ERM: Importing Derived Roles Problem

Hello All,
It appears that if I download and mass import 1 derived role at a time, the ERM mass import works perfectly. But, if I download the same successful derived roles and import them together, the ERM mass import does not import all the role details. Instead, it drops the role description and long description.
This problem occurs if I upload 2 or more derived roles at a time.
Any ideas?
System Details: GRC AC SP12, VIRSANH 12, VIRSAHR 10.
-Dylan

Hi Dylan -
We have found a workaround for this, but before I list the steps let me not be presumptuous in my explanation as you must have both the parent roles uploaded in ERM in addition to updating the "Primary Org. Level File" with the appropriate data prior to loading the derived roles.
Upon downloading the derived roles from the backend, 3 files are exported [Bulk File, Info File & Org File] and this is true for all roles that are exported. However, only when derived roles are exported will the Org File be populated with data (i.e. role name).  This makes sense because the only time this Org File is needed is when you import derived roles, all other roles only require the Bulk & Info File.
Our guess was the way it was supposed to work is that the Org values were supposed to be exported into this file with the role names, however the Org Level & Value fields are blank.  We tried multiple combinations of populating this file, but continued to get the same import error.  We eventually figured out a way to update this file to pull in all of the Org level data:
*NOTE we found the most success with Mass Import files with the following extension: Bulk - .txt, Info - .xls, Org - .xls
As stated before, the derived role Org file auto-populates the role names that were downloaded. In the 'Derived Org Level' & 'From Value' fields you need only populate the first value from the 'AGR_1252' table listed in the Bulk file.
Example:
In the Bulk file we have a role: ZD:HR_AT_ANALYST and the first value listed for line AGR_1252 is the client number+role name then the Derived Org Level and Value.  So we populated our Org file to look like this.
Role Name                   Derived Org Level    From Value
ZD:HR_AT_ANALYST            KORSS                NRPC
ZD:HR_BN_PAYROLL_DSPLY      PERSA                *
ZD:HR_PY_AT_ANALYST         BURKS                NRPC
If the file is populated this way, somehow it magically picks up the remaining Org Level Data for the role when loaded. So the file does not have to actually have all of the values for each role.  It can be tedious to sift through the bulk file for the values, but there are quick ways to do it in Excel.
Hope this helps,

Similar Messages

  • Mass Role Import of derived roles.

    Hi All,
    I am trying to mass import derived roles. I have created the files Bulk Download File, Role Expert Information File and Primary Org Level File.
    All these files are tab delimited text files.
    But when I am uploading, it gives me an error that the Primary Org Level file format is incorrect.
    Please suggest me on file format of Primary Org Level. We are on Role Expert 5.2.
    Format I am using is
    ROLE NAME<TAB>DERIVED ORG LEVEL<TAB>FROM VALUE<TAB>TO VALUE
    My To Value is blank.
    Thanks in Advance.
    Regards,
    Pravin

    Hi Alpesh,
    I was able to upload all the derived roles. What I found was that there is a limitation on the number of rows for the primary org value file. It could be a limitation of RE 5.2 SP9.
    Whenever the primary org value file exceeded 500 rows, it gave a format error.
    So, then I restricted the primary org value file to within 500 rows & the upload went smoothly.
    Now, there is one query.
    Is it possible, that all the roles which are uploaded can be set to phase generated.
    Please suggest.
    Thanks in Advance.
    Regards,
    Pravin

  • ERM 5.3 (SP12) Derived Role Update Problem

    Hello Experts,
    I have a question.
    We have a master role/derived role set up in the back-end system. We are trying to update a master role and its derived roles in ERM via PFCG sync.
    Our problem:
    We can add a transaction to a master role no problem in ERM via PFCG sync (adding a transaction code in the back-end and sync to ERM). However, we are unable to update the transaction for derived roles (nothing happens for derived roles in ERM).
    If I am correct, we don't have to add a transaction to each derived role manually, and we should be able to update derived roles automatically once we update a transaction in a master role.
    Please just note that we successfully imported all the master/derived roles from our back-end system, and we are not trying to create a derived role in ERM at this time. All we want right now is to update a master role and its derived roles in ERM via PFCG sync.
    If you can, please advise.
    HM

    Go to the TXT file, cut the last line from the AGR_1252 table and insert it at the top of the AGR_1252 lines, then reimport and it will work. I had the same problem in my previous implementation.
    Try it for one parent & child role.
    This is a known problem with SAP; they will rectify it in SP12/SP13 or so.

  • Mass Role Import  -- 9000 derived roles with 9 org Levels, how to get TXT

    Hello,
    I have a problem.
    I want to use the (Mass Role Import) Bulk Role Import element in the ERM (SAP GRC AC 5.3) for importing SAP roles (I only found that way to import roles from SAP).
    I have 100 primary roles and more or less 9000 derived roles with 9 org Levels.
    Is there a way to get these 9000 derived roles with their 9 org Levels in a TXT file? Or do I have to do this part manually to insert it in the "Bulk Role Import"?
    Can someone help me?
    Thank you in advance.
    Pablo Mortera.

    Hi Mike,
    What kind of TA´s are in your role? Is it possible to integrate a "dummy" TA (without conflicting your SOD)?
    In my example I have CO TA´s bundled in a role:
    Role:   ZXXXX_O:CO_ORDERMANAGER_CRE - CO Order Manager Pflege
    with
    KO01 Create Internal Order ...
    KO02 Change Order ... 
    KO04 Order Manager ... 
    KOK2 Collective Proc. Internal Orders ... 
    KOK4 Aut. Collect. Proc. Internal Orders
    update this role with TA KO01 and KOKRS will be available for derivation.
    Done this manually without import in ERM.
    Reg,
    Ulrich

  • Mass role import with derived roles out of master roles

    Hi everybody,
    I want to import a mass of roles with derivation (org. values) levels.
    Could you please provide me with the terminology of the org. info file.
    Bulk and role info were created and could be successfully imported, but the derivation level (which comes with the org info file) never works. There are no derived roles.
    Look of the org file:
    Role Name [ Alphanumeric (100) ] [ Mandatory ]     Derived Org. Level [ Alphanumeric (50) ] [ Mandatory ]     From Value [ Alphanumeric (100) ] [ Mandatory ]     To Value [ Alphanumeric (100) ]
    Z0007_K:FI_AP_CHANGE     Company Code (BUKRS)     CN10     
    Z0008_K:FI_AP_CHANGE     Company Code (BUKRS)     CN20     
    Z0009_K:FI_AP_CHANGE     Company Code (BUKRS)     CN30     
    Z0010_K:FI_AP_CHANGE     Company Code (BUKRS)     CN40     
    Z0011_K:FI_AP_CHANGE     Company Code (BUKRS)     MA10     
    Any ideas ?
    Reg,
    Ulrich

    Hello everybody,
    The right way to import org level fields is like this:
    before the org level field, you need to add the "$" sign, like this: $BUKRS, in every line.
    Good luck,
    best regards,
    Haim Brauner
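
The posts above describe the Primary Org Level file as four tab-separated columns with stated length limits, report a format error once the file passes 500 rows, and advise a "$" prefix on the org level. The Python check below is an added example, not part of any post or of SAP's tooling; the function names, the header-row assumption and the sample rows are constructed for illustration.

```python
import csv
import io

# Layout from the posts: (column, max length, mandatory).
COLUMNS = [("Role Name", 100, True), ("Derived Org Level", 50, True),
           ("From Value", 100, True), ("To Value", 100, False)]
MAX_ROWS = 500  # row limit one poster hit on RE 5.2 SP9 (assumed: data rows only)

# Constructed sample; role names reuse the pattern shown in the thread.
SAMPLE = (
    "ROLE NAME\tDERIVED ORG LEVEL\tFROM VALUE\tTO VALUE\n"
    "Z0007_K:FI_AP_CHANGE\tCompany Code (BUKRS)\tCN10\t\n"
    "Z0008_K:FI_AP_CHANGE\tBUKRS\tCN20\n"
    "Z0009_K:FI_AP_CHANGE\t$BUKRS\t\t\n"
)


def normalize_org_level(raw):
    """Reduce 'Company Code (BUKRS)' or 'BUKRS' to '$BUKRS'."""
    raw = raw.strip()
    if raw.endswith(")") and "(" in raw:
        raw = raw[raw.rindex("(") + 1:-1].strip()
    return raw if raw.startswith("$") else "$" + raw


def check_org_file(text):
    """Return (clean_rows, problems); assumes line 1 is the header row."""
    rows, problems = [], []
    reader = csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for lineno, fields in enumerate(reader, start=1):
        if lineno == 1 or not any(f.strip() for f in fields):
            continue  # header or blank line
        if len(fields) > 4:
            problems.append((lineno, "more than 4 columns"))
            continue
        fields = [f.strip() for f in fields] + [""] * (4 - len(fields))
        if fields[1]:
            fields[1] = normalize_org_level(fields[1])
        ok = True
        for (name, limit, mandatory), value in zip(COLUMNS, fields):
            if mandatory and not value:
                problems.append((lineno, f"{name} is empty"))
                ok = False
            elif len(value) > limit:
                problems.append((lineno, f"{name} exceeds {limit} characters"))
                ok = False
        if ok:
            rows.append(fields)
    return rows, problems


def split_for_import(rows, max_rows=MAX_ROWS):
    """Split into chunks of at most max_rows, keeping each role's rows together."""
    by_role = {}
    for row in rows:
        by_role.setdefault(row[0], []).append(row)
    chunks, current = [], []
    for role, role_rows in by_role.items():
        if len(role_rows) > max_rows:
            raise ValueError(f"{role} alone has more than {max_rows} rows")
        if current and len(current) + len(role_rows) > max_rows:
            chunks.append(current)
            current = []
        current.extend(role_rows)
    if current:
        chunks.append(current)
    return chunks


def render(chunk):
    """Serialise one chunk as a tab-delimited file with the header row."""
    header = "\t".join(name.upper() for name, _, _ in COLUMNS)
    return "\n".join([header] + ["\t".join(r) for r in chunk]) + "\n"


if __name__ == "__main__":
    good, bad = check_org_file(SAMPLE)
    for lineno, reason in bad:
        print(f"line {lineno}: {reason}")
    for i, chunk in enumerate(split_for_import(good), start=1):
        print(f"--- file {i}: {len(chunk)} rows ---")
        print(render(chunk), end="")
```
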

  • Importing master role from ECC into portal throws derived role exception

    Hello,
    While uploading master and derived role from backend system into the portal I am getting the following exception.
    com.sap.portal.pcd.rolemigration.RoleMigrationException: Nested Exception. Failure to execute native function. Nested Exception. ROLE_IS_DERIVED
    Does it imply that the derived role is already imported with the import of master role and there is no need to explicitly import the derived role?
    The landscape uses role upload tool of portal for UME.
    Regards
    Pooja

    Hi Pooja,
    There is a limitation with the role upload tool that the derived roles cannot be uploaded.
    The migration is only able to upload roles which have their own menus. Derived R/3 roles do not have menus themselves as they derive them from other roles. The purpose of the migration is to bring the R/3 navigation structures into the portal. Therefore you can only migrate the role from which your role is derived.
    Regards
    Anja

  • Missing Master and Derived Roles

    Hello All,
    I have got an odd scenario and I am hoping some of you might have run into the same issue or might point me in the right direction.
    Background
    We are on ECC 5.0 and have the Master/Derived concept, and then Derived Roles are grouped in Composites.
    We recently (last week) created some (say 34) Derived roles and some (10) composites using a combination of the newly created derived and some old derived roles.
    We transported the derived roles separately and the composites separately. Transports went successfully into QA and PRD.
    This week we noticed that all of the 34 derived roles are missing in DEV ONLY along with 28 Masters of the 34 Child Roles. All the Children and Masters still exist in QA and PRD.
    We have tried to look up the change documents of the missing roles or the profiles or the authorizations of the missing roles and there is no change log under SUIM. The change log shows when the role was created but nothing after that. According to Basis, the transports do not have any unusual logs.
    Since it's a DEV system, no delete transports have come into DEV, therefore a delete transport could not be an option.
    I have also uploaded one of the missing master roles from PRD to DEV and it successfully established the relation with the children. I was hoping it might shake up the Change History regarding the missing role but it did not. It now shows when the role was created earlier (2006) and this week again, but no Delete History.
    Any ideas on how to explain this behavior?

    Another possible and imaginable human error worth looking into is that at some stage in the past a transport request was created for the master and child roles -- okay.
    Then the child roles were "broken" by changing org. levels and other fields in the authorization maintenance, so the roles themselves were deleted with the intention of creating them again from one of the "template" child-roles --> okay, seems reasonable to have happened.
    Then (here is the problem!) someone released the transport before the new child roles were created. This is interpreted by the system to be a deletion transport of roles.
    Additionally the sequence of the transports might have added additional obscurity to the issue and now, much later on, someone imported the transport into production which deleted the roles.
    <conspiracy_theory>
    The person then deleted the transport request from the queues and archived the change documents in SU83.
    </conspiracy_theory>
    Cheers,
    Julius

  • ERM overwrites backend role without warning.

    We are on version 5.3 - SP13.
    I have uploaded roles to our ERM installation. The upload was performed with the bulk download file collected via the /VIRSA/RE_DNLDROLES - program in backend in combination with the role information file which we have maintained with relevant role attribute data. The Org-level file is not relevant for us since our security concept does not include derived roles.
    When we took the tool into use we discovered that even though the upload was completed successfully there are examples of roles which are created with non-identical content (authorization objects and field values) from the actual backend roles.
    When we started performing changes to those roles, not identical in ERM and backend, via ERM, the system did not give a warning of the inconsistency but just directly overwrote the backend role with the incorrect ERM version of the role. 
    Anyone else with experience with the same error?

    Thanks Raghu and Frank for your replies!
    What I did was:
    1. Yes: I imported roles into ERM.
    I made the assumption that the roles would be created correctly contentwise in ERM since the upload is done from a file which is directly downloaded from the backend system. I probably have some issues in this department as you have both already pinpointed.
    Maybe the lack of including the OrgData file in the upload is the source for the error...?
    Sorry about my stupid question Raghu, but how do I maintain the Org Data file? I see that the data columns are:
    Rolename - Derived Org Level - From value - To value
    Do I really have to maintain this manually when I do not have derived roles....?
    (I see that there is a lot of org level values included in the system already from the initial upload.)
    Do you have any general advice on how I can easily verify that my roles are created with correct content in ERM compared with the backend system?
    2. Yes/No: I agree that if you generate a role from ERM, then you must know what you do and expect the backend role to be overwritten.
    What I did was that I opened PFCG from ERM to make changes to the role.
    I have in earlier test scenarios received a system message at this point in the process asking me if I really want to overwrite the backend role. To my understanding this message is supposed to appear in any case when the ERM role is different from the backend role. Then I have the possibility to cancel the opening of PFCG and synchronize the role from backend to ERM before I continue with actually opening PFCG and performing the role changes.
    I do not know why I get this message sometimes, but not always.....
    Best regards
    Kari

  • Change authorization object in a derived role

    Hi Gurus,
    What happens if someone has added a new authorization object in a derived role?
    He has only changed some derived role, not the parent role; he manually added a new value in the authorization field. The parent role didn't change.
    Note: The field was not an organizational field, it was S_DATASET.
    What do you think about this ?
    Thanks
    Hery-zo

    Do I understand this right??? Do functional teams have access to PFCG to create roles???
    If so, that is your real problem, as that should never have been done that way. You are completely right, functional consultants have no clue about how roles should be built. Advice:
    1 take away the access to PFCG in ALL systems for anybody other than security consultants/administrators.
    2 ask all functional teams to describe the roles; points to be addressed:
       A TRX in every role
       B all wanted restrictions on every TRX (described functionally)
       C orglevels on which restrictions should be built.
       D Test process for every TRX in every role (both positive and negative)
       E check all roles against table USOBT and look for manually added objects,
           if they cannot give a good reason for adding these, REMOVE them.
    3 retest all roles based on point 2D, ask the functional consultants to assist where needed. Adjust roles during testing where needed, but create a good auditable record for every change.
    4 Update USOBT_C (use TRX SU24) for all changes you apply during testing
    5 check your roles for the corrected TRX after this change and update the other roles involved as well.
    6 ONLY allow roles that have followed the above process to go to Production.
    The above steps are the only way to create a secure SAP Production system for you!

  • Derived Role generation in BRM

    Hi,
    In BRM while creating a parent role, corresponding derived roles are created and sent for approval.
    Post approval, the roles are generated, in the foreground confirmation message states that Parent + derived roles all are successfully generated.
    In the backend system the derived role's "Authorization" tab is with a status yellow and profile is not generated. However, the derived role has all the relevant values in it and the last changed by / date is appropriate to reflect the changes done.
    Can someone please point to a solution to this? We have raised an OSS for this about a month back and applied suggestions from SAP without any result.
    Version - GRC 10.0 SP10
    Thanks,
    Sammukh

    Hello Andrzej
    Yes, the derived roles are in status complete. After generation of all the roles (parent+derived) the derived roles move to the maintain test cases phase. Here we maintain the test cases and close the methodology. Post this the derived roles' status become complete.
    Yes, we did try re-generating them manually from mass generation from GRC. The result is same. In fact the surprising thing is following:
    1. Derived role is complete and in not generated state.
    2. Mass generated from GRC - still not generated.
    3. Manually generated in backend system - roles are now generated.
    4. Mass generated from GRC again - status that was generated from point 3 before changed to not generated again.
    Looks like the generation from GRC itself is the problem, but we are unable to pin-point the issue.
    Thanks
    Sammukh

  • Derived roles are getting overwritten every time I update the Master Role.

    Hi Experts !
    We have created some Master and Derived roles in the past.  According to the requirement we have made some changes directly in the derived roles like some value of objects, activities, etc.. Now we added one t-code in the master role and generated its profile and generated all derived roles also. But changes made directly in derived roles earlier, revoked from all derived roles.
    Now can anyone tell me how to add a t-code in Master and derived roles so that the changes directly made in the derived role are not removed?
    Please help and give your valuable advice.
    Regards,
    Lokesh Bajaj

    Hi Lokesh,
    The main principle of derived roles is that they inherit all object level access from the parent with the exception of organisational levels.
    Using derived roles you cannot achieve your requirement.  If there are any object level differences in the derived roles then you will need to create different master roles or delete the inheritance relationship.  This is a design constraint when using derived roles and if you do use them (some would advise against) then it has to take this functionality into account. 
    You can promote most field values to org levels which will not be overwritten but you need to be very careful that it doesn't cause problems elsewhere (e.g. promoting auth group to an org level).  I respectfully suggest that you do not go down this route without consulting someone who has done it before and can evaluate your solution for its suitability.
    Cheers

  • Mass generation of Derived Roles

    Hello,
    SUPC helps me in Mass generation of Master Roles. But how do I generate Derived roles in a lot?
    Thanks.

    Hello,
    We also missed this function when we started using derivation of roles. Some years ago I developed a program which does this; it is also possible to start it in background mode. It runs daily (in front of PFCG_TIME_DEPENDENCY) and adjusts derived roles from updated parent roles (which came into the system via transport request).
    Because I developed the program in my working time it's owned by my company, therefore I cannot post the source. Just a few hints:
    - parent roles and derived roles: you will find them in table AGR_DEFINE
    - roles imported into the system: with function module TMS_TM_GET_TRLIST you can get yesterday's imported transport requests, you can read the object list with function module TMS_WBO_READ_REQUEST (those with R3TR ACGR have roles in it).
    - build up an internal table of parent roles (consider the derivation level: first process the top level role, then its derived roles, and then their derived roles and so on).
    - use function module SUPRN_TRANSFER_AUTH_DATA for adjusting the derived roles of a parent role.
    HTH and kind regards
    Jens Hoetger

  • 'Protecting' your derived roles from being maintained on object level

    I'm redesigning an authorization concept that has been polluted in the past by maintaining object level values in the derived roles instead of the master roles.
    Now I would like to build in a kind of warning or authorization so that future role administrators can adjust master roles on object level, and derive the roles from the master, but are not allowed (or get a warning) to change object level values in the derived roles themselves.
    I'm looking for a warning similar to the warning you get when you are trying to change an organizational level value within the object rather than change the orglevel table.
    I have looked for entries in table PRGN_CUST, but found none.
    Also, the authorization checks for deriving roles seem to be similar (http://help.sap.com/saphelp_nw04/helpdata/en/2b/84653f1b76b11ae10000000a114084/frameset.htm) to actually maintaining a role, so no distinction can be made here.
    Knowing all this, I think the answer is: 'no, this is not possible' but if you have dealt with the same problem successfully, please let me know.
    Kind regards,
    Lodewijk Borsboom

    Hi Lodewijk,
    There are exit paths in SU01 and PFCG which might (have) help(ed) but SAP removed the documentation on them because (to my knowledge), as the code was integrated into BAPIs and org. management, these exits (like many which have gone before them) caused no end to confusion over time.
    I heard that they would at some point be replaced by BADIs but I guess the same problem exists there and I have to date not seen any of them released.
    I have the documentation if you are interested but which release are you on? I suspect that SAP might even remove the exit coding anyway.
    As the others have stated, I would also go for a detective control. You can always wipe the mistake out again from the master and this will let you know that someone is not sticking to the rules or doesn't understand the concept.
    This is also an advantage when compared to an error message or warning which only they see...
    Cheers,
    Julius
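
One way to build the detective control suggested in the reply above, as an added example that is not part of the thread: it compares object-level values of each derived role with its parent and reports differences, leaving organizational-level fields out. It assumes CSV extracts of AGR_DEFINE and AGR_1251 reduced to the columns shown, and that org-level fields carry a `$` variable in LOW; the extracts, the master role name and the function names are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed extract of AGR_DEFINE: role and the parent it is derived from.
AGR_DEFINE_CSV = """AGR_NAME,PARENT_AGR
Z_MASTER:FI_AP_CHANGE,
Z0007_K:FI_AP_CHANGE,Z_MASTER:FI_AP_CHANGE
Z0008_K:FI_AP_CHANGE,Z_MASTER:FI_AP_CHANGE
"""

# Constructed extract of AGR_1251: authorization field values per role.
AGR_1251_CSV = """AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
Z_MASTER:FI_AP_CHANGE,F_BKPF_BUK,ACTVT,02,,
Z_MASTER:FI_AP_CHANGE,F_BKPF_BUK,BUKRS,$BUKRS,,
Z0007_K:FI_AP_CHANGE,F_BKPF_BUK,ACTVT,02,,
Z0007_K:FI_AP_CHANGE,F_BKPF_BUK,BUKRS,$BUKRS,,
Z0008_K:FI_AP_CHANGE,F_BKPF_BUK,ACTVT,02,,
Z0008_K:FI_AP_CHANGE,F_BKPF_BUK,BUKRS,$BUKRS,,
Z0008_K:FI_AP_CHANGE,S_DATASET,ACTVT,34,,
Z0008_K:FI_AP_CHANGE,S_DATASET,FILENAME,*,,
Z0008_K:FI_AP_CHANGE,S_DATASET,PROGRAM,*,,
"""


def load(text):
    """Parse a CSV extract into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def object_level_values(auth_rows):
    """Map role -> set of (OBJECT, FIELD, LOW, HIGH), skipping org-level and deleted rows."""
    values = defaultdict(set)
    for row in auth_rows:
        if row["DELETED"] == "X" or row["LOW"].startswith("$"):
            continue  # org levels legitimately differ between derived roles
        values[row["AGR_NAME"]].add(
            (row["OBJECT"], row["FIELD"], row["LOW"], row["HIGH"]))
    return values


def derived_role_deviations(define_rows, auth_rows):
    """Return {derived_role: {'added': [...], 'missing': [...]}} for roles that differ."""
    values = object_level_values(auth_rows)
    report = {}
    for row in define_rows:
        parent = row["PARENT_AGR"].strip()
        if not parent:
            continue  # not a derived role
        child = row["AGR_NAME"]
        added = sorted(values[child] - values[parent])
        missing = sorted(values[parent] - values[child])
        if added or missing:
            report[child] = {"added": added, "missing": missing}
    return report


if __name__ == "__main__":
    findings = derived_role_deviations(load(AGR_DEFINE_CSV), load(AGR_1251_CSV))
    for role, diff in findings.items():
        for obj, field, low, high in diff["added"]:
            print(f"{role}: not in parent: {obj}/{field} = {low or '(blank)'}")
        for obj, field, low, high in diff["missing"]:
            print(f"{role}: missing from derived: {obj}/{field} = {low or '(blank)'}")
```

The comparison ignores the authorization instance name, so two authorizations for the same object are merged; that is enough to flag a role for review but not to reconstruct it.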

  • Mass generation of derived roles

    Hello,
    I've got two questions concerning mass generation of roles.
    1)
    In a system certain roles are implemented. Sometimes we're getting an update of the parent roles. In the next step we have to derive all child roles manually. This is very costly for a lot of roles.
    I know the point "mass generation" in PFCG, but if we use this with the option "all roles to be compared" the derived roles will not be compared. Even if I do this in the same system (changing the parent role, choosing the mentioned option) the child role will not be updated. Is there a possibility to solve this problem or make the derivation faster without touching each parent role?
    2)
    I want to do the derivation of roles automatically. I read here something about LSMW, Batch-Input or CATT scripts. Can anybody explain me how it exactly works with this automatic derivation of roles?
    Regards,
    Julia

    Thanks for your possibilities to solve the problem.
    I think the first problem with the derivation of roles after update of parent role could be solved with your mentioned report and eCATT.
    But with the second problem I still have trouble. I tried to use eCATT with transaction SECATT in SAP system. This works fine as long the roles have the same organizational levels.
    But I think that there has got to be a script for each role, because the organizational levels differ from role to role. So if you have e.g. 100 parent roles in your system, you have to create 100 scripts (apart from the question of whether it's reasonable to have so many parent roles). It's helpful that the parameters can be stored in a data container, but additionally you have to know which script concerns which roles and you have got to use the right script for the right role.
    Or did I overlook something in eCATT?
    Regards,
    Julia

  • Is transporting two groups of derived roles separately an issue?

    Hi Gurus,
    We have a situation where we need to transport 150+ child roles of the same Parent. As these roles are very bulky in content, we thought of creating two transports having 70+ roles each. While doing so, we released the first transport and when it reached the test system we released another one.
    Final result in test system is all the child roles which were moved in first transport now have authorization tab "red". While one which were transported in second tp are perfect.
    I have tried sending all the roles in 1 transport but due to its huge size it failed and got stuck many times before we deleted it from the buffer. Please let me know the best possible way to move the changes to test environment and later to prod. Increasing tp file size or increasing the ideal run time of the dialog/background work process are the option. But looking for some other alternatives.

    That you have such large derived roles should be suspect in itself. How many org. fields have you promoted and did you transport that change to the field definition through first (just to double-check)?
    How many users are these roles already assigned to? --> The import events for role transports also perform the user compare and "after change" user buffer syncs. This can have performance impacts, if that is the point of failure you are referring to.
    > I have tried sending all the roles in 1 transport but due to its huge size it failed and got stuck many times
    Take a look in ST22 for the short dumps related to this. Give us more info about the bottleneck and perhaps we can help further.
    PS: When doing performance tests, you should not give up after the first try... (memory area management and syncs which the system does - some of them you can do in advance and only need to be done once / respectively the first time).
    Cheers,
    Julius
    Edited by: Julius Bussche on Apr 4, 2010 10:43 AM
