Transporting Individual Child/Derived Roles

Suppose I have 5 Child/Derived Roles of 1 parent role.
If I make an Org Level change to 1 of teh Child Roles, do I need to transport all the other child Roles as well?
My peers say that if I do not transport the remaining child roles there are some side-effects. But they do not know the exact reason.
Please guide me with teh reason for this.
Thanks in advance.

Once you make a change to the Org level content in the specific derived role, it can be transported independently of the other sister derived roles from the same parent.
When you enter that specific derived role in the transport request, it will automatically bring in the parent role but not the other sister derived roles.
I have not seen any side effects to this approach and it is SAP recommended.
Thanks,
Guru.

Similar Messages

  • Is transporting two groups of derived roles separately an issue?

    Hi Gurus,
    We have a situation where we need to transport 150+ child roles of same Parent. As these roles are very bulky in content, we though of creating two transports having 70+ roles each. While doing so, we released first transport and when it reached test system we release another one.
    Final result in test system is all the child roles which were moved in first transport now have authorization tab "red". While one which were transported in second tp are perfect.
    I have tried sending all the roles in 1 transport but due to its huge size it failed and got stuck many times before we deleted it from the buffer. Please let me know the best possible way to move the changes to test environment and later to prod. Increasing tp file size or increasing the ideal run time of the dialog/background work process are the option. But looking for some other alternatives.

    That you have such large derived roles should be suspect in itself. How many org. fields have you promoted and did you transport that change to the field definition through first (just to double-check)?
    How many users are these roles already assigned to? --> The import events for role transports also perform the user compare and "after change" user buffer syncs. This can have performance impacts, if that is the ponit of failure you are referring to.
    > I have tried sending all the roles in 1 transport but due to its huge size it failed and got stuck many times
    Take a look in ST22 for the short dumps related to this. Give us more infos about the bottleneck and perhaps we can help further.
    PS: When doing performance tests, you should not give up after the first try... (memory area management and syncs which the system does - some of them you can do in advance and only need to be done once / repsctively the first time).
    Cheers,
    Julius
    Edited by: Julius Bussche on Apr 4, 2010 10:43 AM

  • Generation of derived roles when transported

    Hello Everyone,
    We are on ECC6.0 and I've come across a scenario where I've created certain number of derived roles from a parent role and generated the parent and derived one's from the parent role in PFCG and created a transport request. But,
    When I got them imported (SCC1) to a different client on the same box I can see that the authorization tab is still in yellow in all these derived roles,they do contain the same profile name in the authorization tab in PFCG as from the original client they were created in and I would like to know the reason why these roles under the auth.tab are in YELLOW and need a regeneration of profile? I remember doing it previously where I did not regenerate the profiles for the roles when they are imported/transported to a different client.
    And the status text in SUPC says " no current profile".
    Any ideas/inputs are much appreciated.
    Regards,
    Raj

    Hi,
    There may be more that one cases.
    What are the roles you included into the Transport request? You should include all the Derive roles along with the parent roles ideally. Also, I hope you have checked the authorization data for the derived roles in the development before transport.
    Other option could be the system change options for appending data in the target system.
    Please provide more information and also try to search for SAP Notes if there any with this kind of issues.
    Regards,
    Dipanjan

  • Missing Master and Derived Roles

    Hello All,
                  I have got an odd scenario and I am hoping some of you might have run into the same issue or might point me to the right direction.
    Back ground
    We are on ECC 5.0 and have Master Derived Concept, and then Derived Roles are grouped in Composites
    We recently( Last week ) created some ( say 34 ) Derived roles and some (10) composites using a combinition of the newly created derived and some Old derived roles.
    Transported The derived seperatly and Composites seperately. Transports went successfully into QA and PRD.
    This week we noticed that all of the 34 derived roles are missing in DEV ONLY along with 28 Master of the 34 Child Roles. All the Childs and master still exist in QA and PRD.
    We have tried to look up the change Doc of the missing roles or the profiles or the authorizations of the missing roles and there is no change log under suim. Change Log shows when the role was created but nothing after that. According to Basis transports does not have any unusual log
    Since its a DEV system so no delete transports have come into DEV, therefore delete transport could not be an option.
    I have also uploaded one of the missing master roles from the PRD to DEV and it is succfully established the relation with the childs. I was hoping it might shake up the Change History regarding missing role but it did not, It now shows when the role was created earlier( 2006 ) and This week  agian but no Delete History
    Any Ideas on how to explain this behavior

    Another possible and imaginable human error worth looking into is that at some stage in the past a transport request was created for the master and child roles -- okay.
    Then the child roles were "broken" by changing org. levels and other fields in the authorization maintenance, so the roles themselves were deleted with the intention of creating them again from one of the "template" child-roles --> okay, seems reasonable to have happened.
    Then (here is the problem!) someone released the transport before the new child roles were created. This is interpreted by the system to be a deletion transport of roles.
    Additionally the sequence of the transports might have added additional obscurity to the issue and now, much later on, someone imported the transport into production which deleted the roles.
    <conspiracy_theory>
    The person then deleted the transport request from the queues and archived the change documents in SU83.
    </conspiracy_theory>
    Cheers,
    Julius

  • Master role and derived role concept

    Guys,
    1) How to assign the organizational levels for the derived role?
         Say for example, I have to create the derived roles with respect to the plant code.And after inheriting the tcodes ,authorizations from the master role , I noticed a pop up page with organizational level tabulation and I assigned the respective plant code there and in the same way for all the following derived roles.But the rest of the rows like company code,sales organization,distribution channel etc which are seen in the tabulation are left empty.I noticed that all the fields which are left empty in the org.levels of the derived roles  are been filled up with the vaules of the corresponding master role org.level values when the derived button icon , which is seen under the authorization tab of master role is pressed.So pls let me know the correct procedure to assign.*Do we really need to maintain org.values for master roles?*
    2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
    3) Is master and derived role tested parallely in the QA system or first master role is tested ,followed by the derived role?
    4) According to my understanding we dont assign any user to the master roles, but why do we move it to PRD?
    Greatly appreciate for some body's help.

    >  1) How to assign the organizational levels for the derived role?
    >      Say for example, I have to create the derived roles with respect to the plant code.And after inheriting the tcodes ,authorizations from the master role , I noticed a pop up page with organizational level tabulation and I assigned the respective plant code there and in the same way for all the following derived roles.But the rest of the rows like company code,sales organization,distribution channel etc which are seen in the tabulation are left empty.I noticed that all the fields which are left empty in the org.levels of the derived roles  are been filled up with the vaules of the corresponding master role org.level values when the derived button icon , which is seen under the authorization tab of master role is pressed.So pls let me know the correct procedure to assign.*Do we really need to maintain org.values for master roles?*
    Only if you assign the master roles to users. (and maybe for testing, see 3)
    >
    > 2) If a master role is transported to QA or PRD, will the derived role along with it move automatically?
    Nope, but if one of it's derived roles is transported the master is automatically included in the transport. You'll have to make sure all derived roles are transported yourself.
    >
    >  3) Is master and derived role tested parallely in the QA system or first master role is tested ,followed by the derived role?
    Best order is to do all unit testing wit the master, with all org levels at * and create the derived roles only when the master is tested and corrected to satisfaction. In that way the derived roles only have to be tested for organizational shielding.
    >
    >  4) According to my understanding we dont assign any user to the master roles, but why do we move it to PRD?
    See 2, it goes there automatically. No choice.
    Jurjen

  • Org data in Derived role differ from Parent role

    Hi there
    I need some help please, I am in the process of creating various parent / derived roles and have found that when I update the parent role (org data) and I do a generate do a derived role update the values in the org data is not correctly pulled through to the derived roles.
    e.g.
    In the parent role for Org data "Purchase Org" the previous value was "/" so that it could be specified in the derived roles should they require the split on this field, however the business has decided that they do not require a restriction on this field so I went back to the parent role and changed the value to "*", so I generated the parent role, updated the derived roles, but when I go to any of my derived roles that field value is still blank, it did not pull through the value * .
    We are currently on
    SAP_ABA  701           0005    SAPKA70105
    SAP_BASIS  701        0005     SAPKB70105
    I have created the derived roles with the parent role as the derived from role, it does pull through the values but just does not update it once I do make changes.
    Your help / suggestions would really be appreciated as I need to create MANY roles.
    Regards
    Sonja

    Hi Sonja,
    obviously there is a misunderstanding of how the derivation works....
    > Thanks guys for the feedback, but surely I do not only need to maintain the ORG data in the derived roles individually, if I have got an Org field that should be the same for all the derived roles I must be able to update the Parent role with this value which then upon generate, and generate / activate the derived roles must update the derived roles.
    -->no.
    Only the first time of derivation, if the field content in the derived roles are initial...
    help.sap.com:
    quote
    The organization level data is only copied the first time the authorization data is adjusted for the derived role. If data is maintained for the organizational levels in the derived role, and if you have maintained the organizational levels using the dialog box, the data is not overwritten by another conciliation (See SAP Note 314513).
    unquote
    The whole stuff:  http://help.sap.com/saphelp_nw70ehp2/helpdata/en/1c/c38028816c11d396bc0000e82de14a/frameset.htm
    otherwise the maintained org.fieldvalues would get overwritten by the value of the master role every time. And that is exactly, what has to be avoided!
    b.rgds, Bernhard

  • Mass generation of Derived Roles

    Hello,
    SUPC helps me in Mass generation of Master Roles. But how do I generate Derived roles in a lot?
    Thanks.

    Hello,
    we also missed this function when we started using derivation of roles. I developed some years ago a program which does this, also possible to start it in background mode. It runs daily (in front of  PFCG_TIME_DEPENDENCY) and adjust derived roles from updated parent roles (which came into the system via transport request).
    Because I developed the program in my working time it's owned by my company, therefore I can not post the source. Just a few hints:
    - parent roles and derived roles: you will find them in table AGR_DEFINE
    - roles imported into the system: with function module TMS_TM_GET_TRLIST you can get yesterday's imported transport requests, you can read the object list with function module TMS_WBO_READ_REQUEST (those with R3TR ACGR have roles in it).
    - build up an internal table of parent roles (consider the derivation level: first process the top level role, then it's derived roles, and then their derived roles and so on).
    - use function module SUPRN_TRANSFER_AUTH_DATA for adjusting the derived roles of a parent role.
    HTH and kind regards
    Jens Hoetger

  • GRC BRM: Update Org Levels of derived roles

    Dear GRC experts,
    we are using the GRC BRM Master Derived concept and have around 100 Master roles in place.
    I understand that the Org Levels of derived roles are only once set per Org Value Map during the initial (Mass) Derivation.
    If we add a transation like VA01 to a Master role this also adds some new Org Levels to the Master role. Via "Propagate to Derived roles" the new transaction and object values are added into the Derived roles.
    For the new Org Levels these are added also but the values are not the one from the Org Value Map of the Derived role but exactly the same values of the Master Role.
    Using "Derived Role Org. values Update" does not help us here to update the corresponding Derived roles as no change to the Org Value Map has been done.
    In case a Master role has 40 different Derived roles associated this would require to update manually any of the Derived roles for adjusting the new Org Levels.
    Does anybody know how to automate this task?
    Many thanks for your help!
    Regards,
    Markus

    Hi Markus Richter
    Once you maintain the imparting role and propagate to the derived role, the derived roles will inherit the new org values from the imparting. So that at least has the org values in the derived roles but not the correct values
    Next up is to try to use the Mass Maintain Roles to update the derived roles with correct values from the org map (ensure org maps were updated first) mentioned in post
    Mass Child role Org value update in GRC 10
    Does this work for you as an approach?
    Regards
    Colleen

  • Releasing transport requests with job roles take forever after upgrading to Netweaver 7

    Dear experts,
    Some time ago we've out SAP ECC 5 system to ECC 6. Since then, it takes a very long time to release transport requests containing job roles.
    For example, a request containing 154 job roles (1 template and 153 derived roles) took 4 hours to release in our DEV system. Before the upgrade this only took a couple of minutes.
    Afterwards, the import in our QAS and PRD system don't take longer than normal.
    Apparently this time is taken by the Export phase:
    Checks at Operating System Level   
    17.04.2014 09:50:03
    (0) Successfully Completed
    Pre-Export Methods                 
    17.04.2014 09:50:37
    (0) Successfully Completed
    Export                             
    17.04.2014 13:51:02
    (0) Successfully Completed
    Does anyone know what causes this and how to solve?
    Kind regards,
    Nicolas

    Hello Nicolas,
    What I understood from your description is that ,it takes very long time to release the job. Once it is released, execution does not take much time.
    To me it seems to be background job/work process issue. Maybe all the background work process are busy to execute current jobs and no free work process available for the jobs which are in the queue. In that case, if possible try to increase number of bg work processes.
    Check for any performance issues during that period. Check if there is any locking issue and jobs are stuck because of that.
    Hope this helps to investigate the issue
    Regards,
    Archana

  • Master - Derived roles -- some generated some ungenerated.

    All,
    We know how to solve this issue but we would like to know what causes it and how to prevent it in future development.  Example:  We have roles that have been created from one master role.  There are probably 80-90 derived roles from this one master role all with a small variation of company code and release code.  These roles have been implemented for over a year or more and nothing has been added to the master role to be pushed down.  The only change has been an derived roles added with new company code/release code.  When these roles are created the master roles gets generated and then pushed down through all the derived roles once the specific authorizations are added.  I development is shows that everything is in sync and is all green.  In quality and production it willl show that for each company code release code 01-06 are green, 07-10 are red and 11-15 are green.  Its always the same release codes for each company code that show are ungenerated. 
    This is just one example we have other roles that have been created and at GOLIVE (3 years ago) and the newly created derived roles is green where as certain older ones are not.  We thought it had to do with the generation of new roles but I just created a new company code from the example above and it is the same way.
    Is there a certain procedure that makes this happen, or is there a way to prevent this?  Also, with this in production and not being able to generate these roles in production is it hurting or will it affect anything within the roles transactions if there are authorizations in the role, and a profile assigned to the role for a generated authorization but the authorization stop light shows red will this affect anything?
    Any help or ideas are greatly appreciated.
    Thanks,
    -Daniel

    Daniel,
    we need to analyze from different angles like:
    1.Have u generated roles in DEV system ?? Hope no organisational values are missing in authorizations tab.
    you need to mass generate the profiles! (SUPC)
    2. When creating the transport the person might have forgot to  unchecked to transport the profiles as well.
    3.. some changes were made to the roles after the transport was created.
    Plz Refer to SAP Note 571276 and the following link:
    Re: Changes to Role
    4. If any system upgrades might have change the auth tab to red. (but in your case it with org levels)
    5. These type of mistakes happen if any new person have joined & without proper reading  company documentation, might  have the changed the roles.
    6 Finally, check whether company code & release code exist in QA & PRD.
    Thanks,
    Sri

  • Reg derived roles combination into composite role

    Dear All,
    We have a role called GR Clerk. This will be available across all stores and DC for our retail customer. We have devised a strategy wherein we will create one global role with * in org level for site. Then we will
    create derived roles for individual DC and stores (from global role) and maintain site for each derived role.
    Now our customer wants following:
    Example: Store 1's GR clerk shall have required authorizations on transaction for Store 1, plus, one
    additional authorization/transaction for Store2.
    What we initially though that we will create two individual global roles: One for all authorizations and
    second for additional authorization.
    Global GR Clerk role: GRC
    Transactions: t1, t2, t3          
    Global GR Clerk role: GRC_additional
    Transactions: t4
    Derived Roles
    for GRCStore1:     
    1. GRCStore1 with org level Site= Store1     
    2.GRCStore1_additional with org level Site= Store2
    Now I will assign both derived roles to user who is GR Clerk on Store1.
    Is this approach correct?
    Also, customer wants that only one role should be assigned to user. So shall I create a composite role out of 2 derived roles?
    Will the respective site org levels be maintained after combining derived roles into composite one?
    Thanks for your time in advance.
    regards, Sean.

    Hi,
    Regarding the transaction roles and authorization roles, it is also a good approach, however, you would still have to consider the above point in case the authorization objects overlaps and make sure that both are restricted to appropriate "stores".
    Whether it's a good approach or not, per me, depends on the overall scenario and the fact that how much maintenance would be required in long term.
    Like say, if it is a case that the transaction codes (t1,t2 and t3) are for specific stores and transaction t4 is like display activity of other store and not just store 2. Then creating a common role for transaction t4 and including it in the composite role apart with the store specific role with tcodes (t1,t2 and t4) would also be a good approach.
    ZZZ:STORE_CLERK_STORE1             (Composite Role)
    ZZS_STORE_CLERK_STORE1                      transaction code t1, t2 and t3
    ZZZ_STORE_CLERK_STANDARD                  transaction code t4 (Either no org level restriction or all store access)
    ZZZ_STORE_CLERK               (Parent Role)
    ZZS_STORE_CLERK_STORE1                  Org level Restricted to Store 1
    ZZS_STORE_CLERK_STORE2                  Org level restricted to Store 2
    and so on
    PS: Naming convention are for illustration only
    Cheers !!
    Zaheer

  • Manually added auth objects and Derived roles

    If there are manually added auth objects in the parent role do they come across to the derived roles?
    Also if you manually added auth objects into a derived role will they be overwritten by the parent role if you auto derive from the parent role?

    yes, any auth objects will come across to derived roles when you click 'generate derived roles'  from your parent role. basically its copying your parent role authorizations to derived roles  except org. level data( if you had maintained them thru 'org. maintainence' button and not adding in individual objects).
    yes. manually added auth objects in your derived roles will be overwritten by the parent role authorizations when you click 'generate derived roles'  from your parent role.
    if you just derived the role menu and din't copy the authorizations(generate derived roles) then there will not be any interlink between the parent and derived roles for authorizations.
    http://help.sap.com/erp2005_ehp_02/helpdata/en/1c/c38028816c11d396bc0000e82de14a/content.htm

  • Parent-derived roles

    Hello,
    I look for to dispay all derived roles of a parent role and export it in a file?
    Can some help me?
    Thanks.

    try table AGR_DEFINE in SE16/16N. This table lists the parent/child (master role/derived role) relationship.
    -Prashant

  • CSI Accelerator: Master / Derived roles

    Hi,
    As some of you might be aware, CSI accelerator besides having other typical SOD tool functionalities also helps in role creation as well just like ERM of GRC.
    But using this tool u2018CSIu2019 I have seen diff non-org filed values in the derived roles having been maintained as comapared to the master while creating them thus derived is customized to a gerat extent. So I just want to understand:
    1.     in such cases (where derived has non-org filelds values diff from masters) how does CSI handle the instances when master would be changed and changes need to be pushed to existing derived roles? In that case those non-org in already existing derived roles would again become same as masters.
    2.     Even using ERM one should be able to maintain diff values in the derived at non-org levels so how is the above mentioned push handled in case of ERM? Or itu2019s not handled at all and it simply wipes such discrepancies?
    thanks,
    Gill

    Daniel,
    we need to analyze from different angles like:
    1.Have u generated roles in DEV system ?? Hope no organisational values are missing in authorizations tab.
    you need to mass generate the profiles! (SUPC)
    2. When creating the transport the person might have forgot to  unchecked to transport the profiles as well.
    3.. some changes were made to the roles after the transport was created.
    Plz Refer to SAP Note 571276 and the following link:
    Re: Changes to Role
    4. If any system upgrades might have change the auth tab to red. (but in your case it with org levels)
    5. These type of mistakes happen if any new person have joined & without proper reading  company documentation, might  have the changed the roles.
    6 Finally, check whether company code & release code exist in QA & PRD.
    Thanks,
    Sri

  • Maintaining the authorizations for parent role and derived role

    Hi Experts,
    Kindly advice me the Pro and cons of the parent role and derived role.. below is the scenario
    Currently  we have created the 700 role in  our regionally organization and we want to dervie the roles for each country
    1 ) we want to do the Auth field (activity level) settings in parent role and Org levels  in the derived role  .
    2)  But one my collegue says do the default  Auth filed ( activity values) common to every country in the parent role and diff activity one in the derived role .
    please advice me wat will be the best scenario for mantaining the authorizations filed values like (activity level  one)

    I will try to answer both your queries here:
    "my collegue says they are some NON ORG values different from each country ..suggest us to maintain all the default values in Parent role and auth with diff values needs to be maintained in derived role (child role).. "
    The only set of values which should/can be different in a child role (when compared with its parent) will be the org level values. So if this filed is NON_ORG you will not be able to maintain it directly inside the child roles.....this is the basic principle of derived role conceptu2026 that the only item you will directly maintain in a child role are the org levels(which will come as u2018organisational levelsu2019 in the upper tab in the auth data of a role).
    All NON_ORG fields inside a child role is acquired from the parent role. You should never change the values of any such fields (non-org fields) in the child role. these changes will get lost the next time you run the parent child inheritance from u201Cgenerate derived roleu201D function in your parent role.
    Coming to the second question on how to run the program, you just need to enter the technical name of the field you want to convert (tech names like BUKRS, WERKS etc u2026 figure out the name of the concerned field you have in hand)u2026.executeu2026 you will that the field will now onwards appear as an org level value in all roles in the system and not just as a field inside the auth objectsu2026.I would suggest you take one field and try running it in ur dev or  sandbox..see how the field changes in your roles.... the change can always be reverted by using PFCG_ORGFIELD_delete. ... you will understand it better....
    Soumya

Maybe you are looking for