from the Authorizations tab of the master role (I think the button is titled "adjust derived")

Master role and derived role concept

Guys,
1) How to assign the organizational levels for the derived role?
Say for example, I have to create the derived roles with respect to the plant code.And after inheriting the tcodes ,authorizations from the master role , I noticed a pop up page with organizational level tabulation and I assigned the respective plant code there and in the same way for all the following derived roles.But the rest of the rows like company code,sales organization,distribution channel etc which are seen in the tabulation are left empty.I noticed that all the fields which are left empty in the org.levels of the derived roles are been filled up with the vaules of the corresponding master role org.level values when the derived button icon , which is seen under the authorization tab of master role is pressed.So pls let me know the correct procedure to assign.*Do we really need to maintain org.values for master roles?*
2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
3) Is master and derived role tested parallely in the QA system or first master role is tested ,followed by the derived role?
4) According to my understanding we dont assign any user to the master roles, but why do we move it to PRD?
Greatly appreciate for some body's help.

> 1) How to assign the organizational levels for the derived role?
> Say for example, I have to create the derived roles with respect to the plant code.And after inheriting the tcodes ,authorizations from the master role , I noticed a pop up page with organizational level tabulation and I assigned the respective plant code there and in the same way for all the following derived roles.But the rest of the rows like company code,sales organization,distribution channel etc which are seen in the tabulation are left empty.I noticed that all the fields which are left empty in the org.levels of the derived roles are been filled up with the vaules of the corresponding master role org.level values when the derived button icon , which is seen under the authorization tab of master role is pressed.So pls let me know the correct procedure to assign.*Do we really need to maintain org.values for master roles?*
Only if you assign the master roles to users. (and maybe for testing, see 3)
>
> 2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
Nope, but if one of it's derived roles is transported the master is automatically included in the transport. You'll have to make sure all derived roles are transported yourself.
>
> 3) Is master and derived role tested parallely in the QA system or first master role is tested ,followed by the derived role?
Best order is to do all unit testing wit the master, with all org levels at * and create the derived roles only when the master is tested and corrected to satisfaction. In that way the derived roles only have to be tested for organizational shielding.
>
> 4) According to my understanding we dont assign any user to the master roles, but why do we move it to PRD?
See 2, it goes there automatically. No choice.
Jurjen

Derived roles are getting overwritten everytime when I update Master Role.

Hi Experts !
We have created some Master and Derived roles in the past. According to the requirement we have made some changes directly in the derived roles like some value of objects, activities, etc.. Now we added one t-code in the master role and generated its profile and generated all derived roles also. But changes made directly in derived roles earlier, revoked from all derived roles.
Now can anyone tel me how to add t-code in Master and derived roles so that the changes directly made in derived role should not be removed.
Please help and give your valuable advise.
Regards,
Lokesh Bajaj

Hi Lokesh,
The main principle of derived roles is that they inherit all object level access from the parent with the exception of organisational levels.
Using derived roles you cannot achieve your requirement. If there are any object level differences in the derived roles then you will need to create different master roles or delete the inheritance relationship. This is a design constraint when using derived roles and if you do use them (some would advise against) then it has to take this functionality into account.
You can promote most field values to org levels which will not be overwritten but you need to be very careful that it doesn't cause problems elsewhere (e.g. promoting auth group to an org level). I respectfully suggest that you do not go down this route without consulting someone who has done it before and can evaluate your solution for it's suitability.
Cheers

Importing master role from ECC into portal throws derived role exception

Hello,
While uploading master and derived role from backend system into the portal I am getting the following exception.
com.sap.portal.pcd.rolemigration.RoleMigrationException: Nested Exception. Failure to execute native function. Nested Exception. ROLE_IS_DERIVED
Does it imply that the derived role is already imported with the import of master role and there is no need to explicitly import the derived role?
The landscape uses role upload tool of portal for UME.
Regards
Pooja

Hi Pooja,
There is a limitation with the role upload tool that the derived roles cannot be uploaded.
The migration is only able to upload roles which have their own menus. Derived R/3 roles does not have menus themselves as they derive them from other roles. The purpose of the migration is to bring the R/3 navigation structures into the portal. Therefore you can only migrate the role from which your role is derived.
Regards
Anja

Org data in Derived role differ from Parent role

Hi there
I need some help please, I am in the process of creating various parent / derived roles and have found that when I update the parent role (org data) and I do a generate do a derived role update the values in the org data is not correctly pulled through to the derived roles.
e.g.
In the parent role for Org data "Purchase Org" the previous value was "/" so that it could be specified in the derived roles should they require the split on this field, however the business has decided that they do not require a restriction on this field so I went back to the parent role and changed the value to "*", so I generated the parent role, updated the derived roles, but when I go to any of my derived roles that field value is still blank, it did not pull through the value * .
We are currently on
SAP_ABA 701 0005 SAPKA70105
SAP_BASIS 701 0005 SAPKB70105
I have created the derived roles with the parent role as the derived from role, it does pull through the values but just does not update it once I do make changes.
Your help / suggestions would really be appreciated as I need to create MANY roles.
Regards
Sonja

Hi Sonja,
obviously there is a misunderstanding of how the derivation works....
> Thanks guys for the feedback, but surely I do not only need to maintain the ORG data in the derived roles individually, if I have got an Org field that should be the same for all the derived roles I must be able to update the Parent role with this value which then upon generate, and generate / activate the derived roles must update the derived roles.
-->no.
Only the first time of derivation, if the field content in the derived roles are initial...
help.sap.com:
quote
The organization level data is only copied the first time the authorization data is adjusted for the derived role. If data is maintained for the organizational levels in the derived role, and if you have maintained the organizational levels using the dialog box, the data is not overwritten by another conciliation (See SAP Note 314513).
unquote
The whole stuff: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/1c/c38028816c11d396bc0000e82de14a/frameset.htm
otherwise the maintained org.fieldvalues would get overwritten by the value of the master role every time. And that is exactly, what has to be avoided!
b.rgds, Bernhard

Partner roles in Vendor master record

Hi all
can some one explain me how to enter the partner roles in vendor master record
In sap help i didnt understood this point
"When working with partner roles, you must maintain the following settings:
Separate vendor master records must exist for all the partners of a vendor that are to be entered in that vendors master record."
what does it mean
suppose i am creating vendor master record 1234
Vendor master record:1234
LF 1234       /*vendor
BA1234       /*ordering address
i have to click 1234 in BA and select 'parner' at the top to enter the ordering adress right ...
what is the 'Separate vendor master records must exist for all the partners' mean
it has to be like this?
Vendor master record:1234
LF 1234       /*vendor
BA1235       /*ordering address
1235 vendor master record is created earlier and ordering address maintained ??
please help me in this record, any user manual or some screen shots to explain how to maintain partner roles in vendor master record
regards
Bhushan.N

Hi Sasi ,
What Ramkrishna explained is correct. I will try to illustrate it with the example.
Suppose you are creating a vendor 1234 which is Head office of the supplier where you need to place the order. But goods will be supplied from Pune plant so you should enter 1235 againts partner function GS , here 1235 is seperate vendor master record with Pune plant details & it must exist in the system so that you can use it as a partner function Hope this has cleared your doubts.
Similarly you vcan create other partner functions like payee,ordering party etc.
Regards,
Anand

Derived roles linked to Master role

Similar Messages

Maybe you are looking for