Tuesday 18 June 2013

Creating Master and Derived Roles

Are you looking for a way to create or maintain roles more efficiently?

Example: to manage multiple roles which are common in term of TCODE, authorization object value but different appear in companies code / organization level in FICO modules.



Steps to create master and child roles:

1) Execute "PFCG" and create a new master role (Z_MASTER_ROLE_1) and assign value for the pending object (*) and leave the "Org Level" empty

2) Create a new child role (Z_MASTER_ROLE_CHILD_1) and derive it from the master role created earlier


3) Click "Yes"


4) Ensure the correct master role been selected and save the child role for now


5) Back to the master role and click the "Generate Derived Role" button to refresh all the object value for child role that attach to the it


6) Click the 'tick" icon to continue to start the child role refresh


7) Click "Generate"


8) Back to the child role and observe that the child role been updated with the TCODE and authorization data from master role



9) Enter the relevant "Org Level" for the child role


10) Done, "save" and "generate profile" for the child role and it ready to be use


11) Here you go, you can create multiple child roles base on the master role as template. Any TCODE / authorization object value added in the master role will be able push to all the child roles easily without impacting on the child role "Org Level".

12) The master and child role relationship could be display by using SQVI or TCODE: SE16" on table: AGR_DEFINE.






7 comments:

  1. can we derive a role from derived role?

    ReplyDelete
    Replies
    1. It's possible ... but normally the master and child relationship are maintain as one level for ease of maintenance.

      Delete
  2. Hi,
    Z_MASTER_ROLE_CHILD_1 CoCode 1100 is to Create (01)
    Z_MASTER_ROLE_CHILD_2 CoCode 1200 is to Display (03)

    and being assigned to same user, I found the effect is able to Create 01 for CoCode 1200.

    Is it true?

    ReplyDelete
    Replies
    1. Yes, as the user been assigned with create and display for both 1100 and 1200 roles. You can google SOD conflict for more details..

      Delete
  3. Very nice text about the roles in SAP. Pages like this one help me, thanks a lot !

    ReplyDelete
  4. Thank you. It's a very clear overview of the main functionalities of SAP role management

    ReplyDelete