ERP Mass Role generating from master role.

Hello
In our ERP system we have several master roles and lots of roles derived from those masters. My question is when I add a transaction or even change one authorization object I have to manually generate all of those sub roles.
How can I do "copy from master role" then regenerate and then compare users more easily? Editing hundreds of roles takes lots of time.
I know PFCG has option Mass Compare and Mass Generate but they are not working for those sub roles.
Thanks

Hi,
Please go through help.sap.com or google to search and understand the process of creation/generation of master-derived roles:-)
If you have master-derived roles created in the system, you do not need to generate each individual role. Just go to change mode of the Master role in the Authorization tab and beside the "Generate" button at the top, you also see an icon "Generate derived role" (CTRL+SHIFT+F4 is the shortcut key) which can be used to adjust-derive all derived roles inheriting all characteristics of the master role into the derived roles (except the organizational values in case they are separately maintained in the derived roles).
Thanks
Sandipan
Edited by: Sandipan Choudhury on Mar 18, 2011 2:53 PM

Similar Messages

  • FM to create role derived from other role

    Hi,
    I have to create roles derived from other roles. I need an FM which can create roles derived from other roles. Can anybody help me?
    Thanks in advance.

    Try BAPI_BUPA_ROLE_ADD_2
    Refer: http://abap.wikiprog.com/wiki/BAPI_BUPA_ROLE_ADD_2

  • Org data in Derived role differ from Parent role

    Hi there
    I need some help please. I am in the process of creating various parent / derived roles and have found that when I update the parent role (org data) and I do a generate and a derived role update, the values in the org data are not correctly pulled through to the derived roles.
    e.g.
    In the parent role for Org data "Purchase Org" the previous value was "/" so that it could be specified in the derived roles should they require the split on this field, however the business has decided that they do not require a restriction on this field so I went back to the parent role and changed the value to "*", so I generated the parent role, updated the derived roles, but when I go to any of my derived roles that field value is still blank, it did not pull through the value * .
    We are currently on
    SAP_ABA  701           0005    SAPKA70105
    SAP_BASIS  701        0005     SAPKB70105
    I have created the derived roles with the parent role as the derived from role, it does pull through the values but just does not update it once I do make changes.
    Your help / suggestions would really be appreciated as I need to create MANY roles.
    Regards
    Sonja

    Hi Sonja,
    obviously there is a misunderstanding of how the derivation works....
    > Thanks guys for the feedback, but surely I do not only need to maintain the ORG data in the derived roles individually, if I have got an Org field that should be the same for all the derived roles I must be able to update the Parent role with this value which then upon generate, and generate / activate the derived roles must update the derived roles.
    -->no.
    Only the first time of derivation, if the field content in the derived roles is initial...
    help.sap.com:
    quote
    The organization level data is only copied the first time the authorization data is adjusted for the derived role. If data is maintained for the organizational levels in the derived role, and if you have maintained the organizational levels using the dialog box, the data is not overwritten by another conciliation (See SAP Note 314513).
    unquote
    The whole stuff:  http://help.sap.com/saphelp_nw70ehp2/helpdata/en/1c/c38028816c11d396bc0000e82de14a/frameset.htm
    Otherwise the maintained org. field values would get overwritten by the value of the master role every time. And that is exactly what has to be avoided!
    b.rgds, Bernhard

  • Derived roles linked to Master role

    How do we find all the derived roles related to a particular Master role?

    Hi Ajit,
    Since you are new to security, you might want to dig the security tables.
    You can maintain a spreadsheet of all tables relevant to security.
    For starters, in SE16, dig USR, UST, AGR, USH, USO*
    Hope this helps
    Abhishek
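
For the question in this thread, the master/derived link is stored in table AGR_DEFINE, where field PARENT_AGR of a derived role holds the name of its master role. The following is an added example, not part of the original posts: it assumes AGR_DEFINE has been exported as tab-separated text with the columns AGR_NAME and PARENT_AGR, and all role names in the sample are constructed. It lists the derived roles per master, reports derived roles whose master is missing from the export, and splits the roles into a masters-first order.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: tab-separated export of table AGR_DEFINE, reduced to
# the two columns used here. All role names are made up for illustration.
SAMPLE_EXPORT = """AGR_NAME\tPARENT_AGR
Z_FI_AP_MASTER\t
Z_FI_AP_CN10\tZ_FI_AP_MASTER
Z_FI_AP_CN20\tZ_FI_AP_MASTER
Z_MM_PUR_1000\tZ_MM_PUR_MASTER
Z_BASIS_DISPLAY\t
"""


def load_roles(text):
    """Return {role name: parent role name or ''} from the export text."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    roles = {}
    for row in reader:
        name = (row.get("AGR_NAME") or "").strip().upper()
        if name:
            roles[name] = (row.get("PARENT_AGR") or "").strip().upper()
    return roles


def derived_by_master(roles):
    """Map each master role to the sorted list of roles derived from it."""
    tree = defaultdict(list)
    for role, parent in roles.items():
        if parent:
            tree[parent].append(role)
    return {master: sorted(children) for master, children in tree.items()}


def orphaned_derived(roles):
    """Derived roles that point to a master which is not in the export."""
    return sorted(r for r, p in roles.items() if p and p not in roles)


def import_order(roles):
    """Split roles into (roles without a master, derived roles with a known master).

    Orphaned derived roles are left out; they need their master first.
    """
    first = sorted(r for r, p in roles.items() if not p)
    second = sorted(r for r, p in roles.items() if p and p in roles)
    return first, second


if __name__ == "__main__":
    roles = load_roles(SAMPLE_EXPORT)
    for master, children in sorted(derived_by_master(roles).items()):
        print(master, "->", ", ".join(children))
    print("master missing for:", orphaned_derived(roles))
    print("order:", import_order(roles))
```
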

  • GRC 10 Role Import error(Master role does not exist) in SP12

    Hi,
    We have completed connectors part and ran sync jobs successfully.
    We have given the required inputs in Define Criteria, Select Role Data in Role Import. When we submit this, only a few roles are successfully imported.
    It is giving an error like Master role does not exist (some roles) but it is successful for a few other roles.
    We have tried with the SKIP option in role authorization source as per a note but it is not successful for all the role imports and we are getting the above mentioned error.
    Please check and advise.
    Thanks & Regards,
    Koteswara Rao.

    Hi Koteswara
    Have you confirmed in SAP that your ZM* roles are definitely imparting roles only? When you tried to upload them on the second attempt, did you relaunch the role import screen to ensure any buffering was completely cleared?
    Another thing to try - import the master role and then exit NWBC and run the repository synch job. Go back to NWBC and attempt to import the derived roles to see if error is gone?
    If these don't work for you it may be time to contact SAP. I assume it was the following note you referred to: 1576321 - Import derived role without master role
    Also, this topic was raised in SCN last year (unfortunately the thread was not updated with the solution). Possibly reach out to the thread owner and see if they will log in to SCN and update it: "Role import failed with Master role does not exist in SP13"
    Regards
    Colleen

  • Mass role import with derived roles out of master roles

    Hi everybody,
    I want to import a mass of roles with derivation (org. values) levels.
    Could you please provide me with the terminology of the org. info file.
    Bulk and role info were created and could be successfully imported, but the derivation level (comes up with the org info file) never works. There are no derived roles.
    Look of the org file:
    Role Name [ Alphanumeric (100) ] [ Mandatory ]     Derived Org. Level [ Alphanumeric (50) ] [ Mandatory ]     From Value [ Alphanumeric (100) ] [ Mandatory ]     To Value [ Alphanumeric (100) ]
    Z0007_K:FI_AP_CHANGE     Company Code (BUKRS)     CN10     
    Z0008_K:FI_AP_CHANGE     Company Code (BUKRS)     CN20     
    Z0009_K:FI_AP_CHANGE     Company Code (BUKRS)     CN30     
    Z0010_K:FI_AP_CHANGE     Company Code (BUKRS)     CN40     
    Z0011_K:FI_AP_CHANGE     Company Code (BUKRS)     MA10     
    Any ideas ?
    Reg,
    Ulrich

    Hello everybody,
    The right way to import orglevel fields is like that:
    before the org level field, you need to add the "$" sign- like that - $BUKRS
    in every line.
    good luck,
    best regards,
    Haim Brauner

  • Editable text box on each page, but generated from Master Page?

    I want to create a blank text box that lives on the Master Page so that it shows up on each page in the document, but I then would enter custom text into the field on each page ( or just leave it blank).
    I know, I know, I can simply copy a text box from one page, and paste in place on all subsequent pages... or set it up once on a page, then just keep duplicating that page... or some other workaround. But simple as those workarounds are, I'd just like a blank text box to show up automatically on each page as a master page item, then I can enter text as I see fit and not have to do any duplicating tricks. I've looked up a few tutorials, but none solve for my need.
    So I guess the real question is, does InDesign allow the content of a master page text field to be individually edited on the pages of the document itself?

    It's best to NEVER use the override master page items command since it overrides ALL master items. That's like using a wrecking ball as a flyswatter. And you don't need to put random text in the frame either (especially since you said you don't want to use it on some pages, though it might be best for those if you create another master without the frame). To override any master object hold Cmd (Mac) or Ctrl (Windows) + Shift and click on it with the selection tool.

  • How to set a sub-role invisible from the role

    Hi guys,
    Our roles are as following:
    Role1
      App1
      App2
      SubRole1
        SubApp1
        SubApp2
    We've assigned SubRole1 to Role1, but we don't want it to be shown under Role1. How do we set it?
    Many Thanks and Best Regards,
    Xiaoming Yang

    Hi,
    If you do not need these applications/iViews in the navigation hierarchy, then you do not have to do any fancy tricks.
    If all Role1 users should get subRole1 iViews, then just have one role and make those iViews invisible.
    If you want to be able to assign the iViews in subrole1, just create a second role with no entry point (it does not need to be a subrole) and set the permissions so there is no end user permission, and then assign it to users.
    Hope that helps.
    Daniel

  • Communication idoc not formed from master idocs

    Hi,
    I thoroughly searched all threads and could not find one on this.
    We have an issue where when we run the RBDMIDOC program in the production system only master idocs are formed, and no communication idocs are formed. There is no error message. But in the testing system communication idocs get generated from master idocs. We encounter no error.
    I checked the partner profile and distribution model in testing and production; they were the same.
    My query is that if the program is successfully generating communication idocs in the testing system, why is it not doing so in the production system? Please help me on this.
    Thanks & Regards
    Amit Sharma

    Hi,
    We had the same kind of issue. This happened due to the Distribution channel not being properly created.
    We re-created the Distribution channel again properly, then it worked fine.
    Check the distribution channel config. This will solve the issue.
    Regards,
    Shanumgavel chandrasekaran.

  • Importing master role from ECC into portal throws derived role exception

    Hello,
    While uploading master and derived role from backend system into the portal I am getting the following exception.
    com.sap.portal.pcd.rolemigration.RoleMigrationException: Nested Exception. Failure to execute native function. Nested Exception. ROLE_IS_DERIVED
    Does it imply that the derived role is already imported with the import of master role and there is no need to explicitly import the derived role?
    The landscape uses role upload tool of portal for UME.
    Regards
    Pooja

    Hi Pooja,
    There is a limitation with the role upload tool that the derived roles cannot be uploaded.
    The migration is only able to upload roles which have their own menus. Derived R/3 roles do not have menus themselves as they derive them from other roles. The purpose of the migration is to bring the R/3 navigation structures into the portal. Therefore you can only migrate the role from which your role is derived.
    Regards
    Anja

  • What would be convenient way to backup mass roles details from GRC ?

    Hello SCN folks,
    For a GRC 10.1 environment where in, there are 100k plus roles maintained, what would be an ideal & convenient way to backup the roles details, periodically? Since the volume is high a direct export would result in timeout and huge overhead in the system.
    Following are the generic steps to export one or multiple role details from GRC:
    Access Management work center -> Role Management -> Role maintenance screen -> Choose one or multiple roles as per search parameter, Landscapes -> Click on "Role Details Export" -> Select all attributes to be exported -> Click on "Export"
    Regards,
    Suvonkar

    Hi Colleen,
    To maintain a backup of all the changes made to the Role & profile attributes periodically in the large & dynamic SAP environment. And for backing up new roles & attributes getting added in GRC for provisioning & risk simulation.
    Approver details changes: the backup also acts as a repository for reference for previous approvers.
    Role Name
    Landscape
    Role Type
    Description
    Business Process
    Subprocess
    Project Release
    Role Status
    Critical Level
    Sensitivity
    Profile Name
    Profile Description
    Functional Area
    Company
    Assignment Approver
    Role Content Approver
    Certification Period
    Reaffirm Period
    Etc
    Regards,
    Suvonkar

  • Master role-derive role concept and FICO role in dev system!!!

    Hi all,
    I have created a master role with t-codes
    AWUW
    BAPI
    BD10
    BD100
    BD101
    BD102
    BD103
    BD104
    BD105
    BD11
    BD12
    BD13
    BD14
    BD15
    also included object PLOG where maintained org data
    and created a derived role from that master role and generated from the master role.
    After that I wanted to change the org level but the system is not allowing me to change, although I selected the values from the F4 screen.
    Now I want to maintain a separate org value for each of the derived roles...and when adjusted from the master role..these maintained values should not vanish.
    How should I proceed???
    I have another issue....I am now in the Dev system....I need to create a role with FICO module with SPRO....
    Should I go ahead and create a role and assign the FICO block and assign SPRO...will that be sufficient??
    Thanks in Advance
    Regards,
    Souren

    Yes, it seems that you have broken the org level by directly making changes in the org level field inside PFCG.
    One way to correct this is to regenerate the role in expert mode by selecting the option 'Delete and recreate profile and authorizations' (in case you want to correct it for all the org level fields).
    If you want it only for PLOG, then delete this object and add it again. Then go to the organization level tab at the top and give the required value. Do this in the master role and generate and push the changes to the derived role. Now, go to the derived role and make the org level change the same way you did for the parent role.
    For your second question, you will have to see what auth objects are being checked by SPRO for a FICO module associate. You can create a test role with SPRO in it and then do an authorization trace through ST01 to see what objects are checked when they work.

  • All objects are inactive in derived roles (copied from existing derived role)

    I need to create more than 1000 derived roles, from existing reference roles.
    Reference roles are also derived roles. So I executed LSMW for mass copy.
    Eg: Reference role XYZ with parent role XXX
    New role(ABC) copied from XYZ ,so ABC is having same values as XYZ and master role also.
    Now the issue is that after executing the LSMW all roles are copied to new roles, but all objects are inactive in the new roles. I am not able to activate the objects either.

    Hi Colleen,
    Issue: I have derived roles for plant XX, now I want to derive the same set of roles for plant YY. My reference plant is XX, so what I am doing is copying the XX roles to new roles (YY). No change in object or description, just copy role to new role. And I am using LSMW for the same.
    After copying the roles, I will change the description and profile using another script and manually change the org values. But after copying the roles to new roles using the script all objects are inactive (in red color). If I select the org tab, I get a message like "no org levels maintained", because all objects are inactive. And there are no options (edit) to activate the objects or maintain the fields.
    Thanks,
    Anusha

  • Derived roles are getting overwritten every time when I update Master Role.

    Hi Experts !
    We have created some Master and Derived roles in the past. According to the requirement we have made some changes directly in the derived roles like some values of objects, activities, etc. Now we added one t-code in the master role and generated its profile and generated all derived roles also. But the changes made directly in the derived roles earlier were revoked from all derived roles.
    Now can anyone tell me how to add a t-code in Master and derived roles so that the changes directly made in the derived role are not removed?
    Please help and give your valuable advise.
    Regards,
    Lokesh Bajaj

    Hi Lokesh,
    The main principle of derived roles is that they inherit all object level access from the parent with the exception of organisational levels.
    Using derived roles you cannot achieve your requirement.  If there are any object level differences in the derived roles then you will need to create different master roles or delete the inheritance relationship.  This is a design constraint when using derived roles and if you do use them (some would advise against) then it has to take this functionality into account. 
    You can promote most field values to org levels which will not be overwritten but you need to be very careful that it doesn't cause problems elsewhere (e.g. promoting auth group to an org level). I respectfully suggest that you do not go down this route without consulting someone who has done it before and can evaluate your solution for its suitability.
    Cheers

  • Master role-derive role concept?

    Hi all,
    I have created a master role with t-codes
    AWUW
    BAPI
    BD10
    BD100
    BD101
    BD102
    BD103
    BD104
    BD105
    BD11
    BD12
    BD13
    BD14
    BD15
    also included object PLOG where maintained org data
    and created a derived role from that master role and generated from the master role.
    After that I wanted to change the org level but the system is not allowing me to change, although I selected the values from the F4 screen.
    Now I want to maintain a separate org value for each of the derived roles...and when adjusted from the master role..these maintained values should not vanish.
    How should I proceed???
    Thanks in advance
    Regards,
    Souren

    you should refer to the SECURITY forum at Security
