Reg derived roles combination into composite role

Similar Messages

• Importing master role from ECC into portal throws derived role exception

  Hello,
  While uploading master and derived role from backend system into the portal I am getting the following exception.
  com.sap.portal.pcd.rolemigration.RoleMigrationException: Nested Exception. Failure to execute native function. Nested Exception. ROLE_IS_DERIVED
  Does it imply that the derived role is already imported with the import of master role and there is no need to explicitly import the derived role?
  The landscape uses role upload tool of portal for UME.
  Regards
  Pooja

  Hi Pooja,
  There is a limitation with the role upload tool that the derived roles cannot be uploaded.
  The migration is only able to upload roles which have their own menus. Derived R/3 roles does not have menus themselves as they derive them from other roles. The purpose of the migration is to bring the R/3 navigation structures into the portal. Therefore you can only migrate the role from which your role is derived.
  Regards
  Anja

• Error while uploading R/3 Derived Role into EP

  Dear all,
  When i was trying to upload the derived role from backend R/3 system. It's giving following error.
  com.sap.portal.pcd.rolemigration.RoleMigrationException: Nested Exception. Failure to execute native function. Nested Exception. ROLE_IS_DERIVED - message at com.sap.portal.pcd.rolemigration.util.Connector.callFunction(HQ1CLNT230,en_US,pradeep,TWPN_GET_ROLE,ROLE_TABLE,{ENABLE_LOGGING= , ROLENAME=ZR:GT_CUSTOMER_001, MENUTEXTS_ONLY_IN_MASTERLANG= }): Check parameters. Nested Exception. ROLE_IS_DERIVED at com.sap.portal.pcd.rolemigration.util.Connector.callFunction(Connector.java:244) at com.sap.portal.pcd.rolemigration.RoleMigrationObject.migrate(RoleMigrationObject.java:1699) at com.sap.portal.pcd.rolemigration.RoleMigrationObject.migrate(RoleMigrationObject.java:769) at com.sap.portal.pcd.rolemigration.RoleMigrationThread.run(RoleMigrationThread.java:488) Original exception: com.sapportals.connector.ConnectorException: Nested Exception. ROLE_IS_DERIVED at com.sapportals.connectors.SAPCFConnector.SAPConnectorException.getNewConnectionException(SAPConnectorException.java:67) at com.sapportals.connectors.SAPCFConnector.execution.functions.SAPCFConnectorInteraction.execute(SAPCFConnectorInteraction.java:318) at com.sapportals.connectors.SAPCFConnector.execution.functions.SAPCFConnectorInteraction.execute(SAPCFConnectorInteraction.java:411) at com.sapportals.connectors.SAPCFConnector.execution.functions.SAPCFConnectorInteraction.execute(SAPCFConnectorInteraction.java:433) at com.sap.portal.pcd.rolemigration.util.Connector.callFunction(Connector.java:403) at com.sap.portal.pcd.rolemigration.util.Connector.callFunction(Connector.java:148) at com.sap.portal.pcd.rolemigration.RoleMigrationObject.migrate(RoleMigrationObject.java:1699) at com.sap.portal.pcd.rolemigration.RoleMigrationObject.migrate(RoleMigrationObject.java:769) at com.sap.portal.pcd.rolemigration.RoleMigrationThread.run(RoleMigrationThread.java:488)
  Kindly Suggeset me
  Rgds
  PRadeep

  Pradeep,
  Kindly explain the process flow of your upload.
  James

• Missing Master and Derived Roles

  Hello All,
                I have got an odd scenario and I am hoping some of you might have run into the same issue or might point me to the right direction.
  Back ground
  We are on ECC 5.0 and have Master Derived Concept, and then Derived Roles are grouped in Composites
  We recently( Last week ) created some ( say 34 ) Derived roles and some (10) composites using a combinition of the newly created derived and some Old derived roles.
  Transported The derived seperatly and Composites seperately. Transports went successfully into QA and PRD.
  This week we noticed that all of the 34 derived roles are missing in DEV ONLY along with 28 Master of the 34 Child Roles. All the Childs and master still exist in QA and PRD.
  We have tried to look up the change Doc of the missing roles or the profiles or the authorizations of the missing roles and there is no change log under suim. Change Log shows when the role was created but nothing after that. According to Basis transports does not have any unusual log
  Since its a DEV system so no delete transports have come into DEV, therefore delete transport could not be an option.
  I have also uploaded one of the missing master roles from the PRD to DEV and it is succfully established the relation with the childs. I was hoping it might shake up the Change History regarding missing role but it did not, It now shows when the role was created earlier( 2006 ) and This week  agian but no Delete History
  Any Ideas on how to explain this behavior

  Another possible and imaginable human error worth looking into is that at some stage in the past a transport request was created for the master and child roles -- okay.
  Then the child roles were "broken" by changing org. levels and other fields in the authorization maintenance, so the roles themselves were deleted with the intention of creating them again from one of the "template" child-roles --> okay, seems reasonable to have happened.
  Then (here is the problem!) someone released the transport before the new child roles were created. This is interpreted by the system to be a deletion transport of roles.
  Additionally the sequence of the transports might have added additional obscurity to the issue and now, much later on, someone imported the transport into production which deleted the roles.
  <conspiracy_theory>
  The person then deleted the transport request from the queues and archived the change documents in SU83.
  </conspiracy_theory>
  Cheers,
  Julius

• ERM: Importing Derived Roles Problem

  Hello All,
  It appears that if I download and mass import 1 derived role at a time, the ERM mass import works perfectly. But, if I download the same successful derived roles and import them together, the ERM mass import does not import all the role details. Instead, it drops the role description and long description.
  This problem occurs if I upload 2 or more derived roles at a time.
  Any ideas?
  System Details: GRC AC SP12, VIRSANH 12, VIRSAHR 10.
  -Dylan

  Hi Dylan -
  We have found a work around for this, but before I list the steps let me not be presumptuous in my explanation as you must have both the parent roles uploaded in ERM in addition to updating the "Primary Org. Level File" with the appropriate data prior to loading the derived roles.
  Upon downloading the derived roles from the backend, 3 files are exported [Bulk File, Info File & Org File] and this is true for all roles that are exported. However, only when derived roles are exported will the Org File be populated with data (i.e. role name).  This makes sense because the only time this Org File is needed is when you import derived roles, all other roles only require the Bulk & Info File.
  Our guess was the way it was supposed to work is that the Org values were supposed to be exported into this file with the role names, however the Org Level & Value fields are blank.  We tried multiple combination of populating this file, but continued to get the same import error.  We eventually figured out a way to update this file to pull in all of the Org level data:
  *NOTE we found the most success with Mass Import files with the following extension: Bulk - .txt, Info - .xls, Org - .xls
  As stated before, the derived role Org file auto-populates the role names that were downloaded. In the 'Derived Orl Level' & 'From Value' fields you need only populate the first value from the 'AGR_1252' table listed in the Bulk file.
  Example:
  In the Bulk file we have a role: ZD:HR_AT_ANALYST and the first value listed for line AGR_1252 is the client number+role name then the Derived Orl Level and Value.  So we populated our Org file to look like this.
  Role Name                                         --->>>    Derived Org Level         --->>>    From Value
  ZD:HR_AT_ANALYST                    --->>>   KORSS                           --->>>   NRPC
  ZD:HR_BN_PAYROLL_DSPLY         --->>>    PERSA                         --->>>      *
  ZD:HR_PY_AT_ANALYST                --->>>   BURKS                         --->>>      NRPC
  If the file is populated this way, somehow it magically picks up the remaining Org Level Data for role when loaded. So the file does not have to actually have all of the values for each role.  I can be tedious to sift through the bulk file for the values, but there are quick ways to do it in excel.
  Hope this helps,

• Little Challenge --How to give or restrict TRX in derive roles !

  Want to give 10 trx in 2 derive roles and 15 in another 2 derive roles from same Parent role-Any method to do so?One I know is to give additional 5 Trx access through manually Adding TCD in remaning 2 derive roleANY other way to give or restrict so that tabs should not be in manually or changed mode?

  >
  ARYENDRA DALAL wrote:
  > so that tabs should not be in manually or changed mode?
  Hi,
  Excellent answer from Juluis. Also the way you want to do this is conflicting with the Ref-Derive role concept.
  I can add/modify some thing to the previous two answers.
  One point I want to make clear that you mentioned as quoted above. Do you mean to say that the S_TCode will not be in changed mode (_or_ need not to add S_TCode manually) in Profile generator?
  If Yes, then please check the following approach:
  1. Create your first parent role and pair of derived roles with 10 Tcodes.
  2. Create one role as per the concept of Transaction role - value role. That means, the role will contain those 5 TCodes in the menu but will not contain any authorization (except S_TCODE, all objects should be deactivated).
  3. Then create one composite role with these two (one derive role of the pair and the other single role).
  if No, then follow this approach:
  1. Follow step one of above.
  2. Create one generic role without any menue entry. Add TCode manually in authorization tab and then 5 TCodes there.
  3. Create another role (value role) [let me know if you need details concept on this] and maintain the authorization of those 5 TCodes here together with org. values.
  4. Create composite role by using these three roles (one derive role from the pair, one generic transaction role and one value role).
  But please note that the menue entry should not be maintained in the derive role in any circumstances and if you do then you are no longer maintaining SAP Ref-Derive role concept.
  Please let me know if these help you to some extent.
  Regards,
  Dipanjan

• Changing Organization level for derived roles

  Dear All,
  Below is my query:
  When there is any requirement to change the organization level of a derived role, we go to the role and change the organization level manually.
  We have derived our roles, based on the units(company codes).
  Now we have a scenario, where we need to add one unit in a particular derivation of all roles.
  Please suggest if there is any way of updating the organization level in mass for a specific derivation.
  Regards,
  Reshma Vijayan.

  Colleen Lee wrote:
  At least with this option you are using the PFCG functionality and not hitting the tables directly
  Hi Reshma, Colleen,
  Some additional warnings about manipulating the downloads:
  The downloadfile is a fixed record length text file, do not mess up the data positions.
  Be aware of case (upper/lower) when manipulating the file.
  Make sure you do a unicode download to preserve special characters in the menu texts.
  There are very, very few checks done on the file contents when uploading again. It will allow you to pollute your AGR* tables in such a way you'll need an ABAP-er or SQL-savvy colleague to clean up the mess. It is very close to manipulating the tables directly.
  I once managed to get entries into AGR_1251 which didn't show up in PFCG and wouldn't even disappear from the tables after I had deleted the roles in question.
  And yes, I still use this method, but I won't advise it to anyone I cannot personally train to be aware of the pitfalls ;-)
  Jurjen

• Authorization in APO: org level concept (parent role -- derived role) ?

  Hello experts,
  we want to introduce some authorization / roles in APO using the typical R3 concept of having a "parent role" and derive "single roles" from such a parent role and change the "org levels" inside the single role. Testing this with master data objects like C_APO_LOC (location in APO) it seems to me that APO doesn't know about "org levels".
  Whenever I create a parent role (lets say "Z_PAR_ROLE_LOC_MASTER") to access /SAPAPO/LOC3 (Location master data) and create a single role out of it (derive it into Z_SINGLE_ROLE_LOCMASTER_1234") and enter the location ID 1234 ... regenerating and populating a change from the parent role "Z_PAR_ROLE_LOC_MASTER" does immediately wipe out the location ID 1234 maintained before in the single/derived role "Z_SINGLE_ROLE_LOCMASTER_1234".
  My question: is this by design that APO does not know about "org levels" or is there something special I have to consider using PFCG correctly in SCM (I can see the "Org Level" button but it says there are no org levels) ?
  Regards
  Thomas

  I got the solution - the profile generation was missing !

• Mass role import with derived roles out of master roles

  Hi everybody,
  I want to import a mass of roles with derivation (org. values) levels.
  Could you please provide me with the terminology of the org. info file.
  Bulk and role info were created and could successfully imported, but the derivation level (comes up with the
  org info file) never works. There are no derived roles.
  Look of the org file:
  Role Name [ Alphanumeric (100) ] [ Mandatory ]     Derived Org. Level [ Alphanumeric (50) ] [ Mandatory ]     From Value [ Alphanumeric (100) ] [ Mandatory ]     To Value [ Alphanumeric (100) ]
  Z0007_K:FI_AP_CHANGE     Company Code (BUKRS)     CN10     
  Z0008_K:FI_AP_CHANGE     Company Code (BUKRS)     CN20     
  Z0009_K:FI_AP_CHANGE     Company Code (BUKRS)     CN30     
  Z0010_K:FI_AP_CHANGE     Company Code (BUKRS)     CN40     
  Z0011_K:FI_AP_CHANGE     Company Code (BUKRS)     MA10     
  Any ideas ?
  Reg,
  Ulrich

  Hello everybody,
  The right way to import orglevel fields is like that:
  before the org level field, you need to add the "$" sign- like that - $BUKRS
  in every line.
  good luck,
  best regards,
  Haim Brauner

• Mass Role Import  -- 9000 derived roles with 9 org Levels, how to get TXT

  Hello,
  I hava a problem.
  I want to use the (Mass Role Import) Bulk Role Import element in the ERM  (SAP GRC AC 5.3 )for importing SAP roles (I only found that way to import roles from SAP).
  I have 100 primary roles and more or less 9000 derived roles with 9 org Levels.
  Is there a way to get this 9000 derived roles with their 9 org Levels in a TXT file?. Or do I have to do it manually this part to insert it in the "Bulk Role Import ".
  Can someone help me?
  Thank you in advance.
  Pablo Mortera.

  Hi Mike,
  what kind of TA´s are in your role. Is it possible to integrate a "dummy" TA (without conflicting
  your SOD)?
  In my example I have CO TA´s bundled in a role:
  Role:   ZXXXX_O:CO_ORDERMANAGER_CRE - CO Order Manager Pflege
  with
  KO01 Create Internal Order ...
  KO02 Change Order ... 
  KO04 Order Manager ... 
  KOK2 Collective Proc. Internal Orders ... 
  KOK4 Aut. Collect. Proc. Internal Orders
  update this role with TA KO01 and KOKRS will be available for derivation.
  Done this manually without import in ERM.
  Reg,
  Ulrich

• Derived roles are getting overwritten everytime when I update Master Role.

  Hi Experts !
  We have created some Master and Derived roles in the past.  According to the requirement we have made some changes directly in the derived roles like some value of objects, activities, etc.. Now we added one t-code in the master role and generated its profile and generated all derived roles also. But changes made directly in derived roles earlier, revoked from all derived roles.
  Now can anyone tel me how to add t-code in Master and derived roles so that the changes directly made in derived role should not be removed.
  Please help and give your valuable advise.
  Regards,
  Lokesh Bajaj

  Hi Lokesh,
  The main principle of derived roles is that they inherit all object level access from the parent with the exception of organisational levels.
  Using derived roles you cannot achieve your requirement.  If there are any object level differences in the derived roles then you will need to create different master roles or delete the inheritance relationship.  This is a design constraint when using derived roles and if you do use them (some would advise against) then it has to take this functionality into account. 
  You can promote most field values to org levels which will not be overwritten but you need to be very careful that it doesn't cause problems elsewhere (e.g. promoting auth group to an org level).  I respectfully suggest that you do not go down this route without consulting someone who has done it before and can evaluate your solution for it's suitability.
  Cheers

• Mass generation of Derived Roles

  Hello,
  SUPC helps me in Mass generation of Master Roles. But how do I generate Derived roles in a lot?
  Thanks.

  Hello,
  we also missed this function when we started using derivation of roles. I developed some years ago a program which does this, also possible to start it in background mode. It runs daily (in front of  PFCG_TIME_DEPENDENCY) and adjust derived roles from updated parent roles (which came into the system via transport request).
  Because I developed the program in my working time it's owned by my company, therefore I can not post the source. Just a few hints:
  - parent roles and derived roles: you will find them in table AGR_DEFINE
  - roles imported into the system: with function module TMS_TM_GET_TRLIST you can get yesterday's imported transport requests, you can read the object list with function module TMS_WBO_READ_REQUEST (those with R3TR ACGR have roles in it).
  - build up an internal table of parent roles (consider the derivation level: first process the top level role, then it's derived roles, and then their derived roles and so on).
  - use function module SUPRN_TRANSFER_AUTH_DATA for adjusting the derived roles of a parent role.
  HTH and kind regards
  Jens Hoetger

• 'Protecting' your derived roles from being maintained on object level

  I'm redesigning an authorization concept that has been polluted in the past by maintaining object level values in the derived roles instead of the master roles.
  Now I would like to build in a kind of warning or authorization so that future role administrators can adjust master roles on object level, and derive the roles from the master, but are not allowed (or get a warning) to change object level values in the derived roles themselves.
  I'm looking for a warning similar to the warning you get when you are trying to change an organizational level value within the object rather than change the orglevel table.
  I have looked for entries in table PRGN_CUST, but found none.
  Also, the authorization checks for deriving roles [seem to be similar|http://help.sap.com/saphelp_nw04/helpdata/en/2b/84653f1b76b11ae10000000a114084/frameset.htm] to actually maintaining a role, so no distinction can be made here.
  Knowing al this, II think the answer is: 'no, this is not possible' but if you have dealt with the same problem successfully, please let me know.
  Kind regards,
  Lodewijk Borsboom

  Hi Lodewijk,
  There are exit paths in SU01 and PFCG which might (have) help(ed) but SAP removed the documentation on them because as (to my knowledge) as the code was integrated into BAPIs and org. management these exits (like many which have gone before them) caused no end to confusion over time.
  I heard that they would at some ponit be replaced by BADI's but I guess the same problem exists there and I have to date not seem any of them released.
  I have the documentation if you are interested but which release are you on? I suspect that SAP might even remove the exit coding anyway.
  As the other's have stated, I would also go for a detective control. You can always wipe the mistake out again from the master and this will let you know that someone is not sticking to the rules or doesn't understand the concept.
  This is also an advantage when compared to an error message or warning which only they see...
  Cheers,
  Julius

• GRC BRM: Update Org Levels of derived roles

  Dear GRC experts,
  we are using the GRC BRM Master Derived concept and have around 100 Master roles in place.
  I understand that the Org Levels of derived roles are only once set per Org Value Map during the initial (Mass) Derivation.
  If we add a transation like VA01 to a Master role this also adds some new Org Levels to the Master role. Via "Propagate to Derived roles" the new transaction and object values are added into the Derived roles.
  For the new Org Levels these are added also but the values are not the one from the Org Value Map of the Derived role but exactly the same values of the Master Role.
  Using "Derived Role Org. values Update" does not help us here to update the corresponding Derived roles as no change to the Org Value Map has been done.
  In case a Master role has 40 different Derived roles associated this would require to update manually any of the Derived roles for adjusting the new Org Levels.
  Does anybody know how to automate this task?
  Many thanks for your help!
  Regards,
  Markus

  Hi Markus Richter
  Once you maintain the imparting role and propagate to the derived role, the derived roles will inherit the new org values from the imparting. So that at least has the org values in the derived roles but not the correct values
  Next up is to try to use the Mass Maintain Roles to update the derived roles with correct values from the org map (ensure org maps were updated first) mentioned in post
  Mass Child role Org value update in GRC 10
  Does this work for you as an approach?
  Regards
  Colleen

• Adjusting derived role in background

  Hello,
  Each time we modify a reference role, we spend a lot of time adjusting the derived roles (at least 20 derived roles, about 5 000 users by role).
  To do it, we execute PFCG, Authorization tabs, then in the authorizations menu-> adjust derived-> Generate derived roles.
  Is there a standard way to do it in background or in a batch mode (maybe by program, or function module) ?
  Thanks.
  Guillaume

  Hi Guillaume.
  We actually cloned the SUPRN_REGENERATE_DEPENDENT program into a Z-program and added the multiple roles functionality based on the timestamps in table AGR_TIME.
  We then save the timestamps in a shadowtable (clone of AGR_TIME) so we can figure out when the role have been changed and a derivation is neccessary!
  Contact me for further details!
  Regards Fredrik