Master role & Derived role concept

Similar Messages

• Master role-derive role concept and FICO role in dev system!!!

  Hi all,
  I have created a master role with t-codes
  AWUW
  BAPI
  BD10
  BD100
  BD101
  BD102
  BD103
  BD104
  BD105
  BD11
  BD12
  BD13
  BD14
  BD15
  also included object PLOG where maintained org data
  and created a derived role from that master role and generated from the master role.
  After that I wanted to change the org level but the system is not allowing me to change, although I selected the values from the F4 screen.
  Now I want to maintain seperate org value of each of the derived role...and when adjusted from the master role..these maitained value should not vanished.
  How should I proceed???
  I have another issue....I am now in Dev system....I need to create a role with FICO module with SPRO....
  Should I go ahead and cread a role and assign FICO block and assign SPRO...will that be sufficient??
  Thanks in Advance
  Regards,
  Souren

  Yes, It seems that you have broken the org level by directly making changes in the org level field inside pfcg.
  One way to correct this is to regenerate the role in expert mode by selecting the option 'Delete and recreate profile and authorizations' (in case you want to correct it for all the org level fields.).
  If you want only for PLOG, then delete this object and add again. Then go to organization level tab at the top and give the required value. Do this in the master role and generate and push the changes to derived role. Now, goto derived role and make the org level change the same way you did for parent role..
  For your second question, you will have to see what all auth objects are being checked by SPRO for a FICO module assosciate. You can create a test role with SPRO in it and then do authorization trace through ST01 to see what all objects are checked when they work.

• Master role-derive role concept?

  Hi all,
  I have created a master role with t-codes
  AWUW
  BAPI
  BD10
  BD100
  BD101
  BD102
  BD103
  BD104
  BD105
  BD11
  BD12
  BD13
  BD14
  BD15
  also included object PLOG where maintained org data
  and created a derived role from that master role and generated from the master role.
  After that I wanted to change the org level but the system is not allowing me to change, although I selected the values from the F4 screen.
  Now I want to maintain seperate org value of each of the derived role...and when adjusted from the master role..these maitained value should not vanished.
  How should I proceed???
  Thanks in advance
  Regards,
  Souren

  you should refer to the SECURITY forum at Security

• Missing Master and Derived Roles

  Hello All,
                I have got an odd scenario and I am hoping some of you might have run into the same issue or might point me to the right direction.
  Back ground
  We are on ECC 5.0 and have Master Derived Concept, and then Derived Roles are grouped in Composites
  We recently( Last week ) created some ( say 34 ) Derived roles and some (10) composites using a combinition of the newly created derived and some Old derived roles.
  Transported The derived seperatly and Composites seperately. Transports went successfully into QA and PRD.
  This week we noticed that all of the 34 derived roles are missing in DEV ONLY along with 28 Master of the 34 Child Roles. All the Childs and master still exist in QA and PRD.
  We have tried to look up the change Doc of the missing roles or the profiles or the authorizations of the missing roles and there is no change log under suim. Change Log shows when the role was created but nothing after that. According to Basis transports does not have any unusual log
  Since its a DEV system so no delete transports have come into DEV, therefore delete transport could not be an option.
  I have also uploaded one of the missing master roles from the PRD to DEV and it is succfully established the relation with the childs. I was hoping it might shake up the Change History regarding missing role but it did not, It now shows when the role was created earlier( 2006 ) and This week  agian but no Delete History
  Any Ideas on how to explain this behavior

  Another possible and imaginable human error worth looking into is that at some stage in the past a transport request was created for the master and child roles -- okay.
  Then the child roles were "broken" by changing org. levels and other fields in the authorization maintenance, so the roles themselves were deleted with the intention of creating them again from one of the "template" child-roles --> okay, seems reasonable to have happened.
  Then (here is the problem!) someone released the transport before the new child roles were created. This is interpreted by the system to be a deletion transport of roles.
  Additionally the sequence of the transports might have added additional obscurity to the issue and now, much later on, someone imported the transport into production which deleted the roles.
  <conspiracy_theory>
  The person then deleted the transport request from the queues and archived the change documents in SU83.
  </conspiracy_theory>
  Cheers,
  Julius

• Authorization in APO: org level concept (parent role -- derived role) ?

  Hello experts,
  we want to introduce some authorization / roles in APO using the typical R3 concept of having a "parent role" and derive "single roles" from such a parent role and change the "org levels" inside the single role. Testing this with master data objects like C_APO_LOC (location in APO) it seems to me that APO doesn't know about "org levels".
  Whenever I create a parent role (lets say "Z_PAR_ROLE_LOC_MASTER") to access /SAPAPO/LOC3 (Location master data) and create a single role out of it (derive it into Z_SINGLE_ROLE_LOCMASTER_1234") and enter the location ID 1234 ... regenerating and populating a change from the parent role "Z_PAR_ROLE_LOC_MASTER" does immediately wipe out the location ID 1234 maintained before in the single/derived role "Z_SINGLE_ROLE_LOCMASTER_1234".
  My question: is this by design that APO does not know about "org levels" or is there something special I have to consider using PFCG correctly in SCM (I can see the "Org Level" button but it says there are no org levels) ?
  Regards
  Thomas

  I got the solution - the profile generation was missing !

• Master role and derived role concept

  Guys,
  1) How to assign the organizational levels for the derived role?
       Say for example, I have to create the derived roles with respect to the plant code.And after inheriting the tcodes ,authorizations from the master role , I noticed a pop up page with organizational level tabulation and I assigned the respective plant code there and in the same way for all the following derived roles.But the rest of the rows like company code,sales organization,distribution channel etc which are seen in the tabulation are left empty.I noticed that all the fields which are left empty in the org.levels of the derived roles  are been filled up with the vaules of the corresponding master role org.level values when the derived button icon , which is seen under the authorization tab of master role is pressed.So pls let me know the correct procedure to assign.*Do we really need to maintain org.values for master roles?*
  2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
  3) Is master and derived role tested parallely in the QA system or first master role is tested ,followed by the derived role?
  4) According to my understanding we dont assign any user to the master roles, but why do we move it to PRD?
  Greatly appreciate for some body's help.

  >  1) How to assign the organizational levels for the derived role?
  >      Say for example, I have to create the derived roles with respect to the plant code.And after inheriting the tcodes ,authorizations from the master role , I noticed a pop up page with organizational level tabulation and I assigned the respective plant code there and in the same way for all the following derived roles.But the rest of the rows like company code,sales organization,distribution channel etc which are seen in the tabulation are left empty.I noticed that all the fields which are left empty in the org.levels of the derived roles  are been filled up with the vaules of the corresponding master role org.level values when the derived button icon , which is seen under the authorization tab of master role is pressed.So pls let me know the correct procedure to assign.*Do we really need to maintain org.values for master roles?*
  Only if you assign the master roles to users. (and maybe for testing, see 3)
  >
  > 2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
  Nope, but if one of it's derived roles is transported the master is automatically included in the transport. You'll have to make sure all derived roles are transported yourself.
  >
  >  3) Is master and derived role tested parallely in the QA system or first master role is tested ,followed by the derived role?
  Best order is to do all unit testing wit the master, with all org levels at * and create the derived roles only when the master is tested and corrected to satisfaction. In that way the derived roles only have to be tested for organizational shielding.
  >
  >  4) According to my understanding we dont assign any user to the master roles, but why do we move it to PRD?
  See 2, it goes there automatically. No choice.
  Jurjen

• Derived roles are getting overwritten everytime when I update Master Role.

  Hi Experts !
  We have created some Master and Derived roles in the past.  According to the requirement we have made some changes directly in the derived roles like some value of objects, activities, etc.. Now we added one t-code in the master role and generated its profile and generated all derived roles also. But changes made directly in derived roles earlier, revoked from all derived roles.
  Now can anyone tel me how to add t-code in Master and derived roles so that the changes directly made in derived role should not be removed.
  Please help and give your valuable advise.
  Regards,
  Lokesh Bajaj

  Hi Lokesh,
  The main principle of derived roles is that they inherit all object level access from the parent with the exception of organisational levels.
  Using derived roles you cannot achieve your requirement.  If there are any object level differences in the derived roles then you will need to create different master roles or delete the inheritance relationship.  This is a design constraint when using derived roles and if you do use them (some would advise against) then it has to take this functionality into account. 
  You can promote most field values to org levels which will not be overwritten but you need to be very careful that it doesn't cause problems elsewhere (e.g. promoting auth group to an org level).  I respectfully suggest that you do not go down this route without consulting someone who has done it before and can evaluate your solution for it's suitability.
  Cheers

• Importing master role from ECC into portal throws derived role exception

  Hello,
  While uploading master and derived role from backend system into the portal I am getting the following exception.
  com.sap.portal.pcd.rolemigration.RoleMigrationException: Nested Exception. Failure to execute native function. Nested Exception. ROLE_IS_DERIVED
  Does it imply that the derived role is already imported with the import of master role and there is no need to explicitly import the derived role?
  The landscape uses role upload tool of portal for UME.
  Regards
  Pooja

  Hi Pooja,
  There is a limitation with the role upload tool that the derived roles cannot be uploaded.
  The migration is only able to upload roles which have their own menus. Derived R/3 roles does not have menus themselves as they derive them from other roles. The purpose of the migration is to bring the R/3 navigation structures into the portal. Therefore you can only migrate the role from which your role is derived.
  Regards
  Anja

• Parent-derived roles

  Hello,
  I look for to dispay all derived roles of a parent role and export it in a file?
  Can some help me?
  Thanks.

  try table AGR_DEFINE in SE16/16N. This table lists the parent/child (master role/derived role) relationship.
  -Prashant

• ERM 5.3 (SP12) Derived Role Update Problem

  Hello Experts,
  I have a question.
  We have a master role/derived role set up in the back-end system. We are trying to update a master role and its derive roles in ERM via PFGC sync.
  Our problem:
  We can add a transaction to a master role no problem in ERM via PFCG sync (adding a transaction code in the back-end and sync to ERM) However, we are unable to update the transaction for derived roles (nothing happens for derived roles in ERM).
  If I am correct, we don't have to add a transaction to each derived role manually, and we should be able to update derived roles automatically once we update a transaction in a master role.
  Please just note that we successfully imported all the master/derived roles from our back-end system, and we are not try to create a derived role in ERM at this time. All we want right now is to update a master role and its derived roles in ERM via PFCG sync.
  If you can, please advice.
  HM

  Go to the TXT file , cut the last line from the AGR_1252 (rtable and insert it to the top of the lines ( AGR_1252) , and reimport it will work I had the same problem in my previous implementation.
  try for one parent & child role
  This is a known problem with SAP they will rectify it in SP12/SP13 or so

• Master - Derived roles -- some generated some ungenerated.

  All,
  We know how to solve this issue but we would like to know what causes it and how to prevent it in future development.  Example:  We have roles that have been created from one master role.  There are probably 80-90 derived roles from this one master role all with a small variation of company code and release code.  These roles have been implemented for over a year or more and nothing has been added to the master role to be pushed down.  The only change has been an derived roles added with new company code/release code.  When these roles are created the master roles gets generated and then pushed down through all the derived roles once the specific authorizations are added.  I development is shows that everything is in sync and is all green.  In quality and production it willl show that for each company code release code 01-06 are green, 07-10 are red and 11-15 are green.  Its always the same release codes for each company code that show are ungenerated. 
  This is just one example we have other roles that have been created and at GOLIVE (3 years ago) and the newly created derived roles is green where as certain older ones are not.  We thought it had to do with the generation of new roles but I just created a new company code from the example above and it is the same way.
  Is there a certain procedure that makes this happen, or is there a way to prevent this?  Also, with this in production and not being able to generate these roles in production is it hurting or will it affect anything within the roles transactions if there are authorizations in the role, and a profile assigned to the role for a generated authorization but the authorization stop light shows red will this affect anything?
  Any help or ideas are greatly appreciated.
  Thanks,
  -Daniel

  Daniel,
  we need to analyze from different angles like:
  1.Have u generated roles in DEV system ?? Hope no organisational values are missing in authorizations tab.
  you need to mass generate the profiles! (SUPC)
  2. When creating the transport the person might have forgot to  unchecked to transport the profiles as well.
  3.. some changes were made to the roles after the transport was created.
  Plz Refer to SAP Note 571276 and the following link:
  Re: Changes to Role
  4. If any system upgrades might have change the auth tab to red. (but in your case it with org levels)
  5. These type of mistakes happen if any new person have joined & without proper reading  company documentation, might  have the changed the roles.
  6 Finally, check whether company code & release code exist in QA & PRD.
  Thanks,
  Sri

• CSI Accelerator: Master / Derived roles

  Hi,
  As some of you might be aware, CSI accelerator besides having other typical SOD tool functionalities also helps in role creation as well just like ERM of GRC.
  But using this tool u2018CSIu2019 I have seen diff non-org filed values in the derived roles having been maintained as comapared to the master while creating them thus derived is customized to a gerat extent. So I just want to understand:
  1.     in such cases (where derived has non-org filelds values diff from masters) how does CSI handle the instances when master would be changed and changes need to be pushed to existing derived roles? In that case those non-org in already existing derived roles would again become same as masters.
  2.     Even using ERM one should be able to maintain diff values in the derived at non-org levels so how is the above mentioned push handled in case of ERM? Or itu2019s not handled at all and it simply wipes such discrepancies?
  thanks,
  Gill

  Daniel,
  we need to analyze from different angles like:
  1.Have u generated roles in DEV system ?? Hope no organisational values are missing in authorizations tab.
  you need to mass generate the profiles! (SUPC)
  2. When creating the transport the person might have forgot to  unchecked to transport the profiles as well.
  3.. some changes were made to the roles after the transport was created.
  Plz Refer to SAP Note 571276 and the following link:
  Re: Changes to Role
  4. If any system upgrades might have change the auth tab to red. (but in your case it with org levels)
  5. These type of mistakes happen if any new person have joined & without proper reading  company documentation, might  have the changed the roles.
  6 Finally, check whether company code & release code exist in QA & PRD.
  Thanks,
  Sri

• Derived roles linked to Master role

  How do we find the all derived role related to a particular Master role?

  Hi Ajit,
  Since you are new to security, you might want to dig the security tables.
  You can maintain a spreadsheet of all tables relevant to security.
  For starters, in SE16 , dig USR, UST, AGR, USH,USO*
  Hope this helps
  Abhishek

• Mass role import with derived roles out of master roles

  Hi everybody,
  I want to import a mass of roles with derivation (org. values) levels.
  Could you please provide me with the terminology of the org. info file.
  Bulk and role info were created and could successfully imported, but the derivation level (comes up with the
  org info file) never works. There are no derived roles.
  Look of the org file:
  Role Name [ Alphanumeric (100) ] [ Mandatory ]     Derived Org. Level [ Alphanumeric (50) ] [ Mandatory ]     From Value [ Alphanumeric (100) ] [ Mandatory ]     To Value [ Alphanumeric (100) ]
  Z0007_K:FI_AP_CHANGE     Company Code (BUKRS)     CN10     
  Z0008_K:FI_AP_CHANGE     Company Code (BUKRS)     CN20     
  Z0009_K:FI_AP_CHANGE     Company Code (BUKRS)     CN30     
  Z0010_K:FI_AP_CHANGE     Company Code (BUKRS)     CN40     
  Z0011_K:FI_AP_CHANGE     Company Code (BUKRS)     MA10     
  Any ideas ?
  Reg,
  Ulrich

  Hello everybody,
  The right way to import orglevel fields is like that:
  before the org level field, you need to add the "$" sign- like that - $BUKRS
  in every line.
  good luck,
  best regards,
  Haim Brauner

• 'Protecting' your derived roles from being maintained on object level

  I'm redesigning an authorization concept that has been polluted in the past by maintaining object level values in the derived roles instead of the master roles.
  Now I would like to build in a kind of warning or authorization so that future role administrators can adjust master roles on object level, and derive the roles from the master, but are not allowed (or get a warning) to change object level values in the derived roles themselves.
  I'm looking for a warning similar to the warning you get when you are trying to change an organizational level value within the object rather than change the orglevel table.
  I have looked for entries in table PRGN_CUST, but found none.
  Also, the authorization checks for deriving roles [seem to be similar|http://help.sap.com/saphelp_nw04/helpdata/en/2b/84653f1b76b11ae10000000a114084/frameset.htm] to actually maintaining a role, so no distinction can be made here.
  Knowing al this, II think the answer is: 'no, this is not possible' but if you have dealt with the same problem successfully, please let me know.
  Kind regards,
  Lodewijk Borsboom

  Hi Lodewijk,
  There are exit paths in SU01 and PFCG which might (have) help(ed) but SAP removed the documentation on them because as (to my knowledge) as the code was integrated into BAPIs and org. management these exits (like many which have gone before them) caused no end to confusion over time.
  I heard that they would at some ponit be replaced by BADI's but I guess the same problem exists there and I have to date not seem any of them released.
  I have the documentation if you are interested but which release are you on? I suspect that SAP might even remove the exit coding anyway.
  As the other's have stated, I would also go for a detective control. You can always wipe the mistake out again from the master and this will let you know that someone is not sticking to the rules or doesn't understand the concept.
  This is also an advantage when compared to an error message or warning which only they see...
  Cheers,
  Julius