Does a compsite role can contain a derived role

hi guys pls answer this question
does a compsite role can contain a derived role?
thank you

Hi Sunny,
Yes composite role can contain derived roles in it. But a composite role cant contain any composite roles.
Please visit:
http://www.*********************/tutorials/composite_role.htm   to find more about Composite roles.
Hope it helps.
Please award points if it is useful.
Thanks & regards,
santosh

Similar Messages

  • Does Oracle User Password can contain non-ASCII characters?

    Hi Experts,
    Can we create a user with password containing non-ASCII characters like "Ro'çá".
    I was able to create a database instance by providing the password for sys as "Ro'çá". But now i am not able to login from command prompt using sqlplus or SQLPLUS Application. I am getting below error:
    C:\Documents and Settings\xyz>sqlplus system/Ro'çá@test
    SQL*Plus: Release 10.2.0.1.0 - Production on Sun Jul 4 12:17:33 2010
    Copyright (c) 1982, 2005, Oracle. All rights reserved.
    ERROR:
    ORA-12154: TNS:could not resolve the connect identifier specified
    Enter user-name:
    same in case i enclose the password in ""
    C:\Documents and Settings\xyz>sqlplus system/"Ro'çá"@test
    SQL*Plus: Release 10.2.0.1.0 - Production on Sun Jul 4 12:17:33 2010
    Copyright (c) 1982, 2005, Oracle. All rights reserved.
    ERROR:
    ORA-12154: TNS:could not resolve the connect identifier specified
    Enter user-name:
    same in case i enclose the password in ""
    Also using create user i am not able to create user with password in non-ASCII characters but alter user works and changes the password to non-ASCII characters when enclosed in quotes.
    I wanted to know whether the password can contain non-ASCII characters or not?
    Thanks in advance for your help.

    I don't think that the characters used are allowed. See this doc which only mentions three characters to be used .
    http://download.oracle.com/docs/cd/E11882_01/server.112/e10575/tdpsg_user_accounts.htm#BEICECGF
    I did try the same but it didn't work for me either.
    SQL> select * from V$version;
    BANNER
    Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
    PL/SQL Release 11.2.0.1.0 - Production
    CORE    11.2.0.1.0      Production
    TNS for 32-bit Windows: Version 11.2.0.1.0 - Production
    NLSRTL Version 11.2.0.1.0 - Production
    SQL> grant connect to user1 identified by Ro'çá;
    ERROR:
    ORA-01756: quoted string not properly terminated
    SQL> grant connect to user1 identified by "Ro'çá";
    Grant succeeded.
    SQL> connect uesr1/"Ro'çá";
    ERROR:
    ORA-01017: invalid username/password; logon denied
    Warning: You are no longer connected to ORACLE.
    SQL> connect uesr1/"Ro'çá"
    ERROR:
    ORA-01017: invalid username/password; logon denied
    SQL> connect uesr1/"Ro'çá"
    ERROR:
    ORA-01017: invalid username/password; logon denied
    SQL>HTH
    Aman....

  • All objects are inactive in derived roles (copied from existing derived role)

    I need to create more than 1000 derived roles, from existing reference roles.
    Reference roles are also derived roles. So I executed LSMW for mass copy.
    Eg: Reference role XYZ with parent role XXX
    New role(ABC) copied from XYZ ,so ABC is having same values as XYZ and master role also.
    Now the issue is after executing the LSMW all roles are copied to new roles, but all objects are inactive in new roles .I am not able to activate the object also.

    Hi Colleen,
    Issue: I have derived roles for plant XX, now I want to derive same set of roles for YY plant. My reference plant is XX, So what am doing is copying the XX roles to New roles (YY) .No change in object or description, just copy role to new role. And I am using LSMW for the same.
    After copy the roles, I will change the description and profile using another script and manually change the org values. But after copy the roles to new roles using script all objects are inactive (In red color),if am selecting the org tab ,I will get message like ,no org levels maintained. Because all objects are inactive .And there are no options (edit) to activate the objects or maintain the fields.
    Thanks,
    Anusha

  • Little Challenge --How to give or restrict TRX in derive roles !

    Want to give 10 trx in 2 derive roles and 15 in another 2 derive roles from same Parent role-Any method to do so?One I know is to give additional 5 Trx access through manually Adding TCD in remaning 2 derive roleANY other way to give or restrict so that tabs should not be in manually or changed mode?

    >
    ARYENDRA DALAL wrote:
    > so that tabs should not be in manually or changed mode?
    Hi,
    Excellent answer from Juluis. Also the way you want to do this is conflicting with the Ref-Derive role concept.
    I can add/modify some thing to the previous two answers.
    One point I want to make clear that you mentioned as quoted above. Do you mean to say that the S_TCode will not be in changed mode (_or_ need not to add S_TCode manually) in Profile generator?
    If Yes, then please check the following approach:
    1. Create your first parent role and pair of derived roles with 10 Tcodes.
    2. Create one role as per the concept of Transaction role - value role. That means, the role will contain those 5 TCodes in the menu but will not contain any authorization (except S_TCODE, all objects should be deactivated).
    3. Then create one composite role with these two (one derive role of the pair and the other single role).
    if No, then follow this approach:
    1. Follow step one of above.
    2. Create one generic role without any menue entry. Add TCode manually in authorization tab and then 5 TCodes there.
    3. Create another role (value role) [let me know if you need details concept on this] and maintain the authorization of those 5 TCodes here together with org. values.
    4. Create composite role by using these three roles (one derive role from the pair, one generic transaction role and one value role).
    But please note that the menue entry should not be maintained in the derive role in any circumstances and if you do then you are no longer maintaining SAP Ref-Derive role concept.
    Please let me know if these help you to some extent.
    Regards,
    Dipanjan

  • Mass generation of Derived Roles

    Hello,
    SUPC helps me in Mass generation of Master Roles. But how do I generate Derived roles in a lot?
    Thanks.

    Hello,
    we also missed this function when we started using derivation of roles. I developed some years ago a program which does this, also possible to start it in background mode. It runs daily (in front of  PFCG_TIME_DEPENDENCY) and adjust derived roles from updated parent roles (which came into the system via transport request).
    Because I developed the program in my working time it's owned by my company, therefore I can not post the source. Just a few hints:
    - parent roles and derived roles: you will find them in table AGR_DEFINE
    - roles imported into the system: with function module TMS_TM_GET_TRLIST you can get yesterday's imported transport requests, you can read the object list with function module TMS_WBO_READ_REQUEST (those with R3TR ACGR have roles in it).
    - build up an internal table of parent roles (consider the derivation level: first process the top level role, then it's derived roles, and then their derived roles and so on).
    - use function module SUPRN_TRANSFER_AUTH_DATA for adjusting the derived roles of a parent role.
    HTH and kind regards
    Jens Hoetger

  • Org data in Derived role differ from Parent role

    Hi there
    I need some help please, I am in the process of creating various parent / derived roles and have found that when I update the parent role (org data) and I do a generate do a derived role update the values in the org data is not correctly pulled through to the derived roles.
    e.g.
    In the parent role for Org data "Purchase Org" the previous value was "/" so that it could be specified in the derived roles should they require the split on this field, however the business has decided that they do not require a restriction on this field so I went back to the parent role and changed the value to "*", so I generated the parent role, updated the derived roles, but when I go to any of my derived roles that field value is still blank, it did not pull through the value * .
    We are currently on
    SAP_ABA  701           0005    SAPKA70105
    SAP_BASIS  701        0005     SAPKB70105
    I have created the derived roles with the parent role as the derived from role, it does pull through the values but just does not update it once I do make changes.
    Your help / suggestions would really be appreciated as I need to create MANY roles.
    Regards
    Sonja

    Hi Sonja,
    obviously there is a misunderstanding of how the derivation works....
    > Thanks guys for the feedback, but surely I do not only need to maintain the ORG data in the derived roles individually, if I have got an Org field that should be the same for all the derived roles I must be able to update the Parent role with this value which then upon generate, and generate / activate the derived roles must update the derived roles.
    -->no.
    Only the first time of derivation, if the field content in the derived roles are initial...
    help.sap.com:
    quote
    The organization level data is only copied the first time the authorization data is adjusted for the derived role. If data is maintained for the organizational levels in the derived role, and if you have maintained the organizational levels using the dialog box, the data is not overwritten by another conciliation (See SAP Note 314513).
    unquote
    The whole stuff:  http://help.sap.com/saphelp_nw70ehp2/helpdata/en/1c/c38028816c11d396bc0000e82de14a/frameset.htm
    otherwise the maintained org.fieldvalues would get overwritten by the value of the master role every time. And that is exactly, what has to be avoided!
    b.rgds, Bernhard

  • Master role-derive role concept and FICO role in dev system!!!

    Hi all,
    I have created a master role with t-codes
    AWUW
    BAPI
    BD10
    BD100
    BD101
    BD102
    BD103
    BD104
    BD105
    BD11
    BD12
    BD13
    BD14
    BD15
    also included object PLOG where maintained org data
    and created a derived role from that master role and generated from the master role.
    After that I wanted to change the org level but the system is not allowing me to change, although I selected the values from the F4 screen.
    Now I want to maintain seperate org value of each of the derived role...and when adjusted from the master role..these maitained value should not vanished.
    How should I proceed???
    I have another issue....I am now in Dev system....I need to create a role with FICO module with SPRO....
    Should I go ahead and cread a role and assign FICO block and assign SPRO...will that be sufficient??
    Thanks in Advance
    Regards,
    Souren

    Yes, It seems that you have broken the org level by directly making changes in the org level field inside pfcg.
    One way to correct this is to regenerate the role in expert mode by selecting the option 'Delete and recreate profile and authorizations' (in case you want to correct it for all the org level fields.).
    If you want only for PLOG, then delete this object and add again. Then go to organization level tab at the top and give the required value. Do this in the master role and generate and push the changes to derived role. Now, goto derived role and make the org level change the same way you did for parent role..
    For your second question, you will have to see what all auth objects are being checked by SPRO for a FICO module assosciate. You can create a test role with SPRO in it and then do authorization trace through ST01 to see what all objects are checked when they work.

  • Only two Workbook roles can be seen  in NW04s Bex 7.0

    A user has access to over five workbook roles but when she opens
    Bex 7.0 -
    > Bex Analyzer--> Open Workbook-- Roles,
    user can only see two workbook roles. I delete these two workbook roles, and user reopens Bex 7.0, user will see the next two workbook roles. Does this mean user can only see two roles at at time in NW04s Bex 7.0? Has anyone come accross similar case?

    Hi,
    Please check the docs below there you can find how to guide and more about reports integration with enterprise portal.
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/6cc17893-0e01-0010-6d91-f9303b436d91
    http://help.sap.com/saphelp_nw04s/helpdata/en/33/39fa40ee14f26fe10000000a1550b0/frameset.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/ab/9659400d9d1059e10000000a155106/content.htm
    https://websmp101.sap-ag.de/~sapdownload/011000358700002894802003E/HowToBIPortal1.pdf
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/2482b090-0201-0010-d080-aec6c02ce8f9
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/dc1d9990-0201-0010-16aa-db3c4eb8b642
    Regards,
    ®

  • GRC BRM: Update Org Levels of derived roles

    Dear GRC experts,
    we are using the GRC BRM Master Derived concept and have around 100 Master roles in place.
    I understand that the Org Levels of derived roles are only once set per Org Value Map during the initial (Mass) Derivation.
    If we add a transation like VA01 to a Master role this also adds some new Org Levels to the Master role. Via "Propagate to Derived roles" the new transaction and object values are added into the Derived roles.
    For the new Org Levels these are added also but the values are not the one from the Org Value Map of the Derived role but exactly the same values of the Master Role.
    Using "Derived Role Org. values Update" does not help us here to update the corresponding Derived roles as no change to the Org Value Map has been done.
    In case a Master role has 40 different Derived roles associated this would require to update manually any of the Derived roles for adjusting the new Org Levels.
    Does anybody know how to automate this task?
    Many thanks for your help!
    Regards,
    Markus

    Hi Markus Richter
    Once you maintain the imparting role and propagate to the derived role, the derived roles will inherit the new org values from the imparting. So that at least has the org values in the derived roles but not the correct values
    Next up is to try to use the Mass Maintain Roles to update the derived roles with correct values from the org map (ensure org maps were updated first) mentioned in post
    Mass Child role Org value update in GRC 10
    Does this work for you as an approach?
    Regards
    Colleen

  • Adjusting derived role in background

    Hello,
    Each time we modify a reference role, we spend a lot of time adjusting the derived roles (at least 20 derived roles, about 5 000 users by role).
    To do it, we execute PFCG, Authorization tabs, then in the authorizations menu-> adjust derived-> Generate derived roles.
    Is there a standard way to do it in background or in a batch mode (maybe by program, or function module) ?
    Thanks.
    Guillaume

    Hi Guillaume.
    We actually cloned the SUPRN_REGENERATE_DEPENDENT program into a Z-program and added the multiple roles functionality based on the timestamps in table AGR_TIME.
    We then save the timestamps in a shadowtable (clone of AGR_TIME) so we can figure out when the role have been changed and a derivation is neccessary!
    Contact me for further details!
    Regards Fredrik

  • ERM 5.3 (SP12) Derived Role Update Problem

    Hello Experts,
    I have a question.
    We have a master role/derived role set up in the back-end system. We are trying to update a master role and its derive roles in ERM via PFGC sync.
    Our problem:
    We can add a transaction to a master role no problem in ERM via PFCG sync (adding a transaction code in the back-end and sync to ERM) However, we are unable to update the transaction for derived roles (nothing happens for derived roles in ERM).
    If I am correct, we don't have to add a transaction to each derived role manually, and we should be able to update derived roles automatically once we update a transaction in a master role.
    Please just note that we successfully imported all the master/derived roles from our back-end system, and we are not try to create a derived role in ERM at this time. All we want right now is to update a master role and its derived roles in ERM via PFCG sync.
    If you can, please advice.
    HM

    Go to the TXT file , cut the last line from the AGR_1252 (rtable and insert it to the top of the lines ( AGR_1252) , and reimport it will work I had the same problem in my previous implementation.
    try for one parent & child role
    This is a known problem with SAP they will rectify it in SP12/SP13 or so

  • BRM - Derived roles values not passing to backend

    Hello ,
    When we define a derive role with org values in BRM . derived role getting created in backend but it is not passing org values in backend .
    org values are empty in derived roles for backend system
    we have finished su25 activity as well in backend
    we are in sp12 on NW7.31
    Any solution available
    Regards
    Rajendra

    Hi Andrzej,
    Generation and maintain authotization are working fine .
    My issue is, in derivation phase, when I derive a role in BRM,
    the derived role which got created doesn't have org values in backend system.
    So I want to know whether this is bug or Derivation phase in BRM will not pass org values to back end
    Regards
    Rajendra

  • Reg derived roles combination into composite role

    Dear All,
    We have a role called GR Clerk. This will be available across all stores and DC for our retail customer. We have devised a strategy wherein we will create one global role with * in org level for site. Then we will
    create derived roles for individual DC and stores (from global role) and maintain site for each derived role.
    Now our customer wants following:
    Example: Store 1's GR clerk shall have required authorizations on transaction for Store 1, plus, one
    additional authorization/transaction for Store2.
    What we initially though that we will create two individual global roles: One for all authorizations and
    second for additional authorization.
    Global GR Clerk role: GRC
    Transactions: t1, t2, t3          
    Global GR Clerk role: GRC_additional
    Transactions: t4
    Derived Roles
    for GRCStore1:     
    1. GRCStore1 with org level Site= Store1     
    2.GRCStore1_additional with org level Site= Store2
    Now I will assign both derived roles to user who is GR Clerk on Store1.
    Is this approach correct?
    Also, customer wants that only one role should be assigned to user. So shall I create a composite role out of 2 derived roles?
    Will the respective site org levels be maintained after combining derived roles into composite one?
    Thanks for your time in advance.
    regards, Sean.

    Hi,
    Regarding the transaction roles and authorization roles, it is also a good approach, however, you would still have to consider the above point in case the authorization objects overlaps and make sure that both are restricted to appropriate "stores".
    Whether it's a good approach or not, per me, depends on the overall scenario and the fact that how much maintenance would be required in long term.
    Like say, if it is a case that the transaction codes (t1,t2 and t3) are for specific stores and transaction t4 is like display activity of other store and not just store 2. Then creating a common role for transaction t4 and including it in the composite role apart with the store specific role with tcodes (t1,t2 and t4) would also be a good approach.
    ZZZ:STORE_CLERK_STORE1             (Composite Role)
    ZZS_STORE_CLERK_STORE1                      transaction code t1, t2 and t3
    ZZZ_STORE_CLERK_STANDARD                  transaction code t4 (Either no org level restriction or all store access)
    ZZZ_STORE_CLERK               (Parent Role)
    ZZS_STORE_CLERK_STORE1                  Org level Restricted to Store 1
    ZZS_STORE_CLERK_STORE2                  Org level restricted to Store 2
    and so on
    PS: Naming convention are for illustration only
    Cheers !!
    Zaheer

  • Derived Role Z-transaction issue

    Has anyone had a problem with having custom (Z-transactions) transactions in your master role, then when the derived role is generated from this master role, these Z transactions and their authorization objects are missing in the derived role?

    Susan,
    The only way to make sure changes in SU24 is brought into existing roles is to update the role in expert mode with the "merge with new data option".
    Did you try to adjust all the derived roles from the Master role to see if this bring populate custom t-code & auth objects to the derived roles? (Authorization -> Adjust Derived -> Generate Derived roles).
    Have fun.
    Lye

  • How can we determined what role contains a particular privilege.

    Hi All.
    How can we determined what role contains a particular privilege.???
    I have found note User Management (UMX) Security Infrastructure Reporting (Doc ID 1222663.1)
    Our implementation doesn't seem to have a "UMX_W3H_HOMEPAGE / W3H Homepage Permission Set"
    This is a R12.0.4 instance
    Thanks in advance

    How can we determined what role contains a particular privilege.???User Management Responsibility > Roles & Role Inheritance > Search for the Role > Click on Edit and you will find the list of Permissions.
    I have found note User Management (UMX) Security Infrastructure Reporting (Doc ID 1222663.1)
    Our implementation doesn't seem to have a "UMX_W3H_HOMEPAGE / W3H Homepage Permission Set"
    This is a R12.0.4 instanceAccording to (How to Assign User Management Security Reports to a User [ID 1221304.1]), it is available in 12.1.1 and above.
    Thanks,
    Hussein

Maybe you are looking for