Master - Derived roles -- some generated some ungenerated.

Similar Messages

• "save derived roles" and "generate derived  roles"

  Can anyone tell the difference between "save derived roles" and "generate derived  roles".

  Hi,
  Save Derived role will save the changes you made to the role(Eg: You might have added a new org value for company code)but this will not be reflect to the users and user masters remain the same unless you generate the role.
  Once the Role is generated user masters and profiles are updated.
  Rakesh

• CSI Accelerator: Master / Derived roles

  Hi,
  As some of you might be aware, CSI accelerator besides having other typical SOD tool functionalities also helps in role creation as well just like ERM of GRC.
  But using this tool u2018CSIu2019 I have seen diff non-org filed values in the derived roles having been maintained as comapared to the master while creating them thus derived is customized to a gerat extent. So I just want to understand:
  1.     in such cases (where derived has non-org filelds values diff from masters) how does CSI handle the instances when master would be changed and changes need to be pushed to existing derived roles? In that case those non-org in already existing derived roles would again become same as masters.
  2.     Even using ERM one should be able to maintain diff values in the derived at non-org levels so how is the above mentioned push handled in case of ERM? Or itu2019s not handled at all and it simply wipes such discrepancies?
  thanks,
  Gill

  Daniel,
  we need to analyze from different angles like:
  1.Have u generated roles in DEV system ?? Hope no organisational values are missing in authorizations tab.
  you need to mass generate the profiles! (SUPC)
  2. When creating the transport the person might have forgot to  unchecked to transport the profiles as well.
  3.. some changes were made to the roles after the transport was created.
  Plz Refer to SAP Note 571276 and the following link:
  Re: Changes to Role
  4. If any system upgrades might have change the auth tab to red. (but in your case it with org levels)
  5. These type of mistakes happen if any new person have joined & without proper reading  company documentation, might  have the changed the roles.
  6 Finally, check whether company code & release code exist in QA & PRD.
  Thanks,
  Sri

• Master role & Derived role concept

  Hi Friends ,
  We have master and drive role concept in our project . ABC_XXXX (Master role )  ABC_1000(Derived role) (1000= company code)
  Now we need to maintain some values in master roles lets say display :03 .  Should we regenrate deived role  as well ?
  If we regenrate derived role  , Do inhertiance relatioship breaks? and we need to maintain company code =1000 value again ?
  Please suggest.
  regards

  Forgot to answer some more questions you had asked. Adding them here:
  Now we need to maintain some values in master roles lets say display :03 . Should we regenrate deived role as well ?
       - use the steps I mentioned in my earlier reply to re-generate derived roles from the Master role.
  If we regenrate derived role , Do inhertiance relatioship breaks?
           - please use the steps I suggested, the inheritance will not break. And this is an advantage of Master-->derived role.thats the meaning of having this concept in SAP.
  and we need to maintain company code =1000 value again ?
  --- No you dont need to. (you can check and see this manually).
  Hope it helps...
  Soumya
  Edited by: Soumya Thomas on May 20, 2010 12:34 PM
  Edited by: Soumya Thomas on May 20, 2010 12:35 PM

• Derived Role Z-transaction issue

  Has anyone had a problem with having custom (Z-transactions) transactions in your master role, then when the derived role is generated from this master role, these Z transactions and their authorization objects are missing in the derived role?

  Susan,
  The only way to make sure changes in SU24 is brought into existing roles is to update the role in expert mode with the "merge with new data option".
  Did you try to adjust all the derived roles from the Master role to see if this bring populate custom t-code & auth objects to the derived roles? (Authorization -> Adjust Derived -> Generate Derived roles).
  Have fun.
  Lye

• ERM 5.3 (SP12) Derived Role Update Problem

  Hello Experts,
  I have a question.
  We have a master role/derived role set up in the back-end system. We are trying to update a master role and its derive roles in ERM via PFGC sync.
  Our problem:
  We can add a transaction to a master role no problem in ERM via PFCG sync (adding a transaction code in the back-end and sync to ERM) However, we are unable to update the transaction for derived roles (nothing happens for derived roles in ERM).
  If I am correct, we don't have to add a transaction to each derived role manually, and we should be able to update derived roles automatically once we update a transaction in a master role.
  Please just note that we successfully imported all the master/derived roles from our back-end system, and we are not try to create a derived role in ERM at this time. All we want right now is to update a master role and its derived roles in ERM via PFCG sync.
  If you can, please advice.
  HM

  Go to the TXT file , cut the last line from the AGR_1252 (rtable and insert it to the top of the lines ( AGR_1252) , and reimport it will work I had the same problem in my previous implementation.
  try for one parent & child role
  This is a known problem with SAP they will rectify it in SP12/SP13 or so

• Derived roles are getting overwritten everytime when I update Master Role.

  Hi Experts !
  We have created some Master and Derived roles in the past.  According to the requirement we have made some changes directly in the derived roles like some value of objects, activities, etc.. Now we added one t-code in the master role and generated its profile and generated all derived roles also. But changes made directly in derived roles earlier, revoked from all derived roles.
  Now can anyone tel me how to add t-code in Master and derived roles so that the changes directly made in derived role should not be removed.
  Please help and give your valuable advise.
  Regards,
  Lokesh Bajaj

  Hi Lokesh,
  The main principle of derived roles is that they inherit all object level access from the parent with the exception of organisational levels.
  Using derived roles you cannot achieve your requirement.  If there are any object level differences in the derived roles then you will need to create different master roles or delete the inheritance relationship.  This is a design constraint when using derived roles and if you do use them (some would advise against) then it has to take this functionality into account. 
  You can promote most field values to org levels which will not be overwritten but you need to be very careful that it doesn't cause problems elsewhere (e.g. promoting auth group to an org level).  I respectfully suggest that you do not go down this route without consulting someone who has done it before and can evaluate your solution for it's suitability.
  Cheers

• Issue with Creating CATT Script for Generating Derived Roles

  Hi Experts,
  I am desperately trying to find the solution on how I create a CATT Script to generate derived roles from few 100 master roles.
  I posted a thread on Security (Can I do a 'mass generation' of dervied roles?) .. however, since it turns out to be a SCAT issue, I thought I'll ask someone from this forum too.
  Extract from the other thread is as follows :
  "I cannot get the script to automate the generation of derived roles.
  when Entering parameters for a test case, I can only see the Initial PFCG Screen. Display/Change Authorization screen doesn't seem to get recorded / logged in the test screen.
  I.e : All screens with program SAPLPRGN_TREE is recorded, however all screens with program SAPMSSY0 is not.
  I hope it makes sense.. Any suggestions on how I can automate the generation of derived roles tasks?
  Thanks.
  Dineish

  Hi,
  I have the same problem just now.
  Have you found some solutions about it ?
  thx
  Luigi

• Master role and derived role concept

  Guys,
  1) How to assign the organizational levels for the derived role?
       Say for example, I have to create the derived roles with respect to the plant code.And after inheriting the tcodes ,authorizations from the master role , I noticed a pop up page with organizational level tabulation and I assigned the respective plant code there and in the same way for all the following derived roles.But the rest of the rows like company code,sales organization,distribution channel etc which are seen in the tabulation are left empty.I noticed that all the fields which are left empty in the org.levels of the derived roles  are been filled up with the vaules of the corresponding master role org.level values when the derived button icon , which is seen under the authorization tab of master role is pressed.So pls let me know the correct procedure to assign.*Do we really need to maintain org.values for master roles?*
  2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
  3) Is master and derived role tested parallely in the QA system or first master role is tested ,followed by the derived role?
  4) According to my understanding we dont assign any user to the master roles, but why do we move it to PRD?
  Greatly appreciate for some body's help.

  >  1) How to assign the organizational levels for the derived role?
  >      Say for example, I have to create the derived roles with respect to the plant code.And after inheriting the tcodes ,authorizations from the master role , I noticed a pop up page with organizational level tabulation and I assigned the respective plant code there and in the same way for all the following derived roles.But the rest of the rows like company code,sales organization,distribution channel etc which are seen in the tabulation are left empty.I noticed that all the fields which are left empty in the org.levels of the derived roles  are been filled up with the vaules of the corresponding master role org.level values when the derived button icon , which is seen under the authorization tab of master role is pressed.So pls let me know the correct procedure to assign.*Do we really need to maintain org.values for master roles?*
  Only if you assign the master roles to users. (and maybe for testing, see 3)
  >
  > 2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
  Nope, but if one of it's derived roles is transported the master is automatically included in the transport. You'll have to make sure all derived roles are transported yourself.
  >
  >  3) Is master and derived role tested parallely in the QA system or first master role is tested ,followed by the derived role?
  Best order is to do all unit testing wit the master, with all org levels at * and create the derived roles only when the master is tested and corrected to satisfaction. In that way the derived roles only have to be tested for organizational shielding.
  >
  >  4) According to my understanding we dont assign any user to the master roles, but why do we move it to PRD?
  See 2, it goes there automatically. No choice.
  Jurjen

• Missing Master and Derived Roles

  Hello All,
                I have got an odd scenario and I am hoping some of you might have run into the same issue or might point me to the right direction.
  Back ground
  We are on ECC 5.0 and have Master Derived Concept, and then Derived Roles are grouped in Composites
  We recently( Last week ) created some ( say 34 ) Derived roles and some (10) composites using a combinition of the newly created derived and some Old derived roles.
  Transported The derived seperatly and Composites seperately. Transports went successfully into QA and PRD.
  This week we noticed that all of the 34 derived roles are missing in DEV ONLY along with 28 Master of the 34 Child Roles. All the Childs and master still exist in QA and PRD.
  We have tried to look up the change Doc of the missing roles or the profiles or the authorizations of the missing roles and there is no change log under suim. Change Log shows when the role was created but nothing after that. According to Basis transports does not have any unusual log
  Since its a DEV system so no delete transports have come into DEV, therefore delete transport could not be an option.
  I have also uploaded one of the missing master roles from the PRD to DEV and it is succfully established the relation with the childs. I was hoping it might shake up the Change History regarding missing role but it did not, It now shows when the role was created earlier( 2006 ) and This week  agian but no Delete History
  Any Ideas on how to explain this behavior

  Another possible and imaginable human error worth looking into is that at some stage in the past a transport request was created for the master and child roles -- okay.
  Then the child roles were "broken" by changing org. levels and other fields in the authorization maintenance, so the roles themselves were deleted with the intention of creating them again from one of the "template" child-roles --> okay, seems reasonable to have happened.
  Then (here is the problem!) someone released the transport before the new child roles were created. This is interpreted by the system to be a deletion transport of roles.
  Additionally the sequence of the transports might have added additional obscurity to the issue and now, much later on, someone imported the transport into production which deleted the roles.
  <conspiracy_theory>
  The person then deleted the transport request from the queues and archived the change documents in SU83.
  </conspiracy_theory>
  Cheers,
  Julius

• Master role-derive role concept and FICO role in dev system!!!

  Hi all,
  I have created a master role with t-codes
  AWUW
  BAPI
  BD10
  BD100
  BD101
  BD102
  BD103
  BD104
  BD105
  BD11
  BD12
  BD13
  BD14
  BD15
  also included object PLOG where maintained org data
  and created a derived role from that master role and generated from the master role.
  After that I wanted to change the org level but the system is not allowing me to change, although I selected the values from the F4 screen.
  Now I want to maintain seperate org value of each of the derived role...and when adjusted from the master role..these maitained value should not vanished.
  How should I proceed???
  I have another issue....I am now in Dev system....I need to create a role with FICO module with SPRO....
  Should I go ahead and cread a role and assign FICO block and assign SPRO...will that be sufficient??
  Thanks in Advance
  Regards,
  Souren

  Yes, It seems that you have broken the org level by directly making changes in the org level field inside pfcg.
  One way to correct this is to regenerate the role in expert mode by selecting the option 'Delete and recreate profile and authorizations' (in case you want to correct it for all the org level fields.).
  If you want only for PLOG, then delete this object and add again. Then go to organization level tab at the top and give the required value. Do this in the master role and generate and push the changes to derived role. Now, goto derived role and make the org level change the same way you did for parent role..
  For your second question, you will have to see what all auth objects are being checked by SPRO for a FICO module assosciate. You can create a test role with SPRO in it and then do authorization trace through ST01 to see what all objects are checked when they work.

• Master role-derive role concept?

  Hi all,
  I have created a master role with t-codes
  AWUW
  BAPI
  BD10
  BD100
  BD101
  BD102
  BD103
  BD104
  BD105
  BD11
  BD12
  BD13
  BD14
  BD15
  also included object PLOG where maintained org data
  and created a derived role from that master role and generated from the master role.
  After that I wanted to change the org level but the system is not allowing me to change, although I selected the values from the F4 screen.
  Now I want to maintain seperate org value of each of the derived role...and when adjusted from the master role..these maitained value should not vanished.
  How should I proceed???
  Thanks in advance
  Regards,
  Souren

  you should refer to the SECURITY forum at Security

• BIP report output in PDF and RTF generating some blank columns or � symbols

  Hi Experts,
  I am new to BIP. I have developed some BIP reports in 10.1.3.4.1 version which are working fine in Dev and UAT environment.
  But it's generating some blank columns and some columns with proper data and some columns with"cellphone" kind of symbol in PDF and " �"
  symbols in RTF in Prod environment.
  In all the environments the version of BIP is same.
  So any help in resolving this issue is appreciated.
  Thanks in advance..
  Regards,
  Suresh.A

  All of the complex report logic is handled in your Oracle Report (rdf) file.
  If your Oracle report is working OK, then this report should be generating XML.
  After running your report, go to the View Requests window. Highlight your request, and click the Diagnostics button. Then click the 'View XML' button. If you see XML data, then you should be OK.
  When I faced a similar issue, it was because the '1 step' process didnt work for the particular report I was using. The '1 step' process doesn't work for every report. Which report are you using?
  If the report is submitted via a form (not the concurrent manager request form), then you probably need to use 2 steps to produce the desired output.
  For more information, see the following thread:
  Enhancment to avoid 2 step check printing
  HTH,
  Mark K

• Importing master role from ECC into portal throws derived role exception

  Hello,
  While uploading master and derived role from backend system into the portal I am getting the following exception.
  com.sap.portal.pcd.rolemigration.RoleMigrationException: Nested Exception. Failure to execute native function. Nested Exception. ROLE_IS_DERIVED
  Does it imply that the derived role is already imported with the import of master role and there is no need to explicitly import the derived role?
  The landscape uses role upload tool of portal for UME.
  Regards
  Pooja

  Hi Pooja,
  There is a limitation with the role upload tool that the derived roles cannot be uploaded.
  The migration is only able to upload roles which have their own menus. Derived R/3 roles does not have menus themselves as they derive them from other roles. The purpose of the migration is to bring the R/3 navigation structures into the portal. Therefore you can only migrate the role from which your role is derived.
  Regards
  Anja

• [svn:osmf:] 10648: Adding first MAST unit tests and added some ASDocs

  Revision: 10648
  Author:   [email protected]
  Date:     2009-09-28 10:28:12 -0700 (Mon, 28 Sep 2009)
  Log Message:
  Adding first MAST unit tests and added some ASDocs
  Modified Paths:
      osmf/trunk/framework/MediaFrameworkFlexTest/.actionScriptProperties
      osmf/trunk/framework/MediaFrameworkFlexTest/org/openvideoplayer/MediaFrameworkTests.as
      osmf/trunk/plugins/MASTPlugin/org/openvideoplayer/mast/adapter/MASTAdapter.as
      osmf/trunk/plugins/MASTPlugin/org/openvideoplayer/mast/loader/MASTDocumentProcessedEvent. as
      osmf/trunk/plugins/MASTPlugin/org/openvideoplayer/mast/loader/MASTDocumentProcessor.as
      osmf/trunk/plugins/MASTPlugin/org/openvideoplayer/mast/loader/MASTLoadedContext.as
      osmf/trunk/plugins/MASTPlugin/org/openvideoplayer/mast/loader/MASTLoader.as
      osmf/trunk/plugins/MASTPlugin/org/openvideoplayer/mast/managers/MASTConditionManager.as
  Added Paths:
      osmf/trunk/framework/MediaFrameworkFlexTest/org/openvideoplayer/mast/
      osmf/trunk/framework/MediaFrameworkFlexTest/org/openvideoplayer/mast/MASTTestConstants.as
      osmf/trunk/framework/MediaFrameworkFlexTest/org/openvideoplayer/mast/loader/
      osmf/trunk/framework/MediaFrameworkFlexTest/org/openvideoplayer/mast/loader/TestMASTLoade r.as
      osmf/trunk/plugins/MASTLib/
      osmf/trunk/plugins/MASTLib/.actionScriptProperties
      osmf/trunk/plugins/MASTLib/.flexLibProperties
      osmf/trunk/plugins/MASTLib/.project
      osmf/trunk/plugins/MASTLib/src/

  These are automated emails from the OSMF forums.  To unsubscribe, go here:
  http://forums.adobe.com/community/opensource/osmf/commits
  -- Brian