Org data in Derived role differ from Parent role

Similar Messages

• GRC BRM: Update Org Levels of derived roles

  Dear GRC experts,
  we are using the GRC BRM Master Derived concept and have around 100 Master roles in place.
  I understand that the Org Levels of derived roles are only once set per Org Value Map during the initial (Mass) Derivation.
  If we add a transation like VA01 to a Master role this also adds some new Org Levels to the Master role. Via "Propagate to Derived roles" the new transaction and object values are added into the Derived roles.
  For the new Org Levels these are added also but the values are not the one from the Org Value Map of the Derived role but exactly the same values of the Master Role.
  Using "Derived Role Org. values Update" does not help us here to update the corresponding Derived roles as no change to the Org Value Map has been done.
  In case a Master role has 40 different Derived roles associated this would require to update manually any of the Derived roles for adjusting the new Org Levels.
  Does anybody know how to automate this task?
  Many thanks for your help!
  Regards,
  Markus

  Hi Markus Richter
  Once you maintain the imparting role and propagate to the derived role, the derived roles will inherit the new org values from the imparting. So that at least has the org values in the derived roles but not the correct values
  Next up is to try to use the Mass Maintain Roles to update the derived roles with correct values from the org map (ensure org maps were updated first) mentioned in post
  Mass Child role Org value update in GRC 10
  Does this work for you as an approach?
  Regards
  Colleen

• Authorization in APO: org level concept (parent role -- derived role) ?

  Hello experts,
  we want to introduce some authorization / roles in APO using the typical R3 concept of having a "parent role" and derive "single roles" from such a parent role and change the "org levels" inside the single role. Testing this with master data objects like C_APO_LOC (location in APO) it seems to me that APO doesn't know about "org levels".
  Whenever I create a parent role (lets say "Z_PAR_ROLE_LOC_MASTER") to access /SAPAPO/LOC3 (Location master data) and create a single role out of it (derive it into Z_SINGLE_ROLE_LOCMASTER_1234") and enter the location ID 1234 ... regenerating and populating a change from the parent role "Z_PAR_ROLE_LOC_MASTER" does immediately wipe out the location ID 1234 maintained before in the single/derived role "Z_SINGLE_ROLE_LOCMASTER_1234".
  My question: is this by design that APO does not know about "org levels" or is there something special I have to consider using PFCG correctly in SCM (I can see the "Org Level" button but it says there are no org levels) ?
  Regards
  Thomas

  I got the solution - the profile generation was missing !

• Maintaining the authorizations for parent role and derived role

  Hi Experts,
  Kindly advice me the Pro and cons of the parent role and derived role.. below is the scenario
  Currently  we have created the 700 role in  our regionally organization and we want to dervie the roles for each country
  1 ) we want to do the Auth field (activity level) settings in parent role and Org levels  in the derived role  .
  2)  But one my collegue says do the default  Auth filed ( activity values) common to every country in the parent role and diff activity one in the derived role .
  please advice me wat will be the best scenario for mantaining the authorizations filed values like (activity level  one)

  I will try to answer both your queries here:
  "my collegue says they are some NON ORG values different from each country ..suggest us to maintain all the default values in Parent role and auth with diff values needs to be maintained in derived role (child role).. "
  The only set of values which should/can be different in a child role (when compared with its parent) will be the org level values. So if this filed is NON_ORG you will not be able to maintain it directly inside the child roles.....this is the basic principle of derived role conceptu2026 that the only item you will directly maintain in a child role are the org levels(which will come as u2018organisational levelsu2019 in the upper tab in the auth data of a role).
  All NON_ORG fields inside a child role is acquired from the parent role. You should never change the values of any such fields (non-org fields) in the child role. these changes will get lost the next time you run the parent child inheritance from u201Cgenerate derived roleu201D function in your parent role.
  Coming to the second question on how to run the program, you just need to enter the technical name of the field you want to convert (tech names like BUKRS, WERKS etc u2026 figure out the name of the concerned field you have in hand)u2026.executeu2026 you will that the field will now onwards appear as an org level value in all roles in the system and not just as a field inside the auth objectsu2026.I would suggest you take one field and try running it in ur dev or  sandbox..see how the field changes in your roles.... the change can always be reverted by using PFCG_ORGFIELD_delete. ... you will understand it better....
  Soumya

• All objects are inactive in derived roles (copied from existing derived role)

  I need to create more than 1000 derived roles, from existing reference roles.
  Reference roles are also derived roles. So I executed LSMW for mass copy.
  Eg: Reference role XYZ with parent role XXX
  New role(ABC) copied from XYZ ,so ABC is having same values as XYZ and master role also.
  Now the issue is after executing the LSMW all roles are copied to new roles, but all objects are inactive in new roles .I am not able to activate the object also.

  Hi Colleen,
  Issue: I have derived roles for plant XX, now I want to derive same set of roles for YY plant. My reference plant is XX, So what am doing is copying the XX roles to New roles (YY) .No change in object or description, just copy role to new role. And I am using LSMW for the same.
  After copy the roles, I will change the description and profile using another script and manually change the org values. But after copy the roles to new roles using script all objects are inactive (In red color),if am selecting the org tab ,I will get message like ,no org levels maintained. Because all objects are inactive .And there are no options (edit) to activate the objects or maintain the fields.
  Thanks,
  Anusha

• 'Protecting' your derived roles from being maintained on object level

  I'm redesigning an authorization concept that has been polluted in the past by maintaining object level values in the derived roles instead of the master roles.
  Now I would like to build in a kind of warning or authorization so that future role administrators can adjust master roles on object level, and derive the roles from the master, but are not allowed (or get a warning) to change object level values in the derived roles themselves.
  I'm looking for a warning similar to the warning you get when you are trying to change an organizational level value within the object rather than change the orglevel table.
  I have looked for entries in table PRGN_CUST, but found none.
  Also, the authorization checks for deriving roles [seem to be similar|http://help.sap.com/saphelp_nw04/helpdata/en/2b/84653f1b76b11ae10000000a114084/frameset.htm] to actually maintaining a role, so no distinction can be made here.
  Knowing al this, II think the answer is: 'no, this is not possible' but if you have dealt with the same problem successfully, please let me know.
  Kind regards,
  Lodewijk Borsboom

  Hi Lodewijk,
  There are exit paths in SU01 and PFCG which might (have) help(ed) but SAP removed the documentation on them because as (to my knowledge) as the code was integrated into BAPIs and org. management these exits (like many which have gone before them) caused no end to confusion over time.
  I heard that they would at some ponit be replaced by BADI's but I guess the same problem exists there and I have to date not seem any of them released.
  I have the documentation if you are interested but which release are you on? I suspect that SAP might even remove the exit coding anyway.
  As the other's have stated, I would also go for a detective control. You can always wipe the mistake out again from the master and this will let you know that someone is not sticking to the rules or doesn't understand the concept.
  This is also an advantage when compared to an error message or warning which only they see...
  Cheers,
  Julius

• Question on org level values in derived roles

  I have a set of derived roles for a retail org.
  They have set the org level for the WERKS object to the store number i.e. 0012. in the  M_MSEG_LGO, M_MSEG_WMB,   and M_MSEG_WWE but set it to "" in the  M_MRES_WWA and M_MSEG_WWA. Needless to stay the "" is overiding the site restriction.
  My question is, how can they allow store to store transfers and goods issues for other sites but only do POs and goods receipts for their default store?
  If the transactions in the role are using the same object, it doesn't seem like it can be done but I am told it can! I can't figure it out. Can anyone assist?
  Thanks

  If you are talking about  straight authorization object ( then your design cannot go with derived role concept )
  If your controls are only through the organizational object  only then derived role design will help
  If its a mix of both standard object + organizational level object derived role will not help you.
  Please note
  the WERKS is the organization level  in your case the plan value is 0012
  do not set the values in parent role and also do not populate this value were its "$werks"
  what is TCODE you are using ?
  Edited by: Franklin Jayasim on Jul 21, 2010 11:45 PM

• Transferring ORg Data From ECC to CRM

  Hi,
  An ORg structure was maintianed manually in our CRM system. Without deleting the strucutre we tried to generate the ORg strucutre from ECC using the program CRMC_R3_ORG_GENERATE .
  Now it created problems and our products and business partners are not picking up the Sales Org Data.
  When we tried to regenerate the org using CRMC_R3_ORG_GENERATE a dump error is observed.
  We tried deleting the org strucutre using report rhrhdl00 but it didnt worked.
  Can you guys help us in bringing the Sales Org Data from the ECC

  Hello Vijay,
  you can delete the complete org structure in order to copy it again
  from the R/3. For that please use report RHRHDL00 to completely
  delete all org units.
  Enter "O" for object type and the number of your root org unit as ID.
  Enter "ORGEH" as evaluation path and execute the program (you can first
  check what will happen by leaving the "test" flag set). Kindly refer
  to the documentation attached to this report in trx. SE38. You should
  repeat this for all other root org units.
  Unfortunately this report does not delete the corresponding Business
  partners created in role Organisational unit, but they can be deleted
  by means of trx. BUPA_DEL.
  With report RHCHECKRELATIONS you might delete evetualy remained
  relations for these objects.
  Before reprocess report  CRMC_R3_ORG_GENERATE you need to
  refresh the buffer(before note 696229, generated records were
  considered as already saved in PPOMA_CRM).
  For example this report could be :
  REPORT  CRM_ORGMAN_R3_ORGDATA_DEL_GEN.
  DATA: lv_answer TYPE char1.
  START-OF-SELECTION.
  popup to confirm
    CALL FUNCTION 'POPUP_TO_CONFIRM_STEP'
      EXPORTING
        defaultoption = 'N'
        titel         = text-001
        textline1     = text-002
      IMPORTING
        answer        = lv_answer.
    IF lv_answer = 'J'.
  refresh buffer
      DELETE FROM DATABASE indx(st) ID 'KEY'.
    ENDIF.
  Execute this report and then CRM org data could be created via
  trnasaction CRMC_R3_ORG_GENERATE
  Regards, Gerhard

• DB table for Derived Roles and Parent Roles

  Hi Expart,
  In which DB table the Derived Roles and Parent Roles are store .that is i need to find out the derived role and parent Role .i have completed the Complex and single role by table AGR_AGRS
  But i have to find out the table for Derived Role
  Plz help me to get those table
  Thanks in advance
  Tarak

  It's the same table as for the master role: AGR_DEFINE (field PARENT_AGR is filled for derived roles).
  ~As from Forum

• Mass Role Import  -- 9000 derived roles with 9 org Levels, how to get TXT

  Hello,
  I hava a problem.
  I want to use the (Mass Role Import) Bulk Role Import element in the ERM  (SAP GRC AC 5.3 )for importing SAP roles (I only found that way to import roles from SAP).
  I have 100 primary roles and more or less 9000 derived roles with 9 org Levels.
  Is there a way to get this 9000 derived roles with their 9 org Levels in a TXT file?. Or do I have to do it manually this part to insert it in the "Bulk Role Import ".
  Can someone help me?
  Thank you in advance.
  Pablo Mortera.

  Hi Mike,
  what kind of TA´s are in your role. Is it possible to integrate a "dummy" TA (without conflicting
  your SOD)?
  In my example I have CO TA´s bundled in a role:
  Role:   ZXXXX_O:CO_ORDERMANAGER_CRE - CO Order Manager Pflege
  with
  KO01 Create Internal Order ...
  KO02 Change Order ... 
  KO04 Order Manager ... 
  KOK2 Collective Proc. Internal Orders ... 
  KOK4 Aut. Collect. Proc. Internal Orders
  update this role with TA KO01 and KOKRS will be available for derivation.
  Done this manually without import in ERM.
  Reg,
  Ulrich

• Data Element Sales Org in CRM and ECC differ in length...

  Hi Experts,
  The standard data element for Sales Org in ECC and CRM differ in Length.
  Similarly the Purchasing Org.
  I need to export the Sales Org from CRM to ECC. But there is an error due to the length mismatch.
  Why is there this difference? How can my requirement be met ?
  Any ideas/pointers would be of great help.
  Points Assured.
  Thanks in Advance.
  Arun.

  use offset like vbeln+0(5).

• How to derive Budget Period from Delivery date in PR/PO

  Hello Gurus,
  I have activated the Budget Period functionality in FM (BCS). I am deriving the budget period from Posting date but in case of PR/PO I want to derive it from Delivery date instead of Document/Posting Date.I know it is not possible while standard derivation. Could any one help me with some suggestion like if I can use some exit/BaDI in MM. Also I am creating a PM order and at the time of release of PM order system creates the PR in background hence I need to know some kind of exit/BADI which can be called to update the Budget Period field in PR.
  Thanks in Advance!
  Regards
  Rohit Goel

  Hello Eli,
  I have one more query to ask on the above scenario.
  The scenario is my delivery date in PO is say July but I did good issue in May hence the Budget Period should be May and not july in my GR and IV.
  Now when I am doing GR in May then system is showing the Budget Period as July in GR document but in FM Document it is populating as May. I have defined a derivation strategy to derive budget period from posting date so may be because of that.
  But when I am doing IV then it is again moving the amount from May to July. It may be right behaviour that system is deriving all the account assignment from Source document but is there any way to overwrite.
  I have defined the derivation strategy with the condition that overwrite with new value if already written (Deriving from Posting Date to Budget Period).
  Please guide me on this if possible.
  Thanks in Advance
  Regards
  Rohit

• I want to create org data profile in service scenario, with price determination from sales org, distribution centre , can any one help me with these

  i want to create org data profile in service scenario, with price determination from sales org, distribution centre , can any one help me with these
  IF I CREATE SERVICE ORG WITH SERVICE SCENARIO ORG DATA PROFILE,
  MY PRICING IS NOT GETTING DETERMINED AS IT IS LINKED TO SALES ORG AND DISTRIBUTION CHANNEL THROUGH PRICING DETERMINATION SO HOW TO DO THE CUSTOMIZATION FOR THIS SITUATION
  WITH REGARDS,
  SATHISH

  Hi Satish,
  Please assign the org det. rules to org det. profile with Sales and Service scenarios and then assign the org. det. profile to transaction type. The below screenshot is just for your reference.
  Hope it would fix your issue.
  Regards,

• Multiple business roles and org data determination

  Hello together,
  we are having an issue with the organizational data determination. Some users have multiple business roles in different sales organizsations. This means, they are assigned to several units in our org modell.
  This users can select the business role after the login screen. But this selection doesn't affect the org data determination (rule: ORGMAN_12).
  For example. My user is assigned to 4 different org units. After the login i select a role. In debugging i can see this role, but the system selects only the first role and not the role i've selected after the login.
  Is there any other rule which follows the select business role? Or can i assign one user only to one unit?
  Best regards
  Sascha

  Thanks for your reply!
  The problem is, that i need exactly the org unit according to the selected business role at the beginning. Because we have in one company different distribution channel (e.g. 10, 20, 30). And depending on this the user can create an business partner in 10, 20 or 30. So, in our case we have some users assigned to 10 AND 20 AND 30. For each channel we have one role.
  Our org modell looks like this:
  company XYZ
  --channel 10 ( role 'salespro10')
  mustermann-m
  --channel 20 ( role 'salespro20')
  mustermann-m
  --channel 30 ( role 'salespro30')
  mustermann-m
  If the user mustermann-m select salespro10 he should be able to create a business partner in channel 10. And if the user select the salespro20 he should be able to create the bp in channel20.
  But if you use the RH_STRUC_GET i get ALL assigment.
  Best regards,
  Sascha

• Org Data from activities

  Hey Pros,
  I just have one short question. I search for the Table where the organizational data of an activity is stored.
  Also I seach for the connection between the crmc_orderadm_h and the specific org data.
  Thanks for your answers.
  Greets Christian

  Hi Christian,
  What I can understand from the query is that you need to search the Activity data for the transaction type.
  If this is the case, you can find it in CRMD_ACTIVITY_H table.
  Link to this table can be found in CRMD_LINK table.
  Hope this helps!
  Regards,
  Saumya