Missing Master and Derived Roles

Hello All,
              I have got an odd scenario and I am hoping some of you might have run into the same issue or might point me to the right direction.
Back ground
We are on ECC 5.0 and have Master Derived Concept, and then Derived Roles are grouped in Composites
We recently( Last week ) created some ( say 34 ) Derived roles and some (10) composites using a combinition of the newly created derived and some Old derived roles.
Transported The derived seperatly and Composites seperately. Transports went successfully into QA and PRD.
This week we noticed that all of the 34 derived roles are missing in DEV ONLY along with 28 Master of the 34 Child Roles. All the Childs and master still exist in QA and PRD.
We have tried to look up the change Doc of the missing roles or the profiles or the authorizations of the missing roles and there is no change log under suim. Change Log shows when the role was created but nothing after that. According to Basis transports does not have any unusual log
Since its a DEV system so no delete transports have come into DEV, therefore delete transport could not be an option.
I have also uploaded one of the missing master roles from the PRD to DEV and it is succfully established the relation with the childs. I was hoping it might shake up the Change History regarding missing role but it did not, It now shows when the role was created earlier( 2006 ) and This week  agian but no Delete History
Any Ideas on how to explain this behavior

Another possible and imaginable human error worth looking into is that at some stage in the past a transport request was created for the master and child roles -- okay.
Then the child roles were "broken" by changing org. levels and other fields in the authorization maintenance, so the roles themselves were deleted with the intention of creating them again from one of the "template" child-roles --> okay, seems reasonable to have happened.
Then (here is the problem!) someone released the transport before the new child roles were created. This is interpreted by the system to be a deletion transport of roles.
Additionally the sequence of the transports might have added additional obscurity to the issue and now, much later on, someone imported the transport into production which deleted the roles.
<conspiracy_theory>
The person then deleted the transport request from the queues and archived the change documents in SU83.
</conspiracy_theory>
Cheers,
Julius

Similar Messages

  • Master role and derived role concept

    Guys,
    1) How to assign the organizational levels for the derived role?
         Say for example, I have to create the derived roles with respect to the plant code.And after inheriting the tcodes ,authorizations from the master role , I noticed a pop up page with organizational level tabulation and I assigned the respective plant code there and in the same way for all the following derived roles.But the rest of the rows like company code,sales organization,distribution channel etc which are seen in the tabulation are left empty.I noticed that all the fields which are left empty in the org.levels of the derived roles  are been filled up with the vaules of the corresponding master role org.level values when the derived button icon , which is seen under the authorization tab of master role is pressed.So pls let me know the correct procedure to assign.*Do we really need to maintain org.values for master roles?*
    2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
    3) Is master and derived role tested parallely in the QA system or first master role is tested ,followed by the derived role?
    4) According to my understanding we dont assign any user to the master roles, but why do we move it to PRD?
    Greatly appreciate for some body's help.

    >  1) How to assign the organizational levels for the derived role?
    >      Say for example, I have to create the derived roles with respect to the plant code.And after inheriting the tcodes ,authorizations from the master role , I noticed a pop up page with organizational level tabulation and I assigned the respective plant code there and in the same way for all the following derived roles.But the rest of the rows like company code,sales organization,distribution channel etc which are seen in the tabulation are left empty.I noticed that all the fields which are left empty in the org.levels of the derived roles  are been filled up with the vaules of the corresponding master role org.level values when the derived button icon , which is seen under the authorization tab of master role is pressed.So pls let me know the correct procedure to assign.*Do we really need to maintain org.values for master roles?*
    Only if you assign the master roles to users. (and maybe for testing, see 3)
    >
    > 2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
    Nope, but if one of it's derived roles is transported the master is automatically included in the transport. You'll have to make sure all derived roles are transported yourself.
    >
    >  3) Is master and derived role tested parallely in the QA system or first master role is tested ,followed by the derived role?
    Best order is to do all unit testing wit the master, with all org levels at * and create the derived roles only when the master is tested and corrected to satisfaction. In that way the derived roles only have to be tested for organizational shielding.
    >
    >  4) According to my understanding we dont assign any user to the master roles, but why do we move it to PRD?
    See 2, it goes there automatically. No choice.
    Jurjen

  • Manually added auth objects and Derived roles

    If there are manually added auth objects in the parent role do they come across to the derived roles?
    Also if you manually added auth objects into a derived role will they be overwritten by the parent role if you auto derive from the parent role?

    yes, any auth objects will come across to derived roles when you click 'generate derived roles'  from your parent role. basically its copying your parent role authorizations to derived roles  except org. level data( if you had maintained them thru 'org. maintainence' button and not adding in individual objects).
    yes. manually added auth objects in your derived roles will be overwritten by the parent role authorizations when you click 'generate derived roles'  from your parent role.
    if you just derived the role menu and din't copy the authorizations(generate derived roles) then there will not be any interlink between the parent and derived roles for authorizations.
    http://help.sap.com/erp2005_ehp_02/helpdata/en/1c/c38028816c11d396bc0000e82de14a/content.htm

  • Maintaining the authorizations for parent role and derived role

    Hi Experts,
    Kindly advice me the Pro and cons of the parent role and derived role.. below is the scenario
    Currently  we have created the 700 role in  our regionally organization and we want to dervie the roles for each country
    1 ) we want to do the Auth field (activity level) settings in parent role and Org levels  in the derived role  .
    2)  But one my collegue says do the default  Auth filed ( activity values) common to every country in the parent role and diff activity one in the derived role .
    please advice me wat will be the best scenario for mantaining the authorizations filed values like (activity level  one)

    I will try to answer both your queries here:
    "my collegue says they are some NON ORG values different from each country ..suggest us to maintain all the default values in Parent role and auth with diff values needs to be maintained in derived role (child role).. "
    The only set of values which should/can be different in a child role (when compared with its parent) will be the org level values. So if this filed is NON_ORG you will not be able to maintain it directly inside the child roles.....this is the basic principle of derived role conceptu2026 that the only item you will directly maintain in a child role are the org levels(which will come as u2018organisational levelsu2019 in the upper tab in the auth data of a role).
    All NON_ORG fields inside a child role is acquired from the parent role. You should never change the values of any such fields (non-org fields) in the child role. these changes will get lost the next time you run the parent child inheritance from u201Cgenerate derived roleu201D function in your parent role.
    Coming to the second question on how to run the program, you just need to enter the technical name of the field you want to convert (tech names like BUKRS, WERKS etc u2026 figure out the name of the concerned field you have in hand)u2026.executeu2026 you will that the field will now onwards appear as an org level value in all roles in the system and not just as a field inside the auth objectsu2026.I would suggest you take one field and try running it in ur dev or  sandbox..see how the field changes in your roles.... the change can always be reverted by using PFCG_ORGFIELD_delete. ... you will understand it better....
    Soumya

  • Derived roles are getting overwritten everytime when I update Master Role.

    Hi Experts !
    We have created some Master and Derived roles in the past.  According to the requirement we have made some changes directly in the derived roles like some value of objects, activities, etc.. Now we added one t-code in the master role and generated its profile and generated all derived roles also. But changes made directly in derived roles earlier, revoked from all derived roles.
    Now can anyone tel me how to add t-code in Master and derived roles so that the changes directly made in derived role should not be removed.
    Please help and give your valuable advise.
    Regards,
    Lokesh Bajaj

    Hi Lokesh,
    The main principle of derived roles is that they inherit all object level access from the parent with the exception of organisational levels.
    Using derived roles you cannot achieve your requirement.  If there are any object level differences in the derived roles then you will need to create different master roles or delete the inheritance relationship.  This is a design constraint when using derived roles and if you do use them (some would advise against) then it has to take this functionality into account. 
    You can promote most field values to org levels which will not be overwritten but you need to be very careful that it doesn't cause problems elsewhere (e.g. promoting auth group to an org level).  I respectfully suggest that you do not go down this route without consulting someone who has done it before and can evaluate your solution for it's suitability.
    Cheers

  • Importing master role from ECC into portal throws derived role exception

    Hello,
    While uploading master and derived role from backend system into the portal I am getting the following exception.
    com.sap.portal.pcd.rolemigration.RoleMigrationException: Nested Exception. Failure to execute native function. Nested Exception. ROLE_IS_DERIVED
    Does it imply that the derived role is already imported with the import of master role and there is no need to explicitly import the derived role?
    The landscape uses role upload tool of portal for UME.
    Regards
    Pooja

    Hi Pooja,
    There is a limitation with the role upload tool that the derived roles cannot be uploaded.
    The migration is only able to upload roles which have their own menus. Derived R/3 roles does not have menus themselves as they derive them from other roles. The purpose of the migration is to bring the R/3 navigation structures into the portal. Therefore you can only migrate the role from which your role is derived.
    Regards
    Anja

  • Master Universe and Derived Universe

    Post Author: AmitP
    CA Forum: WebIntelligence Reporting
    Hi
    I am making changes to the Master Universe because of which the Derived Universe gets in to the read only mode. If I want to work on or edit the master and derived universe simultaneously, whether it is possible to do it?
    If yes what is the way of doing it?

    >  1) How to assign the organizational levels for the derived role?
    >      Say for example, I have to create the derived roles with respect to the plant code.And after inheriting the tcodes ,authorizations from the master role , I noticed a pop up page with organizational level tabulation and I assigned the respective plant code there and in the same way for all the following derived roles.But the rest of the rows like company code,sales organization,distribution channel etc which are seen in the tabulation are left empty.I noticed that all the fields which are left empty in the org.levels of the derived roles  are been filled up with the vaules of the corresponding master role org.level values when the derived button icon , which is seen under the authorization tab of master role is pressed.So pls let me know the correct procedure to assign.*Do we really need to maintain org.values for master roles?*
    Only if you assign the master roles to users. (and maybe for testing, see 3)
    >
    > 2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
    Nope, but if one of it's derived roles is transported the master is automatically included in the transport. You'll have to make sure all derived roles are transported yourself.
    >
    >  3) Is master and derived role tested parallely in the QA system or first master role is tested ,followed by the derived role?
    Best order is to do all unit testing wit the master, with all org levels at * and create the derived roles only when the master is tested and corrected to satisfaction. In that way the derived roles only have to be tested for organizational shielding.
    >
    >  4) According to my understanding we dont assign any user to the master roles, but why do we move it to PRD?
    See 2, it goes there automatically. No choice.
    Jurjen

  • Master role & Derived role concept

    Hi Friends ,
    We have master and drive role concept in our project . ABC_XXXX (Master role )  ABC_1000(Derived role) (1000= company code)
    Now we need to maintain some values in master roles lets say display :03 .  Should we regenrate deived role  as well ?
    If we regenrate derived role  , Do inhertiance relatioship breaks? and we need to maintain company code =1000 value again ?
    Please suggest.
    regards

    Forgot to answer some more questions you had asked. Adding them here:
    Now we need to maintain some values in master roles lets say display :03 . Should we regenrate deived role as well ?
         - use the steps I mentioned in my earlier reply to re-generate derived roles from the Master role.
    If we regenrate derived role , Do inhertiance relatioship breaks?
             - please use the steps I suggested, the inheritance will not break. And this is an advantage of Master-->derived role.thats the meaning of having this concept in SAP.
    and we need to maintain company code =1000 value again ?
    --- No you dont need to. (you can check and see this manually).
    Hope it helps...
    Soumya
    Edited by: Soumya Thomas on May 20, 2010 12:34 PM
    Edited by: Soumya Thomas on May 20, 2010 12:35 PM

  • Mass generation of Derived Roles

    Hello,
    SUPC helps me in Mass generation of Master Roles. But how do I generate Derived roles in a lot?
    Thanks.

    Hello,
    we also missed this function when we started using derivation of roles. I developed some years ago a program which does this, also possible to start it in background mode. It runs daily (in front of  PFCG_TIME_DEPENDENCY) and adjust derived roles from updated parent roles (which came into the system via transport request).
    Because I developed the program in my working time it's owned by my company, therefore I can not post the source. Just a few hints:
    - parent roles and derived roles: you will find them in table AGR_DEFINE
    - roles imported into the system: with function module TMS_TM_GET_TRLIST you can get yesterday's imported transport requests, you can read the object list with function module TMS_WBO_READ_REQUEST (those with R3TR ACGR have roles in it).
    - build up an internal table of parent roles (consider the derivation level: first process the top level role, then it's derived roles, and then their derived roles and so on).
    - use function module SUPRN_TRANSFER_AUTH_DATA for adjusting the derived roles of a parent role.
    HTH and kind regards
    Jens Hoetger

  • Derived Role Z-transaction issue

    Has anyone had a problem with having custom (Z-transactions) transactions in your master role, then when the derived role is generated from this master role, these Z transactions and their authorization objects are missing in the derived role?

    Susan,
    The only way to make sure changes in SU24 is brought into existing roles is to update the role in expert mode with the "merge with new data option".
    Did you try to adjust all the derived roles from the Master role to see if this bring populate custom t-code & auth objects to the derived roles? (Authorization -> Adjust Derived -> Generate Derived roles).
    Have fun.
    Lye

  • Master role-derive role concept and FICO role in dev system!!!

    Hi all,
    I have created a master role with t-codes
    AWUW
    BAPI
    BD10
    BD100
    BD101
    BD102
    BD103
    BD104
    BD105
    BD11
    BD12
    BD13
    BD14
    BD15
    also included object PLOG where maintained org data
    and created a derived role from that master role and generated from the master role.
    After that I wanted to change the org level but the system is not allowing me to change, although I selected the values from the F4 screen.
    Now I want to maintain seperate org value of each of the derived role...and when adjusted from the master role..these maitained value should not vanished.
    How should I proceed???
    I have another issue....I am now in Dev system....I need to create a role with FICO module with SPRO....
    Should I go ahead and cread a role and assign FICO block and assign SPRO...will that be sufficient??
    Thanks in Advance
    Regards,
    Souren

    Yes, It seems that you have broken the org level by directly making changes in the org level field inside pfcg.
    One way to correct this is to regenerate the role in expert mode by selecting the option 'Delete and recreate profile and authorizations' (in case you want to correct it for all the org level fields.).
    If you want only for PLOG, then delete this object and add again. Then go to organization level tab at the top and give the required value. Do this in the master role and generate and push the changes to derived role. Now, goto derived role and make the org level change the same way you did for parent role..
    For your second question, you will have to see what all auth objects are being checked by SPRO for a FICO module assosciate. You can create a test role with SPRO in it and then do authorization trace through ST01 to see what all objects are checked when they work.

  • Master - Derived roles -- some generated some ungenerated.

    All,
    We know how to solve this issue but we would like to know what causes it and how to prevent it in future development.  Example:  We have roles that have been created from one master role.  There are probably 80-90 derived roles from this one master role all with a small variation of company code and release code.  These roles have been implemented for over a year or more and nothing has been added to the master role to be pushed down.  The only change has been an derived roles added with new company code/release code.  When these roles are created the master roles gets generated and then pushed down through all the derived roles once the specific authorizations are added.  I development is shows that everything is in sync and is all green.  In quality and production it willl show that for each company code release code 01-06 are green, 07-10 are red and 11-15 are green.  Its always the same release codes for each company code that show are ungenerated. 
    This is just one example we have other roles that have been created and at GOLIVE (3 years ago) and the newly created derived roles is green where as certain older ones are not.  We thought it had to do with the generation of new roles but I just created a new company code from the example above and it is the same way.
    Is there a certain procedure that makes this happen, or is there a way to prevent this?  Also, with this in production and not being able to generate these roles in production is it hurting or will it affect anything within the roles transactions if there are authorizations in the role, and a profile assigned to the role for a generated authorization but the authorization stop light shows red will this affect anything?
    Any help or ideas are greatly appreciated.
    Thanks,
    -Daniel

    Daniel,
    we need to analyze from different angles like:
    1.Have u generated roles in DEV system ?? Hope no organisational values are missing in authorizations tab.
    you need to mass generate the profiles! (SUPC)
    2. When creating the transport the person might have forgot to  unchecked to transport the profiles as well.
    3.. some changes were made to the roles after the transport was created.
    Plz Refer to SAP Note 571276 and the following link:
    Re: Changes to Role
    4. If any system upgrades might have change the auth tab to red. (but in your case it with org levels)
    5. These type of mistakes happen if any new person have joined & without proper reading  company documentation, might  have the changed the roles.
    6 Finally, check whether company code & release code exist in QA & PRD.
    Thanks,
    Sri

  • CSI Accelerator: Master / Derived roles

    Hi,
    As some of you might be aware, CSI accelerator besides having other typical SOD tool functionalities also helps in role creation as well just like ERM of GRC.
    But using this tool u2018CSIu2019 I have seen diff non-org filed values in the derived roles having been maintained as comapared to the master while creating them thus derived is customized to a gerat extent. So I just want to understand:
    1.     in such cases (where derived has non-org filelds values diff from masters) how does CSI handle the instances when master would be changed and changes need to be pushed to existing derived roles? In that case those non-org in already existing derived roles would again become same as masters.
    2.     Even using ERM one should be able to maintain diff values in the derived at non-org levels so how is the above mentioned push handled in case of ERM? Or itu2019s not handled at all and it simply wipes such discrepancies?
    thanks,
    Gill

    Daniel,
    we need to analyze from different angles like:
    1.Have u generated roles in DEV system ?? Hope no organisational values are missing in authorizations tab.
    you need to mass generate the profiles! (SUPC)
    2. When creating the transport the person might have forgot to  unchecked to transport the profiles as well.
    3.. some changes were made to the roles after the transport was created.
    Plz Refer to SAP Note 571276 and the following link:
    Re: Changes to Role
    4. If any system upgrades might have change the auth tab to red. (but in your case it with org levels)
    5. These type of mistakes happen if any new person have joined & without proper reading  company documentation, might  have the changed the roles.
    6 Finally, check whether company code & release code exist in QA & PRD.
    Thanks,
    Sri

  • DB table for Derived Roles and Parent Roles

    Hi Expart,
    In which DB table the Derived Roles and Parent Roles are store .that is i need to find out the derived role and parent Role .i have completed the Complex and single role by table AGR_AGRS
    But i have to find out the table for Derived Role
    Plz help me to get those table
    Thanks in advance
    Tarak

    It's the same table as for the master role: AGR_DEFINE (field PARENT_AGR is filled for derived roles).
    ~As from Forum

  • Master role-derive role concept?

    Hi all,
    I have created a master role with t-codes
    AWUW
    BAPI
    BD10
    BD100
    BD101
    BD102
    BD103
    BD104
    BD105
    BD11
    BD12
    BD13
    BD14
    BD15
    also included object PLOG where maintained org data
    and created a derived role from that master role and generated from the master role.
    After that I wanted to change the org level but the system is not allowing me to change, although I selected the values from the F4 screen.
    Now I want to maintain seperate org value of each of the derived role...and when adjusted from the master role..these maitained value should not vanished.
    How should I proceed???
    Thanks in advance
    Regards,
    Souren

    you should refer to the SECURITY forum at Security

Maybe you are looking for

  • JDeveloper - ADF Faces projects - calling a jspx from another project

    I have an ADF Faces project which has a jspx file and a backing bean. The jspx file is called 1.jspx and the backing bean is called 1.java. Navigation within the page and outside of the page is controlled by the faces-config.xml. However, I want to b

  • Customer logo in SAP CRM 2007

    I want to add Customer logo to the homepage ... next to the area where the SAP logo is displayed. I dont know how to do this. Could anyone please help me? Prafful

  • Spotlight not indexing iPhoto Keywords - need help

    Spotlight appears to be working for everything else but will not index iPhoto (version 7.0.1) keywords. When I run in Terminal: mdimport -d1 Pictures/ I get the following results. The second line would seem to indicate something not going as it shoul

  • Unable to open page from buttons within firefox IE whereasothers explorers can

    In the firefox opened page when button for opening new sight within the page is clicked there is no effect and the page does not open wheras in inetrnet explorer same page can be opened please advice. For example in fire fox opened page when submitti

  • Premiere, Media Encoder and Flash Cue Points - bug?

    I've been encoding a number of FLV On2 VP6 videos recently and using the new Media Encoder. For this project we need flash cue points (nav and event). I've discovered some weird things in Media Encoder - it's been duplicating cue points (or maybe the