Mass gerneration of derived roles

Similar Messages

• Mass generation of Derived Roles

  Hello,
  SUPC helps me in Mass generation of Master Roles. But how do I generate Derived roles in a lot?
  Thanks.

  Hello,
  we also missed this function when we started using derivation of roles. I developed some years ago a program which does this, also possible to start it in background mode. It runs daily (in front of  PFCG_TIME_DEPENDENCY) and adjust derived roles from updated parent roles (which came into the system via transport request).
  Because I developed the program in my working time it's owned by my company, therefore I can not post the source. Just a few hints:
  - parent roles and derived roles: you will find them in table AGR_DEFINE
  - roles imported into the system: with function module TMS_TM_GET_TRLIST you can get yesterday's imported transport requests, you can read the object list with function module TMS_WBO_READ_REQUEST (those with R3TR ACGR have roles in it).
  - build up an internal table of parent roles (consider the derivation level: first process the top level role, then it's derived roles, and then their derived roles and so on).
  - use function module SUPRN_TRANSFER_AUTH_DATA for adjusting the derived roles of a parent role.
  HTH and kind regards
  Jens Hoetger

• ERM: Importing Derived Roles Problem

  Hello All,
  It appears that if I download and mass import 1 derived role at a time, the ERM mass import works perfectly. But, if I download the same successful derived roles and import them together, the ERM mass import does not import all the role details. Instead, it drops the role description and long description.
  This problem occurs if I upload 2 or more derived roles at a time.
  Any ideas?
  System Details: GRC AC SP12, VIRSANH 12, VIRSAHR 10.
  -Dylan

  Hi Dylan -
  We have found a work around for this, but before I list the steps let me not be presumptuous in my explanation as you must have both the parent roles uploaded in ERM in addition to updating the "Primary Org. Level File" with the appropriate data prior to loading the derived roles.
  Upon downloading the derived roles from the backend, 3 files are exported [Bulk File, Info File & Org File] and this is true for all roles that are exported. However, only when derived roles are exported will the Org File be populated with data (i.e. role name).  This makes sense because the only time this Org File is needed is when you import derived roles, all other roles only require the Bulk & Info File.
  Our guess was the way it was supposed to work is that the Org values were supposed to be exported into this file with the role names, however the Org Level & Value fields are blank.  We tried multiple combination of populating this file, but continued to get the same import error.  We eventually figured out a way to update this file to pull in all of the Org level data:
  *NOTE we found the most success with Mass Import files with the following extension: Bulk - .txt, Info - .xls, Org - .xls
  As stated before, the derived role Org file auto-populates the role names that were downloaded. In the 'Derived Orl Level' & 'From Value' fields you need only populate the first value from the 'AGR_1252' table listed in the Bulk file.
  Example:
  In the Bulk file we have a role: ZD:HR_AT_ANALYST and the first value listed for line AGR_1252 is the client number+role name then the Derived Orl Level and Value.  So we populated our Org file to look like this.
  Role Name                                         --->>>    Derived Org Level         --->>>    From Value
  ZD:HR_AT_ANALYST                    --->>>   KORSS                           --->>>   NRPC
  ZD:HR_BN_PAYROLL_DSPLY         --->>>    PERSA                         --->>>      *
  ZD:HR_PY_AT_ANALYST                --->>>   BURKS                         --->>>      NRPC
  If the file is populated this way, somehow it magically picks up the remaining Org Level Data for role when loaded. So the file does not have to actually have all of the values for each role.  I can be tedious to sift through the bulk file for the values, but there are quick ways to do it in excel.
  Hope this helps,

• Mass role import with derived roles out of master roles

  Hi everybody,
  I want to import a mass of roles with derivation (org. values) levels.
  Could you please provide me with the terminology of the org. info file.
  Bulk and role info were created and could successfully imported, but the derivation level (comes up with the
  org info file) never works. There are no derived roles.
  Look of the org file:
  Role Name [ Alphanumeric (100) ] [ Mandatory ]     Derived Org. Level [ Alphanumeric (50) ] [ Mandatory ]     From Value [ Alphanumeric (100) ] [ Mandatory ]     To Value [ Alphanumeric (100) ]
  Z0007_K:FI_AP_CHANGE     Company Code (BUKRS)     CN10     
  Z0008_K:FI_AP_CHANGE     Company Code (BUKRS)     CN20     
  Z0009_K:FI_AP_CHANGE     Company Code (BUKRS)     CN30     
  Z0010_K:FI_AP_CHANGE     Company Code (BUKRS)     CN40     
  Z0011_K:FI_AP_CHANGE     Company Code (BUKRS)     MA10     
  Any ideas ?
  Reg,
  Ulrich

  Hello everybody,
  The right way to import orglevel fields is like that:
  before the org level field, you need to add the "$" sign- like that - $BUKRS
  in every line.
  good luck,
  best regards,
  Haim Brauner

• Mass Role Import  -- 9000 derived roles with 9 org Levels, how to get TXT

  Hello,
  I hava a problem.
  I want to use the (Mass Role Import) Bulk Role Import element in the ERM  (SAP GRC AC 5.3 )for importing SAP roles (I only found that way to import roles from SAP).
  I have 100 primary roles and more or less 9000 derived roles with 9 org Levels.
  Is there a way to get this 9000 derived roles with their 9 org Levels in a TXT file?. Or do I have to do it manually this part to insert it in the "Bulk Role Import ".
  Can someone help me?
  Thank you in advance.
  Pablo Mortera.

  Hi Mike,
  what kind of TA´s are in your role. Is it possible to integrate a "dummy" TA (without conflicting
  your SOD)?
  In my example I have CO TA´s bundled in a role:
  Role:   ZXXXX_O:CO_ORDERMANAGER_CRE - CO Order Manager Pflege
  with
  KO01 Create Internal Order ...
  KO02 Change Order ... 
  KO04 Order Manager ... 
  KOK2 Collective Proc. Internal Orders ... 
  KOK4 Aut. Collect. Proc. Internal Orders
  update this role with TA KO01 and KOKRS will be available for derivation.
  Done this manually without import in ERM.
  Reg,
  Ulrich

• Mass Role Import of derived roles.

  Hi All,
  I am trying to mass import derived roles. I have created the files Bulk Download File, Role Expert Information File and Primary Org Level File.
  All these files are tab delemited text files.
  But when i am uploading, it gives me error on Primary Org Level file format is incorrect.
  Please suggest me on file format of Primary Org Level. We are on Role Expert 5.2.
  Format I am using is
  ROLE NAME<TAB>DERIVED ORG LEVEL<TAB>FROM VALUE<TAB>TO VALUE
  My To Value is blank.
  Thanks in Advance.
  Regards,
  Pravin

  Hi Alpesh,
  I was able to upload all the derived roles. What i found was that, there is a limitation on number of rows for primary org value file. It could be limitation of RE 5.2 SP9.
  Whenever, primary org value file use to exceed 500 rows, it gives format error.
  So, then i restricted the primary org value file within 500 rows & upload went smoothly.
  Now, there is one query.
  Is it possible, that all the roles which are uploaded can be set to phase generated.
  Please suggest.
  Thanks in Advance.
  Regards,
  Pravin

• Changing Organization level for derived roles

  Dear All,
  Below is my query:
  When there is any requirement to change the organization level of a derived role, we go to the role and change the organization level manually.
  We have derived our roles, based on the units(company codes).
  Now we have a scenario, where we need to add one unit in a particular derivation of all roles.
  Please suggest if there is any way of updating the organization level in mass for a specific derivation.
  Regards,
  Reshma Vijayan.

  Colleen Lee wrote:
  At least with this option you are using the PFCG functionality and not hitting the tables directly
  Hi Reshma, Colleen,
  Some additional warnings about manipulating the downloads:
  The downloadfile is a fixed record length text file, do not mess up the data positions.
  Be aware of case (upper/lower) when manipulating the file.
  Make sure you do a unicode download to preserve special characters in the menu texts.
  There are very, very few checks done on the file contents when uploading again. It will allow you to pollute your AGR* tables in such a way you'll need an ABAP-er or SQL-savvy colleague to clean up the mess. It is very close to manipulating the tables directly.
  I once managed to get entries into AGR_1251 which didn't show up in PFCG and wouldn't even disappear from the tables after I had deleted the roles in question.
  And yes, I still use this method, but I won't advise it to anyone I cannot personally train to be aware of the pitfalls ;-)
  Jurjen

• All objects are inactive in derived roles (copied from existing derived role)

  I need to create more than 1000 derived roles, from existing reference roles.
  Reference roles are also derived roles. So I executed LSMW for mass copy.
  Eg: Reference role XYZ with parent role XXX
  New role(ABC) copied from XYZ ,so ABC is having same values as XYZ and master role also.
  Now the issue is after executing the LSMW all roles are copied to new roles, but all objects are inactive in new roles .I am not able to activate the object also.

  Hi Colleen,
  Issue: I have derived roles for plant XX, now I want to derive same set of roles for YY plant. My reference plant is XX, So what am doing is copying the XX roles to New roles (YY) .No change in object or description, just copy role to new role. And I am using LSMW for the same.
  After copy the roles, I will change the description and profile using another script and manually change the org values. But after copy the roles to new roles using script all objects are inactive (In red color),if am selecting the org tab ,I will get message like ,no org levels maintained. Because all objects are inactive .And there are no options (edit) to activate the objects or maintain the fields.
  Thanks,
  Anusha

• Derived Role generation in BRM

  Hi,
  In BRM while creating a parent role, corresponding derived roles are created and sent for approval.
  Post approval, the roles are generated, in the foreground confirmation message states that Parent + derived roles all are successfully generated.
  In the backend system the derived role's "Authorization" tab is with a status yellow and profile is not generated. However, the derived role has all the relevant values in it and the last changed by / date is appropriate to reflect the changes done.
  Can some one please point to a solution to this? We have raised an OSS for this about a month back and applied suggestions from SAP without any result.
  Version - GRC 10.0 SP10
  Thanks,
  Sammukh

  Hello Andrzej
  Yes, the derived roles are in status complete. After generation of all the roles (parent+derived) the derived roles move to the maintain test cases phase. Here we maintain the test cases and close the methodology. Post this the derived roles' status become complete.
  Yes, we did try re-generating them manually from mass generation from GRC. The result is same. In fact the surprising thing is following:
  1. Derived role is complete and in not generated state.
  2. Mass generated from GRC - still not generated.
  3. Manually generated in backend system - roles are now generated.
  4. Mass generated from GRC again - status that was generated from point 3 before changed to not generated again.
  Looks like the generation from GRC itself is the problem, but we are unable to pin-point the issue.
  Thanks
  Sammukh

• GRC BRM: Update Org Levels of derived roles

  Dear GRC experts,
  we are using the GRC BRM Master Derived concept and have around 100 Master roles in place.
  I understand that the Org Levels of derived roles are only once set per Org Value Map during the initial (Mass) Derivation.
  If we add a transation like VA01 to a Master role this also adds some new Org Levels to the Master role. Via "Propagate to Derived roles" the new transaction and object values are added into the Derived roles.
  For the new Org Levels these are added also but the values are not the one from the Org Value Map of the Derived role but exactly the same values of the Master Role.
  Using "Derived Role Org. values Update" does not help us here to update the corresponding Derived roles as no change to the Org Value Map has been done.
  In case a Master role has 40 different Derived roles associated this would require to update manually any of the Derived roles for adjusting the new Org Levels.
  Does anybody know how to automate this task?
  Many thanks for your help!
  Regards,
  Markus

  Hi Markus Richter
  Once you maintain the imparting role and propagate to the derived role, the derived roles will inherit the new org values from the imparting. So that at least has the org values in the derived roles but not the correct values
  Next up is to try to use the Mass Maintain Roles to update the derived roles with correct values from the org map (ensure org maps were updated first) mentioned in post
  Mass Child role Org value update in GRC 10
  Does this work for you as an approach?
  Regards
  Colleen

• Master - Derived roles -- some generated some ungenerated.

  All,
  We know how to solve this issue but we would like to know what causes it and how to prevent it in future development.  Example:  We have roles that have been created from one master role.  There are probably 80-90 derived roles from this one master role all with a small variation of company code and release code.  These roles have been implemented for over a year or more and nothing has been added to the master role to be pushed down.  The only change has been an derived roles added with new company code/release code.  When these roles are created the master roles gets generated and then pushed down through all the derived roles once the specific authorizations are added.  I development is shows that everything is in sync and is all green.  In quality and production it willl show that for each company code release code 01-06 are green, 07-10 are red and 11-15 are green.  Its always the same release codes for each company code that show are ungenerated. 
  This is just one example we have other roles that have been created and at GOLIVE (3 years ago) and the newly created derived roles is green where as certain older ones are not.  We thought it had to do with the generation of new roles but I just created a new company code from the example above and it is the same way.
  Is there a certain procedure that makes this happen, or is there a way to prevent this?  Also, with this in production and not being able to generate these roles in production is it hurting or will it affect anything within the roles transactions if there are authorizations in the role, and a profile assigned to the role for a generated authorization but the authorization stop light shows red will this affect anything?
  Any help or ideas are greatly appreciated.
  Thanks,
  -Daniel

  Daniel,
  we need to analyze from different angles like:
  1.Have u generated roles in DEV system ?? Hope no organisational values are missing in authorizations tab.
  you need to mass generate the profiles! (SUPC)
  2. When creating the transport the person might have forgot to  unchecked to transport the profiles as well.
  3.. some changes were made to the roles after the transport was created.
  Plz Refer to SAP Note 571276 and the following link:
  Re: Changes to Role
  4. If any system upgrades might have change the auth tab to red. (but in your case it with org levels)
  5. These type of mistakes happen if any new person have joined & without proper reading  company documentation, might  have the changed the roles.
  6 Finally, check whether company code & release code exist in QA & PRD.
  Thanks,
  Sri

• CSI Accelerator: Master / Derived roles

  Hi,
  As some of you might be aware, CSI accelerator besides having other typical SOD tool functionalities also helps in role creation as well just like ERM of GRC.
  But using this tool u2018CSIu2019 I have seen diff non-org filed values in the derived roles having been maintained as comapared to the master while creating them thus derived is customized to a gerat extent. So I just want to understand:
  1.     in such cases (where derived has non-org filelds values diff from masters) how does CSI handle the instances when master would be changed and changes need to be pushed to existing derived roles? In that case those non-org in already existing derived roles would again become same as masters.
  2.     Even using ERM one should be able to maintain diff values in the derived at non-org levels so how is the above mentioned push handled in case of ERM? Or itu2019s not handled at all and it simply wipes such discrepancies?
  thanks,
  Gill

  Daniel,
  we need to analyze from different angles like:
  1.Have u generated roles in DEV system ?? Hope no organisational values are missing in authorizations tab.
  you need to mass generate the profiles! (SUPC)
  2. When creating the transport the person might have forgot to  unchecked to transport the profiles as well.
  3.. some changes were made to the roles after the transport was created.
  Plz Refer to SAP Note 571276 and the following link:
  Re: Changes to Role
  4. If any system upgrades might have change the auth tab to red. (but in your case it with org levels)
  5. These type of mistakes happen if any new person have joined & without proper reading  company documentation, might  have the changed the roles.
  6 Finally, check whether company code & release code exist in QA & PRD.
  Thanks,
  Sri

• Issue with Creating CATT Script for Generating Derived Roles

  Hi Experts,
  I am desperately trying to find the solution on how I create a CATT Script to generate derived roles from few 100 master roles.
  I posted a thread on Security (Can I do a 'mass generation' of dervied roles?) .. however, since it turns out to be a SCAT issue, I thought I'll ask someone from this forum too.
  Extract from the other thread is as follows :
  "I cannot get the script to automate the generation of derived roles.
  when Entering parameters for a test case, I can only see the Initial PFCG Screen. Display/Change Authorization screen doesn't seem to get recorded / logged in the test screen.
  I.e : All screens with program SAPLPRGN_TREE is recorded, however all screens with program SAPMSSY0 is not.
  I hope it makes sense.. Any suggestions on how I can automate the generation of derived roles tasks?
  Thanks.
  Dineish

  Hi,
  I have the same problem just now.
  Have you found some solutions about it ?
  thx
  Luigi

• Error while uploading R/3 Derived Role into EP

  Dear all,
  When i was trying to upload the derived role from backend R/3 system. It's giving following error.
  com.sap.portal.pcd.rolemigration.RoleMigrationException: Nested Exception. Failure to execute native function. Nested Exception. ROLE_IS_DERIVED - message at com.sap.portal.pcd.rolemigration.util.Connector.callFunction(HQ1CLNT230,en_US,pradeep,TWPN_GET_ROLE,ROLE_TABLE,{ENABLE_LOGGING= , ROLENAME=ZR:GT_CUSTOMER_001, MENUTEXTS_ONLY_IN_MASTERLANG= }): Check parameters. Nested Exception. ROLE_IS_DERIVED at com.sap.portal.pcd.rolemigration.util.Connector.callFunction(Connector.java:244) at com.sap.portal.pcd.rolemigration.RoleMigrationObject.migrate(RoleMigrationObject.java:1699) at com.sap.portal.pcd.rolemigration.RoleMigrationObject.migrate(RoleMigrationObject.java:769) at com.sap.portal.pcd.rolemigration.RoleMigrationThread.run(RoleMigrationThread.java:488) Original exception: com.sapportals.connector.ConnectorException: Nested Exception. ROLE_IS_DERIVED at com.sapportals.connectors.SAPCFConnector.SAPConnectorException.getNewConnectionException(SAPConnectorException.java:67) at com.sapportals.connectors.SAPCFConnector.execution.functions.SAPCFConnectorInteraction.execute(SAPCFConnectorInteraction.java:318) at com.sapportals.connectors.SAPCFConnector.execution.functions.SAPCFConnectorInteraction.execute(SAPCFConnectorInteraction.java:411) at com.sapportals.connectors.SAPCFConnector.execution.functions.SAPCFConnectorInteraction.execute(SAPCFConnectorInteraction.java:433) at com.sap.portal.pcd.rolemigration.util.Connector.callFunction(Connector.java:403) at com.sap.portal.pcd.rolemigration.util.Connector.callFunction(Connector.java:148) at com.sap.portal.pcd.rolemigration.RoleMigrationObject.migrate(RoleMigrationObject.java:1699) at com.sap.portal.pcd.rolemigration.RoleMigrationObject.migrate(RoleMigrationObject.java:769) at com.sap.portal.pcd.rolemigration.RoleMigrationThread.run(RoleMigrationThread.java:488)
  Kindly Suggeset me
  Rgds
  PRadeep

  Pradeep,
  Kindly explain the process flow of your upload.
  James

• Mass Change for Indirect Role Assignment

  Hi all,
  I am in the process of changing the company’s authorisations from a standard SU01 role assignment to a position based indirect role assignment.
  At the moment I am using PFCG going to the Org Mg button under the User tab then attaching the position that way.  Is there a way of assigning more than one role to a position at the same time?
  Is there a Mass Assignment option in PFCG or is there a separate transaction available to make this process quicker??
  Thanks for your help
  Ian

  you can mass-assign people and roles if you go to transaction PPOME instead of PFCG. to make role assignments from PPOME please apply note 578271 first. be careful whilst implementing this <insert nasty word here> note because some of those view-clusters tend to refuse to load your changes = you can see them, but they don't work - might be you will have to flush table buffers for the changes to take effect.