Parent-derived roles

Similar Messages

• Org data in Derived role differ from Parent role

  Hi there
  I need some help please, I am in the process of creating various parent / derived roles and have found that when I update the parent role (org data) and I do a generate do a derived role update the values in the org data is not correctly pulled through to the derived roles.
  e.g.
  In the parent role for Org data "Purchase Org" the previous value was "/" so that it could be specified in the derived roles should they require the split on this field, however the business has decided that they do not require a restriction on this field so I went back to the parent role and changed the value to "*", so I generated the parent role, updated the derived roles, but when I go to any of my derived roles that field value is still blank, it did not pull through the value * .
  We are currently on
  SAP_ABA  701           0005    SAPKA70105
  SAP_BASIS  701        0005     SAPKB70105
  I have created the derived roles with the parent role as the derived from role, it does pull through the values but just does not update it once I do make changes.
  Your help / suggestions would really be appreciated as I need to create MANY roles.
  Regards
  Sonja

  Hi Sonja,
  obviously there is a misunderstanding of how the derivation works....
  > Thanks guys for the feedback, but surely I do not only need to maintain the ORG data in the derived roles individually, if I have got an Org field that should be the same for all the derived roles I must be able to update the Parent role with this value which then upon generate, and generate / activate the derived roles must update the derived roles.
  -->no.
  Only the first time of derivation, if the field content in the derived roles are initial...
  help.sap.com:
  quote
  The organization level data is only copied the first time the authorization data is adjusted for the derived role. If data is maintained for the organizational levels in the derived role, and if you have maintained the organizational levels using the dialog box, the data is not overwritten by another conciliation (See SAP Note 314513).
  unquote
  The whole stuff:  http://help.sap.com/saphelp_nw70ehp2/helpdata/en/1c/c38028816c11d396bc0000e82de14a/frameset.htm
  otherwise the maintained org.fieldvalues would get overwritten by the value of the master role every time. And that is exactly, what has to be avoided!
  b.rgds, Bernhard

• Derived Role generation in BRM

  Hi,
  In BRM while creating a parent role, corresponding derived roles are created and sent for approval.
  Post approval, the roles are generated, in the foreground confirmation message states that Parent + derived roles all are successfully generated.
  In the backend system the derived role's "Authorization" tab is with a status yellow and profile is not generated. However, the derived role has all the relevant values in it and the last changed by / date is appropriate to reflect the changes done.
  Can some one please point to a solution to this? We have raised an OSS for this about a month back and applied suggestions from SAP without any result.
  Version - GRC 10.0 SP10
  Thanks,
  Sammukh

  Hello Andrzej
  Yes, the derived roles are in status complete. After generation of all the roles (parent+derived) the derived roles move to the maintain test cases phase. Here we maintain the test cases and close the methodology. Post this the derived roles' status become complete.
  Yes, we did try re-generating them manually from mass generation from GRC. The result is same. In fact the surprising thing is following:
  1. Derived role is complete and in not generated state.
  2. Mass generated from GRC - still not generated.
  3. Manually generated in backend system - roles are now generated.
  4. Mass generated from GRC again - status that was generated from point 3 before changed to not generated again.
  Looks like the generation from GRC itself is the problem, but we are unable to pin-point the issue.
  Thanks
  Sammukh

• DB table for Derived Roles and Parent Roles

  Hi Expart,
  In which DB table the Derived Roles and Parent Roles are store .that is i need to find out the derived role and parent Role .i have completed the Complex and single role by table AGR_AGRS
  But i have to find out the table for Derived Role
  Plz help me to get those table
  Thanks in advance
  Tarak

  It's the same table as for the master role: AGR_DEFINE (field PARENT_AGR is filled for derived roles).
  ~As from Forum

• Authorization in APO: org level concept (parent role -- derived role) ?

  Hello experts,
  we want to introduce some authorization / roles in APO using the typical R3 concept of having a "parent role" and derive "single roles" from such a parent role and change the "org levels" inside the single role. Testing this with master data objects like C_APO_LOC (location in APO) it seems to me that APO doesn't know about "org levels".
  Whenever I create a parent role (lets say "Z_PAR_ROLE_LOC_MASTER") to access /SAPAPO/LOC3 (Location master data) and create a single role out of it (derive it into Z_SINGLE_ROLE_LOCMASTER_1234") and enter the location ID 1234 ... regenerating and populating a change from the parent role "Z_PAR_ROLE_LOC_MASTER" does immediately wipe out the location ID 1234 maintained before in the single/derived role "Z_SINGLE_ROLE_LOCMASTER_1234".
  My question: is this by design that APO does not know about "org levels" or is there something special I have to consider using PFCG correctly in SCM (I can see the "Org Level" button but it says there are no org levels) ?
  Regards
  Thomas

  I got the solution - the profile generation was missing !

• Maintaining the authorizations for parent role and derived role

  Hi Experts,
  Kindly advice me the Pro and cons of the parent role and derived role.. below is the scenario
  Currently  we have created the 700 role in  our regionally organization and we want to dervie the roles for each country
  1 ) we want to do the Auth field (activity level) settings in parent role and Org levels  in the derived role  .
  2)  But one my collegue says do the default  Auth filed ( activity values) common to every country in the parent role and diff activity one in the derived role .
  please advice me wat will be the best scenario for mantaining the authorizations filed values like (activity level  one)

  I will try to answer both your queries here:
  "my collegue says they are some NON ORG values different from each country ..suggest us to maintain all the default values in Parent role and auth with diff values needs to be maintained in derived role (child role).. "
  The only set of values which should/can be different in a child role (when compared with its parent) will be the org level values. So if this filed is NON_ORG you will not be able to maintain it directly inside the child roles.....this is the basic principle of derived role conceptu2026 that the only item you will directly maintain in a child role are the org levels(which will come as u2018organisational levelsu2019 in the upper tab in the auth data of a role).
  All NON_ORG fields inside a child role is acquired from the parent role. You should never change the values of any such fields (non-org fields) in the child role. these changes will get lost the next time you run the parent child inheritance from u201Cgenerate derived roleu201D function in your parent role.
  Coming to the second question on how to run the program, you just need to enter the technical name of the field you want to convert (tech names like BUKRS, WERKS etc u2026 figure out the name of the concerned field you have in hand)u2026.executeu2026 you will that the field will now onwards appear as an org level value in all roles in the system and not just as a field inside the auth objectsu2026.I would suggest you take one field and try running it in ur dev or  sandbox..see how the field changes in your roles.... the change can always be reverted by using PFCG_ORGFIELD_delete. ... you will understand it better....
  Soumya

• Little Challenge --How to give or restrict TRX in derive roles !

  Want to give 10 trx in 2 derive roles and 15 in another 2 derive roles from same Parent role-Any method to do so?One I know is to give additional 5 Trx access through manually Adding TCD in remaning 2 derive roleANY other way to give or restrict so that tabs should not be in manually or changed mode?

  >
  ARYENDRA DALAL wrote:
  > so that tabs should not be in manually or changed mode?
  Hi,
  Excellent answer from Juluis. Also the way you want to do this is conflicting with the Ref-Derive role concept.
  I can add/modify some thing to the previous two answers.
  One point I want to make clear that you mentioned as quoted above. Do you mean to say that the S_TCode will not be in changed mode (_or_ need not to add S_TCode manually) in Profile generator?
  If Yes, then please check the following approach:
  1. Create your first parent role and pair of derived roles with 10 Tcodes.
  2. Create one role as per the concept of Transaction role - value role. That means, the role will contain those 5 TCodes in the menu but will not contain any authorization (except S_TCODE, all objects should be deactivated).
  3. Then create one composite role with these two (one derive role of the pair and the other single role).
  if No, then follow this approach:
  1. Follow step one of above.
  2. Create one generic role without any menue entry. Add TCode manually in authorization tab and then 5 TCodes there.
  3. Create another role (value role) [let me know if you need details concept on this] and maintain the authorization of those 5 TCodes here together with org. values.
  4. Create composite role by using these three roles (one derive role from the pair, one generic transaction role and one value role).
  But please note that the menue entry should not be maintained in the derive role in any circumstances and if you do then you are no longer maintaining SAP Ref-Derive role concept.
  Please let me know if these help you to some extent.
  Regards,
  Dipanjan

• Question on org level values in derived roles

  I have a set of derived roles for a retail org.
  They have set the org level for the WERKS object to the store number i.e. 0012. in the  M_MSEG_LGO, M_MSEG_WMB,   and M_MSEG_WWE but set it to "" in the  M_MRES_WWA and M_MSEG_WWA. Needless to stay the "" is overiding the site restriction.
  My question is, how can they allow store to store transfers and goods issues for other sites but only do POs and goods receipts for their default store?
  If the transactions in the role are using the same object, it doesn't seem like it can be done but I am told it can! I can't figure it out. Can anyone assist?
  Thanks

  If you are talking about  straight authorization object ( then your design cannot go with derived role concept )
  If your controls are only through the organizational object  only then derived role design will help
  If its a mix of both standard object + organizational level object derived role will not help you.
  Please note
  the WERKS is the organization level  in your case the plan value is 0012
  do not set the values in parent role and also do not populate this value were its "$werks"
  what is TCODE you are using ?
  Edited by: Franklin Jayasim on Jul 21, 2010 11:45 PM

• Change authorization object in a derived role

  Hi Gurus,
  What's happen if someone has added a new authorization object in a derived role?
  He has only changed some derived role, not the parent role, he added manually a new value in the authorization field. The parent role didn't changed.
  <u>Note:</u>The field was not an organizationnal field, it was S_DATASET.
  What do you think about this ?
  Thanks
  Hery-zo

  Do i understand this right??? do functional teams have access to PFCG to create roles???
  If so that is your real problem, as that shoudl never been doen that way. You are completely right functional consultants have no clue about how roles should be build. advise:
  1 take away the access to PFCG in ALL systems for anybody other than security consultants administrators.
  2 ask all functional teams to describe the roles points to be adressed:
     A TRX in every role
     B all wanted restrictions on every TRX (described functionally)
     C orglevels on which restrictions should be build.
     D Test process for every TRX in every role (both positive and negative)
     E  check all roles against table USOBT and look for manually added objects,  
         if they can not give a good reason for adding these REMOVE them.
  3 retest all roles based on point 2D, ask the funcxtional consultants to assist where needed. Adjust roels during testing where needed, but create a good auditable record for every change.
  4 Update USOBT_C (use TRX SU24) for all changes you apply during testing
  5 check your roles for the corrected TRX after this change and update the other roels involved as well.
  6 ONLY allow roles that have followed the above process to go to Production.
  The above steps are the only way to create a secure SAP Production system for you!

• Master role-derive role concept and FICO role in dev system!!!

  Hi all,
  I have created a master role with t-codes
  AWUW
  BAPI
  BD10
  BD100
  BD101
  BD102
  BD103
  BD104
  BD105
  BD11
  BD12
  BD13
  BD14
  BD15
  also included object PLOG where maintained org data
  and created a derived role from that master role and generated from the master role.
  After that I wanted to change the org level but the system is not allowing me to change, although I selected the values from the F4 screen.
  Now I want to maintain seperate org value of each of the derived role...and when adjusted from the master role..these maitained value should not vanished.
  How should I proceed???
  I have another issue....I am now in Dev system....I need to create a role with FICO module with SPRO....
  Should I go ahead and cread a role and assign FICO block and assign SPRO...will that be sufficient??
  Thanks in Advance
  Regards,
  Souren

  Yes, It seems that you have broken the org level by directly making changes in the org level field inside pfcg.
  One way to correct this is to regenerate the role in expert mode by selecting the option 'Delete and recreate profile and authorizations' (in case you want to correct it for all the org level fields.).
  If you want only for PLOG, then delete this object and add again. Then go to organization level tab at the top and give the required value. Do this in the master role and generate and push the changes to derived role. Now, goto derived role and make the org level change the same way you did for parent role..
  For your second question, you will have to see what all auth objects are being checked by SPRO for a FICO module assosciate. You can create a test role with SPRO in it and then do authorization trace through ST01 to see what all objects are checked when they work.

• All objects are inactive in derived roles (copied from existing derived role)

  I need to create more than 1000 derived roles, from existing reference roles.
  Reference roles are also derived roles. So I executed LSMW for mass copy.
  Eg: Reference role XYZ with parent role XXX
  New role(ABC) copied from XYZ ,so ABC is having same values as XYZ and master role also.
  Now the issue is after executing the LSMW all roles are copied to new roles, but all objects are inactive in new roles .I am not able to activate the object also.

  Hi Colleen,
  Issue: I have derived roles for plant XX, now I want to derive same set of roles for YY plant. My reference plant is XX, So what am doing is copying the XX roles to New roles (YY) .No change in object or description, just copy role to new role. And I am using LSMW for the same.
  After copy the roles, I will change the description and profile using another script and manually change the org values. But after copy the roles to new roles using script all objects are inactive (In red color),if am selecting the org tab ,I will get message like ,no org levels maintained. Because all objects are inactive .And there are no options (edit) to activate the objects or maintain the fields.
  Thanks,
  Anusha

• Derived roles are getting overwritten everytime when I update Master Role.

  Hi Experts !
  We have created some Master and Derived roles in the past.  According to the requirement we have made some changes directly in the derived roles like some value of objects, activities, etc.. Now we added one t-code in the master role and generated its profile and generated all derived roles also. But changes made directly in derived roles earlier, revoked from all derived roles.
  Now can anyone tel me how to add t-code in Master and derived roles so that the changes directly made in derived role should not be removed.
  Please help and give your valuable advise.
  Regards,
  Lokesh Bajaj

  Hi Lokesh,
  The main principle of derived roles is that they inherit all object level access from the parent with the exception of organisational levels.
  Using derived roles you cannot achieve your requirement.  If there are any object level differences in the derived roles then you will need to create different master roles or delete the inheritance relationship.  This is a design constraint when using derived roles and if you do use them (some would advise against) then it has to take this functionality into account. 
  You can promote most field values to org levels which will not be overwritten but you need to be very careful that it doesn't cause problems elsewhere (e.g. promoting auth group to an org level).  I respectfully suggest that you do not go down this route without consulting someone who has done it before and can evaluate your solution for it's suitability.
  Cheers

• Mass generation of Derived Roles

  Hello,
  SUPC helps me in Mass generation of Master Roles. But how do I generate Derived roles in a lot?
  Thanks.

  Hello,
  we also missed this function when we started using derivation of roles. I developed some years ago a program which does this, also possible to start it in background mode. It runs daily (in front of  PFCG_TIME_DEPENDENCY) and adjust derived roles from updated parent roles (which came into the system via transport request).
  Because I developed the program in my working time it's owned by my company, therefore I can not post the source. Just a few hints:
  - parent roles and derived roles: you will find them in table AGR_DEFINE
  - roles imported into the system: with function module TMS_TM_GET_TRLIST you can get yesterday's imported transport requests, you can read the object list with function module TMS_WBO_READ_REQUEST (those with R3TR ACGR have roles in it).
  - build up an internal table of parent roles (consider the derivation level: first process the top level role, then it's derived roles, and then their derived roles and so on).
  - use function module SUPRN_TRANSFER_AUTH_DATA for adjusting the derived roles of a parent role.
  HTH and kind regards
  Jens Hoetger

• Mass gerneration of derived roles

  Hello,
  I've got two questions concerning mass generation of roles.
  1)
  In a system are implented certain roles. Sometimes we're getting an update of the parent roles. In the next step we have to derivate all kind roles manually. This is very costly for a lot of roles.
  I know the point "mass generation" in PFCG, but if we use this with option "all roles to be compared" the derived roles will not be compared. Even if I do this in same system (changing the parent role, choosing option the mentioned option) the kind role will not be updated. Is there a possibility to solve this problem or make the derivation faster without touching each parent role?
  2)
  I want to do the derivation of roles automatically. I read here something about LSMW, Batch-Input or CATT scripts. Can anybody explain me how it exactly works with this automatic derivation of roles?
  Regards,
  Julia

  Thanks for your possibilities to solve the problem.
  I think the first problem with the derivation of roles after update of parent role could be solved with your mentioned report and eCATT.
  But with the second problem I still have trouble. I tried to use eCATT with transaction SECATT in SAP system. This works fine as long the roles have the same organizational levels.
  But I think that there has got to be a script for each role, because the organizational levels differ from role to role. So if you have e.g. 100 parent roles in your system, you have to create 100 scripts (apart from the question, if it's reasonable to have so much parent roles). It's helpful that the parameters can be stored in a data container, but additionally you have to know, which script concernes which roles and you have got to use the right script for right role.
  Or did I overlooked something in eCATT?
  Regards,
  Julia

• Is transporting two groups of derived roles separately an issue?

  Hi Gurus,
  We have a situation where we need to transport 150+ child roles of same Parent. As these roles are very bulky in content, we though of creating two transports having 70+ roles each. While doing so, we released first transport and when it reached test system we release another one.
  Final result in test system is all the child roles which were moved in first transport now have authorization tab "red". While one which were transported in second tp are perfect.
  I have tried sending all the roles in 1 transport but due to its huge size it failed and got stuck many times before we deleted it from the buffer. Please let me know the best possible way to move the changes to test environment and later to prod. Increasing tp file size or increasing the ideal run time of the dialog/background work process are the option. But looking for some other alternatives.

  That you have such large derived roles should be suspect in itself. How many org. fields have you promoted and did you transport that change to the field definition through first (just to double-check)?
  How many users are these roles already assigned to? --> The import events for role transports also perform the user compare and "after change" user buffer syncs. This can have performance impacts, if that is the ponit of failure you are referring to.
  > I have tried sending all the roles in 1 transport but due to its huge size it failed and got stuck many times
  Take a look in ST22 for the short dumps related to this. Give us more infos about the bottleneck and perhaps we can help further.
  PS: When doing performance tests, you should not give up after the first try... (memory area management and syncs which the system does - some of them you can do in advance and only need to be done once / repsctively the first time).
  Cheers,
  Julius
  Edited by: Julius Bussche on Apr 4, 2010 10:43 AM