ERM 5.3 (SP12) Derived Role Update Problem

Similar Messages

• Workflow tasks in derived roles

  Hello,
  I am involved in a EHS Product Compliance project that uses workflow.
  In PFCG I assign a standard workflow task to a role under the workflow tab.  If I go to tcode PFTC, type in the workflow task number then navigate to: Additional Data->Agent assignment->Display, the user account assigned to the role is listed and clicking the Overall View button I see the role assignment.
  The problem is when I derive the role.  In this case the tasks show up under the workflow tab, but the derived role is not listed under PFCT and this role does not allow my end user to process workflows.
  Are there any known limitations using workflows in derived roles?

  Hello Savitha,
  What you proposed will work, but that defeats the who purpose of deriving roles.  I want to add the workflow tasks to the base role and then have my 30 derived roles updated automatically.
  Kerry

• Org data in Derived role differ from Parent role

  Hi there
  I need some help please, I am in the process of creating various parent / derived roles and have found that when I update the parent role (org data) and I do a generate do a derived role update the values in the org data is not correctly pulled through to the derived roles.
  e.g.
  In the parent role for Org data "Purchase Org" the previous value was "/" so that it could be specified in the derived roles should they require the split on this field, however the business has decided that they do not require a restriction on this field so I went back to the parent role and changed the value to "*", so I generated the parent role, updated the derived roles, but when I go to any of my derived roles that field value is still blank, it did not pull through the value * .
  We are currently on
  SAP_ABA  701           0005    SAPKA70105
  SAP_BASIS  701        0005     SAPKB70105
  I have created the derived roles with the parent role as the derived from role, it does pull through the values but just does not update it once I do make changes.
  Your help / suggestions would really be appreciated as I need to create MANY roles.
  Regards
  Sonja

  Hi Sonja,
  obviously there is a misunderstanding of how the derivation works....
  > Thanks guys for the feedback, but surely I do not only need to maintain the ORG data in the derived roles individually, if I have got an Org field that should be the same for all the derived roles I must be able to update the Parent role with this value which then upon generate, and generate / activate the derived roles must update the derived roles.
  -->no.
  Only the first time of derivation, if the field content in the derived roles are initial...
  help.sap.com:
  quote
  The organization level data is only copied the first time the authorization data is adjusted for the derived role. If data is maintained for the organizational levels in the derived role, and if you have maintained the organizational levels using the dialog box, the data is not overwritten by another conciliation (See SAP Note 314513).
  unquote
  The whole stuff:  http://help.sap.com/saphelp_nw70ehp2/helpdata/en/1c/c38028816c11d396bc0000e82de14a/frameset.htm
  otherwise the maintained org.fieldvalues would get overwritten by the value of the master role every time. And that is exactly, what has to be avoided!
  b.rgds, Bernhard

• ERM: Importing Derived Roles Problem

  Hello All,
  It appears that if I download and mass import 1 derived role at a time, the ERM mass import works perfectly. But, if I download the same successful derived roles and import them together, the ERM mass import does not import all the role details. Instead, it drops the role description and long description.
  This problem occurs if I upload 2 or more derived roles at a time.
  Any ideas?
  System Details: GRC AC SP12, VIRSANH 12, VIRSAHR 10.
  -Dylan

  Hi Dylan -
  We have found a work around for this, but before I list the steps let me not be presumptuous in my explanation as you must have both the parent roles uploaded in ERM in addition to updating the "Primary Org. Level File" with the appropriate data prior to loading the derived roles.
  Upon downloading the derived roles from the backend, 3 files are exported [Bulk File, Info File & Org File] and this is true for all roles that are exported. However, only when derived roles are exported will the Org File be populated with data (i.e. role name).  This makes sense because the only time this Org File is needed is when you import derived roles, all other roles only require the Bulk & Info File.
  Our guess was the way it was supposed to work is that the Org values were supposed to be exported into this file with the role names, however the Org Level & Value fields are blank.  We tried multiple combination of populating this file, but continued to get the same import error.  We eventually figured out a way to update this file to pull in all of the Org level data:
  *NOTE we found the most success with Mass Import files with the following extension: Bulk - .txt, Info - .xls, Org - .xls
  As stated before, the derived role Org file auto-populates the role names that were downloaded. In the 'Derived Orl Level' & 'From Value' fields you need only populate the first value from the 'AGR_1252' table listed in the Bulk file.
  Example:
  In the Bulk file we have a role: ZD:HR_AT_ANALYST and the first value listed for line AGR_1252 is the client number+role name then the Derived Orl Level and Value.  So we populated our Org file to look like this.
  Role Name                                         --->>>    Derived Org Level         --->>>    From Value
  ZD:HR_AT_ANALYST                    --->>>   KORSS                           --->>>   NRPC
  ZD:HR_BN_PAYROLL_DSPLY         --->>>    PERSA                         --->>>      *
  ZD:HR_PY_AT_ANALYST                --->>>   BURKS                         --->>>      NRPC
  If the file is populated this way, somehow it magically picks up the remaining Org Level Data for role when loaded. So the file does not have to actually have all of the values for each role.  I can be tedious to sift through the bulk file for the values, but there are quick ways to do it in excel.
  Hope this helps,

• Derived roles are getting overwritten everytime when I update Master Role.

  Hi Experts !
  We have created some Master and Derived roles in the past.  According to the requirement we have made some changes directly in the derived roles like some value of objects, activities, etc.. Now we added one t-code in the master role and generated its profile and generated all derived roles also. But changes made directly in derived roles earlier, revoked from all derived roles.
  Now can anyone tel me how to add t-code in Master and derived roles so that the changes directly made in derived role should not be removed.
  Please help and give your valuable advise.
  Regards,
  Lokesh Bajaj

  Hi Lokesh,
  The main principle of derived roles is that they inherit all object level access from the parent with the exception of organisational levels.
  Using derived roles you cannot achieve your requirement.  If there are any object level differences in the derived roles then you will need to create different master roles or delete the inheritance relationship.  This is a design constraint when using derived roles and if you do use them (some would advise against) then it has to take this functionality into account. 
  You can promote most field values to org levels which will not be overwritten but you need to be very careful that it doesn't cause problems elsewhere (e.g. promoting auth group to an org level).  I respectfully suggest that you do not go down this route without consulting someone who has done it before and can evaluate your solution for it's suitability.
  Cheers

• GRC BRM: Update Org Levels of derived roles

  Dear GRC experts,
  we are using the GRC BRM Master Derived concept and have around 100 Master roles in place.
  I understand that the Org Levels of derived roles are only once set per Org Value Map during the initial (Mass) Derivation.
  If we add a transation like VA01 to a Master role this also adds some new Org Levels to the Master role. Via "Propagate to Derived roles" the new transaction and object values are added into the Derived roles.
  For the new Org Levels these are added also but the values are not the one from the Org Value Map of the Derived role but exactly the same values of the Master Role.
  Using "Derived Role Org. values Update" does not help us here to update the corresponding Derived roles as no change to the Org Value Map has been done.
  In case a Master role has 40 different Derived roles associated this would require to update manually any of the Derived roles for adjusting the new Org Levels.
  Does anybody know how to automate this task?
  Many thanks for your help!
  Regards,
  Markus

  Hi Markus Richter
  Once you maintain the imparting role and propagate to the derived role, the derived roles will inherit the new org values from the imparting. So that at least has the org values in the derived roles but not the correct values
  Next up is to try to use the Mass Maintain Roles to update the derived roles with correct values from the org map (ensure org maps were updated first) mentioned in post
  Mass Child role Org value update in GRC 10
  Does this work for you as an approach?
  Regards
  Colleen

• Mass Role Import  -- 9000 derived roles with 9 org Levels, how to get TXT

  Hello,
  I hava a problem.
  I want to use the (Mass Role Import) Bulk Role Import element in the ERM  (SAP GRC AC 5.3 )for importing SAP roles (I only found that way to import roles from SAP).
  I have 100 primary roles and more or less 9000 derived roles with 9 org Levels.
  Is there a way to get this 9000 derived roles with their 9 org Levels in a TXT file?. Or do I have to do it manually this part to insert it in the "Bulk Role Import ".
  Can someone help me?
  Thank you in advance.
  Pablo Mortera.

  Hi Mike,
  what kind of TA´s are in your role. Is it possible to integrate a "dummy" TA (without conflicting
  your SOD)?
  In my example I have CO TA´s bundled in a role:
  Role:   ZXXXX_O:CO_ORDERMANAGER_CRE - CO Order Manager Pflege
  with
  KO01 Create Internal Order ...
  KO02 Change Order ... 
  KO04 Order Manager ... 
  KOK2 Collective Proc. Internal Orders ... 
  KOK4 Aut. Collect. Proc. Internal Orders
  update this role with TA KO01 and KOKRS will be available for derivation.
  Done this manually without import in ERM.
  Reg,
  Ulrich

• Change authorization object in a derived role

  Hi Gurus,
  What's happen if someone has added a new authorization object in a derived role?
  He has only changed some derived role, not the parent role, he added manually a new value in the authorization field. The parent role didn't changed.
  <u>Note:</u>The field was not an organizationnal field, it was S_DATASET.
  What do you think about this ?
  Thanks
  Hery-zo

  Do i understand this right??? do functional teams have access to PFCG to create roles???
  If so that is your real problem, as that shoudl never been doen that way. You are completely right functional consultants have no clue about how roles should be build. advise:
  1 take away the access to PFCG in ALL systems for anybody other than security consultants administrators.
  2 ask all functional teams to describe the roles points to be adressed:
     A TRX in every role
     B all wanted restrictions on every TRX (described functionally)
     C orglevels on which restrictions should be build.
     D Test process for every TRX in every role (both positive and negative)
     E  check all roles against table USOBT and look for manually added objects,  
         if they can not give a good reason for adding these REMOVE them.
  3 retest all roles based on point 2D, ask the funcxtional consultants to assist where needed. Adjust roels during testing where needed, but create a good auditable record for every change.
  4 Update USOBT_C (use TRX SU24) for all changes you apply during testing
  5 check your roles for the corrected TRX after this change and update the other roels involved as well.
  6 ONLY allow roles that have followed the above process to go to Production.
  The above steps are the only way to create a secure SAP Production system for you!

• Mass gerneration of derived roles

  Hello,
  I've got two questions concerning mass generation of roles.
  1)
  In a system are implented certain roles. Sometimes we're getting an update of the parent roles. In the next step we have to derivate all kind roles manually. This is very costly for a lot of roles.
  I know the point "mass generation" in PFCG, but if we use this with option "all roles to be compared" the derived roles will not be compared. Even if I do this in same system (changing the parent role, choosing option the mentioned option) the kind role will not be updated. Is there a possibility to solve this problem or make the derivation faster without touching each parent role?
  2)
  I want to do the derivation of roles automatically. I read here something about LSMW, Batch-Input or CATT scripts. Can anybody explain me how it exactly works with this automatic derivation of roles?
  Regards,
  Julia

  Thanks for your possibilities to solve the problem.
  I think the first problem with the derivation of roles after update of parent role could be solved with your mentioned report and eCATT.
  But with the second problem I still have trouble. I tried to use eCATT with transaction SECATT in SAP system. This works fine as long the roles have the same organizational levels.
  But I think that there has got to be a script for each role, because the organizational levels differ from role to role. So if you have e.g. 100 parent roles in your system, you have to create 100 scripts (apart from the question, if it's reasonable to have so much parent roles). It's helpful that the parameters can be stored in a data container, but additionally you have to know, which script concernes which roles and you have got to use the right script for right role.
  Or did I overlooked something in eCATT?
  Regards,
  Julia

• Derived Role Z-transaction issue

  Has anyone had a problem with having custom (Z-transactions) transactions in your master role, then when the derived role is generated from this master role, these Z transactions and their authorization objects are missing in the derived role?

  Susan,
  The only way to make sure changes in SU24 is brought into existing roles is to update the role in expert mode with the "merge with new data option".
  Did you try to adjust all the derived roles from the Master role to see if this bring populate custom t-code & auth objects to the derived roles? (Authorization -> Adjust Derived -> Generate Derived roles).
  Have fun.
  Lye

• USMM - License Classification on Derived Roles

  Hello,
  I want to assign license type by roles and we're currenlty using the derived role approach in our SAP systems. Is there a way to assign license type to the master role and have it show in the USER CLASSIFCATION report in transaction USMM. I noticed that if  I assign the license type to the master no user shows up with a licens type on the report however if I assign the license type to the child role the user ID shows up in the report with the assigned license type.  I realized in order for a user ID to show up with a license type a role need to be assign to the user ID. I'm wondering if the same can be done but to the master role instead without having to update each child role with a license type in the system.
  -Wes

  Hi
  Well...what an eye-opener that one was. It does seem to make sense if you've got a standard set of derived composite roles rolled out across multiple sites if you could then classify the parent composite role for USMM, read the correct charge based on the link to the derived composite via AGR_DEFINE (I'm guessing this is the bit that's not yet working).
  (edited) Old age made me say a daft thing - I can't create a parent/derived composite   but it still looks good (edited)
  A user moves jobs within the organisation was a cat 71 and became a cat 72 then the removal/assignment of composite roles takes care of license type too. Trouble is, I've found it common practice for admin to add new roles and forget to remove (outgoing manager problems). But, then again our poor administrator in GSD had a miserable time trying to work out who did what and which license they should have
  Thanks once again for the LICENSE_ATTRIBUTES help - very much appreciated.
  Cheers
  David
  Edited by: David Berry on Sep 22, 2010 5:42 PM

• Risk Analysis of derived role is not able to fetch organisational values.

  Dear All,
  We have run the Permission level analysis in GRC 5.2 for the ROLES at permission level and
  found that the tool is not reading the ORGANIZATION VALUES maintained
  in the derived roles.
  We had explored in the GRC tool & found that the field BUKRS,KOART,etc
  are ENABLED in the RULES.While the CC tool is fetching value of other authorzation object.
  Please Advice if there is any configuration settings required.
  For your reference I am pasting the part of report.
  Medium     F_BKPF_KOA : Accounting Document: Authorization for Account Types     ACTVT : Activity     Create or generate
  Medium     F_BKPF_KOA : Accounting Document: Authorization for Account Types     KOART : Account Type     $KOART
  Medium     F_BKPF_BUK : Accounting Document: Authorization for Company Codes     ACTVT : Activity     Create or generate
  Medium     F_BKPF_BUK : Accounting Document: Authorization for Company Codes     BUKRS : Company Code     $BUKRS
  Thanks,
  Sandeep Bhatia

  Hello Sandeep,
  Doing Org Lvl Analysis is not so simple in RAR.
  Firstly this is only user based.
  For using it you will have to schedule one job in configuration which will update Org Values for users in the database table. I don't remember name of this Utility however it will be something Orguser, just search in Configuration tab.
  As mentioned by you, org lvl are already enabled and make sure there values is $.......,
  Reason being Org Rules will be generated at runtime and then anlysis will be done.
  It will be better you take help of SAP on this. As they have document which will be very helpful to you.
  Regards,
  Surpreet

• Changing Organization level for derived roles

  Dear All,
  Below is my query:
  When there is any requirement to change the organization level of a derived role, we go to the role and change the organization level manually.
  We have derived our roles, based on the units(company codes).
  Now we have a scenario, where we need to add one unit in a particular derivation of all roles.
  Please suggest if there is any way of updating the organization level in mass for a specific derivation.
  Regards,
  Reshma Vijayan.

  Colleen Lee wrote:
  At least with this option you are using the PFCG functionality and not hitting the tables directly
  Hi Reshma, Colleen,
  Some additional warnings about manipulating the downloads:
  The downloadfile is a fixed record length text file, do not mess up the data positions.
  Be aware of case (upper/lower) when manipulating the file.
  Make sure you do a unicode download to preserve special characters in the menu texts.
  There are very, very few checks done on the file contents when uploading again. It will allow you to pollute your AGR* tables in such a way you'll need an ABAP-er or SQL-savvy colleague to clean up the mess. It is very close to manipulating the tables directly.
  I once managed to get entries into AGR_1251 which didn't show up in PFCG and wouldn't even disappear from the tables after I had deleted the roles in question.
  And yes, I still use this method, but I won't advise it to anyone I cannot personally train to be aware of the pitfalls ;-)
  Jurjen

• Missing Master and Derived Roles

  Hello All,
                I have got an odd scenario and I am hoping some of you might have run into the same issue or might point me to the right direction.
  Back ground
  We are on ECC 5.0 and have Master Derived Concept, and then Derived Roles are grouped in Composites
  We recently( Last week ) created some ( say 34 ) Derived roles and some (10) composites using a combinition of the newly created derived and some Old derived roles.
  Transported The derived seperatly and Composites seperately. Transports went successfully into QA and PRD.
  This week we noticed that all of the 34 derived roles are missing in DEV ONLY along with 28 Master of the 34 Child Roles. All the Childs and master still exist in QA and PRD.
  We have tried to look up the change Doc of the missing roles or the profiles or the authorizations of the missing roles and there is no change log under suim. Change Log shows when the role was created but nothing after that. According to Basis transports does not have any unusual log
  Since its a DEV system so no delete transports have come into DEV, therefore delete transport could not be an option.
  I have also uploaded one of the missing master roles from the PRD to DEV and it is succfully established the relation with the childs. I was hoping it might shake up the Change History regarding missing role but it did not, It now shows when the role was created earlier( 2006 ) and This week  agian but no Delete History
  Any Ideas on how to explain this behavior

  Another possible and imaginable human error worth looking into is that at some stage in the past a transport request was created for the master and child roles -- okay.
  Then the child roles were "broken" by changing org. levels and other fields in the authorization maintenance, so the roles themselves were deleted with the intention of creating them again from one of the "template" child-roles --> okay, seems reasonable to have happened.
  Then (here is the problem!) someone released the transport before the new child roles were created. This is interpreted by the system to be a deletion transport of roles.
  Additionally the sequence of the transports might have added additional obscurity to the issue and now, much later on, someone imported the transport into production which deleted the roles.
  <conspiracy_theory>
  The person then deleted the transport request from the queues and archived the change documents in SU83.
  </conspiracy_theory>
  Cheers,
  Julius

• Derived Role generation in BRM

  Hi,
  In BRM while creating a parent role, corresponding derived roles are created and sent for approval.
  Post approval, the roles are generated, in the foreground confirmation message states that Parent + derived roles all are successfully generated.
  In the backend system the derived role's "Authorization" tab is with a status yellow and profile is not generated. However, the derived role has all the relevant values in it and the last changed by / date is appropriate to reflect the changes done.
  Can some one please point to a solution to this? We have raised an OSS for this about a month back and applied suggestions from SAP without any result.
  Version - GRC 10.0 SP10
  Thanks,
  Sammukh

  Hello Andrzej
  Yes, the derived roles are in status complete. After generation of all the roles (parent+derived) the derived roles move to the maintain test cases phase. Here we maintain the test cases and close the methodology. Post this the derived roles' status become complete.
  Yes, we did try re-generating them manually from mass generation from GRC. The result is same. In fact the surprising thing is following:
  1. Derived role is complete and in not generated state.
  2. Mass generated from GRC - still not generated.
  3. Manually generated in backend system - roles are now generated.
  4. Mass generated from GRC again - status that was generated from point 3 before changed to not generated again.
  Looks like the generation from GRC itself is the problem, but we are unable to pin-point the issue.
  Thanks
  Sammukh