Generation of derived roles when transported

Similar Messages

• Mass generation of Derived Roles

  Hello,
  SUPC helps me in Mass generation of Master Roles. But how do I generate Derived roles in a lot?
  Thanks.

  Hello,
  we also missed this function when we started using derivation of roles. I developed some years ago a program which does this, also possible to start it in background mode. It runs daily (in front of  PFCG_TIME_DEPENDENCY) and adjust derived roles from updated parent roles (which came into the system via transport request).
  Because I developed the program in my working time it's owned by my company, therefore I can not post the source. Just a few hints:
  - parent roles and derived roles: you will find them in table AGR_DEFINE
  - roles imported into the system: with function module TMS_TM_GET_TRLIST you can get yesterday's imported transport requests, you can read the object list with function module TMS_WBO_READ_REQUEST (those with R3TR ACGR have roles in it).
  - build up an internal table of parent roles (consider the derivation level: first process the top level role, then it's derived roles, and then their derived roles and so on).
  - use function module SUPRN_TRANSFER_AUTH_DATA for adjusting the derived roles of a parent role.
  HTH and kind regards
  Jens Hoetger

• Role when transported goes into Ungenerated state in Quality.

  All,
  I have a SCM system - 5.1
  When I build a role, generate it on Development box it gets generated, but when transported to Quality it is in ungenerated state.
  Associated Analysis authorization is also trasnported correct.
  I have checked all the logs,  there are no errors.
  Org. Values match on both the systems.
  One observation  is when the system was upgraded, they did not complete the SU25 steps, is this the one that is causing the issue or not.
  Your advice will be helpful.
  Vidyar.

  I have a big task as the upgrade was done 2 years back and I started with the project now
  How they survived this long?
  This problem is hapening for all the roles you are transporting? Or for few random roles?
  Regards,
  Arpan Paik

• Issue with Creating CATT Script for Generating Derived Roles

  Hi Experts,
  I am desperately trying to find the solution on how I create a CATT Script to generate derived roles from few 100 master roles.
  I posted a thread on Security (Can I do a 'mass generation' of dervied roles?) .. however, since it turns out to be a SCAT issue, I thought I'll ask someone from this forum too.
  Extract from the other thread is as follows :
  "I cannot get the script to automate the generation of derived roles.
  when Entering parameters for a test case, I can only see the Initial PFCG Screen. Display/Change Authorization screen doesn't seem to get recorded / logged in the test screen.
  I.e : All screens with program SAPLPRGN_TREE is recorded, however all screens with program SAPMSSY0 is not.
  I hope it makes sense.. Any suggestions on how I can automate the generation of derived roles tasks?
  Thanks.
  Dineish

  Hi,
  I have the same problem just now.
  Have you found some solutions about it ?
  thx
  Luigi

• Master role and derived role concept

  Guys,
  1) How to assign the organizational levels for the derived role?
       Say for example, I have to create the derived roles with respect to the plant code.And after inheriting the tcodes ,authorizations from the master role , I noticed a pop up page with organizational level tabulation and I assigned the respective plant code there and in the same way for all the following derived roles.But the rest of the rows like company code,sales organization,distribution channel etc which are seen in the tabulation are left empty.I noticed that all the fields which are left empty in the org.levels of the derived roles  are been filled up with the vaules of the corresponding master role org.level values when the derived button icon , which is seen under the authorization tab of master role is pressed.So pls let me know the correct procedure to assign.*Do we really need to maintain org.values for master roles?*
  2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
  3) Is master and derived role tested parallely in the QA system or first master role is tested ,followed by the derived role?
  4) According to my understanding we dont assign any user to the master roles, but why do we move it to PRD?
  Greatly appreciate for some body's help.

  >  1) How to assign the organizational levels for the derived role?
  >      Say for example, I have to create the derived roles with respect to the plant code.And after inheriting the tcodes ,authorizations from the master role , I noticed a pop up page with organizational level tabulation and I assigned the respective plant code there and in the same way for all the following derived roles.But the rest of the rows like company code,sales organization,distribution channel etc which are seen in the tabulation are left empty.I noticed that all the fields which are left empty in the org.levels of the derived roles  are been filled up with the vaules of the corresponding master role org.level values when the derived button icon , which is seen under the authorization tab of master role is pressed.So pls let me know the correct procedure to assign.*Do we really need to maintain org.values for master roles?*
  Only if you assign the master roles to users. (and maybe for testing, see 3)
  >
  > 2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
  Nope, but if one of it's derived roles is transported the master is automatically included in the transport. You'll have to make sure all derived roles are transported yourself.
  >
  >  3) Is master and derived role tested parallely in the QA system or first master role is tested ,followed by the derived role?
  Best order is to do all unit testing wit the master, with all org levels at * and create the derived roles only when the master is tested and corrected to satisfaction. In that way the derived roles only have to be tested for organizational shielding.
  >
  >  4) According to my understanding we dont assign any user to the master roles, but why do we move it to PRD?
  See 2, it goes there automatically. No choice.
  Jurjen

• Missing Master and Derived Roles

  Hello All,
                I have got an odd scenario and I am hoping some of you might have run into the same issue or might point me to the right direction.
  Back ground
  We are on ECC 5.0 and have Master Derived Concept, and then Derived Roles are grouped in Composites
  We recently( Last week ) created some ( say 34 ) Derived roles and some (10) composites using a combinition of the newly created derived and some Old derived roles.
  Transported The derived seperatly and Composites seperately. Transports went successfully into QA and PRD.
  This week we noticed that all of the 34 derived roles are missing in DEV ONLY along with 28 Master of the 34 Child Roles. All the Childs and master still exist in QA and PRD.
  We have tried to look up the change Doc of the missing roles or the profiles or the authorizations of the missing roles and there is no change log under suim. Change Log shows when the role was created but nothing after that. According to Basis transports does not have any unusual log
  Since its a DEV system so no delete transports have come into DEV, therefore delete transport could not be an option.
  I have also uploaded one of the missing master roles from the PRD to DEV and it is succfully established the relation with the childs. I was hoping it might shake up the Change History regarding missing role but it did not, It now shows when the role was created earlier( 2006 ) and This week  agian but no Delete History
  Any Ideas on how to explain this behavior

  Another possible and imaginable human error worth looking into is that at some stage in the past a transport request was created for the master and child roles -- okay.
  Then the child roles were "broken" by changing org. levels and other fields in the authorization maintenance, so the roles themselves were deleted with the intention of creating them again from one of the "template" child-roles --> okay, seems reasonable to have happened.
  Then (here is the problem!) someone released the transport before the new child roles were created. This is interpreted by the system to be a deletion transport of roles.
  Additionally the sequence of the transports might have added additional obscurity to the issue and now, much later on, someone imported the transport into production which deleted the roles.
  <conspiracy_theory>
  The person then deleted the transport request from the queues and archived the change documents in SU83.
  </conspiracy_theory>
  Cheers,
  Julius

• Manually added auth objects and Derived roles

  If there are manually added auth objects in the parent role do they come across to the derived roles?
  Also if you manually added auth objects into a derived role will they be overwritten by the parent role if you auto derive from the parent role?

  yes, any auth objects will come across to derived roles when you click 'generate derived roles'  from your parent role. basically its copying your parent role authorizations to derived roles  except org. level data( if you had maintained them thru 'org. maintainence' button and not adding in individual objects).
  yes. manually added auth objects in your derived roles will be overwritten by the parent role authorizations when you click 'generate derived roles'  from your parent role.
  if you just derived the role menu and din't copy the authorizations(generate derived roles) then there will not be any interlink between the parent and derived roles for authorizations.
  http://help.sap.com/erp2005_ehp_02/helpdata/en/1c/c38028816c11d396bc0000e82de14a/content.htm

• Is transporting two groups of derived roles separately an issue?

  Hi Gurus,
  We have a situation where we need to transport 150+ child roles of same Parent. As these roles are very bulky in content, we though of creating two transports having 70+ roles each. While doing so, we released first transport and when it reached test system we release another one.
  Final result in test system is all the child roles which were moved in first transport now have authorization tab "red". While one which were transported in second tp are perfect.
  I have tried sending all the roles in 1 transport but due to its huge size it failed and got stuck many times before we deleted it from the buffer. Please let me know the best possible way to move the changes to test environment and later to prod. Increasing tp file size or increasing the ideal run time of the dialog/background work process are the option. But looking for some other alternatives.

  That you have such large derived roles should be suspect in itself. How many org. fields have you promoted and did you transport that change to the field definition through first (just to double-check)?
  How many users are these roles already assigned to? --> The import events for role transports also perform the user compare and "after change" user buffer syncs. This can have performance impacts, if that is the ponit of failure you are referring to.
  > I have tried sending all the roles in 1 transport but due to its huge size it failed and got stuck many times
  Take a look in ST22 for the short dumps related to this. Give us more infos about the bottleneck and perhaps we can help further.
  PS: When doing performance tests, you should not give up after the first try... (memory area management and syncs which the system does - some of them you can do in advance and only need to be done once / repsctively the first time).
  Cheers,
  Julius
  Edited by: Julius Bussche on Apr 4, 2010 10:43 AM

• Transporting Individual Child/Derived Roles

  Suppose I have 5 Child/Derived Roles of 1 parent role.
  If I make an Org Level change to 1 of teh Child Roles, do I need to transport all the other child Roles as well?
  My peers say that if I do not transport the remaining child roles there are some side-effects. But they do not know the exact reason.
  Please guide me with teh reason for this.
  Thanks in advance.

  Once you make a change to the Org level content in the specific derived role, it can be transported independently of the other sister derived roles from the same parent.
  When you enter that specific derived role in the transport request, it will automatically bring in the parent role but not the other sister derived roles.
  I have not seen any side effects to this approach and it is SAP recommended.
  Thanks,
  Guru.

• Portal Run time error when created a seperate role for Transport package.

  Hi Experts,
  I have created a seperate role for Transport Package(import/export iviews).
  Normally we have transport package functionality in system admin.
  Below steps i followed for creating the new role(trans admin)
  1.Copied SAP provided system admin role to a seperate folder.
  2.Deleted reamining portal objects(like UWL, portal display etc ..) except transport packege workset.
  3.Renamed the role to trans admin.
  I have assigned that role to my self, it is working fine to me when i clcik on export and import.I have super admin role.
  when i assign this role to some portal users, Export is not working.
  when user clicks on Export role they are getting below error.
  Portal Runtime Error
  An exception occurred while processing a request for :
  iView : N/A
  Component Name : N/A
  Access denied (Object(s): com.sap.portal.system/security/sap.com/NetWeaver.Portal/medium_safety/com.sap.portal.appdesigner.contentcatalog/components/Framework).
  Exception id: 12:10_31/08/09_0031_21763550
  See the details for the exception ID in the log file
  By looking into exception iD also, same error access denied it is showing.
  Please Advice.
  Thanks
  Sony.

  Hi Raghu,
  Thanks for the reply.
  I have given full permissions to all users to this trans admin role before itself.
  Thanks in advance.
  Sony.
  Edited by: ambica sony on Aug 31, 2009 1:53 PM

• Derived Role generation in BRM

  Hi,
  In BRM while creating a parent role, corresponding derived roles are created and sent for approval.
  Post approval, the roles are generated, in the foreground confirmation message states that Parent + derived roles all are successfully generated.
  In the backend system the derived role's "Authorization" tab is with a status yellow and profile is not generated. However, the derived role has all the relevant values in it and the last changed by / date is appropriate to reflect the changes done.
  Can some one please point to a solution to this? We have raised an OSS for this about a month back and applied suggestions from SAP without any result.
  Version - GRC 10.0 SP10
  Thanks,
  Sammukh

  Hello Andrzej
  Yes, the derived roles are in status complete. After generation of all the roles (parent+derived) the derived roles move to the maintain test cases phase. Here we maintain the test cases and close the methodology. Post this the derived roles' status become complete.
  Yes, we did try re-generating them manually from mass generation from GRC. The result is same. In fact the surprising thing is following:
  1. Derived role is complete and in not generated state.
  2. Mass generated from GRC - still not generated.
  3. Manually generated in backend system - roles are now generated.
  4. Mass generated from GRC again - status that was generated from point 3 before changed to not generated again.
  Looks like the generation from GRC itself is the problem, but we are unable to pin-point the issue.
  Thanks
  Sammukh

• Derived roles are getting overwritten everytime when I update Master Role.

  Hi Experts !
  We have created some Master and Derived roles in the past.  According to the requirement we have made some changes directly in the derived roles like some value of objects, activities, etc.. Now we added one t-code in the master role and generated its profile and generated all derived roles also. But changes made directly in derived roles earlier, revoked from all derived roles.
  Now can anyone tel me how to add t-code in Master and derived roles so that the changes directly made in derived role should not be removed.
  Please help and give your valuable advise.
  Regards,
  Lokesh Bajaj

  Hi Lokesh,
  The main principle of derived roles is that they inherit all object level access from the parent with the exception of organisational levels.
  Using derived roles you cannot achieve your requirement.  If there are any object level differences in the derived roles then you will need to create different master roles or delete the inheritance relationship.  This is a design constraint when using derived roles and if you do use them (some would advise against) then it has to take this functionality into account. 
  You can promote most field values to org levels which will not be overwritten but you need to be very careful that it doesn't cause problems elsewhere (e.g. promoting auth group to an org level).  I respectfully suggest that you do not go down this route without consulting someone who has done it before and can evaluate your solution for it's suitability.
  Cheers

• Check status for Derived role generation

  Hello,
  We are trying to place a check to validate and ensure that the child roles are generated using "generate derived role" (CtrlShiftF4) from the parent role. However, i'm not able to find an appropriate function module or table field via which this can be checked.
  Are there any options to check this?
  Thanks in advance
  Vijaya

  Hi,
  You can find the status of the roles whether the profile is generated or not .. with PFCG only.
  PFCG
  -> Utilities (M)
  -> Overview Status (CtrlShiftF11)
  Give the role names (for which you need to know whether they are generated or not)
  Tick/select - Only Display Roles with Errors and Warnings
  -> Execute
  It will display all the role names and profile name and their status green generated, yellow not generated. If you copy all data and paste it in the excel it would be like below...
  ZS_ECC_NPR_AFM_TESTING_GL     @IC\QSingle Role@     11/20/2011     12:47:32     VKUMAR     @5C\QNo menu exists@          @5D\QCurrent version not generated@     ZNPRAFMTES     @5D\QUser master record not completely updated@
  ZS_ECC_NPR_DATABASE_ADMIN_GL     @IC\QSingle Role@     08/02/11     18:02:26     MMAKUCH     @5C\QNo menu exists@          @5B\QAuthorization profile is generated@     ZNPRDTBADM     @5C\QNo users are assigned@
  Hope this helps you.
  Thanks,
  Vinod

• Master - Derived roles -- some generated some ungenerated.

  All,
  We know how to solve this issue but we would like to know what causes it and how to prevent it in future development.  Example:  We have roles that have been created from one master role.  There are probably 80-90 derived roles from this one master role all with a small variation of company code and release code.  These roles have been implemented for over a year or more and nothing has been added to the master role to be pushed down.  The only change has been an derived roles added with new company code/release code.  When these roles are created the master roles gets generated and then pushed down through all the derived roles once the specific authorizations are added.  I development is shows that everything is in sync and is all green.  In quality and production it willl show that for each company code release code 01-06 are green, 07-10 are red and 11-15 are green.  Its always the same release codes for each company code that show are ungenerated. 
  This is just one example we have other roles that have been created and at GOLIVE (3 years ago) and the newly created derived roles is green where as certain older ones are not.  We thought it had to do with the generation of new roles but I just created a new company code from the example above and it is the same way.
  Is there a certain procedure that makes this happen, or is there a way to prevent this?  Also, with this in production and not being able to generate these roles in production is it hurting or will it affect anything within the roles transactions if there are authorizations in the role, and a profile assigned to the role for a generated authorization but the authorization stop light shows red will this affect anything?
  Any help or ideas are greatly appreciated.
  Thanks,
  -Daniel

  Daniel,
  we need to analyze from different angles like:
  1.Have u generated roles in DEV system ?? Hope no organisational values are missing in authorizations tab.
  you need to mass generate the profiles! (SUPC)
  2. When creating the transport the person might have forgot to  unchecked to transport the profiles as well.
  3.. some changes were made to the roles after the transport was created.
  Plz Refer to SAP Note 571276 and the following link:
  Re: Changes to Role
  4. If any system upgrades might have change the auth tab to red. (but in your case it with org levels)
  5. These type of mistakes happen if any new person have joined & without proper reading  company documentation, might  have the changed the roles.
  6 Finally, check whether company code & release code exist in QA & PRD.
  Thanks,
  Sri

• BRM - Derived roles values not passing to backend

  Hello ,
  When we define a derive role with org values in BRM . derived role getting created in backend but it is not passing org values in backend .
  org values are empty in derived roles for backend system
  we have finished su25 activity as well in backend
  we are in sp12 on NW7.31
  Any solution available
  Regards
  Rajendra

  Hi Andrzej,
  Generation and maintain authotization are working fine .
  My issue is, in derivation phase, when I derive a role in BRM,
  the derived role which got created doesn't have org values in backend system.
  So I want to know whether this is bug or Derivation phase in BRM will not pass org values to back end
  Regards
  Rajendra